Summary: | <app-emulation/xen-{4.2.5-r6,4.4.1-r8}: Multiple vulnerabilities (XSA-{121,122}) (CVE-2015-{2044,2045}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hydrapolic, xen |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-05 15:44:33 UTC
+*xen-4.5.0-r2 (10 Mar 2015) +*xen-4.4.1-r7 (10 Mar 2015) +*xen-4.3.3-r6 (10 Mar 2015) +*xen-4.2.5-r5 (10 Mar 2015) + + 10 Mar 2015; Yixun Lan <dlan@gentoo.org> +xen-4.2.5-r5.ebuild, + +xen-4.3.3-r6.ebuild, +xen-4.4.1-r7.ebuild, -xen-4.5.0-r1.ebuild, + +xen-4.5.0-r2.ebuild: + security bump, bug 542266, XSA-121,122 Unfortunately we have also: http://www.openwall.com/lists/oss-security/2015/03/10/4 | XSA-120 http://www.openwall.com/lists/oss-security/2015/03/10/5 | XSA-123 http://www.openwall.com/lists/oss-security/2015/03/10/3 | XSA-124 +*xen-4.5.0-r3 (12 Mar 2015) +*xen-4.4.1-r8 (12 Mar 2015) +*xen-4.3.3-r7 (12 Mar 2015) +*xen-4.2.5-r6 (12 Mar 2015) + + 12 Mar 2015; Yixun Lan <dlan@gentoo.org> -xen-4.2.5-r4.ebuild, + -xen-4.2.5-r5.ebuild, +xen-4.2.5-r6.ebuild, -xen-4.3.3-r5.ebuild, + -xen-4.3.3-r6.ebuild, +xen-4.3.3-r7.ebuild, -xen-4.4.1-r6.ebuild, + -xen-4.4.1-r7.ebuild, +xen-4.4.1-r8.ebuild, -xen-4.5.0-r2.ebuild, + +xen-4.5.0-r3.ebuild: + security bump, fix bug 542263, XSA-123 Arches, please test and mark stable: =app-emulation/xen-4.2.5-r6 =app-emulation/xen-tools-4.2.5-r2 Target keywords Both : "amd64 x86" =app-emulation/xen-4.4.1-r8 =app-emulation/xen-tools-4.4.1-r6 =app-emulation/xen-pvgrub-4.4.1 Target keywords Only: "amd64" For now, I'll just leave out arm(64) for stabilization XSA-120 -> need to patch kernel, not xen source code, and I checked gentoo-sources-3.19.1, haven't include this patch. XSA-124 -> no patches, no reasonable resolution in software btw, can we file a separate bug for XSA-120, and then CC kernel team? x86 stable amd64 stable. Maintainer(s), please cleanup. Security, please vote. Would it be possible to also stabilize the 4.3 branch? (In reply to Tomas Mozes from comment #6) > Would it be possible to also stabilize the 4.3 branch? any reason here? actually I'm talking to @idella4 that we'd plan to stabilize 4.4.x series, and prune out 4.3.x (In reply to Yixun Lan from comment #7) > (In reply to Tomas Mozes from comment #6) > > Would it be possible to also stabilize the 4.3 branch? > > any reason here? > actually I'm talking to @idella4 that we'd plan to stabilize 4.4.x series, > and prune out 4.3.x We are stabilizing 4.2 and 4.4 and leaving 4.3 behind, however according to: http://www.xenproject.org/downloads/xen-archives.html Supported Xen Project 4.3 series Supported Xen Project 4.4 series Supported Xen Project 4.5 series Unsupported Xen Project 4.2 series Wouldn't it make sense to drop 4.2 and stabilize 4.3 and 4.4? (In reply to Tomas Mozes from comment #8) > (In reply to Yixun Lan from comment #7) > > (In reply to Tomas Mozes from comment #6) > > > Would it be possible to also stabilize the 4.3 branch? > > > Unsupported Xen Project 4.2 series > > Wouldn't it make sense to drop 4.2 and stabilize 4.3 and 4.4? Please keep this discussion another place than a security bug. (but as I understand it 4.2 is the latest branch supporting x86 as hypervisor) Added to existing GLSA request CVE-2015-2045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2045): The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. CVE-2015-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2044): The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. Maintainer(s), Thank you for you for cleanup. This issue was resolved and addressed in GLSA 201504-04 at https://security.gentoo.org/glsa/201504-04 by GLSA coordinator Yury German (BlueKnight). |