diff options
author | Alex Legler <alex@a3li.li> | 2015-03-08 22:02:38 +0100 |
---|---|---|
committer | Alex Legler <alex@a3li.li> | 2015-03-08 22:02:38 +0100 |
commit | a24567fbc43f221b14e805f9bc0b7c6d16911c46 (patch) | |
tree | 910a04fe6ee560ac0eebac55f3cd2781c3519760 /glsa-201309-24.xml | |
download | glsa-a24567fbc43f221b14e805f9bc0b7c6d16911c46.tar.gz glsa-a24567fbc43f221b14e805f9bc0b7c6d16911c46.tar.bz2 glsa-a24567fbc43f221b14e805f9bc0b7c6d16911c46.zip |
Import existing advisories
Diffstat (limited to 'glsa-201309-24.xml')
-rw-r--r-- | glsa-201309-24.xml | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/glsa-201309-24.xml b/glsa-201309-24.xml new file mode 100644 index 00000000..9b451589 --- /dev/null +++ b/glsa-201309-24.xml @@ -0,0 +1,158 @@ +<?xml version="1.0" encoding="UTF-8"?> +<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?> +<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201309-24"> + <title>Xen: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Xen, allowing attackers + on a Xen Virtual Machine to execute arbitrary code, cause Denial of + Service, or gain access to data on the host. + </synopsis> + <product type="ebuild">xen</product> + <announced>September 27, 2013</announced> + <revised>September 27, 2013: 1</revised> + <bug>385319</bug> + <bug>386371</bug> + <bug>420875</bug> + <bug>431156</bug> + <bug>454314</bug> + <bug>464724</bug> + <bug>472214</bug> + <bug>482860</bug> + <access>local</access> + <affected> + <package name="app-emulation/xen" auto="yes" arch="*"> + <unaffected range="ge">4.2.2-r1</unaffected> + <vulnerable range="lt">4.2.2-r1</vulnerable> + </package> + <package name="app-emulation/xen-tools" auto="yes" arch="*"> + <unaffected range="ge">4.2.2-r3</unaffected> + <vulnerable range="lt">4.2.2-r3</vulnerable> + </package> + <package name="app-emulation/xen-pvgrub" auto="yes" arch="*"> + <unaffected range="ge">4.2.2-r1</unaffected> + <vulnerable range="lt">4.2.2-r1</vulnerable> + </package> + </affected> + <background> + <p>Xen is a bare-metal hypervisor.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Xen. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>Guest domains could possibly gain privileges, execute arbitrary code, or + cause a Denial of Service on the host domain (Dom0). Additionally, guest + domains could gain information about other virtual machines running on + the same host or read arbitrary files on the host. + </p> + </impact> + <workaround> + <p>The CVEs listed below do not currently have fixes, but only apply to Xen + setups which have “tmem” specified on the hypervisor command line. + TMEM is not currently supported for use in production systems, and + administrators using tmem should disable it. + Relevant CVEs: + * CVE-2012-2497 + * CVE-2012-6030 + * CVE-2012-6031 + * CVE-2012-6032 + * CVE-2012-6033 + * CVE-2012-6034 + * CVE-2012-6035 + * CVE-2012-6036 + </p> + </workaround> + <resolution> + <p>All Xen users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.2.2-r1" + </code> + + <p>All Xen-tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.2.2-r3" + </code> + + <p>All Xen-pvgrub users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-pvgrub-4.2.2-r1" + </code> + + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901">CVE-2011-2901</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262">CVE-2011-3262</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217">CVE-2012-0217</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218">CVE-2012-0218</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934">CVE-2012-2934</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432">CVE-2012-3432</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3433">CVE-2012-3433</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494">CVE-2012-3494</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495">CVE-2012-3495</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496">CVE-2012-3496</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497">CVE-2012-3497</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498">CVE-2012-3498</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515">CVE-2012-3515</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411">CVE-2012-4411</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535">CVE-2012-4535</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536">CVE-2012-4536</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537">CVE-2012-4537</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538">CVE-2012-4538</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539">CVE-2012-4539</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5510">CVE-2012-5510</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5511">CVE-2012-5511</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5512">CVE-2012-5512</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5513">CVE-2012-5513</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5514">CVE-2012-5514</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5515">CVE-2012-5515</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5525">CVE-2012-5525</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5634">CVE-2012-5634</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030">CVE-2012-6030</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031">CVE-2012-6031</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032">CVE-2012-6032</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033">CVE-2012-6033</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034">CVE-2012-6034</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035">CVE-2012-6035</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036">CVE-2012-6036</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6075">CVE-2012-6075</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6333">CVE-2012-6333</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0151">CVE-2013-0151</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0152">CVE-2013-0152</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153">CVE-2013-0153</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0154">CVE-2013-0154</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215">CVE-2013-0215</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1432">CVE-2013-1432</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917">CVE-2013-1917</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918">CVE-2013-1918</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919">CVE-2013-1919</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920">CVE-2013-1920</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922">CVE-2013-1922</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952">CVE-2013-1952</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1964">CVE-2013-1964</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2076">CVE-2013-2076</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2077">CVE-2013-2077</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2078">CVE-2013-2078</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2194">CVE-2013-2194</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2195">CVE-2013-2195</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2196">CVE-2013-2196</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2211">CVE-2013-2211</uri> + <uri link="http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html"> + Xen TMEM + </uri> + </references> + <metadata tag="requester" timestamp="Tue, 06 Mar 2012 01:02:21 +0000">craig</metadata> + <metadata tag="submitter" timestamp="Fri, 27 Sep 2013 20:19:09 +0000"> + creffett + </metadata> +</glsa> |