Recommended update for KVM and Xen

SUSE Recommended Update: Recommended update for KVM and Xen
Announcement ID: SUSE-RU-2012:0729-1
Rating: low
References: #720929 #733715 #739585 #742773 #743414 #744771 #745005 #745367 #745880 #745890 #746613 #746702 #747172 #747331 #753165 #754906 #757346 #757537 #757970 #760023 #760557 #761142 #764077
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Linux Enterprise Server 11 SP2
  • SUSE Linux Enterprise Desktop 11 SP2

An update that solves three vulnerabilities and has 20 fixes is now available. It includes two new package versions.

    Description:


    This collective update for Xen 2012/06 on SUSE Linux
    Enterprise 11 SP2 provides the following fixes:


    Xen

    * 757537: xen: CVE-2012-0217 PV guest escalation
    * 757970: xen: CVE-2012-0218 guest denial of service on
    syscall GPF generation
    * 764077: xen: CVE-2012-2934 Report a denial of service
    issue on old, pre-SVM AMD CPUs (AMD Erratum 121).

    AMD Erratum #121 is described in "Revision Guide for
    AMD Athlon 64 and AMD Opteron Processors":
    http://support.amd.com/us/Processor_TechDocs/25759.pdf


    The following 130nm and 90nm (DDR1-only) AMD
    processors are subject to this erratum:

    o First-generation AMD-Opteron(tm) single and
    dual core processors in either 939 or 940 packages:

    + AMD Opteron(tm) 100-Series Processors
    + AMD Opteron(tm) 200-Series Processors
    + AMD Opteron(tm) 800-Series Processors
    + AMD Athlon(tm) processors in either 754,
    939 or 940 packages
    + AMD Sempron(tm) processor in either 754
    or 939 packages
    + AMD Turion(tm) Mobile Technology in 754
    package

    This issue does not affect Intel processors.

    The impact of this flaw is that a malicious PV guest
    user can halt the host system.

    As this is a hardware flaw, it is not fixable except
    by upgrading your hardware to a newer revision, or by not
    allowing untrusted 64-bit guest systems.

    The patch changes the behaviour of the host system
    booting, which makes it unable to create guest machines
    until a specific boot option is set.

    There is a new XEN boot option "allow_unsafe" for
    GRUB which allows the host to start guests again.

    This is added to /boot/grub/menu.lst in the line
    looking like this:

    kernel /boot/xen.gz .... allow_unsafe

    or add this option to the XEN_APPEND line in
    /etc/sysconfig/bootloader, e.g.:

    XEN_APPEND="allow_unsafe"

    Note: .... in the first example represents the
    existing boot options for the host.

    * 753165: xen/scripts/network-bridge won't create bridge

    * 745880: cpuid setting is not preserved across xend
    restarts
    * 747331: standard "newburn" kernel QA stress test
    freezes the guest
    * 745367: MCE bank handling during migration
    * 744771: VM with passed through PCI card fails to
    reboot under dom0 load
    * 746702: Xen HVM DomU crash during Windows Server 2008
    install, when maxmem > memory
    * 745005: Update vif configuration examples in
    xmexample*
    * 743414: using vifname is ignored when defining a xen
    virtual interface with xl/libxl
    * 739585: Xen block-attach fails after repeated
    attach/detach
    * Fate 310510: fix xenpaging
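
    For the "allow_unsafe" boot option described under 764077 above, the following added example (not part of the SUSE announcement) audits whether a host has the option set in either location while running on a pre-SVM AMD CPU. The function names, result labels and sample files are constructed for illustration, and the CPU test is a heuristic (AMD vendor string, no "svm" flag). It assumes the cpuinfo file was captured from a native boot, since a Xen dom0 may not see the svm flag.

```shell
#!/bin/sh
# Added example: audit a Xen host for the allow_unsafe boot option.
# File paths are arguments so the checks can run on copies of the files.

# Succeeds if a GRUB "kernel" line whose image path contains "xen" carries allow_unsafe.
menu_lst_allows_unsafe() {
    grep -Eq '^[[:space:]]*kernel[[:space:]]+[^[:space:]]*xen[^[:space:]]*[[:space:]](.*[[:space:]])?allow_unsafe([[:space:]]|$)' "$1"
}

# Succeeds if the last XEN_APPEND assignment contains allow_unsafe as a word.
sysconfig_allows_unsafe() {
    val=$(sed -n 's/^[[:space:]]*XEN_APPEND=//p' "$1" | tail -n 1 | tr -d "\"'")
    case " $val " in *" allow_unsafe "*) return 0 ;; esac
    return 1
}

# Heuristic (assumption): AMD vendor string and no "svm" CPU flag.
cpu_is_pre_svm_amd() {
    grep -q '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD' "$1" || return 1
    if grep '^flags' "$1" | grep -Eq '(^|[[:space:]])svm([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Prints EXPOSED, GUESTS_BLOCKED or NOT_AFFECTED (labels made up for this example).
audit_host() {  # args: cpuinfo menu.lst sysconfig-bootloader
    cpu_is_pre_svm_amd "$1" || { echo NOT_AFFECTED; return 0; }
    if menu_lst_allows_unsafe "$2" || sysconfig_allows_unsafe "$3"; then
        echo EXPOSED          # untrusted 64-bit PV guests can halt the host
    else
        echo GUESTS_BLOCKED   # updated Xen will not create guests
    fi
}

# Constructed sample files (not taken from a real host).
SAMPLES=$(mktemp -d)
printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme de pse lm 3dnow\n' > "$SAMPLES/cpu_old"
printf 'vendor_id\t: AuthenticAMD\nflags\t\t: fpu vme lm svm npt\n' > "$SAMPLES/cpu_new"
printf '# kernel /boot/xen.gz allow_unsafe\nkernel /boot/xen.gz dom0_mem=1024M\n' > "$SAMPLES/menu_default"
printf 'kernel /boot/xen.gz dom0_mem=1024M allow_unsafe\n' > "$SAMPLES/menu_unsafe"
printf 'XEN_APPEND=""\n' > "$SAMPLES/boot_default"
printf 'XEN_APPEND="allow_unsafe"\n' > "$SAMPLES/boot_unsafe"

audit_host "$SAMPLES/cpu_old" "$SAMPLES/menu_default" "$SAMPLES/boot_unsafe"
```

    A host reported as EXPOSED should only run trusted 64-bit PV guests, as the announcement states; the check matches only the literal "allow_unsafe" form shown above.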


    vm-install

    * 760557: Fix error on two virtual discs with
    conflicting virtual names
    * 760023: Can't upgrade an OES 2 (64-bit) XEN Guest
    Server to OES 11
    * 757346: XEN guest OS installation (SLES 11 SP2 guest)
    fails on SLED 11 SP2
    * 742773: vm-install shows bogus error msg without
    defined installation source
    * KVM: Add 'unsafe' and 'directsync' as options to
    cache_mode
    * KVM: During installation set the target disk to
    'unsafe' mode for better performance.
    * 761142: vm-install fails to create its new VM: bogus
    "Not enough space on device" message
    * 754906: virt-manager is not allowing to upgrade oes11
    to oes11sp1 machine


    virt-manager

    * 746613: validation error when adding USB redirection
    * KVM: Add cache mode support for directsync and unsafe


    libvirt

    * 747172: PCI device passthrough fails with "Broadcom
    NetXtreme II BCM5709 Gigabit Ethernet" (bnx2) (kvm)
    * 745890: Unable to start xen domains with virsh when
    using libxenlight toolstack and apparmor
    * KVM: Add support for qemu's 'unsafe' cache mode
    (directsync mode already there)


    virt-utils

    * vpc: Round up image size during fixed image creation
    * Fate 309765: Create images that can be run on
    Microsoft Hyper-V host. Added the VHD Fixed Disk format
    support


    yast2-vm

    * 720929: Upgrade from OES 2 SP2 to OES 11 RC3 re-adds
    "x0..respawn..xterm" to inittab
    * 733715: Fix typo in relocation-server.pot

    Security Issue references:

    * CVE-2012-0217
    * CVE-2012-0218
    * CVE-2012-2934

    Indications:

    Every Xen and KVM user should update.

    Special Instructions and Notes:

    Please reboot the system after installing this update.

    Patch Instructions:

    To install this SUSE Recommended Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-xen-201206-6400
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-xen-201206-6400
    • SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-xen-201206-6400

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
      • libvirt-devel-0.9.6-0.15.71
      • xen-devel-4.1.2_18-0.9.1
    • SUSE Linux Enterprise Software Development Kit 11 SP2 (x86_64):
      • libvirt-devel-32bit-0.9.6-0.15.71
    • SUSE Linux Enterprise Server 11 SP2 (i586 x86_64) [New Version: 0.5.9 and 2.17.10]:
      • libvirt-0.9.6-0.15.71
      • libvirt-client-0.9.6-0.15.71
      • libvirt-doc-0.9.6-0.15.71
      • libvirt-python-0.9.6-0.15.71
      • virt-manager-0.9.0-3.17.26
      • virt-utils-1.1.7-0.11.15
      • vm-install-0.5.9-0.7.13
      • xen-kmp-default-4.1.2_18_3.0.31_0.9-0.9.1
      • xen-kmp-trace-4.1.2_18_3.0.31_0.9-0.9.1
      • xen-libs-4.1.2_18-0.9.1
      • xen-tools-domU-4.1.2_18-0.9.1
      • yast2-vm-2.17.10-0.5.42
    • SUSE Linux Enterprise Server 11 SP2 (x86_64):
      • libvirt-client-32bit-0.9.6-0.15.71
      • xen-4.1.2_18-0.9.1
      • xen-doc-html-4.1.2_18-0.9.1
      • xen-doc-pdf-4.1.2_18-0.9.1
      • xen-libs-32bit-4.1.2_18-0.9.1
      • xen-tools-4.1.2_18-0.9.1
    • SUSE Linux Enterprise Server 11 SP2 (i586):
      • xen-kmp-pae-4.1.2_18_3.0.31_0.9-0.9.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 0.5.9 and 2.17.10]:
      • libvirt-0.9.6-0.15.71
      • libvirt-client-0.9.6-0.15.71
      • libvirt-doc-0.9.6-0.15.71
      • libvirt-python-0.9.6-0.15.71
      • virt-manager-0.9.0-3.17.26
      • virt-utils-1.1.7-0.11.15
      • vm-install-0.5.9-0.7.13
      • xen-kmp-default-4.1.2_18_3.0.31_0.9-0.9.1
      • xen-kmp-trace-4.1.2_18_3.0.31_0.9-0.9.1
      • xen-libs-4.1.2_18-0.9.1
      • xen-tools-domU-4.1.2_18-0.9.1
      • yast2-vm-2.17.10-0.5.42
    • SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      • libvirt-client-32bit-0.9.6-0.15.71
      • xen-4.1.2_18-0.9.1
      • xen-doc-html-4.1.2_18-0.9.1
      • xen-doc-pdf-4.1.2_18-0.9.1
      • xen-libs-32bit-4.1.2_18-0.9.1
      • xen-tools-4.1.2_18-0.9.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586):
      • xen-kmp-pae-4.1.2_18_3.0.31_0.9-0.9.1

    References:

  • http://support.novell.com/security/cve/CVE-2012-0217.html
  • http://support.novell.com/security/cve/CVE-2012-0218.html
  • http://support.novell.com/security/cve/CVE-2012-2934.html
  • https://bugzilla.novell.com/720929
  • https://bugzilla.novell.com/733715
  • https://bugzilla.novell.com/739585
  • https://bugzilla.novell.com/742773
  • https://bugzilla.novell.com/743414
  • https://bugzilla.novell.com/744771
  • https://bugzilla.novell.com/745005
  • https://bugzilla.novell.com/745367
  • https://bugzilla.novell.com/745880
  • https://bugzilla.novell.com/745890
  • https://bugzilla.novell.com/746613
  • https://bugzilla.novell.com/746702
  • https://bugzilla.novell.com/747172
  • https://bugzilla.novell.com/747331
  • https://bugzilla.novell.com/753165
  • https://bugzilla.novell.com/754906
  • https://bugzilla.novell.com/757346
  • https://bugzilla.novell.com/757537
  • https://bugzilla.novell.com/757970
  • https://bugzilla.novell.com/760023
  • https://bugzilla.novell.com/760557
  • https://bugzilla.novell.com/761142
  • https://bugzilla.novell.com/764077
  • http://download.suse.com/patch/finder/?keywords=10328b4d3af18715e20d3656ebf3478c