Security update for Xen

SUSE Security Update: Security update for Xen
Announcement ID: SUSE-SU-2013:1075-1
Rating: important
References: #801663 #809662 #813673 #813675 #813677 #814709 #816156 #816159 #816163 #819416 #820917 #820919 #820920
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Linux Enterprise Server 11 SP2 for VMware
  • SUSE Linux Enterprise Server 11 SP2
  • SUSE Linux Enterprise Desktop 11 SP2

An update that solves 10 vulnerabilities and has three fixes is now available.

    Description:


    XEN has been updated to 4.1.5 c/s 23509 to fix various bugs
    and security issues.

    The following security issues have been fixed:

    * CVE-2013-1918: Certain page table manipulation
      operations in Xen 4.1.x, 4.2.x, and earlier were not
      preemptible, which allowed local PV kernels to cause a
      denial of service via vectors related to deep page table
      traversal.

    * CVE-2013-1952: Xen 4.x, when using Intel VT-d for a
      bus mastering capable PCI device, did not properly check
      the source when accessing a bridge device's interrupt
      remapping table entries for MSI interrupts, which allowed
      local guest domains to cause a denial of service (interrupt
      injection) via unspecified vectors.

    * CVE-2013-2076: An information leak in the XSAVE/XRSTOR
      instructions could be used to determine the state of
      floating point operations in other domains.

    * CVE-2013-2077: A denial of service (hypervisor crash)
      was possible due to missing exception recovery on XRSTOR,
      which could be used by PV guest users to crash the machine.

    * CVE-2013-2078: A denial of service (hypervisor crash)
      was possible due to missing exception recovery on XSETBV,
      which could be used by PV guest users to crash the machine.

    * CVE-2013-2072: Systems which allow untrusted
      administrators to configure guest vcpu affinity may be
      exploited to trigger a buffer overrun and corrupt memory.

    * CVE-2013-1917: Xen 3.1 through 4.x, when running
      64-bit hosts on Intel CPUs, did not clear the NT flag when
      using an IRET after a SYSENTER instruction, which allowed
      PV guest users to cause a denial of service (hypervisor
      crash) by triggering a #GP fault, which is not properly
      handled by another IRET instruction.

    * CVE-2013-1919: Xen 4.2.x and 4.1.x did not properly
      restrict access to IRQs, which allowed local stub domain
      clients to gain access to IRQs and cause a denial of
      service via vectors related to "passed-through IRQs or PCI
      devices."

    * CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when
      the hypervisor is running "under memory pressure" and the
      Xen Security Module (XSM) is enabled, used the wrong
      ordering of operations when extending the per-domain event
      channel tracking table, which caused a use-after-free and
      allowed local guest kernels to inject arbitrary events and
      gain privileges via unspecified vectors.

    * CVE-2013-1964: Xen 4.0.x and 4.1.x incorrectly
      released a grant reference when releasing a non-v1,
      non-transitive grant, which allowed local guest
      administrators to cause a denial of service (host crash),
      obtain sensitive information, or possibly have other
      impacts via unspecified vectors.

    Bugfixes:

    * Upstream patches from Jan
      26956-x86-mm-preemptible-cleanup.patch
      27071-x86-IO-APIC-fix-guest-RTE-write-corner-cases.patch
      27072-x86-shadow-fix-off-by-one-in-MMIO-permission-check.patch
      27079-fix-XSA-46-regression-with-xend-xm.patch
      27083-AMD-iommu-SR56x0-Erratum-64-Reset-all-head-tail-pointers.patch

    * Update to Xen 4.1.5 c/s 23509. There were many
      xen.spec file patches dropped as now being included in the
      4.1.5 tarball.

    * bnc#809662 - can't use pv-grub to start domU (pygrub
      does work)
      xen.spec

    * Upstream patches from Jan
      26702-powernow-add-fixups-for-AMD-P-state-figures.patch
      26704-x86-MCA-suppress-bank-clearing-for-certain-injected-events.patch
      26731-AMD-IOMMU-Process-softirqs-while-building-dom0-iommu-mappings.patch
      26733-VT-d-Enumerate-IOMMUs-when-listing-capabilities.patch
      26734-ACPI-ERST-Name-table-in-otherwise-opaque-error-messages.patch
      26736-ACPI-APEI-Unlock-apei_iomaps_lock-on-error-path.patch
      26737-ACPI-APEI-Add-apei_exec_run_optional.patch
      26742-IOMMU-properly-check-whether-interrupt-remapping-is-enabled.patch
      26743-VT-d-deal-with-5500-5520-X58-errata.patch
      26744-AMD-IOMMU-allow-disabling-only-interrupt-remapping.patch
      26749-x86-reserve-pages-when-SandyBridge-integrated-graphics.patch
      26765-hvm-Clean-up-vlapic_reg_write-error-propagation.patch
      26770-x86-irq_move_cleanup_interrupt-must-ignore-legacy-vectors.patch
      26771-x86-S3-Restore-broken-vcpu-affinity-on-resume.patch
      26772-VMX-Always-disable-SMEP-when-guest-is-in-non-paging-mode.patch
      26773-x86-mm-shadow-spurious-warning-when-unmapping-xenheap-pages.patch
      26799-x86-don-t-pass-negative-time-to-gtime_to_gtsc.patch
      26851-iommu-crash-Interrupt-remapping-is-also-disabled-on-crash.patch

    * bnc#814709 - Unable to create XEN virtual machines in
      SLED 11 SP2 on Kyoto
      xend-cpuinfo-model-name.patch

    * Upstream patches from Jan
      26536-xenoprof-div-by-0.patch
      26578-AMD-IOMMU-replace-BUG_ON.patch
      26656-x86-fix-null-pointer-dereference-in-intel_get_extended_msrs.patch
      26659-AMD-IOMMU-erratum-746-workaround.patch
      26660-x86-fix-CMCI-injection.patch
      26672-vmx-fix-handling-of-NMI-VMEXIT.patch
      26673-Avoid-stale-pointer-when-moving-domain-to-another-cpupool.patch
      26676-fix-compat-memory-exchange-op-splitting.patch
      26677-x86-make-certain-memory-sub-ops-return-valid-values.patch
      26678-SEDF-avoid-gathering-vCPU-s-on-pCPU0.patch
      26679-x86-defer-processing-events-on-the-NMI-exit-path.patch
      26683-credit1-Use-atomic-bit-operations-for-the-flags-structure.patch
      26692-x86-MSI-fully-protect-MSI-X-table.patch

    Security Issue references:

    * CVE-2013-1917
    * CVE-2013-1918
    * CVE-2013-1919
    * CVE-2013-1920
    * CVE-2013-1952
    * CVE-2013-1964
    * CVE-2013-2072
    * CVE-2013-2076
    * CVE-2013-2077
    * CVE-2013-2078

    Special Instructions and Notes:

    Please reboot the system after installing this update.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp2-xen-201305-7798
    • SUSE Linux Enterprise Server 11 SP2 for VMware:
      zypper in -t patch slessp2-xen-201305-7798
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp2-xen-201305-7798
    • SUSE Linux Enterprise Desktop 11 SP2:
      zypper in -t patch sledsp2-xen-201305-7798

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
      • xen-devel-4.1.5_02-0.5.1
    • SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):
      • xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1
    • SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):
      • xen-kmp-default-4.1.5_02_3.0.74_0.6.10-0.5.1
      • xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1
      • xen-libs-4.1.5_02-0.5.1
      • xen-tools-domU-4.1.5_02-0.5.1
    • SUSE Linux Enterprise Server 11 SP2 (x86_64):
      • xen-4.1.5_02-0.5.1
      • xen-doc-html-4.1.5_02-0.5.1
      • xen-doc-pdf-4.1.5_02-0.5.1
      • xen-libs-32bit-4.1.5_02-0.5.1
      • xen-tools-4.1.5_02-0.5.1
    • SUSE Linux Enterprise Server 11 SP2 (i586):
      • xen-kmp-pae-4.1.5_02_3.0.74_0.6.10-0.5.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):
      • xen-kmp-default-4.1.5_02_3.0.74_0.6.10-0.5.1
      • xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1
      • xen-libs-4.1.5_02-0.5.1
      • xen-tools-domU-4.1.5_02-0.5.1
    • SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
      • xen-4.1.5_02-0.5.1
      • xen-doc-html-4.1.5_02-0.5.1
      • xen-doc-pdf-4.1.5_02-0.5.1
      • xen-libs-32bit-4.1.5_02-0.5.1
      • xen-tools-4.1.5_02-0.5.1
    • SUSE Linux Enterprise Desktop 11 SP2 (i586):
      • xen-kmp-pae-4.1.5_02_3.0.74_0.6.10-0.5.1
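
A post-update check that every installed xen package has reached the fixed build from the package list above, as an added example that is not part of the SUSE advisory. The sample inventory is constructed, and GNU `sort -V` is assumed as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory.
# Fixed versions copied from the advisory's package list.
FIXED_KMP="4.1.5_02_3.0.74_0.6.10-0.5.1"   # xen-kmp-default/-pae/-trace
FIXED_XEN="4.1.5_02-0.5.1"                 # every other xen package

# version_lt A B: succeeds when A is strictly older than B.
# Assumption: GNU `sort -V` ordering stands in for rpm's comparison; it is
# adequate for version strings shaped like the ones in the advisory.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_xen: reads "name version-release" lines on stdin and prints the
# name of every xen package that is still older than the fixed build.
# Live input: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'xen*' | audit_xen
audit_xen() {
    while read -r name ver; do
        case "$name" in
            xen-kmp-*) fixed=$FIXED_KMP ;;
            xen|xen-*) fixed=$FIXED_XEN ;;
            *)         continue ;;          # not a xen package
        esac
        if version_lt "$ver" "$fixed"; then
            echo "$name"
        fi
    done
    return 0
}

# Constructed inventory (not real host output): a half-applied update.
sample_inventory() {
    cat <<'EOF'
xen 4.1.5_02-0.5.1
xen-libs 4.1.4_02-0.5.1
xen-tools 4.1.5_02-0.5.1
xen-kmp-default 4.1.4_02_3.0.58_0.6.6-0.5.1
kernel-default 3.0.74-0.6.10.1
EOF
}

sample_inventory | audit_xen
```

An empty result means all listed xen packages are at or above the fixed build; the hypervisor itself only changes after the reboot the advisory asks for.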

    References:

    • http://support.novell.com/security/cve/CVE-2013-1917.html
    • http://support.novell.com/security/cve/CVE-2013-1918.html
    • http://support.novell.com/security/cve/CVE-2013-1919.html
    • http://support.novell.com/security/cve/CVE-2013-1920.html
    • http://support.novell.com/security/cve/CVE-2013-1952.html
    • http://support.novell.com/security/cve/CVE-2013-1964.html
    • http://support.novell.com/security/cve/CVE-2013-2072.html
    • http://support.novell.com/security/cve/CVE-2013-2076.html
    • http://support.novell.com/security/cve/CVE-2013-2077.html
    • http://support.novell.com/security/cve/CVE-2013-2078.html
    • https://bugzilla.novell.com/801663
    • https://bugzilla.novell.com/809662
    • https://bugzilla.novell.com/813673
    • https://bugzilla.novell.com/813675
    • https://bugzilla.novell.com/813677
    • https://bugzilla.novell.com/814709
    • https://bugzilla.novell.com/816156
    • https://bugzilla.novell.com/816159
    • https://bugzilla.novell.com/816163
    • https://bugzilla.novell.com/819416
    • https://bugzilla.novell.com/820917
    • https://bugzilla.novell.com/820919
    • https://bugzilla.novell.com/820920
    • http://download.suse.com/patch/finder/?keywords=2f3309c493da194384ed2eba64f84f0d