Security update for Xen

SUSE Security Update: Security update for Xen
Announcement ID: SUSE-SU-2014:1700-1
Rating: moderate
References: #866902 #882089 #896023 #901317 #903850 #903967 #903970 #905465 #905467 #906439
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Desktop 11 SP3
    		•

    An update that solves 5 vulnerabilities and has 5 fixes is now available.

    Description:


    Xen has been updated to version 4.2.5 with additional patches to fix six
    security issues:

    * Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
    (CVE-2014-9030).
    * Insufficient bounding of "REP MOVS" to MMIO emulated inside the
    hypervisor (CVE-2014-8867).
    * Excessive checking in compatibility mode hypercall argument
    translation (CVE-2014-8866).
    * Guest user mode triggerable VM exits not handled by hypervisor
    (bnc#903850).
    * Missing privilege level checks in x86 emulation of far branches
    (CVE-2014-8595).
    * Insufficient restrictions on certain MMU update hypercalls
    (CVE-2014-8594).

    These non-security issues have been fixed:

    * Xen save/restore of HVM guests cuts off disk and networking
    (bnc#866902).
    * Windows 2012 R2 fails to boot up with greater than 60 vcpus
    (bnc#882089).
    * Increase limit domUloader to 32MB (bnc#901317).
    * Adjust xentop column layout (bnc#896023).

    Security Issues:

    * CVE-2014-9030

    * CVE-2014-8867

    * CVE-2014-8866

    * CVE-2014-8595

    * CVE-2014-8594

    Special Instructions and Notes:

    Please reboot the system after installing this update.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP3:
      zypper in -t patch sdksp3-xen-11sp3-2014-11-26-10018
    • SUSE Linux Enterprise Server 11 SP3:
      zypper in -t patch slessp3-xen-11sp3-2014-11-26-10018
    • SUSE Linux Enterprise Desktop 11 SP3:
      zypper in -t patch sledsp3-xen-11sp3-2014-11-26-10018

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP3 (x86_64):
      • xen-devel-4.2.5_02-0.7.1
    • SUSE Linux Enterprise Server 11 SP3 (x86_64):
      • xen-4.2.5_02-0.7.1
      • xen-doc-html-4.2.5_02-0.7.1
      • xen-doc-pdf-4.2.5_02-0.7.1
      • xen-kmp-default-4.2.5_02_3.0.101_0.40-0.7.1
      • xen-libs-32bit-4.2.5_02-0.7.1
      • xen-libs-4.2.5_02-0.7.1
      • xen-tools-4.2.5_02-0.7.1
      • xen-tools-domU-4.2.5_02-0.7.1
    • SUSE Linux Enterprise Desktop 11 SP3 (x86_64):
      • xen-4.2.5_02-0.7.1
      • xen-doc-html-4.2.5_02-0.7.1
      • xen-doc-pdf-4.2.5_02-0.7.1
      • xen-kmp-default-4.2.5_02_3.0.101_0.40-0.7.1
      • xen-libs-32bit-4.2.5_02-0.7.1
      • xen-libs-4.2.5_02-0.7.1
      • xen-tools-4.2.5_02-0.7.1
      • xen-tools-domU-4.2.5_02-0.7.1

    References:

    • http://support.novell.com/security/cve/CVE-2014-8594.html
    • http://support.novell.com/security/cve/CVE-2014-8595.html
    • http://support.novell.com/security/cve/CVE-2014-8866.html
    • http://support.novell.com/security/cve/CVE-2014-8867.html
    • http://support.novell.com/security/cve/CVE-2014-9030.html
    • https://bugzilla.suse.com/show_bug.cgi?id=866902
    • https://bugzilla.suse.com/show_bug.cgi?id=882089
    • https://bugzilla.suse.com/show_bug.cgi?id=896023
    • https://bugzilla.suse.com/show_bug.cgi?id=901317
    • https://bugzilla.suse.com/show_bug.cgi?id=903850
    • https://bugzilla.suse.com/show_bug.cgi?id=903967
    • https://bugzilla.suse.com/show_bug.cgi?id=903970
    • https://bugzilla.suse.com/show_bug.cgi?id=905465
    • https://bugzilla.suse.com/show_bug.cgi?id=905467
    • https://bugzilla.suse.com/show_bug.cgi?id=906439
    • http://download.suse.com/patch/finder/?keywords=b64990dee077b443be24ed84558ed00b