Security update for xen SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0124-1 Final 1 1 2016-01-14T18:12:22Z current 2016-01-14T18:12:22Z 2016-01-14T18:12:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following security issues: - CVE-2015-8550: paravirtualized drivers incautious about shared memory contents (XSA-155, boo#957988) - CVE-2015-8558: qemu: usb: infinite loop in ehci_advance_state results in DoS (boo#959006) - CVE-2015-7549: qemu pci: null pointer dereference issue (boo#958918) - CVE-2015-8504: qemu: ui: vnc: avoid floating point exception (boo#958493) - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164, boo#958007) - CVE-2015-8555: information leak in legacy x86 FPU/XMM initialization (XSA-165, boo#958009) - boo#958523 xen: ioreq handling possibly susceptible to multiple read issue (XSA-166) - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list (boo#956832) - boo#956592: xen: virtual PMU is unsupported (XSA-163) - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues (XSA-159, boo#956408) - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error (XSA-160, boo#956409) - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator (XSA-162, boo#956411) - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142, boo#947165) - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception (boo#954405) - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156, boo#954018) - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150, boo#950704) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html E-Mail link for openSUSE-SU-2016:0124-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings xen-4.3.4_10-53.1 xen-devel-4.3.4_10-53.1 xen-doc-html-4.3.4_10-53.1 xen-kmp-default-4.3.4_10_k3.11.10_29-53.1 xen-kmp-desktop-4.3.4_10_k3.11.10_29-53.1 xen-kmp-pae-4.3.4_10_k3.11.10_29-53.1 xen-libs-4.3.4_10-53.1 xen-libs-32bit-4.3.4_10-53.1 xen-tools-4.3.4_10-53.1 xen-tools-domU-4.3.4_10-53.1 xen-xend-tools-4.3.4_10-53.1 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. CVE-2015-5307 moderate 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-5307.html CVE-2015-5307 https://bugzilla.suse.com/953527 SUSE Bug 953527 https://bugzilla.suse.com/954018 SUSE Bug 954018 https://bugzilla.suse.com/954404 SUSE Bug 954404 https://bugzilla.suse.com/954405 SUSE Bug 954405 https://bugzilla.suse.com/962977 SUSE Bug 962977 libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. CVE-2015-7311 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-7311.html CVE-2015-7311 https://bugzilla.suse.com/947165 SUSE Bug 947165 https://bugzilla.suse.com/950367 SUSE Bug 950367 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVE-2015-7504 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-7504.html CVE-2015-7504 https://bugzilla.suse.com/956411 SUSE Bug 956411 The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method. CVE-2015-7549 low 2.3 AV:A/AC:M/Au:S/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-7549.html CVE-2015-7549 https://bugzilla.suse.com/958917 SUSE Bug 958917 https://bugzilla.suse.com/958918 SUSE Bug 958918 The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand. CVE-2015-7970 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-7970.html CVE-2015-7970 https://bugzilla.suse.com/950704 SUSE Bug 950704 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. CVE-2015-8104 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8104.html CVE-2015-8104 https://bugzilla.suse.com/953527 SUSE Bug 953527 https://bugzilla.suse.com/954018 SUSE Bug 954018 https://bugzilla.suse.com/954404 SUSE Bug 954404 https://bugzilla.suse.com/954405 SUSE Bug 954405 https://bugzilla.suse.com/962977 SUSE Bug 962977 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. CVE-2015-8339 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8339.html CVE-2015-8339 https://bugzilla.suse.com/956408 SUSE Bug 956408 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. CVE-2015-8340 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8340.html CVE-2015-8340 https://bugzilla.suse.com/956408 SUSE Bug 956408 The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains. CVE-2015-8341 moderate 5.5 AV:A/AC:L/Au:S/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8341.html CVE-2015-8341 https://bugzilla.suse.com/956409 SUSE Bug 956409 The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list. CVE-2015-8345 moderate 5.2 AV:A/AC:M/Au:S/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8345.html CVE-2015-8345 https://bugzilla.suse.com/956829 SUSE Bug 956829 https://bugzilla.suse.com/956832 SUSE Bug 956832 Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client. CVE-2015-8504 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8504.html CVE-2015-8504 https://bugzilla.suse.com/958491 SUSE Bug 958491 https://bugzilla.suse.com/958493 SUSE Bug 958493 Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. CVE-2015-8550 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8550.html CVE-2015-8550 https://bugzilla.suse.com/1052256 SUSE Bug 1052256 https://bugzilla.suse.com/957988 SUSE Bug 957988 Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path." CVE-2015-8554 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8554.html CVE-2015-8554 https://bugzilla.suse.com/958007 SUSE Bug 958007 Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors. CVE-2015-8555 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8555.html CVE-2015-8555 https://bugzilla.suse.com/958009 SUSE Bug 958009 The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. CVE-2015-8558 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html https://www.suse.com/security/cve/CVE-2015-8558.html CVE-2015-8558 https://bugzilla.suse.com/959005 SUSE Bug 959005 https://bugzilla.suse.com/959006 SUSE Bug 959006 https://bugzilla.suse.com/976109 SUSE Bug 976109 https://bugzilla.suse.com/976111 SUSE Bug 976111