Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:3413-1 Final 1 1 2020-11-19T11:45:25Z current 2020-11-19T11:45:25Z 2020-11-19T11:45:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Security issue fixed: - CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591). Non-security issues fixed: - Updated to Xen 4.12.4 bug fix release (bsc#1027519). - Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519). - Adjusted help for --max_iters, default is 5 (bsc#1177950). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-3413,SUSE-SLE-Module-Basesystem-15-SP1-2020-3413,SUSE-SLE-Module-Server-Applications-15-SP1-2020-3413 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20203413-1/ Link for SUSE-SU-2020:3413-1 https://lists.suse.com/pipermail/sle-security-updates/2020-November/007815.html E-Mail link for SUSE-SU-2020:3413-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1027519 SUSE Bug 1027519 https://bugzilla.suse.com/1177950 SUSE Bug 1177950 https://bugzilla.suse.com/1178591 SUSE Bug 1178591 https://www.suse.com/security/cve/CVE-2020-28368/ SUSE CVE CVE-2020-28368 page SUSE Linux Enterprise Module for Basesystem 15 SP1 SUSE Linux Enterprise Module for Server Applications 15 SP1 xen-4.12.4_02-3.34.2 xen-devel-4.12.4_02-3.34.2 xen-doc-html-4.12.4_02-3.34.2 xen-libs-4.12.4_02-3.34.2 xen-libs-32bit-4.12.4_02-3.34.2 xen-libs-64bit-4.12.4_02-3.34.2 xen-tools-4.12.4_02-3.34.2 xen-tools-domU-4.12.4_02-3.34.2 xen-libs-4.12.4_02-3.34.2 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 xen-tools-domU-4.12.4_02-3.34.2 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP1 xen-4.12.4_02-3.34.2 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 xen-devel-4.12.4_02-3.34.2 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 xen-tools-4.12.4_02-3.34.2 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP1 Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen. CVE-2020-28368 SUSE Linux Enterprise Module for Basesystem 15 SP1:xen-libs-4.12.4_02-3.34.2 SUSE Linux Enterprise Module for Basesystem 15 SP1:xen-tools-domU-4.12.4_02-3.34.2 SUSE Linux Enterprise Module for Server Applications 15 SP1:xen-4.12.4_02-3.34.2 SUSE Linux Enterprise Module for Server Applications 15 SP1:xen-devel-4.12.4_02-3.34.2 SUSE Linux Enterprise Module for Server Applications 15 SP1:xen-tools-4.12.4_02-3.34.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20203413-1/ https://www.suse.com/security/cve/CVE-2020-28368.html CVE-2020-28368 https://bugzilla.suse.com/1178591 SUSE Bug 1178591 https://bugzilla.suse.com/1178658 SUSE Bug 1178658