Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 3663-1] xen security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 3663-1] xen security update


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 3663-1] xen security update
  • Date: Fri, 09 Sep 2016 05:39:36 +0000
  • List-archive: https://lists.debian.org/msgid-search/E1biEXI-0001lH-8j AT master.debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-return-path: <carnil AT master.debian.org>
  • Priority: urgent
  • Resent-date: Fri, 9 Sep 2016 05:39:53 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <AolVktjOOjL.A.pO.psk0XB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3663-1 security AT debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 09, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2016-7092 CVE-2016-7094 CVE-2016-7154

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2016-7092 (XSA-185)

Jeremie Boutoille of Quarkslab and Shangcong Luan of Alibaba
discovered a flaw in the handling of L3 pagetable entries, allowing
a malicious 32-bit PV guest administrator can escalate their
privilege to that of the host.

CVE-2016-7094 (XSA-187)

x86 HVM guests running with shadow paging use a subset of the x86
emulator to handle the guest writing to its own pagetables. Andrew
Cooper of Citrix discovered that there are situations a guest can
provoke which result in exceeding the space allocated for internal
state. A malicious HVM guest administrator can cause Xen to fail a
bug check, causing a denial of service to the host.

CVE-2016-7154 (XSA-188)

Mikhail Gorobets of Advanced Threat Research, Intel Security
discovered a use after free flaw in the FIFO event channel code. A
malicious guest administrator can crash the host, leading to a
denial of service. Arbitrary code execution (and therefore privilege
escalation), and information leaks, cannot be excluded.

For the stable distribution (jessie), these problems have been fixed in
version 4.4.1-9+deb8u7.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJX0kg2AAoJEAVMuPMTQ89EAG0P/0fZID2dOBod15r0GoN28Y7L
qFx1Yx3+ZJi/SEq1IVZQQczXCSz19EVe0s+nzcFzsaS5RStoHtUy2DZygjSV+lHU
asmfwZgrWeaQejDfo6F8rihXbLCU+cD+R5YUWUODiA6z0NClYHxWu6IgZPPVPRJm
vgoPUlSgZRBn/4P5WaLk3rjflMynxbmuLpPOiBxue1ZNzRy4N5rr2w8mGI5Wf0vq
MdLkIROy5F3GJvZ30uO4ca4U6fUN49pJ3CE+YefQDsav7MyD9o3wA+94bQ7oFXgj
+65QZLtKPhPYX0m3pFwmfuiQCupzog1B9o33eYyBAUV6i2JRS4FQ4ciKujBj+tNC
KD1agKNRgXFKgr2itDKlmMgajrACKS1vVnVJrRwlWyX0kegeH61UQFKu7oiWtzl+
WO853HRFaIQFOwrFEPv0KWKzA4zrmz7FXjqSG/yvJAeDenLbODclJlgn4Sei68oI
G4nZNPc9Lkfq2xK2UY0FsNKmf1cg92423raKzDhXZbSXl4BVa83d3ZaFCehKrQVO
MCDytLw0OudR0aa1kT4O11mwPVLtz2GzxtNv+GVzcsBDoyBvZSyWt8RO6bBDSfiA
FYvRvd19L7GQmRoQGdwS2v+2AdU+P4LvZe7NXBXXaW6KWkXccWlk4zd60a2b+FyO
GqVKO5POhzy86ToQ5Nho
=rOCc
-----END PGP SIGNATURE-----


  • [IT-SecNots] [SECURITY] [DSA 3663-1] xen security update, Salvatore Bonaccorso, 09.09.2016

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang