Overview

File _patchinfo of Package patchinfo.6738

<patchinfo incident="6738">
  <issue id="1027519" tracker="bnc">Xen: Missing upstream bug fixes</issue>
  <issue id="1035442" tracker="bnc">L3: libxl: error: libxl.c:1676:devices_destroy_cb: libxl__devices_destroy failed</issue>
  <issue id="1061081" tracker="bnc">VUL-0: CVE-2017-15595: xen: Unlimited recursion in linear pagetable de-typing (XSA-240)</issue>
  <issue id="1068032" tracker="bnc">VUL-0: speculative side channel attacks on various CPU platforms aka "SpectreAttack" and "MeltdownAttack"</issue>
  <issue id="1070158" tracker="bnc">VUL-0: CVE-2017-17566: xen: x86 PV guests may gain access to internally used pages (XSA-248)</issue>
  <issue id="1070159" tracker="bnc">VUL-0: CVE-2017-17563: xen: broken x86 shadow mode refcount overflow check (XSA-249)</issue>
  <issue id="1070160" tracker="bnc">VUL-0: CVE-2017-17564: xen: improper x86 shadow mode refcount error handling (XSA-250)</issue>
  <issue id="1070163" tracker="bnc">VUL-0: CVE-2017-17565: xen: improper bug check in x86 log-dirty handling (XSA-251)</issue>
  <issue id="1074562" tracker="bnc">VUL-0: xen: Information leak via side effects of speculative execution (XSA-254)</issue>
  <issue id="1076116" tracker="bnc">VUL-1: CVE-2018-5683: xen:  Qemu: Out-of-bounds read in vga_draw_text routine</issue>
  <issue id="1076180" tracker="bnc">VUL-1: CVE-2017-18030: xen: qemu: Out-of-bounds access in cirrus_invalidate_region routine</issue>
  <issue id="1080635" tracker="bnc">VUL-0: EMBARGOED: xen:   DoS via non-preemptable L3/L4 pagetable freeing (XSA-252)</issue>
  <issue id="1080662" tracker="bnc">VUL-0: EMBARGOED: xen: grant table v2 -&gt; v1 transition may crash Xen (XSA-255)</issue>
  <issue id="2017-15595" tracker="cve" />
  <issue id="2017-17563" tracker="cve" />
  <issue id="2017-17564" tracker="cve" />
  <issue id="2017-17565" tracker="cve" />
  <issue id="2017-17566" tracker="cve" />
  <issue id="2017-18030" tracker="cve" />
  <issue id="2017-5715" tracker="cve" />
  <issue id="2017-5753" tracker="cve" />
  <issue id="2017-5754" tracker="cve" />
  <issue id="2018-5683" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>charlesa</packager>
    <description>This update for xen fixes several issues.

These security issues were fixed:

- CVE-2017-5753, CVE-2017-5715, CVE-2017-5754: Prevent information leaks via
  side effects of speculative execution, aka "Spectre" and "Meltdown" attacks
  (bsc#1074562, bsc#1068032)
- CVE-2018-5683: The vga_draw_text function allowed local OS guest privileged
  users to cause a denial of service (out-of-bounds read and QEMU process crash)
  by leveraging improper memory address validation (bsc#1076116).
- CVE-2017-18030: The cirrus_invalidate_region function allowed local OS guest
  privileged users to cause a denial of service (out-of-bounds array access and
  QEMU process crash) via vectors related to negative pitch (bsc#1076180).
- CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded
  recursion, stack consumption, and hypervisor crash) or possibly gain privileges
  via crafted page-table stacking (bsc#1061081)
- CVE-2017-17566: Prevent PV guest OS users to cause a denial of service (host
  OS crash) or gain host OS privileges in shadow mode by mapping a certain
  auxiliary page (bsc#1070158).
- CVE-2017-17563: Prevent guest OS users to cause a denial of service (host OS
  crash) or gain host OS privileges by leveraging an incorrect mask for
  reference-count overflow checking in shadow mode (bsc#1070159).
- CVE-2017-17564: Prevent guest OS users to cause a denial of service (host OS
  crash) or gain host OS privileges by leveraging incorrect error handling for
  reference counting in shadow mode (bsc#1070160).
- CVE-2017-17565: Prevent PV guest OS users to cause a denial of service (host
  OS crash) if shadow mode and log-dirty mode are in place, because of an
  incorrect assertion related to M2P (bsc#1070163).
- Added missing intermediate preemption checks for guest requesting removal of
  memory. This allowed malicious guest administrator to cause denial of service
  due to the high cost of this operation (bsc#1080635).
- Because of XEN not returning the proper error messages when transitioning
  grant tables from v2 to v1 a malicious guest was able to cause DoS or
  potentially allowed for privilege escalation as well as information leaks
  (bsc#1080662).

This non-security issue was fixed:

- bsc#1035442: Increased the value of LIBXL_DESTROY_TIMEOUT from 10 to 100
  seconds. If many domUs shutdown in parallel the backends couldn't keep up

- Upstream patches from Jan (bsc#1027519)
</description>
  <summary>Security update for xen</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places