Debian DSA-3554-1 Moderate: Xen Hypervisor Security Risks
debian
April 21, 2016
Multiple vulnerabilities have been discovered in the Xen hypervisor
Summary
CVE-2016-3158, CVE-2016-3159 (XSA-172)
Jan Beulich from SUSE discovered that Xen does not properly handle
writes to the hardware FSW.ES bit when running on AMD64 processors.
A malicious domain can take advantage of this flaw to obtain address
space usage and timing information, about another domain, at a
fairly low rate.
CVE-2016-3960 (XSA-173)
Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360
discovered an integer overflow in the x86 shadow pagetable code. A
HVM guest using shadow pagetables can cause the host to crash. A PV
guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, potentially leading to privilege
escalation.
For the stable distribution (jessie), these problems have been fixed in
version 4.4.1-9+deb8u5.
We recommend that you upgrade your xen packages.
Further information about Debian Security Advisories, how to apply
these upda...
PREVIOUS
NEXT
Package: xen
CVE ID: CVE-2016-3158 CVE-2016-3159 CVE-2016-3960
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!