Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

openSUSE Leap 42.2: 2016:3134-1 Important: Xen Multiple Issues

opensuse
Calendar Grey December 14, 2016
Scroller Opensuse
A crucial patch for the Xen component in openSUSE has resolved 17 security flaws, categorized as critical and high severity.
An update that fixes 17 vulnerabilities is now available

Description

xen was updated to version 4.7.1 to fix 17 security issues.

These security issues were fixed:

- CVE-2016-9637: ioport array overflow allowing a malicious guest

administrator can escalate their privilege to that of the host

(bsc#1011652).

- CVE-2016-9386: x86 null segments were not always treated as unusable

allowing an unprivileged guest user program to elevate its privilege to

that of the guest operating system. Exploit of this vulnerability is

easy on Intel and more complicated on AMD (bsc#1009100).

- CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a

unprivileged guest process to escalate its privilege to that of the

guest operating system on AMD hardware. On Intel hardware a malicious

unprivileged guest process can crash the guest (bsc#1009103).

- CVE-2016-9385: x86 segment base write emulation lacked canonical address

checks, allowing a malicious guest administrator to crash the host

...

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:

zypper in -t patch openSUSE-2016-1477=1

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE Leap 42.2 (i586 x86_64):

xen-debugsource-4.7.1_02-3.1

xen-devel-4.7.1_02-3.1

xen-libs-4.7.1_02-3.1

xen-libs-debuginfo-4.7.1_02-3.1

xen-tools-domU-4.7.1_02-3.1

xen-tools-domU-debuginfo-4.7.1_02-3.1

- openSUSE Leap 42.2 (x86_64):

xen-4.7.1_02-3.1

xen-doc-html-4.7.1_02-3.1

xen-libs-32bit-4.7.1_02-3.1

xen-libs-debuginfo-32bit-4.7.1_02-3.1

xen-tools-4.7.1_02-3.1

xen-tools-debuginfo-4.7.1_02-3.1

References

https://www.suse.com/security/cve/CVE-2016-7777.html

https://www.suse.com/security/cve/CVE-2016-7908.html

https://www.suse.com/security/cve/CVE-2016-7909.html

https://www.suse.com/security/cve/CVE-2016-8667.html

https://www.suse.com/security/cve/CVE-2016-8669.html

https://www.suse.com/security/cve/CVE-2016-8910.html

https://www.suse.com/security/cve/CVE-2016-9377.html

https://www.suse.com/security/cve/CVE-2016-9378.html

https://www.suse.com/security/cve/CVE-2016-9379.html

https://www.suse.com/security/cve/CVE-2016-9380.html

https://www.suse.com/security/cve/CVE-2016-9381.html

https://www.suse.com/security/cve/CVE-2016-9382.html

https://www.suse.com/security/cve/CVE-2016-9383.html

https://www.suse.com/security/cve/CVE-2016-9384.html

https://www.suse.com/security/cve/CVE-2016-9385.html

https://www.suse.com/security/cve/CVE-2016-9386.html

https://www.suse.com/security/cve/CVE-2016-9637.html

https://bugzilla.suse.com/1000106

https://bugzilla.suse.com/1003030

https://bugzilla.suse.com/1003032

https://bugzilla....

Read the Full Advisory

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2016:3134-1
Rating: important
Affected Products: openSUSE Leap 42.2 .

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.