Alerts This Week
Warning Icon 1 525
Alerts This Week
Warning Icon 1 525

openSUSE Leap 42.3: openSUSE-SU-2018:1274-1 critical: xen Denial Of Service

opensuse
Calendar Grey May 12, 2018
Dist Opensuse Esm H88
A significant security patch has been released for the xen component of openSUSE, focusing on resolving vital vulnerabilities and improving overall system reliability.
An update that solves 6 vulnerabilities and has 6 fixes is now available.

Description

This update for xen to version 4.9.2 fixes several issues.

This feature was added:

- Added script, udev rule and systemd service to watch for vcpu

online/offline events in a HVM domU. They are triggered via 'xl vcpu-set

domU N'

These security issues were fixed:

- CVE-2018-8897: Prevent mishandling of debug exceptions on x86 (XSA-260,

bsc#1090820)

- Handle HPET timers in IO-APIC mode correctly to prevent malicious or

buggy HVM guests from causing a hypervisor crash or potentially

privilege escalation/information leaks (XSA-261, bsc#1090822)

- Prevent unbounded loop, induced by qemu allowing an attacker to

permanently keep a physical CPU core busy (XSA-262, bsc#1090823)

- CVE-2018-10472: x86 HVM guest OS users (in certain configurations) were

able to read arbitrary dom0 files via QMP live insertion of a CDROM, in

conjunction with specifying the target file as the backing file of a

snapshot (bsc#1089152).

-...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory denial of service critical system updates xen openSUSE

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-454=1

Package List

- openSUSE Leap 42.3 (x86_64):

xen-4.9.2_04-19.2

xen-debugsource-4.9.2_04-19.2

xen-devel-4.9.2_04-19.2

xen-doc-html-4.9.2_04-19.2

xen-libs-4.9.2_04-19.2

xen-libs-debuginfo-4.9.2_04-19.2

xen-tools-4.9.2_04-19.2

xen-tools-debuginfo-4.9.2_04-19.2

xen-tools-domU-4.9.2_04-19.2

xen-tools-domU-debuginfo-4.9.2_04-19.2

References

https://www.suse.com/security/cve/CVE-2018-10471.html

https://www.suse.com/security/cve/CVE-2018-10472.html

https://www.suse.com/security/cve/CVE-2018-7540.html

https://www.suse.com/security/cve/CVE-2018-7541.html

https://www.suse.com/security/cve/CVE-2018-7542.html

https://www.suse.com/security/cve/CVE-2018-8897.html

https://bugzilla.suse.com/1027519

https://bugzilla.suse.com/1072834

https://bugzilla.suse.com/1080634

https://bugzilla.suse.com/1080635

https://bugzilla.suse.com/1080662

https://bugzilla.suse.com/1087251

https://bugzilla.suse.com/1087252

https://bugzilla.suse.com/1089152

https://bugzilla.suse.com/1089635

https://bugzilla.suse.com/1090820

https://bugzilla.suse.com/1090822

https://bugzilla.suse.com/1090823

--

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2018:1274-1
Rating: important
Affected Products: openSUSE Leap 42.3 le.

Topics%20covered

Topics Covered

security advisory denial of service critical system updates xen openSUSE

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here