Package : xen
Version : 4.1.6.lts1-8
CVE ID : CVE-2016-9932 CVE-2017-7995 CVE-2017-8903 CVE-2017-8904 CVE-2017-8905

Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-9932 (XSA-200)

    CMPXCHG8B emulation allows local HVM guest OS users to obtain sensitive information from host stack memory.

CVE-2017-7995

    Xen checks access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads.

CVE-2017-8903 (XSA-213)

    Xen mishandles page tables after an IRET hypercall which can lead to arbitrary code execution on the host OS. The vulnerability is only exposed to 64-bit PV guests.

CVE-2017-8904 (XSA-214)

    Xen mishandles the "contains segment descriptors" property during GNTTABOP_transfer. This might allow PV guest OS users to execute arbitrary code on the host OS.

CVE-2017-8905 (XSA-215)

    Xen mishandles a failsafe callback which might allow PV guest OS users to execute arbitrary code on the host OS.

For Debian 7 "Wheezy", these problems have been fixed in version 4.1.6.lts1-8.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

A variety of vulnerabilities in the Xen hypervisor have been addressed in Debian LTS DLA-964-1, necessitating immediate updates to ensure system security.

Severity: Important

LinuxSecurity.com Team
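To check a collected package inventory against the fixed version above from any analysis host, the following added example (not part of the advisory) reimplements dpkg's version ordering in Python and flags hosts still below 4.1.6.lts1-8. The host names and the older version strings are constructed sample data; on a Debian host itself, `dpkg --compare-versions` gives the same ordering.

```python
import re

FIXED = "4.1.6.lts1-8"  # fixed version stated in the advisory for Debian 7 "Wheezy"

def _order(ch):
    """dpkg character weight: '~' sorts before everything, letters before symbols."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings by alternating non-digit and digit runs."""
    while a or b:
        na, a = re.match(r"(\D*)(.*)", a).groups()
        nb, b = re.match(r"(\D*)(.*)", b).groups()
        ka = [_order(c) for c in na] + [0]   # trailing 0 marks the end of the run
        kb = [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def deb_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def unpatched(inventory, fixed=FIXED):
    """Return hosts whose xen package version is older than the fixed version."""
    return [host for host, ver in inventory if deb_cmp(ver, fixed) < 0]

# Constructed sample inventory: host names and the non-fixed versions are made up.
SAMPLE = [("dom0-a", "4.1.6.lts1-8"), ("dom0-b", "4.1.6.lts1-7"),
          ("dom0-c", "4.1.4-3+deb7u9"), ("dom0-d", "4.1.6.lts1-8~test1")]

if __name__ == "__main__":
    print(unpatched(SAMPLE))  # ['dom0-b', 'dom0-c', 'dom0-d']
```
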