Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201801-14 ] Xen: Multiple vulnerabilities
Date: Sun, 14 Jan 2018 23:49:49
Message-Id: d3f67be0-42a7-fb11-3a13-398819e2720b@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201801-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Xen: Multiple vulnerabilities
     Date: January 14, 2018
     Bugs: #627962, #634668, #637540, #637542, #639688, #641566
       ID: 201801-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which
could allow for privilege escalation.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /   Vulnerable   /            Unaffected
    -------------------------------------------------------------------
  1  app-emulation/xen            < 4.9.1-r1               >= 4.9.1-r1
  2  app-emulation/xen-tools      < 4.9.1-r1               >= 4.9.1-r1
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
referenced CVE identifiers for details.

Impact
======

A local attacker could potentially execute arbitrary code with the
privileges of the Xen (QEMU) process on the host, gain privileges on
the host system, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.9.1-r1"

All Xen tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.9.1-r1"

References
==========

[  1 ] CVE-2017-12134
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12134
[  2 ] CVE-2017-12135
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12135
[  3 ] CVE-2017-12136
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12136
[  4 ] CVE-2017-12137
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12137
[  5 ] CVE-2017-15588
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15588
[  6 ] CVE-2017-15589
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15589
[  7 ] CVE-2017-15590
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15590
[  8 ] CVE-2017-15591
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15591
[  9 ] CVE-2017-15592
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15592
[ 10 ] CVE-2017-15593
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15593
[ 11 ] CVE-2017-15594
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15594
[ 12 ] CVE-2017-15595
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15595
[ 13 ] CVE-2017-17044
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17044
[ 14 ] CVE-2017-17045
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17045
[ 15 ] CVE-2017-17046
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17046
[ 16 ] CVE-2017-17563
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17563
[ 17 ] CVE-2017-17564
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17564
[ 18 ] CVE-2017-17565
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17565
[ 19 ] CVE-2017-17566
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17566

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201801-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
