Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201612-56 ] Xen: Multiple vulnerabilities
Date: Sat, 31 Dec 2016 16:18:08
Message-Id: 2d9a26f9-c774-fac7-f445-d09c78a8ba33@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-56
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Xen: Multiple vulnerabilities
Date: December 31, 2016
Bugs: #600382, #600662, #601248, #601250, #601986
ID: 201612-56

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Xen, the worst of which
could lead to the execution of arbitrary code on the host system.

Background
==========

Xen is a bare-metal hypervisor.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /         Unaffected
-------------------------------------------------------------------
  1  app-emulation/xen            < 4.7.1-r4               >= 4.7.1-r4
  2  app-emulation/xen-tools      < 4.7.1-r4               >= 4.7.1-r4
  3  app-emulation/xen-pvgrub     < 4.7.1-r1               >= 4.7.1-r1
-------------------------------------------------------------------
     3 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.

Impact
======

A local attacker could execute arbitrary code with the privileges of
the process, gain privileges on the host system, cause a Denial of
Service condition, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Xen users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r4"

All Xen Tools users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.7.1-r4"

All Xen PvGrub users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-emulation/xen-pvgrub-4.7.1-r1"

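The three version bounds above are the whole of the advisory's machine-checkable content, so the following POSIX shell script, an added example that is not part of the GLSA and not Gentoo's own tooling, encodes that table and decides for each entry of a package inventory whether the installed version is still inside the "Vulnerable" range. The version comparison is a deliberate simplification that handles only N.N.N[-rN] versions (no _rc/_p suffixes or letter versions); the inventory it scans is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of GLSA 201612-56 or of Gentoo's tooling: test whether
# an installed package version falls inside the advisory's "Vulnerable" range.
# Assumption: versions look like N.N.N[-rN]; _rc/_p/letter versions are not handled.

GLSA_ID=201612-56

# Affected packages and first unaffected version, copied from the advisory's table
# ("Unaffected" is ">= version", so "Vulnerable" is everything below it).
GLSA_TABLE='app-emulation/xen 4.7.1-r4
app-emulation/xen-tools 4.7.1-r4
app-emulation/xen-pvgrub 4.7.1-r1'

# version_lt A B: return 0 (true) when A sorts strictly below B.
# Numeric dot-separated components are compared first (a missing component
# counts as 0, so 4.7 < 4.7.1); then the -rN revision (no -r means r0).
version_lt() {
    a=${1%%-r*}; ar=${1#"$a"}; ar=${ar#-r}; ar=${ar:-0}
    b=${2%%-r*}; br=${2#"$b"}; br=${br#-r}; br=${br:-0}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    [ "$ar" -lt "$br" ]
}

# glsa_status CATEGORY/PN PV: print "vulnerable", "unaffected" or "not-listed"
# (the package is not covered by this advisory at all).
glsa_status() {
    fixed=$(printf '%s\n' "$GLSA_TABLE" | awk -v p="$1" '$1 == p { print $2 }')
    if [ -z "$fixed" ]; then
        echo not-listed
    elif version_lt "$2" "$fixed"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# split_atom "cat/pn-pv" -> "cat/pn pv". The version starts at the last "-"
# followed by a digit, so names that themselves contain "-" (xen-tools) split right.
split_atom() {
    printf '%s\n' "$1" | sed -E 's/-([0-9][^-]*(-r[0-9]+)?)$/ \1/'
}

# check_inventory: read "cat/pn-pv" atoms on stdin, print "<status> <pkg> <pv>"
# per line, and return 1 if any listed package is still in the vulnerable range.
check_inventory() {
    rc=0
    while IFS= read -r atom; do
        [ -n "$atom" ] || continue
        set -- $(split_atom "$atom")
        status=$(glsa_status "$1" "$2")
        printf '%s %s %s\n' "$status" "$1" "$2"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Constructed sample inventory (not real system output), in the "cat/pn-pv"
# shape that `qlist -ICv app-emulation/` prints on a Gentoo host.
SAMPLE_INVENTORY='app-emulation/xen-4.7.1-r3
app-emulation/xen-tools-4.7.1-r4
app-emulation/xen-pvgrub-4.7.1
app-emulation/qemu-2.7.0-r1'

# Stand-alone demo: xen (r3 < r4) and xen-pvgrub (no -r, i.e. r0 < r1) come out
# vulnerable, xen-tools is unaffected, qemu is not covered by this GLSA.
if printf '%s\n' "$SAMPLE_INVENTORY" | check_inventory; then
    echo "nothing from GLSA $GLSA_ID left to upgrade"
else
    echo "upgrade needed for GLSA $GLSA_ID" >&2
fi
```

On a live Gentoo host the same question is answered by glsa-check from app-portage/gentoolkit (glsa-check -t affected lists the advisories that apply to the installed set; glsa-check -p 201612-56 shows what it would emerge for this one). The script is for the situation where you only hold a package inventory, such as an export from an asset database or a container image manifest, and want the advisory's bounds applied to it without a portage tree. Note the xen-pvgrub case: a version with no -r suffix is revision 0, so 4.7.1 is below the 4.7.1-r1 bound and must be upgraded even though the upstream version number matches.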
References
==========

[ 1 ] CVE-2016-10024
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10024
[ 2 ] CVE-2016-9377
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9377
[ 3 ] CVE-2016-9378
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9378
[ 4 ] CVE-2016-9379
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9379
[ 5 ] CVE-2016-9380
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9380
[ 6 ] CVE-2016-9381
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9381
[ 7 ] CVE-2016-9382
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9382
[ 8 ] CVE-2016-9383
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9383
[ 9 ] CVE-2016-9384
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9384
[ 10 ] CVE-2016-9385
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9385
[ 11 ] CVE-2016-9386
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9386
[ 12 ] CVE-2016-9637
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9637
[ 13 ] CVE-2016-9815
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9815
[ 14 ] CVE-2016-9816
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9816
[ 15 ] CVE-2016-9817
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9817
[ 16 ] CVE-2016-9818
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9818
[ 17 ] CVE-2016-9932
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9932

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201612-56

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments: signature.asc (application/pgp-signature)