Gentoo Archives: gentoo-commits

From: "Chris Reffett (creffett)" <creffett@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-201309-24.xml
Date: Fri, 27 Sep 2013 20:22:58
Message-Id: 20130927202252.2B1B32004C@flycatcher.gentoo.org
creffett 13/09/27 20:22:52

Added: glsa-201309-24.xml
Log:
GLSA-201309-24

Revision Changes Path
1.1 xml/htdocs/security/en/glsa/glsa-201309-24.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201309-24.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/glsa/glsa-201309-24.xml?rev=1.1&content-type=text/plain

Index: glsa-201309-24.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201309-24">
<title>Xen: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, allowing an attacker
in a guest virtual machine to execute arbitrary code, cause a Denial of
Service, or gain access to data on the host.
</synopsis>
<product type="ebuild">xen</product>
<announced>September 27, 2013</announced>
<revised>September 27, 2013: 1</revised>
<bug>385319</bug>
<bug>386371</bug>
<bug>420875</bug>
<bug>431156</bug>
<bug>454314</bug>
<bug>464724</bug>
<bug>472214</bug>
<bug>482860</bug>
<access>local</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.2.2-r1</unaffected>
<vulnerable range="lt">4.2.2-r1</vulnerable>
</package>
<package name="app-emulation/xen-tools" auto="yes" arch="*">
<unaffected range="ge">4.2.2-r3</unaffected>
<vulnerable range="lt">4.2.2-r3</vulnerable>
</package>
<package name="app-emulation/xen-pvgrub" auto="yes" arch="*">
<unaffected range="ge">4.2.2-r1</unaffected>
<vulnerable range="lt">4.2.2-r1</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A malicious or compromised guest domain could gain privileges, execute
arbitrary code, or cause a Denial of Service on the host domain (Dom0).
Additionally, a guest domain could obtain information about other virtual
machines running on the same host or read arbitrary files on the host.
</p>
</impact>
<workaround>
<p>The CVEs listed below have no fix at the time of this advisory, but they
only affect Xen hosts booted with “tmem” on the hypervisor command line.
TMEM is not supported for use in production systems, and administrators
who have enabled it should disable it (remove “tmem” from the hypervisor
command line and reboot).
Relevant CVEs:
* CVE-2012-3497
* CVE-2012-6030
* CVE-2012-6031
* CVE-2012-6032
* CVE-2012-6033
* CVE-2012-6034
* CVE-2012-6035
* CVE-2012-6036
</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>

<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.2.2-r1"
</code>

<p>All Xen-tools users should upgrade to the latest version:</p>

<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-tools-4.2.2-r3"
</code>

<p>All Xen-pvgrub users should upgrade to the latest version:</p>

<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-pvgrub-4.2.2-r1"
</code>

</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2901">CVE-2011-2901</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3262">CVE-2011-3262</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0217">CVE-2012-0217</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0218">CVE-2012-0218</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2934">CVE-2012-2934</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3432">CVE-2012-3432</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3433">CVE-2012-3433</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3494">CVE-2012-3494</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3495">CVE-2012-3495</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3496">CVE-2012-3496</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3497">CVE-2012-3497</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3498">CVE-2012-3498</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3515">CVE-2012-3515</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4411">CVE-2012-4411</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4535">CVE-2012-4535</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4536">CVE-2012-4536</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4537">CVE-2012-4537</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4538">CVE-2012-4538</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4539">CVE-2012-4539</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5510">CVE-2012-5510</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5511">CVE-2012-5511</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5512">CVE-2012-5512</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5513">CVE-2012-5513</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5514">CVE-2012-5514</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5515">CVE-2012-5515</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5525">CVE-2012-5525</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5634">CVE-2012-5634</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6030">CVE-2012-6030</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6031">CVE-2012-6031</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6032">CVE-2012-6032</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6033">CVE-2012-6033</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6034">CVE-2012-6034</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6035">CVE-2012-6035</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6036">CVE-2012-6036</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6075">CVE-2012-6075</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6333">CVE-2012-6333</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0151">CVE-2013-0151</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0152">CVE-2013-0152</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0153">CVE-2013-0153</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0154">CVE-2013-0154</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0215">CVE-2013-0215</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1432">CVE-2013-1432</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1917">CVE-2013-1917</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1918">CVE-2013-1918</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1919">CVE-2013-1919</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1920">CVE-2013-1920</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1922">CVE-2013-1922</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1952">CVE-2013-1952</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1964">CVE-2013-1964</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2076">CVE-2013-2076</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2077">CVE-2013-2077</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2078">CVE-2013-2078</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2194">CVE-2013-2194</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2195">CVE-2013-2195</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2196">CVE-2013-2196</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2211">CVE-2013-2211</uri>
<uri link="http://lists.xen.org/archives/html/xen-announce/2012-09/msg00006.html">Xen TMEM</uri>
</references>
<metadata tag="requester" timestamp="Tue, 06 Mar 2012 01:02:21 +0000">craig</metadata>
<metadata tag="submitter" timestamp="Fri, 27 Sep 2013 20:19:09 +0000">creffett</metadata>
</glsa>
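An exposure check for this advisory, added here as an example; it is not part of the GLSA and not Gentoo or Xen tooling. It encodes the three `<affected>` ranges (every vulnerable range in this GLSA is `lt`, i.e. anything below the first unaffected version), flags installed packages that still fall inside a range, and reports whether the `tmem` workaround applies by looking at the hypervisor command line. Assumptions not taken from the advisory: installed packages are passed as `category/name-version` strings (the form `qlist -Iv` prints), the command line is read from the `xen_commandline` field of `xl info` output, the accepted spellings follow Xen's boolean option syntax (`tmem`, `tmem=on`, negated by `no-tmem` or `tmem=0`), and the sample inputs are constructed. Version parsing covers release numbers with an optional Gentoo `-rN` revision, which is all these ranges use; `_rc`, `_p` and similar suffixes are rejected rather than mis-ordered.

```python
"""Exposure check for GLSA 201309-24 (added example; not part of the GLSA or Gentoo's tooling).

Assumed, not taken from the advisory: installed packages arrive as 'category/name-version'
strings (the output format of `qlist -Iv`), the hypervisor command line is the
'xen_commandline' field of `xl info`, and the sample data below is constructed.
"""
import re

# First unaffected version per package, copied from the advisory's <affected> block.
# Every vulnerable range in this GLSA is "lt": anything below this version is affected.
FIXED = {
    "app-emulation/xen": "4.2.2-r1",
    "app-emulation/xen-tools": "4.2.2-r3",
    "app-emulation/xen-pvgrub": "4.2.2-r1",
}

# Release numbers with an optional Gentoo -rN revision; _rc/_p suffixes are rejected, not mis-ordered.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# Package name, then '-' and a version that starts with a digit (Portage atom layout).
_ATOM_RE = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")


def parse_version(version):
    """'4.2.2-r1' -> ((4, 2, 2), 1). A missing revision counts as -r0, as in Portage."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, int(m.group(2) or 0)


def split_atom(atom):
    """'app-emulation/xen-tools-4.2.2-r3' -> ('app-emulation/xen-tools', '4.2.2-r3')."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a versioned package atom: {atom!r}")
    return m.group(1), m.group(2)


def is_vulnerable(atom, fixed=FIXED):
    """True when the package is covered by the advisory and installed below its fixed version."""
    package, version = split_atom(atom)
    if package not in fixed:
        return False  # not covered by this GLSA; its version is never parsed
    return parse_version(version) < parse_version(fixed[package])


def vulnerable_packages(installed, fixed=FIXED):
    """Installed atoms that still fall inside a vulnerable range."""
    return [atom for atom in installed if is_vulnerable(atom, fixed)]


def xen_commandline(xl_info_output):
    """Pull the hypervisor command line out of `xl info`-style 'key : value' lines."""
    for line in xl_info_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "xen_commandline":
            return value.strip()
    return ""


_TRUE = {"1", "on", "yes", "true", "enable"}


def tmem_enabled(cmdline):
    """The workaround applies only when tmem itself is switched on.

    Assumed Xen boolean option syntax: 'tmem' or 'tmem=on/yes/true/1' enable it,
    'no-tmem' or 'tmem=0' disable it, and the last occurrence wins. Sub-options such
    as 'tmem_compress' do not enable tmem by themselves, so only the bare name counts.
    """
    enabled = False
    for token in cmdline.split():
        name, _, value = token.partition("=")
        if name == "tmem":
            enabled = value == "" or value.lower() in _TRUE
        elif name == "no-tmem":
            enabled = False
    return enabled


def check_host(installed, xl_info_output, fixed=FIXED):
    """Summarise one host's exposure to this GLSA."""
    return {
        "vulnerable": vulnerable_packages(installed, fixed),
        "tmem_workaround_applies": tmem_enabled(xen_commandline(xl_info_output)),
    }


# Constructed sample data: a host still on vulnerable xen and xen-tools builds, booted with tmem.
SAMPLE_INSTALLED = [
    "app-emulation/xen-4.2.1-r3",
    "app-emulation/xen-tools-4.2.2-r2",
    "app-emulation/xen-pvgrub-4.2.2-r1",
    "sys-apps/portage-2.2.0_alpha188",  # not covered by the GLSA, so it is skipped
]
SAMPLE_XL_INFO = """\
host                   : dom0
release                : 3.10.7-gentoo
xen_version            : 4.2.1
xen_commandline        : dom0_mem=1024M,max:1024M loglvl=all tmem
"""

if __name__ == "__main__":
    for key, value in check_host(SAMPLE_INSTALLED, SAMPLE_XL_INFO).items():
        print(f"{key}: {value}")
```

On a real host the two inputs would come from `qlist -Iv` and `xl info`; the check deliberately fails loudly on version strings it cannot order rather than guessing, so a `_rc` build shows up as an error to look at, not as a silent pass.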