Security update for xen SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1964-1 Final 1 1 2015-10-30T17:14:32Z current 2015-10-30T17:14:32Z 2015-10-30T17:14:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen xen was updated to fix 13 security issues. These security issues were fixed: - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845). - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS) (bsc#950703). - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705). - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706). - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267). - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642). - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367). - CVE-2015-7311: libxl fails to honour readonly flag on disks with qemu-xen (bsc#947165). - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712). - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709). - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463). - CVE-2015-6815: e1000: infinite loop issue (bsc#944697). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). This non-security issues was fixed: - bsc#941074: VmError: Device 51728 (vbd) could not be connected. Hotplug scripts not working. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html E-Mail link for openSUSE-SU-2015:1964-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings xen-4.3.4_06-50.1 xen-devel-4.3.4_06-50.1 xen-doc-html-4.3.4_06-50.1 xen-kmp-default-4.3.4_06_k3.11.10_29-50.1 xen-kmp-desktop-4.3.4_06_k3.11.10_29-50.1 xen-kmp-pae-4.3.4_06_k3.11.10_29-50.1 xen-libs-4.3.4_06-50.1 xen-libs-32bit-4.3.4_06-50.1 xen-tools-4.3.4_06-50.1 xen-tools-domU-4.3.4_06-50.1 xen-xend-tools-4.3.4_06-50.1 Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVE-2014-0222 moderate 5.5 AV:A/AC:L/Au:S/C:N/I:N/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2014-0222.html CVE-2014-0222 https://bugzilla.suse.com/877642 SUSE Bug 877642 https://bugzilla.suse.com/950367 SUSE Bug 950367 https://bugzilla.suse.com/964925 SUSE Bug 964925 The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program. CVE-2015-4037 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-4037.html CVE-2015-4037 https://bugzilla.suse.com/932267 SUSE Bug 932267 https://bugzilla.suse.com/950367 SUSE Bug 950367 Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. CVE-2015-5154 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-5154.html CVE-2015-5154 https://bugzilla.suse.com/938344 SUSE Bug 938344 https://bugzilla.suse.com/950367 SUSE Bug 950367 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5165 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-5165.html CVE-2015-5165 https://bugzilla.suse.com/939712 SUSE Bug 939712 https://bugzilla.suse.com/950367 SUSE Bug 950367 Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice. CVE-2015-5166 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-5166.html CVE-2015-5166 https://bugzilla.suse.com/939709 SUSE Bug 939709 https://bugzilla.suse.com/950367 SUSE Bug 950367 Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. CVE-2015-5239 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-5239.html CVE-2015-5239 https://bugzilla.suse.com/944463 SUSE Bug 944463 https://bugzilla.suse.com/950367 SUSE Bug 950367 The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. CVE-2015-6815 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-6815.html CVE-2015-6815 https://bugzilla.suse.com/944697 SUSE Bug 944697 https://bugzilla.suse.com/950367 SUSE Bug 950367 libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. CVE-2015-7311 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-7311.html CVE-2015-7311 https://bugzilla.suse.com/947165 SUSE Bug 947165 https://bugzilla.suse.com/950367 SUSE Bug 950367 The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. CVE-2015-7835 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-7835.html CVE-2015-7835 https://bugzilla.suse.com/940929 SUSE Bug 940929 https://bugzilla.suse.com/947159 SUSE Bug 947159 https://bugzilla.suse.com/950367 SUSE Bug 950367 Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. CVE-2015-7969 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-7969.html CVE-2015-7969 https://bugzilla.suse.com/950703 SUSE Bug 950703 https://bugzilla.suse.com/950705 SUSE Bug 950705 Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. CVE-2015-7971 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-7971.html CVE-2015-7971 https://bugzilla.suse.com/950706 SUSE Bug 950706 The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure." CVE-2015-7972 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2015-11/msg00018.html https://www.suse.com/security/cve/CVE-2015-7972.html CVE-2015-7972 https://bugzilla.suse.com/950704 SUSE Bug 950704 https://bugzilla.suse.com/951845 SUSE Bug 951845