http://support.citrix.com/article/CTX203879

DSA-3519

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

79543

1034477

http://xenbits.xen.org/xsa/advisory-165.html

GLSA-201604-03

xen was updated to fix 36 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0081 for details.

xen was updated to fix 46 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bsc#964746).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bsc#964929).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bsc#964950).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#964644).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#964452).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#962642).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#962335).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#962758).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#964925).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#965112).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#962611).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#962627).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#964431).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#962632).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#964947).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#965156).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#962360).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958918).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956832).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958493).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959006).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#965269).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960726).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960836).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969125).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969126).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961692).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962321).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963783).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964415).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967101).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967090).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#968004).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This security update fixes a number of security issues in Xen in wheezy.

For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.1-1+deb7u1.

We recommend that you upgrade your libidn packages.

CVE-2015-2752

The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm).

CVE-2015-2756

QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.

CVE-2015-5165

The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.

CVE-2015-5307

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.

CVE-2015-7969

Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of 'teardowns' of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall.

CVE-2015-7970

The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a 'time-consuming linear scan,' related to Populate-on-Demand.

CVE-2015-7971

Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.

CVE-2015-7972

The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to 'heavy memory pressure.'

CVE-2015-8104

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.

CVE-2015-8339

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown.

CVE-2015-8340

The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling.

CVE-2015-8550

Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability.

CVE-2015-8554

Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a 'write path.'

CVE-2015-8555

Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors.

CVE-2015-8615

The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ).

CVE-2016-1570

The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.

CVE-2016-1571

The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check.

CVE-2016-2270

Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.

CVE-2016-2271

VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 27 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xen was updated to fix 47 security issues.

These security issues were fixed :

  - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might     have allowed remote attackers to execute arbitrary code     via vectors related to the number of timers     (bnc#864673).

  - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c     allowed remote attackers to cause a denial of service     and possibly execute arbitrary code via a large log_num     value in a savevm image (bnc#864678).

  - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed     remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted tx_fifo_head     and rx_fifo_head values in a savevm image (bnc#864682).

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Xen. Please review the       CVE identifiers referenced below for details.
  Impact :

    A local attacker could possibly cause a Denial of Service condition or       obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

xen was updated to fix 44 security issues.

These security issues were fixed :

  - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load     function in hw/arm/pxa2xx.c allowed remote attackers to     cause a denial of service or possibly execute arbitrary     code via a crafted s->rx_level value in a savevm image     (bsc#864655).

  - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c     allowed remote attackers to cause a denial of service or     possibly execute arbitrary code via vectors related to     IRQDest elements (bsc#864811).

  - CVE-2013-4537: The ssi_sd_transfer function in     hw/sd/ssi-sd.c allowed remote attackers to execute     arbitrary code via a crafted arglen value in a savevm     image (bsc#864391).

  - CVE-2013-4538: Multiple buffer overflows in the     ssd0323_load function in hw/display/ssd0323.c allowed     remote attackers to cause a denial of service (memory     corruption) or possibly execute arbitrary code via     crafted (1) cmd_len, (2) row, or (3) col values; (4)     row_start and row_end values; or (5) col_star and     col_end values in a savevm image (bsc#864769).

  - CVE-2013-4539: Multiple buffer overflows in the     tsc210x_load function in hw/input/tsc210x.c might have     allowed remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm image     (bsc#864805).

  - CVE-2014-0222: Integer overflow in the qcow_open     function in block/qcow.c allowed remote attackers to     cause a denial of service (crash) via a large L2 table     in a QCOW version 1 image (bsc#877642).

  - CVE-2014-3640: The sosendto function in slirp/udp.c     allowed local users to cause a denial of service (NULL     pointer dereference) by sending a udp packet with a     value of 0 in the source port and address, which     triggers access of an uninitialized socket (bsc#897654).

  - CVE-2014-3689: The vmware-vga driver     (hw/display/vmware_vga.c) allowed local guest users to     write to qemu memory locations and gain privileges via     unspecified parameters related to rectangle handling     (bsc#901508).

  - CVE-2014-7815: The set_pixel_format function in ui/vnc.c     allowed remote attackers to cause a denial of service     (crash) via a small bytes_per_pixel value (bsc#902737).

  - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces     in the IDE functionality had multiple interpretations of     a function's return value, which allowed guest OS users     to cause a host OS denial of service (memory consumption     or infinite loop, and system crash) via a PRDT with zero     complete sectors, related to the bmdma_prepare_buf and     ahci_dma_prepare_buf functions (bsc#928393).

  - CVE-2015-1779: The VNC websocket frame decoder allowed     remote attackers to cause a denial of service (memory     and CPU consumption) via a large (1) websocket payload     or (2) HTTP headers section (bsc#924018).

  - CVE-2015-5278: Infinite loop in ne2000_receive()     function (bsc#945989).

  - CVE-2015-6855: hw/ide/core.c did not properly restrict     the commands accepted by an ATAPI device, which allowed     guest users to cause a denial of service or possibly     have unspecified other impact via certain IDE commands,     as demonstrated by a WIN_READ_NATIVE_MAX command to an     empty drive, which triggers a divide-by-zero error and     instance crash (bsc#945404).

  - CVE-2015-7512: Buffer overflow in the pcnet_receive     function in hw/net/pcnet.c, when a guest NIC has a     larger MTU, allowed remote attackers to cause a denial     of service (guest OS crash) or execute arbitrary code     via a large packet (bsc#957162).

  - CVE-2015-7549: pci: NULL pointer dereference issue     (bsc#958917).

  - CVE-2015-8345: eepro100: infinite loop in processing     command block list (bsc#956829).

  - CVE-2015-8504: VNC: floating point exception     (bsc#958491).

  - CVE-2015-8550: Paravirtualized drivers were incautious     about shared memory contents (XSA-155) (bsc#957988).

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164) (bsc#958007).

  - CVE-2015-8555: Information leak in legacy x86 FPU/XMM     initialization (XSA-165) (bsc#958009).

  - CVE-2015-8558: Infinite loop in ehci_advance_state     resulted in DoS (bsc#959005).

  - CVE-2015-8567: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8568: vmxnet3: host memory leakage     (bsc#959387).

  - CVE-2015-8613: SCSI: stack-based buffer overflow in     megasas_ctrl_get_info (bsc#961358).

  - CVE-2015-8619: Stack based OOB write in hmp_sendkey     routine (bsc#960334).

  - CVE-2015-8743: ne2000: OOB memory access in ioport r/w     functions (bsc#960725).

  - CVE-2015-8744: vmxnet3: Incorrect l2 header validation     lead to a crash via assert(2) call (bsc#960835).

  - CVE-2015-8745: Reading IMR registers lead to a crash via     assert(2) call (bsc#960707).

  - CVE-2015-8817: OOB access in address_space_rw lead to     segmentation fault (I) (bsc#969121).

  - CVE-2015-8818: OOB access in address_space_rw lead to     segmentation fault (II) (bsc#969122).

  - CVE-2016-1568: AHCI use-after-free vulnerability in aio     port commands (bsc#961332).

  - CVE-2016-1570: The PV superpage functionality in     arch/x86/mm.c allowed local PV guests to obtain     sensitive information, cause a denial of service, gain     privileges, or have unspecified other impact via a     crafted page identifier (MFN) to the (1)     MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in     the HYPERVISOR_mmuext_op hypercall or (3) unknown     vectors related to page table updates (bsc#960861).

  - CVE-2016-1571: VMX: intercept issue with INVLPG on     non-canonical address (XSA-168) (bsc#960862).

  - CVE-2016-1714: nvram: OOB r/w access in processing     firmware configurations (bsc#961691).

  - CVE-2016-1922: NULL pointer dereference in vapic_write()     (bsc#962320).

  - CVE-2016-1981: e1000 infinite loop in start_xmit and     e1000_receive_iov routines (bsc#963782).

  - CVE-2016-2198: EHCI NULL pointer dereference in     ehci_caps_write (bsc#964413).

  - CVE-2016-2270: Xen allowed local guest administrators to     cause a denial of service (host reboot) via vectors     related to multiple mappings of MMIO pages with     different cachability settings (bsc#965315).

  - CVE-2016-2271: VMX when using an Intel or Cyrix CPU,     allowed local HVM guest users to cause a denial of     service (guest crash) via vectors related to a     non-canonical RIP (bsc#965317).

  - CVE-2016-2391: usb: multiple eof_timers in ohci module     lead to NULL pointer dereference (bsc#967013).

  - CVE-2016-2392: NULL pointer dereference in remote NDIS     control message handling (bsc#967012).

  - CVE-2016-2538: Integer overflow in remote NDIS control     message handling (bsc#967969).

  - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive     (bsc#969350).

  - XSA-166: ioreq handling possibly susceptible to multiple     read issue (bsc#958523).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.

The oldstable distribution (wheezy) will be updated in a separate DSA.

Xen was updated to fix the following vulnerabilities :

CVE-2014-0222: Qcow1 L2 table size integer overflows (bsc#877642)

CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267)

CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463)

CVE-2015-7504: Heap buffer overflow vulnerability in pcnet emulator (XSA-162, bsc#956411)

CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (XSA-152, bsc#950706)

CVE-2015-8104: Guest to host DoS by triggering an infinite loop in microcode via #DB exception (bsc#954405)

CVE-2015-5307: Guest to host DOS by intercepting #AC (XSA-156, bsc#953527)

CVE-2015-8339: XENMEM_exchange error handling issues (XSA-159, bsc#956408)

CVE-2015-8340: XENMEM_exchange error handling issues (XSA-159, bsc#956408)

CVE-2015-7512: Buffer overflow in pcnet's non-loopback mode (bsc#962360)

CVE-2015-8550: Paravirtualized drivers incautious about shared memory contents (XSA-155, bsc#957988)

CVE-2015-8504: Avoid floating point exception in vnc support (bsc#958493)

CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165, bsc#958009)

Ioreq handling possibly susceptible to multiple read issue (XSA-166, bsc#958523)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

paravirtualized drivers incautious about shared memory contents [XSA-155, CVE-2015-8550] qemu-dm buffer overrun in MSI-X handling [XSA-164, CVE-2015-8554] information leak in legacy x86 FPU/XMM initialization [XSA-165, CVE-2015-8555] ioreq handling possibly susceptible to multiple read issue [XSA-166]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/VMX: prevent INVVPID failure due to non-canonical     guest address While INVLPG (and on SVM INVLPGA) don't     fault on non-canonical addresses, INVVPID fails (in the     'individual address' case) when passed such an address.
    Since such intercepted INVLPG are effectively no-ops     anyway, don't fix this in vmx_invlpg_intercept, but     instead have paging_invlpg never return true in such a     case. This is XSA-168. (CVE-2016-1571)

  - x86/mm: PV superpage handling lacks sanity checks     MMUEXT_[,UN]MARK_SUPER fail to check the input MFN for     validity before dereferencing pointers into the     superpage frame table. get_superpage has a similar     issue. This is XSA-167. (CVE-2016-1570)

  - x86/HVM: avoid reading ioreq state more than once     Otherwise, especially when the compiler chooses to     translate the switch to a jump table, unpredictable     behavior (and in the jump table case arbitrary code     execution) can result. This is XSA-166.

  - x86: don't leak ST(n)/XMMn values to domains first using     them FNINIT doesn't alter these registers, and hence     using it is insufficient to initialize a guest's initial     state. This is XSA-165. (CVE-2015-8555)

  - MSI-X: avoid array overrun upon MSI-X table writes     pt_msix_init allocates msix->msix_entry[] to just cover     msix->total_entries entries. While pci_msix_readl     resorts to reading physical memory for out of bounds     reads, pci_msix_writel so far simply accessed/corrupted     unrelated memory. pt_iomem_map's call to     cpu_register_physical_memory registers a page granular     region, which is necessary as the Pending Bit Array may     share space with the MSI-X table (but nothing else is     allowed to). This also explains why pci_msix_readl     actually honors out of bounds reads, but pci_msi_writel     doesn't need to. This is XSA-164. (CVE-2015-8554)

  - From 43a10fecd6f4a9d8adf9f5d85e3d5e7187e2d54a Mon Sep 17     00:00:00 2001 From: Ian Jackson Date: Wed, 18 Nov 2015     15:34:54 +0000 Subject: [PATCH] libxl: Fix     bootloader-related virtual memory leak on pv build     failure The bootloader may call     libxl__file_reference_map, which mmap's the pv_kernel     and pv_ramdisk into process memory. This was only     unmapped, however, on the success path of     libxl__build_pv. If there were a failure anywhere     between libxl_bootloader.c:parse_bootloader_result and     the end of libxl__build_pv, the calls to     libxl__file_reference_unmap would be skipped, leaking     the mapped virtual memory. Ideally this would be fixed     by adding the unmap calls to the destruction path for     libxl__domain_build_state. Unfortunately the lifetime of     the libxl__domain_build_state is opaque, and it doesn't     have a proper destruction path. But, the only thing in     it that isn't from the gc are these bootloader     references, and they are only ever set for one     libxl__domain_build_state, the one which is     libxl__domain_create_state.build_state. So we can clean     up in the exit path from libxl__domain_create_*, which     always comes through domcreate_complete. Remove the     now-redundant unmaps in libxl__build_pv's success path.
    This is XSA-160.

    Based on xen.org's xsa160.patch Conflicts: adjust patch     context to match OVM 3.3 code base (CVE-2015-8341)

  - memory: fix XENMEM_exchange error handling assign_pages     can fail due to the domain getting killed in parallel,     which should not result in a hypervisor crash. Also     delete a redundant put_gfn - all relevant paths leading     to the 'fail' label already do this (and there are also     paths where it was plain wrong). All of the put_gfn-s     got introduced by 51032ca058 ('Modify naming of queries     into the p2m'), including the otherwise unneeded     initializer for k (with even a kind of misleading     comment - the compiler warning could actually have     served as a hint that the use is wrong). This is     XSA-159.

22326022] (CVE-2015-8339, CVE-2015-8340)

  - x86/HVM: always intercept #AC and #DB Both being benign     exceptions, and both being possible to get triggered by     exception delivery, this is required to prevent a guest     from locking up a CPU (resulting from no other VM exits     occurring once getting into such a loop). The specific     scenarios: 1) #AC may be raised during exception     delivery if the handler is set to be a ring-3 one by a     32-bit guest, and the stack is misaligned. 2) #DB may be     raised during exception delivery when a breakpoint got     placed on a data structure involved in delivering the     exception. This can result in an endless loop when a     64-bit guest uses a non-zero IST for the vector 1 IDT     entry, but even without use of IST the time it takes     until a contributory fault would get raised (results     depending on the handler) may be quite long. This is     XSA-156.

(CVE-2015-5307, CVE-2015-8104)

This update for xen fixes the following issues :

  - CVE-2015-8567,CVE-2015-8568: xen: qemu: net: vmxnet3:
    host memory leakage (boo#959387)

  - CVE-2015-8550: xen: paravirtualized drivers incautious     about shared memory contents (XSA-155, boo#957988)

  - CVE-2015-8558: xen: qemu: usb: infinite loop in     ehci_advance_state results in DoS (boo#959006)

  - CVE-2015-7549: xen: qemu pci: NULL pointer dereference     issue (boo#958918)

  - CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point     exception (boo#958493)

  - CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X     handling (XSA-164, boo#958007)

  - CVE-2015-8555: xen: information leak in legacy x86     FPU/XMM initialization (XSA-165, boo#958009)

  - boo#958523: xen: ioreq handling possibly susceptible to     multiple read issue (XSA-166)

  - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop     in processing command block list (boo#956832)

  - CVE-2015-5307: xen: x86: CPU lockup during fault     delivery (XSA-156, boo#954018)

  - boo#956592: xen: virtual PMU is unsupported (XSA-163)

  - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error     handling issues (XSA-159, boo#956408)

  - CVE-2015-8341: xen: libxl leak of pv kernel and initrd     on error (XSA-160, boo#956409)

  - CVE-2015-7504: xen: heap buffer overflow vulnerability     in pcnet emulator (XSA-162, boo#956411)

This update for xen fixes the following security issues :

  - CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3:
    host memory leakage (boo#959387)

  - CVE-2015-8550: xen: paravirtualized drivers incautious     about shared memory contents (XSA-155, boo#957988)

  - CVE-2015-8558: xen: qemu: usb: infinite loop in     ehci_advance_state results in DoS (boo#959006)

  - CVE-2015-7549: xen: qemu pci: NULL pointer dereference     issue (boo#958918)

  - CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point     exception (boo#958493)

  - CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X     handling (XSA-164, boo#958007)

  - CVE-2015-8555: xen: information leak in legacy x86     FPU/XMM initialization (XSA-165, boo#958009)

  - boo#958523: xen: ioreq handling possibly susceptible to     multiple read issue (XSA-166)

  - CVE-2015-5307: xen: x86: CPU lockup during fault     delivery (XSA-156, boo#954018)

  - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop     in processing command block list (boo#956832)

  - boo#956592: xen: virtual PMU is unsupported (XSA-163)

  - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error     handling issues (XSA-159, boo#956408)

  - CVE-2015-8341: xen: libxl leak of pv kernel and initrd     on error (XSA-160, boo#956409)

  - CVE-2015-7504: xen: heap buffer overflow vulnerability     in pcnet emulator (XSA-162, boo#956411)

This update for xen fixes the following security issues :

  - CVE-2015-8550: paravirtualized drivers incautious about     shared memory contents (XSA-155, boo#957988)

  - CVE-2015-8558: qemu: usb: infinite loop in     ehci_advance_state results in DoS (boo#959006)

  - CVE-2015-7549: qemu pci: NULL pointer dereference issue     (boo#958918)

  - CVE-2015-8504: qemu: ui: vnc: avoid floating point     exception (boo#958493)

  - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling     (XSA-164, boo#958007) 

  - CVE-2015-8555: information leak in legacy x86 FPU/XMM     initialization (XSA-165, boo#958009)

  - boo#958523 xen: ioreq handling possibly susceptible to     multiple read issue (XSA-166)

  - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop     in processing command block list (boo#956832)

  - boo#956592: xen: virtual PMU is unsupported (XSA-163)

  - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error     handling issues (XSA-159, boo#956408)

  - CVE-2015-8341: xen: libxl leak of pv kernel and initrd     on error (XSA-160, boo#956409)

  - CVE-2015-7504: xen: heap buffer overflow vulnerability     in pcnet emulator (XSA-162, boo#956411)

  - CVE-2015-7311: xen: libxl fails to honour readonly flag     on disks with qemu-xen (xsa-142, boo#947165)

  - CVE-2015-8104: Xen: guest to host DoS by triggering an     infinite loop in microcode via #DB exception     (boo#954405)

  - CVE-2015-5307: xen: x86: CPU lockup during fault     delivery (XSA-156, boo#954018)

  - CVE-2015-7970: xen: x86: Long latency populate-on-demand     operation is not preemptible (XSA-150, boo#950704)

The Xen Project reports :

When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers.

A malicious domain may be able to leverage this to obtain sensitive information such as cryptographic keys from another domain.

ID	Name	Product	Family	Severity
93177	SUSE SLES11 Security Update : xen (SUSE-SU-2016:1745-1)	Nessus	SuSE Local Security Checks	high
91756	OracleVM 3.2 : xen (OVMSA-2016-0081)	Nessus	OracleVM Local Security Checks	high
91249	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)	Nessus	SuSE Local Security Checks	high
91198	Debian DLA-479-1 : xen security update	Nessus	Debian Local Security Checks	medium
90759	SUSE SLES11 Security Update : xen (SUSE-SU-2016:1154-1)	Nessus	SuSE Local Security Checks	high
90396	SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)	Nessus	SuSE Local Security Checks	high
90380	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)	Nessus	Gentoo Local Security Checks	high
90186	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:0873-1)	Nessus	SuSE Local Security Checks	high
90030	Debian DSA-3519-1 : xen - security update	Nessus	Debian Local Security Checks	high
89723	SUSE SLES10 Security Update : Xen (SUSE-SU-2016:0658-1)	Nessus	SuSE Local Security Checks	high
89429	Fedora 23 : xen-4.5.2-6.fc23 (2015-d8253e2b1d)	Nessus	Fedora Local Security Checks	medium
89398	Fedora 22 : xen-4.5.2-6.fc22 (2015-c44bd3e0fa)	Nessus	Fedora Local Security Checks	medium
88170	OracleVM 3.3 : xen (OVMSA-2016-0007)	Nessus	OracleVM Local Security Checks	high
88126	openSUSE Security Update : xen (openSUSE-2016-36)	Nessus	SuSE Local Security Checks	high
88125	openSUSE Security Update : xen (openSUSE-2016-35)	Nessus	SuSE Local Security Checks	high
88124	openSUSE Security Update : xen (openSUSE-2016-34)	Nessus	SuSE Local Security Checks	high
87752	FreeBSD : xen-kernel -- information leak in legacy x86 FPU/XMM initialization (e839ca04-b40d-11e5-9728-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2015-8555

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins