Fedora 17 : xen-4.1.5-1.fc17 (2013-6723)

This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.


Synopsis :

The remote Fedora host is missing a security update.

Description :

- Thu Apr 25 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.5-1

- update to xen-4.1.5 includes fixes for
  - passed through IRQs or PCI devices might allow denial
    of service attack [XSA-46, CVE-2013-1919] (#953568)
  - SYSENTER in 32-bit PV guests on 64-bit xen can crash
    hypervisor [XSA-44, CVE-2013-1917] (#953569)
  - grant releases can release more than intended
    potentially crashing xen [XSA-50, CVE-2013-1964]
    (#953632)

- remove patches that are included in 4.1.5

- allow xendomains to work with xl saved images

- Thu Apr 4 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-7

- make xendomains systemd script executable (#919705)

- Potential use of freed memory in event channel
operations [XSA-47, CVE-2013-1920]

- Fri Feb 22 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-6

- patch for [XSA-36, CVE-2013-0153] can cause boot time
crash

- backport the fixes discovered when building with gcc
4.8

- Fri Feb 15 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-5

- patch for [XSA-38, CVE-2013-0215] was flawed

- Wed Feb 6 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-4

- guest using oxenstored can crash host or exhaust
memory [XSA-38, CVE-2013-0215] (#907888)

- guest using AMD-Vi for PCI passthrough can cause denial
of service [XSA-36, CVE-2013-0153] (#910914)

- Thu Jan 17 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-3

- Buffer overflow when processing large packets in qemu
e1000 device driver [XSA-41, CVE-2012-6075] (#910845)

- fix a bug introduced by fix for XSA-27

- Fri Jan 11 2013 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-2

- VT-d interrupt remapping source validation flaw
[XSA-33, CVE-2012-5634] (#893568)

- Tue Dec 18 2012 Michael Young <m.a.young at
durham.ac.uk> - 4.1.4-1

- update to xen-4.1.4

- remove patches that are included in 4.1.4

- Tue Dec 4 2012 Michael Young <m.a.young at
durham.ac.uk> - 4.1.3-7

- 6 security fixes
  - A guest can cause xen to crash [XSA-26, CVE-2012-5510]
    (#883082)
  - An HVM guest can cause xen to run slowly or crash
    [XSA-27, CVE-2012-5511] (#883084)
  - An HVM guest can cause xen to crash or leak information
    [XSA-28, CVE-2012-5512] (#883085)
  - A PV guest can cause xen to crash and might be able to
    escalate privileges [XSA-29, CVE-2012-5513] (#883088)
  - An HVM guest can cause xen to hang [XSA-30,
    CVE-2012-5514] (#883091)
  - A guest can cause xen to hang [XSA-31, CVE-2012-5515]
    (#883092)

- Tue Nov 13 2012 Michael Young <m.a.young at
durham.ac.uk> - 4.1.3-6

- 5 security fixes
  - A guest can block a cpu by setting a bad VCPU deadline
    [XSA 20, CVE-2012-4535] (#876198)

[plus 60 lines in the Changelog]

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=950668
https://bugzilla.redhat.com/show_bug.cgi?id=950686
https://bugzilla.redhat.com/show_bug.cgi?id=953632
http://www.nessus.org/u?21e17665

Solution :

Update the affected xen package.

Risk factor :

Medium / CVSS Base Score : 6.9
(CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.0
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Fedora Local Security Checks

Nessus Plugin ID: 66321

Bugtraq ID: 59291
59292
59293

CVE ID: CVE-2013-1917
CVE-2013-1919
CVE-2013-1964
