openSUSE Security Update : xen (openSUSE-SU-2013:1392-1)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Xen was updated to the 4.1.5 release, which fixes various bugs and
security issues.

Issues fixed separately from the 4.1.5 release :

- bnc#824676 - Failed to setup devices for vm instance
when start multiple vms simultaneously

- bnc#XXXXXX - xen: CVE-2013-XXXX: XSA-61: suppress device
assignment to HVM guest when there is no IOMMU

- Various upstream patches from Jan were integrated.

- bnc#823786 - migrate.py support of short options dropped
by PTF

- bnc#803712 - after live migration rcu_sched_state
detected stalls; add new option xm migrate --min_remaing
<num>

- CVE-2013-1432 / bnc#826882 - xen: XSA-58: x86: fix page
refcount handling in page table pin error path

- CVE-2013-2211 / bnc#823608 - xen: XSA-57: libxl allows
guest write access to sensitive console related xenstore
keys

- bnc#823011 - xen: XSA-55: Multiple vulnerabilities in
libelf PV kernel handling

- bnc#801663 - performance of mirror lvm unsuitable for
production

- CVE-2013-1918 / bnc#816159 - xen: CVE-2013-1918: XSA-45:
Several long latency operations are not preemptible

- CVE-2013-1952 / bnc#816163 - xen: CVE-2013-1952: XSA-49:
VT-d interrupt remapping source validation flaw for
bridges

- CVE-2013-2076 / bnc#820917 - CVE-2013-2076: xen:
Information leak on XSAVE/XRSTOR capable AMD CPUs
(XSA-52)

- CVE-2013-2077 / bnc#820919 - CVE-2013-2077: xen:
Hypervisor crash due to missing exception recovery on
XRSTOR (XSA-53)

- CVE-2013-2078 / bnc#820920 - CVE-2013-2078: xen:
Hypervisor crash due to missing exception recovery on
XSETBV (XSA-54)

- CVE-2013-2072 / bnc#819416 - xen: CVE-2013-2072: XSA-56:
Buffer overflow in xencontrol Python bindings affecting
xend

- Update to Xen 4.1.5 c/s 23509. Many xen.spec file
patches were dropped because they are now included in the
4.1.5 tarball.

- CVE-2013-1918 / bnc#816159 - xen: XSA-45: Several long
latency operations are not preemptible

- CVE-2013-1952 / bnc#816163 - xen: XSA-49: VT-d interrupt
remapping source validation flaw for bridges

- bnc#809662 - can't use pv-grub to start domU (pygrub
does work)

- CVE-2013-1917 / bnc#813673 - xen: Xen PV DoS
vulnerability with SYSENTER

- CVE-2013-1919 / bnc#813675 - xen: Several access
permission issues with IRQs for unprivileged guests

- CVE-2013-1920 / bnc#813677 - xen: Potential use of freed
memory in event channel operations

- bnc#814709 - Unable to create XEN virtual machines in
SLED 11 SP2 on Kyoto

See also :

http://lists.opensuse.org/opensuse-updates/2013-08/msg00056.html
https://bugzilla.novell.com/show_bug.cgi?id=801663
https://bugzilla.novell.com/show_bug.cgi?id=803712
https://bugzilla.novell.com/show_bug.cgi?id=809662
https://bugzilla.novell.com/show_bug.cgi?id=813673
https://bugzilla.novell.com/show_bug.cgi?id=813675
https://bugzilla.novell.com/show_bug.cgi?id=813677
https://bugzilla.novell.com/show_bug.cgi?id=814709
https://bugzilla.novell.com/show_bug.cgi?id=816156
https://bugzilla.novell.com/show_bug.cgi?id=816159
https://bugzilla.novell.com/show_bug.cgi?id=816163
https://bugzilla.novell.com/show_bug.cgi?id=819416
https://bugzilla.novell.com/show_bug.cgi?id=820917
https://bugzilla.novell.com/show_bug.cgi?id=820919
https://bugzilla.novell.com/show_bug.cgi?id=820920
https://bugzilla.novell.com/show_bug.cgi?id=823011
https://bugzilla.novell.com/show_bug.cgi?id=823608
https://bugzilla.novell.com/show_bug.cgi?id=823786
https://bugzilla.novell.com/show_bug.cgi?id=824676
https://bugzilla.novell.com/show_bug.cgi?id=826882

Solution :

Update the affected xen packages.

Risk factor :

High / CVSS Base Score : 7.4
(CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false
