Debian DSA-4369-1 : xen - security update
High Nessus Plugin ID 121168
Synopsis
The remote Debian host is missing a security-related update.
Description
Multiple vulnerabilities have been discovered in the Xen hypervisor :
- CVE-2018-19961 / CVE-2018-19962 Paul Durrant discovered that incorrect TLB handling could result in denial of service, privilege escalation or information leaks.
- CVE-2018-19965 Matthew Daley discovered that incorrect handling of the INVPCID instruction could result in denial of service by PV guests.
- CVE-2018-19966 It was discovered that a regression in the fix to address CVE-2017-15595 could result in denial of service, privilege escalation or information leaks by a PV guest.
- CVE-2018-19967 It was discovered that an error in some Intel CPUs could result in denial of service by a guest instance.
Solution
Upgrade the xen packages.
For the stable distribution (stretch), these problems have been fixed in version 4.8.5+shim4.10.2+xsa282-1+deb9u11.