SuSE 11.2 Security Update : Xen (SAT Patch Number 7492)

High Nessus Plugin ID 65797


The remote SuSE 11 host is missing one or more security updates.


XEN has been updated to fix various bugs and security issues :

- (XSA 36) To avoid an erratum in early hardware, the Xen AMD IOMMU code by default choose to use a single interrupt remapping table for the whole system. This sharing implied that any guest with a passed through PCI device that is bus mastering capable can inject interrupts into other guests, including domain 0. This has been disabled for AMD chipsets not capable of it.

- qemu: The e1000 had overflows under some conditions, potentially corrupting memory. (CVE-2012-6075)

- (XSA 37) Hypervisor crash due to incorrect ASSERT (debug build only). (CVE-2013-0154)

- (XSA-33) A VT-d interrupt remapping source validation flaw was fixed. Also the following bugs have been fixed :. (CVE-2012-5634)

- xen hot plug attach/detach fails. (bnc#805094)

- domain locking can prevent a live migration from completing. (bnc#802690)

- no way to control live migrations. (bnc#797014)

- fix logic error in stdiostream_progress

- restore logging in xc_save

- add options to control migration tunables

- enabling xentrace crashes hypervisor. (bnc#806736)

- Upstream patches from Jan 26287-sched-credit-pick-idle.patch 26501-VMX-simplify-CR0-update.patch 26502-VMX-disable-SMEP-when-not-paging.patch 26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch) 26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch) 26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch) 26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch) 26526-pvdrv-no-devinit.patch 26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch)

- Add $network to xend initscript dependencies.

- Unable to dvd or cdrom-boot DomU after xen-tools update Fixed with update to Xen version 4.1.4. (bnc#799694)

- L3: HP iLo Generate NMI function not working in XEN kernel. (bnc#800156)

- Upstream patches from Jan 26404-x86-forward-both-NMI-kinds.patch 26427-x86-AMD-enable-WC+.patch

- Xen VMs with more than 2 disks randomly fail to start.

- Upstream patches from Jan 26332-x86-compat-show-guest-stack-mfn.patch 26333-x86-get_page_type-assert.patch (Replaces CVE-2013-0154-xsa37.patch) 26340-VT-d-intremap-verify-legacy-bridge.patch (Replaces CVE-2012-5634-xsa33.patch) 26370-libxc-x86-initial-mapping-fit.patch

- Update to Xen 4.1.4 c/s 23432

- Update xenpaging.guest-memusage.patch add rule for xenmem to avoid spurious build failures

- Upstream patches from Jan 26179-PCI-find-next-cap.patch 26183-x86-HPET-masking.patch 26188-x86-time-scale-asm.patch 26200-IOMMU-debug-verbose.patch 26203-x86-HAP-dirty-vram-leak.patch 26229-gnttab-version-switch.patch (Replaces CVE-2012-5510-xsa26.patch) 26230-x86-HVM-limit-batches.patch (Replaces CVE-2012-5511-xsa27.patch) 26231-memory-exchange-checks.patch (Replaces CVE-2012-5513-xsa29.patch) 26232-x86-mark-PoD-error-path.patch (Replaces CVE-2012-5514-xsa30.patch) 26233-memop-order-checks.patch (Replaces CVE-2012-5515-xsa31.patch) 26235-IOMMU-ATS-max-queue-depth.patch 26272-x86-EFI-makefile-cflags-filter.patch 26294-x86-AMD-Fam15-way-access-filter.patch CVE-2013-0154-xsa37.patch

- Restore c/s 25751 in 23614-x86_64-EFI-boot.patch. Modify the EFI Makefile to do additional filtering.


Apply SAT patch number 7492.

See Also

Plugin Details

Severity: High

ID: 65797

File Name: suse_11_xen-130313.nasl

Version: $Revision: 1.2 $

Type: local

Agent: unix

Published: 2013/04/04

Modified: 2013/10/25

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:xen, p-cpe:/a:novell:suse_linux:11:xen-doc-html, p-cpe:/a:novell:suse_linux:11:xen-doc-pdf, p-cpe:/a:novell:suse_linux:11:xen-kmp-default, p-cpe:/a:novell:suse_linux:11:xen-kmp-pae, p-cpe:/a:novell:suse_linux:11:xen-kmp-trace, p-cpe:/a:novell:suse_linux:11:xen-libs, p-cpe:/a:novell:suse_linux:11:xen-libs-32bit, p-cpe:/a:novell:suse_linux:11:xen-tools, p-cpe:/a:novell:suse_linux:11:xen-tools-domU, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2013/03/13

Reference Information

CVE: CVE-2012-5510, CVE-2012-5511, CVE-2012-5513, CVE-2012-5514, CVE-2012-5515, CVE-2012-5634, CVE-2012-6075, CVE-2013-0153, CVE-2013-0154