Fedora 17 : xen-4.1.5-1.fc17 (2013-6723)

medium Nessus Plugin ID 66321
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Fedora host is missing a security update.

Description

- Thu Apr 25 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.5-1

- update to xen-4.1.5 includes fixes for passed through IRQs or PCI devices might allow denial of service attack [XSA-46, CVE-2013-1919] (#953568) SYSENTER in 32-bit PV guests on 64-bit xen can crash hypervisor [XSA-44, CVE-2013-1917] (#953569) grant releases can release more than intended potentially crashing xen [XSA-50, CVE-2013-1964] (#953632)

- remove patches that are included in 4.1.5

- allow xendomains to work with xl saved images

- Thu Apr 4 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-7

- make xendomains systemd script executable (#919705)

- Potential use of freed memory in event channel operations [XSA-47, CVE-2013-1920]

- Fri Feb 22 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-6

- patch for [XSA-36, CVE-2013-0153] can cause boot time crash

- backport the fixes discovered when building with gcc 4.8

- Fri Feb 15 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-5

- patch for [XSA-38, CVE-2013-0215] was flawed

- Wed Feb 6 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-4

- guest using oxenstored can crash host or exhaust memory [XSA-38, CVE-2013-0215] (#907888)

- guest using AMD-Vi for PCI passthrough can cause denial of service [XSA-36, CVE-2013-0153] (#910914)

- Thu Jan 17 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-3

- Buffer overflow when processing large packets in qemu e1000 device driver [XSA-41, CVE-2012-6075] (#910845)

- fix a bug introduced by fix for XSA-27

- Fri Jan 11 2013 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-2

- VT-d interrupt remapping source validation flaw [XSA-33, CVE-2012-5634] (#893568)

- Tue Dec 18 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.4-1

- update to xen-4.1.4

- remove patches that are included in 4.1.4

- Tue Dec 4 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-7

- 6 security fixes A guest can cause xen to crash [XSA-26, CVE-2012-5510] (#883082) An HVM guest can cause xen to run slowly or crash [XSA-27, CVE-2012-5511] (#883084) An HVM guest can cause xen to crash or leak information [XSA-28, CVE-2012-5512] (#883085) A PV guest can cause xen to crash and might be able escalate privileges [XSA-29, CVE-2012-5513] (#883088) An HVM guest can cause xen to hang [XSA-30, CVE-2012-5514] (#883091) A guest can cause xen to hang [XSA-31, CVE-2012-5515] (#883092)

- Tue Nov 13 2012 Michael Young <m.a.young at durham.ac.uk> - 4.1.3-6

- 5 security fixes A guest can block a cpu by setting a bad VCPU deadline [XSA 20, CVE-2012-4535] (#876198)

[plus 60 lines in the Changelog]

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected xen package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=950668

https://bugzilla.redhat.com/show_bug.cgi?id=950686

https://bugzilla.redhat.com/show_bug.cgi?id=953632

http://www.nessus.org/u?21e17665

Plugin Details

Severity: Medium

ID: 66321

File Name: fedora_2013-6723.nasl

Version: 1.17

Type: local

Agent: unix

Published: 5/5/2013

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 6

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:xen, cpe:/o:fedoraproject:fedora:17

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/26/2013

Vulnerability Publication Date: 5/13/2013

Reference Information

CVE: CVE-2013-1917, CVE-2013-1919, CVE-2013-1964

BID: 59291, 59292, 59293

FEDORA: 2013-6723