openSUSE Security Update : xen (openSUSE-SU-2013:1392-1)

high Nessus Plugin ID 75129

Synopsis

The remote openSUSE host is missing a security update.

Description

Xen was updated to the 4.1.5 release. It fixes various bugs and security issues.

Issues fixed separately from the 4.1.5 release:

- bnc#824676 - Failed to setup devices for vm instance when start multiple vms simultaneously

- bnc#XXXXXX - xen: CVE-2013-XXXX: XSA-61: suppress device assignment to HVM guest when there is no IOMMU

- Various upstream patches from Jan were integrated.

- bnc#823786 - migrate.py support of short options dropped by PTF

- bnc#803712 - after live migration rcu_sched_state detected stalls add new option xm migrate --min_remaing <num>

- CVE-2013-1432 / bnc#826882 - xen: XSA-58: x86: fix page refcount handling in page table pin error path

- CVE-2013-2211 / bnc#823608 - xen: XSA-57: libxl allows guest write access to sensitive console related xenstore keys

- bnc#823011 - xen: XSA-55: Multiple vulnerabilities in libelf PV kernel handling

- bnc#801663 - performance of mirror lvm unsuitable for production

- CVE-2013-1918 / bnc#816159 - xen: CVE-2013-1918: XSA-45: Several long latency operations are not preemptible

- CVE-2013-1952 / bnc#816163 - xen: CVE-2013-1952: XSA-49: VT-d interrupt remapping source validation flaw for bridges

- CVE-2013-2076 / bnc#820917 - CVE-2013-2076: xen: Information leak on XSAVE/XRSTOR capable AMD CPUs (XSA-52)

- CVE-2013-2077 / bnc#820919 - CVE-2013-2077: xen: Hypervisor crash due to missing exception recovery on XRSTOR (XSA-53)

- CVE-2013-2078 / bnc#820920 - CVE-2013-2078: xen: Hypervisor crash due to missing exception recovery on XSETBV (XSA-54)

- CVE-2013-2072 / bnc#819416 - xen: CVE-2013-2072: XSA-56: Buffer overflow in xencontrol Python bindings affecting xend

- Update to Xen 4.1.5 c/s 23509. Many xen.spec file patches were dropped because they are now included in the 4.1.5 tarball.

- CVE-2013-1918 / bnc#816159 - xen: XSA-45: Several long latency operations are not preemptible

- CVE-2013-1952 / bnc#816163 - xen: XSA-49: VT-d interrupt remapping source validation flaw for bridges

- bnc#809662 - can't use pv-grub to start domU (pygrub does work)

- CVE-2013-1917 / bnc#813673 - xen: Xen PV DoS vulnerability with SYSENTER

- CVE-2013-1919 / bnc#813675 - xen: Several access permission issues with IRQs for unprivileged guests

- CVE-2013-1920 / bnc#813677 - xen: Potential use of freed memory in event channel operations

- bnc#814709 - Unable to create XEN virtual machines in SLED 11 SP2 on Kyoto

Solution

Update the affected xen packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=801663

https://bugzilla.novell.com/show_bug.cgi?id=803712

https://bugzilla.novell.com/show_bug.cgi?id=809662

https://bugzilla.novell.com/show_bug.cgi?id=813673

https://bugzilla.novell.com/show_bug.cgi?id=813675

https://bugzilla.novell.com/show_bug.cgi?id=813677

https://bugzilla.novell.com/show_bug.cgi?id=814709

https://bugzilla.novell.com/show_bug.cgi?id=816156

https://bugzilla.novell.com/show_bug.cgi?id=816159

https://bugzilla.novell.com/show_bug.cgi?id=816163

https://bugzilla.novell.com/show_bug.cgi?id=819416

https://bugzilla.novell.com/show_bug.cgi?id=820917

https://bugzilla.novell.com/show_bug.cgi?id=820919

https://bugzilla.novell.com/show_bug.cgi?id=820920

https://bugzilla.novell.com/show_bug.cgi?id=823011

https://bugzilla.novell.com/show_bug.cgi?id=823608

https://bugzilla.novell.com/show_bug.cgi?id=823786

https://bugzilla.novell.com/show_bug.cgi?id=824676

https://bugzilla.novell.com/show_bug.cgi?id=826882

https://lists.opensuse.org/opensuse-updates/2013-08/msg00056.html

Plugin Details

Severity: High

ID: 75129

File Name: openSUSE-2013-669.nasl

Version: 1.8

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6

CVSS v2

Risk Factor: High

Base Score: 7.4

Temporal Score: 5.5

Vector: AV:A/AC:M/Au:S/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:xen, p-cpe:/a:novell:opensuse:xen-debugsource, p-cpe:/a:novell:opensuse:xen-devel, p-cpe:/a:novell:opensuse:xen-doc-html, p-cpe:/a:novell:opensuse:xen-doc-pdf, p-cpe:/a:novell:opensuse:xen-kmp-default, p-cpe:/a:novell:opensuse:xen-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:xen-kmp-desktop, p-cpe:/a:novell:opensuse:xen-kmp-desktop-debuginfo, p-cpe:/a:novell:opensuse:xen-kmp-pae, p-cpe:/a:novell:opensuse:xen-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:xen-libs, p-cpe:/a:novell:opensuse:xen-libs-32bit, p-cpe:/a:novell:opensuse:xen-libs-debuginfo, p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit, p-cpe:/a:novell:opensuse:xen-tools, p-cpe:/a:novell:opensuse:xen-tools-debuginfo, p-cpe:/a:novell:opensuse:xen-tools-domU, p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/22/2013

Reference Information

CVE: CVE-2013-1432, CVE-2013-1917, CVE-2013-1918, CVE-2013-1919, CVE-2013-1920, CVE-2013-1952, CVE-2013-1964, CVE-2013-2072, CVE-2013-2076, CVE-2013-2077, CVE-2013-2078, CVE-2013-2211

BID: 58880, 59291, 59292, 59293, 59615, 59617, 59982, 60277, 60278, 60282, 60721, 60799