openSUSE Security Update : xen (openSUSE-SU-2013:1404-1)

high Nessus Plugin ID 75130

Synopsis

The remote openSUSE host is missing a security update.

Description

XEN was updated to 4.2.2, fixing lots of bugs and several security issues.

Various upstream patches were also merged into this version by our developers.

Detailed buglist :

- bnc#824676 - Failed to setup devices for vm instance when start multiple vms simultaneously

- bnc#817799 - sles9sp4 guest fails to start after upgrading to sles11 sp3

- bnc#826882 - xen: CVE-2013-1432: XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes

- Add upstream patch to fix devid assignment in libxl 27184-libxl-devid-fix.patch

- bnc#823608 - xen: XSA-57: libxl allows guest write access to sensitive console related xenstore keys 27178-libxl-Restrict-permissions-on-PV-console-device-xenstore-nodes.patch

- bnc#823011 - xen: XSA-55: Multiple vulnerabilities in libelf PV kernel handling

- bnc#808269 - Fully Virtualized Windows VM install is failed on Ivy Bridge platforms with Xen kernel

- bnc#801663 - performance of mirror lvm unsuitable for production block-dmmd

- bnc#817904 - [SLES11SP3 BCS Bug] Crashkernel fails to boot after panic on XEN kernel SP3 Beta 4 and RC1

- Upstream AMD Erratum patch from Jan

- bnc#813675 - xen: CVE-2013-1919: XSA-46: Several access permission issues with IRQs for unprivileged guests

- bnc#820917 - CVE-2013-2076: xen: Information leak on XSAVE/XRSTOR capable AMD CPUs (XSA-52)

- bnc#820919 - CVE-2013-2077: xen: Hypervisor crash due to missing exception recovery on XRSTOR (XSA-53)

- bnc#820920 - CVE-2013-2078: xen: Hypervisor crash due to missing exception recovery on XSETBV (XSA-54)

- bnc#808085 - aacraid driver panics mapping INT A when booting kernel-xen

- bnc#817210 - openSUSE 12.3 Domain 0 doesn't boot with i915 graphics controller under Xen with VT-d enabled

- bnc#819416 - xen: CVE-2013-2072: XSA-56: Buffer overflow in xencontrol Python bindings affecting xend

- bnc#818183 - xen: CVE-2013-2007: XSA-51: qga set umask 0077 when daemonizing

- add lndir to BuildRequires

- remove xen.migrate.tools_notify_restore_to_hangup_during_migration_--abort_if_busy.patch: it changed migration protocol and upstream wants a different solution

- bnc#802221 - fix xenpaging, re-add xenpaging.qemu.flush-cache.patch

- Additional fix for bnc#816159 CVE-2013-1918-xsa45-followup.patch

- bnc#817068 - Xen guest with >1 sr-iov vf won't start

- Update to Xen 4.2.2 c/s 26064. The following recent security patches are included in the tarball: CVE-2013-0151-xsa34.patch (bnc#797285), CVE-2012-6075-xsa41.patch (bnc#797523), CVE-2013-1917-xsa44.patch (bnc#813673), CVE-2013-1919-xsa46.patch (bnc#813675)

- bnc#816159 - xen: CVE-2013-1918: XSA-45: Several long latency operations are not preemptible

- bnc#816163 - xen: CVE-2013-1952: XSA-49: VT-d interrupt remapping source validation flaw for bridges

- bnc#809662 - can't use pv-grub to start domU (pygrub does work) xen.spec

- bnc#814709 - Unable to create XEN virtual machines in SLED 11 SP2 on Kyoto

- bnc#813673 - CVE-2013-1917: xen: Xen PV DoS vulnerability with SYSENTER

- bnc#813675 - CVE-2013-1919: xen: Several access permission issues with IRQs for unprivileged guests

- bnc#814059 - xen: qemu-nbd format-guessing due to missing format specification

Solution

Update the affected xen packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=797285

https://bugzilla.novell.com/show_bug.cgi?id=797523

https://bugzilla.novell.com/show_bug.cgi?id=801663

https://bugzilla.novell.com/show_bug.cgi?id=802221

https://bugzilla.novell.com/show_bug.cgi?id=808085

https://bugzilla.novell.com/show_bug.cgi?id=808269

https://bugzilla.novell.com/show_bug.cgi?id=809662

https://bugzilla.novell.com/show_bug.cgi?id=813673

https://bugzilla.novell.com/show_bug.cgi?id=813675

https://bugzilla.novell.com/show_bug.cgi?id=814059

https://bugzilla.novell.com/show_bug.cgi?id=814709

https://bugzilla.novell.com/show_bug.cgi?id=816159

https://bugzilla.novell.com/show_bug.cgi?id=816163

https://bugzilla.novell.com/show_bug.cgi?id=817068

https://bugzilla.novell.com/show_bug.cgi?id=817210

https://bugzilla.novell.com/show_bug.cgi?id=817799

https://bugzilla.novell.com/show_bug.cgi?id=817904

https://bugzilla.novell.com/show_bug.cgi?id=818183

https://bugzilla.novell.com/show_bug.cgi?id=819416

https://bugzilla.novell.com/show_bug.cgi?id=820917

https://bugzilla.novell.com/show_bug.cgi?id=820919

https://bugzilla.novell.com/show_bug.cgi?id=820920

https://bugzilla.novell.com/show_bug.cgi?id=823011

https://bugzilla.novell.com/show_bug.cgi?id=823608

https://bugzilla.novell.com/show_bug.cgi?id=824676

https://bugzilla.novell.com/show_bug.cgi?id=826882

https://lists.opensuse.org/opensuse-updates/2013-09/msg00007.html

Plugin Details

Severity: High

ID: 75130

File Name: openSUSE-2013-677.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:xen, p-cpe:/a:novell:opensuse:xen-debugsource, p-cpe:/a:novell:opensuse:xen-devel, p-cpe:/a:novell:opensuse:xen-doc-html, p-cpe:/a:novell:opensuse:xen-doc-pdf, p-cpe:/a:novell:opensuse:xen-kmp-default, p-cpe:/a:novell:opensuse:xen-kmp-default-debuginfo, p-cpe:/a:novell:opensuse:xen-kmp-desktop, p-cpe:/a:novell:opensuse:xen-kmp-desktop-debuginfo, p-cpe:/a:novell:opensuse:xen-kmp-pae, p-cpe:/a:novell:opensuse:xen-kmp-pae-debuginfo, p-cpe:/a:novell:opensuse:xen-libs, p-cpe:/a:novell:opensuse:xen-libs-32bit, p-cpe:/a:novell:opensuse:xen-libs-debuginfo, p-cpe:/a:novell:opensuse:xen-libs-debuginfo-32bit, p-cpe:/a:novell:opensuse:xen-tools, p-cpe:/a:novell:opensuse:xen-tools-debuginfo, p-cpe:/a:novell:opensuse:xen-tools-domU, p-cpe:/a:novell:opensuse:xen-tools-domU-debuginfo, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/25/2013

Reference Information

CVE: CVE-2012-6075, CVE-2013-0151, CVE-2013-1432, CVE-2013-1917, CVE-2013-1918, CVE-2013-1919, CVE-2013-1922, CVE-2013-1952, CVE-2013-2007, CVE-2013-2072, CVE-2013-2076, CVE-2013-2077, CVE-2013-2078

BID: 57420, 57495, 59070, 59291, 59292, 59615, 59617, 59675, 59982, 60277, 60278, 60282, 60799