Frederik Schüler uploaded new packages for xen-3 which fixed the following security problems:

CVE-2008-0928, Debian Bug #469649, #469654, #469662, #469666

  Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine.

CVE-2008-1943, Debian Bug #487095, #487097

  Buffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer.

CVE-2008-1944, Debian Bug #487095, #487097

  Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages."

CVE-2008-1952, Debian Bug #487095

  The backend for XenSource Xen Para Virtualized Frame Buffer (PVFB) in Xen ioemu does not properly restrict the frame buffer size, which allows attackers to cause a denial of service (crash) by mapping an arbitrary amount of guest memory.

For the etch-backports distribution the problems have been fixed in version 3.2.1-2~bpo4+1.

For the lenny and sid distributions the problems have been fixed in version 3.2.1-2.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the packages manually via "apt-get -t etch-backports install <packagelist>", where <packagelist> is the list of your installed packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new versions of installed backports will be installed automatically:

  Package: *
  Pin: release a=etch-backports
  Pin-Priority: 200
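As an added example (not tooling from the advisory or the backports team), the following Python reimplements dpkg's version ordering, including the rule that "~" sorts before everything else, so that the backport build 3.2.1-2~bpo4+1 compares lower than the lenny/sid build 3.2.1-2, and applies it to a "dpkg -l" listing to find packages still below the fixed version for a suite. The package names and versions in the sample listing are constructed, not real data.

```python
# Fixed versions quoted from the advisory (added example, not the backports team's code).
FIXED = {"etch-backports": "3.2.1-2~bpo4+1", "lenny": "3.2.1-2", "sid": "3.2.1-2"}

def _order(c):
    """dpkg weight for one character: '~' sorts before even the empty string."""
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """Compare upstream-version or revision strings with dpkg's alternating rule."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are not significant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions`, honouring epoch and revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (int(epoch), rest) if sep else (0, v)
        upstream, sep, revision = rest.rpartition("-")
        return (epoch, upstream, revision) if sep else (epoch, rest, "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed `dpkg -l` excerpt: package names and versions are illustrative only.
SAMPLE_DPKG_L = """\
ii  xen-hypervisor-3.2-1-amd64  3.2.0-1~bpo4+1  constructed: hypervisor
ii  xen-utils-3.2-1             3.2.1-2~bpo4+1  constructed: admin tools
"""

def needs_upgrade(dpkg_l_output, suite):
    """Names of installed ('ii') packages still older than the suite's fixed version."""
    fixed = FIXED[suite]
    return [f[1] for f in (line.split() for line in dpkg_l_output.splitlines())
            if len(f) >= 3 and f[0] == "ii" and compare_versions(f[2], fixed) < 0]
```

Run against a real listing, feed it the output of "dpkg -l" restricted to the xen-3 binary packages installed on the host; note that a system tracking lenny needs 3.2.1-2, which the backport build does not satisfy.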