
Re: [alerts-security] [SECURITY] [DSA 3140-1] xen security update



Running only PV guests will avoid this issue.

No upgrade needed.


On Tue, Jan 27, 2015 at 11:53:46AM +0100, Moritz Muehlenhoff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3140-1                   security@debian.org
> http://www.debian.org/security/                        Moritz Muehlenhoff
> January 27, 2015                       http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : xen
> CVE ID         : CVE-2014-8594 CVE-2014-8595 CVE-2014-8866 CVE-2014-8867 
>                  CVE-2014-9030
> 
> Multiple security issues have been discovered in the Xen virtualisation
> solution which may result in denial of service, information disclosure
> or privilege escalation.
> 
> CVE-2014-8594
> 
>     Roger Pau Monne and Jan Beulich discovered that incomplete
>     restrictions on MMU update hypercalls may result in privilege
>     escalation.
> 
> CVE-2014-8595
> 
>     Jan Beulich discovered that missing privilege level checks in the
>     x86 emulation of far branches may result in privilege escalation.
> 
> CVE-2014-8866
> 
>     Jan Beulich discovered that an error in compatibility mode hypercall
>     argument translation may result in denial of service.
> 
> CVE-2014-8867
> 
>     Jan Beulich discovered that an insufficient restriction in
>     acceleration support for the "REP MOVS" instruction may result in
>     denial of service.
> 
> CVE-2014-9030
> 
>     Andrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE
>     handling, resulting in denial of service.
> 
> For the stable distribution (wheezy), these problems have been fixed in
> version 4.1.4-3+deb7u4.
> 
> For the upcoming stable distribution (jessie), these problems have been
> fixed in version 4.4.1-4.
> 
> For the unstable distribution (sid), these problems have been fixed in
> version 4.4.1-4.
> 
> We recommend that you upgrade your xen packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> 
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: https://lists.debian.org/20150127105345.GA5712@pisco.westfalen.local

-- 
Regards,
Pim van den Berg - Cloud Infrastructure Engineer
GPG: 0x50A8EDDA - pim.van.den.berg@mendix.com - www.mendix.com

