SUSE-SU-2014:0470-1: important: Security update for Xen

Tue Apr 1 12:04:12 MDT 2014

   SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0470-1
Rating:             important
References:         #786516 #786517 #787163 #789950 #789951 #813673 
                    #813677 #823011 #840592 #842511 #848657 #849668 
                    #853049 
Cross-References:   CVE-2012-4535 CVE-2012-4537 CVE-2012-4544
                    CVE-2012-5513 CVE-2012-5515 CVE-2013-1917
                    CVE-2013-1920 CVE-2013-2194 CVE-2013-2195
                    CVE-2013-2196 CVE-2013-4355 CVE-2013-4368
                    CVE-2013-4494 CVE-2013-4554 CVE-2013-6885

Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that fixes 15 vulnerabilities is now available.

Description:

   The SUSE Linux Enterprise 10 Service Pack 3 LTSS Xen
   hypervisor and toolset  have been updated to fix various
   security issues:

   The following security issues have been addressed:

   *

   XSA-20: CVE-2012-4535: Xen 3.4 through 4.2, and
   possibly earlier versions, allows local guest OS
   administrators to cause a denial of service (Xen infinite
   loop and physical CPU consumption) by setting a VCPU with
   an "inappropriate deadline". (bnc#786516)

   *

   XSA-22: CVE-2012-4537: Xen 3.4 through 4.2, and
   possibly earlier versions, does not properly synchronize
   the p2m and m2p tables when the set_p2m_entry function
   fails, which allows local HVM guest OS administrators to
   cause a denial of service (memory consumption and assertion
   failure), aka "Memory mapping failure DoS vulnerability".
   (bnc#786517)

   *

   XSA-25: CVE-2012-4544: The PV domain builder in Xen
   4.2 and earlier does not validate the size of the kernel or
   ramdisk (1) before or (2) after decompression, which allows
   local guest administrators to cause a denial of service
   (domain 0 memory consumption) via a crafted (a) kernel or
   (b) ramdisk. (bnc#787163)

   *

   XSA-29: CVE-2012-5513: The XENMEM_exchange handler in
   Xen 4.2 and earlier does not properly check the memory
   address, which allows local PV guest OS administrators to
   cause a denial of service (crash) or possibly gain
   privileges via unspecified vectors that overwrite memory in
   the hypervisor reserved range. (bnc#789951)

   *

   XSA-31: CVE-2012-5515: The (1)
   XENMEM_decrease_reservation, (2) XENMEM_populate_physmap,
   and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier
   allow local guest administrators to cause a denial of
   service (long loop and hang) via a crafted extent_order
   value. (bnc#789950)

   *

   XSA-44: CVE-2013-1917: Xen 3.1 through 4.x, when
   running 64-bit hosts on Intel CPUs, does not clear the NT
   flag when using an IRET after a SYSENTER instruction, which
   allows PV guest users to cause a denial of service
   (hypervisor crash) by triggering a #GP fault, which is not
   properly handled by another IRET instruction. (bnc#813673)

   *

   XSA-47: CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier,
   when the hypervisor is running "under memory pressure" and
   the Xen Security Module (XSM) is enabled, uses the wrong
   ordering of operations when extending the per-domain event
   channel tracking table, which causes a use-after-free and
   allows local guest kernels to inject arbitrary events and
   gain privileges via unspecified vectors. (bnc#813677)

   *

   XSA-55: CVE-2013-2196: Multiple unspecified
   vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and
   earlier allow local guest administrators with certain
   permissions to have an unspecified impact via a crafted
   kernel, related to "other problems" that are not
   CVE-2013-2194 or CVE-2013-2195. (bnc#823011)

   *

   XSA-55: CVE-2013-2195: The Elf parser (libelf) in Xen
   4.2.x and earlier allow local guest administrators with
   certain permissions to have an unspecified impact via a
   crafted kernel, related to "pointer dereferences" involving
   unexpected calculations. (bnc#823011)

   *

   XSA-55: CVE-2013-2194: Multiple integer overflows in
   the Elf parser (libelf) in Xen 4.2.x and earlier allow
   local guest administrators with certain permissions to have
   an unspecified impact via a crafted kernel. (bnc#823011)

   *

   XSA-63: CVE-2013-4355: Xen 4.3.x and earlier does not
   properly handle certain errors, which allows local HVM
   guests to obtain hypervisor stack memory via a (1) port or
   (2) memory mapped I/O write or (3) other unspecified
   operations related to addresses without associated memory.
   (bnc#840592)

   *

   XSA-67: CVE-2013-4368: The outs instruction emulation
   in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or
   GS: segment override, uses an uninitialized variable as a
   segment base, which allows local 64-bit PV guests to obtain
   sensitive information (hypervisor stack content) via
   unspecified vectors related to stale data in a segment
   register. (bnc#842511)

   *

   XSA-73: CVE-2013-4494: Xen before 4.1.x, 4.2.x, and
   4.3.x does not take the page_alloc_lock and
   grant_table.lock in the same order, which allows local
   guest administrators with access to multiple vcpus to cause
   a denial of service (host deadlock) via unspecified
   vectors. (bnc#848657)

   *

   XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x
   (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x
   (possibly 4.3.1) does not properly prevent access to
   hypercalls, which allows local guest users to gain
   privileges via a crafted application running in ring 1 or
   2. (bnc#849668)

   *

   XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h
   through 0Fh processors does not properly handle the
   interaction between locked instructions and write-combined
   memory types, which allows local users to cause a denial of
   service (system hang) via a crafted application, aka the
   errata 793 issue. (bnc#853049)

   Security Issues references:

   * CVE-2012-4535
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4535
   >
   * CVE-2012-4537
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4537
   >
   * CVE-2012-4544
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4544
   >
   * CVE-2012-5513
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5513
   >
   * CVE-2012-5515
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5515
   >
   * CVE-2013-1917
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1917
   >
   * CVE-2013-1920
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1920
   >
   * CVE-2013-2194
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2194
   >
   * CVE-2013-2195
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2195
   >
   * CVE-2013-2196
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2196
   >
   * CVE-2013-4355
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4355
   >
   * CVE-2013-4368
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4368
   >
   * CVE-2013-4494
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4494
   >
   * CVE-2013-4554
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4554
   >
   * CVE-2013-6885
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885
   >

Indications:

   Everyone using the Xen hypervisor should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 x86_64):

      xen-3.2.3_17040_28-0.6.21.3
      xen-devel-3.2.3_17040_28-0.6.21.3
      xen-doc-html-3.2.3_17040_28-0.6.21.3
      xen-doc-pdf-3.2.3_17040_28-0.6.21.3
      xen-doc-ps-3.2.3_17040_28-0.6.21.3
      xen-kmp-debug-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-default-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-kdump-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-smp-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-libs-3.2.3_17040_28-0.6.21.3
      xen-tools-3.2.3_17040_28-0.6.21.3
      xen-tools-domU-3.2.3_17040_28-0.6.21.3
      xen-tools-ioemu-3.2.3_17040_28-0.6.21.3

   - SUSE Linux Enterprise Server 10 SP3 LTSS (x86_64):

      xen-libs-32bit-3.2.3_17040_28-0.6.21.3

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586):

      xen-kmp-bigsmp-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-kdumppae-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-vmi-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3
      xen-kmp-vmipae-3.2.3_17040_28_2.6.16.60_0.113.9-0.6.21.3

References:

   http://support.novell.com/security/cve/CVE-2012-4535.html
   http://support.novell.com/security/cve/CVE-2012-4537.html
   http://support.novell.com/security/cve/CVE-2012-4544.html
   http://support.novell.com/security/cve/CVE-2012-5513.html
   http://support.novell.com/security/cve/CVE-2012-5515.html
   http://support.novell.com/security/cve/CVE-2013-1917.html
   http://support.novell.com/security/cve/CVE-2013-1920.html
   http://support.novell.com/security/cve/CVE-2013-2194.html
   http://support.novell.com/security/cve/CVE-2013-2195.html
   http://support.novell.com/security/cve/CVE-2013-2196.html
   http://support.novell.com/security/cve/CVE-2013-4355.html
   http://support.novell.com/security/cve/CVE-2013-4368.html
   http://support.novell.com/security/cve/CVE-2013-4494.html
   http://support.novell.com/security/cve/CVE-2013-4554.html
   http://support.novell.com/security/cve/CVE-2013-6885.html
   https://bugzilla.novell.com/786516
   https://bugzilla.novell.com/786517
   https://bugzilla.novell.com/787163
   https://bugzilla.novell.com/789950
   https://bugzilla.novell.com/789951
   https://bugzilla.novell.com/813673
   https://bugzilla.novell.com/813677
   https://bugzilla.novell.com/823011
   https://bugzilla.novell.com/840592
   https://bugzilla.novell.com/842511
   https://bugzilla.novell.com/848657
   https://bugzilla.novell.com/849668
   https://bugzilla.novell.com/853049
   http://download.suse.com/patch/finder/?keywords=6f43bf900a8ce3d35255c35946732753