SUSE-SU-2015:2326-1: moderate: Security update for xen

sle-security-updates at lists.suse.com
Sat Dec 19 08:13:08 MST 2015


   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2326-1
Rating:             moderate
References:         #947165 #950703 #950704 #950705 #950706 #951845 
                    #954018 #954405 #956408 #956409 #956411 #956592 
                    #956832 
Cross-References:   CVE-2015-5307 CVE-2015-7311 CVE-2015-7504
                    CVE-2015-7969 CVE-2015-7970 CVE-2015-7971
                    CVE-2015-7972 CVE-2015-8104 CVE-2015-8339
                    CVE-2015-8340 CVE-2015-8341 CVE-2015-8345
                   
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP3
                    SUSE Linux Enterprise Server 11-SP3
                    SUSE Linux Enterprise Desktop 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has one erratum
   is now available.

Description:



   This update fixes the following security issues:

   - bsc#956832 -  CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in
     processing command block list

   - bsc#956592 -  xen: virtual PMU is unsupported (XSA-163)

   - bsc#956408 -  CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error
     handling issues (XSA-159)

   - bsc#956409 -  CVE-2015-8341: xen: libxl leak of pv kernel and initrd on
     error (XSA-160)

   - bsc#956411 -  CVE-2015-7504: xen: heap buffer overflow vulnerability in
     pcnet emulator (XSA-162)

   - bsc#947165 -  CVE-2015-7311: xen: libxl fails to honour readonly flag on
     disks with qemu-xen (XSA-142)

   - bsc#954405 -  CVE-2015-8104: Xen: guest to host DoS by triggering an
     infinite loop in microcode via #DB exception
   - bsc#954018 -  CVE-2015-5307: xen: x86: CPU lockup during fault delivery
     (XSA-156)

   - bsc#950704 -  CVE-2015-7970: xen: x86: Long latency populate-on-demand
     operation is not preemptible (XSA-150)

   - bsc#951845 -  CVE-2015-7972: xen: x86: populate-on-demand balloon size
     inaccuracy can crash guests (XSA-153)

   - bsc#950703 -  CVE-2015-7969: xen: leak of main per-domain vcpu pointer
     array (DoS) (XSA-149)
   - bsc#950705 -  CVE-2015-7969: xen: x86: leak of per-domain
     profiling-related vcpu pointer array (DoS) (XSA-151)
   - bsc#950706 -  CVE-2015-7971: xen: x86: some pmu and profiling hypercalls
     log without rate limiting (XSA-152)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP3:

      zypper in -t patch sdksp3-xen-20151203-12274=1

   - SUSE Linux Enterprise Server 11-SP3:

      zypper in -t patch slessp3-xen-20151203-12274=1

   - SUSE Linux Enterprise Desktop 11-SP3:

      zypper in -t patch sledsp3-xen-20151203-12274=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-xen-20151203-12274=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP3 (i586 x86_64):

      xen-devel-4.2.5_18-21.1

   - SUSE Linux Enterprise Server 11-SP3 (i586 x86_64):

      xen-kmp-default-4.2.5_18_3.0.101_0.47.71-21.1
      xen-libs-4.2.5_18-21.1
      xen-tools-domU-4.2.5_18-21.1

   - SUSE Linux Enterprise Server 11-SP3 (x86_64):

      xen-4.2.5_18-21.1
      xen-doc-html-4.2.5_18-21.1
      xen-doc-pdf-4.2.5_18-21.1
      xen-libs-32bit-4.2.5_18-21.1
      xen-tools-4.2.5_18-21.1

   - SUSE Linux Enterprise Server 11-SP3 (i586):

      xen-kmp-pae-4.2.5_18_3.0.101_0.47.71-21.1

   - SUSE Linux Enterprise Desktop 11-SP3 (i586 x86_64):

      xen-kmp-default-4.2.5_18_3.0.101_0.47.71-21.1
      xen-libs-4.2.5_18-21.1
      xen-tools-domU-4.2.5_18-21.1

   - SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

      xen-4.2.5_18-21.1
      xen-doc-html-4.2.5_18-21.1
      xen-doc-pdf-4.2.5_18-21.1
      xen-libs-32bit-4.2.5_18-21.1
      xen-tools-4.2.5_18-21.1

   - SUSE Linux Enterprise Desktop 11-SP3 (i586):

      xen-kmp-pae-4.2.5_18_3.0.101_0.47.71-21.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      xen-debuginfo-4.2.5_18-21.1
      xen-debugsource-4.2.5_18-21.1


References:

   https://www.suse.com/security/cve/CVE-2015-5307.html
   https://www.suse.com/security/cve/CVE-2015-7311.html
   https://www.suse.com/security/cve/CVE-2015-7504.html
   https://www.suse.com/security/cve/CVE-2015-7969.html
   https://www.suse.com/security/cve/CVE-2015-7970.html
   https://www.suse.com/security/cve/CVE-2015-7971.html
   https://www.suse.com/security/cve/CVE-2015-7972.html
   https://www.suse.com/security/cve/CVE-2015-8104.html
   https://www.suse.com/security/cve/CVE-2015-8339.html
   https://www.suse.com/security/cve/CVE-2015-8340.html
   https://www.suse.com/security/cve/CVE-2015-8341.html
   https://www.suse.com/security/cve/CVE-2015-8345.html
   https://bugzilla.suse.com/947165
   https://bugzilla.suse.com/950703
   https://bugzilla.suse.com/950704
   https://bugzilla.suse.com/950705
   https://bugzilla.suse.com/950706
   https://bugzilla.suse.com/951845
   https://bugzilla.suse.com/954018
   https://bugzilla.suse.com/954405
   https://bugzilla.suse.com/956408
   https://bugzilla.suse.com/956409
   https://bugzilla.suse.com/956411
   https://bugzilla.suse.com/956592
   https://bugzilla.suse.com/956832


