SUSE-RU-2012:0729-1: Recommended update for KVM and Xen
sle-updates at lists.suse.com
Tue Jun 12 14:08:29 MDT 2012
SUSE Recommended Update: Recommended update for KVM and Xen
______________________________________________________________________________
Announcement ID: SUSE-RU-2012:0729-1
Rating: low
References: #720929 #733715 #739585 #742773 #743414 #744771
#745005 #745367 #745880 #745890 #746613 #746702
#747172 #747331 #753165 #754906 #757346 #757537
#757970 #760023 #760557 #761142 #764077
Affected Products:
SUSE Linux Enterprise Software Development Kit 11 SP2
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________
An update that solves three vulnerabilities and has 20
fixes is now available. It includes two new package
versions.
Description:
This collective update for Xen 2012/06 on SUSE Linux
Enterprise 11 SP2 provides the following fixes:
Xen
* 757537: xen: CVE-2012-0217 PV guest escalation
* 757970: xen: CVE-2012-0218 guest denial of service on
syscall GPF generation
* 764077: xen: CVE-2012-2934 Report a denial of service
issue on old, pre-SVM AMD CPUs (AMD Erratum 121).
AMD Erratum #121 is described in "Revision Guide for
AMD Athlon 64 and AMD Opteron Processors":
http://support.amd.com/us/Processor_TechDocs/25759.pdf
The following 130nm and 90nm (DDR1-only) AMD
processors are subject to this erratum:
o First-generation AMD-Opteron(tm) single and
dual core processors in either 939 or 940 packages:
+ AMD Opteron(tm) 100-Series Processors
+ AMD Opteron(tm) 200-Series Processors
+ AMD Opteron(tm) 800-Series Processors
+ AMD Athlon(tm) processors in either 754,
939 or 940 packages
+ AMD Sempron(tm) processor in either 754
or 939 packages
+ AMD Turion(tm) Mobile Technology in 754
package
This issue does not affect Intel processors.
The impact of this flaw is that a malicious PV guest
user can halt the host system.
As this is a hardware flaw, it is not fixable except
by upgrading your hardware to a newer revision, or by not
allowing untrusted 64bit guest systems.
The patch changes the boot behaviour of the host system
so that it cannot create guest machines
until a specific boot option is set.
There is a new XEN boot option "allow_unsafe" for
GRUB which allows the host to start guests again.
This is added to /boot/grub/menu.lst in the line
looking like this:
kernel /boot/xen.gz .... allow_unsafe
or add this option to the XEN_APPEND line in
/etc/sysconfig/bootloader, e.g.:
XEN_APPEND="allow_unsafe"
Note: .... in the first example represents the
existing boot options for the host.
* 753165: xen/scripts/network-bridge won't create bridge
* 745880: cpuid setting is not preserved across xend
restarts
* 747331: standard "newburn" kernel QA stress test
freezes the guest
* 745367: MCE bank handling during migration
* 744771: VM with passed through PCI card fails to
reboot under dom0 load
* 746702: Xen HVM DomU crash during Windows Server 2008
install, when maxmem > memory
* 745005: Update vif configuration examples in
xmexample*
* 743414: using vifname is ignored when defining a xen
virtual interface with xl/libxl
* 739585: Xen block-attach fails after repeated
attach/detach
* Fate 310510: fix xenpaging
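An audit check for the "allow_unsafe" boot option described under bug 764077 above, added here as an example and not part of the SUSE advisory: it reports whether the option is present in either of the two files the advisory names. The function names are hypothetical, and only the bare "allow_unsafe" spelling shown in the advisory is matched.

```shell
#!/bin/sh
# Added example: report whether the Xen "allow_unsafe" option from this
# advisory is configured. Function names are hypothetical; only the bare
# "allow_unsafe" token shown in the advisory is matched.

# True if a non-comment GRUB "kernel" line that loads a xen*.gz image
# carries allow_unsafe as a separate word.
menu_lst_allows_unsafe() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "kernel" && $2 ~ "xen[^/]*[.]gz$" {
            for (i = 3; i <= NF; i++) if ($i == "allow_unsafe") found = 1
        }
        END { exit !found }
    ' "$1"
}

# True if the last uncommented XEN_APPEND assignment contains allow_unsafe.
sysconfig_allows_unsafe() {
    val=$(sed -n 's/^[[:space:]]*XEN_APPEND=//p' "$1" |
          tail -n 1 | tr -d "\"'" | tr '\t' ' ')
    case " $val " in
        *" allow_unsafe "*) return 0 ;;
    esac
    return 1
}

# Check both files; prints each finding and returns 1 if any was found.
audit_allow_unsafe() {
    menu=${1:-/boot/grub/menu.lst}
    sysc=${2:-/etc/sysconfig/bootloader}
    status=0
    if [ -r "$menu" ] && menu_lst_allows_unsafe "$menu"; then
        echo "allow_unsafe on a Xen kernel line in $menu"
        status=1
    fi
    if [ -r "$sysc" ] && sysconfig_allows_unsafe "$sysc"; then
        echo "allow_unsafe in XEN_APPEND in $sysc"
        status=1
    fi
    return $status
}

# Run as: sh this-script --audit [menu.lst] [sysconfig-bootloader]
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_allow_unsafe "$@"
    exit $?
fi
```

A non-zero exit status from the audit means the host has been configured to start guests despite the erratum, which is the case to review against the list of affected processors.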
vm-install
* 760557: Fix error on two virtual discs with
conflicting virtual names
* 760023: Can't upgrade an OES 2 (64-bit) XEN Guest
Server to OES 11
* 757346: XEN guest OS installation (SLES 11 SP2 guest)
fails on SLED 11 SP2
* 742773: vm-install shows bogus error msg without
defined installation source
* KVM: Add 'unsafe' and 'directsync' as options to
cache_mode
* KVM: During installation set the target disk to
'unsafe' mode for better performance.
* 761142: vm-install fails to create its new VM: bogus
"Not enough space on device" message
* 754906: virt-manager is not allowing to upgrade oes11
to oes11sp1 machine
virt-manager
* 746613: validation error when adding USB redirection
* KVM: Add cache mode support for directsync and unsafe
libvirt
* 747172: PCI device passthrough fails with "Broadcom
NetXtreme II BCM5709 Gigabit Ethernet" (bnx2) (kvm)
* 745890: Unable to start xen domains with virsh when
using libxenlight toolstack and apparmor
* KVM: Add support for qemu's 'unsafe' cache mode
(directsync mode already there)
virt-utils
* vpc: Round up image size during fixed image creation
* fate 309765: Create images that can be run on a
Microsoft Hyper-V host. Added VHD Fixed Disk format
support.
yast2-vm
* 720929: Upgrade from OES 2 SP2 to OES 11 RC3 re-adds
"x0..respawn..xterm" to inittab
* 733715: Fix typo in relocation-server.pot
Security Issue references:
* CVE-2012-0217
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0217>
* CVE-2012-0218
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0218>
* CVE-2012-2934
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2934>
Indications:
Every Xen and KVM user should update.
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Recommended Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP2:
zypper in -t patch sdksp2-xen-201206-6400
- SUSE Linux Enterprise Server 11 SP2:
zypper in -t patch slessp2-xen-201206-6400
- SUSE Linux Enterprise Desktop 11 SP2:
zypper in -t patch sledsp2-xen-201206-6400
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):
libvirt-devel-0.9.6-0.15.71
xen-devel-4.1.2_18-0.9.1
- SUSE Linux Enterprise Software Development Kit 11 SP2 (x86_64):
libvirt-devel-32bit-0.9.6-0.15.71
- SUSE Linux Enterprise Server 11 SP2 (i586 x86_64) [New Version: 0.5.9 and 2.17.10]:
libvirt-0.9.6-0.15.71
libvirt-client-0.9.6-0.15.71
libvirt-doc-0.9.6-0.15.71
libvirt-python-0.9.6-0.15.71
virt-manager-0.9.0-3.17.26
virt-utils-1.1.7-0.11.15
vm-install-0.5.9-0.7.13
xen-kmp-default-4.1.2_18_3.0.31_0.9-0.9.1
xen-kmp-trace-4.1.2_18_3.0.31_0.9-0.9.1
xen-libs-4.1.2_18-0.9.1
xen-tools-domU-4.1.2_18-0.9.1
yast2-vm-2.17.10-0.5.42
- SUSE Linux Enterprise Server 11 SP2 (x86_64):
libvirt-client-32bit-0.9.6-0.15.71
xen-4.1.2_18-0.9.1
xen-doc-html-4.1.2_18-0.9.1
xen-doc-pdf-4.1.2_18-0.9.1
xen-libs-32bit-4.1.2_18-0.9.1
xen-tools-4.1.2_18-0.9.1
- SUSE Linux Enterprise Server 11 SP2 (i586):
xen-kmp-pae-4.1.2_18_3.0.31_0.9-0.9.1
- SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64) [New Version: 0.5.9 and 2.17.10]:
libvirt-0.9.6-0.15.71
libvirt-client-0.9.6-0.15.71
libvirt-doc-0.9.6-0.15.71
libvirt-python-0.9.6-0.15.71
virt-manager-0.9.0-3.17.26
virt-utils-1.1.7-0.11.15
vm-install-0.5.9-0.7.13
xen-kmp-default-4.1.2_18_3.0.31_0.9-0.9.1
xen-kmp-trace-4.1.2_18_3.0.31_0.9-0.9.1
xen-libs-4.1.2_18-0.9.1
xen-tools-domU-4.1.2_18-0.9.1
yast2-vm-2.17.10-0.5.42
- SUSE Linux Enterprise Desktop 11 SP2 (x86_64):
libvirt-client-32bit-0.9.6-0.15.71
xen-4.1.2_18-0.9.1
xen-doc-html-4.1.2_18-0.9.1
xen-doc-pdf-4.1.2_18-0.9.1
xen-libs-32bit-4.1.2_18-0.9.1
xen-tools-4.1.2_18-0.9.1
- SUSE Linux Enterprise Desktop 11 SP2 (i586):
xen-kmp-pae-4.1.2_18_3.0.31_0.9-0.9.1
References:
http://support.novell.com/security/cve/CVE-2012-0217.html
http://support.novell.com/security/cve/CVE-2012-0218.html
http://support.novell.com/security/cve/CVE-2012-2934.html
https://bugzilla.novell.com/720929
https://bugzilla.novell.com/733715
https://bugzilla.novell.com/739585
https://bugzilla.novell.com/742773
https://bugzilla.novell.com/743414
https://bugzilla.novell.com/744771
https://bugzilla.novell.com/745005
https://bugzilla.novell.com/745367
https://bugzilla.novell.com/745880
https://bugzilla.novell.com/745890
https://bugzilla.novell.com/746613
https://bugzilla.novell.com/746702
https://bugzilla.novell.com/747172
https://bugzilla.novell.com/747331
https://bugzilla.novell.com/753165
https://bugzilla.novell.com/754906
https://bugzilla.novell.com/757346
https://bugzilla.novell.com/757537
https://bugzilla.novell.com/757970
https://bugzilla.novell.com/760023
https://bugzilla.novell.com/760557
https://bugzilla.novell.com/761142
https://bugzilla.novell.com/764077
http://download.novell.com/patch/finder/?keywords=10328b4d3af18715e20d3656ebf3478c