
SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0658-1
Rating:             important
References:         #877642 #932267 #944463 #950706 #953527 #954405 #956408
                    #956411 #957988 #958009 #958493 #958523 #962360
Cross-References:   CVE-2014-0222 CVE-2015-4037 CVE-2015-5239 CVE-2015-5307
                    CVE-2015-7504 CVE-2015-7512 CVE-2015-7971 CVE-2015-8104
                    CVE-2015-8339 CVE-2015-8340 CVE-2015-8504 CVE-2015-8550
                    CVE-2015-8555
Affected Products:  SUSE Linux Enterprise Server 10 SP4 LTSS
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

Xen was updated to fix the following vulnerabilities:

* CVE-2014-0222: Qcow1 L2 table size integer overflows (bsc#877642)
* CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267)
* CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463)
* CVE-2015-7504: Heap buffer overflow vulnerability in pcnet emulator (XSA-162, bsc#956411)
* CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (XSA-152, bsc#950706)
* CVE-2015-8104: Guest to host DoS by triggering an infinite loop in microcode via #DB exception (bsc#954405)
* CVE-2015-5307: Guest to host DOS by intercepting #AC (XSA-156, bsc#953527)
* CVE-2015-8339: XENMEM_exchange error handling issues (XSA-159, bsc#956408)
* CVE-2015-8340: XENMEM_exchange error handling issues (XSA-159, bsc#956408)
* CVE-2015-7512: Buffer overflow in pcnet's non-loopback mode (bsc#962360)
* CVE-2015-8550: Paravirtualized drivers incautious about shared memory contents (XSA-155, bsc#957988)
* CVE-2015-8504: Avoid floating point exception in vnc support (bsc#958493)
* CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165, bsc#958009)
* Ioreq handling possibly susceptible to multiple read issue (XSA-166, bsc#958523)

Security Issues:

* CVE-2014-0222 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222>
* CVE-2015-4037 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037>
* CVE-2015-5239 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5239>
* CVE-2015-7504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7504>
* CVE-2015-7971 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7971>
* CVE-2015-8104 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104>
* CVE-2015-5307 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307>
* CVE-2015-8339 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8339>
* CVE-2015-8340 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340>
* CVE-2015-7512 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512>
* CVE-2015-8550 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8550>
* CVE-2015-8504 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8504>
* CVE-2015-8555 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8555>

Special Instructions and Notes:

Please reboot the system after installing this update.

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 x86_64):

  xen-3.2.3_17040_46-0.23.2
  xen-devel-3.2.3_17040_46-0.23.2
  xen-doc-html-3.2.3_17040_46-0.23.2
  xen-doc-pdf-3.2.3_17040_46-0.23.2
  xen-doc-ps-3.2.3_17040_46-0.23.2
  xen-kmp-debug-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-default-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-kdump-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-smp-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-libs-3.2.3_17040_46-0.23.2
  xen-tools-3.2.3_17040_46-0.23.2
  xen-tools-domU-3.2.3_17040_46-0.23.2
  xen-tools-ioemu-3.2.3_17040_46-0.23.2

- SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64):

  xen-libs-32bit-3.2.3_17040_46-0.23.2

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586):

  xen-kmp-bigsmp-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-kdumppae-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-vmi-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2
  xen-kmp-vmipae-3.2.3_17040_46_2.6.16.60_0.132.6-0.23.2

References:

https://www.suse.com/security/cve/CVE-2014-0222.html
https://www.suse.com/security/cve/CVE-2015-4037.html
https://www.suse.com/security/cve/CVE-2015-5239.html
https://www.suse.com/security/cve/CVE-2015-5307.html
https://www.suse.com/security/cve/CVE-2015-7504.html
https://www.suse.com/security/cve/CVE-2015-7512.html
https://www.suse.com/security/cve/CVE-2015-7971.html
https://www.suse.com/security/cve/CVE-2015-8104.html
https://www.suse.com/security/cve/CVE-2015-8339.html
https://www.suse.com/security/cve/CVE-2015-8340.html
https://www.suse.com/security/cve/CVE-2015-8504.html
https://www.suse.com/security/cve/CVE-2015-8550.html
https://www.suse.com/security/cve/CVE-2015-8555.html
https://bugzilla.suse.com/877642
https://bugzilla.suse.com/932267
https://bugzilla.suse.com/944463
https://bugzilla.suse.com/950706
https://bugzilla.suse.com/953527
https://bugzilla.suse.com/954405
https://bugzilla.suse.com/956408
https://bugzilla.suse.com/956411
https://bugzilla.suse.com/957988
https://bugzilla.suse.com/958009
https://bugzilla.suse.com/958493
https://bugzilla.suse.com/958523
https://bugzilla.suse.com/962360
https://download.suse.com/patch/finder/?keywords=085198b0d3665c1af17df9c5dcb...

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org