   openSUSE Security Update: xen: security and bugfix update to 4.1.6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1636-1
Rating:             moderate
References:         #828623 #833251 #833796 #834751 #839596 #839600
                    #840196 #840592 #841766 #842511 #845520
Cross-References:   CVE-2013-1442 CVE-2013-4355 CVE-2013-4361
                    CVE-2013-4368 CVE-2013-4416
Affected Products:
                    openSUSE 12.2
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 6 fixes is
   now available.

Description:

   Xen was updated to 4.1.6 c/s 23588 to fix various bugs and
   security issues.

   The following changes are listed:

   - Comment out the -include directive in Config.mk as the
     build service build seems to error out not finding
     '.config'
     xen-config.diff
   - bnc#845520 - CVE-2013-4416: xen: ocaml xenstored
     mishandles oversized message replies
   - Improvements to block-dmmd script bnc#828623
   - bnc#840196 - MTU size on Dom0 gets reset when booting
     DomU with e1000 device
   - bnc#840592 - CVE-2013-4355: XSA-63: xen: Information
     leaks through I/O instruction emulation
   - bnc#841766 - CVE-2013-4361: XSA-66: xen: Information leak
     through fbld instruction emulation
   - bnc#842511 - CVE-2013-4368: XSA-67: xen: Information leak
     through outs instruction emulation
   - xen/27397-ACPI-fix-acpi_os_map_memory.patch: address
     regression
   - bnc#839596 - CVE-2013-1442: XSA-62: xen: Information leak
     on AVX and/or LWP capable CPUs
   - bnc#833251 - In HP’s UEFI x86_64 platform and with xen
     environment, in booting stage, xen hypervisor will panic.
   - bnc#833796 - Xen: migration broken from xsave-capable to
     xsave-incapable host
   - bnc#834751 - In xen, "shutdown -y 0 -h" cannot power off
     system
   - bnc#833251 - In HP’s UEFI x86_64 platform and with xen
     environment, in booting stage, xen hypervisor will panic.
   - bnc#839600 - In HP’s UEFI x86_64 platform and sles11sp3
     with xen environment, xen hypervisor will panic on
     multiple blades nPar.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-821

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 12.2 (i586 x86_64):

      xen-debugsource-4.1.6_01-5.33.1
      xen-devel-4.1.6_01-5.33.1
      xen-kmp-default-4.1.6_01_k3.4.47_2.38-5.33.1
      xen-kmp-default-debuginfo-4.1.6_01_k3.4.47_2.38-5.33.1
      xen-kmp-desktop-4.1.6_01_k3.4.47_2.38-5.33.1
      xen-kmp-desktop-debuginfo-4.1.6_01_k3.4.47_2.38-5.33.1
      xen-libs-4.1.6_01-5.33.1
      xen-libs-debuginfo-4.1.6_01-5.33.1
      xen-tools-domU-4.1.6_01-5.33.1
      xen-tools-domU-debuginfo-4.1.6_01-5.33.1

   - openSUSE 12.2 (x86_64):

      xen-4.1.6_01-5.33.1
      xen-doc-html-4.1.6_01-5.33.1
      xen-doc-pdf-4.1.6_01-5.33.1
      xen-libs-32bit-4.1.6_01-5.33.1
      xen-libs-debuginfo-32bit-4.1.6_01-5.33.1
      xen-tools-4.1.6_01-5.33.1
      xen-tools-debuginfo-4.1.6_01-5.33.1

   - openSUSE 12.2 (i586):

      xen-kmp-pae-4.1.6_01_k3.4.47_2.38-5.33.1
      xen-kmp-pae-debuginfo-4.1.6_01_k3.4.47_2.38-5.33.1

References:

   http://support.novell.com/security/cve/CVE-2013-1442.html
   http://support.novell.com/security/cve/CVE-2013-4355.html
   http://support.novell.com/security/cve/CVE-2013-4361.html
   http://support.novell.com/security/cve/CVE-2013-4368.html
   http://support.novell.com/security/cve/CVE-2013-4416.html
   https://bugzilla.novell.com/828623
   https://bugzilla.novell.com/833251
   https://bugzilla.novell.com/833796
   https://bugzilla.novell.com/834751
   https://bugzilla.novell.com/839596
   https://bugzilla.novell.com/839600
   https://bugzilla.novell.com/840196
   https://bugzilla.novell.com/840592
   https://bugzilla.novell.com/841766
   https://bugzilla.novell.com/842511
   https://bugzilla.novell.com/845520