[opensuse-security] Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages
(posted this already to opensuse-virtual ML; was suggested that I post it here as well)

I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo

rpm -qa | grep -i ^xen | sort
xen-4.5.1_10-390.1.x86_64
xen-libs-4.5.1_10-390.1.x86_64
xen-tools-4.5.1_10-390.1.x86_64

Xen's now made public its latest critical advisory

http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shat...
"Xen patches 7-year-old bug that shattered hypervisor security. Critical vulnerability allowed some guests to access underlying operating system."

http://xenbits.xen.org/xsa/advisory-148.html
Advisory XSA-148
Public release 2015-10-29 11:59
...
CVE(s) CVE-2015-7835
Title x86: Uncontrolled creation of large page mappings by PV guests

The advisory instructs patching to resolve

RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa148.patch xen-unstable, Xen 4.6.x
xsa148-4.5.patch Xen 4.5.x
xsa148-4.4.patch Xen 4.4.x, Xen 4.3.x

Checking installed Xen's changelog

rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"
(empty)

it's not been applied. Or, afaict from obs, even submitted.

Where's this security patch in the package tree?

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
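As an added example (not part of the thread, and not code from the openSUSE or Xen projects), the changelog check in the message above generalised to a small POSIX shell script: it reads a package changelog and reports which of several fix identifiers (a CVE number, an XSA patch name) are absent, so an empty grep can be told apart from a package that is not installed or a host without rpm. The sample changelog it runs against is constructed for illustration; the package name, identifiers and the rpm query itself are the ones already shown in the message.

```shell
#!/bin/sh
# Added example: verify that a package's RPM changelog references every
# identifier of a security fix before treating the package as patched.

# missing_ids ID... : reads changelog text on stdin and prints, one per line,
# each ID that does not appear in it (case-insensitive, fixed-string match).
# Exit status 0 when every ID is present, 1 when at least one is missing.
missing_ids() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        if ! printf '%s\n' "$changelog" | grep -qiF -- "$id"; then
            printf '%s\n' "$id"
            missing=1
        fi
    done
    return $missing
}

# check_installed PKG ID... : same check against the installed package's
# changelog, as the message does with "rpm -q --changelog xen".
# Exit status 2 when rpm is unavailable or the package is not installed,
# so that case is never reported as "patched".
check_installed() {
    pkg=$1; shift
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot inspect $pkg" >&2
        return 2
    fi
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed" >&2
        return 2
    fi
    if out=$(rpm -q --changelog "$pkg" | missing_ids "$@"); then
        echo "$pkg: changelog references all of: $*"
    else
        echo "$pkg: no changelog reference to: $(printf '%s' "$out" | tr '\n' ' ')"
        return 1
    fi
}

# Constructed sample changelog (illustrative text, not real package data).
SAMPLE_CHANGELOG='* Fri Oct 30 2015 maintainer@example.invalid
- xsa148.patch: x86: Uncontrolled creation of large page mappings by PV guests (CVE-2015-7835)'

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | missing_ids CVE-2015-7835 xsa148 \
    && echo "sample changelog: all identifiers found"
printf '%s\n' "$SAMPLE_CHANGELOG" | missing_ids CVE-2015-7835 PLACEHOLDER-ID-NOT-IN-LOG \
    || echo "sample changelog: identifiers listed above are missing"
```

On a real host the call would be `check_installed xen CVE-2015-7835 xsa148`; a status of 1 reproduces the "(empty)" result from the message, while a status of 2 means the check could not be run at all, which a monitoring job should treat differently from "unpatched".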
On Thu, Oct 29, 2015 at 05:30:08PM -0700, PGNet Dev wrote:
Where's this security patch in the package tree?
The issues were under embargo until yesterday. Up until now we didn't receive an openSUSE submission. I asked the maintainer to provide submits.

Johannes

--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
On 10/30/2015 02:59 AM, jsegitz@suse.de wrote:
On Thu, Oct 29, 2015 at 05:30:08PM -0700, PGNet Dev wrote:
Where's this security patch in the package tree?
The issues were under embargo until yesterday. Up until now we didn't receive openSUSE submission. I asked the maintainer to provide submits.
Johannes
According to http://www.xenproject.org/security-policy.html

In addition to CentOS, Debian, Gentoo, Mageia, Ubuntu ... both Novell, Suse are on the Xen pre-disclosure list.

It's not clear to me why Opensuse is not. Obviously Suse 'knew'.

Can that be fixed so that unnecessary periods of security exposure on production machines, specifically in the case of well communicated pre-disclosure, can be avoided in the future?

Simply, Opensuse should be on that list and similarly responsive.
On Fri, Oct 30, 2015 at 06:53:38AM -0700, PGNet Dev wrote:
It's not clear to me why Opensuse is not. Obviously Suse 'knew'.
Yes, we knew. But because we can't disclose these issues we're not able to work on updates in OBS until they are public. Then it's a matter of how fast we get submits we can work with.

Johannes
On Fri, Oct 30, 2015 at 04:14:24PM +0100, jsegitz@suse.de wrote:
Then it's a matter of how fast we get submits we can work with
xen.openSUSE_13.2_Update is in openSUSE:Maintenance:4138, xen.openSUSE_13.1_Update is in openSUSE:Maintenance:4139. If someone could test these we can release them faster than usual.

Johannes
participants (2)
-
jsegitz@suse.de
-
PGNet Dev