[opensuse-virtual] Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages?
I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo

    rpm -qa | grep -i ^xen | sort
    xen-4.5.1_10-390.1.x86_64
    xen-libs-4.5.1_10-390.1.x86_64
    xen-tools-4.5.1_10-390.1.x86_64

Xen's now made public its latest critical advisory

    http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shat...
    "Xen patches 7-year-old bug that shattered hypervisor security. Critical vulnerability allowed some guests to access underlying operating system."

    http://xenbits.xen.org/xsa/advisory-148.html
    Advisory XSA-148
    Public release 2015-10-29 11:59 ...
    CVE(s) CVE-2015-7835
    Title x86: Uncontrolled creation of large page mappings by PV guests

The advisory instructs patching to resolve

    RESOLUTION
    ==========
    Applying the appropriate attached patch resolves this issue.
    xsa148.patch        xen-unstable, Xen 4.6.x
    xsa148-4.5.patch    Xen 4.5.x
    xsa148-4.4.patch    Xen 4.4.x, Xen 4.3.x

Checking installed Xen's changelog

    rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"
    (empty)

it's not been applied. Or, afaict from obs, even submitted.

Where's this security patch in the package tree?
participants (1)
- PGNet Dev
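Added example (not part of the original post): a reusable form of the changelog check shown in the message, which also matches upper-case and hyphenated spellings such as "XSA-148" and does not match longer numbers such as XSA-1480. The function names and the sample changelog excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a package changelog for a security advisory reference.

# advisory_in_changelog XSA_NUMBER CVE_ID
# Reads changelog text on stdin. Returns 0 if the XSA number or the CVE id
# is mentioned (any case; "xsa148", "XSA-148", "XSA 148"), 1 otherwise.
# The trailing ([^0-9]|$) stops XSA-148 from matching XSA-1480.
advisory_in_changelog() {
    xsa_num=$1
    cve_id=$2
    grep -Eiq "(xsa[-_ ]?${xsa_num}|${cve_id})([^0-9]|\$)"
}

# report PACKAGE XSA_NUMBER CVE_ID   (changelog text on stdin)
# Prints a one-line verdict; returns 1 when no reference is found.
report() {
    if advisory_in_changelog "$2" "$3"; then
        echo "$1: changelog mentions XSA-$2 / $3"
    else
        echo "$1: no mention of XSA-$2 / $3 in changelog"
        return 1
    fi
}

# Constructed changelog excerpts (not taken from any real package).
SAMPLE_UNPATCHED='* Mon Oct 05 2015 maintainer@example.org
- Update to Xen 4.5.1
- constructed entry: unrelated fix'

SAMPLE_PATCHED='* Fri Oct 30 2015 maintainer@example.org
- constructed entry: x86 PV large page mappings (XSA-148)
  CVE-2015-7835-xsa148.patch'

SAMPLE_OTHER='* Fri Oct 30 2015 maintainer@example.org
- constructed entry: fix for XSA-1480 only'

printf '%s\n' "$SAMPLE_UNPATCHED" | report xen 148 CVE-2015-7835 || true
printf '%s\n' "$SAMPLE_PATCHED"   | report xen 148 CVE-2015-7835

# On a real host, feed the installed package changelog instead:
#   rpm -q --changelog xen | report xen 148 CVE-2015-7835
```

A missing changelog entry only shows the fix is not recorded there; the package's patch list is the other place to look.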