Mailinglist Archive: opensuse-security (13 mails)

[opensuse-security] Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages
(posted this already to opensuse-virtual ML; was suggested that I post it here as well)

I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo

rpm -qa | grep -i ^xen | sort
xen-4.5.1_10-390.1.x86_64
xen-libs-4.5.1_10-390.1.x86_64
xen-tools-4.5.1_10-390.1.x86_64

Xen's now made public its latest critical advisory


http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/
"Xen patches 7-year-old bug that shattered hypervisor security.
Critical vulnerability allowed some guests to access underlying operating system."

http://xenbits.xen.org/xsa/advisory-148.html
Advisory XSA-148
Public release 2015-10-29 11:59
...
CVE(s) CVE-2015-7835
Title x86: Uncontrolled creation of large page mappings by PV guests

The advisory instructs patching to resolve

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa148.patch xen-unstable, Xen 4.6.x
xsa148-4.5.patch Xen 4.5.x
xsa148-4.4.patch Xen 4.4.x, Xen 4.3.x

Checking installed Xen's changelog

rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"
(empty)

It's not been applied. Or, afaict from obs, even submitted.

Where's this security patch in the package tree?
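Added example, not part of the original post: the changelog check from the message above as a reusable shell function that matches the advisory by CVE id or XSA number, case-insensitively and with or without the hyphen (`XSA-148`, `xsa148`). The function names and the sample changelog text are constructed for illustration, and the bug number is a placeholder; the result only says whether the changelog lists the advisory.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a package
# changelog references an advisory, by CVE id or by XSA number.

# advisory_in_changelog CVE XSA_NUMBER   (changelog text on stdin)
# Prints the matching changelog lines; exit status 0 if any, 1 if none.
advisory_in_changelog() {
    cve=$1
    xsa=$2
    # -i: changelogs may write "XSA-148" or "xsa148"; "-?" makes the hyphen optional.
    # The trailing ([^0-9]|$) keeps XSA 148 from matching a longer number such as 1480.
    grep -E -i -e "(${cve}|xsa-?${xsa})([^0-9]|\$)"
}

# fix_status CVE XSA_NUMBER   (changelog text on stdin)
# Prints "listed" or "not listed".
fix_status() {
    if advisory_in_changelog "$1" "$2" >/dev/null; then
        echo "listed"
    else
        echo "not listed"
    fi
}

# Constructed sample changelogs (packager address and bug number are placeholders).
SAMPLE_WITH_FIX='* Thu Oct 29 2015 packager@example.com
- bsc#NNNNNN - CVE-2015-7835: xen: x86: Uncontrolled creation of
  large page mappings by PV guests (XSA-148)
  CVE-2015-7835-xsa148.patch'

SAMPLE_WITHOUT_FIX='* Tue Oct 06 2015 packager@example.com
- Update to Xen 4.5.1 bug fix release'

# Live use on an RPM-based host:
#   rpm -q --changelog xen | fix_status CVE-2015-7835 148
```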
