Mailinglist Archive: opensuse-security (13 mails)

[opensuse-security] Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages
(posted this already to opensuse-virtual ML; was suggested that I post it here as well)

I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo

rpm -qa | grep -i ^xen | sort

Xen's now made public its latest critical advisory
"Xen patches 7-year-old bug that shattered hypervisor security.
Critical vulnerability allowed some guests to access underlying operating system."
Advisory XSA-148
Public release 2015-10-29 11:59
CVE(s) CVE-2015-7835
Title x86: Uncontrolled creation of large page mappings by PV

The advisory instructs patching to resolve


Applying the appropriate attached patch resolves this issue.

xsa148.patch xen-unstable, Xen 4.6.x
xsa148-4.5.patch Xen 4.5.x
xsa148-4.4.patch Xen 4.4.x, Xen 4.3.x

Checking installed Xen's changelog

rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"

it's not been applied. Or, afaict from obs, even submitted.

Where's this security patch in the package tree?
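
The changelog check from the message above, written as an added example that is not part of the original post or of any openSUSE tooling. It matches the advisory under the spellings a changelog may use (CVE id, "XSA-148", "xsa148", a patch file name such as xsa148-4.5.patch) and reports a package that is not installed separately from a changelog with no entry. The function names and the sample changelog text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample text are hypothetical.

# Constructed sample changelog text (not real openSUSE changelog entries).
SAMPLE_PATCHED='* Thu Jan 01 2015 packager@example.invalid
- Add xsa148-4.5.patch (XSA-148)'
SAMPLE_UNPATCHED='* Thu Jan 01 2015 packager@example.invalid
- Unrelated change, adds xsa1480-placeholder.patch'

# Reads changelog text on stdin; returns 0 if the advisory is mentioned.
# $1 = CVE id, $2 = XSA number. Matching is case-insensitive and requires
# a non-digit (or end of line) after the id, so "xsa1480" is not a hit.
advisory_in_changelog() {
    cve=$1
    xsa=$2
    pattern="(${cve}|xsa[- ]?${xsa})([^0-9]|\$)"
    grep -Eiq -- "$pattern"
}

# Checks an installed RPM package. Return codes:
#   0 = changelog mentions the advisory
#   1 = package installed, changelog has no entry for it
#   2 = cannot check (rpm missing or package not installed)
check_package() {
    pkg=$1
    cve=$2
    xsa=$3
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host"
        return 2
    fi
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed"
        return 2
    fi
    if rpm -q --changelog "$pkg" | advisory_in_changelog "$cve" "$xsa"; then
        echo "$pkg: changelog mentions $cve / XSA-$xsa"
        return 0
    fi
    echo "$pkg: no changelog entry for $cve / XSA-$xsa"
    return 1
}

# Usage on a host with the package installed:
#   check_package xen CVE-2015-7835 148
```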