ESB-2017.3024 - [Debian] xen: Multiple vulnerabilities 2017-11-29


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3024
                            xen security update
                             29 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-15597 CVE-2017-15595 CVE-2017-15594
                   CVE-2017-15593 CVE-2017-15592 CVE-2017-15590
                   CVE-2017-15589 CVE-2017-15588 CVE-2017-14319
                   CVE-2017-14318 CVE-2017-14317 CVE-2017-14316

Reference:         ESB-2017.2698

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4050

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4050-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 28, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2017-14316 CVE-2017-14317 CVE-2017-14318 CVE-2017-14319 
                 CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15592 
                 CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 CVE-2017-15597

Multiple vulnerabilities have been discovered in the Xen hypervisor, which
could result in denial of service, information leaks, privilege escalation
or the execution of arbitrary code.

For the oldstable distribution (jessie) a separate update will be
released.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.2+xsa245-0+deb9u1.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
