ESB-2018.1808 - [Debian] xen: Access privileged data - Existing account 2018-06-21

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1808
                            xen security update
                               21 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3665  

Reference:         ESB-2018.1804
                   ESB-2018.1784
                   ESB-2018.1770

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4232

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4232-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3665

This update provides mitigations for the "lazy FPU" vulnerability
affecting a range of Intel CPUs, which could result in leaking CPU
register states belonging to another vCPU previously scheduled on the
same CPU. For additional information please refer to
https://xenbits.xen.org/xsa/advisory-267.html

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlsp+ycACgkQEMKTtsN8
TjaS5g/9FZbJH3HX+T6CsX0buGcfuJlbCACF/GYlNakcLTLDEIgnt8VHc/APX1zP
f+lUhpPwK8IEkO1HwPlp94OE4/4P1kMw+mqE58VOKczEZIdlTESoLZYYvwQ1HBwl
wgPaS7FykrLT/TPCuKTyqEGENrtmSMOAEKB1E7cIGBEthcCapdOK8xDe67qX0R6b
dnP3gDJpYRWrvMUZGURGLpVlV1fIUB1ki9O6PyA8rcm/pXLQQVqoeZ9CV+/AxA2E
2GLSLPpSNPcTtQC9lQeQ0Wp27nAC/Sb2dj0A2cByeTcDit2m53KDnhLzMammmXfi
TkY24lIgp0I0dIFRQSD6HJar1oI5gvw2xJulDCFNtWG8RQfT4zRBfxCcTe7ldhx1
R/wh8czaPLg/ysJAFP8wZjcNgNMutpX2K7kTdi2mtND9yw3Xw0Ev+ZXKvtxNzXTb
QLefmNUwqbqcoH7sIxfbCQdSA7fTqtBXzShmamuAQYO8Sa1a2PM7MEgPTtvCiRFy
aCDJ6nFlIiS94RnHtrZcOtBngMWAOLPocWFVLJOCvWS8Qp+Mu1ZqgLrSqlhealy5
hd3+b0bvSRJq9aJzMgxXMbpGI7sHGNhvE87iruSoqJN1oDBACwyx7heTPUuSQFHe
jlPuMujmWVI+VzknrDTFMFNLfOX1ZqjO9bm4lEJ6iAbikOlL56E=
=enDo
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWyrv62aOgq3Tt24GAQil8g//Xcde74rxwiCecvwM8FEuS2Yu4Wvz9cez
JG/tsybhotKjRfiNUPD2t1plqptikTz5QD0tfSn79R3EFOFkQxPBPVz4uDcKf8nj
c/cNRFN7Vs2hv2eXWjphh1WnF3qiBPkSnDZ0SXx4LwxriTX07G2tUZRCloYDqRMY
mfim3RUC9+08yBjyaN1fzuqbyuItiu11dojIowUvpDOpm2C9+86vSOLm5kETwXIm
0pgfancHWDo4hocne4RjUBkPb0Sif7YYqjdQekYbwEN+7S3dSDy1WX0sIN/hjrNS
yXiDDAoqfC9A0PQUY6Snj3KwuhRZhxRWz4fMQ5FgjupL9t+8qB+ghcSAKU+sZtyq
9dGBhuhckt1xhNCEw2OgH7nWIMUe3eM2JNxP9tp8mFnSTqgwipJnECYDMm2vAX1V
oJQcJyUXn7jHWypiRDb0SqXNlexz4FVkQXKtReTpXSGYR+r8OOKwKLCUfApmoU+J
gwS/8thp0Pbv7FvKB4SauNmos0mgRaPmX5/uct+75YjdwXsptAZndvNj1lgapHm1
9W8AvuHIqftpKHGZLCp2MB3waKSv3yIkrw419L7EdNvXNq3H26Aw2p8D21rNjO9o
nzeEOtxJbIO11XvlamJkXz5Zoe9At+dXp5SFRCl9V5VqfjlSz0Lcv66Tk9PxUD5c
IU+sbRPWS98=
=r4/d
-----END PGP SIGNATURE-----

« Back to bulletins