ESB-2018.1831 - [Debian] xen: Access privileged data - Existing account 2018-06-22

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1831
                            xen security update
                               22 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3665  

Reference:         ESB-2018.1808
                   ESB-2018.1804
                   ESB-2018.1784
                   ESB-2018.1770

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4232

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4232-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 20, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3665

This update provides mitigations for the "lazy FPU" vulnerability
affecting a range of Intel CPUs, which could result in leaking CPU
register states belonging to another vCPU previously scheduled on the
same CPU. For additional information please refer to
https://xenbits.xen.org/xsa/advisory-267.html

For the stable distribution (stretch), this problem has been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlsp+ycACgkQEMKTtsN8
TjaS5g/9FZbJH3HX+T6CsX0buGcfuJlbCACF/GYlNakcLTLDEIgnt8VHc/APX1zP
f+lUhpPwK8IEkO1HwPlp94OE4/4P1kMw+mqE58VOKczEZIdlTESoLZYYvwQ1HBwl
wgPaS7FykrLT/TPCuKTyqEGENrtmSMOAEKB1E7cIGBEthcCapdOK8xDe67qX0R6b
dnP3gDJpYRWrvMUZGURGLpVlV1fIUB1ki9O6PyA8rcm/pXLQQVqoeZ9CV+/AxA2E
2GLSLPpSNPcTtQC9lQeQ0Wp27nAC/Sb2dj0A2cByeTcDit2m53KDnhLzMammmXfi
TkY24lIgp0I0dIFRQSD6HJar1oI5gvw2xJulDCFNtWG8RQfT4zRBfxCcTe7ldhx1
R/wh8czaPLg/ysJAFP8wZjcNgNMutpX2K7kTdi2mtND9yw3Xw0Ev+ZXKvtxNzXTb
QLefmNUwqbqcoH7sIxfbCQdSA7fTqtBXzShmamuAQYO8Sa1a2PM7MEgPTtvCiRFy
aCDJ6nFlIiS94RnHtrZcOtBngMWAOLPocWFVLJOCvWS8Qp+Mu1ZqgLrSqlhealy5
hd3+b0bvSRJq9aJzMgxXMbpGI7sHGNhvE87iruSoqJN1oDBACwyx7heTPUuSQFHe
jlPuMujmWVI+VzknrDTFMFNLfOX1ZqjO9bm4lEJ6iAbikOlL56E=
=enDo
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWyw4rWaOgq3Tt24GAQjwoQ/+O4ffi/4z56X38c9aXr5XMasbXNffNWRQ
AgYbPS+Ci0dk9504ppJiVce802frVt+HQdDDqPAO3PbRMsGcwZGL9BW+lp0JhPdx
ARwc9Wj1Xb3Z1AKup+Vkm+HXU8Qs61YxmAr4tntTwxNuuBYtEQKnnorSqtluPb0t
1ZM4hxG97UWYx98EX5co1dnQmDv9wtiHa6M/EVpNLIiMDkIzYuZB5D4MXTOrcnY1
SjfTniy4f7bD4KbY1J8IyRbOI/vHzhAtii6005vpxxzqdtHBtssj9FoTBaDjcHPl
oSU/0SHhvKuI7mtVdkaX2Cx0s95J4vwdJeJzm35XDReGyccY8KdAMLkH+9yA6tgU
LMm6clz2+nzlEfZHkof7AW0jGWj8PAIc+SfFCQVKQojGWkPV/XqTtpE85j2/Nx/I
qx7JNp4vvC5rZ2+3g1pAx79DsFti0omQDUCxIpphNF+fO/xZ31KOHXvF+VohEebk
2VsBrhaMd78HIbJDtXUuiHbS+7iRJLp/4IlgbA7om8N83JXxX/rfMuhao90io+I0
Mn/OLl1Zgb6pbNGsFVpx9JmUCtpBvVIVc/zj1T+ZaERamdTMc97SS9k78y3SZnKd
51ZVD6WmAeep7LinPWAryaiyurI4hHsXQlMUJ8t5vGgfsnapHTIurCTN7nxW31Ms
WI5SPCuXkXc=
=TNpV
-----END PGP SIGNATURE-----

« Back to bulletins