ESB-2018.1885 - [Linux][Debian] xen: Multiple vulnerabilities 2018-06-28

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1885
                            xen security update
                               28 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Linux variants
Impact/Access:     Denial of Service   -- Existing Account
                   Unauthorised Access -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12893 CVE-2018-12892 CVE-2018-12891

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4236

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running xen check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4236-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 27, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-12891 CVE-2018-12892 CVE-2018-12893

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2018-12891

    It was discovered that insufficient validation of PV MMU operations
    may result in denial of service.

CVE-2018-12892

    It was discovered that libxl fails to honour the 'readonly' flag on
    HVM-emulated SCSI disks.
    
CVE-2018-12893

    It was discovered that incorrect implementation of debug exception
    checks could result in denial of service.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlsz/0cACgkQEMKTtsN8
TjYb8g//dg5mvwFAVUlUL3x83h+malQf4qXiaoHRiorREYkmndCmKLR0gsiSy1yf
rffQ2lxTnMVEN/pcEwlFDTT3kPvXWS/sKB+8d7wihLOQ/yc+R1lchZz9rLs1wlf6
STOCVSRscSRSLa5HkRSM8peNrE9WgoL9JXQO0dZ6LNGutm+9r2xjVTd/tU+Z+xsd
ZSp356iITderx0Sb8ii3UYO+nNW9itJBct3MAdmlQ6jJ6pJrYnpO1l8AE+QKapzk
70zav49qx6QS40HRz7OzJaEWH74VITIRfggxtvCoQFEnrQtkQ48ImMiEToaegtZS
DvJTsCY8YqQ9DLsINoLEwQkHelIl4w9mzH7681/meAZUJjeq80+aVhAFdovFevJ3
jceytwFskKe5qCKqLesFiXwG+sDDbqfpJSKP8xgCL5ltoPO+7aMjkCQwRfyVMEFy
ugA9oOYSWbJz5LEs0bhOgmldxgzs+u0yK8hhEQntTXQSMkldL1l6RVzzNZ2WTJZZ
UakldERJdbRGVOuzBOEV5GeyRnUtcfBvw7NIIYlcIswcp+h0pSRP5YWCUaEJ2TuB
JvKSbNidQxnoguOkuKVmWdO6fZI9oPaIVc5r9nKia017nh/fqLlgy3OC0d9/9Ppm
CYQ9plmmS7cs8Keyb7/cp2fouRhJXMMOYvCNvYU2R3UBro9TUm0=
=JIlu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWzRaP2aOgq3Tt24GAQjISxAAkhmnRZ3DyL/D9T1t0pcYwPIdmCRDcOXC
+jmPz9FGbgsRtdJGMYL/lQMfQylC1qf+Nl/vxNfOGGW/4MHMBneS0AXESFiEeddf
4/IMlp8JJs7kwna5LYP963Mxy9BgaVuZfh7tATAozFKeMb3dxST5dddLSS5NdkGq
FyBvDZ1Oa7A5AokNhuUViDEPZDV3EW+EZctlR+Oimm9/p+ck0Gsx6FUB4tfs3Ulc
ZAkQ8cjpZEboHX8X3xtu7qmPjUh90hdWbuHELdjEgKz/A8oF8BilFF82qjPtcIAU
CA+/xw/41Kp29m0PRHzir4/YvtbigUq4rp+yvrH92oRV0fN2kdr2/eQ5/whJ66Ov
R5fWxttRjqY6xmHydKIkr5SPlGyz100YoCWihQ3jeWJ1mIKY1Hdv4R1EwbmFCqfu
bqgnAt+zSqNELuULjmvuzBkfyT7auTzHe1Y9B/a9A5gpt9T05ve7HurNBZOPark2
iy7RCurWi71TikMHFmBhWwIPxNAymH55u+3H+PKXYUc0wbpkj/wa6sU1VhjnKyGs
eGpmorALljdqXoyOx7/yqkOJ9fVpZ2HVZmKHJfI3m4NQYJmhusR+Dk0uRb8mXrbY
M/o1jZOAQqJPupq+fktgCcosmW2mhXkNKJ8Vj3J4GYxS0rvzhDBc+9ijtPAyQA9D
PgjwsaQvu8E=
=QnVh
-----END PGP SIGNATURE-----

« Back to bulletins