===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3968
                 SUSE-SU-2019:14201-1 Security update for xen
                               28 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17344 CVE-2019-17343 CVE-2019-17342
                   CVE-2019-17341 CVE-2019-17340 CVE-2019-15890
                   CVE-2019-14378 CVE-2019-12155 CVE-2019-12068
                   CVE-2019-12067 CVE-2018-20815 CVE-2017-10806
Reference:         ESB-2019.3927 ESB-2019.3578 ESB-2019.3474
                   ESB-2019.3405 ESB-2019.3944.2

Original Bulletin:
   https://www.suse.com/support/update/announcement/2019/suse-su-201914201-1.html

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:14201-1
Rating:             important
References:         #1047675 #1126140 #1126141 #1126192 #1126195 #1126196
                    #1130680 #1135905 #1143797 #1145652 #1146874 #1149813
Cross-References:   CVE-2017-10806 CVE-2018-20815 CVE-2019-12067
                    CVE-2019-12068 CVE-2019-12155 CVE-2019-14378
                    CVE-2019-15890 CVE-2019-17340 CVE-2019-17341
                    CVE-2019-17342 CVE-2019-17343 CVE-2019-17344
Affected Products:
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.
Description:

   This update for xen fixes the following issues:

   o CVE-2019-15890: Fixed a use-after-free in the SLiRP networking
     implementation of the QEMU emulator which could have led to denial of
     service (bsc#1149813).
   o CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite
     loop and denial of service (bsc#1146874).
   o CVE-2019-14378: Fixed a heap buffer overflow in the SLiRP networking
     implementation of the QEMU emulator which could have led to execution
     of arbitrary code with the privileges of the QEMU process
     (bsc#1143797).
   o CVE-2019-12067: Fixed a null pointer dereference which could have led
     to denial of service (bsc#1145652).
   o CVE-2019-12155: Fixed a null pointer dereference in the QXL VGA card
     emulator of QEMU which could have led to denial of service
     (bsc#1135905).
   o CVE-2018-20815: Fixed a heap buffer overflow while loading a device
     tree blob (bsc#1130680).
   o CVE-2017-10806: Fixed a stack buffer overflow in debug logging
     (bsc#1047675).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   o SUSE Linux Enterprise Point of Sale 11-SP3:

     zypper in -t patch sleposp3-xen-14201=1

   o SUSE Linux Enterprise Debuginfo 11-SP3:

     zypper in -t patch dbgsp3-xen-14201=1

Package List:

   o SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      xen-kmp-default-4.2.5_21_3.0.101_0.47.106.59-45.33.1
      xen-kmp-pae-4.2.5_21_3.0.101_0.47.106.59-45.33.1
      xen-libs-4.2.5_21-45.33.1
      xen-tools-domU-4.2.5_21-45.33.1

   o SUSE Linux Enterprise Debuginfo 11-SP3 (i586 x86_64):

      xen-debuginfo-4.2.5_21-45.33.1
      xen-debugsource-4.2.5_21-45.33.1

References:

   o https://www.suse.com/security/cve/CVE-2017-10806.html
   o https://www.suse.com/security/cve/CVE-2018-20815.html
   o https://www.suse.com/security/cve/CVE-2019-12067.html
   o https://www.suse.com/security/cve/CVE-2019-12068.html
   o https://www.suse.com/security/cve/CVE-2019-12155.html
   o https://www.suse.com/security/cve/CVE-2019-14378.html
   o https://www.suse.com/security/cve/CVE-2019-15890.html
   o https://www.suse.com/security/cve/CVE-2019-17340.html
   o https://www.suse.com/security/cve/CVE-2019-17341.html
   o https://www.suse.com/security/cve/CVE-2019-17342.html
   o https://www.suse.com/security/cve/CVE-2019-17343.html
   o https://www.suse.com/security/cve/CVE-2019-17344.html
   o https://bugzilla.suse.com/1047675
   o https://bugzilla.suse.com/1126140
   o https://bugzilla.suse.com/1126141
   o https://bugzilla.suse.com/1126192
   o https://bugzilla.suse.com/1126195
   o https://bugzilla.suse.com/1126196
   o https://bugzilla.suse.com/1130680
   o https://bugzilla.suse.com/1135905
   o https://bugzilla.suse.com/1143797
   o https://bugzilla.suse.com/1145652
   o https://bugzilla.suse.com/1146874
   o https://bugzilla.suse.com/1149813

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
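A way to confirm on a fleet that the patched packages from the list above are actually installed, as an added example that is neither AusCERT's nor SUSE's code: it compares installed 'NAME VERSION-RELEASE' pairs against the fixed versions using rpm's segment comparison rules (simplified, without tilde/caret handling). The FIXED table is taken from the Point of Sale 11-SP3 package list; the SAMPLE query output is constructed, not captured from a real host.

```python
import re

# Fixed versions from the bulletin's package list (SLE Point of Sale 11-SP3, i586).
FIXED = {
    "xen-kmp-default": "4.2.5_21_3.0.101_0.47.106.59-45.33.1",
    "xen-kmp-pae": "4.2.5_21_3.0.101_0.47.106.59-45.33.1",
    "xen-libs": "4.2.5_21-45.33.1",
    "xen-tools-domU": "4.2.5_21-45.33.1",
}

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~'/'^' handling): split on
    maximal runs of digits or letters ('.', '_' only separate); numbers
    compare numerically, letters lexically, a number beats letters, and a
    longer segment list wins when the common prefix is equal."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", v) for v in (a, b))
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_rpm_output(text):
    """Parse 'NAME VERSION-RELEASE' lines (rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n')."""
    return dict(line.split() for line in text.splitlines() if line.strip())

def unpatched(installed, fixed=FIXED):
    """Return {name: installed_evr} for listed packages still older than the fix."""
    return {n: v for n, v in installed.items()
            if n in fixed and evr_cmp(v, fixed[n]) < 0}

# Constructed sample query output: xen-libs is still one release behind the fix.
SAMPLE = """\
xen-libs 4.2.5_21-45.30.1
xen-tools-domU 4.2.5_21-45.33.1
xen-kmp-default 4.2.5_21_3.0.101_0.47.106.59-45.33.1
glibc 2.11.3-17.110.1
"""
```

Feed the real query output from each host into parse_rpm_output; a non-empty result from unpatched means the patch has not landed there yet.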
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================