SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0372-1
Rating:             important
References:         #831120 #833483 #842417 #846849 #848014 #849667 
                    #849668 #853049 #860163 #860302 #861256 
Cross-References:   CVE-2013-2212 CVE-2013-4553 CVE-2013-4554
                    CVE-2013-6885 CVE-2014-1666 CVE-2014-1891
                    CVE-2014-1892 CVE-2014-1893 CVE-2014-1894
                    CVE-2014-1950
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has one errata
   is now available.

Description:


   The SUSE Linux Enterprise Server 11 Service Pack 2 LTSS Xen
   hypervisor and  toolset has been updated to fix various
   security issues and several bugs.

   The following security issues have been addressed:

   *

   XSA-88: CVE-2014-1950: Use-after-free vulnerability
   in the xc_cpupool_getinfo function in Xen 4.1.x through
   4.3.x, when using a multithreaded toolstack, does not
   properly handle a failure by the xc_cpumap_alloc function,
   which allows local users with access to management
   functions to cause a denial of service (heap corruption)
   and possibly gain privileges via unspecified vectors.
   (bnc#861256)

   *

   XSA-87: CVE-2014-1666: The do_physdev_op function in
   Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not
   properly restrict access to the (1) PHYSDEVOP_prepare_msix
   and (2) PHYSDEVOP_release_msix operations, which allows
   local PV guests to cause a denial of service (host or guest
   malfunction) or possibly gain privileges via unspecified
   vectors. (bnc#860302)

   *

   XSA-84: CVE-2014-1894: Xen 3.2 (and presumably
   earlier) exhibit both problems with the overflow issue
   being present for more than just the suboperations listed
   above. (bnc#860163)

   *

   XSA-84: CVE-2014-1892 CVE-2014-1893: Xen 3.3 through
   4.1, while not affected by the above overflow, have a
   different overflow issue on FLASK_{GET,SET}BOOL and expose
   unreasonably large memory allocation to aribitrary guests.
   (bnc#860163)

   *

   XSA-84: CVE-2014-1891: The FLASK_{GET,SET}BOOL,
   FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the
   flask hypercall are vulnerable to an integer overflow on
   the input size. The hypercalls attempt to allocate a buffer
   which is 1 larger than this size and is therefore
   vulnerable to integer overflow and an attempt to allocate
   then access a zero byte buffer. (bnc#860163)

   *

   XSA-82: CVE-2013-6885: The microcode on AMD 16h 00h
   through 0Fh processors does not properly handle the
   interaction between locked instructions and write-combined
   memory types, which allows local users to cause a denial of
   service (system hang) via a crafted application, aka the
   errata 793 issue. (bnc#853049)

   *

   XSA-76: CVE-2013-4554: Xen 3.0.3 through 4.1.x
   (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x
   (possibly 4.3.1) does not properly prevent access to
   hypercalls, which allows local guest users to gain
   privileges via a crafted application running in ring 1 or
   2. (bnc#849668)

   *

   XSA-74: CVE-2013-4553: The XEN_DOMCTL_getmemlist
   hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does
   not always obtain the page_alloc_lock and mm_rwlock in the
   same order, which allows local guest administrators to
   cause a denial of service (host deadlock). (bnc#849667)

   *

   XSA-60: CVE-2013-2212: The vmx_set_uc_mode function
   in Xen 3.3 through 4.3, when disabling chaches, allows
   local HVM guests with access to memory mapped I/O regions
   to cause a denial of service (CPU consumption and possibly
   hypervisor or guest kernel panic) via a crafted GFN range.
   (bnc#831120)

   Also the following non-security bugs have been fixed:

   * Boot Failure with xen kernel in UEFI mode with error
   "No memory for trampoline" (bnc#833483)
   * Fixed Xen hypervisor panic on 8-blades nPar with
   46-bit memory addressing. (bnc#848014)
   * In HP's UEFI x86_64 platform and sles11sp3 with xen
   environment, dom0 will soft lockup on multiple blades nPar.
   (bnc#842417)
   * Soft lockup with PCI passthrough and many VCPUs
   (bnc#846849)

   Security Issue references:

   * CVE-2013-2212
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2212
   >
   * CVE-2013-4553
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4553
   >
   * CVE-2013-4554
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4554
   >
   * CVE-2013-6885
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885
   >
   * CVE-2014-1666
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1666
   >
   * CVE-2014-1891
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1891
   >
   * CVE-2014-1892
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1892
   >
   * CVE-2014-1893
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1893
   >
   * CVE-2014-1894
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1894
   >
   * CVE-2014-1950
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1950
   >

Indications:

   Everyone using the Xen hypervisor should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-xen-201402-8964

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

      xen-devel-4.1.6_06-0.5.1
      xen-kmp-default-4.1.6_06_3.0.101_0.7.17-0.5.1
      xen-kmp-trace-4.1.6_06_3.0.101_0.7.17-0.5.1
      xen-libs-4.1.6_06-0.5.1
      xen-tools-domU-4.1.6_06-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (x86_64):

      xen-4.1.6_06-0.5.1
      xen-doc-html-4.1.6_06-0.5.1
      xen-doc-pdf-4.1.6_06-0.5.1
      xen-libs-32bit-4.1.6_06-0.5.1
      xen-tools-4.1.6_06-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586):

      xen-kmp-pae-4.1.6_06_3.0.101_0.7.17-0.5.1


References:

   http://support.novell.com/security/cve/CVE-2013-2212.html
   http://support.novell.com/security/cve/CVE-2013-4553.html
   http://support.novell.com/security/cve/CVE-2013-4554.html
   http://support.novell.com/security/cve/CVE-2013-6885.html
   http://support.novell.com/security/cve/CVE-2014-1666.html
   http://support.novell.com/security/cve/CVE-2014-1891.html
   http://support.novell.com/security/cve/CVE-2014-1892.html
   http://support.novell.com/security/cve/CVE-2014-1893.html
   http://support.novell.com/security/cve/CVE-2014-1894.html
   http://support.novell.com/security/cve/CVE-2014-1950.html
   https://bugzilla.novell.com/831120
   https://bugzilla.novell.com/833483
   https://bugzilla.novell.com/842417
   https://bugzilla.novell.com/846849
   https://bugzilla.novell.com/848014
   https://bugzilla.novell.com/849667
   https://bugzilla.novell.com/849668
   https://bugzilla.novell.com/853049
   https://bugzilla.novell.com/860163
   https://bugzilla.novell.com/860302
   https://bugzilla.novell.com/861256
   ?keywords=39ca3113e56362a1b6ff0a74f08124b2

-- 
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org