Roger,

There's been a report in the news of a potential guest to host escape in Xen (http://www.itnews.com.au/news/xen-patches-critical-guest-privilege-escalation-bug-431869). We have a few Xen Security advisories that came up in the last week. Can you address the applicability as well as patches for the following?

XSA-184 CVE-2016-5403 virtio: unbounded memory allocation issue
XSA-183 CVE-2016-6259 x86: Missing SMAP whitelisting in 32-bit exception / event delivery
XSA-182 CVE-2016-6258 x86: Privilege escalation in PV guests

Reference: http://xenbits.xen.org/xsa/

A commit references this bug:

Author: royger
Date: Mon Aug 1 08:35:55 UTC 2016
New revision: 419430
URL: https://svnweb.freebsd.org/changeset/ports/419430

Log:
  xen: apply XSA-{182/183/184}

  Sponsored by: Citrix Systems R&D
  PR: 211482

Changes:
  head/emulators/xen-kernel/Makefile
  head/emulators/xen-kernel/files/xsa182-unstable.patch
  head/emulators/xen-kernel/files/xsa183-unstable.patch
  head/sysutils/xen-tools/Makefile
  head/sysutils/xen-tools/files/xsa184-qemuu-master.patch

A commit references this bug:

Author: junovitch
Date: Tue Aug 2 02:07:57 UTC 2016
New revision: 419463
URL: https://svnweb.freebsd.org/changeset/ports/419463

Log:
  Document Xen Security Advisories (XSAs 182, 183, and 184)

  PR: 211482
  Security: CVE-2016-5403
  Security: CVE-2016-6259
  Security: CVE-2016-6258
  Security: https://vuxml.FreeBSD.org/freebsd/06574c62-5854-11e6-b334-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/04cf89e3-5854-11e6-b334-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/032aa524-5854-11e6-b334-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: junovitch
Date: Tue Aug 2 02:16:29 UTC 2016
New revision: 419464
URL: https://svnweb.freebsd.org/changeset/ports/419464

Log:
  MFH: r418136 r418138 r419430

  seabios: update to 1.9.3
  xen-tools: bump PORTREVISION after SeaBIOS update
  xen: apply XSA-{182/183/184}

  PR: 211482
  Sponsored by: Citrix Systems R&D
  Approved by: ports-secteam (with hat)
  Security: CVE-2016-5403
  Security: CVE-2016-6259
  Security: CVE-2016-6258
  Security: https://vuxml.FreeBSD.org/freebsd/06574c62-5854-11e6-b334-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/04cf89e3-5854-11e6-b334-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/032aa524-5854-11e6-b334-002590263bf5.html

Changes:
  _U branches/2016Q3/
  branches/2016Q3/emulators/xen-kernel/Makefile
  branches/2016Q3/emulators/xen-kernel/files/xsa182-unstable.patch
  branches/2016Q3/emulators/xen-kernel/files/xsa183-unstable.patch
  branches/2016Q3/misc/seabios/Makefile
  branches/2016Q3/misc/seabios/distinfo
  branches/2016Q3/sysutils/xen-tools/Makefile
  branches/2016Q3/sysutils/xen-tools/files/xsa184-qemuu-master.patch

Thank you for the prompt action Roger. I got the VuXML and MFH covered. I saw no reason to not apply the 1.9.2 -> 1.9.3 SeaBIOS version bump to quarterly along with this because of the merge conflict due to differing PORTREVISIONs. Closing on your behalf with everything completed.