Lines 57-62
57 |
|
57 |
|
58 |
--> |
58 |
--> |
59 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
59 |
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> |
|
|
60 |
<vuln vid="f1deed23-27ec-11e5-a4a5-002590263bf5"> |
61 |
<topic>xen-tools -- xl command line config handling stack overflow</topic> |
62 |
<affects> |
63 |
<package> |
64 |
<name>xen-tools</name> |
65 |
<range><ge>4.1</ge><lt>4.5.0_8</lt></range> |
66 |
</package> |
67 |
</affects> |
68 |
<description> |
69 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
70 |
<p>The Xen Project reports:</p> |
71 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-137.html"> |
72 |
<p>The xl command line utility mishandles long configuration values |
73 |
when passed as command line arguments, with a buffer overrun.</p> |
74 |
<p>A semi-trusted guest administrator or controller, who is intended |
75 |
to be able to partially control the configuration settings for a |
76 |
domain, can escalate their privileges to that of the whole host.</p> |
77 |
</blockquote> |
78 |
</body> |
79 |
</description> |
80 |
<references> |
81 |
<cvename>CVE-2015-3259</cvename> |
82 |
<url>http://xenbits.xen.org/xsa/advisory-137.html</url> |
83 |
</references> |
84 |
<dates> |
85 |
<discovery>2015-07-07</discovery> |
86 |
<entry>2015-07-11</entry> |
87 |
</dates> |
88 |
</vuln> |
89 |
|
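Review bot: the fixed xen-tools version in this XSA-137 entry (`<lt>4.5.0_8</lt>`) differs from the `<lt>4.5.0_6</lt>` used by every other xen-tools entry in this change (XSA-126 through XSA-131 and XSA-119). Please confirm that 4.5.0_8 is the port revision that actually carries the xl fix: a host on 4.5.0_6 or 4.5.0_7 will be reported clean for all the other xen-tools entries and vulnerable only to this one, which is right only if the XSA-137 patch landed in a later revision than the rest.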
90 |
<vuln vid="8c31b288-27ec-11e5-a4a5-002590263bf5"> |
91 |
<topic>xen-kernel -- vulnerability in the iret hypercall handler</topic> |
92 |
<affects> |
93 |
<package> |
94 |
<name>xen-kernel</name> |
95 |
<range><ge>3.1</ge><lt>4.5.0_3</lt></range> |
96 |
</package> |
97 |
</affects> |
98 |
<description> |
99 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
100 |
<p>The Xen Project reports:</p> |
101 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-136.html"> |
102 |
<p>A buggy loop in Xen's compat_iret() function iterates the wrong way |
103 |
around a 32-bit index. Any 32-bit PV guest kernel can trigger this |
104 |
vulnerability by attempting a hypercall_iret with EFLAGS.VM set.</p> |
105 |
<p>Given the use of __get/put_user(), and that the virtual addresses |
106 |
in question are contained within the lower canonical half, the guest |
107 |
cannot clobber any hypervisor data. Instead, Xen will take up to |
108 |
2^33 pagefaults, in sequence, effectively hanging the host.</p> |
109 |
<p>Malicious guest administrators can cause a denial of service |
110 |
affecting the whole system.</p> |
111 |
</blockquote> |
112 |
</body> |
113 |
</description> |
114 |
<references> |
115 |
<cvename>CVE-2015-4164</cvename> |
116 |
<url>http://xenbits.xen.org/xsa/advisory-136.html</url> |
117 |
</references> |
118 |
<dates> |
119 |
<discovery>2015-06-11</discovery> |
120 |
<entry>2015-07-11</entry> |
121 |
</dates> |
122 |
</vuln> |
123 |
|
124 |
<vuln vid="80e846ff-27eb-11e5-a4a5-002590263bf5"> |
125 |
<topic>xen-kernel -- GNTTABOP_swap_grant_ref operation misbehavior</topic> |
126 |
<affects> |
127 |
<package> |
128 |
<name>xen-kernel</name> |
129 |
<range><ge>4.2</ge><lt>4.5.0_3</lt></range> |
130 |
</package> |
131 |
</affects> |
132 |
<description> |
133 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
134 |
<p>The Xen Project reports:</p> |
135 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-134.html"> |
136 |
<p>With the introduction of version 2 grant table operations, a |
137 |
version check became necessary for most grant table related |
138 |
hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a |
139 |
check. As a result, the subsequent code behaved as if version 2 was |
140 |
in use, when a guest issued this hypercall without a prior |
141 |
GNTTABOP_setup_table or GNTTABOP_set_version.</p> |
142 |
<p>The effect is a possible NULL pointer dereferences. However, this |
143 |
cannot be exploited to elevate privileges of the attacking domain, |
144 |
as the maximum memory address that can be wrongly accessed this way |
145 |
is bounded to far below the start of hypervisor memory.</p> |
146 |
<p>Malicious or buggy guest domain kernels can mount a denial of |
147 |
service attack which, if successful, can affect the whole system.</p> |
148 |
</blockquote> |
149 |
</body> |
150 |
</description> |
151 |
<references> |
152 |
<cvename>CVE-2015-4163</cvename> |
153 |
<url>http://xenbits.xen.org/xsa/advisory-134.html</url> |
154 |
</references> |
155 |
<dates> |
156 |
<discovery>2015-06-11</discovery> |
157 |
<entry>2015-07-11</entry> |
158 |
</dates> |
159 |
</vuln> |
160 |
|
161 |
<vuln vid="ce658051-27ea-11e5-a4a5-002590263bf5"> |
162 |
<topic>xen-kernel -- Information leak through XEN_DOMCTL_gettscinfo</topic> |
163 |
<affects> |
164 |
<package> |
165 |
<name>xen-kernel</name> |
166 |
<range><ge>4.0</ge><lt>4.5.0_3</lt></range> |
167 |
</package> |
168 |
</affects> |
169 |
<description> |
170 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
171 |
<p>The Xen Project reports:</p> |
172 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-132.html"> |
173 |
<p>The handler for XEN_DOMCTL_gettscinfo failed to initialize a |
174 |
padding field subsequently copied to guest memory.</p> |
175 |
<p>A similar leak existed in XEN_SYSCTL_getdomaininfolist, which is |
176 |
being addressed here regardless of that operation being declared |
177 |
unsafe for disaggregation by XSA-77.</p> |
178 |
<p>Malicious or buggy stub domain kernels or tool stacks otherwise |
179 |
living outside of Domain0 may be able to read sensitive data |
180 |
relating to the hypervisor or other guests not under the control of |
181 |
that domain.</p> |
182 |
</blockquote> |
183 |
</body> |
184 |
</description> |
185 |
<references> |
186 |
<cvename>CVE-2015-3340</cvename> |
187 |
<url>http://xenbits.xen.org/xsa/advisory-132.html</url> |
188 |
</references> |
189 |
<dates> |
190 |
<discovery>2015-04-20</discovery> |
191 |
<entry>2015-07-11</entry> |
192 |
</dates> |
193 |
</vuln> |
194 |
|
195 |
<vuln vid="3d657340-27ea-11e5-a4a5-002590263bf5"> |
196 |
<topic>xen-tools -- Unmediated PCI register access in qemu</topic> |
197 |
<affects> |
198 |
<package> |
199 |
<name>xen-tools</name> |
200 |
<range><ge>3.3</ge><lt>4.5.0_6</lt></range> |
201 |
</package> |
202 |
</affects> |
203 |
<description> |
204 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
205 |
<p>The Xen Project reports:</p> |
206 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-131.html"> |
207 |
<p>Qemu allows guests to not only read, but also write all parts of |
208 |
the PCI config space (but not extended config space) of passed |
209 |
through PCI devices not explicitly dealt with for (partial) |
210 |
emulation purposes.</p> |
211 |
<p>Since the effect depends on the specific purpose of the the config |
212 |
space field, it's not possbile to give a general statement about the |
213 |
exact impact on the host or other guests. Privilege escalation, |
214 |
host crash (Denial of Service), and leaked information all cannot be |
215 |
excluded.</p> |
216 |
</blockquote> |
217 |
</body> |
218 |
</description> |
219 |
<references> |
220 |
<cvename>CVE-2015-4106</cvename> |
221 |
<url>http://xenbits.xen.org/xsa/advisory-131.html</url> |
222 |
</references> |
223 |
<dates> |
224 |
<discovery>2015-06-02</discovery> |
225 |
<entry>2015-07-11</entry> |
226 |
</dates> |
227 |
</vuln> |
228 |
|
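Review bot: the quoted advisory text in this XSA-131 entry reads "the specific purpose of the the config space field" and "it's not possbile"; the XSA-134 entry above likewise has "a possible NULL pointer dereferences". If the blockquotes are meant to reproduce the upstream advisories verbatim, leave them as they match the text at the cited URLs; otherwise correct "the the", "possbile" and the singular/plural mismatch here before committing.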
229 |
<vuln vid="cbe1a0f9-27e9-11e5-a4a5-002590263bf5"> |
230 |
<topic>xen-tools -- Guest triggerable qemu MSI-X pass-through error messages</topic> |
231 |
<affects> |
232 |
<package> |
233 |
<name>xen-tools</name> |
234 |
<range><ge>3.3</ge><lt>4.5.0_6</lt></range> |
235 |
</package> |
236 |
</affects> |
237 |
<description> |
238 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
239 |
<p>The Xen Project reports:</p> |
240 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-130.html"> |
241 |
<p>Device model code dealing with guest PCI MSI-X interrupt management |
242 |
activities logs messages on certain (supposedly) invalid guest |
243 |
operations.</p> |
244 |
<p>A buggy or malicious guest repeatedly invoking such operations may |
245 |
result in the host disk to fill up, possibly leading to a Denial of |
246 |
Service.</p> |
247 |
</blockquote> |
248 |
</body> |
249 |
</description> |
250 |
<references> |
251 |
<cvename>CVE-2015-4105</cvename> |
252 |
<url>http://xenbits.xen.org/xsa/advisory-130.html</url> |
253 |
</references> |
254 |
<dates> |
255 |
<discovery>2015-06-02</discovery> |
256 |
<entry>2015-07-11</entry> |
257 |
</dates> |
258 |
</vuln> |
259 |
|
260 |
<vuln vid="4db8a0f4-27e9-11e5-a4a5-002590263bf5"> |
261 |
<topic>xen-tools -- PCI MSI mask bits inadvertently exposed to guests</topic> |
262 |
<affects> |
263 |
<package> |
264 |
<name>xen-tools</name> |
265 |
<range><ge>3.3</ge><lt>4.5.0_6</lt></range> |
266 |
</package> |
267 |
</affects> |
268 |
<description> |
269 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
270 |
<p>The Xen Project reports:</p> |
271 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-129.html"> |
272 |
<p>The mask bits optionally available in the PCI MSI capability |
273 |
structure are used by the hypervisor to occasionally suppress |
274 |
interrupt delivery. Unprivileged guests were, however, nevertheless |
275 |
allowed direct control of these bits.</p> |
276 |
<p>Interrupts may be observed by Xen at unexpected times, which may |
277 |
lead to a host crash and therefore a Denial of Service.</p> |
278 |
</blockquote> |
279 |
</body> |
280 |
</description> |
281 |
<references> |
282 |
<cvename>CVE-2015-4104</cvename> |
283 |
<url>http://xenbits.xen.org/xsa/advisory-129.html</url> |
284 |
</references> |
285 |
<dates> |
286 |
<discovery>2015-06-02</discovery> |
287 |
<entry>2015-07-11</entry> |
288 |
</dates> |
289 |
</vuln> |
290 |
|
291 |
<vuln vid="af38cfec-27e7-11e5-a4a5-002590263bf5"> |
292 |
<topic>xen-tools -- Potential unintended writes to host MSI message data field via qemu</topic> |
293 |
<affects> |
294 |
<package> |
295 |
<name>xen-tools</name> |
296 |
<range><ge>3.3</ge><lt>4.5.0_6</lt></range> |
297 |
</package> |
298 |
</affects> |
299 |
<description> |
300 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
301 |
<p>The Xen Project reports:</p> |
302 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-128.html"> |
303 |
<p>Logic is in place to avoid writes to certain host config space |
304 |
fields when the guest must nevertheless be able to access their |
305 |
virtual counterparts. A bug in how this logic deals with accesses |
306 |
spanning multiple fields allows the guest to write to the host MSI |
307 |
message data field.</p> |
308 |
<p>While generally the writes write back the values previously read, |
309 |
their value in config space may have got changed by the host between |
310 |
the qemu read and write. In such a case host side interrupt handling |
311 |
could become confused, possibly losing interrupts or allowing |
312 |
spurious interrupt injection into other guests.</p> |
313 |
<p>Certain untrusted guest administrators may be able to confuse host |
314 |
side interrupt handling, leading to a Denial of Service.</p> |
315 |
</blockquote> |
316 |
</body> |
317 |
</description> |
318 |
<references> |
319 |
<cvename>CVE-2015-4103</cvename> |
320 |
<url>http://xenbits.xen.org/xsa/advisory-128.html</url> |
321 |
</references> |
322 |
<dates> |
323 |
<discovery>2015-06-02</discovery> |
324 |
<entry>2015-07-11</entry> |
325 |
</dates> |
326 |
</vuln> |
327 |
|
328 |
<vuln vid="103a47d5-27e7-11e5-a4a5-002590263bf5"> |
329 |
<topic>xen-kernel -- Certain domctl operations may be abused to lock up the host</topic> |
330 |
<affects> |
331 |
<package> |
332 |
<name>xen-kernel</name> |
333 |
<range><ge>4.3</ge><lt>4.5.0_3</lt></range> |
334 |
</package> |
335 |
</affects> |
336 |
<description> |
337 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
338 |
<p>The Xen Project reports:</p> |
339 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-127.html"> |
340 |
<p>XSA-77 put the majority of the domctl operations on a list |
341 |
excepting them from having security advisories issued for them if |
342 |
any effects their use might have could hamper security. Subsequently |
343 |
some of them got declared disaggregation safe, but for a small |
344 |
subset this was not really correct: Their (mis-)use may result in |
345 |
host lockups.</p> |
346 |
<p>As a result, the potential security benefits of toolstack |
347 |
disaggregation are not always fully realised.</p> |
348 |
<p>Domains deliberately given partial management control may be able |
349 |
to deny service to the entire host.</p> |
350 |
<p>As a result, in a system designed to enhance security by radically |
351 |
disaggregating the management, the security may be reduced. But, |
352 |
the security will be no worse than a non-disaggregated design.</p> |
353 |
</blockquote> |
354 |
</body> |
355 |
</description> |
356 |
<references> |
357 |
<cvename>CVE-2015-2751</cvename> |
358 |
<url>http://xenbits.xen.org/xsa/advisory-127.html</url> |
359 |
</references> |
360 |
<dates> |
361 |
<discovery>2015-03-31</discovery> |
362 |
<entry>2015-07-11</entry> |
363 |
</dates> |
364 |
</vuln> |
365 |
|
366 |
<vuln vid="79f401cd-27e6-11e5-a4a5-002590263bf5"> |
367 |
<topic>xen-tools -- Unmediated PCI command register access in qemu</topic> |
368 |
<affects> |
369 |
<package> |
370 |
<name>xen-tools</name> |
371 |
<range><ge>3.3</ge><lt>4.5.0_6</lt></range> |
372 |
</package> |
373 |
</affects> |
374 |
<description> |
375 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
376 |
<p>The Xen Project reports:</p> |
377 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-126.html"> |
378 |
<p>HVM guests are currently permitted to modify the memory and I/O |
379 |
decode bits in the PCI command register of devices passed through to |
380 |
them. Unless the device is an SR-IOV virtual function, after |
381 |
disabling one or both of these bits subsequent accesses to the MMIO |
382 |
or I/O port ranges would - on PCI Express devices - lead to |
383 |
Unsupported Request responses. The treatment of such errors is |
384 |
platform specific.</p> |
385 |
<p>Furthermore (at least) devices under control of the Linux pciback |
386 |
driver in the host are handed to guests with the aforementioned bits |
387 |
turned off. This means that such accesses can similarly lead to |
388 |
Unsupported Request responses until these flags are set as needed by |
389 |
the guest.</p> |
390 |
<p>In the event that the platform surfaces aforementioned UR responses |
391 |
as Non-Maskable Interrupts, and either the OS is configured to treat |
392 |
NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to |
393 |
treat these errors as fatal, the host would crash, leading to a |
394 |
Denial of Service.</p> |
395 |
</blockquote> |
396 |
</body> |
397 |
</description> |
398 |
<references> |
399 |
<cvename>CVE-2015-2756</cvename> |
400 |
<url>http://xenbits.xen.org/xsa/advisory-126.html</url> |
401 |
</references> |
402 |
<dates> |
403 |
<discovery>2015-03-31</discovery> |
404 |
<entry>2015-07-11</entry> |
405 |
</dates> |
406 |
</vuln> |
407 |
|
408 |
<vuln vid="d40c66cb-27e4-11e5-a4a5-002590263bf5"> |
409 |
<topic>xen-kernel and xen-tools -- Long latency MMIO mapping operations are not preemptible</topic> |
410 |
<affects> |
411 |
<package> |
412 |
<name>xen-kernel</name> |
413 |
<range><lt>4.5.0_3</lt></range> |
414 |
</package> |
415 |
<package> |
416 |
<name>xen-tools</name> |
417 |
<range><lt>4.5.0_6</lt></range> |
418 |
</package> |
419 |
</affects> |
420 |
<description> |
421 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
422 |
<p>The Xen Project reports:</p> |
423 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-125.html"> |
424 |
<p>The XEN_DOMCTL_memory_mapping hypercall allows long running |
425 |
operations without implementing preemption.</p> |
426 |
<p>This hypercall is used by the device model as part of the emulation |
427 |
associated with configuration of PCI devices passed through to HVM |
428 |
guests and is therefore indirectly exposed to those guests.</p> |
429 |
<p>This can cause a physical CPU to become busy for a significant |
430 |
period, leading to a host denial of service in some cases.</p> |
431 |
<p>If a host denial of service is not triggered then it may instead be |
432 |
possible to deny service to the domain running the device model, |
433 |
e.g. domain 0.</p> |
434 |
<p>This hypercall is also exposed more generally to all toolstacks. |
435 |
However the uses of it in libxl based toolstacks are not believed |
436 |
to open up any avenue of attack from an untrusted guest. Other |
437 |
toolstacks may be vulnerable however.</p> |
438 |
<p>The vulnerability is exposed via HVM guests which have a PCI device |
439 |
assigned to them. A malicious HVM guest in such a configuration can |
440 |
mount a denial of service attack affecting the whole system via its |
441 |
associated device model (qemu-dm).</p> |
442 |
<p>A guest is able to trigger this hypercall via operations which it |
443 |
is legitimately expected to perform, therefore running the device |
444 |
model as a stub domain does not offer protection against the host |
445 |
denial of service issue. However it does offer some protection |
446 |
against secondary issues such as denial of service against dom0.</p> |
447 |
</blockquote> |
448 |
</body> |
449 |
</description> |
450 |
<references> |
451 |
<cvename>CVE-2015-2752</cvename> |
452 |
<url>http://xenbits.xen.org/xsa/advisory-125.html</url> |
453 |
</references> |
454 |
<dates> |
455 |
<discovery>2015-03-31</discovery> |
456 |
<entry>2015-07-11</entry> |
457 |
</dates> |
458 |
</vuln> |
459 |
|
460 |
<vuln vid="83a28417-27e3-11e5-a4a5-002590263bf5"> |
461 |
<topic>xen-kernel -- Hypervisor memory corruption due to x86 emulator flaw</topic> |
462 |
<affects> |
463 |
<package> |
464 |
<name>xen-kernel</name> |
465 |
<range><lt>4.5.0_3</lt></range> |
466 |
</package> |
467 |
</affects> |
468 |
<description> |
469 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
470 |
<p>The Xen Project reports:</p> |
471 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-123.html"> |
472 |
<p>Instructions with register operands ignore eventual segment |
473 |
overrides encoded for them. Due to an insufficiently conditional |
474 |
assignment such a bogus segment override can, however, corrupt a |
475 |
pointer used subsequently to store the result of the instruction.</p> |
476 |
<p>A malicious guest might be able to read sensitive data relating to |
477 |
other guests, or to cause denial of service on the host. Arbitrary |
478 |
code execution, and therefore privilege escalation, cannot be |
479 |
excluded.</p> |
480 |
</blockquote> |
481 |
</body> |
482 |
</description> |
483 |
<references> |
484 |
<cvename>CVE-2015-2151</cvename> |
485 |
<url>http://xenbits.xen.org/xsa/advisory-123.html</url> |
486 |
</references> |
487 |
<dates> |
488 |
<discovery>2015-03-10</discovery> |
489 |
<entry>2015-07-11</entry> |
490 |
</dates> |
491 |
</vuln> |
492 |
|
493 |
<vuln vid="ef9d041e-27e2-11e5-a4a5-002590263bf5"> |
494 |
<topic>xen-kernel -- Information leak through version information hypercall</topic> |
495 |
<affects> |
496 |
<package> |
497 |
<name>xen-kernel</name> |
498 |
<range><lt>4.5.0_3</lt></range> |
499 |
</package> |
500 |
</affects> |
501 |
<description> |
502 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
503 |
<p>The Xen Project reports:</p> |
504 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-122.html"> |
505 |
<p>The code handling certain sub-operations of the |
506 |
HYPERVISOR_xen_version hypercall fails to fully initialize all |
507 |
fields of structures subsequently copied back to guest memory. Due |
508 |
to this hypervisor stack contents are copied into the destination of |
509 |
the operation, thus becoming visible to the guest.</p> |
510 |
<p>A malicious guest might be able to read sensitive data relating to |
511 |
other guests.</p> |
512 |
</blockquote> |
513 |
</body> |
514 |
</description> |
515 |
<references> |
516 |
<cvename>CVE-2015-2045</cvename> |
517 |
<url>http://xenbits.xen.org/xsa/advisory-122.html</url> |
518 |
</references> |
519 |
<dates> |
520 |
<discovery>2015-03-05</discovery> |
521 |
<entry>2015-07-11</entry> |
522 |
</dates> |
523 |
</vuln> |
524 |
|
525 |
<vuln vid="5023f559-27e2-11e5-a4a5-002590263bf5"> |
526 |
<topic>xen-kernel -- Information leak via internal x86 system device emulation</topic> |
527 |
<affects> |
528 |
<package> |
529 |
<name>xen-kernel</name> |
530 |
<range><lt>4.5.0_3</lt></range> |
531 |
</package> |
532 |
</affects> |
533 |
<description> |
534 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
535 |
<p>The Xen Project reports:</p> |
536 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-121.html"> |
537 |
<p>Emulation routines in the hypervisor dealing with certain system |
538 |
devices check whether the access size by the guest is a supported |
539 |
one. When the access size is unsupported these routines failed to |
540 |
set the data to be returned to the guest for read accesses, so that |
541 |
hypervisor stack contents are copied into the destination of the |
542 |
operation, thus becoming visible to the guest.</p> |
543 |
<p>A malicious HVM guest might be able to read sensitive data relating |
544 |
to other guests.</p> |
545 |
</blockquote> |
546 |
</body> |
547 |
</description> |
548 |
<references> |
549 |
<cvename>CVE-2015-2044</cvename> |
550 |
<url>http://xenbits.xen.org/xsa/advisory-121.html</url> |
551 |
</references> |
552 |
<dates> |
553 |
<discovery>2015-03-05</discovery> |
554 |
<entry>2015-07-11</entry> |
555 |
</dates> |
556 |
</vuln> |
557 |
|
558 |
<vuln vid="0d732fd1-27e0-11e5-a4a5-002590263bf5"> |
559 |
<topic>xen-tools -- HVM qemu unexpectedly enabling emulated VGA graphics backends</topic> |
560 |
<affects> |
561 |
<package> |
562 |
<name>xen-tools</name> |
563 |
<range><lt>4.5.0_6</lt></range> |
564 |
</package> |
565 |
</affects> |
566 |
<description> |
567 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
568 |
<p>The Xen Project reports:</p> |
569 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-119.html"> |
570 |
<p>When instantiating an emulated VGA device for an x86 HVM guest qemu |
571 |
will by default enable a backend to expose that device, either SDL |
572 |
or VNC depending on the version of qemu and the build time |
573 |
configuration.</p> |
574 |
<p>The libxl toolstack library does not explicitly disable these |
575 |
default backends when they are not enabled, leading to an unexpected |
576 |
backend running.</p> |
577 |
<p>If either SDL or VNC is explicitly enabled in the guest |
578 |
configuration then only the expected backends will be enabled.</p> |
579 |
<p>This affects qemu-xen and qemu-xen-traditional differently.</p> |
580 |
<p>If qemu-xen was compiled with SDL support then this would result in |
581 |
an SDL window being opened if $DISPLAY is valid, or a failure to |
582 |
start the guest if not.</p> |
583 |
<p>If qemu-xen was compiled without SDL support then qemu would |
584 |
instead start a VNC server listening on ::1 (IPv6 localhost) or |
585 |
127.0.0.1 (IPv4 localhost) with IPv6 preferred if available. A VNC |
586 |
password will not be configured even if one is present in the guest |
587 |
configuration.</p> |
588 |
<p>qemu-xen-traditional will never start a vnc backend unless |
589 |
explicitly configured. However by default it will start an SDL |
590 |
backend if it was built with SDL support and $DISPLAY is valid.</p> |
591 |
</blockquote> |
592 |
</body> |
593 |
</description> |
594 |
<references> |
595 |
<cvename>CVE-2015-2152</cvename> |
596 |
<url>http://xenbits.xen.org/xsa/advisory-119.html</url> |
597 |
</references> |
598 |
<dates> |
599 |
<discovery>2015-03-13</discovery> |
600 |
<entry>2015-07-11</entry> |
601 |
</dates> |
602 |
</vuln> |
603 |
|
604 |
<vuln vid="912cb7f7-27df-11e5-a4a5-002590263bf5"> |
605 |
<topic>xen-kernel -- arm: vgic: incorrect rate limiting of guest triggered logging</topic> |
606 |
<affects> |
607 |
<package> |
608 |
<name>xen-kernel</name> |
609 |
<range><ge>4.4</ge><lt>4.5.0_3</lt></range> |
610 |
</package> |
611 |
</affects> |
612 |
<description> |
613 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
614 |
<p>The Xen Project reports:</p> |
615 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-118.html"> |
616 |
<p>On ARM systems the code which deals with virtualising the GIC |
617 |
distributor would, under various circumstances, log messages on a |
618 |
guest accessible code path without appropriate rate limiting.</p> |
619 |
<p>A malicious guest could cause repeated logging to the hypervisor |
620 |
console, leading to a Denial of Service attack.</p> |
621 |
</blockquote> |
622 |
</body> |
623 |
</description> |
624 |
<references> |
625 |
<cvename>CVE-2015-1563</cvename> |
626 |
<url>http://xenbits.xen.org/xsa/advisory-118.html</url> |
627 |
</references> |
628 |
<dates> |
629 |
<discovery>2015-01-29</discovery> |
630 |
<entry>2015-07-11</entry> |
631 |
</dates> |
632 |
</vuln> |
633 |
|
634 |
<vuln vid="785c86b1-27d6-11e5-a4a5-002590263bf5"> |
635 |
<topic>xen-kernel -- arm: vgic-v2: GICD_SGIR is not properly emulated</topic> |
636 |
<affects> |
637 |
<package> |
638 |
<name>xen-kernel</name> |
639 |
<range><ge>4.5</ge><lt>4.5.0_3</lt></range> |
640 |
</package> |
641 |
</affects> |
642 |
<description> |
643 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
644 |
<p>The Xen Project reports:</p> |
645 |
<blockquote cite="http://xenbits.xen.org/xsa/advisory-117.html"> |
646 |
<p>When decoding a guest write to a specific register in the virtual |
647 |
interrupt controller Xen would treat an invalid value as a critical |
648 |
error and crash the host.</p> |
649 |
<p>By writing an invalid value to the GICD.SGIR register a guest can |
650 |
crash the host, resulting in a Denial of Service attack.</p> |
651 |
</blockquote> |
652 |
</body> |
653 |
</description> |
654 |
<references> |
655 |
<cvename>CVE-2015-0268</cvename> |
656 |
<url>http://xenbits.xen.org/xsa/advisory-117.html</url> |
657 |
</references> |
658 |
<dates> |
659 |
<discovery>2015-02-12</discovery> |
660 |
<entry>2015-07-11</entry> |
661 |
</dates> |
662 |
</vuln> |
663 |
|
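Review bot: the XSA-117 and XSA-118 entries describe ARM-only code paths (both topics are prefixed `arm: vgic`, and the quoted text refers to "On ARM systems" and the GIC distributor). If the FreeBSD xen-kernel port only builds for x86, these two entries will flag hosts that cannot reach the affected code; consider stating the architecture scope in the description, or confirming that including them as a conservative match is intended.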
60 |
<vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0"> |
664 |
<vuln vid="7313b0e3-27b4-11e5-a15a-50af736ef1c0"> |
61 |
<topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic> |
665 |
<topic>pivotx -- Multiple unrestricted file upload vulnerabilities</topic> |
62 |
<affects> |
666 |
<affects> |