Roger,

There was a handful of Xen advisories earlier last week and a few missed in September. Please advise on applicability for VuXML and take a look at what we need to do to get our end users safeguarded.

Advisory | Public release    | Updated          | Version | CVE(s)                        | Title
XSA-201  | 2016-11-29 14:48  | 2016-11-29 14:48 | 1       | none (yet) assigned           | ARM guests may induce host asynchronous abort
XSA-200  | 2016-12-13 12:00  |                  |         | none (yet) assigned           | (Prereleased, but embargoed)
XSA-199  | 2016-12-06 12:00  |                  |         | assigned, but embargoed       | (Prereleased, but embargoed)
XSA-198  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9379 CVE-2016-9380   | delimiter injection vulnerabilities in pygrub
XSA-197  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9381                 | qemu incautious about shared ring processing
XSA-196  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9377 CVE-2016-9378   | x86 software interrupt injection mis-handled
XSA-195  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9383                 | x86 64-bit bit test instruction emulation broken
XSA-194  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9384                 | guest 32-bit ELF symbol table load leaking host data
XSA-193  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9385                 | x86 segment base write emulation lacking canonical address checks
XSA-192  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9382                 | x86 task switch to VM86 mode mis-handled
XSA-191  | 2016-11-22 12:00  | 2016-11-22 12:00 | 3       | CVE-2016-9386                 | x86 null segments not always treated as unusable
XSA-190  | 2016-10-04 12:00  | 2016-10-04 12:50 | 5       | CVE-2016-7777                 | CR0.TS and CR0.EM not always honored for x86 HVM guests
XSA-189  | 2016-09-21 09:46  | -                | -       |                               | Unused Xen Security Advisory number
XSA-188  | 2016-09-08 12:00  | 2016-09-08 12:00 | 3       | CVE-2016-7154                 | use after free in FIFO event channel code
XSA-187  | 2016-09-08 12:00  | 2016-09-08 12:04 | 3       | CVE-2016-7094                 | x86 HVM: Overflow of sh_ctxt->seg_reg[]
XSA-186  | 2016-09-08 12:00  | 2016-09-08 12:00 | 4       | CVE-2016-7093                 | x86: Mishandling of instruction pointer truncation during emulation
XSA-185  | 2016-09-08 12:00  | 2016-09-08 12:00 | 3       | CVE-2016-7092                 | x86: Disallow L3 recursive pagetable for 32-bit PV guests
(In reply to Jason Unovitch from comment #0)

Hello,

The current Xen package(s) are affected by the following XSAs: 182, 183, 184, 185, 186, 187, 188, 190, 191, 192, 193, 194, 195, 197, 198.

I will prepare patches and hopefully commit them tomorrow, sorry for the delay.

Roger.
Done, I've updated the Xen packages to 4.7.1 and added the missing XSAs. It's at https://svnweb.freebsd.org/ports?view=revision&revision=427568

I'm closing the bug now, thanks.
A commit references this bug:

Author: junovitch
Date: Sun Dec 4 19:35:14 UTC 2016
New revision: 427795
URL: https://svnweb.freebsd.org/changeset/ports/427795

Log:
  Document Xen Security Advisories (XSAs 185-188, 190-195, 197-198)

  PR:		214936
  Security:	CVE-2016-7092
  Security:	CVE-2016-7093
  Security:	CVE-2016-7094
  Security:	CVE-2016-7154
  Security:	CVE-2016-7777
  Security:	CVE-2016-9379
  Security:	CVE-2016-9380
  Security:	CVE-2016-9381
  Security:	CVE-2016-9382
  Security:	CVE-2016-9383
  Security:	CVE-2016-9384
  Security:	CVE-2016-9385
  Security:	CVE-2016-9386
  Security:	https://vuxml.FreeBSD.org/freebsd/45ca25b5-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/49211361-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4aae54be-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4d7cf654-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/50ac2e96-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/523bb0b7-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/53dbd096-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/5555120d-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/56f0f11e-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/58685e23-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/59f79c99-ba4d-11e6-ae1b-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
A commit references this bug:

Author: junovitch
Date: Sun Dec 4 19:37:32 UTC 2016
New revision: 427796
URL: https://svnweb.freebsd.org/changeset/ports/427796

Log:
  MFH: r427568

  xen: update to 4.7.1

  Xen 4.7.1 contains the following XSAs: 184, 185, 186, 187, 188 and 190
  which were missing in the previous package. Additionally XSAs 191, 192,
  193, 194, 195, 197 and 198 are also applied.

  PR:		214936
  Approved by:	bapt
  Approved by:	ports-secteam (with hat)
  Sponsored by:	Citrix Systems R&D
  Security:	CVE-2016-7092
  Security:	CVE-2016-7093
  Security:	CVE-2016-7094
  Security:	CVE-2016-7154
  Security:	CVE-2016-7777
  Security:	CVE-2016-9379
  Security:	CVE-2016-9380
  Security:	CVE-2016-9381
  Security:	CVE-2016-9382
  Security:	CVE-2016-9383
  Security:	CVE-2016-9384
  Security:	CVE-2016-9385
  Security:	CVE-2016-9386
  Security:	https://vuxml.FreeBSD.org/freebsd/45ca25b5-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/49211361-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4aae54be-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/4d7cf654-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/50ac2e96-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/523bb0b7-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/53dbd096-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/5555120d-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/56f0f11e-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/58685e23-ba4d-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/59f79c99-ba4d-11e6-ae1b-002590263bf5.html

Changes:
_U  branches/2016Q4/
  branches/2016Q4/emulators/xen-kernel/Makefile
  branches/2016Q4/emulators/xen-kernel/distinfo
  branches/2016Q4/emulators/xen-kernel/files/xsa182-unstable.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa183-unstable.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa191.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa192.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa193-4.7.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa194.patch
  branches/2016Q4/emulators/xen-kernel/files/xsa195.patch
  branches/2016Q4/sysutils/xen-tools/Makefile
  branches/2016Q4/sysutils/xen-tools/distinfo
  branches/2016Q4/sysutils/xen-tools/files/0001-libxl-fix-creation-of-pkgconf-install-dir.patch
  branches/2016Q4/sysutils/xen-tools/files/0001-tools-configure-fix-pkg-config-install-path-for-Free.patch
  branches/2016Q4/sysutils/xen-tools/files/xsa184-qemuu-master.patch
  branches/2016Q4/sysutils/xen-tools/files/xsa197-qemuu.patch
  branches/2016Q4/sysutils/xen-tools/files/xsa198.patch
  branches/2016Q4/sysutils/xen-tools/pkg-plist
(In reply to Roger Pau Monné from comment #2)

Excellent. Thank you Roger. I've MFH'd the update and set merge-quarterly+ here in Bugzilla.

If you can on the next go remember to put 'MFH: 2016Q4' in the commit message (as described in https://www.freebsd.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#ports-qa-misc-request-mfh) and the approval can be done right away.

Thanks again!