-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0186
                            xen security update
                               28 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Xen
Impact/Access:     Increased Privileges     -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9030 CVE-2014-8867 CVE-2014-8866 CVE-2014-8595
                   CVE-2014-8594
Reference:         ESB-2014.2301
                   ESB-2014.2258
                   ESB-2014.2193

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3140

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3140-1                   security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 27, 2015                        http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2014-8594 CVE-2014-8595 CVE-2014-8866 CVE-2014-8867
                 CVE-2014-9030

Multiple security issues have been discovered in the Xen virtualisation
solution which may result in denial of service, information disclosure
or privilege escalation.

CVE-2014-8594

    Roger Pau Monne and Jan Beulich discovered that incomplete
    restrictions on MMU update hypercalls may result in privilege
    escalation.

CVE-2014-8595

    Jan Beulich discovered that missing privilege level checks in the
    x86 emulation of far branches may result in privilege escalation.

CVE-2014-8866

    Jan Beulich discovered that an error in compatibility mode hypercall
    argument translation may result in denial of service.

CVE-2014-8867

    Jan Beulich discovered that an insufficient restriction in
    acceleration support for the "REP MOVS" instruction may result in
    denial of service.

CVE-2014-9030

    Andrew Cooper discovered a page reference leak in MMU_MACHPHYS_UPDATE
    handling, resulting in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.4-3+deb7u4.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 4.4.1-4.

For the unstable distribution (sid), these problems have been fixed in
version 4.4.1-4.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUx233AAoJEBDCk7bDfE427SwP/0vk4BEClNotQKKEEJduVMP2
zb8b++/f4ZocQgezJ9/oew8UGgd9Klq6XcIh5BVaQi6PD70sw4uWX03820PCs88X
ywRCrTHSXPfPlwOG6dY8nZ1oOUItP64N03j+nugI27GNPgmJpu7xgewmY+c8vZpF
r5sEjhINwgDmHMCgb8bCFKQ/7UDUcE2MZJVF++oWuKusvCFo57cG/pakRwF9XFsw
Aw24obp7vySzOs5mThid3asOHcNqUYZml1YTI6E3nxL+bL9K11KFZzl98a75Q4YI
HJJuqJk3H5CO+GCSq2Dl6NzHBWA7hCFepaKilhj/Ao6vnAoqbkFjklwczofXM6fq
wQ1586wFp6ZTFtawn66DKoeT3CQp+OhOce5N4X3num6Ev32yaK8Rox7CF9xena6Q
ubEEW2pKKblwFJRVm9wyBo1RQvPUyMUsvbq+DNX2GBJ1+wOzIMqm0K9G7+nFlGI8
Z7u3RIgLTolzgFN0NR6B4A03/0kOYKNlrFuJB8wXerkwFsK/X4wX/f2dRJRleiNX
JzDvWYCfcjWTrRjcvGdotNELdDoz+eePFuRzp7Os4SdJE2dxdWBsmvqU/NXc8pBL
d1FtjPArM8IndL0Mf6+oPz3uAAFPjbaeTRQk/uhX7HPVN9gLDqyLWGuCsaf+seMu
9IwVAOzHz+HymOHT02af
=5heI
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVMgywRLndAQH1ShLAQJUZA//bR/m0ooATKwJnLcK3Tq826JDfTnvD2f1
injg4IQKlvj2SJsJGBjBBOetdQF9njJCM15Ck3GnTIssFr21cXXs86IQbku9f68K
MWTaXf/T4ZNkNserC0O2d0fmptc6NQR0W96BYqslr1FgneEHX2TLrZVmijGU12HV
CL3SDI5VMUewDBGcJAepUZ5ewmz54/Yx0/bYflM66KZPvImQKLPOGKClCVPhaPLE
X/B+bpsWsNBtrJp3uGKBYxFDPyk1raT0ua+YaMNyGyUAT1Qtffvh8ro073IgJmLu
vMDv+aCWniLU3o4kFl5B9GGjk2ychrx0N3/aMSosciIUDYZwPQSqiEo1AvxrDEl3
82Fay9UJEaUuLSYiJVr+bzDlrJuxLn5/TTvZWRqYA+SGhp1iiH/+wsCbgXws6S4r
/gy9XIdJLMaDnLj/lcfkojR/hDyx+LfcRzlHrzzZ0upWF6++2sHKDg+NYA257MWD
MNd+Wqnq0aYozTMeuOVGp2ZJwUwRUR2lnp89ER+KXxJgAVEyEpAohDl91p5tOEpD
CzUQvAxJDNsKlHCEmkWXVuwd5SfJoJ//3In3RSuRTwnhn+QNgMm1UZl3bOu4zI91
EDsnEcOxOkXdakc7S8rpSO0oloUd9H+C50Xbf62gUSLweebWGD6cOv0+rDt87vL2
iSkB9GQk2do=
=33Xm
-----END PGP SIGNATURE-----
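Acting on the advisory above means comparing the xen version installed on each Debian host against the fixed versions it names (4.1.4-3+deb7u4 for wheezy, 4.4.1-4 for jessie and sid). Debian version strings are not plain lexicographic (4.1.4-3+deb7u10 is newer than 4.1.4-3+deb7u4, a "~" suffix sorts before the release it qualifies, and an epoch overrides everything), so a naive string compare gives wrong answers. The following Python is an added example, not code from Debian or AusCERT: it reimplements the ordering rules dpkg applies to version strings so an inventory can be checked offline. The host names and installed versions in the sample inventory are constructed; on a real Debian host the same comparison is available as `dpkg --compare-versions`, and the installed version would come from `dpkg-query -W -f='${Version}' <xen package name>`.

```python
"""Check installed xen versions against the fixed versions in DSA-3140-1.

Added example (not Debian's or AusCERT's code).  Reimplements dpkg's
version ordering: [epoch:]upstream[-revision], compared epoch first, then
upstream, then revision, each by alternating non-digit runs (character
weights, '~' lowest) and digit runs (numeric, leading zeros ignored).
"""

# Fixed versions exactly as stated in the advisory body.
FIXED_VERSIONS = {
    "wheezy": "4.1.4-3+deb7u4",
    "jessie": "4.4.1-4",
    "sid": "4.4.1-4",
}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Sort weight of one character inside a non-digit run ('' = end of string)."""
    if c == "" or c in _DIGITS:
        return 0
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isascii() and c.isalpha():
        return ord(c)        # letters sort by ASCII value
    return ord(c) + 256      # other punctuation sorts after all letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until a digit or end.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> tuple:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")  # last '-' starts the revision
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a sorts before, equal to, or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(suite: str, installed: str) -> bool:
    """True if the installed xen version is at or above the suite's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample inventory: (host, suite, installed xen version).
    inventory = [
        ("dom0-a", "wheezy", "4.1.4-3+deb7u3"),
        ("dom0-b", "wheezy", "4.1.4-3+deb7u4"),
        ("dom0-c", "jessie", "4.4.1-4"),
        ("dom0-d", "jessie", "4.4.0-1"),
    ]
    for host, suite, version in inventory:
        state = "ok" if is_patched(suite, version) else "VULNERABLE"
        print(f"{host}: {suite} xen {version} -> {state}")
```

The comparison deliberately mirrors dpkg rather than using `packaging.version` or a tuple split, because Debian revisions such as `3+deb7u4` and backport suffixes such as `~bpo70+1` only order correctly under dpkg's rules; a host running a backport of the fixed version still reports as unpatched, which is the conservative answer for an inventory check.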