===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0467
                            xen security update
                              16 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17566 CVE-2017-17565 CVE-2017-17564 CVE-2017-17563
Reference:         ESB-2018.0462

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4112

- --------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4112-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 14, 2018                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2017-17563

    Jan Beulich discovered that an incorrect reference count overflow
    check in x86 shadow mode may result in denial of service or privilege
    escalation.

CVE-2017-17564

    Jan Beulich discovered that improper x86 shadow mode reference count
    error handling may result in denial of service or privilege
    escalation.

CVE-2017-17565

    Jan Beulich discovered that an incomplete bug check in x86 log-dirty
    handling may result in denial of service.

CVE-2017-17566

    Jan Beulich discovered that x86 PV guests may gain access to
    internally used pages which could result in denial of service or
    potential privilege escalation.
In addition, this update ships the "Comet" shim to address the Meltdown
class of vulnerabilities for guests with legacy PV kernels.

The package also provides the "Xen PTI stage 1" mitigation, which is
built-in and enabled by default on Intel systems but can be disabled
with `xpti=false' on the hypervisor command line. (It does not make
sense to use both xpti and the Comet shim.)

Please refer to the following URL for more details on how to configure
individual mitigation strategies:
https://xenbits.xen.org/xsa/advisory-254.html

Additional information can also be found in README.pti and README.comet.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
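The fixed version string above is unusual (4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1), and a plain string comparison against an installed 4.8.3-1+deb9uN version gives the wrong answer. The following is an added example, not part of the Debian advisory or the AusCERT bulletin: it reimplements dpkg's version ordering (this is not dpkg's own code) so saved `dpkg -l` output from stretch hosts can be checked off-box for xen packages still below the fixed version. The `dpkg -l` rows are constructed sample input.

```python
import re
from itertools import zip_longest

FIXED_VERSION = "4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1"  # fixed version given in DSA-4112-1

def _order(c):
    # dpkg character weight: '~' sorts before everything, letters before other symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg compares alternating (non-digit run, digit run) pairs: non-digit runs per
    # character by _order() with end-of-run weighted 0, digit runs as integers.
    pairs_a, pairs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        n = max(len(sa), len(sb))
        ka = [_order(c) for c in sa] + [0] * (n - len(sa))
        kb = [_order(c) for c in sb] + [0] * (n - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = (int(da) if da else -1), (int(db) if db else -1)  # missing digit run loses
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(a, b):
    # Full Debian version "[epoch:]upstream[-revision]"; returns -1, 0 or 1 like dpkg.
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def outdated_xen_packages(dpkg_l_output, fixed=FIXED_VERSION):
    # Parse 'dpkg -l' rows; return (name, version) of installed xen packages below the fix.
    rows = (line.split() for line in dpkg_l_output.splitlines())
    return [(c[1], c[2]) for c in rows
            if len(c) >= 3 and c[0] == "ii" and "xen" in c[1] and compare_versions(c[2], fixed) < 0]

# Constructed sample of 'dpkg -l' rows (not from any real host); the first one is still unpatched.
DPKG_L_SAMPLE = """\
ii  xen-hypervisor-4.8-amd64  4.8.3-1+deb9u3  amd64  Xen Hypervisor on AMD64
ii  xen-utils-4.8  4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1  amd64  XEN administrative tools
"""
```

On a live host, `dpkg --compare-versions` gives the same answer; the reimplementation is only useful where dpkg is not available, for example when checking inventories collected from many hosts.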
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================