Operating System:

[Debian]

Published:

17 August 2018

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2398
                            xen security update
                              17 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           xen
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3646 CVE-2018-3620 

Reference:         ESB-2018.2381
                   ESB-2018.2380
                   ESB-2018.2352
                   ESB-2018.2348.2
                   ESB-2018.2344

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4274

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4274-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 16, 2018                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2018-3620 CVE-2018-3646

This update provides mitigations for the "L1 Terminal Fault"
vulnerability affecting a range of Intel CPUs.

For additional information please refer to
https://xenbits.xen.org/xsa/advisory-273.html. The microcode updates
mentioned there are not yet available in a form distributable by Debian.

In addition two denial of service vulnerabilities have been fixed
(XSA-268 and XSA-269).

For the stable distribution (stretch), these problems have been fixed in
version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlt14mwACgkQEMKTtsN8
Tjb2LhAAokwmlGxyJPC3EGG9aOLKNv23G9OzLLNRm+cy150WAMgBio+bR2CAgkfX
qu/ftFPLeKfIRbo9nLBFHQLMKlmDdFzLeicXe7GtnKcAMkt0Wp+rYIj66TMkjrMg
2kJI68ECc5Rqj3fMZ+dgkxSHzhylUGG70mEIBf2D22Y72kkIfc3EzBuu2wxaaOTP
t7Q7JkYDv9WV/6gw8Ok2vIrQcq95jtZgDSL1ZHHg6VTukHnXP2SU1rMfRCguTCtc
5JYAgWJ1GWFWt3d6FQnk7SWwJf3pHEVNg0lGpRJdu4qperQ3EhQNeJlGq8adm/Zf
QQUT9T6vsU5cefgelIRSLxFZ9bDobxXXNaox3FqB4tslkJLhTRluCvilJpWuNpH5
7S6xti5neGuHORfIkcS1PmOEx2gDkKWTgotiBx04yU3q+/zr0Ob+K2jxZXe4z2uU
sqEq8pdjCnkE03cljPbfPeutyucS3xDFpFVoXlRqgRNMdZ7jzVSP6qayt3iQIa/E
djVQ2ptHxux5Zapg5Ngr2ASBdyIw+2GLVUKQCeqM+EjMXjRBaJv8DPxWwO4nkC4d
eliy9RxErtQpgHIZKHVmTjoRlh/OH4KAdHZT2Y+Gfv1DVA6TL5cPiQ9e0ZunNNaK
vtXyOzjNPVPZa+2MEq9FTFIkDsR8Ncl/JCzp0bx5uVaV/ovX0A8=
=reP+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW3YgKWaOgq3Tt24GAQjxMA/+M0EBwfWSFA8wF1KvBjKkc+EGuTmuHxJZ
mzYcwV+KBgSo2GuCtU6VpcBT2+d3R2ld35EGRgcqRiRiGYtpba3f57O40YC7SDTX
wfXaeDLft9MDcnPDawm23MbN0KIx+rgeaF5/nkVBxa2f4HkEaV466L+JU+MhhG7x
4OuGqGotnpmPbPx8e1MYOJkYTa7DifmHmy0WAlki4bPbL+SQ35BOivurCwRDUVmj
gtqn9pnEa/MiDBeZuHg2/huyca4fhgNw+Uz3jjdHnRkwMjCzNweseHenyEnqEKAo
YU1ccBJx5fcMlYJMft9uhyp3CtXOuS7v0rUJ8XA2C5wnW4ieKR2tW8G7cQ2VG5Pc
2mQbWZ3UxRMC7wSGNQ/4adBUVSrHUNGlPi2bsZ3r1/aMRf0/TmlICoreG/+GLwAq
f76nzlCe35GGWdyuvCaBtBrWnWfu4xxb/SePyKp3tJ0r6uVN0vCaJWjHmM0/nG4y
wiKkNgYp8pcJwynQTnMkViIeu9ycIh9sEqxkYQl1hOXK1bUVrCeMSN8K5e+l3R2P
wHBlj5mORx3oZ4iOqcN4Q+e/h2YyMRKR87In6efQSAVXYz33Uf+gpzsK5M6nfvWL
vVBcQnCwhY2hWj+9rXl2Nier0MI0H6iyryPBYfOzj5QhK6vxhHUacl5LBqcyLp6d
F8MfEGeZreg=
=2zfU
-----END PGP SIGNATURE-----