Xen 4.2.1 and 4.1.4 released The original article, by Jan Beulich can be found http://blog.xen.org/index.php/2012/12/18/xen-4-2-1-and-4-1-4-released/#more-5918"]here
I am pleased to announce the release of Xen 4.2.1 and Xen 4.1.4. These are available immediately from the following locations
Xen 4.2.1 The Xen 4.2.1 release fixes the following critical vulnerabilities: We recommend to all users of Xen 4.2.0 to upgrade to Xen 4.2.1.
After concluding our poll about changes to the security discussion, we determined that “Pre-disclosure to software vendors and a wide set of users” was probably the best fit for the community. A set of concrete changes to the policy have now been discussed on xen-devel (here and here), and we seem to have converged on something everyone finds acceptable.
We are now presenting these changes for public review. The purpose of this review process is to allow feedback on the text which will be voted on, in accordance to the Xen.org governance procedure. Our plan is to leave this up for review until the third week in January. Any substantial updates will be mentioned on the blog and will extend the review time.
All feedback and discussion should happen in public on the xen-devel mailing list. If you have any suggestions for how to improve the proposal, please e-mail the list, and cc George Dunlap (george dot dunlap at citrix.com).
Read on for a summary of the updates, as well as links to the full text of the original and proposed new policies.
Summary of the updates As discussed on the xen-devel mailing list, expand eligibility of the pre-disclosure list to include any public hosting provider, as well as software project:
Additionally, this proposal adds the following requirements:
I am pleased to announce the release of Xen 4.2.1 and Xen 4.1.4. These are available immediately from the following locations
- Xen 4.2.1: http://xenbits.xen.org/hg/xen-4.2-testing.hg/"]mercurial repository (tag RELEASE-4.2.1) or via the http://xen.org/download/index_4.2.1.html"]Xen 4.2.1 download page on xen.org.
- Xen 4.1.4: http://xenbits.xen.org/hg/xen-4.1-testing.hg"]mercurial repository (tag RELEASE-4.1.4) or via the http://xen.org/download/index_4.1.4.html"]Xen 4.1.4 download page on xen.org.
Xen 4.2.1 The Xen 4.2.1 release fixes the following critical vulnerabilities: We recommend to all users of Xen 4.2.0 to upgrade to Xen 4.2.1.
- CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
- CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
- CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
- CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
- CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
- CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
- CVE-2012-5511 / XSA-27: Several HVM operations do not validate the range of their inputs
- CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
- CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
- CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
- CVE-2012-5525 / XSA-32: several hypercalls do not validate input GFNs
- A fix for a long standing time management issue
- Bug fixes for S3 (suspend to RAM) handling
- Bug fixes for other low level system state handling
- Bug fixes and improvements to the libxl tool stack
- Bug fixes to nested virtualization
- CVE-2012-3494 / XSA-12: hypercall set_debugreg vulnerability
- CVE-2012-3495 / XSA-13: hypercall physdev_get_free_pirq vulnerability
- CVE-2012-3496 / XSA-14: XENMEM_populate_physmap DoS vulnerability
- CVE-2012-3498 / XSA-16: PHYSDEVOP_map_pirq index vulnerability
- CVE-2012-3515 / XSA-17: Qemu VT100 emulation vulnerability
- CVE-2012-4411 / XSA-19: guest administrator can access qemu monitor console
- CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
- CVE-2012-4536 / XSA-21: pirq range check DoS vulnerability
- CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
- CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
- CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
- CVE-2012-4544,CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
- CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
- CVE-2012-5511 / XSA-27: several HVM operations do not validate the range of their inputs
- CVE-2012-5512 / XSA-28: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
- CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
- CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
- CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
- A fix for a long standing time management issue
- Bug fixes for S3 (suspend to RAM) handling
- Bug fixes for other low level system state handling
After concluding our poll about changes to the security discussion, we determined that “Pre-disclosure to software vendors and a wide set of users” was probably the best fit for the community. A set of concrete changes to the policy have now been discussed on xen-devel (here and here), and we seem to have converged on something everyone finds acceptable.
We are now presenting these changes for public review. The purpose of this review process is to allow feedback on the text which will be voted on, in accordance to the Xen.org governance procedure. Our plan is to leave this up for review until the third week in January. Any substantial updates will be mentioned on the blog and will extend the review time.
All feedback and discussion should happen in public on the xen-devel mailing list. If you have any suggestions for how to improve the proposal, please e-mail the list, and cc George Dunlap (george dot dunlap at citrix.com).
Read on for a summary of the updates, as well as links to the full text of the original and proposed new policies.
Summary of the updates As discussed on the xen-devel mailing list, expand eligibility of the pre-disclosure list to include any public hosting provider, as well as software project:
- Change “Large hosting providers” to “Public hosting providers”
- Remove “widely-deployed” from vendors and distributors
- Add rules of thumb for what constitutes “genuine”
- Add an itemized list of information to be included in the application, to make expectations clear and (hopefully) applications more streamlined.
Additionally, this proposal adds the following requirements:
- Applicants and current members must use an e-mail alias, not an individual’s e-mail
- Applicants and current members must submit a statement saying that they have read, understand, and will abide by this process document.
http://wiki.xen.org/wiki/Security_vulnerability_process_draft"]http://wiki.xen.org/wiki/Security_vulnerability_process_draftFor comparison, the current policy can be found here:
http://www.xen.org/projects/security_vulnerability_process.html"]http://www.xen.org/projects/security_vulnerability_process.html