[Oraclevm-errata] OVMSA-2012-0039 Important: Oracle VM 3.1 xen Security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed Sep 5 09:42:06 PDT 2012
Oracle VM Security Advisory OVMSA-2012-0039
The following updated rpms for Oracle VM 3.1 have been uploaded to the
Unbreakable Linux Network:
x86_64:
xen-4.1.2-18.el5.14.x86_64.rpm
xen-devel-4.1.2-18.el5.14.x86_64.rpm
xen-tools-4.1.2-18.el5.14.x86_64.rpm
SRPMS:
http://oss.oracle.com/oraclevm/server/3.1/SRPMS-updates/xen-4.1.2-18.el5.14.src.rpm
Description of changes:
[4.1.2-18.el5.14]
- console: bounds check whenever changing the cursor due to an escape code
The device model used by fully virtualised (HVM) domains, qemu, does
not properly handle escape VT100 sequences when emulating certain
devices with a virtual console backend.
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
14555087] {CVE-2012-3515}
[4.1.2-18.el5.13]
- x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check
map->index.
This is being used as a array index, and hence must be validated before
use.
A malicious HVM guest kernel can crash the host. It might also be
able to read hypervisor or guest memory.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
14555053] {CVE-2012-3496}
[4.1.2-18.el5.12]
- xen: Don't BUG_ON() PoD operations on a non-translated guest.
XENMEM_populate_physmap can be called with invalid flags. By calling
it with MEMF_populate_on_demand flag set, a BUG can be triggered if a
translating paging mode is not being used.
Signed-off-by: Tim Deegan <tim at xen.org>
Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
Tested-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
14555002] {CVE-2012-3496}
[4.1.2-18.el5.11]
- xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq
PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq
succeeded, and if it fails will use the error code as an array index.
Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Jan Beulich <JBeulich at suse.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
14554982] {CVE-2012-3495}
[4.1.2-18.el5.10]
- xen: prevent a 64 bit guest setting reserved bits in DR7
The upper 32 bits of this register are reserved and should be written
as zero.
Signed-off-by: Jan Beulich <jbeulich at suse.com>
Reviewed-by: Ian Campbell <ian.campbell at citrix.com>
Signed-off-by: Chuck Anderson <chuck.anderson at oracle.com> [bug
14554864] {CVE-2012-3494}
More information about the Oraclevm-errata
mailing list