[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-API] [XCP] CVE-2012-0217 - PV privilege escalation and XCP 1.1
On 15/06/12 15:29, Lars Kurth wrote: Mike, > To install the RPMs that I've uploaded, download them to your dom0 and install them with 'rpm -U'. > > [1] http://downloads.xen.org/XCP/xcp-1.0-rpms/ > [2] http://downloads.xen.org/XCP/xcp-1.1-rpms/ Ping me when you have them all such that I can publish them on - http://xen.org/download/xcp/index.html - http://xen.org/download/xcp/index_1.0.0.html - http://xen.org/download/xcp/index_1.1.0.html I've uploaded all the RPMs, so go ahead and make note of them on the website. The new ISOs are still building, though. I can ping you when they finish. Also, do you have a list of the fixes that go into these. Are these just the recently published 3 security fixes or are there more. ** Here is the changelog for the changes that went into XCP 1.0's Xen: changeset: 705:bfc23bd2900d tag: tip user: David Vrabel <david.vrabel@xxxxxxxxxx> date: Fri May 25 12:51:15 2012 +0100 summary: CA-77741: replace XSA7/8 patches with latest version changeset: 704:571c0538e8f9 user: David Vrabel <david.vrabel@xxxxxxxxxx> date: Fri Apr 20 13:50:14 2012 +0100 summary: CA-77741: Apply patches for XSA7 and XSA8 changeset: 703:c57894a86c4c user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Tue Jun 14 10:37:01 2011 +0100 summary: CA-58864: backport fix for CVE-2011-1898 changeset: 702:1e5d065a3114 user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Tue Jun 14 10:32:37 2011 +0100 summary: CA-57424: backported cve-2011-1583-4.0.patch changeset: 701:646c5cc13ec8 user: James Bulpin <James.Bulpin@xxxxxxxxxxxxx> date: Tue Mar 15 17:10:16 2011 +0000summary: CA-53626 (Backport to Xen 3.4) x86_64: fix error checking in arch_set_info_guest() ** Here is the changelog for the patches that went into XCP 1.1's Xen: changeset: 714:3772a512f7ce tag: tip user: David Vrabel <david.vrabel@xxxxxxxxxx> date: Fri May 25 12:47:12 2012 +0100 summary: CA-77741: replace XSA7/8 patches with latest version changeset: 713:81b8e187992c user: David Vrabel <david.vrabel@xxxxxxxxxx> date: Fri Apr 20 13:46:52 2012 +0100 summary: CA-77741: Apply patches for XSA7 and XSA8 changeset: 712:61820ca962f2 user: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> date: Wed Mar 14 12:22:03 2012 +0000 summary: CIS3 - Add fixes for Oxford Hotfix Jones (XS56ESP2013) changeset: 711:edfedb11e8c0 user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Tue Feb 28 12:31:21 2012 +0000 summary: CA-73604: detect PVS using source port instead of filename changeset: 710:49fab07814a9 user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Thu Oct 20 13:28:57 2011 +0100 summary: CA-53613: Xen FP emulator error changeset: 709:a77a7bf612e8 user: George Dunlap <george.dunlap@xxxxxxxxxxxxx> date: Thu Oct 20 12:22:50 2011 +0100 summary: CA-54256: Import fix to racy ASSERT from unstable changeset: 708:b58fdd7741e6 user: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> date: Mon Oct 03 11:47:12 2011 +0100summary: CA-65268 - prevent the kexec path attempting to spinlock an uninitialised variable, hanging the box changeset: 707:824b34cd748a user: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> date: Mon Oct 03 11:46:39 2011 +0100summary: CA-65267 - Remove time-calibration-verbose for HFX-223. It causes a deadlock in an irq handler under certain circumstances. changeset: 706:dd41da12d322 user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Wed Jul 13 08:42:47 2011 +0100 summary: CA-58864: backport fix for CVE-2011-1898 changeset: 705:bd910c290295 user: Simon Rowe <simon.rowe@xxxxxxxxxxxxx> date: Wed Jul 13 08:42:23 2011 +0100 summary: CA-57424: backported cve-2011-1583-4.0.patch Lars On 15/06/2012 15:19, Mike McClurg wrote:On 13/06/12 17:06, George Shuklin wrote:Good day. Few days ago very serious issue has been published, allowing 64-bit PV-guest gain control over dom0. AFAIK this is fully affect XCP 1.1 Here more data http://permalink.gmane.org/gmane.comp.security.oss.general/7851 I found that http://support.citrix.com/article/CTX133176 is fixing that. Now, I have few questions: 1) Can I use xen and kernel rpms from that update to install them in XCP installation? 2) What is legal status of that operation? Can I just install xen and linux from XenServer to XCP? (I'm not talking about StrageLink or some closed components, only xen and linux) 3) May I freely publish extracted rpms (this is very non-trivial operation)?I have added new xen-hypervisor RPMs to the dowloads.xen.org site for both XCP 1.0 [1] and XCP 1.1 [2]. By tomorrow we'll have updated ISOs for each, as well. Thanks to George for posting the repackaged XenServer rpms. To install the RPMs that I've uploaded, download them to your dom0 and install them with 'rpm -U'. Mike [1] http://downloads.xen.org/XCP/xcp-1.0-rpms/ [2] http://downloads.xen.org/XCP/xcp-1.1-rpms/ _______________________________________________ Xen-api mailing list Xen-api@xxxxxxxxxxxxx http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api _______________________________________________ Xen-api mailing list Xen-api@xxxxxxxxxxxxx http://lists.xen.org/cgi-bin/mailman/listinfo/xen-api
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |