| Summary: | xen, new security issues XSA-306 XSA-304, CVE-2018-12207 XSA-305, CVE-2019-11135 XSA-296, CVE-2019-18420 XSA-298, CVE-2019-18425 XSA-299, CVE-2019-18421 XSA-301, CVE-2019-18423 XSA-302, CVE-2019-18424 XSA-303, CVE-2019-18422 XSA-295, CVE-2019-17349, CVE… | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Thierry Vignaud <thierry.vignaud> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | brtians1, davidwhodgins, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | xen-4.12.1-1.mga7 | CVE: | |
| Status comment: | |||
|
Description

Thierry Vignaud 2019-11-29 07:05:18 CET

Thierry Vignaud 2019-11-29 07:05:51 CET

Component: RPM Packages => Security

The following 89 packages are going to be installed:
- cyrus-sasl-2.1.27-1.1.mga7.x86_64
- edk2-aarch64-20190308stable-1.mga7.nonfree.noarch
- edk2-ovmf-20190308stable-1.mga7.nonfree.noarch
- edk2-ovmf-ia32-20190308stable-1.mga7.nonfree.noarch
- grub-0.97-48.1.mga7.x86_64
- ipxe-roms-qemu-20190125-1.mga7.noarch
- kernel-server-5.1.14-1.mga7-1-1.mga7.x86_64
- kernel-server-5.4.6-2.mga7-1-1.mga7.x86_64
- kernel-server-latest-5.4.6-2.mga7.x86_64
- lib64brlapi0.6-5.5-7.mga7.x86_64
- lib64cacard0-2.6.1-2.mga7.x86_64
- lib64capstone4-4.0.1-1.mga7.x86_64
- lib64ibverbs1-1.2.1-3.mga7.x86_64
- lib64iscsi8-1.18.0-5.mga7.x86_64
- lib64nl-route3_200-3.4.0-3.mga7.x86_64
- lib64rdmacm1-1.1.0-3.mga7.x86_64
- lib64sasl2-plug-anonymous-2.1.27-1.1.mga7.x86_64
- lib64sasl2-plug-login-2.1.27-1.1.mga7.x86_64
- lib64sasl2-plug-plain-2.1.27-1.1.mga7.x86_64
- lib64snappy1-1.1.7-2.mga7.x86_64
- lib64spice-server1-0.14.2-1.mga7.x86_64
- lib64usbredirparser1-0.8.0-2.mga7.x86_64
- lib64virglrenderer0-0.7.0-1.20190424gitd1758cc09.mga7.x86_64
- lib64xen3.0-4.12.1-1.mga7.x86_64
- lib64yajl2-2.1.0-2.mga7.x86_64
- openbios-1.1.svn1394-3.mga7.noarch
- python3-lxml-4.3.0-1.mga7.x86_64
- qemu-4.0.0-2.mga7.x86_64
- qemu-audio-alsa-4.0.0-2.mga7.x86_64
- qemu-audio-oss-4.0.0-2.mga7.x86_64
- qemu-audio-pa-4.0.0-2.mga7.x86_64
- qemu-audio-sdl-4.0.0-2.mga7.x86_64
- qemu-block-curl-4.0.0-2.mga7.x86_64
- qemu-block-dmg-4.0.0-2.mga7.x86_64
- qemu-block-iscsi-4.0.0-2.mga7.x86_64
- qemu-block-nfs-4.0.0-2.mga7.x86_64
- qemu-block-ssh-4.0.0-2.mga7.x86_64
- qemu-common-4.0.0-2.mga7.x86_64
- qemu-img-4.0.0-2.mga7.x86_64
- qemu-system-aarch64-4.0.0-2.mga7.x86_64
- qemu-system-aarch64-core-4.0.0-2.mga7.x86_64
- qemu-system-alpha-4.0.0-2.mga7.x86_64
- qemu-system-alpha-core-4.0.0-2.mga7.x86_64
- qemu-system-arm-4.0.0-2.mga7.x86_64
- qemu-system-arm-core-4.0.0-2.mga7.x86_64
- qemu-system-cris-4.0.0-2.mga7.x86_64
- qemu-system-cris-core-4.0.0-2.mga7.x86_64
- qemu-system-lm32-4.0.0-2.mga7.x86_64
- qemu-system-lm32-core-4.0.0-2.mga7.x86_64
- qemu-system-m68k-4.0.0-2.mga7.x86_64
- qemu-system-m68k-core-4.0.0-2.mga7.x86_64
- qemu-system-microblaze-4.0.0-2.mga7.x86_64
- qemu-system-microblaze-core-4.0.0-2.mga7.x86_64
- qemu-system-mips-4.0.0-2.mga7.x86_64
- qemu-system-mips-core-4.0.0-2.mga7.x86_64
- qemu-system-moxie-4.0.0-2.mga7.x86_64
- qemu-system-moxie-core-4.0.0-2.mga7.x86_64
- qemu-system-nios2-4.0.0-2.mga7.x86_64
- qemu-system-nios2-core-4.0.0-2.mga7.x86_64
- qemu-system-or1k-4.0.0-2.mga7.x86_64
- qemu-system-or1k-core-4.0.0-2.mga7.x86_64
- qemu-system-ppc-4.0.0-2.mga7.x86_64
- qemu-system-ppc-core-4.0.0-2.mga7.x86_64
- qemu-system-riscv-4.0.0-2.mga7.x86_64
- qemu-system-riscv-core-4.0.0-2.mga7.x86_64
- qemu-system-s390x-4.0.0-2.mga7.x86_64
- qemu-system-s390x-core-4.0.0-2.mga7.x86_64
- qemu-system-sh4-4.0.0-2.mga7.x86_64
- qemu-system-sh4-core-4.0.0-2.mga7.x86_64
- qemu-system-sparc-4.0.0-2.mga7.x86_64
- qemu-system-sparc-core-4.0.0-2.mga7.x86_64
- qemu-system-tricore-4.0.0-2.mga7.x86_64
- qemu-system-tricore-core-4.0.0-2.mga7.x86_64
- qemu-system-unicore32-4.0.0-2.mga7.x86_64
- qemu-system-unicore32-core-4.0.0-2.mga7.x86_64
- qemu-system-x86-4.0.0-2.mga7.x86_64
- qemu-system-x86-core-4.0.0-2.mga7.x86_64
- qemu-system-xtensa-4.0.0-2.mga7.x86_64
- qemu-system-xtensa-core-4.0.0-2.mga7.x86_64
- qemu-ui-curses-4.0.0-2.mga7.x86_64
- qemu-ui-gtk-4.0.0-2.mga7.x86_64
- qemu-ui-sdl-4.0.0-2.mga7.x86_64
- qemu-user-4.0.0-2.mga7.x86_64
- seabios-bin-1.12.1-1.mga7.noarch
- seavgabios-bin-1.12.1-1.mga7.noarch
- sgabios-bin-0.20110622svn-2.mga7.noarch
- slof-0.1.git20160223-3.mga7.noarch
- xen-4.12.1-1.mga7.x86_64
- xen-hypervisor-4.12.1-1.mga7.x86_64
869MB of additional disk space will be used.
243MB of packages will be retrieved.
---
It set up the boot option, but I could not get Xen and Mageia running on Gnome to work on Nvidia. It would go to a blank screen as soon as it said starting gnome.
---
So I moved the desk over to an Intel box and retried - this did actually work to the point I could get a screen and could confirm Xen is working.
---
Installed Virt-Manager to administer. It was able to connect to xen. However, when attempting to build a VM from an ISO (non-Mageia) I get the following errors from the script.
```
Unable to complete install: 'An error occurred, but the cause is unknown'
Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 2122, in _do_async_install
    guest.installer_instance.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/installer.py", line 415, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/installer.py", line 358, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 3840, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirt.libvirtError: An error occurred, but the cause is unknown
```
----
Some important things: it will try to build the VM disk by default in the /var directory. So, allocate that to its own partition and make it large, otherwise it defaults to root, which is generally restrictive.
----
Is xen able to run? Yes. So this may be a yes, it is functional. Not sure.

CC: (none) => brtians1

Okay - tested more with Virtual Manager - as we don't have all of the tools in xen by default. So - I think we need to upgrade Virtual Manager to make this work. What do you need from me?
Brian Rockwell 2020-02-28 16:20:18 CET

Whiteboard: feedback => (none)

As per bug 26118, I had to replace vncviewer with one downloaded from https://bintray.com/tigervnc/stable/tigervnc/1.10.1

Also found that with my current configuration, my Logitech, Inc. Unifying Receiver was not working in the guest, so unplugged it and used a ps/2 wired keyboard instead. Didn't bother trying to get networking working in the guest. Only tested an hvm guest.

Notes are as follows ...

Starting with a fully up-to-date real hardware install with task-xfce4-minimal, and ...

```
# rpm -qa|grep kernel|sort -V
kernel-firmware-20190603-1.mga7
kernel-firmware-nonfree-20191220-1.mga7.nonfree
kernel-server-5.5.6-2.mga7-1-1.mga7
kernel-server-latest-5.5.6-2.mga7
```

This is on an install with a separate /boot partition.

Found out that "urpmi xen" still requires grub legacy, and also qemu, so switched the install to using grub legacy.

# urpmi xen, which also pulled in qemu

Prior to editing, /boot/grub/menu.lst only contained one entry with

```
title linux
kernel (hd0,1)/vmlinuz-5.5.6-server-2.mga7 BOOT_IMAGE=linux root=/dev/sda6 audit=0 vga=788
root (hd0,1)
initrd /initrd.img
```

Added an entry with ...

```
title xen server 5.5.6-server-2.mga7
kernel (hd0,1)/xen.gz dom0_mem=4096MB
module (hd0,1)/vmlinuz-5.5.6-server-2.mga7 BOOT_IMAGE=linux root=/dev/sda6 audit=0 vga=788
root (hd0,1)
module /initrd.img
```

Note: as /boot is on a separate partition (sda2), the kernel and module paths do not start with /boot.

Booted the system, selecting the xen boot entry, logged into the desktop normally.

```
[root@localhost ~]# ps -A|grep xen
   35 ?        00:00:00 xenbus
   36 ?        00:00:00 xenwatch
  956 ?        00:00:00 xenstored
 1063 ?        00:00:00 xenconsoled
```

Created the sparse file to contain the guest

```
dd if=/dev/zero of=/opt/hvmtest.img count=1 bs=4M seek=4k
```

This allows the guest to use up to 50% of the partition's free space.

```
# cat /etc/xen/xentest.cfg
name="xentest"
builder = "hvm"
memory = 4096
vcpus = 2
#vif = [ 'type=ioemu, model=e1000, mac=00:16:3E:29:QQ:QQ, bridge=xenbr1' ]
disk = [ 'tap:aio:/opt/hvmtest.img,xvda,w', 'file:/s3/m7.1/Mageia-7.1-Live-Xfce-x86_64/Mageia-7.1-Live-Xfce-x86_64.iso,xvdb:cdrom,r' ]
boot = "dc"
vga = "qxl"
videoram = 128
vnc = 1
vnclisten = "192.168.10.201" # (this is this host systems ip)
vncdisplay = 0
vncpasswd = "munged"
```

```
# xl -v create /etc/xen/xentest.cfg -V
```

The live iso booted after entering the password. Didn't try installing.

In a separate terminal

```
# xl list
Name                ID   Mem VCPUs  State   Time(s)
Domain-0             0 12014     4  r-----    157.0
xentest              1  3968     2  r-----     61.4
```

Advisory committed to svn. Validating the update.

Whiteboard: (none) => MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0113.html

Resolution: (none) => FIXED
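As an added check for anyone confirming this update on their own hosts (example code written for this page, not part of the bug report or of Mageia's tooling): a pure-Python port of rpm's version ordering that tells whether the installed xen build is at least the fixed xen-4.12.1-1.mga7 named in the Source RPM field. The architecture suffixes stripped in parse_nvr and the older version strings used for comparison are assumptions.

```python
import re

# Added example, not code from the bug report or from Mageia: a pure-Python
# port of rpm's rpmvercmp() segment ordering, used to check an installed xen
# build against the fixed build this update ships, xen-4.12.1-1.mga7.

FIXED_XEN = ("4.12.1", "1.mga7")  # (version, release) from the Source RPM field
_SEG = re.compile(r"(\d+|[A-Za-z]+|~)")  # numeric run, alpha run, or tilde


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for version/release strings a and b, as rpm does."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # tilde sorts before everything
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():     # numeric vs numeric: by value
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():    # a numeric segment beats alpha
            return 1 if x.isdigit() else -1
        elif x != y:                        # alpha vs alpha: lexical
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Equal prefix: leftover segments make a string newer, unless they
    # start with a tilde (pre-release marker).
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nvr(nevra: str):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    nevra = re.sub(r"\.(x86_64|i586|noarch|aarch64)$", "", nevra)  # assumed arch set
    name, version, release = nevra.rsplit("-", 2)
    return name, version, release


def xen_is_patched(installed: str) -> bool:
    """True if an `rpm -q xen` result is at least xen-4.12.1-1.mga7."""
    name, ver, rel = parse_nvr(installed)
    if name != "xen":
        raise ValueError(f"not an xen package: {installed}")
    c = rpmvercmp(ver, FIXED_XEN[0]) or rpmvercmp(rel, FIXED_XEN[1])
    return c >= 0
```

Changing FIXED_XEN to another package's version and release applies the same check to the other builds in the list above, such as qemu-4.0.0-2.mga7.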