| Summary: | xen new security issue CVE-2023-46841, CVE-2023-28746 and CVE-2024-2193 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, ghibomgx, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | xen-4.17.3-1.mga9 | CVE: | CVE-2023-46841, CVE-2023-28746, CVE-2024-2193 |
| Status comment: | Patches available from upstream | | |
| Attachments: | Commands testing xen | | |

Description
Nicolas Salguero
2024-02-28 13:45:52 CET
Nicolas Salguero
2024-02-28 13:46:33 CET
Source RPM: (none) => xen-4.18.0-5.mga10.src.rpm

Assigning this to you Giuseppe because you have very recently done several similar patches for Xen; this CVE number actually follows those.

Assignee: bugsquad => ghibomgx

CVE-2023-28746 was announced here:
https://www.openwall.com/lists/oss-security/2024/03/12/13

CVE: CVE-2023-46841 => CVE-2023-46841, CVE-2023-28746, CVE-2024-2193

CVE-2024-2193 was announced here:
https://www.openwall.com/lists/oss-security/2024/03/12/14

For Cauldron, the build seems to fail because of GCC 14.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

x86: shadow stack vs exceptions from emulation stubs. (CVE-2023-46841)
x86: Register File Data Sampling. (CVE-2023-28746)
GhostRace: Speculative Race Conditions. (CVE-2024-2193)

References:
https://www.openwall.com/lists/oss-security/2024/02/27/2
https://www.openwall.com/lists/oss-security/2024/03/12/13
https://www.openwall.com/lists/oss-security/2024/03/12/14
========================

Updated packages in core/updates_testing:
========================
lib(64)xen3.0-4.17.3-1.1.mga9
lib(64)xen-devel-4.17.3-1.1.mga9
ocaml-xen-4.17.3-1.1.mga9
ocaml-xen-devel-4.17.3-1.1.mga9
xen-4.17.3-1.1.mga9
xen-hypervisor-4.17.3-1.1.mga9
xen-licenses-4.17.3-1.1.mga9
xen-runtime-4.17.3-1.1.mga9

from SRPM:
xen-4.17.3-1.1.mga9.src.rpm

Are you sure ALL of the patches in the latest security queue are applied/applying correctly? I tried last week and some of them were not applying smoothly, so I was waiting for 4.17.4 final.

To be able to apply all patches for xsa451, xsa452 and xsa453, I had to add some other patches, as Fedora did:

xen.git-0ce25b46ab2fb53a1b58f7682ca14971453f4f2c.patch
xen.git-54dacb5c02cba4676879ed077765734326b78e39.patch
xen.git-76ea2aab3652cc34e474de0905f0a9cd4df7d087.patch
xen.git-91650010815f3da0834bc9781c4359350d1162a5.patch

With those 4 patches, all patches for xsa451, xsa452 and xsa453 applied cleanly. That said, maybe I missed some other patches so, if you prefer waiting for 4.17.4 final, it is good for me (and there is the build problem with GCC 14 for Cauldron).

Since all the patches up to xsa453 were included I think everything is fine with this 4.17.3+fixes release.

katnatek
2024-04-05 06:00:28 CEST
Version: Cauldron => 9

katnatek
2024-04-05 20:09:28 CEST
Keywords: (none) => advisory

RH mageia 9 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
Marking xen-licenses as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
edk2-ovmf-xen 20221117git> 7.mga9 noarch (recommended)
lib64nl-cli3_200 3.7.0 1.mga9 x86_64
lib64nl-idiag3_200 3.7.0 1.mga9 x86_64
lib64nl-nf3_200 3.7.0 1.mga9 x86_64
lib64nl-xfrm3_200 3.7.0 1.mga9 x86_64
lib64nl3-devel 3.7.0 1.mga9 x86_64
lib64uuid-devel 2.38.1 1.mga9 x86_64
ocaml-compiler 4.14.0 2.mga9 x86_64
ocaml-compiler-libs 4.14.0 2.mga9 x86_64
python3-lxml 4.9.2 1.mga9 x86_64
(medium "Core Updates (distrib3)")
kernel-server 6.6.22 1.mga9 x86_64
lib64yajl-devel 2.1.0 6.1.mga9 x86_64
(command line)
lib64xen-devel 4.17.3 1.1.mga9 x86_64
lib64xen3.0 4.17.3 1.1.mga9 x86_64
ocaml-xen 4.17.3 1.1.mga9 x86_64
ocaml-xen-devel 4.17.3 1.1.mga9 x86_64
xen 4.17.3 1.1.mga9 x86_64
xen-hypervisor 4.17.3 1.1.mga9 x86_64
xen-licenses 4.17.3 1.1.mga9 x86_64
xen-runtime 4.17.3 1.1.mga9 x86_64
530MB of additional disk space will be used.
212MB of packages will be retrieved.
Proceed with the installation of the 20 packages? (Y/n) y
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nl3-devel-3.7.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-lxml-4.9.2-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nl-xfrm3_200-3.7.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nl-idiag3_200-3.7.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64uuid-devel-2.38.1-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/ocaml-compiler-4.14.0-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/edk2-ovmf-xen-20221117gitfff6d81270b5-7.mga9.noarch.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nl-cli3_200-3.7.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/lib64nl-nf3_200-3.7.0-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/ocaml-compiler-libs-4.14.0-2.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/kernel-server-6.6.22-1.mga9.x86_64.rpm
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/lib64yajl-devel-2.1.0-6.1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/kernel-server-6.6.22-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64xen-devel-4.17.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nl-idiag3_200-3.7.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/ocaml-xen-devel-4.17.3-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-runtime-4.17.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nl-cli3_200-3.7.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nl-nf3_200-3.7.0-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-hypervisor-4.17.3-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/ocaml-xen-4.17.3-1.1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/xen-licenses-4.17.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/python3-lxml-4.9.2-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nl-xfrm3_200-3.7.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64uuid-devel-2.38.1-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/lib64xen3.0-4.17.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64nl3-devel-3.7.0-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/edk2-ovmf-xen-20221117gitfff6d81270b5-7.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/xen-4.17.3-1.1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/ocaml-compiler-libs-4.14.0-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/ocaml-compiler-4.14.0-2.mga9.x86_64.rpm
/var/cache/urpmi/rpms/lib64yajl-devel-2.1.0-6.1.mga9.x86_64.rpm
Preparing... ##################################################################################################
1/20: xen-licenses ##################################################################################################
2/20: lib64xen3.0 ##################################################################################################
3/20: lib64nl-nf3_200 ##################################################################################################
4/20: lib64nl-cli3_200 ##################################################################################################
5/20: ocaml-compiler ##################################################################################################
6/20: ocaml-compiler-libs ##################################################################################################
7/20: ocaml-xen ##################################################################################################
8/20: lib64yajl-devel ##################################################################################################
9/20: edk2-ovmf-xen ##################################################################################################
10/20: xen-hypervisor ##################################################################################################
Generating grub configuration file ...
Found theme: /boot/grub2/themes/maggy/theme.txt
Found linux image: /boot/vmlinuz-6.6.22-desktop-1.mga9
Found initrd image: /boot/initrd-6.6.22-desktop-1.mga9.img
Found linux image: /boot/vmlinuz-6.6.22-desktop-1.mga9
Found initrd image: /boot/initrd-6.6.22-desktop-1.mga9.img
Found memtest image: /boot/memtest
Adding boot menu entry for UEFI Firmware Settings ...
done
11/20: lib64uuid-devel ##################################################################################################
12/20: lib64nl-xfrm3_200 ##################################################################################################
13/20: python3-lxml ##################################################################################################
14/20: lib64nl-idiag3_200 ##################################################################################################
15/20: lib64nl3-devel ##################################################################################################
16/20: lib64xen-devel ##################################################################################################
17/20: kernel-server ##################################################################################################
18/20: xen-runtime ##################################################################################################
Created symlink /etc/systemd/system/multi-user.target.wants/xenstored.service -> /usr/lib/systemd/system/xenstored.service.
Created symlink /etc/systemd/system/multi-user.target.wants/xenconsoled.service -> /usr/lib/systemd/system/xenconsoled.service.
19/20: xen ##################################################################################################
Created symlink /etc/systemd/system/multi-user.target.wants/xendomains.service -> /usr/lib/systemd/system/xendomains.service.
20/20: ocaml-xen-devel ##################################################################################################
1/2: removing lib64xen3.0-4.17.3-1.mga9.x86_64
##################################################################################################
2/2: removing xen-licenses-4.17.3-1.mga9.x86_64
##################################################################################################
remove-boot-splash: Format of /boot/initrd-6.6.22-server-1.mga9.img not recognized
You should restart your computer for kernel-server

Install after this kernel-server-devel (because I have a dkms module) and I'll reboot and test the Mageia with Xen Hypervisor

katnatek
2024-04-06 01:29:07 CEST
CC: (none) => ghibomgx

Mageia 9 x86_64 with Hypervisor, Plasma X11

I get errors at boot time about /dev/hvc0 that I don't remember seeing before
https://www.imagebam.com/view/MESUBZN

Once again, I don't know what more to test

Keywords: (none) => feedback

Created attachment 14496: Commands testing xen

Back to https://bugs.mageia.org/show_bug.cgi?id=32332#c49 and repeat the commands, adding journalctl |grep hvc and ls -la /dev/hvc* to make checks about the warning at boot time. All looks well I think; the reduction in memory in "xl info" is due to a 4Gb module removed

katnatek
2024-04-09 19:20:05 CEST
CC: (none) => andrewsfarm

With nothing more to add I give OK to this

Whiteboard: (none) => MGA9-64-OK

Thanks, katnatek. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0115.html

Status: NEW => RESOLVED