Advisory:
========================

Updated Xen packages fix security vulnerabilities:

- Updated from 4.12.0 to 4.12.1
- Device quarantine for alternate pci assignment methods [XSA-306]
- x86: Machine Check Error on Page Size Change DoS [XSA-304, CVE-2018-12207]
- TSX Asynchronous Abort speculative side channel [XSA-305, CVE-2019-11135]
- VCPUOP_initialise DoS [XSA-296, CVE-2019-18420] (rhbz#1771368)
- missing descriptor table limit checking in x86 PV emulation [XSA-298, CVE-2019-18425] (rhbz#1771341)
- Issues with restartable PV type change operations [XSA-299, CVE-2019-18421] (rhbz#1767726)
- add-to-physmap can be abused to DoS Arm hosts [XSA-301, CVE-2019-18423] (rhbz#1771345)
- passed through PCI devices may corrupt host memory after deassignment [XSA-302, CVE-2019-18424] (rhbz#1767731)
- ARM: Interrupts are unconditionally unmasked in exception handlers [XSA-303, CVE-2019-18422] (rhbz#1771443)
- Unlimited Arm Atomics Operations [XSA-295, CVE-2019-17349, CVE-2019-17350] (rhbz#1720760)
- fix HVM DomU boot on some chipsets
- adjust grub2 workaround

References:
https://xenbits.xen.org/xsa/advisory-306.html
https://xenbits.xen.org/xsa/advisory-304.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207
https://xenbits.xen.org/xsa/advisory-305.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
https://xenbits.xen.org/xsa/advisory-296.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18420
https://xenbits.xen.org/xsa/advisory-298.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425
https://xenbits.xen.org/xsa/advisory-299.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18421
https://xenbits.xen.org/xsa/advisory-301.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423
https://xenbits.xen.org/xsa/advisory-302.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424
https://xenbits.xen.org/xsa/advisory-303.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18422
https://xenbits.xen.org/xsa/advisory-295.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17350
========================

Updated packages in core/updates_testing:
========================
libxen3.0-4.12.1-1.mga7.i586.rpm
libxen3.0-debuginfo-4.12.1-1.mga7.i586.rpm
libxen-devel-4.12.1-1.mga7.i586.rpm
ocaml-xen-4.12.1-1.mga7.i586.rpm
ocaml-xen-debuginfo-4.12.1-1.mga7.i586.rpm
ocaml-xen-devel-4.12.1-1.mga7.i586.rpm
xen-4.12.1-1.mga7.i586.rpm
xen-debuginfo-4.12.1-1.mga7.i586.rpm
xen-debugsource-4.12.1-1.mga7.i586.rpm
xen-doc-4.12.1-1.mga7.noarch.rpm
xen-hypervisor-4.12.1-1.mga7.i586.rpm

lib64xen3.0-4.12.1-1.mga7.x86_64.rpm
lib64xen3.0-debuginfo-4.12.1-1.mga7.x86_64.rpm
lib64xen-devel-4.12.1-1.mga7.x86_64.rpm
ocaml-xen-4.12.1-1.mga7.x86_64.rpm
ocaml-xen-debuginfo-4.12.1-1.mga7.x86_64.rpm
ocaml-xen-devel-4.12.1-1.mga7.x86_64.rpm
xen-4.12.1-1.mga7.x86_64.rpm
xen-debuginfo-4.12.1-1.mga7.x86_64.rpm
xen-debugsource-4.12.1-1.mga7.x86_64.rpm
xen-doc-4.12.1-1.mga7.noarch.rpm
xen-hypervisor-4.12.1-1.mga7.x86_64.rpm

lib64xen3.0-4.12.1-1.mga7.aarch64.rpm
lib64xen3.0-debuginfo-4.12.1-1.mga7.aarch64.rpm
lib64xen-devel-4.12.1-1.mga7.aarch64.rpm
ocaml-xen-4.12.1-1.mga7.aarch64.rpm
ocaml-xen-debuginfo-4.12.1-1.mga7.aarch64.rpm
ocaml-xen-devel-4.12.1-1.mga7.aarch64.rpm
xen-4.12.1-1.mga7.aarch64.rpm
xen-debuginfo-4.12.1-1.mga7.aarch64.rpm
xen-debugsource-4.12.1-1.mga7.aarch64.rpm
xen-doc-4.12.1-1.mga7.noarch.rpm
xen-hypervisor-4.12.1-1.mga7.aarch64.rpm

libxen3.0-4.12.1-1.mga7.armv7hl.rpm
libxen3.0-debuginfo-4.12.1-1.mga7.armv7hl.rpm
libxen-devel-4.12.1-1.mga7.armv7hl.rpm
ocaml-xen-4.12.1-1.mga7.armv7hl.rpm
ocaml-xen-debuginfo-4.12.1-1.mga7.armv7hl.rpm
ocaml-xen-devel-4.12.1-1.mga7.armv7hl.rpm
xen-4.12.1-1.mga7.armv7hl.rpm
xen-debuginfo-4.12.1-1.mga7.armv7hl.rpm
xen-debugsource-4.12.1-1.mga7.armv7hl.rpm
xen-doc-4.12.1-1.mga7.noarch.rpm
xen-hypervisor-4.12.1-1.mga7.armv7hl.rpm
Component: RPM Packages => Security
QA Contact: (none) => security
The following 89 packages are going to be installed:

- cyrus-sasl-2.1.27-1.1.mga7.x86_64
- edk2-aarch64-20190308stable-1.mga7.nonfree.noarch
- edk2-ovmf-20190308stable-1.mga7.nonfree.noarch
- edk2-ovmf-ia32-20190308stable-1.mga7.nonfree.noarch
- grub-0.97-48.1.mga7.x86_64
- ipxe-roms-qemu-20190125-1.mga7.noarch
- kernel-server-5.1.14-1.mga7-1-1.mga7.x86_64
- kernel-server-5.4.6-2.mga7-1-1.mga7.x86_64
- kernel-server-latest-5.4.6-2.mga7.x86_64
- lib64brlapi0.6-5.5-7.mga7.x86_64
- lib64cacard0-2.6.1-2.mga7.x86_64
- lib64capstone4-4.0.1-1.mga7.x86_64
- lib64ibverbs1-1.2.1-3.mga7.x86_64
- lib64iscsi8-1.18.0-5.mga7.x86_64
- lib64nl-route3_200-3.4.0-3.mga7.x86_64
- lib64rdmacm1-1.1.0-3.mga7.x86_64
- lib64sasl2-plug-anonymous-2.1.27-1.1.mga7.x86_64
- lib64sasl2-plug-login-2.1.27-1.1.mga7.x86_64
- lib64sasl2-plug-plain-2.1.27-1.1.mga7.x86_64
- lib64snappy1-1.1.7-2.mga7.x86_64
- lib64spice-server1-0.14.2-1.mga7.x86_64
- lib64usbredirparser1-0.8.0-2.mga7.x86_64
- lib64virglrenderer0-0.7.0-1.20190424gitd1758cc09.mga7.x86_64
- lib64xen3.0-4.12.1-1.mga7.x86_64
- lib64yajl2-2.1.0-2.mga7.x86_64
- openbios-1.1.svn1394-3.mga7.noarch
- python3-lxml-4.3.0-1.mga7.x86_64
- qemu-4.0.0-2.mga7.x86_64
- qemu-audio-alsa-4.0.0-2.mga7.x86_64
- qemu-audio-oss-4.0.0-2.mga7.x86_64
- qemu-audio-pa-4.0.0-2.mga7.x86_64
- qemu-audio-sdl-4.0.0-2.mga7.x86_64
- qemu-block-curl-4.0.0-2.mga7.x86_64
- qemu-block-dmg-4.0.0-2.mga7.x86_64
- qemu-block-iscsi-4.0.0-2.mga7.x86_64
- qemu-block-nfs-4.0.0-2.mga7.x86_64
- qemu-block-ssh-4.0.0-2.mga7.x86_64
- qemu-common-4.0.0-2.mga7.x86_64
- qemu-img-4.0.0-2.mga7.x86_64
- qemu-system-aarch64-4.0.0-2.mga7.x86_64
- qemu-system-aarch64-core-4.0.0-2.mga7.x86_64
- qemu-system-alpha-4.0.0-2.mga7.x86_64
- qemu-system-alpha-core-4.0.0-2.mga7.x86_64
- qemu-system-arm-4.0.0-2.mga7.x86_64
- qemu-system-arm-core-4.0.0-2.mga7.x86_64
- qemu-system-cris-4.0.0-2.mga7.x86_64
- qemu-system-cris-core-4.0.0-2.mga7.x86_64
- qemu-system-lm32-4.0.0-2.mga7.x86_64
- qemu-system-lm32-core-4.0.0-2.mga7.x86_64
- qemu-system-m68k-4.0.0-2.mga7.x86_64
- qemu-system-m68k-core-4.0.0-2.mga7.x86_64
- qemu-system-microblaze-4.0.0-2.mga7.x86_64
- qemu-system-microblaze-core-4.0.0-2.mga7.x86_64
- qemu-system-mips-4.0.0-2.mga7.x86_64
- qemu-system-mips-core-4.0.0-2.mga7.x86_64
- qemu-system-moxie-4.0.0-2.mga7.x86_64
- qemu-system-moxie-core-4.0.0-2.mga7.x86_64
- qemu-system-nios2-4.0.0-2.mga7.x86_64
- qemu-system-nios2-core-4.0.0-2.mga7.x86_64
- qemu-system-or1k-4.0.0-2.mga7.x86_64
- qemu-system-or1k-core-4.0.0-2.mga7.x86_64
- qemu-system-ppc-4.0.0-2.mga7.x86_64
- qemu-system-ppc-core-4.0.0-2.mga7.x86_64
- qemu-system-riscv-4.0.0-2.mga7.x86_64
- qemu-system-riscv-core-4.0.0-2.mga7.x86_64
- qemu-system-s390x-4.0.0-2.mga7.x86_64
- qemu-system-s390x-core-4.0.0-2.mga7.x86_64
- qemu-system-sh4-4.0.0-2.mga7.x86_64
- qemu-system-sh4-core-4.0.0-2.mga7.x86_64
- qemu-system-sparc-4.0.0-2.mga7.x86_64
- qemu-system-sparc-core-4.0.0-2.mga7.x86_64
- qemu-system-tricore-4.0.0-2.mga7.x86_64
- qemu-system-tricore-core-4.0.0-2.mga7.x86_64
- qemu-system-unicore32-4.0.0-2.mga7.x86_64
- qemu-system-unicore32-core-4.0.0-2.mga7.x86_64
- qemu-system-x86-4.0.0-2.mga7.x86_64
- qemu-system-x86-core-4.0.0-2.mga7.x86_64
- qemu-system-xtensa-4.0.0-2.mga7.x86_64
- qemu-system-xtensa-core-4.0.0-2.mga7.x86_64
- qemu-ui-curses-4.0.0-2.mga7.x86_64
- qemu-ui-gtk-4.0.0-2.mga7.x86_64
- qemu-ui-sdl-4.0.0-2.mga7.x86_64
- qemu-user-4.0.0-2.mga7.x86_64
- seabios-bin-1.12.1-1.mga7.noarch
- seavgabios-bin-1.12.1-1.mga7.noarch
- sgabios-bin-0.20110622svn-2.mga7.noarch
- slof-0.1.git20160223-3.mga7.noarch
- xen-4.12.1-1.mga7.x86_64
- xen-hypervisor-4.12.1-1.mga7.x86_64

869MB of additional disk space will be used.
243MB of packages will be retrieved.

---

It set up the boot option, but I could not get Xen and Mageia running on Gnome to work on Nvidia. It would go to a blank screen as soon as it said starting gnome.

---

So I moved the desk over to an Intel box and retried - this did actually work to the point I could get a screen and could confirm Xen is working.

---

Installed Virt-Manager to administer. It was able to connect to xen. However, when attempting to build a VM from an ISO (non-Mageia) I get the following errors from the script.

Unable to complete install: 'An error occurred, but the cause is unknown'

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/create.py", line 2122, in _do_async_install
    guest.installer_instance.start_install(guest, meter=meter)
  File "/usr/share/virt-manager/virtinst/installer.py", line 415, in start_install
    doboot, transient)
  File "/usr/share/virt-manager/virtinst/installer.py", line 358, in _create_guest
    domain = self.conn.createXML(install_xml or final_xml, 0)
  File "/usr/lib64/python3.7/site-packages/libvirt.py", line 3840, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirt.libvirtError: An error occurred, but the cause is unknown

----

Some important things: it will try to build the VM disk by default in the /var directory. So, allocate that to its own partition and make it large, otherwise it defaults to root, which is generally restrictive.

----

Is xen able to run? Yes. So this may be a "yes, it is functional". Not sure.
CC: (none) => brtians1
Whiteboard: (none) => feedback
Okay - tested more with Virtual Manager - as we don't have all of the tools in xen by default. So - I think we need to upgrade Virtual Manager to make this work. What do you need from me?
Whiteboard: feedback => (none)
As per bug 26118, I had to replace vncviewer with one downloaded from https://bintray.com/tigervnc/stable/tigervnc/1.10.1

Also found that with my current configuration, my Logitech, Inc. Unifying Receiver was not working in the guest, so unplugged it and used a ps/2 wired keyboard instead. Didn't bother trying to get networking working in the guest. Only tested an hvm guest.

Notes are as follows ...

Starting with a fully up-to-date real hardware install with task-xfce4-minimal, and ...

# rpm -qa|grep kernel|sort -V
kernel-firmware-20190603-1.mga7
kernel-firmware-nonfree-20191220-1.mga7.nonfree
kernel-server-5.5.6-2.mga7-1-1.mga7
kernel-server-latest-5.5.6-2.mga7

This is on an install with a separate /boot partition.

Found out that "urpmi xen" still requires grub legacy, and also qemu, so switched the install to using grub legacy.

# urpmi xen, which also pulled in qemu

Prior to editing, /boot/grub/menu.lst only contained one entry with

title linux
kernel (hd0,1)/vmlinuz-5.5.6-server-2.mga7 BOOT_IMAGE=linux root=/dev/sda6 audit=0 vga=788
root (hd0,1)
initrd /initrd.img

Added an entry with ...

title xen server 5.5.6-server-2.mga7
kernel (hd0,1)/xen.gz dom0_mem=4096MB
module (hd0,1)/vmlinuz-5.5.6-server-2.mga7 BOOT_IMAGE=linux root=/dev/sda6 audit=0 vga=788
root (hd0,1)
module /initrd.img

Note: as /boot is on a separate partition (sda2), the kernel and module paths do not start with /boot

Booted the system, selecting the xen boot entry, logged into the desktop normally.

[root@localhost ~]# ps -A|grep xen
   35 ?        00:00:00 xenbus
   36 ?        00:00:00 xenwatch
  956 ?        00:00:00 xenstored
 1063 ?        00:00:00 xenconsoled

Created the sparse file to contain the guest
dd if=/dev/zero of=/opt/hvmtest.img count=1 bs=4M seek=4k
This allows the guest to use up to 50% of the partition's free space.

# cat /etc/xen/xentest.cfg
name="xentest"
builder = "hvm"
memory = 4096
vcpus = 2
#vif = [ 'type=ioemu, model=e1000, mac=00:16:3E:29:QQ:QQ, bridge=xenbr1' ]
disk = [ 'tap:aio:/opt/hvmtest.img,xvda,w', 'file:/s3/m7.1/Mageia-7.1-Live-Xfce-x86_64/Mageia-7.1-Live-Xfce-x86_64.iso,xvdb:cdrom,r' ]
boot = "dc"
vga = "qxl"
videoram = 128
vnc = 1
vnclisten = "192.168.10.201" # (this is this host systems ip)
vncdisplay = 0
vncpasswd = "munged"

# xl -v create /etc/xen/xentest.cfg -V

The live iso booted after entering the password. Didn't try installing.

In a separate terminal

# xl list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0 12014     4     r-----     157.0
xentest                                      1  3968     2     r-----      61.4

Advisory committed to svn.

Validating the update.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, has_procedure, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
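Two checks a dom0 administrator might script from this thread, as an added example rather than Xen's or Mageia's own code: parse an xl guest config such as the xentest.cfg above and flag a VNC console bound to a LAN address (plain VNC carries the console unencrypted, so loopback plus an SSH tunnel is the safer default), and compare the version lines printed by `xl info` against the 4.12.1 release this advisory ships. The sample config and `xl info` output are constructed.

```python
import ast

FIXED_VERSION = (4, 12, 1)   # the Xen release this update moves to
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample mirroring the xentest.cfg posted in the thread.
SAMPLE_CFG = '''
name="xentest"
builder = "hvm"
memory = 4096
vcpus = 2
disk = [ 'tap:aio:/opt/hvmtest.img,xvda,w' ]
vnc = 1
vnclisten = "192.168.10.201" # (this is this host systems ip)
vncpasswd = "munged"
'''
# Constructed sample of the version lines `xl info` prints on the dom0.
SAMPLE_XL_INFO = "xen_major : 4\nxen_minor : 12\nxen_extra : .1\n"

def parse_xl_cfg(text):
    """xl config syntax is Python-like, so parse each 'key = literal' assignment."""
    cfg = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            cfg[node.targets[0].id] = ast.literal_eval(node.value)
    return cfg

def lint_console(cfg):
    """Flag a VNC console that is reachable beyond the dom0 itself or left unprotected."""
    findings = []
    if cfg.get("vnc") == 1:
        listen = cfg.get("vnclisten", "127.0.0.1")   # xl defaults to loopback
        if listen not in LOOPBACK:
            findings.append(f"vnclisten={listen}: plaintext VNC exposed on a network interface")
        if not cfg.get("vncpasswd"):
            findings.append("vnc=1 without vncpasswd")
    return findings

def xen_version(xl_info_text):
    """Build (major, minor, patch) from the xen_major/xen_minor/xen_extra lines."""
    fields = {k.strip(): v.strip() for k, v in
              (line.split(":", 1) for line in xl_info_text.splitlines() if ":" in line)}
    patch = fields.get("xen_extra", ".0").lstrip(".").split("-")[0] or "0"
    return int(fields["xen_major"]), int(fields["xen_minor"]), int(patch)

def is_patched(xl_info_text):
    """True once the running hypervisor carries the fixes listed in this advisory."""
    return xen_version(xl_info_text) >= FIXED_VERSION
```

Run `lint_console(parse_xl_cfg(open("/etc/xen/xentest.cfg").read()))` against a real config, and feed `xl info` output to `is_patched` to confirm the dom0 actually booted the updated hypervisor rather than a stale grub entry.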
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0113.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED