RedHat has issued an advisory on July 31: https://rhn.redhat.com/errata/RHSA-2012-1130.html
CC: (none) => alienWhiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => tmb
CC: (none) => thierry.vignaud
CC: (none) => guillomovitch
This was addressed by Fedora on June 14: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082824.html That advisory also lists CVE-2012-0217, CVE-2012-0218, and CVE-2012-2934 which may also be relevant. Those CVEs are also listed in these advisories: http://www.debian.org/security/2012/dsa-2501 Debian, June 24 http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00008.html SuSE, June 12 http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00008.html OpenSuSE, July 18 from http://lwn.net/Vulnerabilities/501763/
submitted xen-4.1.2-4.1.mga2 and xen-4.1.0-2.1.mga1 ( xen-4.1.2-6.mga3 fails due to new GCC, but that shouldn't hold off this bug, since it's cauldron ) i'm afraid this is the limit of what i have time for atm (i'm on holiday)
That's weird, the build log doesn't even say what the error was.
Oh I guess it's the incompatible pointer types in i8259.c that's throwing it off.
Packages built for updates: xen-4.1.0-2.1.mga1 xen-ocaml-4.1.0-2.1.mga1 xen-hypervisor-4.1.0-2.1.mga1 xen-doc-4.1.0-2.1.mga1 libxen3.0-4.1.0-2.1.mga1 libxen-devel-4.1.0-2.1.mga1 xen-4.1.2-4.1.mga2 ocaml-xen-4.1.2-4.1.mga2 xen-hypervisor-4.1.2-4.1.mga2 xen-doc-4.1.2-4.1.mga2 libxen3.0-4.1.2-4.1.mga2 libxen-devel-4.1.2-4.1.mga2
Now there's another one, CVE-2012-3432. Fedora has issued an advisory on July 27: http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084648.html from http://lwn.net/Vulnerabilities/509939/
Summary: xen new security issue CVE-2012-2625 => xen new security issues CVE-2012-2625 and CVE-2012-3432
I found some older ones that we missed as well. CVE-2011-3262 http://lwn.net/Vulnerabilities/466206/ CVE-2011-1898 (should only affect Mageia 1) http://lwn.net/Vulnerabilities/449904/ CVE-2011-1583 http://lwn.net/Vulnerabilities/442081/
Some more possible ones. CVE-2011-3346 http://lwn.net/Vulnerabilities/464289/ CVE-2011-2901 http://lwn.net/Vulnerabilities/457392/ CVE-2011-3131 http://lwn.net/Vulnerabilities/457108/
:( ... Since xen is likely not-working on mga1, i'd like to drop support for it... really, i don't think anyone is using xen on mga1, if somone can, then i'd like to know the magic involved... for the other CVE's... i'm thinking of waiting some more just to see if more of these CVE's are going to appear...
Debian has issued an advisory on August 18: http://www.debian.org/security/2012/dsa-2531 This covers CVE-2012-3432 (mentioned in Comment 6) and CVE-2012-3433 (not previously mentioned).
so to summate: (i hope i'm not missing something)? CVE-2012-2625 (patched) CVE-2012-0217 (patched) CVE-2012-0218 (patched) CVE-2012-2934 (patched) CVE-2011-3262 http://lwn.net/Vulnerabilities/466206/ CVE-2011-1898 (should only affect Mageia 1) http://lwn.net/Vulnerabilities/449904/ CVE-2011-1583 http://lwn.net/Vulnerabilities/442081/ CVE-2011-3346 http://lwn.net/Vulnerabilities/464289/ CVE-2011-2901 http://lwn.net/Vulnerabilities/457392/ CVE-2011-3131 http://lwn.net/Vulnerabilities/457108/ CVE-2012-3432 + CVE-2012-3433 see http://www.debian.org/security/2012/dsa-2531 for patch
Yep. With CVE-2011-3346, CVE-2011-2901, and CVE-2011-3131, I'm not 100% sure we're affected by those, as I don't know which versions are vulnerable. The other ones should all affect us.
I just updated xen to 4.1.3 in cauldron. Here's an updated summary: CVE-2012-3433: no patch found in debian for 4.1.3, so likely to be fixed CVE-2012-3432: no patch found in debian for 4.1.3, so likely to be fixed CVE-2012-2934: fixed in 4.1.3 CVE-2012-2625: no detail given CVE-2012-0218: fixed in 4.1.3 CVE-2012-0217: fixed in 4.1.3 CVE-2011-3346: no patch found in fedora for 4.1.3, so likely to be fixed CVE-2011-3262: no patch found in debian for 4.1.3, so likely to be fixed CVE-2011-3131: no patch found in fedora for 4.1.3, so likely to be fixed CVE-2011-2901: no patch found in fedora for 4.1.3, so likely to be fixed CVE-2011-1898: fixed in 4.1.3 CVE-2011-1583: no patch found in fedora for 4.1.3, so likely to be fixed So it seems the problem is fixed for cauldron, as least.
CVE-2012-3515: https://rhn.redhat.com/errata/RHSA-2012-1236.html
CVE-2012-3494 CVE-2012-3495 CVE-2012-3496 CVE-2012-3498 CVE-2012-3516: http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00004.html
CVE-2012-4411 (?): http://lwn.net/Vulnerabilities/515561/ http://www.debian.org/security/2012/dsa-2543
CC: (none) => oe
CVE-2012-4544: http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091844.html from http://lwn.net/Vulnerabilities/524572/
CVE-2012-3497 CVE-2012-4535 CVE-2012-4536 CVE-2012-4537 CVE-2012-4538 CVE-2012-4539: http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00008.html from http://lwn.net/Vulnerabilities/525449/
CVE-2012-5510 CVE-2012-5511 CVE-2012-5512 CVE-2012-5513 CVE-2012-5514 CVE-2012-5515: http://lists.opensuse.org/opensuse-security-announce/2012-12/msg00001.html from http://lwn.net/Vulnerabilities/528316/
i just submitted xen-4.2.1-1.mga3, i had to remove quite some patches (also security ones) i do hope that alot of these are fixed upstream, and i guess i should check all of them, but it's a lot... maybe a wiki page detailing these would be better...
https://wiki.mageia.org/en/XenCVE
URL: http://lwn.net/Vulnerabilities/509167/ => https://wiki.mageia.org/en/XenCVE
Original bug report URL was: http://lwn.net/Vulnerabilities/509167/ Not mentioned anywhere else, so saving for reference.
CVE-2012-5634 CVE-2013-0154: http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097350.html from http://lwn.net/Vulnerabilities/533712/
for now updated the table for completeness. given the xen lack of testing, i'm holding off on this a bit. i do have received hardware for me to test xen on. i'm gonna start with these after i got it tested.
CVE-2013-0151 CVE-2013-0152 http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098106.html from http://lwn.net/Vulnerabilities/536058/ It's also worth pointing out that xen has been affected bysome of the CVEs that we fixed in qemu over the past year, but they may not all be listed in this bug. The CVE-2012-6075 (which we recently fixed in qemu), also mentioned in the above Fedora advisory, is one example.
CVE-2013-0215 CVE-2013-0153 http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098871.html from http://lwn.net/Vulnerabilities/538833/
CVE-2013-1920 http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101893.html from http://lwn.net/Vulnerabilities/547313/
switching to mga2 for now, since cauldron is patched...
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => (none)
Hardware: i586 => All
LWN link for CVE-2013-1920 changed for some reason. http://lwn.net/Vulnerabilities/547595/
CVE-2013-1917 CVE-2013-1919 http://www.debian.org/security/2013/dsa-2662 from http://lwn.net/Vulnerabilities/547772/
CVE-2013-1964 / XSA-50 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104537.html from http://lwn.net/Vulnerabilities/549440/
CVE-2013-1918 CVE-2013-1952 http://www.debian.org/security/2013/dsa-2666 from http://lwn.net/Vulnerabilities/550448/
Version: 2 => CauldronWhiteboard: (none) => MGA3TOO, MGA2TOO
David; didn't those get fixed in mga3/cauldron?
(In reply to AL13N from comment #33) > David; didn't those get fixed in mga3/cauldron? Whoops, sorry! Thanks.
Version: Cauldron => 2Whiteboard: MGA3TOO, MGA2TOO => (none)
CVE-2013-2072 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106721.html from http://lwn.net/Vulnerabilities/552025/
CVE-2013-2076 CVE-2013-2077 CVE-2013-2078 https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108918.html from http://lwn.net/Vulnerabilities/554419/
Depends on: (none) => 10586
CVE-2013-2194 CVE-2013-2195 CVE-2013-2196 https://lists.fedoraproject.org/pipermail/package-announce/2013-June/109711.html from http://lwn.net/Vulnerabilities/556152/
CVE-2013-2211 CVE-2013-1432 http://advisories.mageia.org/MGASA-2013-0197.html from http://lwn.net/Vulnerabilities/557259/
Assignee: bugsquad => alien
CVE-2013-4329 https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115874.html from http://lwn.net/Vulnerabilities/567501/
CVE-2013-1442 https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118037.html from http://lwn.net/Vulnerabilities/569658/
submitted xen-4.2.1-17.2.mga3 with new CVE fixes: CVE-2013-4329, CVE-2013-1442, CVE-2013-4355, CVE-2013-4361, CVE-2013-4368, CVE-2013-4369, CVE-2013-4370, CVE-2013-4371, CVE-2013-4375 cauldron follows soon with extra CVE-2013-4356 mga2 will follow at a later time
Cool. I've kept this bug around for Mageia 2, so when you're ready, please file a new bug for the Mageia 3 update, with an advisory. Thanks!
oh nuts... i figured you'd use this one for both Mga2 and Mga3... in the main time it looks like the cauldron one is finally working...
CVE-2013-4355 CVE-2013-4361 https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119022.html from http://lwn.net/Vulnerabilities/570342/
CVE-2013-4369 CVE-2013-4370 CVE-2013-4371 CVE-2013-4375 https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119531.html from http://lwn.net/Vulnerabilities/571442/
CVE-2013-4416 http://lists.opensuse.org/opensuse-updates/2013-11/msg00009.html from http://lwn.net/Vulnerabilities/573220/
CVE-2013-4494 https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121315.html from http://lwn.net/Vulnerabilities/573535/
CVE-2013-4551 https://lists.fedoraproject.org/pipermail/package-announce/2013-November/122294.html from http://lwn.net/Vulnerabilities/574579/
Closing this now due to Mageia 2 EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/ Please file new bugs for any future Mageia 3 (or later) xen updates.
Status: NEW => RESOLVEDResolution: (none) => OLDQA Contact: (none) => security