SUSE-SU-2018:3332-1

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20183332-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:3332-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:3332-1
Related
Published
2018-10-23T13:14:17Z
Modified
2018-10-23T13:14:17Z
Summary
Security update for xen
Details

This update for xen fixes the following issues:

  • CVE-2018-17963: qemudeliverpacketiov accepted packet sizes greater than INTMAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014)
  • CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) could have locked up the entire host, causing a Denial of Service. (XSA-269) (bsc#1103276)

Non security issues fixed:

  • Kernel oops in fs/dcache.c called by dmaterialiseunique() (bsc#1094508)
References

Affected packages

SUSE:OpenStack Cloud 7 / xen

Package

Name
xen
Purl
pkg:rpm/suse/xen&distro=SUSE%20OpenStack%20Cloud%207

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.6_05-43.42.1

Ecosystem specific

{
    "binaries": [
        {
            "xen-libs": "4.7.6_05-43.42.1",
            "xen-doc-html": "4.7.6_05-43.42.1",
            "xen-libs-32bit": "4.7.6_05-43.42.1",
            "xen-tools": "4.7.6_05-43.42.1",
            "xen-tools-domU": "4.7.6_05-43.42.1",
            "xen": "4.7.6_05-43.42.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP2 / xen

Package

Name
xen
Purl
pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.6_05-43.42.1

Ecosystem specific

{
    "binaries": [
        {
            "xen-libs": "4.7.6_05-43.42.1",
            "xen-doc-html": "4.7.6_05-43.42.1",
            "xen-libs-32bit": "4.7.6_05-43.42.1",
            "xen-tools": "4.7.6_05-43.42.1",
            "xen-tools-domU": "4.7.6_05-43.42.1",
            "xen": "4.7.6_05-43.42.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-LTSS / xen

Package

Name
xen
Purl
pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.6_05-43.42.1

Ecosystem specific

{
    "binaries": [
        {
            "xen-libs": "4.7.6_05-43.42.1",
            "xen-doc-html": "4.7.6_05-43.42.1",
            "xen-libs-32bit": "4.7.6_05-43.42.1",
            "xen-tools": "4.7.6_05-43.42.1",
            "xen-tools-domU": "4.7.6_05-43.42.1",
            "xen": "4.7.6_05-43.42.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / xen

Package

Name
xen
Purl
pkg:rpm/suse/xen&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.6_05-43.42.1

Ecosystem specific

{
    "binaries": [
        {
            "xen-libs": "4.7.6_05-43.42.1",
            "xen-doc-html": "4.7.6_05-43.42.1",
            "xen-libs-32bit": "4.7.6_05-43.42.1",
            "xen-tools": "4.7.6_05-43.42.1",
            "xen-tools-domU": "4.7.6_05-43.42.1",
            "xen": "4.7.6_05-43.42.1"
        }
    ]
}

SUSE:Enterprise Storage 4 / xen

Package

Name
xen
Purl
pkg:rpm/suse/xen&distro=SUSE%20Enterprise%20Storage%204

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.7.6_05-43.42.1

Ecosystem specific

{
    "binaries": [
        {
            "xen-libs": "4.7.6_05-43.42.1",
            "xen-doc-html": "4.7.6_05-43.42.1",
            "xen-libs-32bit": "4.7.6_05-43.42.1",
            "xen-tools": "4.7.6_05-43.42.1",
            "xen-tools-domU": "4.7.6_05-43.42.1",
            "xen": "4.7.6_05-43.42.1"
        }
    ]
}