Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages


PGNet Dev-2
(posted this already to opensuse-virtual ML; was suggested that I post
it here as well)

I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo

        rpm -qa | grep -i ^xen | sort
                xen-4.5.1_10-390.1.x86_64
                xen-libs-4.5.1_10-390.1.x86_64
                xen-tools-4.5.1_10-390.1.x86_64

Xen's now made public its latest critical advisory

        http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/
                "Xen patches 7-year-old bug that shattered hypervisor security.
                Critical vulnerability allowed some guests to access underlying
                operating system."

        http://xenbits.xen.org/xsa/advisory-148.html
                Advisory XSA-148
                Public release 2015-10-29 11:59
                ...
                CVE(s) CVE-2015-7835
                Title x86: Uncontrolled creation of large page mappings by PV guests

The advisory instructs patching to resolve

        RESOLUTION
        ==========

        Applying the appropriate attached patch resolves this issue.

        xsa148.patch                 xen-unstable, Xen 4.6.x
        xsa148-4.5.patch             Xen 4.5.x
        xsa148-4.4.patch             Xen 4.4.x, Xen 4.3.x

Checking installed Xen's changelog

        rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"
                (empty)

it's not been applied. Or, afaict from obs, even submitted.

Where's this security patch in the package tree?
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
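A more robust form of the changelog check above, as an added example that is not part of the original post: it accepts several advisory identifiers (CVE id and XSA patch name), matches them case-insensitively as fixed strings, and separates "fix not referenced" from "could not determine" (rpm absent or package not installed). The sample changelog entries are constructed; the maintainer address in them is a placeholder.

```shell
#!/bin/sh
# changelog_mentions CHANGELOG_TEXT ID...
# Returns 0 if any identifier appears in the changelog text, 1 otherwise.
changelog_mentions() {
    text=$1
    shift
    for id in "$@"; do
        # -F: fixed string, -i: ids are written in mixed case (xsa148, XSA-148)
        if printf '%s\n' "$text" | grep -qiF -- "$id"; then
            return 0
        fi
    done
    return 1
}

# pkg_patched PACKAGE ID...
# Returns 0 if the installed package's changelog references any identifier,
# 1 if it does not, 2 if rpm is unavailable or the package is not installed.
pkg_patched() {
    pkg=$1
    shift
    command -v rpm >/dev/null 2>&1 || return 2
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || return 2
    changelog_mentions "$log" "$@"
}

# Constructed sample changelogs (not real package history) for offline use.
SAMPLE_UNPATCHED='* Tue Oct 13 2015 - maintainer@example.invalid
- Update to Xen 4.5.1 (constructed sample entry)'
SAMPLE_PATCHED='* Fri Oct 30 2015 - maintainer@example.invalid
- xsa148-4.5.patch: x86: uncontrolled creation of large page mappings
  by PV guests (CVE-2015-7835)
* Tue Oct 13 2015 - maintainer@example.invalid
- Update to Xen 4.5.1 (constructed sample entry)'

# Report on the live system; the && || form keeps this safe under set -e.
pkg_patched xen CVE-2015-7835 xsa148 && rc=0 || rc=$?
case $rc in
    0) echo "xen changelog references the XSA-148 / CVE-2015-7835 fix" ;;
    1) echo "xen changelog does NOT reference XSA-148 / CVE-2015-7835" ;;
    *) echo "unknown: rpm not available or xen not installed" ;;
esac
```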

Re: Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages

jsegitz
On Thu, Oct 29, 2015 at 05:30:08PM -0700, PGNet Dev wrote:
> Where's this security patch in the package tree?

The issues were under embargo until yesterday. Up until now we didn't
receive an openSUSE submission. I asked the maintainer to provide submits.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

Re: Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages

PGNet Dev-2
On 10/30/2015 02:59 AM, [hidden email] wrote:
> On Thu, Oct 29, 2015 at 05:30:08PM -0700, PGNet Dev wrote:
>> Where's this security patch in the package tree?
>
> The issues were under embargo until yesterday. Up until now we didn't
> receive an openSUSE submission. I asked the maintainer to provide submits.
>
> Johannes
>

According to

        http://www.xenproject.org/security-policy.html

In addition to

        CentOS, Debian, Gentoo, Mageia, Ubuntu ...

both

        Novell, Suse

are on the Xen pre-disclosure list.

It's not clear to me why Opensuse is not.  Obviously Suse 'knew'.

Can that be fixed so that unnecessary periods of security exposure on
production machines, specifically in the case of well communicated
pre-disclosure, can be avoided in the future?

Simply, Opensuse should be on that list and similarly responsive.

Re: Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages

jsegitz
On Fri, Oct 30, 2015 at 06:53:38AM -0700, PGNet Dev wrote:
> It's not clear to me why Opensuse is not.  Obviously Suse 'knew'.

Yes, we knew. But because we can't disclose these issues we're not able to
work on updates in OBS until they are public. Then it's a matter of how
fast we get submits we can work with.

Johannes

Re: Xen Critical vulnerability CVE-2015-7835 unpatched in Opensuse/Xen packages

jsegitz
On Fri, Oct 30, 2015 at 04:14:24PM +0100, [hidden email] wrote:
> Then it's a matter of how fast we get submits we can work with

xen.openSUSE_13.2_Update is in openSUSE:Maintenance:4138,
xen.openSUSE_13.1_Update is in openSUSE:Maintenance:4139.

If someone could test these we can release them faster than usual.

Johannes