Uncategorized

Announcing Xen 4.3.2 and 4.2.4 Releases

jbeulich

jbeulich

3 min read

The Xen Project is pleased to announce the availability of  two maintenance releases: Xen 4.3.2 and Xen 4.2.4.

Xen 4.3.2 Release

This release is available immediately from the git repository:

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.2)

or from the XenProject download page:

http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-432.html

This fixes the following critical vulnerabilities:

  • CVE-2013-2212 / XSA-60    Excessive time to disable caching with HVM guests with PCI passthrough
  • CVE-2013-4494 / XSA-73    Lock order reversal between page allocation and grant table locks
  • CVE-2013-4553 / XSA-74    Lock order reversal between page_alloc_lock and mm_rwlock
  • CVE-2013-4551 / XSA-75     Host crash due to guest VMX instruction execution
  • CVE-2013-4554 / XSA-76     Hypercalls exposed to privilege rings 1 and 2 of HVM guests
  • CVE-2013-6375 / XSA-78     Insufficient TLB flushing in VT-d (iommu) code
  • CVE-2013-6400 / XSA-80     IOMMU TLB flushing may be inadvertently suppressed
  • CVE-2013-6885 / XSA-82      Guest triggerable AMD CPU erratum may cause host hang
  • CVE-2014-1642 / XSA-83     Out-of-memory condition yielding memory corruption during IRQ setup
  • CVE-2014-1891 / XSA-84     integer overflow in several XSM/Flask hypercalls
  • CVE-2014-1895 / XSA-85     Off-by-one error in FLASK_AVC_CACHESTAT hypercall
  • CVE-2014-1896 / XSA-86     libvchan failure handling malicious ring indexes
  • CVE-2014-1666 / XSA-87     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
  • CVE-2014-1950 / XSA-88     use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.3 stable series to update to this latest point release.  If you intend to stay with the 4.2 codebase, please examine the release below.
 

Xen 4.2.4 Release

This release is available immediately from the git repository:

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2 (tag RELEASE-4.2.4)

or from the XenProject download page:

http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-424.html

This fixes the following critical vulnerabilities:

  • CVE-2013-2212 / XSA-60     Excessive time to disable caching with HVM guests with PCI passthrough
  • CVE-2013-1442 / XSA-62     Information leak on AVX and/or LWP capable CPUs
  • CVE-2013-4355 / XSA-63     Information leaks through I/O instruction emulation
  • CVE-2013-4361 / XSA-66     Information leak through fbld instruction emulation
  • CVE-2013-4368 / XSA-67     Information leak through outs instruction emulation
  • CVE-2013-4369 / XSA-68     possible null dereference when parsing vif ratelimiting info
  • CVE-2013-4370 / XSA-69     misplaced free in ocaml xc_vcpu_getaffinity stub
  • CVE-2013-4371 / XSA-70     use-after-free in libxl_list_cpupool under memory pressure
  • CVE-2013-4375 / XSA-71     qemu disk backend (qdisk) resource leak
  • CVE-2013-4416 / XSA-72     ocaml xenstored mishandles oversized message replies
  • CVE-2013-4494 / XSA-73     Lock order reversal between page allocation and grant table locks
  • CVE-2013-4553 / XSA-74     Lock order reversal between page_alloc_lock and mm_rwlock
  • CVE-2013-4551 / XSA-75     Host crash due to guest VMX instruction execution
  • CVE-2013-4554 / XSA-76     Hypercalls exposed to privilege rings 1 and 2 of HVM guests
  • CVE-2013-6375 / XSA-78     Insufficient TLB flushing in VT-d (iommu) code
  • CVE-2013-6400 / XSA-80     IOMMU TLB flushing may be inadvertently suppressed
  • CVE-2013-6885 / XSA-82     Guest triggerable AMD CPU erratum may cause host hang
  • CVE-2014-1642 / XSA-83     Out-of-memory condition yielding memory corruption during IRQ setup
  • CVE-2014-1891 / XSA-84     integer overflow in several XSM/Flask hypercalls
  • CVE-2014-1895 / XSA-85     Off-by-one error in FLASK_AVC_CACHESTAT hypercall
  • CVE-2014-1896 / XSA-86     libvchan failure handling malicious ring indexes
  • CVE-2014-1666 / XSA-87     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
  • CVE-2014-1950 / XSA-88     use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.2 stable series to update to this latest point release.
 

Read more

Xen Project Announces Performance and Security Advancements with Release of 4.19
Aug 05 2024

New release marks significant enhancements in performance, security, and versatility across various architectures.  SAN FRANCISCO – July 31st, 2024 – The Xen Project, an open source project under the Linux Foundation, is proud to announce the release of Xen Project 4.19. This release marks a significant milestone in enhancing performance, security,

by Olivier Lambert
Read more
Upcoming Closure of Xen Project Colo Facility
Jul 10 2024

Dear Xen Community, We regret to inform you that the Xen Project is currently experiencing unexpected changes due to the sudden shutdown of our colocated (colo) data center facility by Synoptek. This incident is beyond our control and will impact the continuity of OSSTest (the gating Xen Project CI loop)

by Olivier Lambert
Read more
Xen Summit Talks Now Live on YouTube!
Jun 18 2024

Hello Xen Community! We have some thrilling news to share with you all. The highly anticipated talks from this year’s Xen Summit are now live on YouTube! Whether you attended the summit in person or couldn’t make it this time, you can now access all the insightful presentations

by Olivier Lambert
Read more
Get ready for Xen Summit 2024!
May 24 2024

With less than 2 weeks to go, are you ready? The Xen Project is gearing up for a summit full of discussions, collaboration and innovation. If you haven’t already done so – get involved by submitting a design session topic. Don’t worry if you can’t attend in person,

by Olivier Lambert
Read more