Uncategorized

Xen 4.2.1 and 4.1.4 released

jbeulich

jbeulich

2 min read

I am pleased to announce the release of Xen 4.2.1 and Xen 4.1.4. These are available immediately from the following locations

We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1 and that users of the 4.0 and 4.1 stable series upgrade to Xen 4.1.4.

Xen 4.2.1

The Xen 4.2.1 release fixes the following critical vulnerabilities: We recommend to all users of Xen 4.2.0 to upgrade to Xen 4.2.1.

  • CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
  • CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
  • CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
  • CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
  • CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
  • CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
  • CVE-2012-5511 / XSA-27: Several HVM operations do not validate the range of their inputs
  • CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
  • CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
  • CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
  • CVE-2012-5525 / XSA-32: several hypercalls do not validate input GFNs

Among many bug fixes and improvements (around 100 since Xen 4.2.0):

  • A fix for a long standing time management issue
  • Bug fixes for S3 (suspend to RAM) handling
  • Bug fixes for other low level system state handling
  • Bug fixes and improvements to the libxl tool stack
  • Bug fixes to nested virtualization

Xen 4.1.4

The Xen 4.1.4 release contains fixes for the following critical vulnerabilities: We recommend to all users of the 4.0 and 4.1 stable series to upgrade to Xen 4.1.4.

  • CVE-2012-3494 / XSA-12: hypercall set_debugreg vulnerability
  • CVE-2012-3495 / XSA-13: hypercall physdev_get_free_pirq vulnerability
  • CVE-2012-3496 / XSA-14: XENMEM_populate_physmap DoS vulnerability
  • CVE-2012-3498 / XSA-16: PHYSDEVOP_map_pirq index vulnerability
  • CVE-2012-3515 / XSA-17: Qemu VT100 emulation vulnerability
  • CVE-2012-4411 / XSA-19: guest administrator can access qemu monitor console
  • CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
  • CVE-2012-4536 / XSA-21: pirq range check DoS vulnerability
  • CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
  • CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
  • CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
  • CVE-2012-4544,CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
  • CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
  • CVE-2012-5511 / XSA-27: several HVM operations do not validate the range of their inputs
  • CVE-2012-5512 / XSA-28: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
  • CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
  • CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
  • CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
  <li>Among many bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are:</li>
  <ul>
    <li>A fix for a long standing time management issue</li>
    <li>Bug fixes for S3 (suspend to RAM) handling</li>
    <li>Bug fixes for other low level system state handling</li>
  </ul>

Read more

Xen Project Announces Performance and Security Advancements with Release of 4.19
Aug 05 2024

New release marks significant enhancements in performance, security, and versatility across various architectures.  SAN FRANCISCO – July 31st, 2024 – The Xen Project, an open source project under the Linux Foundation, is proud to announce the release of Xen Project 4.19. This release marks a significant milestone in enhancing performance, security,

by Olivier Lambert
Read more
Upcoming Closure of Xen Project Colo Facility
Jul 10 2024

Dear Xen Community, We regret to inform you that the Xen Project is currently experiencing unexpected changes due to the sudden shutdown of our colocated (colo) data center facility by Synoptek. This incident is beyond our control and will impact the continuity of OSSTest (the gating Xen Project CI loop)

by Olivier Lambert
Read more
Xen Summit Talks Now Live on YouTube!
Jun 18 2024

Hello Xen Community! We have some thrilling news to share with you all. The highly anticipated talks from this year’s Xen Summit are now live on YouTube! Whether you attended the summit in person or couldn’t make it this time, you can now access all the insightful presentations

by Olivier Lambert
Read more
Get ready for Xen Summit 2024!
May 24 2024

With less than 2 weeks to go, are you ready? The Xen Project is gearing up for a summit full of discussions, collaboration and innovation. If you haven’t already done so – get involved by submitting a design session topic. Don’t worry if you can’t attend in person,

by Olivier Lambert
Read more