- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201801-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Xen: Multiple vulnerabilities Date: January 14, 2018 Bugs: #627962, #634668, #637540, #637542, #639688, #641566 ID: 201801-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Xen, the worst of which could allow for privilege escalation. Background ========== Xen is a bare-metal hypervisor. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/xen < 4.9.1-r1 >= 4.9.1-r1 2 app-emulation/xen-tools < 4.9.1-r1 >= 4.9.1-r1 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact ====== A local attacker could potentially execute arbitrary code with the privileges of the Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Xen users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.9.1-r1" All Xen tools users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-emulation/xen-tools-4.9.1-r1" References ========== [ 1 ] CVE-2017-12134 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12134 [ 2 ] CVE-2017-12135 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12135 [ 3 ] CVE-2017-12136 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12136 [ 4 ] CVE-2017-12137 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12137 [ 5 ] CVE-2017-15588 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15588 [ 6 ] CVE-2017-15589 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15589 [ 7 ] CVE-2017-15590 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15590 [ 8 ] CVE-2017-15591 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15591 [ 9 ] CVE-2017-15592 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15592 [ 10 ] CVE-2017-15593 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15593 [ 11 ] CVE-2017-15594 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15594 [ 12 ] CVE-2017-15595 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15595 [ 13 ] CVE-2017-17044 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17044 [ 14 ] CVE-2017-17045 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17045 [ 15 ] CVE-2017-17046 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17046 [ 16 ] CVE-2017-17563 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17563 [ 17 ] CVE-2017-17564 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17564 [ 18 ] CVE-2017-17565 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17565 [ 19 ] CVE-2017-17566 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17566 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201801-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 --nwpu3OcjJZCuiX4bxjeYPaXNqDz2mYZD0--