Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

CVE-2017-17566 [HIGH] CVSS 7.8, fixed in xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.
Scope: local
bookworm: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)
bullseye: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)
forky: resolved (fixed

CVE-2017-15595 [HIGH] CVSS 8.8, PoC, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
forky: resolved (fixed in

CVE-2017-15588 [HIGH] CVSS 7.8, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
forky: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
sid: resolved (fixed in 4.8

CVE-2017-12136 [HIGH] CVSS 7.8, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling.
Scope: local
bookworm: resolved (fixed in 4.8.1-1+deb9u3)
bullseye: resolved (fixed in 4.8.1-1+deb9u3)
forky: resolved (

CVE-2017-14316 [HIGH] CVSS 8.8, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise do

CVE-2017-17564 [HIGH] CVSS 7.8, fixed in xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode.
Scope: local
bookworm: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)
bullseye: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)

CVE-2017-12135 [HIGH] CVSS 8.8, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants.
Scope: local
bookworm: resolved (fixed in 4.8.1-1+deb9u3)
bullseye: resolved (fixed in 4.8.1-1+deb9u3)
forky: resolved (fixed in 4.8.1-1+deb9u3)
sid: resolved (fixed in 4.8.1-1+deb9u3)
trixie: resolved

CVE-2017-15591 [MEDIUM] CVSS 6.5, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xs

CVE-2017-17046 [MEDIUM] CVSS 6.5, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
forky: resolved

CVE-2017-17044 [MEDIUM] CVSS 6.5, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
forky: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
sid

CVE-2017-15596 [MEDIUM] CVSS 6.0, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error.
Scope: local
bookworm: resolved (fixed in 4.8.1-1+deb9u3)
bullseye: resolved (fixed in 4.8.1-1+deb9u3)
forky: resolved (fixed in 4.8.1-1+deb9u3)
sid: resolved (fi

CVE-2017-14431 [MEDIUM] CVSS 5.5, fixed in xen 4.8.1-1 (bookworm), 2017
Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207.
Scope: local
bookworm: resolved (fixed in 4.8.1-1)
bullseye: resolved (fixed in 4.8.1-1)
forky: resolved (fixed in 4.8.

CVE-2017-17565 [MEDIUM] CVSS 5.6, fixed in xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P.
Scope: local
bookworm: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)
bullseye: resolved (fixed in 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5)
fo

CVE-2017-10919 [MEDIUM] CVSS 6.5, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.
Scope: local
bookworm: resolved (fixed in 4.8.1-1+deb9u3)
bullseye: resolved (fixed in 4.8.1-1+deb9u3)
forky: resolved (fixed in 4.8.1-1+deb9u3)
sid: resolved (fixed in 4.8.1-1+deb9u3)
trixie: resolved (fixed in 4.8.1-1+de

CVE-2017-2620 [MEDIUM] CVSS 5.5, fixed in qemu 1:2.8+dfsg-3 (bookworm), 2017
Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process.
Sco

CVE-2017-14318 [MEDIUM] CVSS 6.5, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However,

CVE-2017-12855 [MEDIUM] CVSS 6.5, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant

CVE-2017-15589 [MEDIUM] CVSS 6.5, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1)
bullseye: resolved (fixed in 4.8.2+xsa245-0+deb

CVE-2017-10923 [MEDIUM] CVSS 6.5, fixed in xen 4.8.1-1+deb9u3 (bookworm), 2017
Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225.
Scope: local
bookworm: resolved (fixed in 4.8.1-1+deb9u3)
bullseye: resolved (fixed in 4.8.1-1+deb9u3)
forky: resolved (fixed in 4.8.1-1+deb9u3)
sid: resolved (fixed in 4.8.1-1+deb9u3)
trixie: reso

CVE-2017-14317 [MEDIUM] CVSS 5.6, fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm), 2017
A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc.).
Scope: loc