Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 14 of 24
CVE-2017-5754 | MEDIUM | CVSS 5.6 | fixed in linux 4.14.12-1 (bookworm) | 2017
linux - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
Scope: local
bookworm: resolved (fixed in 4.14.12-1); bullseye: resolved (fixed in 4.14.12-1); forky: resolved (fixed in 4.14.12-1); sid: resolved
debian
CVE-2017-15593 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.2+xsa245-0+deb9u1 (bookworm) | 2017
xen - An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled.
Scope: local
bookworm: resolved (fixed in 4.8.2+xsa245-0+deb9u1); bullseye: resolved (fixed in 4.8.2+xsa245-0+deb9u1); forky: resolved (fixed in 4.8.2+xsa245-0+deb9u1); sid: resolved (fixed in 4.8.2+xsa245-0+deb9u
debian
CVE-2017-5715 | MEDIUM | CVSS 5.6 | PoC | fixed in amd64-microcode 3.20180515.1 (bookworm) | 2017
amd64-microcode - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Scope: local
bookworm: resolved (fixed in 3.20180515.1); bullseye: resolved (fixed in 3.20180515.1); forky: resolved (fixed in 3.20180515.1); sid: resolved
debian
CVE-2017-7995 | LOW | CVSS 3.8 | fixed in xen 4.3.0-1 (bookworm) | 2017
xen - Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL.
Scope: local
bookworm: resolved (fixed in 4.3.0-1); bullseye: resolved (fixed in 4
debian
CVE-2016-6258 | HIGH | CVSS 8.8 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
xen - The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie
debian
CVE-2016-9382 | HIGH | CVSS 7.8 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed
debian
CVE-2016-1570 | HIGH | CVSS 8.5 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
xen - The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unkn
debian
CVE-2016-4480 | HIGH | CVSS 8.4 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
xen - The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); f
debian
CVE-2016-9379 | HIGH | CVSS 7.9 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8
debian
CVE-2016-3960 | HIGH | CVSS 8.8 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
xen - Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie: reso
debian
CVE-2016-9386 | HIGH | CVSS 7.8 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); tri
debian
CVE-2016-3710 | HIGH | CVSS 8.8 | fixed in qemu 1:2.6+dfsg-1 (bookworm) | 2016
qemu - The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
Scope: local
bookworm: resolved (fixed in 1:2.6+dfsg-1); bullseye: resolved (fixed in 1:2.6+dfsg-1); forky: resolv
debian
CVE-2016-10013 | HIGH | CVSS 7.8 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)
debian
CVE-2016-9383 | HIGH | CVSS 8.8 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); fo
debian
CVE-2016-9381 | HIGH | CVSS 7.5 | fixed in xen 4.4.0-1 (bookworm) | 2016
xen - Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
Scope: local
bookworm: resolved (fixed in 4.4.0-1); bullseye: resolved (fixed in 4.4.0-1); forky: resolved (fixed in 4.4.0-1); sid: resolved (fixed in 4.4.0-1); trixie: resolved (fixed in 4.4.0-1)
debian
CVE-2016-7092 | HIGH | CVSS 8.2 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2016
xen - The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1); bullseye: resolved (fixed in 4.8.0~rc3-1); forky: resolved (fixed in 4.8.0~rc3-1); sid: resolved (fixed in 4.8.0~rc3-1); trixie: resolved (fixed
debian
CVE-2016-9380 | HIGH | CVSS 7.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (
debian
CVE-2016-10024 | MEDIUM | CVSS 6.0 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1)
debian
CVE-2016-10025 | MEDIUM | CVSS 5.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fi
debian
CVE-2016-9817 | MEDIUM | CVSS 6.5 | fixed in xen 4.8.0-1 (bookworm) | 2016
xen - Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.
Scope: local
bookworm: resolved (fixed in 4.8.0-1); bullseye: resolved (fixed in 4.8.0-1); forky: resolved (fixed in 4.8.0-1); sid: resolved (fixed in 4.8.0-1); trixie: resolved (fixed in 4.8.0-1)
debian