Debian Xen vulnerabilities

CVE-2014-1896 [MEDIUM] CVE-2014-1896: xen - The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.... The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause a denial of service or possibly gain privileges via crafted xenstore ring indexes, which triggers a "read or write past the end of the ring." Scope: local bookworm: resolved (fixed in 4.4.0-1) bullseye: resolved (fixed in 4.4.0-1) forky: reso

CVE-2014-7154 [MEDIUM] CVE-2014-7154: xen - Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ens... Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. Scope: local bookworm: resolved (fixed in 4.4.1-3) bullseye: resolved (fixed in 4.4.1-3) forky: resolved (fixed in 4.4.1-3) sid: re

CVE-2014-3968 [MEDIUM] CVE-2014-3968: xen - The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest ... The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged. Scope: local bookworm: resolved (fixed in 4.4.1-1) bullseye: resolved (fixed in 4.4.1-1) forky: resolved (fixed in 4.4.1-1) sid: resolved (fixed

CVE-2014-9065 [MEDIUM] CVE-2014-9065: xen - common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and wri... common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066. Scope: local bookworm: resolved (fixed in 4.4.1-6) bullseye: resolved (fixed in 4.4

CVE-2014-8867 [MEDIUM] CVE-2014-8867: xen - The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and... The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors. Scope: local bookworm: resolved (fixed in 4.4.1-5) bullseye: resolved (fixed in 4.4.1-5) forky: re

CVE-2014-6268 [MEDIUM] CVE-2014-6268: xen - The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to ca... The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU. Scope: local bookworm: resolved (fixed in 4.4.1-3) bullseye: resolved (fixed in 4.4.1-3) forky: resolved (fixed in 4

CVE-2014-8866 [MEDIUM] CVE-2014-8866: xen - The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x... The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. Scope: local bookworm: resolved (fixed in 4.4.1-5) bullseye: resolved (fixed in 4.4.1-5) forky: re

CVE-2014-5146 [MEDIUM] CVE-2014-5146: xen - Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa9... Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149. Scope: local boo

CVE-2014-1894 [MEDIUM] CVE-2014-1894: xen - Multiple integer overflows in unspecified suboperations in the flask hypercall i... Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1893. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: reso

CVE-2014-4022 [LOW] CVE-2014-4022: xen - The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running... The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall. Scope: local bookworm: resolved bullseye: resolved forky: resolved si

CVE-2014-8594 [MEDIUM] CVE-2014-8594: xen - The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not pr... The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). Scope: local bookworm: resolved (fixed in 4.4.1-4) bullseye: re

CVE-2014-3717 [LOW] CVE-2014-3717: xen - Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kerne... Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory or cause a denial of service (crash) via a crafted kernel, which triggers a buffer overflow. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2014-2915 [MEDIUM] CVE-2014-2915: xen - Xen 4.4.x, when running on ARM systems, does not properly restrict access to har... Xen 4.4.x, when running on ARM systems, does not properly restrict access to hardware features, which allows local guest users to cause a denial of service (host or guest crash) via unspecified vectors, related to (1) cache control, (2) coprocessors, (3) debug registers, and (4) other unspecified registers. Scope: local bookworm: resolved bullseye: resolved forky: resol

CVE-2014-1892 [MEDIUM] CVE-2014-1892: xen - Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial o... Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2014-2986 [MEDIUM] CVE-2014-2986: xen - The vgic_distr_mmio_write function in the virtual guest interrupt controller (GI... The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: reso

CVE-2014-4883 [MEDIUM] CVE-2014-4883: xen - resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1... resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved t

CVE-2014-3714 [LOW] CVE-2014-3714: xen - The ARM image loading functionality in Xen 4.4.x does not properly validate kern... The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit ARM guest kernel in an image, which triggers a buffer overflow. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2014-9066 [MEDIUM] CVE-2014-9066: xen - Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly han... Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065. Scope: local bookworm: open bullseye: open forky: open sid: open

CVE-2014-3715 [LOW] CVE-2014-3715: xen - Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a... Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit guest kernel, related to searching for an appended DTB. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2014-7156 [LOW] CVE-2014-7156: xen - The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x thro... The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors. Scope: local bookworm: resolved (fixed in 4.4.1-3) bullseye: resolved (fixed in 4.4