SB2012090707 - SUSE Linux update for Xen

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012090707

SB2012090707 - SUSE Linux update for Xen

Published: September 7, 2012

Security Bulletin ID SB2012090707
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Adjecent network
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2012-2625)

The vulnerability allows a remote #AU# to perform service disruption.

The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-3494)

The vulnerability allows a local non-authenticated attacker to perform service disruption.

The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register.


3) Input validation error (CVE-ID: CVE-2012-3515)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."


Remediation

Install update from vendor's website.

References