Your message dated Sat, 28 Jun 2008 09:47:08 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#487095: fixed in xen-3 3.2.1-2 has caused the Debian Bug report #487095, regarding xen-3: multiple security issues to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
487095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487095
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: xen-3
Version: 3.2.1-1
Severity: grave
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xen-3.

CVE-2008-1943[0]:
| Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
| Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
| of service (crash) and possibly execute arbitrary code via a crafted
| description of a shared framebuffer.

CVE-2008-1944[1]:
| Buffer overflow in the backend framebuffer of XenSource Xen
| Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
| local users to cause a denial of service (SDL crash) and possibly
| execute arbitrary code via "bogus screen updates," related to missing
| validation of the "format of messages."

CVE-2008-1952[2]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem. When the
| candidate has been publicized, the details for this candidate will be
| provided.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
    http://security-tracker.debian.net/tracker/CVE-2008-1943
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
    http://security-tracker.debian.net/tracker/CVE-2008-1944
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1952
    http://security-tracker.debian.net/tracker/CVE-2008-1952

These issues are fixed within the following patch for fedora:
http://cvs.fedoraproject.org/viewcvs/rpms/xen/F-9/xen-pvfb-validate-fb.patch?view=markup

Kind regards,
Thomas
--- End Message ---
--- Begin Message ---
Source: xen-3
Source-Version: 3.2.1-2

We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:

libxen-dev_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/libxen-dev_3.2.1-2_amd64.deb
libxenstore3.0_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/libxenstore3.0_3.2.1-2_amd64.deb
xen-3_3.2.1-2.diff.gz
  to pool/main/x/xen-3/xen-3_3.2.1-2.diff.gz
xen-3_3.2.1-2.dsc
  to pool/main/x/xen-3/xen-3_3.2.1-2.dsc
xen-docs-3.2_3.2.1-2_all.deb
  to pool/main/x/xen-3/xen-docs-3.2_3.2.1-2_all.deb
xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
xen-utils-3.2-1_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xen-utils-3.2-1_3.2.1-2_amd64.deb
xenstore-utils_3.2.1-2_amd64.deb
  to pool/main/x/xen-3/xenstore-utils_3.2.1-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <[EMAIL PROTECTED]> (supplier of updated xen-3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Sat, 28 Jun 2008 11:30:43 +0200
Source: xen-3
Binary: xen-docs-3.2 libxenstore3.0 libxen-dev xenstore-utils xen-utils-3.2-1 xen-hypervisor-3.2-1-amd64 xen-hypervisor-3.2-1-i386 xen-hypervisor-3.2-1-i386-nonpae
Architecture: source all amd64
Version: 3.2.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <[EMAIL PROTECTED]>
Changed-By: Bastian Blank <[EMAIL PROTECTED]>
Description:
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-3.2 - Documentation for Xen
 xen-hypervisor-3.2-1-amd64 - The Xen Hypervisor on AMD64
 xen-hypervisor-3.2-1-i386 - The Xen Hypervisor on i386
 xen-hypervisor-3.2-1-i386-nonpae - The Xen Hypervisor on i386 without pae
 xen-utils-3.2-1 - XEN administrative tools
 xenstore-utils - Xenstore utilities for Xen
Closes: 474509 476366 487095
Changes:
 xen-3 (3.2.1-2) unstable; urgency=low
 .
   * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
   * Fix missing checks in pvfb code. See CVE-2008-1952. (closes: #487095)
   * Add support for loading bzImage files. (closes: #474509)
   * Enable TLS support in ioemu code.
   * Drop libcrypto usage because of GPL-incompatibility.
   * Remove AES code from blktap drivers. Considered broken.
--- End Message ---