Your message dated Sat, 28 Jun 2008 09:47:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#487095: fixed in xen-3 3.2.1-2
has caused the Debian Bug report #487095,
regarding xen-3: multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
487095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487095
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: xen-3
Version: 3.2.1-1
Severity: grave
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xen-3.
CVE-2008-1943[0]:
| Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
| Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
| of service (crash) and possibly execute arbitrary code via a crafted
| description of a shared framebuffer.
CVE-2008-1944[1]:
| Buffer overflow in the backend framebuffer of XenSource Xen
| Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
| local users to cause a denial of service (SDL crash) and possibly
| execute arbitrary code via "bogus screen updates," related to missing
| validation of the "format of messages."
CVE-2008-1952[2]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem. When the
| candidate has been publicized, the details for this candidate will be
| provided.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
http://security-tracker.debian.net/tracker/CVE-2008-1943
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
http://security-tracker.debian.net/tracker/CVE-2008-1944
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1952
http://security-tracker.debian.net/tracker/CVE-2008-1952
These issues are fixed within the following patch for fedora:
http://cvs.fedoraproject.org/viewcvs/rpms/xen/F-9/xen-pvfb-validate-fb.patch?view=markup
Kind regards,
Thomas.
--- End Message ---
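Both PVFB issues in the report above come down to the backend acting on numbers a guest supplied: the framebuffer description (CVE-2008-1943) and the screen-update messages (CVE-2008-1944). The C program below is an added illustration of the kind of bounds checks a backend needs before it touches shared memory; it is not Xen's code and not the Fedora patch linked above. The struct layout, the size limits, the shared-area size and the sample descriptions are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limits for this example; a real backend would take the
 * shared-area size from what it actually mapped. */
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u
#define FB_MEM_BYTES   (8ull * 1024 * 1024)

/* Hypothetical framebuffer description as handed over by the frontend. */
struct fb_desc {
    uint32_t width;        /* pixels per row */
    uint32_t height;       /* rows */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per row (stride) */
    uint32_t offset;       /* byte offset of the first row in shared memory */
};

enum fb_check {
    FB_OK = 0,
    FB_BAD_DIMENSIONS,
    FB_BAD_DEPTH,
    FB_BAD_STRIDE,
    FB_OUT_OF_BOUNDS
};

/* Accept the description only if every byte the backend could read for it
 * lies inside mem_bytes. Products are computed in 64 bits so that a large
 * stride or height cannot wrap a 32-bit result back below the limit. */
enum fb_check fb_validate(const struct fb_desc *d, uint64_t mem_bytes)
{
    if (d->width == 0 || d->height == 0 ||
        d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return FB_BAD_DIMENSIONS;

    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return FB_BAD_DEPTH;

    uint64_t row_bytes = (uint64_t)d->width * (d->depth / 8);
    if (d->line_length < row_bytes)        /* a row must hold width pixels */
        return FB_BAD_STRIDE;

    /* Last byte touched: offset + (height - 1) * stride + one full row. */
    uint64_t end = (uint64_t)d->offset
                 + (uint64_t)(d->height - 1) * d->line_length
                 + row_bytes;
    return end <= mem_bytes ? FB_OK : FB_OUT_OF_BOUNDS;
}

/* Accept a screen-update rectangle only if it lies inside the configured
 * frame; the sums are widened so that x + w cannot wrap around 32 bits. */
int fb_update_valid(const struct fb_desc *d,
                    uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0)
        return 0;
    if ((uint64_t)x + w > d->width || (uint64_t)y + h > d->height)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample descriptions: one sane, three hostile. */
    struct fb_desc sane     = { 800, 600, 32, 3200, 0 };
    struct fb_desc wrapping = { 4096, 4096, 32, 0xFFFFFFFFu, 0 };
    struct fb_desc shifted  = { 800, 600, 32, 3200, FB_MEM_BYTES - 100 };
    struct fb_desc thin     = { 800, 600, 32, 1600, 0 };

    printf("sane:     %d\n", fb_validate(&sane, FB_MEM_BYTES));
    printf("wrapping: %d\n", fb_validate(&wrapping, FB_MEM_BYTES));
    printf("shifted:  %d\n", fb_validate(&shifted, FB_MEM_BYTES));
    printf("thin:     %d\n", fb_validate(&thin, FB_MEM_BYTES));
    printf("update in frame:  %d\n", fb_update_valid(&sane, 0, 0, 800, 600));
    printf("update past edge: %d\n", fb_update_valid(&sane, 700, 0, 200, 10));
    printf("update wrapping:  %d\n",
           fb_update_valid(&sane, 0xFFFFFFF0u, 0, 0x20, 10));
    return 0;
}
```

The `wrapping` case is the one worth studying: its stride and height are individually within range, but their 32-bit product wraps to a small number, so a check done in the field's own width would accept a frame that extends far past the mapped area. Widening every product and sum to 64 bits before comparing against the mapped size is what makes the end-of-frame test trustworthy.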
--- Begin Message ---
Source: xen-3
Source-Version: 3.2.1-2
We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:
libxen-dev_3.2.1-2_amd64.deb
to pool/main/x/xen-3/libxen-dev_3.2.1-2_amd64.deb
libxenstore3.0_3.2.1-2_amd64.deb
to pool/main/x/xen-3/libxenstore3.0_3.2.1-2_amd64.deb
xen-3_3.2.1-2.diff.gz
to pool/main/x/xen-3/xen-3_3.2.1-2.diff.gz
xen-3_3.2.1-2.dsc
to pool/main/x/xen-3/xen-3_3.2.1-2.dsc
xen-docs-3.2_3.2.1-2_all.deb
to pool/main/x/xen-3/xen-docs-3.2_3.2.1-2_all.deb
xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
to pool/main/x/xen-3/xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
xen-utils-3.2-1_3.2.1-2_amd64.deb
to pool/main/x/xen-3/xen-utils-3.2-1_3.2.1-2_amd64.deb
xenstore-utils_3.2.1-2_amd64.deb
to pool/main/x/xen-3/xenstore-utils_3.2.1-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Blank <[EMAIL PROTECTED]> (supplier of updated xen-3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 28 Jun 2008 11:30:43 +0200
Source: xen-3
Binary: xen-docs-3.2 libxenstore3.0 libxen-dev xenstore-utils xen-utils-3.2-1 xen-hypervisor-3.2-1-amd64 xen-hypervisor-3.2-1-i386 xen-hypervisor-3.2-1-i386-nonpae
Architecture: source all amd64
Version: 3.2.1-2
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <[EMAIL PROTECTED]>
Changed-By: Bastian Blank <[EMAIL PROTECTED]>
Description:
libxen-dev - Public headers and libs for Xen
libxenstore3.0 - Xenstore communications library for Xen
xen-docs-3.2 - Documentation for Xen
xen-hypervisor-3.2-1-amd64 - The Xen Hypervisor on AMD64
xen-hypervisor-3.2-1-i386 - The Xen Hypervisor on i386
xen-hypervisor-3.2-1-i386-nonpae - The Xen Hypervisor on i386 without pae
xen-utils-3.2-1 - XEN administrative tools
xenstore-utils - Xenstore utilities for Xen
Closes: 474509 476366 487095
Changes:
xen-3 (3.2.1-2) unstable; urgency=low
.
* Use e2fslibs based ext2 support for pygrub. (closes: #476366)
* Fix missing checks in pvfb code.
See CVE-2008-1952. (closes: #487095)
* Add support for loading bzImage files. (closes: #474509)
* Enable TLS support in ioemu code.
* Drop libcrypto usage because of GPL-incompatibility.
* Remove AES code from blktap drivers. Considered broken.
Checksums-Sha1:
c554a791c3f7dc1bed082192d00e37848a88a947 1599 xen-3_3.2.1-2.dsc
92388212fee2582b2d62df9b9c05a650a02fb3e3 54201 xen-3_3.2.1-2.diff.gz
1ddc8e09b1ae2db6467b62ad3a2804dc4ab84aca 1198380 xen-docs-3.2_3.2.1-2_all.deb
fff42ccf3ab065a531230c8a701017bcbba592c3 418614 xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
ea5b8522c4077c9e2dafecd4eac3a7de379b910e 197660 libxen-dev_3.2.1-2_amd64.deb
211fb10460b1282e560ddfe036c971091b7f592b 19360 libxenstore3.0_3.2.1-2_amd64.deb
6465d930425e260e36debdddba07979c0a192084 1070516 xen-utils-3.2-1_3.2.1-2_amd64.deb
b358e53c77ede134c0d1c2ab3b4b68fa496792fd 22566 xenstore-utils_3.2.1-2_amd64.deb
Checksums-Sha256:
69b20ecc25fef7f04c9547a0608e8a7bce243f27f818280addac979fe1180edd 1599 xen-3_3.2.1-2.dsc
63d4117c4171f80babeec1ff28cdd5a48c70e894dcaa3869c30aa9e72b77b86e 54201 xen-3_3.2.1-2.diff.gz
3051f89b77cff4be4b0286a90570fb7ff38cac928c8887f4182c7bcf6e519cb0 1198380 xen-docs-3.2_3.2.1-2_all.deb
acd6ea5866572979a91924dca7931d2cba7150eb898e5667f447e0769336b227 418614 xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
37b50625df1c020555f885ae1dca56e47fa892a922ac113816cd5655dcb16c13 197660 libxen-dev_3.2.1-2_amd64.deb
8f406296db2af09bc595610b5d8cfaa56c858394928255c97becb7544cffbb36 19360 libxenstore3.0_3.2.1-2_amd64.deb
4ab689b7bd57b4885b4f131606f34f5b56ad56d5d39d7621eb896657a85cfab7 1070516 xen-utils-3.2-1_3.2.1-2_amd64.deb
73ff1e710be16f2732caada6a66c6af90541bd94a9444d8dd24073fbdd7fd61e 22566 xenstore-utils_3.2.1-2_amd64.deb
Files:
e00ffdb6939f517d8d5afed6b418f051 1599 misc extra xen-3_3.2.1-2.dsc
df6ffb368b0ce6e3723ec823407bfb52 54201 misc extra xen-3_3.2.1-2.diff.gz
963fd1aab43d22e745de2a93102ce26f 1198380 doc extra xen-docs-3.2_3.2.1-2_all.deb
6ac0ceb062f16a781eba3dcb4858b16f 418614 misc extra xen-hypervisor-3.2-1-amd64_3.2.1-2_amd64.deb
94df8b325e502ee549611e603ec8dac7 197660 libdevel extra libxen-dev_3.2.1-2_amd64.deb
b85bef2139a4ee76fea154f0edae08b4 19360 libs extra libxenstore3.0_3.2.1-2_amd64.deb
d10f8282dbf0f254a1f26a5f89ac03e9 1070516 misc extra xen-utils-3.2-1_3.2.1-2_amd64.deb
4523b836a00dc3f700662c67d72f9256 22566 admin extra xenstore-utils_3.2.1-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkhmBm0ACgkQxWtQqFixGB4ENACeLdidWsyiyy5Gxvs6fSPV+Pbz
57oAnjrl6QRi6xlYQQQBL7b94ulaZ19e
=3U/n
-----END PGP SIGNATURE-----
--- End Message ---