I run latest Xen from d.o.o's Virtualization/openSUSE_13.2 repo
rpm -qa | grep -i ^xen | sort
xen-4.5.1_10-390.1.x86_64
xen-libs-4.5.1_10-390.1.x86_64
xen-tools-4.5.1_10-390.1.x86_64
Xen's now made public its latest critical advisory
http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/
"Xen patches 7-year-old bug that shattered hypervisor security.
Critical vulnerability allowed some guests to access underlying
operating system."
http://xenbits.xen.org/xsa/advisory-148.html
Advisory XSA-148
Public release 2015-10-29 11:59
...
CVE(s) CVE-2015-7835
Title x86: Uncontrolled creation of large page mappings by PV
guests
The advisory instructs patching to resolve
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa148.patch xen-unstable, Xen 4.6.x
xsa148-4.5.patch Xen 4.5.x
xsa148-4.4.patch Xen 4.4.x, Xen 4.3.x
Checking installed Xen's changelog
rpm -q --changelog xen | egrep "CVE-2015-7835|xsa148"
(empty)
it's not been applied. Or, afaict from obs, even submitted.
Where's this security patch in the package tree?