Xen Project fixes two bugs in its virtualization software
January 21, 2016
The Xen Project's general policy is to let big cloud operators and others on a pre-disclosure
list know about bugs two weeks before the rest of us, so that the flaws can be fixed before bad guys
try to exploit them.
So the Xen Project was busy over the Dec. 31 to Jan. 3rd period fixing two known bugs. January 20th saw
the disclosure of the bugs to those of us with less-sensitive Xen systems.
This means that cloud operators got wind of them on the 6th, which may have been rather a stern
post-holidays jump-starter-upper if you will.
Bug number XSA-167 comes about because the PV superpage functionality lacks certain validity checks
on data being passed to the hypervisor by guests, Xen says.
It added that “unknown effects” are the result, “ranging from information leaks through Denial of
Service potential attacks to privilege escalation.”
None of those are either pleasant or desirable. So use that patch if you're running Xen 4.3 through
Xen-unstable.
Bug number XSA-168 is also quite nasty, as the privileged INVLPG instruction can fail under
some circumstances, creating a hypervisor bug check that in turn means “A malicious guest can crash
the host, leading to a Denial of Service attack from the wild.”
It will be interesting to see in the meantime whether newer bugs are discovered in the software.
Source: The Xen Project.