+++ This bug was initially created as a clone of Bug #39689 +++

Unfixed issues in xen-4.1.6.1 in UCS-3.3:

* CVE-2016-4480 <http://xenbits.xen.org/xsa/advisory-176.html> does not apply to xen-4.1 cleanly as it is based on xen-4.2 supporting 1G superpages <http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=96b740e209d0bea4c16d93211ceb139fc98d10c2>. Either that needs to be back-ported to xen-4.1 or the patch must be adapted to only support 2k and 2M SPs.
* CVE-2014-3672 <http://xenbits.xen.org/xsa/advisory-180.html> does not apply to UCS as we are not using the "xl" toolstack (but the xm one).
Upstream package version 4.1.6.1-0ubuntu0.12.04.11 fixes these issues:

- CVE-2013-2212 / XSA-060
  * VMX: disable EPT when !cpu_has_vmx_pat
  * VMX: remove the problematic set_uc_mode logic
  * VMX: fix cr0.cd handling
- CVE-2016-3158, CVE-2016-3159 / XSA-172
  * x86: fix information leak on AMD CPUs
- CVE-2016-3960 / XSA-173
  * x86: limit GFNs to 32 bits for shadowed superpages.
  * x86/HVM: correct CPUID leaf 80000008 handling
- CVE-2016-4480 / XSA-176
  * x86/mm: fully honor PS bits in guest page table walks
- CVE-2016-3710 / XSA-179 (qemu traditional)
  * vga: fix banked access bounds checking
  * vga: add vbe_enabled() helper
  * vga: factor out vga register setup
  * vga: update vga register setup on vbe changes
  * vga: make sure vga register setup for vbe stays intact
- CVE-2014-3672 / XSA-180 (qemu traditional)
  * main loop: Big hammer to fix logfile disk DoS in Xen setups
(In reply to Arvid Requate from comment #1)
> Upstream package version 4.1.6.1-0ubuntu0.12.04.11 fixes these issues:
>
> - CVE-2013-2212 / XSA-060
>   * VMX: disable EPT when !cpu_has_vmx_pat
>   * VMX: remove the problematic set_uc_mode logic
>   * VMX: fix cr0.cd handling

Already fixed: 30_cve-patches.patch

> - CVE-2016-3158, CVE-2016-3159 / XSA-172
>   * x86: fix information leak on AMD CPUs

Already fixed: 32_xsa172-4.3.patch

> - CVE-2016-3960 / XSA-173
>   * x86: limit GFNs to 32 bits for shadowed superpages.
>   * x86/HVM: correct CPUID leaf 80000008 handling

Already partly fixed: 36_fix_xsa173.patch

> - CVE-2016-4480 / XSA-176
>   * x86/mm: fully honor PS bits in guest page table walks

Unfixed

> - CVE-2016-3710 / XSA-179 (qemu traditional)
>   * vga: fix banked access bounds checking
>   * vga: add vbe_enabled() helper
>   * vga: factor out vga register setup
>   * vga: update vga register setup on vbe changes
>   * vga: make sure vga register setup for vbe stays intact

Unfixed

> - CVE-2014-3672 / XSA-180 (qemu traditional)
>   * main loop: Big hammer to fix logfile disk DoS in Xen setups

Not relevant for UCS
Additional issues:

* The libxl device-handling allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore. (CVE-2016-4962 / XSA-175)
* Xen 4.1.x is not affected by CVE-2016-5242 (XSA-181)
* x86: Privilege escalation in PV guests (CVE-2016-6258 / XSA-182)
* Xen 4.1.x is not affected by CVE-2016-6258 (XSA-183)
* virtio: unbounded memory allocation on host via guest leading to DoS (CVE-2016-5403 / XSA-184)
CVE-2016-7092 / XSA-185: All versions of Xen are vulnerable.
CVE-2016-7093 / XSA-186: Xen releases 4.5.2 and earlier are NOT vulnerable.
CVE-2016-7094 / XSA-187: All versions of Xen are vulnerable.
CVE-2016-7154 / XSA-188: Xen versions 4.3 and earlier are not vulnerable.
Xen 4.6 and earlier are vulnerable to this additional issue:

* CR0.TS and CR0.EM not always honored for x86 HVM guests (CVE-2016-7777 / XSA-190)
Upstream Debian package version 4.1.6.lts1-3 fixes CVE-2016-7777.
Upstream Debian package version 4.1.6.lts1-4 fixes these issues:

* delimiter injection vulnerabilities in pygrub (CVE-2016-9379 / XSA-198)
* delimiter injection vulnerabilities in pygrub (CVE-2016-9380 / XSA-198)
* qemu incautious about shared ring processing (CVE-2016-9381 / XSA-197)
* x86 task switch to VM86 mode mis-handled (CVE-2016-9382 / XSA-192)
* x86 64-bit bit test instruction emulation broken (CVE-2016-9383 / XSA-195)
* x86 null segments not always treated as unusable (CVE-2016-9386 / XSA-191)
Yet another issue to be fixed:

* qemu ioport array overflow (CVE-2016-9637 / XSA-199)
  CVSSv3 7.6 (CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVE-2016-9379, CVE-2016-9380 and CVE-2016-9381 have CVSSv3 8 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
* x86 CMPXCHG8B emulation fails to ignore operand size override (CVE-2016-9932/XSA-200)
* x86: Mishandling of SYSCALL singlestep during emulation (XSA-204)
* x86 PV guests may be able to mask interrupts (CVE-2016-10024 / XSA-202)
* x86: Mishandling of SYSCALL singlestep during emulation (CVE-2016-10013 / XSA-204)
UCS 3.3 is out of maintenance.