xen-3.0.3-64.9.1AXS3

エラータID: AXSA:2009-14:01

Release date: 
Friday, January 23, 2009 - 12:18
Subject: 
xen-3.0.3-64.9.1AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for ia64
Asianux Server 3 for x86
Severity: 
Moderate
Description: 

This package contains the Xen tools and management daemons needed to run virtual machines on x86, x86_64, and ia64 systems.
Information on how to use Xen can be found at the Xen project pages.
The Xen system also requires the Xen hypervisor and domain-0 kernel, which can be found in the kernel-xen* package.
Virtualization can be used to run multiple operating systems on one physical system, for purposes of hardware consolidation, hardware abstraction, or to test untrusted applications in a sandboxed environment.
Bugs fixed:
CVE-2008-4993
qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file.
CVE-2008-4405
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.

Solution: 

Update packages

CVEs: 
CVE-2008-4993
qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file.
CVE-2008-4405
xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen.
Additional Info: 

N/A

Download: 

SRPMS
  1. xen-3.0.3-64.9.1AXS3.src.rpm
    MD5: 259592cb6d7ed7034cdb15470743f363
    SHA-256: 4cf376a824028ff75984dece52752cf998ba58ef91b82687fc7139f3532c1a46
    Size: 11.96 MB

Asianux Server 3 for x86
  1. xen-3.0.3-64.9.1AXS3.i386.rpm
    MD5: 83b218203bd82a76e5a83eb79a172332
    SHA-256: 1a6a2ab397a9243f7beb4cfb0ed625e3c0ea64aed38ccd51098f29b2a12f8e3a
    Size: 1.79 MB
  2. xen-devel-3.0.3-64.9.1AXS3.i386.rpm
    MD5: 518082eed468093630aa3e9ebd6313e5
    SHA-256: 3eceaac27cab8f262706f71c804cb04e66687c08ee03777a47fb76c6b4a11910
    Size: 218.34 kB
  3. xen-libs-3.0.3-64.9.1AXS3.i386.rpm
    MD5: 793d23589ff4163e51ca765f677bd4d7
    SHA-256: 3a13ba98949a6cbf64f8b41e36fbdefe432d08020a2a0f3a76ce91460c320b05
    Size: 142.82 kB

Asianux Server 3 for x86_64
  1. xen-3.0.3-64.9.1AXS3.x86_64.rpm
    MD5: ac490962ea1ec6bf263ecca7f44c850b
    SHA-256: a158bc611ca50167aa215730233baaa400694bf79c213b408d2061430ea44b86
    Size: 1.78 MB
  2. xen-devel-3.0.3-64.9.1AXS3.x86_64.rpm
    MD5: 605575bd9ff98186255fe21f0429f353
    SHA-256: 13c3b983428ebc56ad788a95565c4bcd549a935d2f4c2b6a2291a1cc66b97d75
    Size: 221.66 kB
  3. xen-libs-3.0.3-64.9.1AXS3.x86_64.rpm
    MD5: 92e6b477bd5a4c6491bd0509c295a919
    SHA-256: c28cc51fad49d942eb98672607145d8efdaed3c65ff1717e049cb11c34b7bdd2
    Size: 139.59 kB