Your message dated Tue, 18 Apr 2017 17:34:15 +0000
with message-id <[email protected]>
and subject line Bug#859560: fixed in xen 4.8.1-1
has caused the Debian Bug report #859560,
regarding xen: CVE-2017-7228: x86: broken check in memory_exchange() permits PV guest breakout (XSA-212)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
859560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859560
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xen
Version: 4.8.1~pre.2017.01.23-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for xen.
CVE-2017-7228[0]:
| An issue (known as XSA-212) was discovered in Xen, with fixes available
| for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix
| introduced an insufficient check on XENMEM_exchange input, allowing the
| caller to drive hypervisor memory accesses outside of the guest
| provided input/output arrays.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7228
[1] https://xenbits.xen.org/xsa/advisory-212.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
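The quoted CVE text describes the bug class at issue: a hypercall handler validates the caller-supplied in/out arrays as a whole, then walks them in a way the check does not actually cover, so hypervisor accesses land outside the arrays. The C below is an added, simplified model of that class written for this page; it is not Xen's memory_exchange() and not code from this bug report. The names (`struct exchange_req`, `array_ok_vulnerable`, `subrange_ok_hardened`, `handle_exchange`), the guest address-space layout, and the particular bypass it demonstrates (an element count large enough to wrap the byte-size computation, combined with a walk that starts at a caller-chosen cursor) are assumptions made for illustration, not a statement of how the Xen code was written.

```c
/*
 * Added illustration, not Xen code: a toy model of an "insufficient
 * whole-array check" in a hypercall handler (the class of bug described
 * for XSA-212 / CVE-2017-7228), beside a hardened check that validates
 * exactly the subrange the handler will touch.
 *
 * Assumptions for this example: the address-space split, the element size,
 * and the request layout below are invented; the real hypervisor differs.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled guest-accessible virtual range: [0, GUEST_END). Anything at or
 * above GUEST_END stands in for hypervisor-owned memory. (Assumption.) */
#define GUEST_END   UINT64_C(0x0000800000000000)
#define EXTENT_SIZE UINT64_C(8)   /* one 64-bit frame number per element */

/* Caller-controlled request: an input array plus a "resume" cursor, the
 * shape the advisory's in/out arrays and exchanged-so-far count suggest. */
struct exchange_req {
    uint64_t in_start;      /* guest address of the input array */
    uint64_t in_count;      /* number of elements in the array */
    uint64_t nr_exchanged;  /* caller-provided index to start from */
};

/* Naive range check: is [addr, addr + bytes) inside guest space?
 * Uses plain wrapping uint64 arithmetic, which is the weakness. */
static bool range_ok_wrapping(uint64_t addr, uint64_t bytes)
{
    return addr < GUEST_END && (addr + bytes) <= GUEST_END;
}

/* VULNERABLE: checks the whole array from element 0. count * EXTENT_SIZE
 * wraps for count >= 2^61, so a huge count checks a zero-byte range. */
static bool array_ok_vulnerable(uint64_t start, uint64_t count)
{
    return range_ok_wrapping(start, count * EXTENT_SIZE);
}

/* HARDENED: checks exactly elements [first, last], refusing any overflow. */
static bool subrange_ok_hardened(uint64_t start, uint64_t first, uint64_t last)
{
    if (first > last)
        return false;
    if (last >= UINT64_MAX / EXTENT_SIZE)        /* last * EXTENT_SIZE overflows */
        return false;
    uint64_t lo_off = first * EXTENT_SIZE;
    uint64_t hi_off = last * EXTENT_SIZE + EXTENT_SIZE;  /* one past last byte */
    if (start > UINT64_MAX - hi_off)              /* start + hi_off overflows */
        return false;
    return start + lo_off < GUEST_END && start + hi_off <= GUEST_END;
}

static bool address_is_hypervisor(uint64_t addr)
{
    return addr >= GUEST_END;
}

/* Returns 0 if the request is rejected (EFAULT), 1 if the handler would
 * begin walking the array. On 1, *first_access receives the address of the
 * first element read: start + nr_exchanged * EXTENT_SIZE, i.e. the walk
 * begins at the caller's cursor, not at element 0. */
static int handle_exchange(const struct exchange_req *r, bool hardened,
                           uint64_t *first_access)
{
    bool ok;

    if (r->in_count == 0 || r->nr_exchanged >= r->in_count)
        return 0;                                 /* nothing to walk */

    if (hardened)
        ok = subrange_ok_hardened(r->in_start, r->nr_exchanged, r->in_count - 1);
    else
        ok = array_ok_vulnerable(r->in_start, r->in_count);
    if (!ok)
        return 0;

    *first_access = r->in_start + r->nr_exchanged * EXTENT_SIZE;
    return 1;
}

int main(void)
{
    /* Constructed requests. The hostile one picks in_count = 2^61 so the
     * naive byte-size computation wraps to 0, and a cursor that places the
     * first read just past the guest window. */
    struct exchange_req benign = { 0x1000, 16, 4 };
    struct exchange_req hostile = { 0x1000, UINT64_C(1) << 61,
                                    (GUEST_END - 0x1000) / EXTENT_SIZE + 0x10 };
    const struct exchange_req *reqs[] = { &benign, &hostile };
    const char *labels[] = { "benign", "hostile" };

    for (int i = 0; i < 2; i++) {
        for (int h = 0; h < 2; h++) {
            uint64_t addr = 0;
            int accepted = handle_exchange(reqs[i], h == 1, &addr);
            printf("%-7s %-10s -> %s", labels[i], h ? "hardened" : "vulnerable",
                   accepted ? "accepted" : "rejected");
            if (accepted)
                printf(", first read at 0x%llx (%s)", (unsigned long long)addr,
                       address_is_hypervisor(addr) ? "HYPERVISOR" : "guest");
            printf("\n");
        }
    }
    return 0;
}
```

The point to take from the model is that a check must cover the accesses the handler actually performs, computed with overflow-safe arithmetic, rather than a range derived independently from the same untrusted input.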
--- Begin Message ---
Source: xen
Source-Version: 4.8.1-1
We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ian Jackson <[email protected]> (supplier of updated xen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 18 Apr 2017 18:05:00 +0100
Source: xen
Binary: libxen-4.8 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common
xen-utils-4.8 xen-hypervisor-4.8-amd64 xen-system-amd64
xen-hypervisor-4.8-arm64 xen-system-arm64 xen-hypervisor-4.8-armhf
xen-system-armhf
Architecture: source
Version: 4.8.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Xen Team <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Description:
libxen-4.8 - Public libs for Xen
libxen-dev - Public headers and libs for Xen
libxenstore3.0 - Xenstore communications library for Xen
xen-hypervisor-4.8-amd64 - Xen Hypervisor on AMD64
xen-hypervisor-4.8-arm64 - Xen Hypervisor on ARM64
xen-hypervisor-4.8-armhf - Xen Hypervisor on ARMHF
xen-system-amd64 - Xen System on AMD64 (meta-package)
xen-system-arm64 - Xen System on ARM64 (meta-package)
xen-system-armhf - Xen System on ARMHF (meta-package)
xen-utils-4.8 - XEN administrative tools
xen-utils-common - Xen administrative tools - common files
xenstore-utils - Xenstore command line utilities for Xen
Closes: 856229 859560
Changes:
xen (4.8.1-1) unstable; urgency=high
.
* Update to upstream 4.8.1 release.
Changes include numerous bugfixes, including security fixes for:
XSA-212 / CVE-2017-7228 Closes:#859560
XSA-207 / no cve yet Closes:#856229
XSA-206 / no cve yet no Debian bug
Checksums-Sha1:
4d5f9a55dfd26f17beb4e1c9228a13d36dca21c4 2757 xen_4.8.1-1.dsc
0733a15f1186a7190e41cdcd4d5bfaddb0a204a7 5551737 xen_4.8.1.orig.tar.gz
aa7c09c63c887504deafde1b55962750c4e780bb 51960 xen_4.8.1-1.debian.tar.xz
Checksums-Sha256:
b08be4d996ea40e5965dd0d8eb53cb2fbdb7f408d82eab00c139a1d692963259 2757 xen_4.8.1-1.dsc
0b91b4461cb9b583325516a8bcf1c34f30abf04b667271fa2790c8d7886695bf 5551737 xen_4.8.1.orig.tar.gz
91926fef457f17ee7f33fb73c2fab5a2be923e8d7cd5c1823b5626f490eb38ca 51960 xen_4.8.1-1.debian.tar.xz
Files:
be3499586dccca23244585d9fa93f1a9 2757 kernel optional xen_4.8.1-1.dsc
ecc695ca67e4545d57592cf6d8c8ffb0 5551737 kernel optional xen_4.8.1.orig.tar.gz
516438b4a0194458ac0282f0b6841611 51960 kernel optional xen_4.8.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEVZrkbC1rbTJl58uh4+M5I0i1DTkFAlj2SMgACgkQ4+M5I0i1
DTlLvAgAjuIzb2iJxU+4vfSJ524t6CvMfEvXA5jZDP6WyDjZ7aZG9xRSiXOZEXdQ
L4sO+G84bZR41SAAt74oQaPwbXtB0SJXPwtiqrEO+Ynk7cKSoV6gN9DiaVLhj2yd
cvhAMYyD84IGro2hFOfdVbPm94FyTX8V1F/pRR2XR/rc3OX3V9EfLaLCg5F4kfHv
zenvKwowanWxjvXYXCJ7gyp3h68M7YMhcmeO30tHjAcwPGiugEWaPaA88yGPOjzP
UiNwIRabV3I1aIMU5n8CqkpMRrEo3Fzx/Ng4fSo9sgvgro7qYPHOdPDEfH0CdMrz
qa54ANO4CweRgiilpHkuiR6aAAFyqw==
=S0gv
-----END PGP SIGNATURE-----
--- End Message ---