From predisclosure-applications-bounces@lists.xenproject.org Mon Jun 01 05:43:48 2026 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Mon, 01 Jun 2026 05:43:48 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1323691.1589359 (Exim 4.92) (envelope-from ) id 1wTvRC-0004tW-7P; Mon, 01 Jun 2026 05:43:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1323691.1589359; Mon, 01 Jun 2026 05:43:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTvRC-0004tS-4X; Mon, 01 Jun 2026 05:43:46 +0000 Received: by outflank-mailman (input) for mailman id 1323691; Mon, 01 Jun 2026 05:36:46 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wTvKQ-0003hT-3v for predisclosure-applications@lists.xenproject.org; Mon, 01 Jun 2026 05:36:46 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wTvKP-005MUJ-A4 for predisclosure-applications@lists.xenproject.org; Mon, 01 Jun 2026 07:36:45 +0200 Received: from [10.42.69.11] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 6a1d1a47-2eae-0a2a0a5409dd-0a2a450bbf4c-48 for ; Mon, 01 Jun 2026 07:36:45 +0200 Received: from [212.227.17.27] (helo=moint.1and1.com) by tlsNG-42698a.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 6a1d1a6c-212f-0a2a450b0019-d4e3111be47a-3 for ; Mon, 01 Jun 2026 07:36:45 +0200 Received: from [82.165.232.201] (helo=[10.21.56.34]) by mrint.1and1.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1wTvKO-003hAu-24 for predisclosure-applications@lists.xenproject.org; Mon, 01 Jun 2026 07:36:44 +0200 X-BeenThere: predisclosure-applications@lists.xenproject.org List-Id: Applications for membership of Xen Security Advisories Pre-disclosure List List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: predisclosure-applications-bounces@lists.xenproject.org Precedence: list Sender: "Predisclosure-applications" Authentication-Results: eu.smtp.expurgate.cloud; dkim=pass header.s=corp1 header.d=1und1.de header.i="@1und1.de" header.h="From:To:Subject:MIME-Version:Date:Message-ID" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=From:To:Subject:MIME-Version:Date:Message-ID:cc:sender:reply-to; bh=23dapkrr06lmL3CKnHfF9TxmXRHjN5nQkblW3dxGXdQ=; b=r7+UEmXa9BCKnBhyaom7v6J5x/ HxR1kNNmbiCXCPAOMDrbuQrbQ3W6msjFkJuFTBvfoN9kgge1ja4Vuo+N/coWckHmoj+GE0MsYNS0e 2fxXr3KvcCuzUAy53oZFPcxZnbrWiqb514Zz4pQrgDiO+VyLhhzcb6EZ3fdmYF/wnHQQ9tZbwqmEX G9fWkSoB1qXmROxxu9MbOsvAzAmyaiFRAeh0QsTZpHQzXkOnlG0Y9QqbUOmHFB7q+XmSuPeso/966 /w45Obgp+tSyl/tvh5VY30XNIsccwUhYd7gu7W6KYz1Hpv6/woBFfs7ViXQi72suVoogLD/3aV+Gi r/tNoVBg==; Content-Type: multipart/alternative; boundary="------------0U1eEu0pLleqooGhMKefk46e" Message-ID: <3082a58e-fd7d-4877-aab3-005522506896@1und1.de> Date: Mon, 1 Jun 2026 07:36:44 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: unsubscribe from predisclosure list To: predisclosure-applications@lists.xenproject.org References: From: Information Security Access In-Reply-To: X-Virus-Scanned: ClamAV@mvs-ha-bs X-purgate-ID: tlsNG-42698a/1780292205-21382F3B-326BED5A/0/0 X-purgate-type: clean X-purgate-size: 10386 This is a multi-part message in MIME format. --------------0U1eEu0pLleqooGhMKefk46e Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Hi Xen-Team, can you please unsubscrbe security@1und1.de from your predisclosure list. We as company 1&1 Telecommunication SE do not use Xen projects anymore. So a dedicated predisclosure information is not needed. Thanks, Information Securtiy Access *1&1 Telecommunication SE* Elgendorfer Str. 57 56410 Montabaur Germany Website: _https://www.1und1.de/_ Am 28.05.2026 um 23:11 schrieb Xen.org security team: >             Xen Security Advisory CVE-2026-42487 / XSA-491 > >                     x86 HVM I/O port list traversal > >               *** EMBARGOED UNTIL 2026-06-09 12:00 UTC *** > > ISSUE DESCRIPTION > ================= > > HVM guest I/O port accesses are subject to either emulation or at least > translation.  Translations are managed by the device model (via > XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed > at any time.  Traversal of those lists (while handling guest I/O port > accesses) therefore needs synchronizing with updates, which was missing > so far. > > IMPACT > ====== > > A device model of a HVM guest can cause a hypervisor crash, causing a > Denial of Service (DoS) of the entire host.  Privilege escalation and > information leaks cannot be ruled out. > > VULNERABLE SYSTEMS > ================== > > All Xen versions from at least 3.2 onwards are vulnerable. Earlier > versions have not been inspected. > > Only x86 systems are vulnerable.  Arm systems are not vulnerable. > > Only entities controlling HVM guests can leverage the vulnerability. > These are device models running in either a stub domain or de-privileged > in Dom0. > > MITIGATION > ========== > > Running only PV or PVH guests will avoid the vulnerability. > > (Switching from a device model stub domain or a de-privileged device > model to a fully privileged Dom0 device model does NOT mitigate this > vulnerability.  Rather, it simply recategorises the vulnerability to > hostile management code, regarding it "as designed"; thus it merely > reclassifies these issues as "not a bug".  The security of a Xen system > using stub domains is still better than with a qemu-dm running as a Dom0 > process.  Users and vendors of stub qemu dm systems should not change > their configuration to use a Dom0 qemu process.) > > CREDITS > ======= > > This issue was discovered by Jan Beulich of SUSE. > > RESOLUTION > ========== > > Applying the appropriate attached patch resolves this issue. > > Note that patches for released versions are generally prepared to > apply to the stable branches, and may not apply cleanly to the most > recent release tarball.  Downstreams are encouraged to update to the > tip of the stable branch before applying these patches. > > xsa491.patch           xen-unstable > xsa491-4.21.patch      Xen 4.21.x - Xen 4.17.x > > $ sha256sum xsa491* > 23a90da1c71389083351846169fc565a671b44f5f4ba838b18fc0fa6d7582bf8 > xsa491.patch > 443674f42a092b953b6ba4d91cfa19bfbee0077dfcd5a39ae53368e40ed23aac > xsa491-4.21.patch > $ > > DEPLOYMENT DURING EMBARGO > ========================= > > Deployment of the patches and/or mitigations described above (or > others which are substantially similar) is permitted during the > embargo, even on public-facing systems with untrusted guest users and > administrators. > > But: Distribution of updated software is prohibited (except to other > members of the predisclosure list). > > Predisclosure list members who wish to deploy significantly different > patches and/or mitigations, please contact the Xen Project Security > Team. > > (Note: this during-embargo deployment notice is retained in > post-embargo publicly released Xen Project advisories, even though it > is then no longer applicable.  This is to enable the community to have > oversight of the Xen Project Security Team's decisionmaking.) > > For more information about permissible uses of embargoed information, > consult the Xen Project community's agreed Security Policy: > http://www.xenproject.org/security-policy.html --------------0U1eEu0pLleqooGhMKefk46e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit

Hi Xen-Team,

can you please unsubscrbe security@1und1.de from your predisclosure list.

We as company 1&1 Telecommunication SE do not use Xen projects anymore.

So a dedicated predisclosure information is not needed.

Thanks,

Information Securtiy Access

1&1 Telecommunication SE
Elgendorfer Str. 57
56410 Montabaur
Germany

Website: https://www.1und1.de/


Am 28.05.2026 um 23:11 schrieb Xen.org security team:

            Xen Security Advisory CVE-2026-42487 / XSA-491

                    x86 HVM I/O port list traversal

              *** EMBARGOED UNTIL 2026-06-09 12:00 UTC ***

ISSUE DESCRIPTION
=================

HVM guest I/O port accesses are subject to either emulation or at least
translation.  Translations are managed by the device model (via
XEN_DOMCTL_ioport_mapping), and hence the linked list used may changed
at any time.  Traversal of those lists (while handling guest I/O port
accesses) therefore needs synchronizing with updates, which was missing
so far.

IMPACT
======

A device model of a HVM guest can cause a hypervisor crash, causing a
Denial of Service (DoS) of the entire host.  Privilege escalation and
information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only entities controlling HVM guests can leverage the vulnerability.
These are device models running in either a stub domain or de-privileged
in Dom0.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain or a de-privileged device
model to a fully privileged Dom0 device model does NOT mitigate this
vulnerability.  Rather, it simply recategorises the vulnerability to
hostile management code, regarding it "as designed"; thus it merely
reclassifies these issues as "not a bug".  The security of a Xen system
using stub domains is still better than with a qemu-dm running as a Dom0
process.  Users and vendors of stub qemu dm systems should not change
their configuration to use a Dom0 qemu process.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa491.patch           xen-unstable
xsa491-4.21.patch      Xen 4.21.x - Xen 4.17.x

$ sha256sum xsa491*
23a90da1c71389083351846169fc565a671b44f5f4ba838b18fc0fa6d7582bf8  xsa491.patch
443674f42a092b953b6ba4d91cfa19bfbee0077dfcd5a39ae53368e40ed23aac  xsa491-4.21.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

--------------0U1eEu0pLleqooGhMKefk46e-- From predisclosure-applications-bounces@lists.xenproject.org Wed Jun 17 17:44:40 2026 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Wed, 17 Jun 2026 17:44:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.1340599.1601509 (Exim 4.92) (envelope-from ) id 1wZuJZ-0003WA-Ok; Wed, 17 Jun 2026 17:44:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 1340599.1601509; Wed, 17 Jun 2026 17:44:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZuJZ-0003W6-Lf; Wed, 17 Jun 2026 17:44:37 +0000 Received: by outflank-mailman (input) for mailman id 1340599; Wed, 17 Jun 2026 17:44:36 +0000 Received: from mx.expurgate.net ([195.190.135.20]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wZuJY-0003W0-CL for predisclosure-applications@lists.xenproject.org; Wed, 17 Jun 2026 17:44:36 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wZuJX-009sEQ-5E for predisclosure-applications@lists.xenproject.org; Wed, 17 Jun 2026 19:44:35 +0200 Received: from [10.42.69.12] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 6a32dcff-5cb7-0a2a0a5109dd-0a2a450cc012-6 for ; Wed, 17 Jun 2026 19:44:34 +0200 Received: from [148.163.154.146] (helo=mx0b-002b1501.pphosted.com) by tlsNG-d25034.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 6a32dd00-62f1-0a2a450c0019-94a39a92e0de-3 for ; Wed, 17 Jun 2026 19:44:33 +0200 Received: from pps.filterd (m0119678.ppops.net [127.0.0.1]) by mx0b-002b1501.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 65HHdOFk3265430; Wed, 17 Jun 2026 12:44:31 -0500 Received: from ph8pr06cu001.outbound.protection.outlook.com (mail-westus3azon11012060.outbound.protection.outlook.com [40.107.209.60]) by mx0b-002b1501.pphosted.com (PPS) with ESMTPS id 4euee63ggj-1 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 17 Jun 2026 12:44:30 -0500 (CDT) Received: from PH7PR17MB7026.namprd17.prod.outlook.com (2603:10b6:510:236::18) by SA1PR17MB5620.namprd17.prod.outlook.com (2603:10b6:806:1cf::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.113.18; Wed, 17 Jun 2026 17:44:28 +0000 Received: from PH7PR17MB7026.namprd17.prod.outlook.com ([fe80::a046:9950:946c:14dd]) by PH7PR17MB7026.namprd17.prod.outlook.com ([fe80::a046:9950:946c:14dd%3]) with mapi id 15.21.0113.013; Wed, 17 Jun 2026 17:44:27 +0000 X-BeenThere: predisclosure-applications@lists.xenproject.org List-Id: Applications for membership of Xen Security Advisories Pre-disclosure List List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: predisclosure-applications-bounces@lists.xenproject.org Precedence: list Sender: "Predisclosure-applications" Authentication-Results: eu.smtp.expurgate.cloud; dkim=pass header.s=2k25 header.d=epic.com header.i="@epic.com" header.h="CC:Content-Type:Date:From:In-Reply-To:Message-ID:MIME-Version:References:Subject:To"; dkim=pass header.s=selector1 header.d=epic.com header.i="@epic.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=epic.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=2k25; bh=WEEqDLm+AxJNA+5FUeFj7V15zfuyU rDBaHqEfGYNUzI=; b=dq19EPrW4j0hlKbhA5J2wokJY4ubH6k9dPGYA//TpQrZA +58RjCK+Yji2Lu+26cmit8o7H+aBQQRQkhLIUVMMkhzDP+un2NDErgQoetxixDs2 ZtvDXUBMP6mT5/jMOkxTbZJmpddHx9igx+fVbJvhxLwGm44m5yx22MgEUoHnI1yf 2uNLxPFsmoj8iF3rfHxy5fFmRBNPVKqeBKnDZNWWtByGgfvfw1SdN4GacCs/HbCk x9zEcmMbTBfpUMrGdSeK6WMCmlYai5yZ0C+pEnsTIq+nwIB7QzoHpXbAfMNOcTh1 g49n4Yb0YDHp+zAwUFRxrLtz/P94EX8cwi9ERAPnw== ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=kBVeQtl7kW446OG3S0Yzt9dlGc1h/GSCbSQCPcTtE0hGlO1yDVMjh7uAHtTqny93VWb4PRBN3mmS/K1ixMis8sf8vGBqyhytcPKDSumNpZzeI6GZ2r8JC+qBiIU81LYmw0dyZtR9KykHwZr3kSY1WwTzVxI4n8sE2AdJS9wQikS8SCh/2pqOVYvPbbRi0rS6FTQ/IXl96vBjTN8WbfuY+eBg8i1VQzbSz8mLzYvfDrBdyiM6TT9Et+4tjM/YqLgiJ69VbpAsNBNb00carVYcRvp+aMG98RNgVn0X5W9g/756L396v/+C1cUAYKbYXcAp3cnVZxXM8wm3yo7W1BwRcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WEEqDLm+AxJNA+5FUeFj7V15zfuyUrDBaHqEfGYNUzI=; b=jLny7Pi/bq7eWQwoEFFSY+aazkFFm9i61G2c1qZ2Ek3+4fCOOo8hr0cZSsqQlEVKcu+1Ym2s2y1g7fqOQ3g+Xm+0dZlkWPPVorwqwewj/OeFGVjkbsv9kt6xNudG6AFfx6DwVq4xxZtbQBVxRLthzYRP0flszLnD+jELPPvoZIWiG92aEL6L50RiMuceMg04I4PcYklrKV0nbcIwcjMI+x8t9fbwkgCBYiMAfzIgVLNLetzqFnaNzzWe7kttV1+aGKaxTmXbwBetJbUgDskp+qm5HUePafcysAl3S+QlS95qy1Wwql86zc+pQzLj8NtJoLc/LZeFUNcSJdFoDsELMA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epic.com; dmarc=pass action=none header.from=epic.com; dkim=pass header.d=epic.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=epic.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WEEqDLm+AxJNA+5FUeFj7V15zfuyUrDBaHqEfGYNUzI=; b=mEPNnHY0KOkBXvfqJa9VmJD2KMAwJROMLDbNIybo6Ba2//BiJAsZ6rpBJ0cUkAqMIImlbq2aGy4OK0IA+lhnhwP6rNjBIiOmxzZeadF+KX9kWSWbnidGT/xkw47oriFr2H0myz0qBl43R5jfhaIfuVyD+nc3TB1ZuzDGtjWSKA4= From: Jake Vondra To: "'predisclosure-applications@lists.xenproject.org'" CC: Darryl Voss , "'alex.brett@citrix.com'" Subject: RE: Epic Hosting - Xen Pre-Disclosure Submission Thread-Topic: Epic Hosting - Xen Pre-Disclosure Submission Thread-Index: AdzuwttRETC9w6WvTPmhZ/dQ5WoDwAPvg/Og Date: Wed, 17 Jun 2026 17:44:27 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-traffictypediagnostic: PH7PR17MB7026:EE_|SA1PR17MB5620:EE_ x-ms-office365-filtering-correlation-id: 4dfce298-3e69-4b52-3412-08decc981400 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0;ARA:13230040|376014|1800799024|366016|23010399003|8096899003|13003099007|38070700021|22082099003|3023799007|18002099003|11063799006|56012099006; x-microsoft-antispam-message-info: O79/qh2LQmioI8FnpJgBHOSA2/hT6jb8EiMNEsynMQ9LNqI39xW0/VmUNom2CRubXkDmG7jXDpGdYhnLvYBAVB4UyJ3X2P280VwuI97fcB0wPhCC88+t4Ay3PXKw9Cs7XtPd7cO6YZzXtuhV/MbxSGfnjCSXqMv+HR+CbH0hGb/xCVYNU68OyE/yGbgyHeXWjwhE0Hnn8Afj+ATtGTPeLdg17Ow4zCCxaCrNnO+uZxDsHGx4EK1XE0UET66KvJa86iHrzpElbII20OOVzlA35bHClGpb7KXRQfHRDpXmNCuqOgmbf6TgAJPSFhOTnsqmRZjYYwZpkw2Kc9kGQMjxiaZ+zVHzPP8cczibuNE3vkaB3uTS/oeO7sznrWGunOINmd3p0yz8BoSi8QfmD88Y9E1ilPplsOeTRLiDtwjkmb6cuBRREvgUEzoMJVUcFZxeTwxPlGW6yCjyfwQXvmvkK+uBHVUG2hRhui1uqNuQebM8Zwkq0PrtMpl1Dg+qrYWx5+JCxAMgiQu9F5Tz6P4fjhwebXbqEwRpMPY9LvUYVtN6S7QWnO10XxjcHjL8UsxyhnkN2craD0N4vJNgflrRtgVRuYXl7xmXWbzSMAv56lKDnVptMqYZJxx2CwIcM4W9TGlg/yL7bCo5xH+JJjcmONJkDT9vjXXqXbbbIP7EmdrU0oGMvuAbvJefS+FBB2edVILk5bM/KGroM4iFUN4Hpg== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH7PR17MB7026.namprd17.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016)(23010399003)(8096899003)(13003099007)(38070700021)(22082099003)(3023799007)(18002099003)(11063799006)(56012099006);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?fqfv6a1/fCY0aMHFV73zfhgcB3eBbnlbcOMFJnV2Pe+eE9tjGdlCoLRBxg?= =?iso-8859-1?Q?X40QNNk+haOFkPaaRl78ZcfyGJi8AE0kYRX8l63ek67gZnv4iYglg5foty?= =?iso-8859-1?Q?xSC13Q18wHt3fvadXU/RjUwFHI6WPeJwiDooY/o1sJUodf2mYnfc8M0kmC?= =?iso-8859-1?Q?mmLyiE/DzPG2nH6VVRsw5MQ7THMcin01AZ8DrQ4W5Dj4LU2C26cg1p6BoU?= =?iso-8859-1?Q?ovV5XeewoZeW8z+jfj6jPxvns5vr/4+mVdsPPq3xzncEEuHjnyE3mDtOCY?= =?iso-8859-1?Q?TbTDQVKzLfgd7qVQEffEx+pNPN79lhmEpXoyOizp9E9vBxZoifPAJnm1F3?= =?iso-8859-1?Q?h5+xCBlpCtbZu96EUttM/LdeCjsppLK/8GJG2qRfAPNunu4Ljc320Uyg4E?= =?iso-8859-1?Q?+1tU2TNuLCGSiwksEqAniI8dBhBnVR+yP1FKoSXiBwQmIKBC1ebuO3rQNU?= =?iso-8859-1?Q?4/rIiRQhibBH0Bcn2cGw0L1L8EmjKFOd/1XaTnqxkoKKeM9eh1O+sAqadK?= =?iso-8859-1?Q?NWY4HJm2LZFTjWa3CGUylj5NO7dW9ttxXDhHIX+w/RWuzQ/kQickrIV8ux?= =?iso-8859-1?Q?N6OMYg1H2epAJIp4w42HgUPd1f6ZuB7jaY1Gi2vzMk3tguImsBjJQUQiIV?= =?iso-8859-1?Q?rn+l0u8l0oxrsvjHo8iMfVYP4Vjz9W6n3zPIeYfsRIhOavF/T/hwLgrp5i?= =?iso-8859-1?Q?RSDguFopbm9u1qJTmxcPLx+P+NCqEREIz8+hDkNCSBvsD5zRvHcHe4+tOk?= =?iso-8859-1?Q?36UreCkFAX1H5kGbP9c/+VS7Csidd8r5BZt7Bht1rmRO3nWkHsnMElR73L?= =?iso-8859-1?Q?xT1xn77maBZIYPI2YJsmDzdcoRGPKnhj72XrGysVzXY6Nwi9DjylN7ASez?= =?iso-8859-1?Q?ShAR8/XDgj6Dcex8w4Ce3iqjFpFMFCsrpk+v2uAPofIciXqAv0+RRFFgGA?= =?iso-8859-1?Q?1IzR9AdfjLlPenH6IauerHy7BWDQcz54A7zIOQlnQap9lyTmI/SotEm9FY?= =?iso-8859-1?Q?Aaswmq7mP7HJeUgGbF8BFp+OFSojj1kW1qVKpk63TQXIT3ab7l5bBKfWXR?= =?iso-8859-1?Q?zmxsQmNeQrA2pCSBWhXjEjL6ntRUrrMdhj8jNN0/4Vd6aS3yNnMPfpTl1y?= =?iso-8859-1?Q?NvnfAO0wtaHHZL/TvFPeJeK41Fo1RrYAaKiat2YjJXvQAapnrUJ+B/IUha?= =?iso-8859-1?Q?bDxEofk9fxwc0A4Qiz1tU30nSqxeUiexYTnr/hQPXnRuXfW+5AsiIe4Ktq?= =?iso-8859-1?Q?f8tT0yQvSNNVd52xK2cNCNo8GbXtzTGcZO/QDrlpBQV/KWByAT8CpxbaQb?= =?iso-8859-1?Q?gZcPIhdv1ZruiKI31fLjM+i7A24cXu3SZm1VS5k8Yh9p/dhrv1szhR8yfe?= =?iso-8859-1?Q?X5mnV2PNt7I6qW3VJ6+fJv8gQjltN5UK3aRh9p0RtL/SV4tQF29gIU8rGf?= =?iso-8859-1?Q?e0YLFPJpNavFhUgYgfngO4fZ68cTuvLHhZBm6k9CwlGq3qfxvXctarZtKf?= =?iso-8859-1?Q?W24kqEZyIK48ALVwK2UHlmBK3jNJQa7KxA2HMfcKD9e6NaOe5hA2p7aJEo?= =?iso-8859-1?Q?BjLxdWILA0ynqpDfo2xdJetGSPTVdMBTWILfYebGa4Qf3GvR78dPyJ4n8O?= =?iso-8859-1?Q?bgc2PuwSZ/CKBz/BzB4uyW+6Gw2rJsmddy805ZEqVL8rGj4ejBipwywqnF?= =?iso-8859-1?Q?8GTFFkyf0AqrBj5XmCeCv8rcOjY5GoNeaB1uGKo6KlBMRGnvbyoB9uU2uH?= =?iso-8859-1?Q?lTZJk5Xv/cKTyczNnOKounTFIKLrOAIpKkAv3pyCIcvlRD?= Content-Type: multipart/alternative; boundary="_000_PH7PR17MB70261C4B092175F99F546259C0E42PH7PR17MB7026namp_" MIME-Version: 1.0 X-Exchange-RoutingPolicyChecked: D6R81IHI2Yo3Jnd+P6h2GazfdxZSLLhV1b758Z4nxon27AtfpWR6/l/1glEQVIRj1FWDeKeR0BslIx6xoXJdUhG3OQuY3tjwzBdURhK6Oqt7P31vsrNqGRIvr8B6QpFIu1/QKc9TaQ1CIynpNyQ1owq6pRtGR1lfuHth5ksOEI3jBT7pE+E3QJKkmxVCLBFT7GM9iN64Wak7nVcEuP2MqLmQJMDRFUFkW+UYXf1cZbFrimL4eUikge43KpVKyCzxOIUWWIAikOFtyQKMIXdYvtn0i6wrSJbuhDViE2aeEDgWqWxexHpEe5mjp0CvTQ0cBSjpus7bqd0GfnCNMmxxFQ== X-OriginatorOrg: epic.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH7PR17MB7026.namprd17.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4dfce298-3e69-4b52-3412-08decc981400 X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2026 17:44:27.5741 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: d8d598e0-2fb2-4605-8514-1967b50e2bd6 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: KA2fBNv6ilijOOFrd+xldx4cHUhNdXX0uYBuU10D0HVMEG2wGVFnIrK3/IW1BPn0qvz6oXJO2nEX8YC7Ac3KbQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR17MB5620 X-Authority-Analysis: v=2.4 cv=c8Cbhx9l c=1 sm=1 tr=0 ts=6a32dcfe cx=c_pps a=Yf+1g9CPtaneS6NJHGTLjg==:117 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=FelO9ux0wxsA:10 a=fLxXaBswY2kA:10 a=VkNPw1HP01LnGYTKEx00:22 a=HcFE1RN0hNOP7eReKWeE:22 a=0jqxnJFvnUSGxo1zAUCy:22 a=nqngphQYAAAA:8 a=cWRNjhkoAAAA:8 a=tHz9FfFoAAAA:8 a=KiA8O_NwAAAA:8 a=GXlsYMYiqhGXY-vyWRcA:9 a=lqcHg5cX4UMA:10 a=wPNLvfGTeEIA:10 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=vWrzgcSVSFaXOwdeQxoA:9 a=wOY9h_w_h4bZZTSK:21 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K0A:10 a=frz4AuCg-hUA:10 a=l3Kf0c7r5vjhVLBHvrpp:22 a=sVa6W5Aao32NNC1mekxh:22 a=E2LB0w4p2F9oaE3r9NTf:22 X-Proofpoint-GUID: pilTbyKAlecp8OVSxTzVYbtPhE3ZmiY7 X-Proofpoint-Spam-Info: AW1haW4tMjYwNjE3MDE3MCBTYWx0ZWRfX4p0JcRNQBlB6 hrWvN5d0m+sr28tyQGKNBylRz9JSF34XIhfmewiphaKrLgKPlpnyE6ExOpxVOOVEtu+BDc/Y7EL CNyQevnWEvx3Xi/HDSYueumeBUoN7h4= X-Proofpoint-ORIG-GUID: pilTbyKAlecp8OVSxTzVYbtPhE3ZmiY7 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNjE3MDE3MCBTYWx0ZWRfXyem1Jl5WIAdl DVctUkusJ2srQaO8wgc+R2HwjbBtu9Jn9TMfFSwfZQclvcENT59T77l6+n03foaOpSFaYPsr0fl mI334qO9oa6+H6N7I3uRbKKJwN3+m+WDdoY++ugAmCyfaRFQ2zKItdktxmqVTecwrcTsAk7dO+7 68mMGproASnPr3udPQXwdMlWnx/nCBZVRxhjkeq7a1qS2IXDTjw/OpefVXgl9T+QBYQLP3H6yru OE+Q5Ug9XIbH779o03DJvMtgzSkqX+s059Y9ZtYPRjqo0Kbf/tVMvb73AnfXucA0bKhOwbEK3n/ IqsBpfiPU/krQjIRn+mqKsxVXHIHq8PTstAOL/gIDLg0Yp5o99FXwIduYDdm7G/frAKkxUOqIIf 9vGcaYCojvnYP03QqmS2vpKbWf6XemuEPthSCFos4TcmLLC255HplCM66kb0cfploY7GMcI0YLS wVzUXUdBLrOMEky1pgw== X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 suspectscore=0 priorityscore=1501 adultscore=0 bulkscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2606150000 definitions=main-2606170170 X-purgate-ID: tlsNG-d25034/1781718274-DA776CF5-84ECCF90/0/0 X-purgate-type: clean X-purgate-size: 14531 --_000_PH7PR17MB70261C4B092175F99F546259C0E42PH7PR17MB7026namp_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hello! I am checking back in on this request. --Jake From: Jake Vondra Sent: Thursday, May 28, 2026 12:00 PM To: predisclosure-applications@lists.xenproject.org Cc: Darryl Voss ; alex.brett@citrix.com Subject: Epic Hosting - Xen Pre-Disclosure Submission I am writing to request an addition to the Pre-Disclosure program - my resp= onses to the requested prompts are in bold below. * The name of your organization: Epic Hosting LLC * Domain name(s) which you use to provide Xen software/services: epicho= sted.com * A brief description of why you fit the criteria: we are a large scale= enterprise delivering our integrated healthcare software * If not all of your products/services use Xen, a list of (some of) you= r products/services (or categories thereof) which do: we largely deliver th= e application presentation layer via XenServer * Link(s) to current public web pages, belonging to your organisation, = for each of following pieces of information: * Evidence of your status as a service/software provider: https://ww= w.epic.com/ * If you are a public hosting provider, your public rates or how to = get a quote: NA * If you are a software provider, how your software can be downloade= d or purchased: https://www.epic.com/contact/ * If you are an open-source project, a mailing list archive and/or vers= ion control repository, with active development: NA * Evidence of your status as a user/distributor of Xen: NA * Statements about, or descriptions of, your eligible production ser= vices or released software, from which it is immediately evident that they = use Xen. * Information about your handling of security problems: https://www.epi= c.com/epic/page/reporting-potential-security-vulnerability/ * Your invitation to members of the public, who discover security pr= oblems with your products/services, to report them in confidence to you; * Specifically, the contact information (email addresses or other co= ntact instructions) which such a member of the public should use. * A statement to the effect that you have read this policy and agree to= abide by the terms for inclusion in the list, specifically the requirement= s to regarding confidentiality during an embargo period: Acknowledged - thi= s has been reviewed * The single (non-personal) email alias you wish added to the predisclo= sure list: XenServer-Notices@epic.com Regards, Jake Vondra Epic | Hosting | 608-271-9000 --_000_PH7PR17MB70261C4B092175F99F546259C0E42PH7PR17MB7026namp_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

Hello! I am checking back in on this request. <= /o:p>

 

 

--Jake

 

From: Jake Vondra
Sent: Thursday, May 28, 2026 12:00 PM
To: predisclosure-applications@lists.xenproject.org
Cc: Darryl Voss <Darryl@epic.com>; alex.brett@citrix.com
Subject: Epic Hosting - Xen Pre-Disclosure Submission

 

I am writing to request an addition to the Pre-Discl= osure program – my responses to the requested prompts are in bold bel= ow.

 

--_000_PH7PR17MB70261C4B092175F99F546259C0E42PH7PR17MB7026namp_--