From xen-announce-bounces@lists.xen.org Tue Sep 01 13:20:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 01 Sep 2015 13:20:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZWlT5-0001kj-2H; Tue, 01 Sep 2015 13:19:19 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlT3-0001kR-Jg; Tue, 01 Sep 2015 13:19:17 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	20/D4-02380-4D5A5E55; Tue, 01 Sep 2015 13:19:16 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-206.messagelabs.com!1441113554!31946775!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15192 invoked from network); 1 Sep 2015 13:19:15 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	1 Sep 2015 13:19:15 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlSu-0003WO-0H; Tue, 01 Sep 2015 13:19:08 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlSt-00030m-NL; Tue, 01 Sep 2015 13:19:07 +0000
Date: Tue, 01 Sep 2015 13:19:07 +0000
Message-Id: <E1ZWlSt-00030m-NL@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 141 (CVE-2015-6654) - printk
 is not rate-limited in xenmem_add_to_physmap_one
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-6654 / XSA-141
                              version 3

         printk is not rate-limited in xenmem_add_to_physmap_one

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

XENMAPSPACE_gmfn_foreign dumps the p2m, on ARM, when it fails to get a
reference on the foreign page.  However, dump_p2m_lookup does not use
rate-limited printk.

A malicious infrastructure domain, which is allowed to map memory of
a foreign guest, would be able to flood the Xen console.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service to other parts of the system.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, xm/xend,
XCP/XenServer, OpenStack or CloudStack (unless substantially modified
or supplemented, as compared to versions supplied by the respective
upstreams).

This issue is not relevant to stub device models, driver domains, or
stub xenstored.  Those disaggregation techniques do not rely on
granting the semi-privileged support domains access to the affected
hypercall, and are believed to provide the intended security benefits.

Only ARM systems are potentially affected.  All Xen versions which
support ARM are potentially affected.

MITIGATION
==========

Reducing the hypervisor log level can be used to suppress messages.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".  Users and
vendors of disaggregated systems should not change their
configuration.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa141.patch        Xen 4.4.x, 4.5.x, xen-unstable

$ sha256sum xsa141*.patch
12358565dc443e1855a1b5776fa9008c5ea5e5854bd4e93b88ab4178c698fc2a  xsa141.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJV5aV+AAoJEIP+FMlX6CvZz74H/jn2L3URqeatI7eBXRtpC9SL
DshKXMZRC746x5W06nsFp9dxr/ggSrMG1avM3q/V2dF5Sb/RDyH3A4D8DVhZOFQh
jxYScztKJI2OjRmPJvPatVR9oYBQhLpwg8yE3ye6//ObHCO3PSqX28VqWkS8gZha
E3Cr3PpbWN1nO1PkHZBqq9BRT7B6Nq/1HE3TnbgjYVWUryWMUUp6GZOZ9QYOTbQB
F5I7oimZ/mW2B4PL9p2lCKnCBDJIELpeE6sZAmv8yeQg7Lq7UhwWnB57U8gOOe1I
uzV5z852a9Hqdn8flUOGn0eQxputFRdOTamaMqQ2UtG2f0E+l2R6ahD1CGyTmBM=
=pKQu
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa141.patch"
Content-Disposition: attachment; filename="xsa141.patch"
Content-Transfer-Encoding: base64

RnJvbTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAY2l0cml4LmNvbT4K
RGF0ZTogVGh1LCAxMyBBdWcgMjAxNSAxMjowMzo0MyArMDEwMApTdWJqZWN0
OiBbUEFUQ0hdIHhlbi9hcm06IG1tOiBEbyBub3QgZHVtcCB0aGUgcDJtIHdo
ZW4gbWFwcGluZyBhIGZvcmVpZ24gZ2ZuCgpUaGUgcGh5c21hcCBvcGVyYXRp
b24gWEVOTUFQU1BBQ0VfZ2Ztbl9mb3JlaWduIGlzIGR1bXBpbmcgdGhlIHAy
bSB3aGVuCmFuIGVycm9yIG9jY3VyZWQgYnkgY2FsbGluZyBkdW1wX3AybV9s
b29rdXAuIEJ1dCB0aGlzIGZ1bmN0aW9uIGlzIG5vdAp1c2luZyByYXRlbGlt
aXRlZCBwcmludGsuCgpBbnkgZG9tYWluIGFibGUgdG8gbWFwIGZvcmVpZ24g
Z2ZtbiB3b3VsZCBiZSBhYmxlIHRvIGZsb29kIHRoZSBYZW4KY29uc29sZS4K
ClRoZSBpbmZvcm1hdGlvbiB3YXNuJ3Qgbm90IHVzZWZ1bCBzbyBkcm9wIGl0
LgoKVGhpcyBpcyBYU0EtMTQxLgoKU2lnbmVkLW9mZi1ieTogSnVsaWVuIEdy
YWxsIDxqdWxpZW4uZ3JhbGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD
YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQogeGVuL2Fy
Y2gvYXJtL21tLmMgfCAxIC0KIDEgZmlsZSBjaGFuZ2VkLCAxIGRlbGV0aW9u
KC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL21tLmMgYi94ZW4vYXJj
aC9hcm0vbW0uYwppbmRleCBhZTBmMzRjLi5kMDBkNTI2IDEwMDY0NAotLS0g
YS94ZW4vYXJjaC9hcm0vbW0uYworKysgYi94ZW4vYXJjaC9hcm0vbW0uYwpA
QCAtMTExNCw3ICsxMTE0LDYgQEAgaW50IHhlbm1lbV9hZGRfdG9fcGh5c21h
cF9vbmUoCiAgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2dmbihvZCwg
aWR4LCAmcDJtdCwgUDJNX0FMTE9DKTsKICAgICAgICAgaWYgKCAhcGFnZSAp
CiAgICAgICAgIHsKLSAgICAgICAgICAgIGR1bXBfcDJtX2xvb2t1cChvZCwg
cGZuX3RvX3BhZGRyKGlkeCkpOwogICAgICAgICAgICAgcmN1X3VubG9ja19k
b21haW4ob2QpOwogICAgICAgICAgICAgcmV0dXJuIC1FSU5WQUw7CiAgICAg
ICAgIH0KLS0gCjIuMS40Cgo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 01 13:20:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 01 Sep 2015 13:20:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZWlT5-0001kj-2H; Tue, 01 Sep 2015 13:19:19 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlT3-0001kR-Jg; Tue, 01 Sep 2015 13:19:17 +0000
Received: from [85.158.139.211] by server-17.bemta-5.messagelabs.com id
	20/D4-02380-4D5A5E55; Tue, 01 Sep 2015 13:19:16 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-6.tower-206.messagelabs.com!1441113554!31946775!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15192 invoked from network); 1 Sep 2015 13:19:15 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-6.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	1 Sep 2015 13:19:15 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlSu-0003WO-0H; Tue, 01 Sep 2015 13:19:08 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZWlSt-00030m-NL; Tue, 01 Sep 2015 13:19:07 +0000
Date: Tue, 01 Sep 2015 13:19:07 +0000
Message-Id: <E1ZWlSt-00030m-NL@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 141 (CVE-2015-6654) - printk
 is not rate-limited in xenmem_add_to_physmap_one
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-6654 / XSA-141
                              version 3

         printk is not rate-limited in xenmem_add_to_physmap_one

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

XENMAPSPACE_gmfn_foreign dumps the p2m, on ARM, when it fails to get a
reference on the foreign page.  However, dump_p2m_lookup does not use
rate-limited printk.

A malicious infrastructure domain, which is allowed to map memory of
a foreign guest, would be able to flood the Xen console.

IMPACT
======

Domains deliberately given partial management control may be able to
deny service to other parts of the system.

As a result, in a system designed to enhance security by radically
disaggregating the management, the security may be reduced.  But, the
security will be no worse than a non-disaggregated design.

VULNERABLE SYSTEMS
==================

This issue is only relevant to systems which intend to increase
security through the use of advanced disaggregated management
techniques.

This does not include systems using libxl, libvirt, xm/xend,
XCP/XenServer, OpenStack or CloudStack (unless substantially modified
or supplemented, as compared to versions supplied by the respective
upstreams).

This issue is not relevant to stub device models, driver domains, or
stub xenstored.  Those disaggregation techniques do not rely on
granting the semi-privileged support domains access to the affected
hypercall, and are believed to provide the intended security benefits.

Only ARM systems are potentially affected.  All Xen versions which
support ARM are potentially affected.

MITIGATION
==========

Reducing the hypervisor log level can be used to suppress messages.

Switching from disaggregated to a non-disaggregated operation does NOT
mitigate these vulnerabilities.  Rather, it simply recategorises the
vulnerability to hostile management code, regarding it "as designed";
thus it merely reclassifies these issues as "not a bug".  Users and
vendors of disaggregated systems should not change their
configuration.

CREDITS
=======

This issue was discovered by Julien Grall of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa141.patch        Xen 4.4.x, 4.5.x, xen-unstable

$ sha256sum xsa141*.patch
12358565dc443e1855a1b5776fa9008c5ea5e5854bd4e93b88ab4178c698fc2a  xsa141.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJV5aV+AAoJEIP+FMlX6CvZz74H/jn2L3URqeatI7eBXRtpC9SL
DshKXMZRC746x5W06nsFp9dxr/ggSrMG1avM3q/V2dF5Sb/RDyH3A4D8DVhZOFQh
jxYScztKJI2OjRmPJvPatVR9oYBQhLpwg8yE3ye6//ObHCO3PSqX28VqWkS8gZha
E3Cr3PpbWN1nO1PkHZBqq9BRT7B6Nq/1HE3TnbgjYVWUryWMUUp6GZOZ9QYOTbQB
F5I7oimZ/mW2B4PL9p2lCKnCBDJIELpeE6sZAmv8yeQg7Lq7UhwWnB57U8gOOe1I
uzV5z852a9Hqdn8flUOGn0eQxputFRdOTamaMqQ2UtG2f0E+l2R6ahD1CGyTmBM=
=pKQu
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa141.patch"
Content-Disposition: attachment; filename="xsa141.patch"
Content-Transfer-Encoding: base64

RnJvbTogSnVsaWVuIEdyYWxsIDxqdWxpZW4uZ3JhbGxAY2l0cml4LmNvbT4K
RGF0ZTogVGh1LCAxMyBBdWcgMjAxNSAxMjowMzo0MyArMDEwMApTdWJqZWN0
OiBbUEFUQ0hdIHhlbi9hcm06IG1tOiBEbyBub3QgZHVtcCB0aGUgcDJtIHdo
ZW4gbWFwcGluZyBhIGZvcmVpZ24gZ2ZuCgpUaGUgcGh5c21hcCBvcGVyYXRp
b24gWEVOTUFQU1BBQ0VfZ2Ztbl9mb3JlaWduIGlzIGR1bXBpbmcgdGhlIHAy
bSB3aGVuCmFuIGVycm9yIG9jY3VyZWQgYnkgY2FsbGluZyBkdW1wX3AybV9s
b29rdXAuIEJ1dCB0aGlzIGZ1bmN0aW9uIGlzIG5vdAp1c2luZyByYXRlbGlt
aXRlZCBwcmludGsuCgpBbnkgZG9tYWluIGFibGUgdG8gbWFwIGZvcmVpZ24g
Z2ZtbiB3b3VsZCBiZSBhYmxlIHRvIGZsb29kIHRoZSBYZW4KY29uc29sZS4K
ClRoZSBpbmZvcm1hdGlvbiB3YXNuJ3Qgbm90IHVzZWZ1bCBzbyBkcm9wIGl0
LgoKVGhpcyBpcyBYU0EtMTQxLgoKU2lnbmVkLW9mZi1ieTogSnVsaWVuIEdy
YWxsIDxqdWxpZW4uZ3JhbGxAY2l0cml4LmNvbT4KQWNrZWQtYnk6IElhbiBD
YW1wYmVsbCA8aWFuLmNhbXBiZWxsQGNpdHJpeC5jb20+Ci0tLQogeGVuL2Fy
Y2gvYXJtL21tLmMgfCAxIC0KIDEgZmlsZSBjaGFuZ2VkLCAxIGRlbGV0aW9u
KC0pCgpkaWZmIC0tZ2l0IGEveGVuL2FyY2gvYXJtL21tLmMgYi94ZW4vYXJj
aC9hcm0vbW0uYwppbmRleCBhZTBmMzRjLi5kMDBkNTI2IDEwMDY0NAotLS0g
YS94ZW4vYXJjaC9hcm0vbW0uYworKysgYi94ZW4vYXJjaC9hcm0vbW0uYwpA
QCAtMTExNCw3ICsxMTE0LDYgQEAgaW50IHhlbm1lbV9hZGRfdG9fcGh5c21h
cF9vbmUoCiAgICAgICAgIHBhZ2UgPSBnZXRfcGFnZV9mcm9tX2dmbihvZCwg
aWR4LCAmcDJtdCwgUDJNX0FMTE9DKTsKICAgICAgICAgaWYgKCAhcGFnZSAp
CiAgICAgICAgIHsKLSAgICAgICAgICAgIGR1bXBfcDJtX2xvb2t1cChvZCwg
cGZuX3RvX3BhZGRyKGlkeCkpOwogICAgICAgICAgICAgcmN1X3VubG9ja19k
b21haW4ob2QpOwogICAgICAgICAgICAgcmV0dXJuIC1FSU5WQUw7CiAgICAg
ICAgIH0KLS0gCjIuMS40Cgo=

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Wed Sep 09 14:08:25 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 09 Sep 2015 14:08:25 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZZg1m-0008Kw-Vv; Wed, 09 Sep 2015 14:07:10 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=6876f1e97=wei.liu2@citrix.com>)
	id 1ZZfBm-0002t7-2M; Wed, 09 Sep 2015 13:13:26 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
	EF/DB-15765-47030F55; Wed, 09 Sep 2015 13:13:24 +0000
X-Env-Sender: prvs=6876f1e97=wei.liu2@citrix.com
X-Msg-Ref: server-3.tower-27.messagelabs.com!1441804402!48149312!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8385 invoked from network); 9 Sep 2015 13:13:23 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-3.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	9 Sep 2015 13:13:23 -0000
X-IronPort-AV: E=Sophos;i="5.17,496,1437436800"; d="scan'208";a="302364759"
Date: Wed, 9 Sep 2015 14:12:07 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-announce@lists.xenproject.org>,
	<xen-users@lists.xenproject.org>
Message-ID: <20150909131207.GO12714@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-DLP: MIA1
X-Mailman-Approved-At: Wed, 09 Sep 2015 14:07:09 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 RC3
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

Xen 4.6 RC3 has been tagged. You can check out the tag 4.6.0-rc3 in xen.git.

The tarball can be downloaded from:

http://bits.xensource.com/oss-xen/release/4.6.0-rc3/xen-4.6.0-rc3.tar.gz

Signature for tarball:

http://bits.xensource.com/oss-xen/release/4.6.0-rc3/xen-4.6.0-rc3.tar.gz.sig

When reporting bugs, please send your bug report to
xen-devel@lists.xenproject.org, present as much information as possible, tag it
with "BUG-4.6" and CC release manager (wei.liu2@citrix.com) and relevant
maintainers.

Annoucement for test day will be made separately.

Known issues / pending patches:

Subject: [PATCH v2] efi: introduce efi_arch_flush_dcache_area
Message-ID: <1441708697-578-1-git-send-email-stefano.stabellini@eu.citrix.com>

Subject: [PATCH for 4.6] x86/VPMU: Set VPMU context pointer to NULL when freeing it
Message-ID: <1441767352-9022-1-git-send-email-boris.ostrovsky@oracle.com>

Subject: [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode
Message-ID: <1441763998-4937-1-git-send-email-tiejun.chen@intel.com>

Subject: [Xen-devel] [PATCH] x86/hvm: fix saved pmtimer value
Message-ID: <87egi8kpzy.fsf@pingu.sky.yk.fujitsu.co.jp>

Guest with vNUMA configured can't be saved because save record doesn't contain
node information. Patches under development.

./configure --enable-systemd won't fail even if no systemd development files
are found. Patch to be developed.

Wei.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Wed Sep 09 14:08:25 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Wed, 09 Sep 2015 14:08:25 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZZg1m-0008Kw-Vv; Wed, 09 Sep 2015 14:07:10 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=6876f1e97=wei.liu2@citrix.com>)
	id 1ZZfBm-0002t7-2M; Wed, 09 Sep 2015 13:13:26 +0000
Received: from [193.109.254.147] by server-11.bemta-14.messagelabs.com id
	EF/DB-15765-47030F55; Wed, 09 Sep 2015 13:13:24 +0000
X-Env-Sender: prvs=6876f1e97=wei.liu2@citrix.com
X-Msg-Ref: server-3.tower-27.messagelabs.com!1441804402!48149312!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 8385 invoked from network); 9 Sep 2015 13:13:23 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-3.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	9 Sep 2015 13:13:23 -0000
X-IronPort-AV: E=Sophos;i="5.17,496,1437436800"; d="scan'208";a="302364759"
Date: Wed, 9 Sep 2015 14:12:07 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-announce@lists.xenproject.org>,
	<xen-users@lists.xenproject.org>
Message-ID: <20150909131207.GO12714@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)
X-DLP: MIA1
X-Mailman-Approved-At: Wed, 09 Sep 2015 14:07:09 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 RC3
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

Xen 4.6 RC3 has been tagged. You can check out the tag 4.6.0-rc3 in xen.git.

The tarball can be downloaded from:

http://bits.xensource.com/oss-xen/release/4.6.0-rc3/xen-4.6.0-rc3.tar.gz

Signature for tarball:

http://bits.xensource.com/oss-xen/release/4.6.0-rc3/xen-4.6.0-rc3.tar.gz.sig

When reporting bugs, please send your bug report to
xen-devel@lists.xenproject.org, present as much information as possible, tag it
with "BUG-4.6" and CC release manager (wei.liu2@citrix.com) and relevant
maintainers.

Annoucement for test day will be made separately.

Known issues / pending patches:

Subject: [PATCH v2] efi: introduce efi_arch_flush_dcache_area
Message-ID: <1441708697-578-1-git-send-email-stefano.stabellini@eu.citrix.com>

Subject: [PATCH for 4.6] x86/VPMU: Set VPMU context pointer to NULL when freeing it
Message-ID: <1441767352-9022-1-git-send-email-boris.ostrovsky@oracle.com>

Subject: [v2][PATCH] xen/vtd/iommu: permit group devices to passthrough in relaxed mode
Message-ID: <1441763998-4937-1-git-send-email-tiejun.chen@intel.com>

Subject: [Xen-devel] [PATCH] x86/hvm: fix saved pmtimer value
Message-ID: <87egi8kpzy.fsf@pingu.sky.yk.fujitsu.co.jp>

Guest with vNUMA configured can't be saved because save record doesn't contain
node information. Patches under development.

./configure --enable-systemd won't fail even if no systemd development files
are found. Patch to be developed.

Wei.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Mon Sep 14 11:18:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 14 Sep 2015 11:18:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZbRlD-0005uB-5S; Mon, 14 Sep 2015 11:17:23 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=692576423=Ian.Jackson@citrix.com>)
	id 1ZbRlC-0005tb-A1; Mon, 14 Sep 2015 11:17:22 +0000
Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id
	8F/24-01421-DBCA6F55; Mon, 14 Sep 2015 11:17:17 +0000
X-Env-Sender: prvs=692576423=Ian.Jackson@citrix.com
X-Msg-Ref: server-5.tower-31.messagelabs.com!1442229434!44133534!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10190 invoked from network); 14 Sep 2015 11:17:16 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-5.tower-31.messagelabs.com with RC4-SHA encrypted SMTP;
	14 Sep 2015 11:17:16 -0000
X-IronPort-AV: E=Sophos;i="5.17,527,1437436800"; d="scan'208";a="303391297"
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
MIME-Version: 1.0
Message-ID: <22006.44179.784995.855059@mariner.uk.xensource.com>
Date: Mon, 14 Sep 2015 12:16:35 +0100
To: Lars Kurth <lars.kurth@citrix.com>
In-Reply-To: <20150914111325.GE2294@zion.uk.xensource.com>
References: <20150909131207.GO12714@zion.uk.xensource.com>
	<CAFLBxZYJQv-31GZ7nW8RiBr1SANv6RMNVscZpxSg=8GCAbvQYQ@mail.gmail.com>
	<20150914111325.GE2294@zion.uk.xensource.com>
X-Mailer: VM 8.1.0 under 23.4.1 (i486-pc-linux-gnu)
X-DLP: MIA1
Cc: xen-devel <xen-devel@lists.xenproject.org>,
	George Dunlap <dunlapg@umich.edu>, xen-announce@lists.xenproject.org,
	xen-users@lists.xenproject.org
Subject: Re: [Xen-announce] [Xen-devel] ANNOUNCEMENT: Xen 4.6 RC3
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Wei Liu writes ("Re: [Xen-devel] ANNOUNCEMENT: Xen 4.6 RC3"):
> On Mon, Sep 14, 2015 at 12:11:47PM +0100, George Dunlap wrote:
> > I realize they all point the same place, but shouldn't we ideally be
> > using xenproject.org rather than xensource.com?  Particularly as the
> > latter hasn't actually existed as an entity for nearly 8 years? :-)
> 
> CC Ian.

"bits.xensource.com" is an akamai service which is being paid for by
Citrix and contains a variety of ... stuff.

I have no idea how much our download bandwidth is, which means I don't
know if we can host our tarballs etc. on xenbits.

Ian.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Mon Sep 14 11:18:24 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 14 Sep 2015 11:18:24 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZbRlD-0005uB-5S; Mon, 14 Sep 2015 11:17:23 +0000
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=692576423=Ian.Jackson@citrix.com>)
	id 1ZbRlC-0005tb-A1; Mon, 14 Sep 2015 11:17:22 +0000
Received: from [85.158.137.68] by server-1.bemta-3.messagelabs.com id
	8F/24-01421-DBCA6F55; Mon, 14 Sep 2015 11:17:17 +0000
X-Env-Sender: prvs=692576423=Ian.Jackson@citrix.com
X-Msg-Ref: server-5.tower-31.messagelabs.com!1442229434!44133534!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10190 invoked from network); 14 Sep 2015 11:17:16 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-5.tower-31.messagelabs.com with RC4-SHA encrypted SMTP;
	14 Sep 2015 11:17:16 -0000
X-IronPort-AV: E=Sophos;i="5.17,527,1437436800"; d="scan'208";a="303391297"
From: Ian Jackson <Ian.Jackson@eu.citrix.com>
MIME-Version: 1.0
Message-ID: <22006.44179.784995.855059@mariner.uk.xensource.com>
Date: Mon, 14 Sep 2015 12:16:35 +0100
To: Lars Kurth <lars.kurth@citrix.com>
In-Reply-To: <20150914111325.GE2294@zion.uk.xensource.com>
References: <20150909131207.GO12714@zion.uk.xensource.com>
	<CAFLBxZYJQv-31GZ7nW8RiBr1SANv6RMNVscZpxSg=8GCAbvQYQ@mail.gmail.com>
	<20150914111325.GE2294@zion.uk.xensource.com>
X-Mailer: VM 8.1.0 under 23.4.1 (i486-pc-linux-gnu)
X-DLP: MIA1
Cc: xen-devel <xen-devel@lists.xenproject.org>,
	George Dunlap <dunlapg@umich.edu>, xen-announce@lists.xenproject.org,
	xen-users@lists.xenproject.org
Subject: Re: [Xen-announce] [Xen-devel] ANNOUNCEMENT: Xen 4.6 RC3
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Wei Liu writes ("Re: [Xen-devel] ANNOUNCEMENT: Xen 4.6 RC3"):
> On Mon, Sep 14, 2015 at 12:11:47PM +0100, George Dunlap wrote:
> > I realize they all point the same place, but shouldn't we ideally be
> > using xenproject.org rather than xensource.com?  Particularly as the
> > latter hasn't actually existed as an entity for nearly 8 years? :-)
> 
> CC Ian.

"bits.xensource.com" is an akamai service which is being paid for by
Citrix and contains a variety of ... stuff.

I have no idea how much our download bandwidth is, which means I don't
know if we can host our tarballs etc. on xenbits.

Ian.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Tue Sep 22 10:11:32 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Sep 2015 10:11:32 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZeKWj-0007aF-Ve; Tue, 22 Sep 2015 10:10:21 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWi-0007a0-3I; Tue, 22 Sep 2015 10:10:20 +0000
Received: from [85.158.139.211] by server-2.bemta-5.messagelabs.com id
	8D/4B-31450-B0921065; Tue, 22 Sep 2015 10:10:19 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-206.messagelabs.com!1442916617!36840700!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17711 invoked from network); 22 Sep 2015 10:10:18 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Sep 2015 10:10:18 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWT-0007LT-44; Tue, 22 Sep 2015 10:10:09 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWR-0000te-26; Tue, 22 Sep 2015 10:10:03 +0000
Date: Tue, 22 Sep 2015 10:10:03 +0000
Message-Id: <E1ZeKWR-0000te-26@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 142 - libxl fails to honour
 readonly flag on disks with qemu-xen
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-142

        libxl fails to honour readonly flag on disks with qemu-xen

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the
guest.  However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable.  The
affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
   device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
   device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible
effects or even regressions.

It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.

RESOLUTION
==========

There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.

The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest.  Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.

xsa142-4.6.patch                 Xen 4.6.x and later
xsa142-4.5.patch                 Xen 4.3.x to 4.5.x inclusive

$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124  xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1  xsa142-4.6.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public in the Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=1257893

CREDITS
=======

Thanks to Michael Young of Durham University for bring this problem to
our attention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWASalAAoJEIP+FMlX6CvZkVgIAKUhbsVLSK95wRJzNdOrcVgU
c1lCtgZRX2kbc9f05rxbNyadVsQYyT1/i+0wErAsXUKWgNKiKYUFAUaN8382Uim0
1UaJVEcjj5PWWB8rT6EoXqK84ODaLfUwXQosBEhbwKTEMMb0GQu2tIlh4Bc58KI6
SzMFF2IQPvKcHGQFGLmPmxUARXjHXN7WXrAlFn9hXfNmepHnJsOR2MjvFvucYgr0
2tTiZBkRVt8XRH7Ll1nKFD7zu9LlfHA8WHAdddNCawkSO9mxbc58k+0zg1i2gaMx
locAjLK8UXYaFJEi52kqz7qGWItXfFMY8bTmAhexMpbwUu170stsWQfCxyGiWtU=
=BFh1
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa142-4.5.patch"
Content-Disposition: attachment; filename="xsa142-4.5.patch"
Content-Transfer-Encoding: base64

RnJvbSAwN2NhMDA3MDNmNzZhZDM5MmVkYTVlZTUyY2NlMTE5N2NmNDljMzBh
IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW5vIFN0YWJl
bGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRyaXguY29tPgpTdWJq
ZWN0OiBbUEFUQ0ggdjIuMSBmb3ItNC41XSBsaWJ4bDogaGFuZGxlIHJlYWQt
b25seSBkcml2ZXMgd2l0aCBxZW11LXhlbgoKVGhlIGN1cnJlbnQgbGlieGwg
Y29kZSBkb2Vzbid0IGRlYWwgd2l0aCByZWFkLW9ubHkgZHJpdmVzIGF0IGFs
bC4KClVwc3RyZWFtIFFFTVUgYW5kIHFlbXUteGVuIG9ubHkgc3VwcG9ydCBy
ZWFkLW9ubHkgY2Ryb20gZHJpdmVzOiBtYWtlCnN1cmUgdG8gc3BlY2lmeSAi
cmVhZG9ubHk9b24iIGZvciBjZHJvbSBkcml2ZXMgYW5kIHJldHVybiBlcnJv
ciBpbiBjYXNlCnRoZSB1c2VyIHJlcXVlc3RlZCBhIG5vbi1jZHJvbSByZWFk
LW9ubHkgZHJpdmUuCgpUaGlzIGlzIFhTQS0xNDIsIGRpc2NvdmVyZWQgYnkg
TGluIExpdQooaHR0cHM6Ly9idWd6aWxsYS5yZWRoYXQuY29tL3Nob3dfYnVn
LmNnaT9pZD0xMjU3ODkzKS4KClNpZ25lZC1vZmYtYnk6IFN0ZWZhbm8gU3Rh
YmVsbGluaSA8c3RlZmFuby5zdGFiZWxsaW5pQGV1LmNpdHJpeC5jb20+CgpC
YWNrcG9ydCB0byBYZW4gNC41IGFuZCBlYXJsaWVyLCBhcHJvcG9zIG9mIHJl
cG9ydCBhbmQgcmV2aWV3IGZyb20KTWljaGFlbCBZb3VuZy4KClNpZ25lZC1v
ZmYtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRyaXguY29t
PgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsrKysrKysr
Ky0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyksIDQgZGVs
ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggYjRjZTUyMy4uZDc0
ZmIxNCAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0uYworKysg
Yi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC03OTcsMTMgKzc5NywxOCBA
QCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2aWNlX21vZGVsX2Fy
Z3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uaXNfY2Ryb20pIHsKICAgICAgICAgICAgICAgICBpZiAoZGlza3NbaV0u
Zm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKQogICAgICAgICAg
ICAgICAgICAgICBkcml2ZSA9IGxpYnhsX19zcHJpbnRmCi0gICAgICAgICAg
ICAgICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQsbWVkaWE9Y2Ry
b20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAg
ICAgICAgICAgICAgZGlzaywgZGV2X251bWJlcik7CisgICAgICAgICAgICAg
ICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMs
bWVkaWE9Y2Ryb20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAg
ICAgICAgICAgICAgICAgICAgICAgZGlzaywgZGlza3NbaV0ucmVhZHdyaXRl
ID8gIm9mZiIgOiAib24iLCBkZXZfbnVtYmVyKTsKICAgICAgICAgICAgICAg
ICBlbHNlCiAgICAgICAgICAgICAgICAgICAgIGRyaXZlID0gbGlieGxfX3Nw
cmludGYKLSAgICAgICAgICAgICAgICAgICAgICAgIChnYywgImZpbGU9JXMs
aWY9aWRlLGluZGV4PSVkLG1lZGlhPWNkcm9tLGZvcm1hdD0lcyxjYWNoZT13
cml0ZWJhY2ssaWQ9aWRlLSVpIiwKLSAgICAgICAgICAgICAgICAgICAgICAg
ICBkaXNrc1tpXS5wZGV2X3BhdGgsIGRpc2ssIGZvcm1hdCwgZGV2X251bWJl
cik7CisgICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxlPSVzLGlm
PWlkZSxpbmRleD0lZCxyZWFkb25seT0lcyxtZWRpYT1jZHJvbSxmb3JtYXQ9
JXMsY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAgICAgICAgICAg
ICAgICAgICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBkaXNrc1tp
XS5yZWFkd3JpdGUgPyAib2ZmIiA6ICJvbiIsIGZvcm1hdCwgZGV2X251bWJl
cik7CiAgICAgICAgICAgICB9IGVsc2UgeworICAgICAgICAgICAgICAgIGlm
ICghZGlza3NbaV0ucmVhZHdyaXRlKSB7CisgICAgICAgICAgICAgICAgICAg
IExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX0VSUk9SLCAicWVtdS14ZW4g
ZG9lc24ndCBzdXBwb3J0IHJlYWQtb25seSBkaXNrIGRyaXZlcnMiKTsKKyAg
ICAgICAgICAgICAgICAgICAgcmV0dXJuIE5VTEw7CisgICAgICAgICAgICAg
ICAgfQorCiAgICAgICAgICAgICAgICAgaWYgKGRpc2tzW2ldLmZvcm1hdCA9
PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkgewogICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19XQVJOSU5HLCAiY2Fu
bm90IHN1cHBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IiBlbXB0eSBkaXNrIGZvcm1hdCBmb3IgJXMiLCBkaXNrc1tpXS52ZGV2KTsK
LS0gCjEuNy4xMC40Cgo=

--=separator
Content-Type: application/octet-stream; name="xsa142-4.6.patch"
Content-Disposition: attachment; filename="xsa142-4.6.patch"
Content-Transfer-Encoding: base64

RnJvbTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlA
ZXUuY2l0cml4LmNvbT4KU3ViamVjdDogW1BBVENIIHYyIGZvci00LjZdIGxp
YnhsOiBoYW5kbGUgcmVhZC1vbmx5IGRyaXZlcyB3aXRoIHFlbXUteGVuCkRh
dGU6IFR1ZSwgMTUgU2VwIDIwMTUgMTA6NTI6MTQgKzAxMDAKClRoZSBjdXJy
ZW50IGxpYnhsIGNvZGUgZG9lc24ndCBkZWFsIHdpdGggcmVhZC1vbmx5IGRy
aXZlcyBhdCBhbGwuCgpVcHN0cmVhbSBRRU1VIGFuZCBxZW11LXhlbiBvbmx5
IHN1cHBvcnQgcmVhZC1vbmx5IGNkcm9tIGRyaXZlczogbWFrZQpzdXJlIHRv
IHNwZWNpZnkgInJlYWRvbmx5PW9uIiBmb3IgY2Ryb20gZHJpdmVzIGFuZCBy
ZXR1cm4gZXJyb3IgaW4gY2FzZQp0aGUgdXNlciByZXF1ZXN0ZWQgYSBub24t
Y2Ryb20gcmVhZC1vbmx5IGRyaXZlLgoKVGhpcyBpcyBYU0EtMTQyLCBkaXNj
b3ZlcmVkIGJ5IExpbiBMaXUKKGh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNv
bS9zaG93X2J1Zy5jZ2k/aWQ9MTI1Nzg5MykuCgpTaWduZWQtb2ZmLWJ5OiBT
dGVmYW5vIFN0YWJlbGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRy
aXguY29tPgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsr
KysrKysrKy0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyks
IDQgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGli
eGxfZG0uYyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggMDJjMDE2
Mi4uNDY4ZmY5YyAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YworKysgYi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC0xMTEwLDEzICsx
MTEwLDE4IEBAIHN0YXRpYyBpbnQgbGlieGxfX2J1aWxkX2RldmljZV9tb2Rl
bF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICAgICAgaWYgKGRp
c2tzW2ldLmlzX2Nkcm9tKSB7CiAgICAgICAgICAgICAgICAgaWYgKGRpc2tz
W2ldLmZvcm1hdCA9PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkKICAgICAg
ICAgICAgICAgICAgICAgZHJpdmUgPSBsaWJ4bF9fc3ByaW50ZgotICAgICAg
ICAgICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLG1lZGlh
PWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAotICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2ssIGRldl9udW1iZXIpOworICAgICAgICAg
ICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLHJlYWRvbmx5
PSVzLG1lZGlhPWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAor
ICAgICAgICAgICAgICAgICAgICAgICAgIGRpc2ssIGRpc2tzW2ldLnJlYWR3
cml0ZSA/ICJvZmYiIDogIm9uIiwgZGV2X251bWJlcik7CiAgICAgICAgICAg
ICAgICAgZWxzZQogICAgICAgICAgICAgICAgICAgICBkcml2ZSA9IGxpYnhs
X19zcHJpbnRmCi0gICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxl
PSVzLGlmPWlkZSxpbmRleD0lZCxtZWRpYT1jZHJvbSxmb3JtYXQ9JXMsY2Fj
aGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAgICAgICAg
ICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBmb3JtYXQsIGRldl9u
dW1iZXIpOworICAgICAgICAgICAgICAgICAgICAgICAgKGdjLCAiZmlsZT0l
cyxpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMsbWVkaWE9Y2Ryb20sZm9y
bWF0PSVzLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAorICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2tzW2ldLnBkZXZfcGF0aCwgZGlzaywgZGlz
a3NbaV0ucmVhZHdyaXRlID8gIm9mZiIgOiAib24iLCBmb3JtYXQsIGRldl9u
dW1iZXIpOwogICAgICAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgICAg
ICBpZiAoIWRpc2tzW2ldLnJlYWR3cml0ZSkgeworICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19FUlJPUiwgInFlbXUt
eGVuIGRvZXNuJ3Qgc3VwcG9ydCByZWFkLW9ubHkgZGlzayBkcml2ZXJzIik7
CisgICAgICAgICAgICAgICAgICAgIHJldHVybiBFUlJPUl9JTlZBTDsKKyAg
ICAgICAgICAgICAgICB9CisKICAgICAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uZm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKSB7CiAgICAg
ICAgICAgICAgICAgICAgIExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX1dB
Uk5JTkcsICJjYW5ub3Qgc3VwcG9ydCIKICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAiIGVtcHR5IGRpc2sgZm9ybWF0IGZvciAlcyIsIGRpc2tz
W2ldLnZkZXYpOwotLSAKMS43LjEwLjQK

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 22 10:11:32 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Sep 2015 10:11:32 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZeKWj-0007aF-Ve; Tue, 22 Sep 2015 10:10:21 +0000
Received: from mail6.bemta5.messagelabs.com ([195.245.231.135])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWi-0007a0-3I; Tue, 22 Sep 2015 10:10:20 +0000
Received: from [85.158.139.211] by server-2.bemta-5.messagelabs.com id
	8D/4B-31450-B0921065; Tue, 22 Sep 2015 10:10:19 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-12.tower-206.messagelabs.com!1442916617!36840700!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 17711 invoked from network); 22 Sep 2015 10:10:18 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-12.tower-206.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Sep 2015 10:10:18 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWT-0007LT-44; Tue, 22 Sep 2015 10:10:09 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZeKWR-0000te-26; Tue, 22 Sep 2015 10:10:03 +0000
Date: Tue, 22 Sep 2015 10:10:03 +0000
Message-Id: <E1ZeKWR-0000te-26@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 142 - libxl fails to honour
 readonly flag on disks with qemu-xen
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-142

        libxl fails to honour readonly flag on disks with qemu-xen

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the
guest.  However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable.  The
affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
   device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
   device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible
effects or even regressions.

It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.

RESOLUTION
==========

There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.

The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest.  Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.

xsa142-4.6.patch                 Xen 4.6.x and later
xsa142-4.5.patch                 Xen 4.3.x to 4.5.x inclusive

$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124  xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1  xsa142-4.6.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public in the Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=1257893

CREDITS
=======

Thanks to Michael Young of Durham University for bring this problem to
our attention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWASalAAoJEIP+FMlX6CvZkVgIAKUhbsVLSK95wRJzNdOrcVgU
c1lCtgZRX2kbc9f05rxbNyadVsQYyT1/i+0wErAsXUKWgNKiKYUFAUaN8382Uim0
1UaJVEcjj5PWWB8rT6EoXqK84ODaLfUwXQosBEhbwKTEMMb0GQu2tIlh4Bc58KI6
SzMFF2IQPvKcHGQFGLmPmxUARXjHXN7WXrAlFn9hXfNmepHnJsOR2MjvFvucYgr0
2tTiZBkRVt8XRH7Ll1nKFD7zu9LlfHA8WHAdddNCawkSO9mxbc58k+0zg1i2gaMx
locAjLK8UXYaFJEi52kqz7qGWItXfFMY8bTmAhexMpbwUu170stsWQfCxyGiWtU=
=BFh1
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa142-4.5.patch"
Content-Disposition: attachment; filename="xsa142-4.5.patch"
Content-Transfer-Encoding: base64

RnJvbSAwN2NhMDA3MDNmNzZhZDM5MmVkYTVlZTUyY2NlMTE5N2NmNDljMzBh
IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW5vIFN0YWJl
bGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRyaXguY29tPgpTdWJq
ZWN0OiBbUEFUQ0ggdjIuMSBmb3ItNC41XSBsaWJ4bDogaGFuZGxlIHJlYWQt
b25seSBkcml2ZXMgd2l0aCBxZW11LXhlbgoKVGhlIGN1cnJlbnQgbGlieGwg
Y29kZSBkb2Vzbid0IGRlYWwgd2l0aCByZWFkLW9ubHkgZHJpdmVzIGF0IGFs
bC4KClVwc3RyZWFtIFFFTVUgYW5kIHFlbXUteGVuIG9ubHkgc3VwcG9ydCBy
ZWFkLW9ubHkgY2Ryb20gZHJpdmVzOiBtYWtlCnN1cmUgdG8gc3BlY2lmeSAi
cmVhZG9ubHk9b24iIGZvciBjZHJvbSBkcml2ZXMgYW5kIHJldHVybiBlcnJv
ciBpbiBjYXNlCnRoZSB1c2VyIHJlcXVlc3RlZCBhIG5vbi1jZHJvbSByZWFk
LW9ubHkgZHJpdmUuCgpUaGlzIGlzIFhTQS0xNDIsIGRpc2NvdmVyZWQgYnkg
TGluIExpdQooaHR0cHM6Ly9idWd6aWxsYS5yZWRoYXQuY29tL3Nob3dfYnVn
LmNnaT9pZD0xMjU3ODkzKS4KClNpZ25lZC1vZmYtYnk6IFN0ZWZhbm8gU3Rh
YmVsbGluaSA8c3RlZmFuby5zdGFiZWxsaW5pQGV1LmNpdHJpeC5jb20+CgpC
YWNrcG9ydCB0byBYZW4gNC41IGFuZCBlYXJsaWVyLCBhcHJvcG9zIG9mIHJl
cG9ydCBhbmQgcmV2aWV3IGZyb20KTWljaGFlbCBZb3VuZy4KClNpZ25lZC1v
ZmYtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRyaXguY29t
PgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsrKysrKysr
Ky0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyksIDQgZGVs
ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggYjRjZTUyMy4uZDc0
ZmIxNCAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0uYworKysg
Yi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC03OTcsMTMgKzc5NywxOCBA
QCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2aWNlX21vZGVsX2Fy
Z3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uaXNfY2Ryb20pIHsKICAgICAgICAgICAgICAgICBpZiAoZGlza3NbaV0u
Zm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKQogICAgICAgICAg
ICAgICAgICAgICBkcml2ZSA9IGxpYnhsX19zcHJpbnRmCi0gICAgICAgICAg
ICAgICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQsbWVkaWE9Y2Ry
b20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAg
ICAgICAgICAgICAgZGlzaywgZGV2X251bWJlcik7CisgICAgICAgICAgICAg
ICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMs
bWVkaWE9Y2Ryb20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAg
ICAgICAgICAgICAgICAgICAgICAgZGlzaywgZGlza3NbaV0ucmVhZHdyaXRl
ID8gIm9mZiIgOiAib24iLCBkZXZfbnVtYmVyKTsKICAgICAgICAgICAgICAg
ICBlbHNlCiAgICAgICAgICAgICAgICAgICAgIGRyaXZlID0gbGlieGxfX3Nw
cmludGYKLSAgICAgICAgICAgICAgICAgICAgICAgIChnYywgImZpbGU9JXMs
aWY9aWRlLGluZGV4PSVkLG1lZGlhPWNkcm9tLGZvcm1hdD0lcyxjYWNoZT13
cml0ZWJhY2ssaWQ9aWRlLSVpIiwKLSAgICAgICAgICAgICAgICAgICAgICAg
ICBkaXNrc1tpXS5wZGV2X3BhdGgsIGRpc2ssIGZvcm1hdCwgZGV2X251bWJl
cik7CisgICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxlPSVzLGlm
PWlkZSxpbmRleD0lZCxyZWFkb25seT0lcyxtZWRpYT1jZHJvbSxmb3JtYXQ9
JXMsY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAgICAgICAgICAg
ICAgICAgICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBkaXNrc1tp
XS5yZWFkd3JpdGUgPyAib2ZmIiA6ICJvbiIsIGZvcm1hdCwgZGV2X251bWJl
cik7CiAgICAgICAgICAgICB9IGVsc2UgeworICAgICAgICAgICAgICAgIGlm
ICghZGlza3NbaV0ucmVhZHdyaXRlKSB7CisgICAgICAgICAgICAgICAgICAg
IExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX0VSUk9SLCAicWVtdS14ZW4g
ZG9lc24ndCBzdXBwb3J0IHJlYWQtb25seSBkaXNrIGRyaXZlcnMiKTsKKyAg
ICAgICAgICAgICAgICAgICAgcmV0dXJuIE5VTEw7CisgICAgICAgICAgICAg
ICAgfQorCiAgICAgICAgICAgICAgICAgaWYgKGRpc2tzW2ldLmZvcm1hdCA9
PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkgewogICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19XQVJOSU5HLCAiY2Fu
bm90IHN1cHBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IiBlbXB0eSBkaXNrIGZvcm1hdCBmb3IgJXMiLCBkaXNrc1tpXS52ZGV2KTsK
LS0gCjEuNy4xMC40Cgo=

--=separator
Content-Type: application/octet-stream; name="xsa142-4.6.patch"
Content-Disposition: attachment; filename="xsa142-4.6.patch"
Content-Transfer-Encoding: base64

RnJvbTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlA
ZXUuY2l0cml4LmNvbT4KU3ViamVjdDogW1BBVENIIHYyIGZvci00LjZdIGxp
YnhsOiBoYW5kbGUgcmVhZC1vbmx5IGRyaXZlcyB3aXRoIHFlbXUteGVuCkRh
dGU6IFR1ZSwgMTUgU2VwIDIwMTUgMTA6NTI6MTQgKzAxMDAKClRoZSBjdXJy
ZW50IGxpYnhsIGNvZGUgZG9lc24ndCBkZWFsIHdpdGggcmVhZC1vbmx5IGRy
aXZlcyBhdCBhbGwuCgpVcHN0cmVhbSBRRU1VIGFuZCBxZW11LXhlbiBvbmx5
IHN1cHBvcnQgcmVhZC1vbmx5IGNkcm9tIGRyaXZlczogbWFrZQpzdXJlIHRv
IHNwZWNpZnkgInJlYWRvbmx5PW9uIiBmb3IgY2Ryb20gZHJpdmVzIGFuZCBy
ZXR1cm4gZXJyb3IgaW4gY2FzZQp0aGUgdXNlciByZXF1ZXN0ZWQgYSBub24t
Y2Ryb20gcmVhZC1vbmx5IGRyaXZlLgoKVGhpcyBpcyBYU0EtMTQyLCBkaXNj
b3ZlcmVkIGJ5IExpbiBMaXUKKGh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNv
bS9zaG93X2J1Zy5jZ2k/aWQ9MTI1Nzg5MykuCgpTaWduZWQtb2ZmLWJ5OiBT
dGVmYW5vIFN0YWJlbGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRy
aXguY29tPgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsr
KysrKysrKy0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyks
IDQgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGli
eGxfZG0uYyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggMDJjMDE2
Mi4uNDY4ZmY5YyAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YworKysgYi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC0xMTEwLDEzICsx
MTEwLDE4IEBAIHN0YXRpYyBpbnQgbGlieGxfX2J1aWxkX2RldmljZV9tb2Rl
bF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICAgICAgaWYgKGRp
c2tzW2ldLmlzX2Nkcm9tKSB7CiAgICAgICAgICAgICAgICAgaWYgKGRpc2tz
W2ldLmZvcm1hdCA9PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkKICAgICAg
ICAgICAgICAgICAgICAgZHJpdmUgPSBsaWJ4bF9fc3ByaW50ZgotICAgICAg
ICAgICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLG1lZGlh
PWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAotICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2ssIGRldl9udW1iZXIpOworICAgICAgICAg
ICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLHJlYWRvbmx5
PSVzLG1lZGlhPWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAor
ICAgICAgICAgICAgICAgICAgICAgICAgIGRpc2ssIGRpc2tzW2ldLnJlYWR3
cml0ZSA/ICJvZmYiIDogIm9uIiwgZGV2X251bWJlcik7CiAgICAgICAgICAg
ICAgICAgZWxzZQogICAgICAgICAgICAgICAgICAgICBkcml2ZSA9IGxpYnhs
X19zcHJpbnRmCi0gICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxl
PSVzLGlmPWlkZSxpbmRleD0lZCxtZWRpYT1jZHJvbSxmb3JtYXQ9JXMsY2Fj
aGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAgICAgICAg
ICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBmb3JtYXQsIGRldl9u
dW1iZXIpOworICAgICAgICAgICAgICAgICAgICAgICAgKGdjLCAiZmlsZT0l
cyxpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMsbWVkaWE9Y2Ryb20sZm9y
bWF0PSVzLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAorICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2tzW2ldLnBkZXZfcGF0aCwgZGlzaywgZGlz
a3NbaV0ucmVhZHdyaXRlID8gIm9mZiIgOiAib24iLCBmb3JtYXQsIGRldl9u
dW1iZXIpOwogICAgICAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgICAg
ICBpZiAoIWRpc2tzW2ldLnJlYWR3cml0ZSkgeworICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19FUlJPUiwgInFlbXUt
eGVuIGRvZXNuJ3Qgc3VwcG9ydCByZWFkLW9ubHkgZGlzayBkcml2ZXJzIik7
CisgICAgICAgICAgICAgICAgICAgIHJldHVybiBFUlJPUl9JTlZBTDsKKyAg
ICAgICAgICAgICAgICB9CisKICAgICAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uZm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKSB7CiAgICAg
ICAgICAgICAgICAgICAgIExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX1dB
Uk5JTkcsICJjYW5ub3Qgc3VwcG9ydCIKICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAiIGVtcHR5IGRpc2sgZm9ybWF0IGZvciAlcyIsIGRpc2tz
W2ldLnZkZXYpOwotLSAKMS43LjEwLjQK

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 22 15:17:23 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Sep 2015 15:17:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZePIk-0003A7-I3; Tue, 22 Sep 2015 15:16:14 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIj-00039Y-2f; Tue, 22 Sep 2015 15:16:13 +0000
Received: from [193.109.254.147] by server-6.bemta-14.messagelabs.com id
	F2/1E-16618-CB071065; Tue, 22 Sep 2015 15:16:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-27.messagelabs.com!1442934963!40618599!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 23239 invoked from network); 22 Sep 2015 15:16:04 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Sep 2015 15:16:04 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIS-0002Aw-Jx; Tue, 22 Sep 2015 15:15:56 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIS-0005E3-Cb; Tue, 22 Sep 2015 15:15:56 +0000
Date: Tue, 22 Sep 2015 15:15:56 +0000
Message-Id: <E1ZePIS-0005E3-Cb@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 142 (CVE-2015-7311) - libxl
 fails to honour readonly flag on disks with qemu-xen
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7311 / XSA-142
                              version 2

        libxl fails to honour readonly flag on disks with qemu-xen

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the
guest.  However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable.  The
affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
   device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
   device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible
effects or even regressions.

It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.

RESOLUTION
==========

There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.

The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest.  Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.

xsa142-4.6.patch                 Xen 4.6.x and later
xsa142-4.5.patch                 Xen 4.3.x to 4.5.x inclusive

$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124  xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1  xsa142-4.6.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public in the Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=1257893

CREDITS
=======

Thanks to Michael Young of Durham University for bring this problem to
our attention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWAXCcAAoJEIP+FMlX6CvZ1asH/0yJQ9+33gZtE69Bxicms3C2
uSepfkZVBUym+eEBqGKd2hiapngIAInotOTk+iI7DDo41wvfnJxq1eaEaQ9XurKK
kylHOb8eHmYw+HwTW2kJV2g6ffeGBMIcI5mpK35yBa5NnNHHJz0b9ZeRzddR9rSR
0eQpuP4DlN1/2/z6obXmYms84Q1oiIzMDz+MzJA/zPtfL7Q/tBjUmMfPj67zNKwe
vIfIstI5IbCRgnXSEL9EjTckqNFszyr3pH4z/Y97UXWlbTg233ewAS11Wz/CwJKT
yzS4uJGpckqTRC3YKyS1unKCP39yAVIBTx4QoPu9hrWyzUJpZUD/FvmrIHhr8co=
=kHPH
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa142-4.5.patch"
Content-Disposition: attachment; filename="xsa142-4.5.patch"
Content-Transfer-Encoding: base64

RnJvbSAwN2NhMDA3MDNmNzZhZDM5MmVkYTVlZTUyY2NlMTE5N2NmNDljMzBh
IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW5vIFN0YWJl
bGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRyaXguY29tPgpTdWJq
ZWN0OiBbUEFUQ0ggdjIuMSBmb3ItNC41XSBsaWJ4bDogaGFuZGxlIHJlYWQt
b25seSBkcml2ZXMgd2l0aCBxZW11LXhlbgoKVGhlIGN1cnJlbnQgbGlieGwg
Y29kZSBkb2Vzbid0IGRlYWwgd2l0aCByZWFkLW9ubHkgZHJpdmVzIGF0IGFs
bC4KClVwc3RyZWFtIFFFTVUgYW5kIHFlbXUteGVuIG9ubHkgc3VwcG9ydCBy
ZWFkLW9ubHkgY2Ryb20gZHJpdmVzOiBtYWtlCnN1cmUgdG8gc3BlY2lmeSAi
cmVhZG9ubHk9b24iIGZvciBjZHJvbSBkcml2ZXMgYW5kIHJldHVybiBlcnJv
ciBpbiBjYXNlCnRoZSB1c2VyIHJlcXVlc3RlZCBhIG5vbi1jZHJvbSByZWFk
LW9ubHkgZHJpdmUuCgpUaGlzIGlzIFhTQS0xNDIsIGRpc2NvdmVyZWQgYnkg
TGluIExpdQooaHR0cHM6Ly9idWd6aWxsYS5yZWRoYXQuY29tL3Nob3dfYnVn
LmNnaT9pZD0xMjU3ODkzKS4KClNpZ25lZC1vZmYtYnk6IFN0ZWZhbm8gU3Rh
YmVsbGluaSA8c3RlZmFuby5zdGFiZWxsaW5pQGV1LmNpdHJpeC5jb20+CgpC
YWNrcG9ydCB0byBYZW4gNC41IGFuZCBlYXJsaWVyLCBhcHJvcG9zIG9mIHJl
cG9ydCBhbmQgcmV2aWV3IGZyb20KTWljaGFlbCBZb3VuZy4KClNpZ25lZC1v
ZmYtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRyaXguY29t
PgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsrKysrKysr
Ky0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyksIDQgZGVs
ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggYjRjZTUyMy4uZDc0
ZmIxNCAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0uYworKysg
Yi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC03OTcsMTMgKzc5NywxOCBA
QCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2aWNlX21vZGVsX2Fy
Z3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uaXNfY2Ryb20pIHsKICAgICAgICAgICAgICAgICBpZiAoZGlza3NbaV0u
Zm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKQogICAgICAgICAg
ICAgICAgICAgICBkcml2ZSA9IGxpYnhsX19zcHJpbnRmCi0gICAgICAgICAg
ICAgICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQsbWVkaWE9Y2Ry
b20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAg
ICAgICAgICAgICAgZGlzaywgZGV2X251bWJlcik7CisgICAgICAgICAgICAg
ICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMs
bWVkaWE9Y2Ryb20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAg
ICAgICAgICAgICAgICAgICAgICAgZGlzaywgZGlza3NbaV0ucmVhZHdyaXRl
ID8gIm9mZiIgOiAib24iLCBkZXZfbnVtYmVyKTsKICAgICAgICAgICAgICAg
ICBlbHNlCiAgICAgICAgICAgICAgICAgICAgIGRyaXZlID0gbGlieGxfX3Nw
cmludGYKLSAgICAgICAgICAgICAgICAgICAgICAgIChnYywgImZpbGU9JXMs
aWY9aWRlLGluZGV4PSVkLG1lZGlhPWNkcm9tLGZvcm1hdD0lcyxjYWNoZT13
cml0ZWJhY2ssaWQ9aWRlLSVpIiwKLSAgICAgICAgICAgICAgICAgICAgICAg
ICBkaXNrc1tpXS5wZGV2X3BhdGgsIGRpc2ssIGZvcm1hdCwgZGV2X251bWJl
cik7CisgICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxlPSVzLGlm
PWlkZSxpbmRleD0lZCxyZWFkb25seT0lcyxtZWRpYT1jZHJvbSxmb3JtYXQ9
JXMsY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAgICAgICAgICAg
ICAgICAgICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBkaXNrc1tp
XS5yZWFkd3JpdGUgPyAib2ZmIiA6ICJvbiIsIGZvcm1hdCwgZGV2X251bWJl
cik7CiAgICAgICAgICAgICB9IGVsc2UgeworICAgICAgICAgICAgICAgIGlm
ICghZGlza3NbaV0ucmVhZHdyaXRlKSB7CisgICAgICAgICAgICAgICAgICAg
IExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX0VSUk9SLCAicWVtdS14ZW4g
ZG9lc24ndCBzdXBwb3J0IHJlYWQtb25seSBkaXNrIGRyaXZlcnMiKTsKKyAg
ICAgICAgICAgICAgICAgICAgcmV0dXJuIE5VTEw7CisgICAgICAgICAgICAg
ICAgfQorCiAgICAgICAgICAgICAgICAgaWYgKGRpc2tzW2ldLmZvcm1hdCA9
PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkgewogICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19XQVJOSU5HLCAiY2Fu
bm90IHN1cHBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IiBlbXB0eSBkaXNrIGZvcm1hdCBmb3IgJXMiLCBkaXNrc1tpXS52ZGV2KTsK
LS0gCjEuNy4xMC40Cgo=

--=separator
Content-Type: application/octet-stream; name="xsa142-4.6.patch"
Content-Disposition: attachment; filename="xsa142-4.6.patch"
Content-Transfer-Encoding: base64

RnJvbTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlA
ZXUuY2l0cml4LmNvbT4KU3ViamVjdDogW1BBVENIIHYyIGZvci00LjZdIGxp
YnhsOiBoYW5kbGUgcmVhZC1vbmx5IGRyaXZlcyB3aXRoIHFlbXUteGVuCkRh
dGU6IFR1ZSwgMTUgU2VwIDIwMTUgMTA6NTI6MTQgKzAxMDAKClRoZSBjdXJy
ZW50IGxpYnhsIGNvZGUgZG9lc24ndCBkZWFsIHdpdGggcmVhZC1vbmx5IGRy
aXZlcyBhdCBhbGwuCgpVcHN0cmVhbSBRRU1VIGFuZCBxZW11LXhlbiBvbmx5
IHN1cHBvcnQgcmVhZC1vbmx5IGNkcm9tIGRyaXZlczogbWFrZQpzdXJlIHRv
IHNwZWNpZnkgInJlYWRvbmx5PW9uIiBmb3IgY2Ryb20gZHJpdmVzIGFuZCBy
ZXR1cm4gZXJyb3IgaW4gY2FzZQp0aGUgdXNlciByZXF1ZXN0ZWQgYSBub24t
Y2Ryb20gcmVhZC1vbmx5IGRyaXZlLgoKVGhpcyBpcyBYU0EtMTQyLCBkaXNj
b3ZlcmVkIGJ5IExpbiBMaXUKKGh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNv
bS9zaG93X2J1Zy5jZ2k/aWQ9MTI1Nzg5MykuCgpTaWduZWQtb2ZmLWJ5OiBT
dGVmYW5vIFN0YWJlbGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRy
aXguY29tPgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsr
KysrKysrKy0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyks
IDQgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGli
eGxfZG0uYyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggMDJjMDE2
Mi4uNDY4ZmY5YyAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YworKysgYi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC0xMTEwLDEzICsx
MTEwLDE4IEBAIHN0YXRpYyBpbnQgbGlieGxfX2J1aWxkX2RldmljZV9tb2Rl
bF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICAgICAgaWYgKGRp
c2tzW2ldLmlzX2Nkcm9tKSB7CiAgICAgICAgICAgICAgICAgaWYgKGRpc2tz
W2ldLmZvcm1hdCA9PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkKICAgICAg
ICAgICAgICAgICAgICAgZHJpdmUgPSBsaWJ4bF9fc3ByaW50ZgotICAgICAg
ICAgICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLG1lZGlh
PWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAotICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2ssIGRldl9udW1iZXIpOworICAgICAgICAg
ICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLHJlYWRvbmx5
PSVzLG1lZGlhPWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAor
ICAgICAgICAgICAgICAgICAgICAgICAgIGRpc2ssIGRpc2tzW2ldLnJlYWR3
cml0ZSA/ICJvZmYiIDogIm9uIiwgZGV2X251bWJlcik7CiAgICAgICAgICAg
ICAgICAgZWxzZQogICAgICAgICAgICAgICAgICAgICBkcml2ZSA9IGxpYnhs
X19zcHJpbnRmCi0gICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxl
PSVzLGlmPWlkZSxpbmRleD0lZCxtZWRpYT1jZHJvbSxmb3JtYXQ9JXMsY2Fj
aGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAgICAgICAg
ICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBmb3JtYXQsIGRldl9u
dW1iZXIpOworICAgICAgICAgICAgICAgICAgICAgICAgKGdjLCAiZmlsZT0l
cyxpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMsbWVkaWE9Y2Ryb20sZm9y
bWF0PSVzLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAorICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2tzW2ldLnBkZXZfcGF0aCwgZGlzaywgZGlz
a3NbaV0ucmVhZHdyaXRlID8gIm9mZiIgOiAib24iLCBmb3JtYXQsIGRldl9u
dW1iZXIpOwogICAgICAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgICAg
ICBpZiAoIWRpc2tzW2ldLnJlYWR3cml0ZSkgeworICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19FUlJPUiwgInFlbXUt
eGVuIGRvZXNuJ3Qgc3VwcG9ydCByZWFkLW9ubHkgZGlzayBkcml2ZXJzIik7
CisgICAgICAgICAgICAgICAgICAgIHJldHVybiBFUlJPUl9JTlZBTDsKKyAg
ICAgICAgICAgICAgICB9CisKICAgICAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uZm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKSB7CiAgICAg
ICAgICAgICAgICAgICAgIExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX1dB
Uk5JTkcsICJjYW5ub3Qgc3VwcG9ydCIKICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAiIGVtcHR5IGRpc2sgZm9ybWF0IGZvciAlcyIsIGRpc2tz
W2ldLnZkZXYpOwotLSAKMS43LjEwLjQK

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Tue Sep 22 15:17:23 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Tue, 22 Sep 2015 15:17:23 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZePIk-0003A7-I3; Tue, 22 Sep 2015 15:16:14 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIj-00039Y-2f; Tue, 22 Sep 2015 15:16:13 +0000
Received: from [193.109.254.147] by server-6.bemta-14.messagelabs.com id
	F2/1E-16618-CB071065; Tue, 22 Sep 2015 15:16:12 +0000
X-Env-Sender: iwj@xenbits.xen.org
X-Msg-Ref: server-5.tower-27.messagelabs.com!1442934963!40618599!1
X-Originating-IP: [50.57.168.107]
X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 23239 invoked from network); 22 Sep 2015 15:16:04 -0000
Received: from mail.xen.org (HELO mail.xen.org) (50.57.168.107)
	by server-5.tower-27.messagelabs.com with AES256-SHA encrypted SMTP;
	22 Sep 2015 15:16:04 -0000
Received: from xenbits.xen.org ([50.57.170.242])
	by mail.xen.org with esmtp (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIS-0002Aw-Jx; Tue, 22 Sep 2015 15:15:56 +0000
Received: from iwj by xenbits.xen.org with local (Exim 4.72)
	(envelope-from <iwj@xenbits.xen.org>)
	id 1ZePIS-0005E3-Cb; Tue, 22 Sep 2015 15:15:56 +0000
Date: Tue, 22 Sep 2015 15:15:56 +0000
Message-Id: <E1ZePIS-0005E3-Cb@xenbits.xen.org>
Content-Type: multipart/mixed; boundary="=separator"; charset="utf-8"
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
To: xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
From: Xen.org security team <security@xen.org>
Cc: "Xen.org security team" <security@xen.org>
Subject: [Xen-announce] Xen Security Advisory 142 (CVE-2015-7311) - libxl
 fails to honour readonly flag on disks with qemu-xen
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org


--=separator
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-7311 / XSA-142
                              version 2

        libxl fails to honour readonly flag on disks with qemu-xen

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Callers of libxl can specify that a disk should be read-only to the
guest.  However, there is no code in libxl to pass this information to
qemu-xen (the upstream-based qemu); and indeed there is no way in qemu
to make a disk read-only.

The vulnerability is exploitable only via devices emulated by the
device model, not the parallel PV devices for supporting PVHVM.
Normally the PVHVM device unplug protocol renders the emulated devices
inaccessible early in boot.

IMPACT
======

Malicious guest administrators or (in some situations) users may be
able to write to supposedly read-only disk images.

CDROM devices (that is, devices specified to be presented to the guest
as CDROMs, regardless of the nature of the backing storage on the
host) are not affected.

VULNERABLE SYSTEMS
==================

Only systems using qemu-xen (rather than qemu-xen-traditional) as the
device model version are vulnerable.

Only systems using libxl or libxl-based toolstacks are vulnerable.
(This includes xl, and libvirt with the libxl driver.)

All versions of libxl which support qemu-xen are vulnerable.  The
affected code was introduced in Xen 4.1.

If the host and guest together usually support PVHVM, the issue is
exploitable only if the malicious guest administrator has control of
the guest kernel or guest kernel command line.

MITIGATION
==========

Switching to qemu-xen-traditional will avoid this vulnerability.
This can be done with
   device_model_version="qemu-xen-traditional"
in the xl configuration file.

Using stub domain device models (which necessarily involves switching
to qemu-xen-traditional) will also avoid this vulnerability.
This can be done with
   device_model_stubdomain_override=true
in the xl configuration file.

Either of these mitigations is liable to have other guest-visible
effects or even regressions.

It may be possible, depending on the configuration, to make the
underlying storage object readonly, or to make it reject writes.

RESOLUTION
==========

There is no reasonable resolution because Qemu does not (at the time
of writing) support presenting a read-only block device to a guest as
a disk.

The attached patch corrects the weakness in the libxl code, by
rejecting the unsupported configurations, rather than allowing them to
run but with the device perhaps writeable by the guest.  Applying it
should increase confidence and avoid future configuration errors, but
will break affected configurations specifying read-only disk devices.

xsa142-4.6.patch                 Xen 4.6.x and later
xsa142-4.5.patch                 Xen 4.3.x to 4.5.x inclusive

$ sha256sum xsa142*.patch
9ec0649f39720bc692be03c87ebea0506d6ec574f339fc745e41b31643240124  xsa142-4.5.patch
65f01167bfc141048261f56b99ed9b48ec7ff6e98155454ced938a17ec20e7d1  xsa142-4.6.patch
$

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was discussed in public in the Red Hat bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=1257893

CREDITS
=======

Thanks to Michael Young of Durham University for bring this problem to
our attention.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWAXCcAAoJEIP+FMlX6CvZ1asH/0yJQ9+33gZtE69Bxicms3C2
uSepfkZVBUym+eEBqGKd2hiapngIAInotOTk+iI7DDo41wvfnJxq1eaEaQ9XurKK
kylHOb8eHmYw+HwTW2kJV2g6ffeGBMIcI5mpK35yBa5NnNHHJz0b9ZeRzddR9rSR
0eQpuP4DlN1/2/z6obXmYms84Q1oiIzMDz+MzJA/zPtfL7Q/tBjUmMfPj67zNKwe
vIfIstI5IbCRgnXSEL9EjTckqNFszyr3pH4z/Y97UXWlbTg233ewAS11Wz/CwJKT
yzS4uJGpckqTRC3YKyS1unKCP39yAVIBTx4QoPu9hrWyzUJpZUD/FvmrIHhr8co=
=kHPH
-----END PGP SIGNATURE-----

--=separator
Content-Type: application/octet-stream; name="xsa142-4.5.patch"
Content-Disposition: attachment; filename="xsa142-4.5.patch"
Content-Transfer-Encoding: base64

RnJvbSAwN2NhMDA3MDNmNzZhZDM5MmVkYTVlZTUyY2NlMTE5N2NmNDljMzBh
IE1vbiBTZXAgMTcgMDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW5vIFN0YWJl
bGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRyaXguY29tPgpTdWJq
ZWN0OiBbUEFUQ0ggdjIuMSBmb3ItNC41XSBsaWJ4bDogaGFuZGxlIHJlYWQt
b25seSBkcml2ZXMgd2l0aCBxZW11LXhlbgoKVGhlIGN1cnJlbnQgbGlieGwg
Y29kZSBkb2Vzbid0IGRlYWwgd2l0aCByZWFkLW9ubHkgZHJpdmVzIGF0IGFs
bC4KClVwc3RyZWFtIFFFTVUgYW5kIHFlbXUteGVuIG9ubHkgc3VwcG9ydCBy
ZWFkLW9ubHkgY2Ryb20gZHJpdmVzOiBtYWtlCnN1cmUgdG8gc3BlY2lmeSAi
cmVhZG9ubHk9b24iIGZvciBjZHJvbSBkcml2ZXMgYW5kIHJldHVybiBlcnJv
ciBpbiBjYXNlCnRoZSB1c2VyIHJlcXVlc3RlZCBhIG5vbi1jZHJvbSByZWFk
LW9ubHkgZHJpdmUuCgpUaGlzIGlzIFhTQS0xNDIsIGRpc2NvdmVyZWQgYnkg
TGluIExpdQooaHR0cHM6Ly9idWd6aWxsYS5yZWRoYXQuY29tL3Nob3dfYnVn
LmNnaT9pZD0xMjU3ODkzKS4KClNpZ25lZC1vZmYtYnk6IFN0ZWZhbm8gU3Rh
YmVsbGluaSA8c3RlZmFuby5zdGFiZWxsaW5pQGV1LmNpdHJpeC5jb20+CgpC
YWNrcG9ydCB0byBYZW4gNC41IGFuZCBlYXJsaWVyLCBhcHJvcG9zIG9mIHJl
cG9ydCBhbmQgcmV2aWV3IGZyb20KTWljaGFlbCBZb3VuZy4KClNpZ25lZC1v
ZmYtYnk6IElhbiBKYWNrc29uIDxpYW4uamFja3NvbkBldS5jaXRyaXguY29t
PgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsrKysrKysr
Ky0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyksIDQgZGVs
ZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggYjRjZTUyMy4uZDc0
ZmIxNCAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0uYworKysg
Yi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC03OTcsMTMgKzc5NywxOCBA
QCBzdGF0aWMgY2hhciAqKiBsaWJ4bF9fYnVpbGRfZGV2aWNlX21vZGVsX2Fy
Z3NfbmV3KGxpYnhsX19nYyAqZ2MsCiAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uaXNfY2Ryb20pIHsKICAgICAgICAgICAgICAgICBpZiAoZGlza3NbaV0u
Zm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKQogICAgICAgICAg
ICAgICAgICAgICBkcml2ZSA9IGxpYnhsX19zcHJpbnRmCi0gICAgICAgICAg
ICAgICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQsbWVkaWE9Y2Ry
b20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAg
ICAgICAgICAgICAgZGlzaywgZGV2X251bWJlcik7CisgICAgICAgICAgICAg
ICAgICAgICAgICAoZ2MsICJpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMs
bWVkaWE9Y2Ryb20sY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAg
ICAgICAgICAgICAgICAgICAgICAgZGlzaywgZGlza3NbaV0ucmVhZHdyaXRl
ID8gIm9mZiIgOiAib24iLCBkZXZfbnVtYmVyKTsKICAgICAgICAgICAgICAg
ICBlbHNlCiAgICAgICAgICAgICAgICAgICAgIGRyaXZlID0gbGlieGxfX3Nw
cmludGYKLSAgICAgICAgICAgICAgICAgICAgICAgIChnYywgImZpbGU9JXMs
aWY9aWRlLGluZGV4PSVkLG1lZGlhPWNkcm9tLGZvcm1hdD0lcyxjYWNoZT13
cml0ZWJhY2ssaWQ9aWRlLSVpIiwKLSAgICAgICAgICAgICAgICAgICAgICAg
ICBkaXNrc1tpXS5wZGV2X3BhdGgsIGRpc2ssIGZvcm1hdCwgZGV2X251bWJl
cik7CisgICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxlPSVzLGlm
PWlkZSxpbmRleD0lZCxyZWFkb25seT0lcyxtZWRpYT1jZHJvbSxmb3JtYXQ9
JXMsY2FjaGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCisgICAgICAgICAgICAg
ICAgICAgICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBkaXNrc1tp
XS5yZWFkd3JpdGUgPyAib2ZmIiA6ICJvbiIsIGZvcm1hdCwgZGV2X251bWJl
cik7CiAgICAgICAgICAgICB9IGVsc2UgeworICAgICAgICAgICAgICAgIGlm
ICghZGlza3NbaV0ucmVhZHdyaXRlKSB7CisgICAgICAgICAgICAgICAgICAg
IExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX0VSUk9SLCAicWVtdS14ZW4g
ZG9lc24ndCBzdXBwb3J0IHJlYWQtb25seSBkaXNrIGRyaXZlcnMiKTsKKyAg
ICAgICAgICAgICAgICAgICAgcmV0dXJuIE5VTEw7CisgICAgICAgICAgICAg
ICAgfQorCiAgICAgICAgICAgICAgICAgaWYgKGRpc2tzW2ldLmZvcm1hdCA9
PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkgewogICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19XQVJOSU5HLCAiY2Fu
bm90IHN1cHBvcnQiCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IiBlbXB0eSBkaXNrIGZvcm1hdCBmb3IgJXMiLCBkaXNrc1tpXS52ZGV2KTsK
LS0gCjEuNy4xMC40Cgo=

--=separator
Content-Type: application/octet-stream; name="xsa142-4.6.patch"
Content-Disposition: attachment; filename="xsa142-4.6.patch"
Content-Transfer-Encoding: base64

RnJvbTogU3RlZmFubyBTdGFiZWxsaW5pIDxzdGVmYW5vLnN0YWJlbGxpbmlA
ZXUuY2l0cml4LmNvbT4KU3ViamVjdDogW1BBVENIIHYyIGZvci00LjZdIGxp
YnhsOiBoYW5kbGUgcmVhZC1vbmx5IGRyaXZlcyB3aXRoIHFlbXUteGVuCkRh
dGU6IFR1ZSwgMTUgU2VwIDIwMTUgMTA6NTI6MTQgKzAxMDAKClRoZSBjdXJy
ZW50IGxpYnhsIGNvZGUgZG9lc24ndCBkZWFsIHdpdGggcmVhZC1vbmx5IGRy
aXZlcyBhdCBhbGwuCgpVcHN0cmVhbSBRRU1VIGFuZCBxZW11LXhlbiBvbmx5
IHN1cHBvcnQgcmVhZC1vbmx5IGNkcm9tIGRyaXZlczogbWFrZQpzdXJlIHRv
IHNwZWNpZnkgInJlYWRvbmx5PW9uIiBmb3IgY2Ryb20gZHJpdmVzIGFuZCBy
ZXR1cm4gZXJyb3IgaW4gY2FzZQp0aGUgdXNlciByZXF1ZXN0ZWQgYSBub24t
Y2Ryb20gcmVhZC1vbmx5IGRyaXZlLgoKVGhpcyBpcyBYU0EtMTQyLCBkaXNj
b3ZlcmVkIGJ5IExpbiBMaXUKKGh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNv
bS9zaG93X2J1Zy5jZ2k/aWQ9MTI1Nzg5MykuCgpTaWduZWQtb2ZmLWJ5OiBT
dGVmYW5vIFN0YWJlbGxpbmkgPHN0ZWZhbm8uc3RhYmVsbGluaUBldS5jaXRy
aXguY29tPgotLS0KIHRvb2xzL2xpYnhsL2xpYnhsX2RtLmMgfCAgIDEzICsr
KysrKysrKy0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA5IGluc2VydGlvbnMoKyks
IDQgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvdG9vbHMvbGlieGwvbGli
eGxfZG0uYyBiL3Rvb2xzL2xpYnhsL2xpYnhsX2RtLmMKaW5kZXggMDJjMDE2
Mi4uNDY4ZmY5YyAxMDA2NDQKLS0tIGEvdG9vbHMvbGlieGwvbGlieGxfZG0u
YworKysgYi90b29scy9saWJ4bC9saWJ4bF9kbS5jCkBAIC0xMTEwLDEzICsx
MTEwLDE4IEBAIHN0YXRpYyBpbnQgbGlieGxfX2J1aWxkX2RldmljZV9tb2Rl
bF9hcmdzX25ldyhsaWJ4bF9fZ2MgKmdjLAogICAgICAgICAgICAgaWYgKGRp
c2tzW2ldLmlzX2Nkcm9tKSB7CiAgICAgICAgICAgICAgICAgaWYgKGRpc2tz
W2ldLmZvcm1hdCA9PSBMSUJYTF9ESVNLX0ZPUk1BVF9FTVBUWSkKICAgICAg
ICAgICAgICAgICAgICAgZHJpdmUgPSBsaWJ4bF9fc3ByaW50ZgotICAgICAg
ICAgICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLG1lZGlh
PWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAotICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2ssIGRldl9udW1iZXIpOworICAgICAgICAg
ICAgICAgICAgICAgICAgKGdjLCAiaWY9aWRlLGluZGV4PSVkLHJlYWRvbmx5
PSVzLG1lZGlhPWNkcm9tLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAor
ICAgICAgICAgICAgICAgICAgICAgICAgIGRpc2ssIGRpc2tzW2ldLnJlYWR3
cml0ZSA/ICJvZmYiIDogIm9uIiwgZGV2X251bWJlcik7CiAgICAgICAgICAg
ICAgICAgZWxzZQogICAgICAgICAgICAgICAgICAgICBkcml2ZSA9IGxpYnhs
X19zcHJpbnRmCi0gICAgICAgICAgICAgICAgICAgICAgICAoZ2MsICJmaWxl
PSVzLGlmPWlkZSxpbmRleD0lZCxtZWRpYT1jZHJvbSxmb3JtYXQ9JXMsY2Fj
aGU9d3JpdGViYWNrLGlkPWlkZS0laSIsCi0gICAgICAgICAgICAgICAgICAg
ICAgICAgZGlza3NbaV0ucGRldl9wYXRoLCBkaXNrLCBmb3JtYXQsIGRldl9u
dW1iZXIpOworICAgICAgICAgICAgICAgICAgICAgICAgKGdjLCAiZmlsZT0l
cyxpZj1pZGUsaW5kZXg9JWQscmVhZG9ubHk9JXMsbWVkaWE9Y2Ryb20sZm9y
bWF0PSVzLGNhY2hlPXdyaXRlYmFjayxpZD1pZGUtJWkiLAorICAgICAgICAg
ICAgICAgICAgICAgICAgIGRpc2tzW2ldLnBkZXZfcGF0aCwgZGlzaywgZGlz
a3NbaV0ucmVhZHdyaXRlID8gIm9mZiIgOiAib24iLCBmb3JtYXQsIGRldl9u
dW1iZXIpOwogICAgICAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgICAg
ICBpZiAoIWRpc2tzW2ldLnJlYWR3cml0ZSkgeworICAgICAgICAgICAgICAg
ICAgICBMSUJYTF9fTE9HKGN0eCwgTElCWExfX0xPR19FUlJPUiwgInFlbXUt
eGVuIGRvZXNuJ3Qgc3VwcG9ydCByZWFkLW9ubHkgZGlzayBkcml2ZXJzIik7
CisgICAgICAgICAgICAgICAgICAgIHJldHVybiBFUlJPUl9JTlZBTDsKKyAg
ICAgICAgICAgICAgICB9CisKICAgICAgICAgICAgICAgICBpZiAoZGlza3Nb
aV0uZm9ybWF0ID09IExJQlhMX0RJU0tfRk9STUFUX0VNUFRZKSB7CiAgICAg
ICAgICAgICAgICAgICAgIExJQlhMX19MT0coY3R4LCBMSUJYTF9fTE9HX1dB
Uk5JTkcsICJjYW5ub3Qgc3VwcG9ydCIKICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAiIGVtcHR5IGRpc2sgZm9ybWF0IGZvciAlcyIsIGRpc2tz
W2ldLnZkZXYpOwotLSAKMS43LjEwLjQK

--=separator
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce
--=separator--


From xen-announce-bounces@lists.xen.org Mon Sep 28 15:41:48 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 28 Sep 2015 15:41:48 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZgaXC-0007yl-4w; Mon, 28 Sep 2015 15:40:10 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=706e92641=wei.liu2@citrix.com>)
	id 1ZgaI1-0005N9-84; Mon, 28 Sep 2015 15:24:29 +0000
Received: from [193.109.254.147] by server-16.bemta-14.messagelabs.com id
	E1/2C-05427-BAB59065; Mon, 28 Sep 2015 15:24:27 +0000
X-Env-Sender: prvs=706e92641=wei.liu2@citrix.com
X-Msg-Ref: server-13.tower-27.messagelabs.com!1443453865!27144390!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 2955 invoked from network); 28 Sep 2015 15:24:26 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-13.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	28 Sep 2015 15:24:26 -0000
X-IronPort-AV: E=Sophos;i="5.17,603,1437436800"; d="scan'208";a="306576365"
Date: Mon, 28 Sep 2015 16:24:23 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-announce@lists.xenproject.org>,
	<xen-users@lists.xenproject.org>
Message-ID: <20150928152423.GK13821@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-DLP: MIA1
X-Mailman-Approved-At: Mon, 28 Sep 2015 15:40:08 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 RC4 (testday on October 1)
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

Xen 4.6 RC4 has been tagged. You can check out the tag 4.6.0-rc4 in xen.git.

The tarball can be downloaded from:

http://bits.xensource.com/oss-xen/release/4.6.0-rc4/xen-4.6.0-rc4.tar.gz

Signature for tarball:

http://bits.xensource.com/oss-xen/release/4.6.0-rc4/xen-4.6.0-rc4.tar.gz.sig

When reporting bugs, please send your bug report to
xen-devel@lists.xenproject.org, present as much information as possible, tag it
with "BUG-4.6" and CC release manager (wei.liu2@citrix.com) and relevant
maintainers.

We will have a test day for RC4 on Thursday, October 1.

Test instructions on:

http://wiki.xenproject.org/wiki/Xen_4.6_RC4_test_instructions

Known issues / pending patches:

Regression on Intel Avoton platform due to erratum AVR41. This issue is being
discussed and patch is under development.

Subject: [PATCH for Xen 4.6 0/5] Several PSR fixes in libxl
Message-ID: <1443441293-4287-1-git-send-email-chao.p.peng@linux.intel.com>
Newer version is expected.

Wei.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce

From xen-announce-bounces@lists.xen.org Mon Sep 28 15:41:48 2015
Return-path: <xen-announce-bounces@lists.xen.org>
Envelope-to: archives@lists.xen.org
Delivery-date: Mon, 28 Sep 2015 15:41:48 +0000
Received: from localhost ([127.0.0.1] helo=lists.xen.org)
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <xen-announce-bounces@lists.xen.org>)
	id 1ZgaXC-0007yl-4w; Mon, 28 Sep 2015 15:40:10 +0000
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <prvs=706e92641=wei.liu2@citrix.com>)
	id 1ZgaI1-0005N9-84; Mon, 28 Sep 2015 15:24:29 +0000
Received: from [193.109.254.147] by server-16.bemta-14.messagelabs.com id
	E1/2C-05427-BAB59065; Mon, 28 Sep 2015 15:24:27 +0000
X-Env-Sender: prvs=706e92641=wei.liu2@citrix.com
X-Msg-Ref: server-13.tower-27.messagelabs.com!1443453865!27144390!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: 
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 6.13.16; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 2955 invoked from network); 28 Sep 2015 15:24:26 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-13.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	28 Sep 2015 15:24:26 -0000
X-IronPort-AV: E=Sophos;i="5.17,603,1437436800"; d="scan'208";a="306576365"
Date: Mon, 28 Sep 2015 16:24:23 +0100
From: Wei Liu <wei.liu2@citrix.com>
To: <xen-devel@lists.xenproject.org>, <xen-announce@lists.xenproject.org>,
	<xen-users@lists.xenproject.org>
Message-ID: <20150928152423.GK13821@zion.uk.xensource.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-DLP: MIA1
X-Mailman-Approved-At: Mon, 28 Sep 2015 15:40:08 +0000
Subject: [Xen-announce] ANNOUNCEMENT: Xen 4.6 RC4 (testday on October 1)
X-BeenThere: xen-announce@lists.xen.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: "Xen announcements \(low volume\)" <xen-announce.lists.xen.org>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-announce@lists.xen.org>
List-Help: <mailto:xen-announce-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-announce>, 
	<mailto:xen-announce-request@lists.xen.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: xen-announce-bounces@lists.xen.org
Errors-To: xen-announce-bounces@lists.xen.org

Hi all

Xen 4.6 RC4 has been tagged. You can check out the tag 4.6.0-rc4 in xen.git.

The tarball can be downloaded from:

http://bits.xensource.com/oss-xen/release/4.6.0-rc4/xen-4.6.0-rc4.tar.gz

Signature for tarball:

http://bits.xensource.com/oss-xen/release/4.6.0-rc4/xen-4.6.0-rc4.tar.gz.sig

When reporting bugs, please send your bug report to
xen-devel@lists.xenproject.org, present as much information as possible, tag it
with "BUG-4.6" and CC release manager (wei.liu2@citrix.com) and relevant
maintainers.

We will have a test day for RC4 on Thursday, October 1.

Test instructions on:

http://wiki.xenproject.org/wiki/Xen_4.6_RC4_test_instructions

Known issues / pending patches:

Regression on Intel Avoton platform due to erratum AVR41. This issue is being
discussed and patch is under development.

Subject: [PATCH for Xen 4.6 0/5] Several PSR fixes in libxl
Message-ID: <1443441293-4287-1-git-send-email-chao.p.peng@linux.intel.com>
Newer version is expected.

Wei.

_______________________________________________
Xen-announce mailing list
Xen-announce@lists.xen.org
http://lists.xen.org/xen-announce