[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] PATCH: CVE-2007-0998: Remove access to QEMU monitor in VNC server



19 May 2007 Cts tarihinde, Keir Fraser ÅunlarÄ yazmÄÅtÄ: 
> On 19/5/07 00:39, "S.ÃaÄlar Onur" <caglar@xxxxxxxxxxxxx> wrote:
> > 19 Mar 2007 Pts tarihinde, Daniel P. Berrange ÅunlarÄ yazmÄÅtÄ:
> >> This patch fixes a security issue present in any Xen 3.0.3 or later when
> >> the VNC server is enabled for a HVM guest.
> >>
> >> cf CVE-2007-0998 / the RHEL-5 security errata:
> >>
> >>    http://rhn.redhat.com/errata/RHSA-2007-0114.html
> >
> > Same patch applies cleanly on Xen-3.1.0, is it forgetton?
>
> The patch is in 3.1.0.

Hmm, is that solved another way? Cause according to HG history its first 
committed [1] then reverted [2]?

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> 
sha1sum /var/cache/pisi/archives/xen-3.1.0-src.tgz
fa4b54c36626f2cce9b15dc99cafda0b42c54777  
/var/cache/pisi/archives/xen-3.1.0-src.tgz

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen]> tar 
xvf /var/cache/pisi/archives/xen-3.1.0-src.tgz
...

[caglar@zangetsu][~/svk/devel/applications/virtualization/xen/xen-3.1.0-src]> 
patch -p1 < ../files/CVE-2007-0998.patch
patching file tools/ioemu/Makefile.target
patching file tools/ioemu/vnc.c

[1] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3375391fb0c9
[2] http://xenbits.xensource.com/xen-3.0.5-testing.hg?rev/3d7a4ac397b1

Cheers
-- 
S.ÃaÄlar Onur <caglar@xxxxxxxxxxxxx>
http://cekirdek.pardus.org.tr/~caglar/

Linux is like living in a teepee. No Windows, no Gates and an Apache in house!

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.