
Re: [Xen-users] PV privilege escalation - advisory



On Thu, Jun 14, 2012 at 1:35 PM, Peter Braun <xenware@xxxxxxxxx> wrote:
> Hello,
>
> we are using 3.4.3 from Gitco.de on 64bit Centos 5.8 and we have PV
> guests 64bit.
>
> According to the described security bug we are in danger.
>
>
> What do you suggest? Wait for the Gitco update or build our own Xen with the patch?

It depends :)

If you use a newer AMD processor, it shouldn't matter.
If you control all of your domU, you could probably wait, as it
requires root privilege on domU to trigger the bug.
However if you run (e.g.) a VPS-hosting where other people have
control of the domU, you should build your own upgraded package
immediately.

FWIW, this is one of the examples of how using vendor-provided packages
would be useful. Red Hat already released updates that address that
vulnerability:
https://access.redhat.com/security/cve/CVE-2012-0217
https://rhn.redhat.com/errata/RHSA-2012-0721.html

-- 
Fajar
