-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2020-64859a826b 2020-12-25 01:21:55.445209 --------------------------------------------------------------------------------
Name : xen Product : Fedora 33 Version : 4.14.0 Release : 14.fc33 URL : http://xen.org/ Summary : Xen is a virtual machine monitor Description : This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor
-------------------------------------------------------------------------------- Update Information:
xenstore watch notifications lacking permission checks [XSA-115, CVE-2020-29480] (#1908091) Xenstore: new domains inheriting existing node permissions [XSA-322, CVE-2020-29481] (#1908095) Xenstore: wrong path length check [XSA-323, CVE-2020-29482] (#1908096) Xenstore: guests can crash xenstored via watchs [XSA-324, CVE-2020-29484] (#1908088) Xenstore: guests can disturb domain cleanup [XSA-325, CVE-2020-29483] (#1908087) oxenstored memory leak in reset_watches [XSA-330, CVE-2020-29485] (#1908000) undue recursion in x86 HVM context switch code [XSA-348, CVE-2020-29566] (#1908085) oxenstored: node ownership can be changed by unprivileged clients [XSA-352, CVE-2020-29486] (#1908003) oxenstored: permissions not checked on root node [XSA-353, CVE-2020-29479] (#1908002) infinite loop when cleaning up IRQ vectors [XSA-356, CVE-2020-29567] (#1907932) FIFO event channels control block related ordering [XSA-358, CVE-2020-29570] (#1907931) FIFO event channels control structure ordering [XSA-359, CVE-2020-29571] (#1908089) -------------------------------------------------------------------------------- ChangeLog:
* Tue Dec 15 2020 Michael Young m.a.young@durham.ac.uk - 4.14.0-14 - xenstore watch notifications lacking permission checks [XSA-115, CVE-2020-29480] (#1908091) - Xenstore: new domains inheriting existing node permissions [XSA-322, CVE-2020-29481] (#1908095) - Xenstore: wrong path length check [XSA-323, CVE-2020-29482] (#1908096) - Xenstore: guests can crash xenstored via watchs [XSA-324, CVE-2020-29484] (#1908088) - Xenstore: guests can disturb domain cleanup [XSA-325, CVE-2020-29483] (#1905648) - oxenstored memory leak in reset_watches [XSA-330, CVE-2020-29485] (#1908000) - undue recursion in x86 HVM context switch code [XSA-348, CVE-2020-29566] (#1908085) - oxenstored: node ownership can be changed by unprivileged clients [XSA-352, CVE-2020-29486] (#1908003) - oxenstored: permissions not checked on root node [XSA-353, CVE-2020-29479] (#1908003) - infinite loop when cleaning up IRQ vectors [XSA-356, CVE-2020-29567] (#1907932) - FIFO event channels control block related ordering [XSA-358, CVE-2020-29570] (#1907931) - FIFO event channels control structure ordering [XSA-359, CVE-2020-29571] (#1908089) * Sat Dec 5 2020 Jeff Law law@redhat.com - 4.14.0-13 - Work around another gcc-11 stringop-overflow diagnostic -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1905623 - CVE-2020-29485 xen: oxenstored memory leak in reset_watches (XSA-330) https://bugzilla.redhat.com/show_bug.cgi?id=1905623 [ 2 ] Bug #1905626 - CVE-2020-29482 xen: Xenstore: wrong path length check (XSA-323) https://bugzilla.redhat.com/show_bug.cgi?id=1905626 [ 3 ] Bug #1905632 - CVE-2020-29481 xen: Xenstore: new domains inheriting existing node permissions (XSA-322) https://bugzilla.redhat.com/show_bug.cgi?id=1905632 [ 4 ] Bug #1905635 - CVE-2020-29484 xen: Xenstore: guests can crash xenstored via watchs (XSA-324) https://bugzilla.redhat.com/show_bug.cgi?id=1905635 [ 5 ] Bug #1905648 - CVE-2020-29483 xen: Xenstore: guests can disturb domain cleanup (XSA-325) https://bugzilla.redhat.com/show_bug.cgi?id=1905648 [ 6 ] Bug #1905652 - CVE-2020-29486 xen: oxenstored: node ownership can be changed by unprivileged clients (XSA-352) https://bugzilla.redhat.com/show_bug.cgi?id=1905652 [ 7 ] Bug #1905656 - CVE-2020-29567 xen: infinite loop when cleaning up IRQ vectors (XSA-356) https://bugzilla.redhat.com/show_bug.cgi?id=1905656 [ 8 ] Bug #1905668 - CVE-2020-29479 xen: oxenstored: permissions not checked on root node (XSA-353) https://bugzilla.redhat.com/show_bug.cgi?id=1905668 [ 9 ] Bug #1905669 - CVE-2020-29566 xen: undue recursion in x86 HVM context switch code (XSA-348) https://bugzilla.redhat.com/show_bug.cgi?id=1905669 [ 10 ] Bug #1905672 - CVE-2020-29480 xen: xenstore watch notifications lacking permission checks (XSA-115) https://bugzilla.redhat.com/show_bug.cgi?id=1905672 [ 11 ] Bug #1905675 - CVE-2020-29570 xen: FIFO event channels control block related ordering (XSA-358) https://bugzilla.redhat.com/show_bug.cgi?id=1905675 [ 12 ] Bug #1905676 - CVE-2020-29571 xen: FIFO event channels control structure ordering https://bugzilla.redhat.com/show_bug.cgi?id=1905676 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-64859a826b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org