Skip to content


Xen 4.2.3 released

I am pleased to announce the release of Xen 4.2.3. This is available immediately from its git repository xenbits.xen.org (tag RELEASE-4.2.3) or from the Xen Project download pages.

This release fixes the following critical vulnerabilities:

  • CVE-2013-1918 / XSA-45: Several long latency operations are not preemptible
  • CVE-2013-1952 / XSA-49: VT-d interrupt remapping source validation flaw for bridges
  • CVE-2013-2076 / XSA-52: Information leak on XSAVE/XRSTOR capable AMD CPUs
  • CVE-2013-2077 / XSA-53: Hypervisor crash due to missing exception recovery on XRSTOR
  • CVE-2013-2078 / XSA-54: Hypervisor crash due to missing exception recovery on XSETBV
  • CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55: Multiple vulnerabilities in libelf PV kernel handling
  • CVE-2013-2072 / XSA-56: Buffer overflow in xencontrol Python bindings affecting xend
  • CVE-2013-2211 / XSA-57: libxl allows guest write access to sensitive console related xenstore keys
  • CVE-2013-1432 / XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes
  • XSA-61: libxl partially sets up HVM passthrough even with disabled iommu

The following minor vulnerability is also being addressed:

  • CVE-2013-2007 / XSA-51: qemu guest agent (qga) insecure file permissions

We recommend all users of the 4.2 stable series to update to this latest point release. Among many bug fixes and improvements:

  • addressing a regression from the fix for XSA-46
  • bug fixes to low level system state handling, including certain hardware errata workarounds

Be Sociable and Share!

Posted in Announcements.

Tagged with .


One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Continuing the Discussion

  1. Обновление Xen 4.2.3 с устранением 13 уязвимостей | AllUNIX.ru — Всероссийский портал о UNIX-системах linked to this post on September 9, 2013

    [...] Доступно корректирующее обновление свободного гипервизора Xen 4.2.3, в котором отмечено устранение 13 уязвимостей, из которых 12 помечены как критические. Среди уязвимостей имеются проблемы, позволяющие получить доступ к хост-системе из гостевого окружения, повысить свои привилегии в гостевой системе и инициировать крах хост-системы из гостевого окружения. [...]

You must be logged in to post a comment.