xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)


Debian Bug report logs - #784011


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 2 May 2015 05:09:02 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in version xen/4.4.1-9

Fixed in version xen/4.5.1~rc1-1

Done: Ian Campbell <ijc@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#784011; Package src:xen. (Sat, 02 May 2015 05:09:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sat, 02 May 2015 05:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Date: Sat, 02 May 2015 07:04:34 +0200
Source: xen
Version: 4.4.1-9
Severity: normal
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for xen.

CVE-2015-3340[0]:
| Xen 4.2.x through 4.5.x does not initialize certain fields, which
| allows certain remote service domains to obtain sensitive information
| from memory via a (1) XEN_DOMCTL_gettscinfo or (2)
| XEN_SYSCTL_getdomaininfolist request.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3340
[1] http://xenbits.xen.org/xsa/advisory-132.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
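The bug class the CVE text describes, a reply structure copied out to the toolstack although the handler never wrote some of its fields, shown as an added C illustration that is not Xen's code: the structure, the handlers and the stale-byte marker are constructed for this example, and the fix shown is the general one of zeroing the whole object before filling it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a domctl reply structure; NOT Xen's
 * xen_guest_tsc_info_t. The leaky handler fills only some fields. */
struct info_reply {
    uint32_t mode;
    uint32_t incarnation;   /* never written by the leaky handler */
    uint64_t elapsed;
    uint8_t  flags;         /* trailing padding follows this byte */
};

#define STALE 0xA5  /* marker standing in for stale hypervisor stack data */

/* Vulnerable pattern: fill a few fields, then copy the whole object out. */
void handler_leaky(struct info_reply *r) {
    r->mode = 1;
    r->elapsed = 12345;
}

/* Hardened pattern: zero the whole object first, so unwritten fields
 * and padding can never carry earlier contents of that memory. */
void handler_fixed(struct info_reply *r) {
    memset(r, 0, sizeof *r);
    r->mode = 1;
    r->elapsed = 12345;
}

/* Runs a handler on memory that still holds STALE bytes from earlier use,
 * copies the reply out as a copy-to-guest would, and returns how many
 * stale bytes reached the caller's buffer. */
size_t leaked_bytes(void (*handler)(struct info_reply *)) {
    union {
        struct info_reply r;
        unsigned char bytes[sizeof(struct info_reply)];
    } u;
    unsigned char out[sizeof(struct info_reply)];
    memset(u.bytes, STALE, sizeof u.bytes);   /* simulate stale stack contents */
    handler(&u.r);
    memcpy(out, u.bytes, sizeof u.bytes);      /* the copy-out to the toolstack */
    size_t n = 0;
    for (size_t i = 0; i < sizeof out; i++)
        if (out[i] == STALE) n++;
    return n;
}

int main(void) {
    printf("leaky handler discloses %zu of %zu bytes\n",
           leaked_bytes(handler_leaky), sizeof(struct info_reply));
    printf("fixed handler discloses %zu bytes\n", leaked_bytes(handler_fixed));
    return 0;
}
```

The leaky handler writes 12 bytes (mode and elapsed); every other byte of the reply, including the padding the compiler inserts, is whatever the memory held before.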



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#784011; Package src:xen. (Sat, 02 May 2015 12:06:04 GMT)


Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sat, 02 May 2015 12:06:04 GMT)


Message #10 received at 784011@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 784011@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Date: Sat, 2 May 2015 14:03:10 +0200

On Sat, May 02, 2015 at 07:04:34AM +0200, Salvatore Bonaccorso wrote:
> the following vulnerability was published for xen.

I consider this issue as unimportant.  Not sure how I can mark it this
way in the security tracker.

Bastian

-- 
Knowledge, sir, should be free to all!
		-- Harry Mudd, "I, Mudd", stardate 4513.3



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#784011; Package src:xen. (Sat, 02 May 2015 13:21:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sat, 02 May 2015 13:21:08 GMT)


Message #15 received at 784011@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bastian Blank <waldi@debian.org>
Cc: 784011@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#784011: xen: CVE-2015-3340: Information leak through XEN_DOMCTL_gettscinfo (XSA-132)
Date: Sat, 2 May 2015 15:18:23 +0200

Hi Bastian,

On Sat, May 02, 2015 at 02:03:10PM +0200, Bastian Blank wrote:
> On Sat, May 02, 2015 at 07:04:34AM +0200, Salvatore Bonaccorso wrote:
> > the following vulnerability was published for xen.
> 
> I consider this issue as unimportant.  Not sure how I can mark it this
> way in the security tracker.

Basically the severities behind the status in brackets. But note that
in this case it was already marked low, with the meaning of severities
in
http://security-team.debian.org/security_tracker.html#severity-levels


Basically then adding (unimportant) in the line for the package, in
this case

	- xen <unfixed> (unimportant; bug #784011).

I have changed that now, referring to your comment in this bug.

Regards,
Salvatore



Marked as fixed in versions xen/4.5.1~rc1-1. Request was from Ian Campbell <ijc@debian.org> to control@bugs.debian.org. (Thu, 05 Nov 2015 14:57:09 GMT)


Marked Bug as done. Request was from Ian Campbell <ijc@debian.org> to control@bugs.debian.org. (Thu, 05 Nov 2015 14:57:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 05 Nov 2015 14:57:11 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#784011. (Thu, 05 Nov 2015 14:57:16 GMT)


Message #24 received at 784011-submitter@bugs.debian.org:

From: Ian Campbell <ijc@debian.org>
To: control@bugs.debian.org
Cc: 784011-submitter@bugs.debian.org
Subject: closing 784011
Date: Thu, 05 Nov 2015 14:52:48 +0000

close 784011 4.5.1~rc1-1
thanks

This was fixed in the 4.5.1-rc1 release, git commit f2e08aa5b1bb upstream.

Thanks,
Ian.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Dec 2015 07:26:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:11 2019; Machine Name: buxtehude
