Debian Bug report logs -
#800128
xen: CVE-2015-6654: printk is not rate-limited in xenmem_add_to_physmap_one
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 27 Sep 2015 07:33:05 UTC
Severity: normal
Tags: fixed-upstream, patch, security, upstream
Found in version xen/4.4.1-9
Fixed in version 4.8.0~rc5-1
Done: Ian Jackson <ian.jackson@eu.citrix.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#800128; Package src:xen.
(Sun, 27 Sep 2015 07:33:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(Sun, 27 Sep 2015 07:33:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: xen
Version: 4.4.1-9
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for xen.
CVE-2015-6654[0]:
| The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x,
| 4.4.x, and earlier does not limit the number of printk console
| messages when reporting a failure to retrieve a reference on a foreign
| page, which allows remote domains to cause a denial of service by
| leveraging permissions to map the memory of a foreign guest.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-6654
[1] http://xenbits.xen.org/xsa/advisory-141.html
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#800128; Package src:xen.
(Wed, 21 Dec 2016 15:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ian Jackson <ian.jackson@eu.citrix.com>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(Wed, 21 Dec 2016 15:57:03 GMT) (full text, mbox, link).
Message #10 received at 800128@bugs.debian.org (full text, mbox, reply):
Version: 4.8.0~rc5-1
In sid, this was fixed (at least) in this version.
Thanks,
Ian.
Reply sent
to Ian Jackson <ian.jackson@eu.citrix.com>:
You have taken responsibility.
(Wed, 21 Dec 2016 16:00:04 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 21 Dec 2016 16:00:04 GMT) (full text, mbox, link).
Message #15 received at 800128-done@bugs.debian.org (full text, mbox, reply):
Version: 4.8.0~rc5-1
In sid, this was fixed (at least) in this version.
Thanks,
Ian.
(let's try this BTS message again)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 30 Jan 2017 07:30:29 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:23 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon