Debian Bug report logs -
#848713
xen: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep during emulation
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 19 Dec 2016 19:06:01 UTC
Severity: important
Tags: patch, security, upstream
Found in version xen/4.4.1-6
Fixed in version xen/4.8.0-1
Done: Ian Jackson <ian.jackson@eu.citrix.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#848713; Package src:xen.
(Mon, 19 Dec 2016 19:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>.
(Mon, 19 Dec 2016 19:06:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: xen
Version: 4.4.1-6
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for xen.
CVE-2016-10013[0]:
x86: Mishandling of SYSCALL singlestep during emulation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10013
[1] https://xenbits.xen.org/xsa/advisory-204.html
Regards,
Salvatore
Added tag(s) pending.
Request was from Ian Jackson <Ian.Jackson@eu.citrix.com>
to control@bugs.debian.org.
(Wed, 21 Dec 2016 15:09:11 GMT) (full text, mbox, link).
Reply sent
to Ian Jackson <ian.jackson@eu.citrix.com>:
You have taken responsibility.
(Thu, 22 Dec 2016 18:51:37 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 22 Dec 2016 18:51:37 GMT) (full text, mbox, link).
Message #12 received at 848713-close@bugs.debian.org (full text, mbox, reply):
Source: xen
Source-Version: 4.8.0-1
We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 848713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ian Jackson <ian.jackson@eu.citrix.com> (supplier of updated xen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 22 Dec 2016 14:51:46 +0000
Source: xen
Binary: libxen-4.8 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common xen-utils-4.8 xen-hypervisor-4.8-amd64 xen-system-amd64 xen-hypervisor-4.8-arm64 xen-system-arm64 xen-hypervisor-4.8-armhf xen-system-armhf
Architecture: all amd64 source
Version: 4.8.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Ian Jackson <ian.jackson@eu.citrix.com>
Closes: 763102 764912 770456 796370 812166 818129 818525 844419 845667 845669 848713
Description:
libxen-4.8 - Public libs for Xen
libxen-dev - Public headers and libs for Xen
libxenstore3.0 - Xenstore communications library for Xen
xen-hypervisor-4.8-amd64 - Xen Hypervisor on AMD64
xen-hypervisor-4.8-arm64 - Xen Hypervisor on ARM64
xen-hypervisor-4.8-armhf - Xen Hypervisor on ARMHF
xen-system-amd64 - Xen System on AMD64 (meta-package)
xen-system-arm64 - Xen System on ARM64 (meta-package)
xen-system-armhf - Xen System on ARMHF (meta-package)
xen-utils-4.8 - XEN administrative tools
xen-utils-common - Xen administrative tools - common files
xenstore-utils - Xenstore command line utilities for Xen
Changes:
xen (4.8.0-1) unstable; urgency=high
.
* Update to upstream Xen 4.8.0.
Includes the following security fixes:
XSA-201 CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
XSA-198 CVE-2016-9379 CVE-2016-9380
XSA-196 CVE-2016-9378 CVE-2016-9377 Closes:#845669
XSA-195 CVE-2016-9383
XSA-194 CVE-2016-9384 Closes:#845667
XSA-193 CVE-2016-9385
XSA-192 CVE-2016-9382
XSA-191 CVE-2016-9386
Includes other bugfixes too:
Closes:#812166, Closes:#818525.
.
Cherry picks from upstream:
* Security fixes:
XSA-204 CVE-2016-10013 Closes:#848713
XSA-203 CVE-2016-10025
XSA-202 CVE-2016-10024
For completeness, the following XSAs do not apply here:
XSA-197 CVE-2016-9381 Bug is in qemu
XSA-199 CVE-2016-9637 Bug is in qemu
XSA-200 CVE-2016-9932 Xen 4.8 is not affected
* Cherry pick a build failure fix:
"x86/emul: add likely()/unlikely() to test harness"
.
[ Ian Jackson ]
* Drop -lcrypto search from upstream configure, and from our
Build-Depends. Closes:#844419.
* Change my own email address to my work (Citrix) address. When
uploading, I will swap hats to effectively sponsor my own upload.
.
[ Ian Campbell ]
* Start a qemu process in dom0 to service the toolstacks loopback disk
attaches. (Closes: #770456)
* Remove correct pidfile when stopping xenconsoled.
* Check that xenstored has actually started before talking to it.
Incorporate a timeout so as not to block boot (Mitigates #737613)
* Correct syntax error in xen-init-list when running with xend
(Closes: #763102)
* Apply SELinux labels to directories created by initscripts. Patch from
Russell Coker. (Closes: #764912)
* Include a reportbug control file to redirect bugs to src:xen for
packages which contain the Xen version in the name. Closes:#796370.
.
[ Lubomir Host ]
* Fix xen-init-name to not fail looking for a nonexistent 'config'
entry in xl's JSON output. Closes:#818129.
Checksums-Sha1:
f50cffc81437849c472665223aa774bcacbebb8a 2695 xen_4.8.0-1.dsc
68af11f47eb9044e720238043a35bde8ff801bae 5539854 xen_4.8.0.orig.tar.gz
3c2c5f9ce7187aaf8c33032406e61aae159a7154 54204 xen_4.8.0-1.debian.tar.xz
d307a194c0cb743c7aa2c139436f3d74e7f21d62 1608156 libxen-4.8-dbgsym_4.8.0-1_amd64.deb
854b8fc58b8a9e200298eb920128a727e93c0d40 409422 libxen-4.8_4.8.0-1_amd64.deb
a471592e1f56e3764cb930cfe7d4721a19b62d9a 648860 libxen-dev_4.8.0-1_amd64.deb
607463987384afe0d38211b4db712a722d34fa68 25182 libxenstore3.0-dbgsym_4.8.0-1_amd64.deb
70ee242885bd4a7722f8504a8d98b66c6cb4d39e 32278 libxenstore3.0_4.8.0-1_amd64.deb
897e85213311c2fd8b7df07b958307007966f6c9 1826404 xen-hypervisor-4.8-amd64_4.8.0-1_amd64.deb
bbf6b1bb4ee9d50e74a916942f40b86cca54982a 21332 xen-system-amd64_4.8.0-1_amd64.deb
075c3db99290dfbdcff40fcf79a32661efdfa58b 845480 xen-utils-4.8-dbgsym_4.8.0-1_amd64.deb
938490827bb37c32336372368b5cb18904ec4ee1 418246 xen-utils-4.8_4.8.0-1_amd64.deb
7dab9089bf16058ebec751b982994ce24d6b242a 278366 xen-utils-common_4.8.0-1_all.deb
1df6f71af44234d0c458c41700931a335aad370b 9547 xen_4.8.0-1_amd64.buildinfo
88fcbf292683f1185523377158e6c552755dc6cb 13372 xenstore-utils-dbgsym_4.8.0-1_amd64.deb
753399d983b19994f87c2047f2869f740c8bdda0 28042 xenstore-utils_4.8.0-1_amd64.deb
Checksums-Sha256:
a2e5d83d62e07c1f19ee2104ed714842fd06145fdc3d3aaf3fa94783d0f0bbe5 2695 xen_4.8.0-1.dsc
a124b20919f669ff24a0b38c4798b1391d2d5e23a30a97cf867c80d31fc6aff5 5539854 xen_4.8.0.orig.tar.gz
2d5d31e657a549593ea7f3374a51c2837f74a550aa7dd27c79c3b020c071c685 54204 xen_4.8.0-1.debian.tar.xz
e076e00fc3fad05b5a746e27ca317335d59c41408530f423c1d1633c295c42d6 1608156 libxen-4.8-dbgsym_4.8.0-1_amd64.deb
64b51afec988cba19c22b650ef6d3b4740532498fa7dd20937ed6ef4d3278809 409422 libxen-4.8_4.8.0-1_amd64.deb
431651cdb5e70bd058363e78a8807a1997f48b11df23893452d9911bc0b2c500 648860 libxen-dev_4.8.0-1_amd64.deb
63d1a01e0182ed896cf455d7f656b0b76f41854e357b0851fd1d0ba4b023e5ec 25182 libxenstore3.0-dbgsym_4.8.0-1_amd64.deb
bbc6accbce8dc129a05cdcea7c0426fce233b479fe35273b7ed6cc5e051c62cf 32278 libxenstore3.0_4.8.0-1_amd64.deb
3e7b346912e3966be90b7ff3b1a69f3d10845f88fbad19e43762beda3e55c128 1826404 xen-hypervisor-4.8-amd64_4.8.0-1_amd64.deb
635f6ffd5424dcdd6ac3b94ed92f2b1051e4ef7acd9f8f8b7ffc5c6ddd93b554 21332 xen-system-amd64_4.8.0-1_amd64.deb
4facff8cc51078501b280ffd6bdd7653c14effdfd9d379249efec4e86bb10aa8 845480 xen-utils-4.8-dbgsym_4.8.0-1_amd64.deb
a7e5510e2e15fe330fb4cb39772d48094866f8fc3cdc0f7311c970829226333c 418246 xen-utils-4.8_4.8.0-1_amd64.deb
4691b276bbddc6c0e8787537e9d2ba233a79020de4636f282ff1e0d4362136ef 278366 xen-utils-common_4.8.0-1_all.deb
f43c9ab2b84f86afc20f7062bbb0a8c6982cf284641037300af77e9f69ed33e9 9547 xen_4.8.0-1_amd64.buildinfo
c0b394f288110c4595f6ce9060d99753562c9e76e195825e48476280d91d17d3 13372 xenstore-utils-dbgsym_4.8.0-1_amd64.deb
9bcc1bc9ece775bb4d0b51889f4f3fa1649c7b4315f6ab54f1e57789b527fea6 28042 xenstore-utils_4.8.0-1_amd64.deb
Files:
23f9209113d1eeea2a0437d3fad90d3c 2695 kernel optional xen_4.8.0-1.dsc
e1781f0c2520460a491773514ed7b240 5539854 kernel optional xen_4.8.0.orig.tar.gz
8d3339429b2ba64444f99a5c3b3d822b 54204 kernel optional xen_4.8.0-1.debian.tar.xz
aa7605fb2abadb85caa9bf0fec33fb0a 1608156 debug extra libxen-4.8-dbgsym_4.8.0-1_amd64.deb
eef6d1ee34d7ce29b2b7d76b93587e8e 409422 libs optional libxen-4.8_4.8.0-1_amd64.deb
a462a75ea58fa6d26bc2742ac4b017cb 648860 libdevel optional libxen-dev_4.8.0-1_amd64.deb
fae8fae0b98038cf8edc4d8837898136 25182 debug extra libxenstore3.0-dbgsym_4.8.0-1_amd64.deb
eff71541e8a5c57367aa078eb83e8438 32278 libs optional libxenstore3.0_4.8.0-1_amd64.deb
7f018d1f7090a9ad1b1a740681e239e1 1826404 kernel optional xen-hypervisor-4.8-amd64_4.8.0-1_amd64.deb
8dc166c2219ae276077f98dc5977b044 21332 kernel optional xen-system-amd64_4.8.0-1_amd64.deb
52926b763b56303b5cd2d9e07fe6557d 845480 debug extra xen-utils-4.8-dbgsym_4.8.0-1_amd64.deb
5cb23919571225f1bd657f5ec921e735 418246 kernel optional xen-utils-4.8_4.8.0-1_amd64.deb
dc4190bc68b40e9e3823df5e777c2945 278366 kernel optional xen-utils-common_4.8.0-1_all.deb
1cce32a4697824fb3c0fb16611a867fe 9547 kernel optional xen_4.8.0-1_amd64.buildinfo
926c2579760edc5b7146df656b9d9b11 13372 debug extra xenstore-utils-dbgsym_4.8.0-1_amd64.deb
21d134175b79cdca9e90e592fd70ada4 28042 admin optional xenstore-utils_4.8.0-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEVZrkbC1rbTJl58uh4+M5I0i1DTkFAlhcHLQACgkQ4+M5I0i1
DTkdzwgAtpnrjhKRtYsjiwwSlhuMptwIisg0F7nqpdIq9cyAPGDDu06IX6Emu01M
Eep95w6Y0XgvhWBKCCPXgGRrdxHLRwCyfc3dQfXtxpaneCaJlzf/QzKI2lFqnvXk
reGawlsqQTXtxRQbpL7rlzEN6PWkgGrxE0nj2WGPsze1pTsSFPr+Dt1Z/QOqZ7D8
96xQHzsh9Y2O2uZT+iLd/3uVPmGZK1w8n3WB0l0cJcPgEayAajEOFtGxiyLchIen
gqVypm/Z5YxMQwkBjUazjZoi7owNoIxKnb5BUprNH13l8eYbug6Xe/pGnLh/VxQL
JupVMf3z7WCUft3MOBNpdOxufqkJVg==
=HXGO
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 30 Jan 2017 07:27:37 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:40:34 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon