# alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues (feed updated 2019-07-23T13:39:55Z)

## [3.1] libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length (CVE-2016-0739)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5175 (Alicha CH, 2019-07-23T13:39:55Z)

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
### Fixed In Version:
libssh 0.7.3
### References:
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
*(from redmine: issue id 5175, created on 2016-02-24, closed on 2016-03-01)*
* Relations:
* parent #5171
* Changesets:
* Revision ac98067334bc13e50408a0ae33e4416c12d30e35 on 2016-02-26T11:05:20Z:
```
main/libssh: upgrade to 0.6.5, security fix (CVE-2016-0739). Fixes #5175
(cherry picked from commit 8fd14512598c4438817e0c3b405cfa648fc72898)
```
*(milestone 3.1.5, assigned to Natanael Copa)*

## [3.2] libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length (CVE-2016-0739)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5174 (Alicha CH, 2019-07-23T13:39:56Z)

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
### Fixed In Version:
libssh 0.7.3
### References:
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
*(from redmine: issue id 5174, created on 2016-02-24, closed on 2016-03-01)*
* Relations:
* parent #5171
* Changesets:
* Revision 8fd14512598c4438817e0c3b405cfa648fc72898 on 2016-02-25T11:22:06Z:
```
main/libssh: security fix (CVE-2016-0739). Fixes #5174
```
*(milestone 3.2.4, assigned to Natanael Copa)*

## [3.3] libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length (CVE-2016-0739)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5173 (Alicha CH, 2019-07-23T13:39:57Z)

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
### Fixed In Version:
libssh 0.7.3
### References:
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
*(from redmine: issue id 5173, created on 2016-02-24, closed on 2016-03-01)*
* Relations:
* parent #5171
* Changesets:
* Revision 3ffde6161c4951006a14b23b6b89131114c846d4 on 2016-02-25T10:30:33Z:
```
main/libssh: security upgrade to 0.7.3 (CVE-2016-0739). Fixes #5173
(cherry picked from commit 8967b28bae04756e804afa403733139e2adedfdb)
```
*(milestone 3.3.2, assigned to Natanael Copa)*

## [3.4] libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length (CVE-2016-0739)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5172 (Alicha CH, 2019-07-23T13:39:58Z)

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
### Fixed In Version:
libssh 0.7.3
### References:
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
*(from redmine: issue id 5172, created on 2016-02-24, closed on 2016-03-01)*
* Relations:
* parent #5171
* Changesets:
* Revision 8967b28bae04756e804afa403733139e2adedfdb on 2016-02-24T15:55:20Z:
```
main/libssh: security upgrade to 0.7.3 (CVE-2016-0739). Fixes #5172
```
*(milestone 3.4.0, assigned to Natanael Copa)*

## libssh: bits/bytes confusion resulting in truncated Diffie-Hellman secret length (CVE-2016-0739)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5171 (Alicha CH, 2019-07-23T13:39:59Z)

libssh versions 0.1 and above have a bits/bytes confusion bug and generate an abnormally short ephemeral secret for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. The resulting secret is 128 bits long, instead of the recommended sizes of 1024 and 2048 bits respectively. There are practical algorithms (Baby steps/Giant steps, Pollard’s rho) that can solve this problem in O(2^63) operations.
### Fixed In Version:
libssh 0.7.3
### References:
https://www.libssh.org/security/advisories/CVE-2016-0739.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0739
*(from redmine: issue id 5171, created on 2016-02-24, closed on 2016-03-01)*
* Relations:
* child #5172
* child #5173
* child #5174
* child #5175
* child #5176

*(assigned to Natanael Copa)*

## [3.0] nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5170 (Alicha CH, 2019-07-23T13:40:00Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5170, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* parent #5165
* Changesets:
* Revision dffdb25189c631ad6bfce4965c741df5964e446d on 2016-02-26T12:56:30Z:
```
main/nettle: security fix (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805). Fixes #5170
(cherry picked from commit bc1b8cdb81f24f01d962fc29e48ca02bf09d6ec7)
```
*(milestone 3.0.7)*

## [3.1] nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5169 (Alicha CH, 2019-07-23T13:40:01Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5169, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* parent #5165
* Changesets:
* Revision bc1b8cdb81f24f01d962fc29e48ca02bf09d6ec7 on 2016-02-26T11:01:34Z:
```
main/nettle: security fix (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805). Fixes #5169
```
*(milestone 3.1.5)*

## [3.2] nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5168 (Alicha CH, 2019-07-23T13:40:02Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5168, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* parent #5165
* Changesets:
* Revision 775b25076f747d4d008d25adbc59ec3bedd69e39 on 2016-02-25T11:22:06Z:
```
main/nettle: security upgrade to 3.2 (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805). Fixes #5168
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
```
*(milestone 3.2.4)*

## [3.3] nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5167 (Alicha CH, 2019-07-23T13:40:03Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5167, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* parent #5165
* Changesets:
* Revision a3c775d5c379bde11788b2a3dee651e5e87f1b3e on 2016-02-25T10:54:58Z:
```
main/nettle: security upgrade to 3.2 (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805). Fixes #5167
https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
```
*(milestone 3.3.2)*

## [3.4] nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5166 (Alicha CH, 2019-07-23T13:40:04Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5166, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* parent #5165
* Changesets:
* Revision 3a2031b005debb4b0e0c83896d3719b53b2ed0b8 on 2016-02-24T15:52:13Z:
```
main/nettle: security upgrade to 3.2 (CVE-2015-8803, CVE-2015-8805, CVE-2015-8804). Fixes #5166
```
*(milestone 3.4.0)*

## nettle: Miscomputations of elliptic curve scalar multiplications (CVE-2015-8803, CVE-2015-8804, CVE-2015-8805)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5165 (Alicha CH, 2019-07-23T13:40:05Z)

**CVE-2015-8803, CVE-2015-8805:** secp256 calculation bug
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d.patch
**CVE-2015-8804:** miscalculations on secp384 curve
Patch:
https://git.lysator.liu.se/nettle/nettle/commit/fa269b6ad06dd13c901dbd84a12e52b918a09cd7.patch
They affect the NIST P-256 and P-384 curves. The P-256 bug is
in the C code and affects multiple architectures. The P-384 bug is in
the assembly code and only affects 64 bit x86.
### Fixed In Version:
Nettle 3.2 fixes all three bugs.
### References:
http://seclists.org/oss-sec/2016/q1/266
https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
https://bugzilla.redhat.com/show_bug.cgi?id=1304303
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8804
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8805
*(from redmine: issue id 5165, created on 2016-02-23, closed on 2016-03-01)*
* Relations:
* child #5166
* child #5167
* child #5168
* child #5169
* child #5170

## [Raspberry Pi] Missing Module.symvers file for RPI 2 (Arm v7 architecture)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5164 (Ray Davis, 2019-07-23T13:40:06Z)

Dear Admin

As I understand both -rpi and -rpi2 have different configs, which could cause symvers to be different. The current linux-rpi-dev-4.1.15-r1.apk cannot cater to the v7 ARM RPI2 CPU.

Unless we have a Module.symvers file for RPI2 either within the linux-rpi-dev-4.1.15-r1.apk or as a separate package, we cannot compile many things.

Please treat this with urgency. My idea of filing these bugs/testing and trying to push is only to make sure the Alpine distro for RPI is the best possible distro.

Thank you
*(from redmine: issue id 5164, created on 2016-02-22, closed on 2016-03-18)*
* Changesets:
* Revision bd65e126faa05089bd18b7f19c5d63392d709118 by Timo Teräs on 2016-02-23T18:08:56Z:
```
main/linux-rpi: upgrade to 4.1.18, and ship -rpi2-dev
fixes #5164
```
* Revision e3d1986a4484d0676a0c150549440bc2b6388de1 by Timo Teräs on 2016-03-02T15:47:32Z:
```
main/linux-rpi: upgrade to 4.1.18, and ship -rpi2-dev
fixes #5164
(cherry picked from commit bd65e126faa05089bd18b7f19c5d63392d709118)
```
*(milestone 3.3.2)*

## [3.0] xen: Multiple security issues (xsa-154 - xsa-170)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5163 (Alicha CH, 2019-07-23T13:40:07Z)

### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability settings can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which (in the virtualized case) can be broken only by intercepting delivery of the respective exception. Architecturally, at least some of these cases should also be resolvable by an arriving NMI or external interrupt, but empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the device’s state, which in turn allows the generic MSI code (called by Xen PCI backend) to be called incorrectly, leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. (CVE-2015-8551)

To exploit this the guest can craft a specific sequence of `XEN_PCI_OP_*` operations which will trigger this.

Furthermore the frontend can also craft a continuous stream of `XEN_PCI_OP_enable_msi` which will trigger a continuous stream of WARN() messages triggered by the MSI code, leading the logging in the initial domain to exhaust disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) `XENMEM_exchange` error handling issues
Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is CVE-2015-8339.

Furthermore error handling so far wrongly included the release of a lock. That lock, however, was either not acquired or already released on all paths leading to the error handling sequence. This is CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is the same as the buffer size (4096), the appended CRC code overwrites 4 bytes after the s->buffer, making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to `MMUEXT_MARK_SUPER` and `MMUEXT_UNMARK_SUPER` sub-ops of the `HYPERVISOR_mmuext_op` hypercall as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its “individual address” variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer which doesn’t satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler’s stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5163, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* parent #5158
* Changesets:
* Revision 7b7ecda52be8a1674088597c992f7faa3ff38f97 on 2016-02-26T12:51:21Z:
```
main/xen: security fixes. Fixes #5163 (partially)
(CVE-2016-2270, XSA-154)
(CVE-2015-8339, CVE-2015-8340, XSA-159)
(CVE-2015-8341, XSA-160)
(CVE-2015-8555, XSA-165)
(CVE-2016-1570, XSA-167)
(CVE-2016-1571, XSA 168)
(CVE-2016-2271, XSA-170)
```
*(milestone 3.0.7, assigned to Ariadne Conill <ariadne@ariadne.space>)*

## [3.1] xen: Multiple security issues (xsa-154 - xsa-170)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5162 (Alicha CH, 2019-07-23T13:40:09Z)

### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability settings can cause problems. While one category (risk of using stale data) affects only guests themselves (and hence avoiding this can be left for them to control), the other category being Machine Check exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which (in the virtualized case) can be broken only by intercepting delivery of the respective exception. Architecturally, at least some of these cases should also be resolvable by an arriving NMI or external interrupt, but empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the device’s state, which in turn allows the generic MSI code (called by Xen PCI backend) to be called incorrectly, leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. (CVE-2015-8551)

To exploit this the guest can craft a specific sequence of `XEN_PCI_OP_*` operations which will trigger this.

Furthermore the frontend can also craft a continuous stream of `XEN_PCI_OP_enable_msi` which will trigger a continuous stream of WARN() messages triggered by the MSI code, leading the logging in the initial domain to exhaust disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) `XENMEM_exchange` error handling issues
Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is CVE-2015-8339.

Furthermore error handling so far wrongly included the release of a lock. That lock, however, was either not acquired or already released on all paths leading to the error handling sequence. This is CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is the same as the buffer size (4096), the appended CRC code overwrites 4 bytes after the s->buffer, making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to `MMUEXT_MARK_SUPER` and `MMUEXT_UNMARK_SUPER` sub-ops of the `HYPERVISOR_mmuext_op` hypercall as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its “individual address” variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer which doesn’t satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler’s stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5162, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* parent #5158
* Changesets:
* Revision 5c6f6540495a819f4ee6722fa9299f96060b713f on 2016-02-25T12:59:17Z:
```
main/xen: security fixes. Fixes #5162 (partially)
(CVE-2016-2270, XSA-154)
(CVE-2015-8339, CVE-2015-8340, XSA-159)
(CVE-2015-8341, XSA-160)
(CVE-2015-8555, XSA-165)
(CVE-2016-1570, XSA-167)
(CVE-2016-1571, XSA 168)
(CVE-2016-2271, XSA-170)
```
3.1.5 Ariadne Conill <ariadne@ariadne.space> Ariadne Conill <ariadne@ariadne.space>
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5161
[3.2] xen: Multiple security issues (xsa-154 - xsa-170) 2019-07-23T13:40:10Z Alicha CH
### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability
setting can cause problems. While one category (risk of using stale
data) affects only guests themselves (and hence avoiding this can be
left for them to control), the other category being Machine Check
exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results
in an infinite loop inside the CPU, which (in the virtualized case)
can be broken only by intercepting delivery of the respective
exception. Architecturally, at least some of these cases should also
be resolvable by an arriving NMI or external interrupt, but
empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the
device’s state, which in turn allows the generic MSI code (called by
the Xen PCI backend) to be called incorrectly, leading to BUG
conditions or NULL pointer exceptions in the MSI code. (CVE-2015-8551)
To exploit this the guest can craft a specific sequence of
XEN\_PCI\_OP\_\* operations which will trigger this.
Furthermore the frontend can also craft a continuous stream of
XEN\_PCI\_OP\_enable\_msi operations, which will trigger a continuous
stream of WARN() messages from the MSI code, leading to the logging
in the initial domain exhausting disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) XENMEM\_exchange error handling issues
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving
packets in loopback mode, appends CRC code to the receive buffer.
If the data size given is the same as the buffer size (4096), the
appended CRC code overwrites 4 bytes after s->buffer,
making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests. This is the case for the
page identifier (MFN) passed to MMUEXT\_MARK\_SUPER and
MMUEXT\_UNMARK\_SUPER sub-ops of the HYPERVISOR\_mmuext\_op hypercall
as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its “individual address” variant,
which is used to back the intercepted INVLPG in certain cases, fails
in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer
which doesn’t satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler’s stack). Provided
the guest OS allows user mode to map the virtual memory space
immediately below the canonical/non-canonical address boundary, a
non-canonical instruction pointer can result even from normal user
mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5161, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* parent #5158
* Changesets:
* Revision 9587e8ddfc6cb1922e75282409fec378bee93a86 on 2016-02-24T10:27:02Z:
```
main/xen: security fix multiple vulnerabilities. Fixes #5161
(CVE-2016-2270, XSA-154)
(CVE-2015-8550, XSA-155)
(CVE-2015-8339, CVE-2015-8340, XSA-159)
(CVE-2015-8341, XSA-160)
(CVE-2015-8555, XSA-165)
(CVE-2016-1570, XSA-167)
(CVE-2016-1571, XSA 168)
(CVE-2015-8615, XSA-169)
(CVE-2016-2271, XSA-170)
```
* Revision a145cb0cac7f44ec96bad04dc0dadd4d8c6f632b on 2016-02-24T11:33:57Z:
```
main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5161
(cherry picked from commit 561bee69490ba198a8875f13eeba68964043ad1d)
```
* Revision 06df930789bedccfba2146420a9f2f943e9015f2 on 2016-02-24T13:14:16Z:
```
main/linux-grsec: security fix (CVE-2015-8550, xsa-155). Fixes #5161
```
* Revision 308e70ec22018c4261570b300675d9145dfea9f0 on 2016-02-25T11:24:14Z:
```
main/linux-vanilla: security fix (CVE-2015-8550, xsa-155). Fixes #5161
```
* Revision a27a1dfef88c02a9ccc3443b59f9907d630dc82f on 2016-02-26T08:43:23Z:
```
main/linux-grsec: security fix (CVE-2015-8551, CVE-2015-8552, XSA-157). Fixes #5161
```
3.2.4 Ariadne Conill <ariadne@ariadne.space> Ariadne Conill <ariadne@ariadne.space>
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5160
[3.3] xen: Multiple security issues (xsa-154 - xsa-170) 2019-07-23T13:40:11Z Alicha CH
### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability
setting can cause problems. While one category (risk of using stale
data) affects only guests themselves (and hence avoiding this can be
left for them to control), the other category being Machine Check
exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results
in an infinite loop inside the CPU, which (in the virtualized case)
can be broken only by intercepting delivery of the respective
exception. Architecturally, at least some of these cases should also
be resolvable by an arriving NMI or external interrupt, but
empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the
device’s state, which in turn allows the generic MSI code (called by
the Xen PCI backend) to be called incorrectly, leading to BUG
conditions or NULL pointer exceptions in the MSI code. (CVE-2015-8551)
To exploit this the guest can craft a specific sequence of
XEN\_PCI\_OP\_\* operations which will trigger this.
Furthermore the frontend can also craft a continuous stream of
XEN\_PCI\_OP\_enable\_msi operations, which will trigger a continuous
stream of WARN() messages from the MSI code, leading to the logging
in the initial domain exhausting disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) XENMEM\_exchange error handling issues
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving
packets in loopback mode, appends CRC code to the receive buffer.
If the data size given is the same as the buffer size (4096), the
appended CRC code overwrites 4 bytes after s->buffer,
making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests. This is the case for the
page identifier (MFN) passed to MMUEXT\_MARK\_SUPER and
MMUEXT\_UNMARK\_SUPER sub-ops of the HYPERVISOR\_mmuext\_op hypercall
as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its “individual address” variant,
which is used to back the intercepted INVLPG in certain cases, fails
in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2015-8615, XSA-169) x86: unintentional logging upon guest changing callback method
HYPERVISOR\_hvm\_op sub-op HVMOP\_set\_param’s HVM\_PARAM\_CALLBACK\_IRQ
operation intends to log the new callback method in debug builds only.
The full message, however, is split into two parts, the second one of
which didn’t get suppressed on non-debug builds as would have been
intended.
### References:
http://xenbits.xen.org/xsa/advisory-169.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer
which doesn’t satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler’s stack). Provided
the guest OS allows user mode to map the virtual memory space
immediately below the canonical/non-canonical address boundary, a
non-canonical instruction pointer can result even from normal user
mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5160, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* parent #5158
* Changesets:
* Revision 88cebe5b4fb6780c496cfce923046c833b0237ff on 2016-02-24T09:40:16Z:
```
main/xen: security fix multiple vulnerabilities. Fixes #5160
(CVE-2016-2270, XSA-154)
(CVE-2015-8550, XSA-155)
(CVE-2015-8339, CVE-2015-8340, XSA-159)
(CVE-2015-8341, XSA-160)
(CVE-2015-8555, XSA-165)
(CVE-2016-1570, XSA-167)
(CVE-2016-1571, XSA 168)
(CVE-2015-8615, XSA-169)
(CVE-2016-2271, XSA-170)
(cherry picked from commit ccba2d08cc9d7de25cfa2eccbe943cb2e4ced400)
```
* Revision 7e224e4ae1720e18573440dfbecc06d0b2fdee56 on 2016-02-24T10:12:35Z:
```
main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5160
(cherry picked from commit 561bee69490ba198a8875f13eeba68964043ad1d)
```
* Revision 5de48aa6054001fbbb268a8b9dfde035c7478b6a on 2016-02-24T12:56:13Z:
```
main/linux-grsec: security fix (CVE-2015-8550, xsa-155). Fixes #5160
(cherry picked from commit ed9dc5651926188f0fe277a0e5a51961ee5545f1)
```
* Revision f4daf7f71ebcae92286f454de52a9eed33c1903d on 2016-02-25T13:43:53Z:
```
main/linux-grsec: security fix (CVE-2015-8551, CVE-2015-8552, XSA-157). Fixes #5160
(cherry picked from commit 1ab17fee115046c3923d9b2abeb1ff2677caaf76)
```
3.3.2 Ariadne Conill <ariadne@ariadne.space> Ariadne Conill <ariadne@ariadne.space>
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5159
[3.4] xen: Multiple security issues (xsa-154 - xsa-170) 2019-07-23T13:40:13Z Alicha CH
### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability
setting can cause problems. While one category (risk of using stale
data) affects only guests themselves (and hence avoiding this can be
left for them to control), the other category being Machine Check
exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results
in an infinite loop inside the CPU, which (in the virtualized case)
can be broken only by intercepting delivery of the respective
exception. Architecturally, at least some of these cases should also
be resolvable by an arriving NMI or external interrupt, but
empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the
device’s state, which in turn allows the generic MSI code (called by
the Xen PCI backend) to be called incorrectly, leading to BUG
conditions or NULL pointer exceptions in the MSI code. (CVE-2015-8551)
To exploit this the guest can craft a specific sequence of
XEN\_PCI\_OP\_\* operations which will trigger this.
Furthermore the frontend can also craft a continuous stream of
XEN\_PCI\_OP\_enable\_msi operations, which will trigger a continuous
stream of WARN() messages from the MSI code, leading to the logging
in the initial domain exhausting disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) XENMEM\_exchange error handling issues
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving
packets in loopback mode, appends CRC code to the receive buffer.
If the data size given is the same as the buffer size (4096), the
appended CRC code overwrites 4 bytes after s->buffer,
making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests. This is the case for the
page identifier (MFN) passed to MMUEXT\_MARK\_SUPER and
MMUEXT\_UNMARK\_SUPER sub-ops of the HYPERVISOR\_mmuext\_op hypercall
as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its “individual address” variant,
which is used to back the intercepted INVLPG in certain cases, fails
in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2015-8615, XSA-169) x86: unintentional logging upon guest changing callback method
HYPERVISOR\_hvm\_op sub-op HVMOP\_set\_param’s HVM\_PARAM\_CALLBACK\_IRQ
operation intends to log the new callback method in debug builds only.
The full message, however, is split into two parts, the second one of
which didn’t get suppressed on non-debug builds as would have been
intended.
### References:
http://xenbits.xen.org/xsa/advisory-169.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer
which doesn’t satisfy certain requirements. In particular, the
instruction pointer needs to be canonical when entering a guest
currently in 64-bit mode. This is the case even if the VM entry
information specifies an exception to be injected immediately (in
which case the bad instruction pointer would possibly never get used
for other than pushing onto the exception handler’s stack). Provided
the guest OS allows user mode to map the virtual memory space
immediately below the canonical/non-canonical address boundary, a
non-canonical instruction pointer can result even from normal user
mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5159, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* parent #5158
* Changesets:
* Revision ccba2d08cc9d7de25cfa2eccbe943cb2e4ced400 on 2016-02-24T08:31:30Z:
```
main/xen: security fix multiple vulnerabilities. Fixes #5159
(CVE-2016-2270, XSA-154)
(CVE-2015-8550, XSA-155)
(CVE-2015-8339, CVE-2015-8340, XSA-159)
(CVE-2015-8341, XSA-160)
(CVE-2015-8555, XSA-165)
(CVE-2016-1570, XSA-167)
(CVE-2016-1571, XSA 168)
(CVE-2015-8615, XSA-169)
(CVE-2016-2271, XSA-170)
```
* Revision 561bee69490ba198a8875f13eeba68964043ad1d on 2016-02-24T09:25:07Z:
```
main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5159
```
* Revision ed9dc5651926188f0fe277a0e5a51961ee5545f1 on 2016-02-24T10:37:15Z:
```
main/linux-grsec: security fix (CVE-2015-8550, xsa-155). Fixes #5159
```
* Revision a148c910b9b3d31765e4d315b0db4f5195ffeb82 on 2016-02-24T11:29:47Z:
```
main/linux-vanilla: security fix (CVE-2015-8550, xsa-155). Fixes #5159
```
* Revision 1ab17fee115046c3923d9b2abeb1ff2677caaf76 on 2016-02-25T13:23:24Z:
```
main/linux-grsec: security fix (CVE-2015-8551, CVE-2015-8552, XSA-157). Fixes #5159
```
3.4.0 Ariadne Conill <ariadne@ariadne.space> Ariadne Conill <ariadne@ariadne.space>
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5158
xen: Multiple security issues (xsa-154 - xsa-170) 2019-07-23T13:40:14Z Alicha CH
### (CVE-2016-2270, xsa-154) x86: inconsistent cachability flags on guest mappings
Multiple mappings of the same physical page with different cachability
setting can cause problems. While one category (risk of using stale
data) affects only guests themselves (and hence avoiding this can be
left for them to control), the other category being Machine Check
exceptions can be fatal to entire hosts.
### References:
http://xenbits.xen.org/xsa/advisory-154.html
### (CVE-2015-8550, xsa-155) paravirtualized drivers incautious about shared memory contents
The compiler can emit optimizations in the PV backend drivers which
can lead to double fetch vulnerabilities. Specifically the shared
memory between the frontend and backend can be fetched twice (during
which time the frontend can alter the contents) possibly leading to
arbitrary code execution in backend.
### References:
http://xenbits.xen.org/xsa/advisory-155.html
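The double-fetch pattern XSA-155 describes, as an added example that is not code from Xen, Linux or this issue: a backend bounds-checks a length it read from a page the frontend can write, then re-reads that length from the same shared page when it does the copy, so a frontend that changes the value between the two reads gets past the check. The `shared_req` layout, the 64-byte slot, the payload bytes and the `frontend_flip` stand-in for the racing frontend are constructed for the demonstration. The hardened variant snapshots the request into private memory once and decides everything on the copy, which is the shape of the upstream approach of copying a request out of the shared ring before inspecting it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64    /* bytes the backend reserved per request (constructed) */
#define PAGE_DATA 256   /* payload area of the shared page (constructed) */

/* Request as it sits in memory shared with an untrusted frontend.
 * Accessed through 'volatile' because the other side can rewrite it
 * at any moment. */
struct shared_req {
    uint32_t len;
    uint8_t  data[PAGE_DATA];
};

/* Stand-in for the frontend rewriting the shared page in the window
 * between the backend's two reads of it. */
static void frontend_flip(volatile struct shared_req *r, uint32_t new_len)
{
    r->len = new_len;
}

/* Vulnerable backend: validates r->len, then fetches r->len a second
 * time for the copy. 'out' is PAGE_DATA bytes so the demo itself stays
 * in bounds; every byte written past SLOT_SIZE is the overflow a real
 * backend would suffer. Returns bytes copied, or -1 if rejected. */
static int backend_vulnerable(volatile struct shared_req *r, uint8_t *out,
                              uint32_t racing_len)
{
    if (r->len > SLOT_SIZE)          /* fetch 1: the check */
        return -1;
    frontend_flip(r, racing_len);    /* the frontend wins the race here */
    uint32_t n = r->len;             /* fetch 2: the use, now a different value */
    memcpy(out, (const uint8_t *)r->data, n);
    return (int)n;
}

/* Hardened backend: one snapshot of the request into private memory,
 * then the check and the copy both use the private copy. */
static int backend_hardened(volatile struct shared_req *r, uint8_t *out,
                            uint32_t racing_len)
{
    struct shared_req local;
    memcpy(&local, (const void *)r, sizeof local);   /* the only fetch */
    frontend_flip(r, racing_len);    /* too late: r is never read again */
    if (local.len > SLOT_SIZE)
        return -1;
    memcpy(out, local.data, local.len);
    return (int)local.len;
}

/* Count bytes written beyond the 64-byte slot. */
static int bytes_past_slot(const uint8_t *out)
{
    int n = 0;
    for (int i = SLOT_SIZE; i < PAGE_DATA; i++)
        n += (out[i] != 0);
    return n;
}

/* Run one race: the frontend offers len=16 (valid), then flips it to 200
 * while the backend is between check and use. */
static int race_overflow(int (*backend)(volatile struct shared_req *,
                                        uint8_t *, uint32_t))
{
    struct shared_req page = { .len = 16 };
    uint8_t out[PAGE_DATA] = { 0 };
    memset(page.data, 0xAA, sizeof page.data);   /* constructed payload */
    backend(&page, out, 200);
    return bytes_past_slot(out);
}

static int vulnerable_bytes_past_slot(void) { return race_overflow(backend_vulnerable); }
static int hardened_bytes_past_slot(void)   { return race_overflow(backend_hardened); }

int main(void)
{
    printf("vulnerable backend: %d bytes written past its slot\n",
           vulnerable_bytes_past_slot());
    printf("hardened backend:   %d bytes written past its slot\n",
           hardened_bytes_past_slot());
    return 0;
}
```

The point to check in any backend that consumes a shared ring is that no field is read from the ring more than once: each read is a separate fetch the compiler is free to keep (it may also merge two reads into one, which is why the advisory speaks of compiler optimizations in both directions), and only a local copy gives the check and the use the same value.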
### (CVE-2015-5307, CVE-2015-8104, xsa-156) x86: CPU lockup during exception delivery
When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results
in an infinite loop inside the CPU, which (in the virtualized case)
can be broken only by intercepting delivery of the respective
exception. Architecturally, at least some of these cases should also
be resolvable by an arriving NMI or external interrupt, but
empirically this has been determined to not be the case.
### References:
http://xenbits.xen.org/xsa/advisory-156.html
### (CVE-2015-8551, CVE-2015-8552, xsa-157) Linux pciback missing sanity checks leading to crash
Xen PCI backend driver does not perform proper sanity checks on the
device’s state, which in turn allows the generic MSI code (called by
the Xen PCI backend) to be called incorrectly, leading to BUG
conditions or NULL pointer exceptions in the MSI code. (CVE-2015-8551)
To exploit this the guest can craft a specific sequence of
XEN\_PCI\_OP\_\* operations which will trigger this.
Furthermore the frontend can also craft a continuous stream of
XEN\_PCI\_OP\_enable\_msi operations, which will trigger a continuous
stream of WARN() messages from the MSI code, leading to the logging
in the initial domain exhausting disk space. (CVE-2015-8552)
### References:
http://xenbits.xen.org/xsa/advisory-157.html
### (CVE-2015-8339, CVE-2015-8340, xsa-159) XENMEM\_exchange error handling issues
Error handling in the operation may involve handing back pages to
the domain. This operation may fail when in parallel the domain gets
torn down. So far this failure unconditionally resulted in the host
being brought down due to an internal error being assumed. This is
CVE-2015-8339.
Furthermore error handling so far wrongly included the release of a
lock. That lock, however, was either not acquired or already released
on all paths leading to the error handling sequence. This is
CVE-2015-8340.
### References:
http://xenbits.xen.org/xsa/advisory-159.html
### (CVE-2015-8341, xsa-160) libxl leak of pv kernel and initrd on error
When constructing a guest which is configured to use a PV bootloader
which runs as a userspace process in the toolstack domain
(e.g. pygrub) libxl creates a mapping of the files to be used as
kernel and initial ramdisk when building the guest domain.
### References:
http://xenbits.xen.org/xsa/advisory-160.html
### (CVE-2015-7504, xsa-162) heap buffer overflow vulnerability in pcnet emulator
The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving
packets in loopback mode, appends CRC code to the receive buffer.
If the data size given is the same as the buffer size (4096), the
appended CRC code overwrites 4 bytes after s->buffer,
making the adjacent ‘s->irq’ object point to a new location.
### References:
http://xenbits.xen.org/xsa/advisory-162.html
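The off-by-FCS overrun XSA-162 describes, as an added example that is not the QEMU pcnet code or the upstream fix: the receive path checks the frame against the 4096-byte buffer but then appends a 4-byte CRC, so a maximum-size frame puts the CRC on whatever the allocator placed after the buffer. The `rx_model` layout (a buffer with a 4-byte `neighbour` standing in for the adjacent `s->irq`), the frame contents and the CRC-32 routine (IEEE 802.3, the CRC an Ethernet FCS carries) are assumptions made for the demonstration; the vulnerable variant writes through a flat byte view of the whole struct so the demo stays inside memory it owns while still landing on the neighbour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 4096   /* size of the emulator's receive buffer */
#define FCS_LEN     4      /* CRC appended to a frame in loopback mode */

/* Model of the tail of the device state: the receive buffer followed by
 * the field that XSA-162 describes being clobbered (constructed layout). */
struct rx_model {
    uint8_t buffer[RX_BUF_SIZE];
    uint8_t neighbour[FCS_LEN];     /* stands in for 's->irq' */
};

/* IEEE 802.3 CRC-32 (reflected polynomial 0xEDB88320); assumed here as
 * the stand-in for the emulator's own CRC computation. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Before the fix: only the payload is checked against the buffer, so a
 * 4096-byte frame passes and the 4-byte FCS lands in the neighbour.
 * Returns bytes stored (payload + FCS) or -1 if rejected. */
static int rx_loopback_vulnerable(struct rx_model *s, const uint8_t *pkt, size_t size)
{
    if (size > RX_BUF_SIZE)
        return -1;
    uint8_t *flat = (uint8_t *)s;            /* buffer and neighbour as one region */
    memcpy(flat, pkt, size);
    uint32_t fcs = crc32_ieee(pkt, size);
    memcpy(flat + size, &fcs, FCS_LEN);      /* size == 4096: overwrites neighbour */
    return (int)(size + FCS_LEN);
}

/* After: the check accounts for the FCS that will be appended. */
static int rx_loopback_fixed(struct rx_model *s, const uint8_t *pkt, size_t size)
{
    if (size > RX_BUF_SIZE - FCS_LEN)
        return -1;
    memcpy(s->buffer, pkt, size);
    uint32_t fcs = crc32_ieee(pkt, size);
    memcpy(s->buffer + size, &fcs, FCS_LEN);
    return (int)(size + FCS_LEN);
}

/* Drive one variant with a maximum-size frame; returns 1 if the
 * neighbour now holds that frame's FCS (i.e. it was clobbered), else 0. */
static int neighbour_clobbered(int (*rx)(struct rx_model *, const uint8_t *, size_t))
{
    static struct rx_model s;                 /* static: keep 4 KiB off the stack */
    static uint8_t pkt[RX_BUF_SIZE];
    for (size_t i = 0; i < sizeof pkt; i++)   /* constructed frame contents */
        pkt[i] = (uint8_t)(i * 7);
    memset(&s, 0, sizeof s);
    memcpy(s.neighbour, "\xDE\xAD\xBE\xEF", FCS_LEN);
    rx(&s, pkt, sizeof pkt);
    uint32_t fcs = crc32_ieee(pkt, sizeof pkt);
    return memcmp(s.neighbour, &fcs, FCS_LEN) == 0;
}

static int vulnerable_clobbers_neighbour(void) { return neighbour_clobbered(rx_loopback_vulnerable); }
static int fixed_clobbers_neighbour(void)      { return neighbour_clobbered(rx_loopback_fixed); }

/* The fixed path rejects a full-buffer frame and still accepts an MTU-sized one. */
static int fixed_rejects_full_frame(void)
{
    static struct rx_model s;
    static uint8_t pkt[RX_BUF_SIZE];
    return rx_loopback_fixed(&s, pkt, sizeof pkt) == -1;
}
static int fixed_stores_mtu_frame(void)
{
    static struct rx_model s;
    static uint8_t pkt[RX_BUF_SIZE];
    return rx_loopback_fixed(&s, pkt, 1500);   /* 1500 + 4 */
}

int main(void)
{
    printf("vulnerable: neighbour clobbered = %d\n", vulnerable_clobbers_neighbour());
    printf("fixed:      neighbour clobbered = %d, full frame rejected = %d\n",
           fixed_clobbers_neighbour(), fixed_rejects_full_frame());
    return 0;
}
```

The general rule this illustrates: a size check must cover everything the code writes after it, including trailers such as a CRC, padding or a terminator; checking the payload alone leaves exactly those bytes to spill.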
### (CVE-2015-8554, XSA-164) qemu-dm buffer overrun in MSI-X handling
“qemu-xen-traditional” (aka qemu-dm) tracks state for each MSI-X table
entry of a passed through device. This is used/updated on
(intercepted) accesses to the page(s) containing the MSI-X table.
### References:
http://xenbits.xen.org/xsa/advisory-164.html
### (CVE-2015-8555, XSA-165) information leak in legacy x86 FPU/XMM initialization
When XSAVE/XRSTOR are not in use by Xen to manage guest extended
register state, the initial values in the FPU stack and XMM registers
seen by the guest upon first use are those left there by the previous
user of those registers.
### References:
http://xenbits.xen.org/xsa/advisory-165.html
### (CVE-2016-1570, XSA-167) PV superpage functionality missing sanity checks
The PV superpage functionality lacks certain validity checks on data
being passed to the hypervisor by guests. This is the case for the
page identifier (MFN) passed to MMUEXT\_MARK\_SUPER and
MMUEXT\_UNMARK\_SUPER sub-ops of the HYPERVISOR\_mmuext\_op hypercall
as well as for various forms of page table updates.
### References:
http://xenbits.xen.org/xsa/advisory-167.html
### (CVE-2016-1571, XSA-168) VMX: intercept issue with INVLPG on non-canonical address
While INVLPG does not cause a General Protection Fault when used on a
non-canonical address, INVVPID in its “individual address” variant,
which is used to back the intercepted INVLPG in certain cases, fails
in such cases. Failure of INVVPID results in a hypervisor bug check.
### References:
http://xenbits.xen.org/xsa/advisory-168.html
### (CVE-2015-8615, XSA-169) x86: unintentional logging upon guest changing callback method
HYPERVISOR\_hvm\_op sub-op HVMOP\_set\_param’s HVM\_PARAM\_CALLBACK\_IRQ
operation intends to log the new callback method in debug builds only.
The full message, however, is split into two parts, the second one of
which didn’t get suppressed on non-debug builds as would have been
intended.
### References:
http://xenbits.xen.org/xsa/advisory-169.html
### (CVE-2016-2271, XSA-170) VMX: guest user mode may crash guest with non-canonical RIP
VMX refuses attempts to enter a guest with an instruction pointer which doesn’t satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies an exception to be injected immediately (in which case the bad instruction pointer would possibly never get used for other than pushing onto the exception handler’s stack). Provided the guest OS allows user mode to map the virtual memory space immediately below the canonical/non-canonical address boundary, a non-canonical instruction pointer can result even from normal user mode execution. VM entry failure, however, is fatal to the guest.
### References:
http://xenbits.xen.org/xsa/advisory-170.html
*(from redmine: issue id 5158, created on 2016-02-22, closed on 2016-03-01)*
* Relations:
* child #5159
* child #5160
* child #5161
* child #5162
* child #5163
* Assignee: Ariadne Conill <ariadne@ariadne.space>

https://gitlab.alpinelinux.org/alpine/aports/-/issues/5157
[3.0] nodejs: Security issues (CVE-2016-2086, CVE-2016-2216)
Updated: 2019-07-23T13:40:15Z
Author: Alicha CH
### (CVE-2016-2086) Request smuggling vulnerability
A request smuggling vulnerability was found in Node.js
that can be exploited under certain unspecified circumstances.
### Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
### (CVE-2016-2216) Response splitting vulnerability using Unicode characters
It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place.
### Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
### References:
https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2086
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2216
*(from redmine: issue id 5157, created on 2016-02-22, closed on 2016-02-24)*
* Relations:
* parent #5153
* Changesets:
* Revision 175b1af08edcdb18fcc874a6d375bb7cd623db61 on 2016-02-23T15:07:04Z:
```
main/nodejs: security upgrade to 0.10.42 (CVE-2016-2086, CVE-2016-2216). Fixes #5157
```
* Milestone: 3.0.7
* Assignee: Eivind Uggedal

https://gitlab.alpinelinux.org/alpine/aports/-/issues/5156
[3.1] nodejs: Security issues (CVE-2016-2086, CVE-2016-2216)
Updated: 2019-07-23T13:40:16Z
Author: Alicha CH
### (CVE-2016-2086) Request smuggling vulnerability
A request smuggling vulnerability was found in Node.js
that can be exploited under certain unspecified circumstances.
### Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
### (CVE-2016-2216) Response splitting vulnerability using Unicode characters
It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place.
### Fixed In Version:
nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0
### References:
https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2086
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2216
*(from redmine: issue id 5156, created on 2016-02-22, closed on 2016-02-24)*
* Relations:
* parent #5153
* Changesets:
* Revision 58bef3151de8d3e10ce83de635f5451e73161b72 on 2016-02-23T15:04:19Z:
```
main/nodejs: security upgrade to 0.10.42 (CVE-2016-2086, CVE-2016-2216). Fixes #5156
```
* Milestone: 3.1.5
* Assignee: Eivind Uggedal