Debian Bug report logs - #683279
CVE-2012-3432

Package: xen; Maintainer for xen is Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 30 Jul 2012 13:27:02 UTC

Severity: important

Tags: security

Fixed in versions xen/4.0.1-5.3, xen/4.1.3-1

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#683279; Package xen. (Mon, 30 Jul 2012 13:27:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Mon, 30 Jul 2012 13:27:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3432
Date: Mon, 30 Jul 2012 15:24:55 +0200
Package: xen
Severity: grave
Tags: security

Please see
http://www.openwall.com/lists/oss-security/2012/07/26/4 

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#683279; Package xen. (Mon, 30 Jul 2012 14:21:13 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Mon, 30 Jul 2012 14:21:13 GMT)

Message #10 received at 683279@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 683279@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#683279: CVE-2012-3432
Date: Mon, 30 Jul 2012 16:09:21 +0200
Control: severity -1 important

On Mon, Jul 30, 2012 at 03:24:55PM +0200, Moritz Muehlenhoff wrote:
> Please see
> http://www.openwall.com/lists/oss-security/2012/07/26/4 

This can only be used to crash a client from within.

Bastian

-- 
He's dead, Jim.
		-- McCoy, "The Devil in the Dark", stardate 3196.1



Severity set to 'important' from 'grave' Request was from Bastian Blank <waldi@debian.org> to 683279-submit@bugs.debian.org. (Mon, 30 Jul 2012 14:21:13 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#683279; Package xen. (Fri, 10 Aug 2012 07:48:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Fri, 10 Aug 2012 07:48:03 GMT)

Message #17 received at 683279@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Bastian Blank <waldi@debian.org>
Cc: security@debian.org, 683279@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#683279: CVE-2012-3432
Date: Fri, 10 Aug 2012 09:43:05 +0200

On Mon, Jul 30, 2012 at 04:09:21PM +0200, Bastian Blank wrote:
> Control: severity -1 important
> 
> On Mon, Jul 30, 2012 at 03:24:55PM +0200, Moritz Muehlenhoff wrote:
> > Please see
> > http://www.openwall.com/lists/oss-security/2012/07/26/4 
> 
> This can only be used to crash a client from within.

Additional issue:
http://www.openwall.com/lists/oss-security/2012/08/09/3

Cheers,
        Moritz



Reply sent to Guido Trotter <ultrotter@debian.org>:
You have taken responsibility. (Tue, 14 Aug 2012 21:21:09 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 14 Aug 2012 21:21:09 GMT)

Message #22 received at 683279-close@bugs.debian.org:

From: Guido Trotter <ultrotter@debian.org>
To: 683279-close@bugs.debian.org
Subject: Bug#683279: fixed in xen 4.0.1-5.3
Date: Tue, 14 Aug 2012 21:17:33 +0000
Source: xen
Source-Version: 4.0.1-5.3

We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Trotter <ultrotter@debian.org> (supplier of updated xen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Aug 2012 14:47:43 +0000
Source: xen
Binary: xen-docs-4.0 libxenstore3.0 libxen-dev xenstore-utils xen-utils-4.0 xen-hypervisor-4.0-amd64 xen-hypervisor-4.0-i386
Architecture: source all amd64
Version: 4.0.1-5.3
Distribution: stable-security
Urgency: high
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Guido Trotter <ultrotter@debian.org>
Description: 
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-4.0 - Documentation for Xen
 xen-hypervisor-4.0-amd64 - The Xen Hypervisor on AMD64
 xen-hypervisor-4.0-i386 - The Xen Hypervisor on i386
 xen-utils-4.0 - XEN administrative tools
 xenstore-utils - Xenstore utilities for Xen
Closes: 683279
Changes: 
 xen (4.0.1-5.3) stable-security; urgency=high
 .
   * Apply patch for CVE-2012-3432 (closes: #683279)
   * Apply patch for CVE-2012-3433

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAqbVwACgkQhImxTYgHUpvi9gCfYTsU0qqkJ8i+CYDxQif2+kLY
RfQAn23UFuX9XyoKe5Ru8YCVtd4axdRO
=yVyP
-----END PGP SIGNATURE-----




Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Fri, 17 Aug 2012 22:48:49 GMT)

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 17 Aug 2012 22:48:49 GMT)

Message #27 received at 683279-close@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: 683279-close@bugs.debian.org
Subject: Bug#683279: fixed in xen 4.1.3-1
Date: Fri, 17 Aug 2012 22:39:47 +0000
Source: xen
Source-Version: 4.1.3-1

We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 17 Aug 2012 11:25:02 +0200
Source: xen
Binary: xen-docs-4.1 libxen-4.1 libxenstore3.0 libxen-dev xenstore-utils libxen-ocaml libxen-ocaml-dev xen-utils-common xen-utils-4.1 xen-hypervisor-4.1-amd64 xen-system-amd64 xen-hypervisor-4.1-i386 xen-system-i386
Architecture: source amd64 all
Version: 4.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description: 
 libxen-4.1 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxen-ocaml - OCaml libraries for controlling Xen
 libxen-ocaml-dev - OCaml libraries for controlling Xen (devel package)
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-4.1 - Documentation for Xen
 xen-hypervisor-4.1-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.1-i386 - Xen Hypervisor on i386
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-i386 - Xen System on i386 (meta-package)
 xen-utils-4.1 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore utilities for Xen
Closes: 683279 683286
Changes: 
 xen (4.1.3-1) unstable; urgency=medium
 .
   * New upstream release: (closes: #683286)
     - Don't leave the x86 emulation in a bad state. (closes: #683279)
       CVE-2012-3432
     - Only check for shared pages while any exist on teardown.
       CVE-2012-3433
     - Fix error handling for unexpected conditions.
     - Update CPUID masking to latest Intel spec.
     - Allow large ACPI ids.
     - Fix IOMMU support for PCI-to-PCIe bridges.
     - Disallow access to some sensitive IO-ports.
     - Fix wrong address in IOTLB.
     - Fix deadlock on CPUs without working cpufreq driver.
     - Use uncached disk access in qemu.
     - Fix buffer size on emulated e1000 device in qemu.
   * Fixup broken and remove applied patches.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlAuE8QACgkQLkAIIn9ODhFkOgCdHbBpu3N5NPJifF3a5BEBNcVi
k+kAoIyz9t4ZPNBMZmu8Ll6k92yY0XTU
=hzNS
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 11 Oct 2012 07:27:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:11:08 2014; Machine Name: buxtehude.debian.org
