XEN Security Update XSA-191/192/193/195/197/198/199, CVE-2016-9386/9382/9385/9383/9381/9379/9380/9637
| Issue | Summary | Affected: Static, CentOS 5.x | Affected: Static, CentOS 6.x | Affected: CloudBoot, CentOS 5.x | Affected: CloudBoot, CentOS 6.x | Fixed: Static, CentOS 5.x | Fixed: Static, CentOS 6.x | Fixed: CloudBoot, CentOS 5.x | Fixed: CloudBoot, CentOS 6.x |
|---|---|---|---|---|---|---|---|---|---|
| XSA-191 / CVE-2016-9386 | x86 null segments not always treated as unusable | ✓* | ✓* | ✓* | ✓* | ✓ | ✓ | ✓ | ✓ |
| XSA-192 / CVE-2016-9382 | x86 task switch to VM86 mode mis-handled | - | ✓** | - | ✓** | - | ✓ | - | ✓ |
| XSA-193 / CVE-2016-9385 | x86 segment base write emulation lacking canonical address checks | - | ✓*** | - | ✓*** | - | ✓ | - | ✓ |
| XSA-195 / CVE-2016-9383 | x86 64-bit bit test instruction emulation broken | ✓**** | ✓**** | ✓**** | ✓**** | ✓ | ✓ | ✓ | ✓ |
| XSA-197 / CVE-2016-9381 | QEMU incautious about shared ring processing | ✓* | ✓* | ✓* | ✓* | ✓ | ✓ | ✓ | ✓ |
| XSA-198 / CVE-2016-9379, CVE-2016-9380 | Delimiter injection vulnerabilities in pygrub | ✓***** | ✓***** | ✓***** | ✓***** | ✓ | ✓ | ✓ | ✓ |
| XSA-199 / CVE-2016-9637 | QEMU ioport array overflow | ✓* | ✓* | ✓* | ✓* | ✓ | - | ✓ | - |

The "Affected" columns show which compute resource type and CentOS release is exposed; the "Fixed" columns show where a fixed package is available. Static and CloudBoot are the two compute resource types.
\* Both Static and CloudBoot Xen compute resources under CentOS 5.x and 6.x are affected; all running HVM guests (FreeBSD, Windows, Recovery, Boot from ISO or Build from ISO modes) are vulnerable.
\*\* Both Static and CloudBoot compute resources under CentOS 6.x (Xen 4.0 onward) are affected; all running 32-bit x86 HVM guests (FreeBSD, Windows, Boot from ISO or Build from ISO modes) are vulnerable.
\*\*\* Both Static and CloudBoot compute resources under CentOS 6.x are affected; all running 32-bit x86 PV guests (all Linux i386) are vulnerable.
\*\*\*\* Both Static and CloudBoot compute resources under CentOS 5.x and 6.x are affected; all running 64-bit guests, PV and HVM alike (Linux, FreeBSD, Windows, Recovery, Boot from ISO or Build from ISO modes), are vulnerable.
\*\*\*\*\* Both Static and CloudBoot Xen compute resources under CentOS 5.x and 6.x are affected; all running PV guests (Linux guests) are vulnerable.
Static Compute Resources
For customers willing to upgrade to the latest compute resource tools (the tools version corresponding to the installed OnApp version):

The following step applies to CentOS 5.x Xen compute resources only. Run:

```
# rm -f /etc/yum.repos.d/GITCO-*.repo
# yum update onapp-hv-install
```

Then run the OnApp Xen Compute Resource installer:

```
# /onapp/onapp-hv-install/onapp-hv-xen-install.sh
```

Reboot all compute resources.

For customers who are already using the latest compute resource tools, or who do not want to upgrade them:

CentOS 5.x

```
# yum update xen xen-libs
```

This should update to the xen-3.4.4-27.el5.onapp.x86_64 version.

CentOS 6.x

```
# yum update xen xen-hypervisor
```

- For OnApp HV tools older than version 4.2.0 this should update to the xen-4.2.5-38.33.onapp.el6.x86_64 version.
- For OnApp HV tools from version 4.2.0 onward the fix is provided by CentOS.org; the command above should update to the 4.4.4-14 version.

Reboot all compute resources. The fix is only effective once the host is running the new hypervisor, so check the booted version (for example with `xl info` or `xm info`) after the reboot rather than relying on the installed package alone.
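Because the fixed build differs by CentOS release and by OnApp HV tools version, it is easy to mis-read an `rpm -q xen` line when checking a fleet. The script below is an added example, not OnApp's own tooling: it takes the NVRA string that `rpm -q xen` prints on a Static compute resource, the CentOS major version and whether the HV tools predate 4.2.0, and reports `fixed` or `vulnerable` by comparing against the builds named in this advisory. The version ordering is a simplified rpmvercmp written in awk (no epoch, no tilde handling); the advisory gives "4.4.4-14" without a dist tag, so any 4.4.4-14 build is accepted for that line (an assumption). The sample NVRA strings at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OnApp's tooling): is the installed Xen package at or past
# the fixed build named in the XSA-191..199 advisory for this host?

# Fixed builds quoted in the advisory, as VERSION-RELEASE.
FIXED_EL5="3.4.4-27.el5.onapp"            # CentOS 5.x
FIXED_EL6_ONAPP="4.2.5-38.33.onapp.el6"   # CentOS 6.x, HV tools older than 4.2.0
FIXED_EL6_CENTOS="4.4.4-14"               # CentOS 6.x, HV tools 4.2.0 or newer;
                                          # no dist tag in the advisory (assumption)

# Strip package name and architecture from an NVRA such as
# xen-4.2.5-38.33.onapp.el6.x86_64, leaving 4.2.5-38.33.onapp.el6.
xen_vr_from_nvra() {
  printf '%s\n' "$1" | sed -e 's/^xen-//' -e 's/\.x86_64$//' -e 's/\.i686$//' -e 's/\.noarch$//'
}

# Simplified rpmvercmp: split both strings into alternating numeric and
# alphabetic runs (separators dropped), compare run by run (numbers
# numerically, a number beats a letter run, letters by string order); if all
# common runs match, the string with more runs is newer. Prints -1, 0 or 1.
rpm_vercmp() {
  awk -v a="$1" -v b="$2" '
    function runs(s, arr,    n) {
      n = 0
      while (length(s) > 0) {
        if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
          arr[++n] = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
        } else {
          s = substr(s, 2)          # skip a separator such as . or -
        }
      }
      return n
    }
    BEGIN {
      na = runs(a, A); nb = runs(b, B); r = 0
      for (i = 1; i <= na && i <= nb && r == 0; i++) {
        x = A[i]; y = B[i]
        xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
        if (xn && yn)      { if (x + 0 > y + 0) r = 1; else if (x + 0 < y + 0) r = -1 }
        else if (xn != yn) { r = xn ? 1 : -1 }
        else if (x != y)   { r = (x > y) ? 1 : -1 }
      }
      if (r == 0 && na != nb) r = (na > nb) ? 1 : -1
      print r
    }'
}

# Minimum fixed VERSION-RELEASE for a host, selected by CentOS major version
# ($1) and whether the OnApp HV tools are older than 4.2.0 ($2: yes/no).
expected_fixed_version() {
  case "$1" in
    5) echo "$FIXED_EL5" ;;
    6) if [ "$2" = yes ]; then echo "$FIXED_EL6_ONAPP"; else echo "$FIXED_EL6_CENTOS"; fi ;;
    *) return 1 ;;
  esac
}

# xen_status NVRA CENTOS_MAJOR TOOLS_PRE_420 -> prints fixed, vulnerable or unknown.
xen_status() {
  want=$(expected_fixed_version "$2" "$3") || { echo unknown; return 0; }
  have=$(xen_vr_from_nvra "$1")
  if [ "$(rpm_vercmp "$have" "$want")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
}

# On a live host:  xen_status "$(rpm -q xen)" 6 yes
# Constructed inputs so the file runs stand-alone:
for nvra in xen-3.4.4-26.el5.onapp.x86_64 xen-3.4.4-27.el5.onapp.x86_64; do
  echo "$nvra: $(xen_status "$nvra" 5 yes)"
done
```

The installed package only tells you what will run after the next reboot; pair this with the hypervisor version reported by `xl info` or `xm info` to confirm the fixed build is the one actually booted.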
CloudBoot Compute Resources
To eliminate the security issue for CloudBoot Compute Resources, see the CloudBoot Compute Resources and CloudBoot Backup Server upgrade procedures.
This should update to the following version:

| CentOS | Xen |
|---|---|