Security update for xen SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1403-1 Final 1 1 2019-05-16T09:23:37Z current 2019-05-16T09:23:37Z 2019-05-16T09:23:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331) - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS) - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) These updates contain the XEN Hypervisor adjustments, that additionaly also use CPU Microcode updates. The mitigation can be controlled via the 'mds' commandline option, see the documentation. For more information on this set of vulnerabilities, check out https://www.suse.com/support/kb/doc/?id=7023736 Other fixes: - Added code to change LIBXL_HOTPLUG_TIMEOUT at runtime. The included README has details about the impact of this change (bsc#1120095) - Fixes in Live migrating PV domUs An earlier change broke live migration of PV domUs without a device model. The migration would stall for 10 seconds while the domU was paused, which caused network connections to drop. Fix this by tracking the need for a device model within libxl. (bsc#1079730, bsc#1098403, bsc#1111025) - Libvirt segfault when crash triggered on top of HVM guest (bsc#1120067) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1403 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00038.html E-Mail link for openSUSE-SU-2019:1403-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1027519 SUSE Bug 1027519 https://bugzilla.suse.com/1079730 SUSE Bug 1079730 https://bugzilla.suse.com/1098403 SUSE Bug 1098403 https://bugzilla.suse.com/1111025 SUSE Bug 1111025 https://bugzilla.suse.com/1111331 SUSE Bug 1111331 https://bugzilla.suse.com/1120067 SUSE Bug 1120067 https://bugzilla.suse.com/1120095 SUSE Bug 1120095 https://www.suse.com/security/cve/CVE-2018-12126/ SUSE CVE CVE-2018-12126 page https://www.suse.com/security/cve/CVE-2018-12127/ SUSE CVE CVE-2018-12127 page https://www.suse.com/security/cve/CVE-2018-12130/ SUSE CVE CVE-2018-12130 page https://www.suse.com/security/cve/CVE-2019-11091/ SUSE CVE CVE-2019-11091 page openSUSE Leap 15.0 xen-4.10.3_04-lp150.2.19.1 xen-devel-4.10.3_04-lp150.2.19.1 xen-doc-html-4.10.3_04-lp150.2.19.1 xen-libs-4.10.3_04-lp150.2.19.1 xen-libs-32bit-4.10.3_04-lp150.2.19.1 xen-tools-4.10.3_04-lp150.2.19.1 xen-tools-domU-4.10.3_04-lp150.2.19.1 xen-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-devel-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-doc-html-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-libs-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-libs-32bit-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-tools-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 xen-tools-domU-4.10.3_04-lp150.2.19.1 as a component of openSUSE Leap 15.0 Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2018-12126 openSUSE Leap 15.0:xen-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-devel-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-doc-html-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-32bit-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-domU-4.10.3_04-lp150.2.19.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00038.html https://www.suse.com/security/cve/CVE-2018-12126.html CVE-2018-12126 https://bugzilla.suse.com/1103186 SUSE Bug 1103186 https://bugzilla.suse.com/1111331 SUSE Bug 1111331 https://bugzilla.suse.com/1132686 SUSE Bug 1132686 https://bugzilla.suse.com/1135409 SUSE Bug 1135409 https://bugzilla.suse.com/1135524 SUSE Bug 1135524 https://bugzilla.suse.com/1137916 SUSE Bug 1137916 https://bugzilla.suse.com/1138534 SUSE Bug 1138534 https://bugzilla.suse.com/1141977 SUSE Bug 1141977 https://bugzilla.suse.com/1149725 SUSE Bug 1149725 https://bugzilla.suse.com/1149726 SUSE Bug 1149726 https://bugzilla.suse.com/1149729 SUSE Bug 1149729 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1201877 SUSE Bug 1201877 Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2018-12127 openSUSE Leap 15.0:xen-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-devel-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-doc-html-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-32bit-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-domU-4.10.3_04-lp150.2.19.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00038.html https://www.suse.com/security/cve/CVE-2018-12127.html CVE-2018-12127 https://bugzilla.suse.com/1103186 SUSE Bug 1103186 https://bugzilla.suse.com/1111331 SUSE Bug 1111331 https://bugzilla.suse.com/1132686 SUSE Bug 1132686 https://bugzilla.suse.com/1135409 SUSE Bug 1135409 https://bugzilla.suse.com/1138534 SUSE Bug 1138534 https://bugzilla.suse.com/1141977 SUSE Bug 1141977 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1201877 SUSE Bug 1201877 Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2018-12130 openSUSE Leap 15.0:xen-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-devel-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-doc-html-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-32bit-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-domU-4.10.3_04-lp150.2.19.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00038.html https://www.suse.com/security/cve/CVE-2018-12130.html CVE-2018-12130 https://bugzilla.suse.com/1103186 SUSE Bug 1103186 https://bugzilla.suse.com/1111331 SUSE Bug 1111331 https://bugzilla.suse.com/1132686 SUSE Bug 1132686 https://bugzilla.suse.com/1135409 SUSE Bug 1135409 https://bugzilla.suse.com/1137916 SUSE Bug 1137916 https://bugzilla.suse.com/1138534 SUSE Bug 1138534 https://bugzilla.suse.com/1141977 SUSE Bug 1141977 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1201877 SUSE Bug 1201877 Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf CVE-2019-11091 openSUSE Leap 15.0:xen-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-devel-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-doc-html-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-32bit-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-libs-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-4.10.3_04-lp150.2.19.1 openSUSE Leap 15.0:xen-tools-domU-4.10.3_04-lp150.2.19.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00038.html https://www.suse.com/security/cve/CVE-2019-11091.html CVE-2019-11091 https://bugzilla.suse.com/1103186 SUSE Bug 1103186 https://bugzilla.suse.com/1111331 SUSE Bug 1111331 https://bugzilla.suse.com/1132686 SUSE Bug 1132686 https://bugzilla.suse.com/1133319 SUSE Bug 1133319 https://bugzilla.suse.com/1135394 SUSE Bug 1135394 https://bugzilla.suse.com/1138043 SUSE Bug 1138043 https://bugzilla.suse.com/1138534 SUSE Bug 1138534 https://bugzilla.suse.com/1141977 SUSE Bug 1141977 https://bugzilla.suse.com/1178658 SUSE Bug 1178658 https://bugzilla.suse.com/1201877 SUSE Bug 1201877