[SECURITY] Fedora Core 5 Update: xen-3.0.3-5.fc5

Daniel Berrange berrange at redhat.com
Mon Mar 19 22:58:37 UTC 2007

Fedora Update Notification

Product     : Fedora Core 5
Name        : xen
Version     : 3.0.3
Release     : 5.fc5
Summary     : Xen is a virtual machine monitor
Description :
This package contains the Xen hypervisor and Xen tools, needed to
run virtual machines on x86 systems, together with the kernel-xen*
packages.  Information on how to use Xen can be found at the Xen
project pages.

Virtualisation can be used to run multiple versions or multiple
Linux distributions on one system, or to test untrusted applications
in a sandboxed environment.

Update Information:

A flaw was found affecting the VNC server code in QEMU. On a
fully virtualized guest VM, where qemu monitor mode is
enabled, a user who had access to the VNC server could gain
the ability to read arbitrary files as root in the host
filesystem. (CVE-2007-0998)

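As an added example (not part of this announcement or the Fedora xen package), a check a host administrator could run to decide whether an installed xen package still predates this fix: it implements rpm's version-comparison rules in Python and compares an installed epoch:version-release against the 3.0.3-5.fc5 named in this notice. The function names and the assumption that the package carries no epoch are mine.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise compare: -1 if a < b, 0 if equal, 1 if a > b.
    Digit runs compare numerically, letter runs lexically, a numeric
    segment beats an alphabetic one, and '~' marks an older pre-release."""
    while a or b:
        # any other separator is skipped, so "5.fc5" equals "5_fc5"
        a, b = (re.sub(r"^[^A-Za-z0-9~]+", "", s) for s in (a, b))
        if a.startswith("~") != b.startswith("~"):  # only one side is a pre-release
            return -1 if a.startswith("~") else 1
        if a.startswith("~"):
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        isnum = a[0].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        ma, mb = re.match(pat, a), re.match(pat, b)
        if mb is None:  # segment types differ: the numeric side is newer
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        a, b = a[ma.end():], b[mb.end():]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a and not b:
        return 0
    return 1 if a else -1  # leftover segments make that side newer

def parse_evr(evr: str) -> tuple:
    # split "epoch:version-release"; a missing epoch counts as 0
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    return (epoch, version, release) if sep else (epoch, rest, "")

def evr_compare(x: str, y: str) -> int:
    for p, q in zip(parse_evr(x), parse_evr(y)):
        if (rc := rpmvercmp(p, q)):
            return rc
    return 0

FIXED_XEN_EVR = "3.0.3-5.fc5"  # fixed version-release from this advisory (no epoch assumed)
def xen_is_vulnerable(installed_evr: str) -> bool:
    # True when the installed xen EVR predates the CVE-2007-0998 fix
    return evr_compare(installed_evr, FIXED_XEN_EVR) < 0
```

The installed value would normally come from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' xen`, with `(none)` treated as epoch 0.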
* Wed Mar 14 2007 Daniel P. Berrange <berrange at redhat.com> - 3.0.3-5.fc5
- Disable access to QEMU monitor over VNC (CVE-2007-0998, bz 230295)
* Tue Mar  6 2007 Daniel P. Berrange <berrange at redhat.com> - 3.0.3-4.fc5
- Ensure PVFB daemon terminates if domain doesn't startup (bz 230634)
- Close QEMU file handles when running network script
- Improve hotplug error reporting
- Don't start PVFB daemon for HVM guests
- disable ipv6 autoconf on xenbr* devices (rhbz#216504)
- Fixed destroyDevice callers
- Workaround 'Cannot allocate memory' HVM bug
- Sanitize man pages
* Tue Jan 30 2007 Markus Armbruster <armbru at redhat.com>
- Update Xen paravirt framebuffer patch to upstream xen-unstable
  changeset 13066.  This changes the protocol to the one accepted
- Add compatibility with guests running our initial protocol.
* Tue Jan  9 2007 Daniel P. Berrange <berrange at redhat.com> - 3.0.3-3.fc5
- fix core dumps of 32 bit guests >2GB RAM (bz 215796)
- write the /local/domain/vm node early in the startup process (bz 215269)
- fix memory boundary checking in qemu-dm (bz 221119)
- add --force option to xenbus device detach code (bz 217853)
- fix keeping track of HVM vnc password (bz 218050)
- enable DMA on HVM virtual cdrom drive (bz 218357)
- new paravirt framebuffer, as merged upstream (bz 218050)
- more cosmetic pygrub fixing (bz 215316)
- make ballooning work right (bz 212069)
- do not auto-start a domain that was restored from a save (bz 217295)
- use log level info for messages that are not errors (bz 218759)
- Allows HTTP request to dump core of a domain (bz 214913)
- catch it when an HVM guest tries to use hde (bz 217736)
- make "xm list" display how much memory a domain really has (bz 217443)
- pass qemu and blktap I/O errors back to the guest (bz 217765, 217859)
- fix 2TB overflow/wraparound in blktap (bz 217580)
- various fixes from Herbert Xu's security audit
- allow HVM virtual floppy to be a device on dom0 (bz 216449)
- make uppercase characters always work in HVM console (bz 217554)
- move the dump path to /var/lib/xen (bug 212558)
* Tue Nov 14 2006 Juan Quintela <quintela at redhat.com> - 3.0.3-2.fc5
- add vmxassist fix from RHEL5.
* Mon Oct 30 2006 Daniel P. Berrange <berrange at redhat.com> - 3.0.3-1.fc5
- Update to xen-3.0.3 changeset 11774
- Pull in paravirt framebuffer patches
- Pull in VNC password patches for full & para-virt framebuffer
- Fix xenguest-install.py to use a read-write libvirt connection
- Make /etc/xen & /var/log/xen mode 0700 restricted to protect VNC password
- Add /var/lib/xen/images as a dir for storing file based disk images
- Added pygrub fixes for many kernels & cursor cosmetics
* Wed Sep 20 2006 Juan Quintela <quintela at redhat.com> - 3.0.2-4.FC5
- Update to xen-unstable cset: 11540.
* Wed Jun 21 2006 Daniel Veillard <veillard at redhat.com> - 3.0.2-3.FC5
- Add missing xen-compat.h needed to compile on the new xen sources
* Tue Jun 20 2006 Stephen C. Tweedie <sct at redhat.com> - 3.0.2-2.FC5
- Add BuildRequires: for gnu/stubs-32.h so that x86_64 builds pick up
  glibc32 correctly
- Update to xen-unstable cset 10278 (from rawhide) to enable kernel rebase

This update can be downloaded from:


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
