Announcing Xen 4.3.2 and 4.2.4 Releases

jbeulich

jbeulich

3 min read

The Xen Project is pleased to announce the availability of  two maintenance releases: Xen 4.3.2 and Xen 4.2.4.

Xen 4.3.2 Release

This release is available immediately from the git repository:

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.2)

or from the XenProject download page:

http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-432.html

This fixes the following critical vulnerabilities:

  • CVE-2013-2212 / XSA-60    Excessive time to disable caching with HVM guests with PCI passthrough
  • CVE-2013-4494 / XSA-73    Lock order reversal between page allocation and grant table locks
  • CVE-2013-4553 / XSA-74    Lock order reversal between page_alloc_lock and mm_rwlock
  • CVE-2013-4551 / XSA-75     Host crash due to guest VMX instruction execution
  • CVE-2013-4554 / XSA-76     Hypercalls exposed to privilege rings 1 and 2 of HVM guests
  • CVE-2013-6375 / XSA-78     Insufficient TLB flushing in VT-d (iommu) code
  • CVE-2013-6400 / XSA-80     IOMMU TLB flushing may be inadvertently suppressed
  • CVE-2013-6885 / XSA-82      Guest triggerable AMD CPU erratum may cause host hang
  • CVE-2014-1642 / XSA-83     Out-of-memory condition yielding memory corruption during IRQ setup
  • CVE-2014-1891 / XSA-84     integer overflow in several XSM/Flask hypercalls
  • CVE-2014-1895 / XSA-85     Off-by-one error in FLASK_AVC_CACHESTAT hypercall
  • CVE-2014-1896 / XSA-86     libvchan failure handling malicious ring indexes
  • CVE-2014-1666 / XSA-87     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
  • CVE-2014-1950 / XSA-88     use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.3 stable series to update to this latest point release.  If you intend to stay with the 4.2 codebase, please examine the release below.
 

Xen 4.2.4 Release

This release is available immediately from the git repository:

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2 (tag RELEASE-4.2.4)

or from the XenProject download page:

http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-424.html

This fixes the following critical vulnerabilities:

  • CVE-2013-2212 / XSA-60     Excessive time to disable caching with HVM guests with PCI passthrough
  • CVE-2013-1442 / XSA-62     Information leak on AVX and/or LWP capable CPUs
  • CVE-2013-4355 / XSA-63     Information leaks through I/O instruction emulation
  • CVE-2013-4361 / XSA-66     Information leak through fbld instruction emulation
  • CVE-2013-4368 / XSA-67     Information leak through outs instruction emulation
  • CVE-2013-4369 / XSA-68     possible null dereference when parsing vif ratelimiting info
  • CVE-2013-4370 / XSA-69     misplaced free in ocaml xc_vcpu_getaffinity stub
  • CVE-2013-4371 / XSA-70     use-after-free in libxl_list_cpupool under memory pressure
  • CVE-2013-4375 / XSA-71     qemu disk backend (qdisk) resource leak
  • CVE-2013-4416 / XSA-72     ocaml xenstored mishandles oversized message replies
  • CVE-2013-4494 / XSA-73     Lock order reversal between page allocation and grant table locks
  • CVE-2013-4553 / XSA-74     Lock order reversal between page_alloc_lock and mm_rwlock
  • CVE-2013-4551 / XSA-75     Host crash due to guest VMX instruction execution
  • CVE-2013-4554 / XSA-76     Hypercalls exposed to privilege rings 1 and 2 of HVM guests
  • CVE-2013-6375 / XSA-78     Insufficient TLB flushing in VT-d (iommu) code
  • CVE-2013-6400 / XSA-80     IOMMU TLB flushing may be inadvertently suppressed
  • CVE-2013-6885 / XSA-82     Guest triggerable AMD CPU erratum may cause host hang
  • CVE-2014-1642 / XSA-83     Out-of-memory condition yielding memory corruption during IRQ setup
  • CVE-2014-1891 / XSA-84     integer overflow in several XSM/Flask hypercalls
  • CVE-2014-1895 / XSA-85     Off-by-one error in FLASK_AVC_CACHESTAT hypercall
  • CVE-2014-1896 / XSA-86     libvchan failure handling malicious ring indexes
  • CVE-2014-1666 / XSA-87     PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
  • CVE-2014-1950 / XSA-88     use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.2 stable series to update to this latest point release.
 

Read more

🛠️ Xen Summit 2025: Find Your Place in the Future of Virtualization
06/27/2025

The annual Xen Summit is right around the corner, and there has never been a more exciting time to be part of the Xen Project. As enterprise and industrial needs shift and proprietary vendors rethink their licensing, the industry is ready for strong, open alternatives. Xen stands out not only

Read more
Let’s Grow Xen Together!
03/18/2025

Xen is open, secure, and built for the future. As the new Community Manager, I’m focused on growing the Xen community, welcoming new contributors, and ensuring a thriving ecosystem. Let’s build the future of virtualization together!

Read more
Xen Project 4.20: A Step Forward in Open Source Virtualization
03/11/2025

The Xen Project has released Xen 4.20 🎉! This release introduces a range of enhancements that further solidify its position as the premier open-source hypervisor. It delivers important security updates, improved performance, and broader hardware support. Xen has doubled down as the best choice for cloud providers, enterprise users, and

Read more
Xen Project Winter Meetup
02/13/2025

We just wrapped up the Xen Winter Meetup 2025. It was an amazing opportunity to push Xen forward in a way that can only happen when people get together in person. Organized by Vates, we hosted it at the University of Grenoble IMAG building, a great spot for cutting-edge research

Read more