Announcing Xen 4.3.2 and 4.2.4 Releases
The Xen Project is pleased to announce the availability of  two maintenance releases: Xen 4.3.2 and Xen 4.2.4.
Xen 4.3.2 Release
This release is available immediately from the git repository:
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3Â (tag RELEASE-4.3.2)
or from the XenProject download page:
http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-432.html
This fixes the following critical vulnerabilities:
- CVE-2013-2212 / XSA-60Â Â Excessive time to disable caching with HVM guests with PCI passthrough
- CVE-2013-4494 / XSA-73Â Â Lock order reversal between page allocation and grant table locks
- CVE-2013-4553 / XSA-74 Â Â Lock order reversal between page_alloc_lock and mm_rwlock
- CVE-2013-4551 / XSA-75 Â Â Â Host crash due to guest VMX instruction execution
- CVE-2013-4554 / XSA-76 Â Â Â Hypercalls exposed to privilege rings 1 and 2 of HVM guests
- CVE-2013-6375 / XSA-78 Â Â Â Insufficient TLB flushing in VT-d (iommu) code
- CVE-2013-6400 / XSA-80 Â Â Â IOMMU TLB flushing may be inadvertently suppressed
- CVE-2013-6885 / XSA-82 Â Â Â Guest triggerable AMD CPU erratum may cause host hang
- CVE-2014-1642 / XSA-83 Â Â Â Out-of-memory condition yielding memory corruption during IRQ setup
- CVE-2014-1891 / XSA-84 Â Â Â integer overflow in several XSM/Flask hypercalls
- CVE-2014-1895 / XSA-85 Â Â Â Off-by-one error in FLASK_AVC_CACHESTAT hypercall
- CVE-2014-1896 / XSA-86 Â Â Â libvchan failure handling malicious ring indexes
- CVE-2014-1666 / XSA-87 Â Â Â PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
- CVE-2014-1950 / XSA-88 Â Â Â use-after-free in xc_cpupool_getinfo() under memory pressure
Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.3 stable series to update to this latest point release. Â If you intend to stay with the 4.2 codebase, please examine the release below.
Xen 4.2.4 Release
This release is available immediately from the git repository:
http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2Â (tag RELEASE-4.2.4)
or from the XenProject download page:
http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-424.html
This fixes the following critical vulnerabilities:
- CVE-2013-2212 / XSA-60 Â Â Â Excessive time to disable caching with HVM guests with PCI passthrough
- CVE-2013-1442 / XSA-62 Â Â Â Information leak on AVX and/or LWP capable CPUs
- CVE-2013-4355 / XSA-63 Â Â Â Information leaks through I/O instruction emulation
- CVE-2013-4361 / XSA-66 Â Â Â Information leak through fbld instruction emulation
- CVE-2013-4368 / XSA-67 Â Â Â Information leak through outs instruction emulation
- CVE-2013-4369 / XSA-68 Â Â Â possible null dereference when parsing vif ratelimiting info
- CVE-2013-4370 / XSA-69 Â Â Â misplaced free in ocaml xc_vcpu_getaffinity stub
- CVE-2013-4371 / XSA-70 Â Â Â use-after-free in libxl_list_cpupool under memory pressure
- CVE-2013-4375 / XSA-71 Â Â Â qemu disk backend (qdisk) resource leak
- CVE-2013-4416 / XSA-72 Â Â Â ocaml xenstored mishandles oversized message replies
- CVE-2013-4494 / XSA-73 Â Â Â Lock order reversal between page allocation and grant table locks
- CVE-2013-4553 / XSA-74 Â Â Â Lock order reversal between page_alloc_lock and mm_rwlock
- CVE-2013-4551 / XSA-75 Â Â Â Host crash due to guest VMX instruction execution
- CVE-2013-4554 / XSA-76 Â Â Â Hypercalls exposed to privilege rings 1 and 2 of HVM guests
- CVE-2013-6375 / XSA-78 Â Â Â Insufficient TLB flushing in VT-d (iommu) code
- CVE-2013-6400 / XSA-80 Â Â Â IOMMU TLB flushing may be inadvertently suppressed
- CVE-2013-6885 / XSA-82 Â Â Â Guest triggerable AMD CPU erratum may cause host hang
- CVE-2014-1642 / XSA-83 Â Â Â Out-of-memory condition yielding memory corruption during IRQ setup
- CVE-2014-1891 / XSA-84 Â Â Â integer overflow in several XSM/Flask hypercalls
- CVE-2014-1895 / XSA-85 Â Â Â Off-by-one error in FLASK_AVC_CACHESTAT hypercall
- CVE-2014-1896 / XSA-86 Â Â Â libvchan failure handling malicious ring indexes
- CVE-2014-1666 / XSA-87 Â Â Â PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
- CVE-2014-1950 / XSA-88 Â Â Â use-after-free in xc_cpupool_getinfo() under memory pressure
Apart from those there are many further bug fixes and improvements.
We recommend all users of the 4.2 stable series to update to this latest point release.