Debian Security Advisory DSA 4602-1 (xen - security update)

Published: 2020-01-14 04:00:38
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary:
The remote host is missing an update for the 'xen' Linux Distribution Package(s) announced via the DSA-4602-1 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks. In addition, this update provides mitigations for the TSX Asynchronous Abort speculative side channel attack. Please see the references for additional information.

Affected Versions:
'xen' Linux Distribution Package(s) on Debian Linux.

Recommendations:
For the oldstable distribution (stretch), these problems have been fixed in version 4.8.5.final+shim4.10.4-1+deb9u12. Note that this will be the last security update for Xen in the oldstable distribution; upstream support for the 4.8.x branch ended by the end of December 2019. If you rely on security support for your Xen installation, an update to the stable distribution (buster) is recommended.

For the stable distribution (buster), these problems have been fixed in version 4.11.3+24-g14b62ab3e5-1~deb10u1.

We recommend that you upgrade your xen Linux Distribution Packages.

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2018-12126
https://nvd.nist.gov/vuln/detail/CVE-2018-12127
https://nvd.nist.gov/vuln/detail/CVE-2018-12130
https://nvd.nist.gov/vuln/detail/CVE-2018-12207
https://nvd.nist.gov/vuln/detail/CVE-2019-11091
https://nvd.nist.gov/vuln/detail/CVE-2019-11135
https://nvd.nist.gov/vuln/detail/CVE-2019-17340
https://nvd.nist.gov/vuln/detail/CVE-2019-17341
https://nvd.nist.gov/vuln/detail/CVE-2019-17342
https://nvd.nist.gov/vuln/detail/CVE-2019-17343
https://nvd.nist.gov/vuln/detail/CVE-2019-17344
https://nvd.nist.gov/vuln/detail/CVE-2019-17345
https://nvd.nist.gov/vuln/detail/CVE-2019-17346
https://nvd.nist.gov/vuln/detail/CVE-2019-17347
https://nvd.nist.gov/vuln/detail/CVE-2019-17348
https://nvd.nist.gov/vuln/detail/CVE-2019-17349
https://nvd.nist.gov/vuln/detail/CVE-2019-17350
https://nvd.nist.gov/vuln/detail/CVE-2019-18420
https://nvd.nist.gov/vuln/detail/CVE-2019-18421
https://nvd.nist.gov/vuln/detail/CVE-2019-18422
https://nvd.nist.gov/vuln/detail/CVE-2019-18423
https://nvd.nist.gov/vuln/detail/CVE-2019-18424
https://nvd.nist.gov/vuln/detail/CVE-2019-18425
https://nvd.nist.gov/vuln/detail/CVE-2019-19577
https://nvd.nist.gov/vuln/detail/CVE-2019-19578
https://nvd.nist.gov/vuln/detail/CVE-2019-19579
https://nvd.nist.gov/vuln/detail/CVE-2019-19580
https://nvd.nist.gov/vuln/detail/CVE-2019-19581
https://nvd.nist.gov/vuln/detail/CVE-2019-19582
https://nvd.nist.gov/vuln/detail/CVE-2019-19583

References:

https://www.debian.org/security/2020/dsa-4602.html
https://security-tracker.debian.org/tracker/DSA-4602-1
https://xenbits.xen.org/xsa/advisory-305.html

Severity:
High

CVSS Score:
9.3
