major.io words of wisdom from a systems engineer

Xen’s XSA-108 patch and Fedora

Xen’s latest vulnerability, XSA-108, has generated a lot of buzz over the last week. Most of the attention has come from the reboot notifications from large cloud providers (including my employer).

The vulnerability allows a user within a guest to potentially read memory from another guest or from the hypervisor itself. The window of readable memory is small, but it can be read many times over, much like the way the Heartbleed vulnerability was exploited. In some situations, these actions could cause the guest or the hypervisor to crash.

The fix involves a small patch to the Xen hypervisor kernel. The patch is essentially a one-liner since the write operation was merely a no-op already.

Thanks to the efforts of Michael Young, new packages are in testing for Fedora 19, 20, and 21:

If you’d like to test these packages now, you can install koji and download the RPMs directly:

yum -y install koji
koji download-build --arch=x86_64 xen-4.2.5-3.fc19  # For Fedora 19
koji download-build --arch=x86_64 xen-4.3.3-3.fc20  # For Fedora 20
koji download-build --arch=x86_64 xen-4.4.1-6.fc21  # For Fedora 21

Use yum or rpm to install the new packages. Depending on which Xen-related packages were already installed, some servers will need all of the downloaded RPMs and others only a subset of them.
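The steps above, pulled together into one script as an added example (this is not from the original post or from the Fedora Xen packagers). It assumes the three build names quoted above, an x86_64 host, and that the Fedora release can be read with rpm -E %fedora; the "install only what is already installed" rule from the paragraph above is implemented by matching each downloaded RPM's package name against the output of rpm -qa, so a host with only xen-libs does not get the hypervisor pulled in by accident.

```shell
#!/bin/sh
# Added example (not part of the original post): fetch the XSA-108 test build
# that matches this Fedora release and upgrade only the Xen packages that are
# already installed on the host.

# Map a Fedora release number to the build NVR named in the post (assumed
# current as of the post; adjust if the builds are superseded).
xsa108_build_for_release() {
    case "$1" in
        19) echo "xen-4.2.5-3.fc19" ;;
        20) echo "xen-4.3.3-3.fc20" ;;
        21) echo "xen-4.4.1-6.fc21" ;;
        *)  return 1 ;;
    esac
}

# Extract the package name from an RPM file name, e.g.
# xen-libs-4.3.3-3.fc20.x86_64.rpm -> xen-libs.  Version and release never
# contain '-', so dropping the last two '-'-separated fields leaves the name.
rpm_name_from_file() {
    f=$(basename "$1")
    f=${f%.rpm}    # strip .rpm
    f=${f%.*}      # strip .arch
    f=${f%-*}      # strip -release
    f=${f%-*}      # strip -version
    echo "$f"
}

# Read installed package names (one per line) from stdin and print, from the
# RPM file names given as arguments, only those whose package is installed.
select_rpms_to_update() {
    installed=$(cat)
    for rpm in "$@"; do
        name=$(rpm_name_from_file "$rpm")
        if printf '%s\n' "$installed" | grep -qx "$name"; then
            echo "$rpm"
        fi
    done
}

# Usage on a Fedora 19/20/21 Xen host: sh xsa108-update.sh --run
if [ "${1:-}" = "--run" ]; then
    set -e
    rel=$(rpm -E %fedora)
    build=$(xsa108_build_for_release "$rel") \
        || { echo "no XSA-108 test build known for Fedora $rel" >&2; exit 1; }
    yum -y install koji
    workdir=$(mktemp -d)
    cd "$workdir"
    koji download-build --arch=x86_64 "$build"
    to_install=$(rpm -qa --queryformat '%{NAME}\n' | select_rpms_to_update ./*.rpm)
    [ -n "$to_install" ] \
        || { echo "no installed Xen packages match $build" >&2; exit 1; }
    # Upgrade only the packages already present; rpm will refuse a partial
    # set that leaves dependencies unsatisfied, which is the signal to add
    # more of the downloaded RPMs.
    echo "$to_install" | xargs rpm -Uvh
    rpm -q xen
fi
```

The selection logic is kept in functions so it can be exercised on a machine without Xen; the actual download and upgrade only run when the script is invoked with --run.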

After testing, please leave karma in Bodhi on the appropriate package page.