The vulnerability allows a user within a guest to potentially read memory from another guest or the hypervisor itself. The window of available memory is small but it could be read many times over - much like how the Heartbleed vulnerability was exploited. In some situations, these actions could cause the guest or the hypervisor to crash.
The fix involves a small patch to the Xen hypervisor kernel. The patch is essentially a one-liner since the write operation was merely a no-op already.
Thanks to the efforts of Michael Young, new packages are in testing for Fedora 19, 20, and 21:
If you’d like to test these packages now, you can install koji and download the RPMs directly:
yum -y install koji
koji download-build --arch=x86_64 xen-4.2.5-3.fc19 # For Fedora 19
koji download-build --arch=x86_64 xen-4.3.3-3.fc20 # For Fedora 20
koji download-build --arch=x86_64 xen-4.4.1-6.fc21 # For Fedora 21
Use yum or rpm to install the new packages. Some servers will need all of the downloaded RPMs and others only a subset; which ones you need depends on which Xen subpackages (hypervisor, libs, runtime, and so on) are already installed.
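The steps above can be put together into one script that picks the koji build for the running Fedora release and then updates only the Xen subpackages the host already has, so a box that never installed xen-devel does not get it now. This is an added example, not a script from the post or from the Fedora Xen packaging; the build names are the ones listed above, the function names (build_for_release, select_rpms, demo_selection) and the --apply flag are my own, and it assumes rpm -E '%{fedora}' reports the release number on the host. The demo_selection function runs against a constructed set of empty RPM files so the selection logic can be checked without touching a real system.

```shell
#!/bin/sh
# Added example (not from the original post): update only the Xen subpackages
# a Fedora host already has, using the koji test builds named in the post.
set -u

# Koji build for each Fedora release, exactly as listed in the post.
build_for_release() {
    case "$1" in
        19) echo xen-4.2.5-3.fc19 ;;
        20) echo xen-4.3.3-3.fc20 ;;
        21) echo xen-4.4.1-6.fc21 ;;
        *)  return 1 ;;
    esac
}

# Read installed Xen package names from stdin (one per line) and print the
# downloaded RPMs in directory $1 that update them. Matching on "<name>-<digit>"
# keeps "xen" from also matching "xen-libs-4.2.5-...". An installed package
# with no downloaded RPM simply produces no line (the glob stays unexpanded
# and the -e test rejects it).
select_rpms() {
    dir=$1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        for f in "$dir/$name"-[0-9]*.rpm; do
            if [ -e "$f" ]; then printf '%s\n' "$f"; fi
        done
    done | sort -u
}

# Constructed fixture: a Fedora 19 host with three Xen subpackages installed
# and the complete download in a scratch directory. Prints the basenames of
# the RPMs that would be installed, space-separated.
demo_selection() {
    dir=${TMPDIR:-/tmp}/xen-select-demo.$$
    mkdir -p "$dir"
    for p in xen xen-libs xen-hypervisor xen-runtime xen-devel xen-licenses; do
        : > "$dir/$p-4.2.5-3.fc19.x86_64.rpm"   # constructed, empty placeholder
    done
    printf 'xen-libs\nxen-hypervisor\nxen-runtime\n' \
        | select_rpms "$dir" | sed 's#.*/##' | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$dir"
}

# Real run on a Fedora Xen host: download this release's build with koji,
# then hand yum only the RPMs that replace something already installed.
main() {
    rel=$(rpm -E '%{fedora}')
    build=$(build_for_release "$rel") \
        || { echo "no test build listed for Fedora $rel" >&2; return 1; }
    dir=$(mktemp -d) && cd "$dir" || return 1
    koji download-build --arch=x86_64 "$build"
    rpm -qa --qf '%{NAME}\n' 'xen*' | select_rpms "$dir" > to-install.txt
    [ -s to-install.txt ] || { echo "no Xen packages installed here" >&2; return 1; }
    # shellcheck disable=SC2046  # word splitting is intended: one file per argument
    yum -y update $(cat to-install.txt)
}

# Only touch the system when explicitly asked; sourcing or running without
# the flag just defines the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `sh xen-update.sh --apply` on the host; without the flag nothing is downloaded or installed. Everything the script would feed to yum is left in to-install.txt in the scratch directory, so you can review the list before a second run.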
After testing, please leave karma in Bodhi on the appropriate package page.