Your message dated Thu, 18 May 2023 20:46:41 +0000
with message-id <e1pzkwh-005p7s...@fasolo.debian.org>
and subject line Bug#1034842: fixed in xen 4.17.1+2-gb773c48e36-1
has caused the Debian Bug report #1034842,
regarding xen: CVE-2022-42335 (XSA-430)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034842: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034842
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xen
Version: 4.17.0+74-g3eac216e6e-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for xen, affects only 4.17.
Filing as RC, to make it on the radar for the bookworm release (and it
makes IMHO sense to try to get it in before release).
CVE-2022-42335[0]:
| x86 shadow paging arbitrary pointer dereference In environments where
| host assisted address translation is necessary but Hardware Assisted
| Paging (HAP) is unavailable, Xen will run guests in so called shadow
| mode. Due to too lax a check in one of the hypervisor routines used
| for shadow page handling it is possible for a guest with a PCI device
| passed through to cause the hypervisor to access an arbitrary pointer
| partially under guest control.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-42335
https://www.cve.org/CVERecord?id=CVE-2022-42335
[1] https://www.openwall.com/lists/oss-security/2023/04/25/1
[2] https://xenbits.xen.org/xsa/advisory-430.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: xen
Source-Version: 4.17.1+2-gb773c48e36-1
Done: Maximilian Engelhardt <m...@daemonizer.de>
We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maximilian Engelhardt <m...@daemonizer.de> (supplier of updated xen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 May 2023 21:26:30 +0200
Source: xen
Architecture: source
Version: 4.17.1+2-gb773c48e36-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xen Team <pkg-xen-de...@lists.alioth.debian.org>
Changed-By: Maximilian Engelhardt <m...@daemonizer.de>
Closes: 1034842
Changes:
 xen (4.17.1+2-gb773c48e36-1) unstable; urgency=medium
 .
   * Update to new upstream version 4.17.1+2-gb773c48e36, which also contains
     security fixes for the following issues:
     - x86 shadow paging arbitrary pointer dereference
       XSA-430 CVE-2022-42335
       (Closes: #1034842)
     - Mishandling of guest SSBD selection on AMD hardware
       XSA-431 CVE-2022-42336
Checksums-Sha1:
 cf6e0a473c82f7068f6465bb8e98c936815ab92e 4474 xen_4.17.1+2-gb773c48e36-1.dsc
 a8aa94204a7ca017ad3e5f223a90df41eb71da70 4657444 xen_4.17.1+2-gb773c48e36.orig.tar.xz
 de10ac1a5e3a30c5bf934588868df3af606a3616 136776 xen_4.17.1+2-gb773c48e36-1.debian.tar.xz
Checksums-Sha256:
 8aede813bd03dae9ca51706056fb0fac8005965b164561d4e3fe759ac7c18f45 4474 xen_4.17.1+2-gb773c48e36-1.dsc
 3ae62de663574000789ed4bc13285f3ca998324175ca1ceedfba810f12b916f8 4657444 xen_4.17.1+2-gb773c48e36.orig.tar.xz
 9a866fad654f5376ac10bc6309204059f82977a04146016d46c34af6b2f060bf 136776 xen_4.17.1+2-gb773c48e36-1.debian.tar.xz
Files:
 8f6c691ea2394b17957a635ba8402c15 4474 admin optional xen_4.17.1+2-gb773c48e36-1.dsc
 cf7f3092587b23e1dc616e61360d040e 4657444 admin optional xen_4.17.1+2-gb773c48e36.orig.tar.xz
 109ef6512612630ede88d57f03e6c37b 136776 admin optional xen_4.17.1+2-gb773c48e36-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
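The .changes message above carries a Checksums-Sha256 stanza for the three source artifacts of the upload. The following is an added example, not code from the bug report, the Debian Xen Team or the archive tooling: a small verifier that parses that stanza (multi-line fields in a .changes file continue on lines starting with whitespace and end at the next unindented field) and compares each listed file's size and SHA-256 digest against what is on disk. The stanza in CHANGES_SAMPLE is copied from the upload above; the files and tamper scenario in demo_tamper() are constructed, using the well-known SHA-256 test vectors for the empty string and "abc". Note the caveat: these digests are only as trustworthy as the PGP signature over the .changes file, which this script does not check; verify the signature (e.g. with dscverify or gpg) before trusting the hashes it lists.

```python
import hashlib
import hmac
import os
import tempfile

# Well-known SHA-256 test vectors used by demo_tamper() below.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Sample .changes fragment: the Checksums-Sha256 stanza copied from the
# xen 4.17.1+2-gb773c48e36-1 upload above, followed by another field so the
# parser has to stop at the right place.
CHANGES_SAMPLE = """\
Format: 1.8
Source: xen
Version: 4.17.1+2-gb773c48e36-1
Checksums-Sha256:
 8aede813bd03dae9ca51706056fb0fac8005965b164561d4e3fe759ac7c18f45 4474 xen_4.17.1+2-gb773c48e36-1.dsc
 3ae62de663574000789ed4bc13285f3ca998324175ca1ceedfba810f12b916f8 4657444 xen_4.17.1+2-gb773c48e36.orig.tar.xz
 9a866fad654f5376ac10bc6309204059f82977a04146016d46c34af6b2f060bf 136776 xen_4.17.1+2-gb773c48e36-1.debian.tar.xz
Files:
 8f6c691ea2394b17957a635ba8402c15 4474 admin optional xen_4.17.1+2-gb773c48e36-1.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum stanza.

    Continuation lines of a multi-line field start with whitespace; the
    stanza ends at the first line that does not.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if in_field:
            if line[:1] in (" ", "\t"):
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"malformed checksum line: {line!r}")
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
                continue
            in_field = False  # an unindented line starts the next field
        if line.startswith(field + ":"):
            in_field = True
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes_text, directory):
    """Check every file listed in Checksums-Sha256 against directory.

    Returns a list of (filename, reason) for each problem; [] means all
    files are present with the listed size and digest.
    """
    problems = []
    for name, (expected_digest, expected_size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        actual_size = os.path.getsize(path)
        if actual_size != expected_size:
            problems.append((name, f"size {actual_size} != {expected_size}"))
            continue
        # Constant-time compare is not strictly needed for public digests,
        # but it is the habit worth keeping for any comparison of hashes.
        if not hmac.compare_digest(sha256_file(path), expected_digest):
            problems.append((name, "sha256 mismatch"))
    return problems


def demo_tamper():
    """Constructed demo: a stanza for two files, verified clean, then tampered."""
    stanza = (
        "Checksums-Sha256:\n"
        f" {SHA256_EMPTY} 0 empty.bin\n"
        f" {SHA256_ABC} 3 abc.bin\n"
        "Files:\n"
        " d41d8cd98f00b204e9800998ecf8427e 0 admin optional empty.bin\n"
    )
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "empty.bin"), "wb").close()
        with open(os.path.join(d, "abc.bin"), "wb") as f:
            f.write(b"abc")
        clean = verify_changes(stanza, d)
        # Same length, different content: the size check passes, the digest fails.
        with open(os.path.join(d, "abc.bin"), "wb") as f:
            f.write(b"abd")
        tampered = verify_changes(stanza, d)
        os.remove(os.path.join(d, "empty.bin"))
        missing = verify_changes(stanza, d)
    return clean, tampered, missing


if __name__ == "__main__":
    print(parse_checksums(CHANGES_SAMPLE))
    print(demo_tamper())
```

Run against a directory holding the downloaded .dsc, .orig.tar.xz and .debian.tar.xz, verify_changes(CHANGES_SAMPLE, directory) returns [] only when all three files match the upload; the size check first is cheap and catches truncated downloads before any hashing is done.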