Security update for xen

Announcement ID:	SUSE-SU-2018:1981-1
Rating:	important
References:	bsc#1027519 bsc#1079730 bsc#1087289 bsc#1095242 bsc#1097521 bsc#1097522 bsc#1097523 bsc#1098403
Cross-References:	CVE-2018-12891 CVE-2018-12892 CVE-2018-12893 CVE-2018-3665
CVSS scores:	CVE-2018-12891 ( SUSE ): 2.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-12891 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2018-12892 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2018-12892 ( NVD ): 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2018-12893 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-12893 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2018-3665 ( SUSE ): 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVE-2018-3665 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:	Basesystem Module 15 Server Applications Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has four security fixes can now be installed.

Description:

This update for xen fixes the following issues:

Security issues fixed:

• CVE-2018-3665: Fix Lazy FP Save/Restore issue (XSA-267) (bsc#1095242).
• CVE-2018-12891: Fix possible Denial of Service (DoS) via certain PV MMU operations that affect the entire host (XSA-264) (bsc#1097521).
• CVE-2018-12892: Fix libxl to honour the readonly flag on HVM emulated SCSI disks (XSA-266) (bsc#1097523).
• CVE-2018-12893: Fix crash/Denial of Service (DoS) via safety check (XSA-265) (bsc#1097522).

Bug fixes:

• bsc#1027519: Add upstream patches from January.
• bsc#1098403: Fix regression introduced by changes for bsc#1079730. A PV domU without qcow2 and/or vfb has no qemu attached. Ignore QMP errors for PV domUs to handle PV domUs with and without an attached qemu-xen.
• bsc#1087289: Fix xen scheduler crash.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1342=1
• Server Applications Module 15
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2018-1342=1

Package List:

• Basesystem Module 15 (x86_64)
  • xen-debugsource-4.10.1_06-3.3.1
  • xen-libs-4.10.1_06-3.3.1
  • xen-libs-debuginfo-4.10.1_06-3.3.1
  • xen-tools-domU-debuginfo-4.10.1_06-3.3.1
  • xen-tools-domU-4.10.1_06-3.3.1
• Server Applications Module 15 (x86_64)
  • xen-debugsource-4.10.1_06-3.3.1
  • xen-tools-debuginfo-4.10.1_06-3.3.1
  • xen-devel-4.10.1_06-3.3.1
  • xen-tools-4.10.1_06-3.3.1
  • xen-4.10.1_06-3.3.1

References:

• https://www.suse.com/security/cve/CVE-2018-12891.html
• https://www.suse.com/security/cve/CVE-2018-12892.html
• https://www.suse.com/security/cve/CVE-2018-12893.html
• https://www.suse.com/security/cve/CVE-2018-3665.html
• https://bugzilla.suse.com/show_bug.cgi?id=1027519
• https://bugzilla.suse.com/show_bug.cgi?id=1079730
• https://bugzilla.suse.com/show_bug.cgi?id=1087289
• https://bugzilla.suse.com/show_bug.cgi?id=1095242
• https://bugzilla.suse.com/show_bug.cgi?id=1097521
• https://bugzilla.suse.com/show_bug.cgi?id=1097522
• https://bugzilla.suse.com/show_bug.cgi?id=1097523
• https://bugzilla.suse.com/show_bug.cgi?id=1098403