Your message dated Thu, 19 Jun 2008 20:05:01 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: [Pkg-xen-devel] Bug#487095: xen-3: multiple security issues
has caused the Debian Bug report #487095,
regarding xen-3: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
487095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487095
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: xen-3
Version: 3.2.1-1
Severity: grave
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for xen-3.

CVE-2008-1943[0]:
| Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
| Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
| of service (crash) and possibly execute arbitrary code via a crafted
| description of a shared framebuffer.

CVE-2008-1944[1]:
| Buffer overflow in the backend framebuffer of XenSource Xen
| Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
| local users to cause a denial of service (SDL crash) and possibly
| execute arbitrary code via "bogus screen updates," related to missing
| validation of the "format of messages."

CVE-2008-1952[2]:
| ** RESERVED **
| This candidate has been reserved by an organization or individual that
| will use it when announcing a new security problem.  When the
| candidate has been publicized, the details for this candidate will be
| provided.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1943
    http://security-tracker.debian.net/tracker/CVE-2008-1943
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1944
    http://security-tracker.debian.net/tracker/CVE-2008-1944
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1952
    http://security-tracker.debian.net/tracker/CVE-2008-1952

These issues are fixed within the following patch for fedora:
http://cvs.fedoraproject.org/viewcvs/rpms/xen/F-9/xen-pvfb-validate-fb.patch?view=markup

Kind regards,
Thomas.

Attachment: signature.asc
Description: Digital signature


--- End Message ---
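Both CVE descriptions in the report above come down to the same failure: the backend trusted a guest-supplied framebuffer description (geometry, stride, offset, claimed length) and used it to index shared memory without checking that the implied byte ranges actually fit. The following is an added example of the defensive check that class of bug calls for; it is not code from Xen, from the Fedora patch linked in the report, or from the Debian package. The `struct fb_desc` field names, the `FB_MAX_*` limits and the `fb_check` wrapper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Guest-supplied description of a shared framebuffer.  The field names and
 * layout are assumptions made for this example; they are not Xen's PVFB
 * protocol structures. */
struct fb_desc {
    uint32_t width;        /* visible pixels per row */
    uint32_t height;       /* visible rows */
    uint32_t depth;        /* bits per pixel */
    uint32_t line_length;  /* bytes per row in memory (stride) */
    uint32_t offset;       /* byte offset of the first row in shared memory */
    uint64_t mem_length;   /* bytes of shared memory the guest claims to export */
};

/* Backend policy limits; constructed for this example. */
#define FB_MAX_WIDTH   4096u
#define FB_MAX_HEIGHT  4096u

/* Validate a description before any pixel data is read through it.
 * backend_mapped_len is the number of bytes the backend itself actually
 * mapped; the guest's claimed mem_length is never trusted on its own. */
bool fb_desc_ok(const struct fb_desc *d, uint64_t backend_mapped_len)
{
    uint64_t row_bytes, needed;

    if (d->width == 0 || d->height == 0)
        return false;
    if (d->width > FB_MAX_WIDTH || d->height > FB_MAX_HEIGHT)
        return false;
    /* Only depths the backend knows how to convert. */
    if (d->depth != 8 && d->depth != 16 && d->depth != 24 && d->depth != 32)
        return false;

    /* Every multiplication is done in 64 bits so that a large width or
     * height cannot wrap the arithmetic and slip past the comparison. */
    row_bytes = (uint64_t)d->width * (d->depth / 8);
    if (d->line_length < row_bytes)
        return false;                 /* rows would overlap or be truncated */

    needed = (uint64_t)d->offset + (uint64_t)d->line_length * d->height;
    if (needed > d->mem_length)
        return false;                 /* guest's own description is inconsistent */
    if (needed > backend_mapped_len)
        return false;                 /* would read past what the backend mapped */
    return true;
}

/* Convenience wrapper taking the fields directly (assumed helper). */
bool fb_check(uint32_t width, uint32_t height, uint32_t depth,
              uint32_t line_length, uint32_t offset,
              uint64_t mem_length, uint64_t backend_mapped_len)
{
    struct fb_desc d = { width, height, depth, line_length, offset, mem_length };
    return fb_desc_ok(&d, backend_mapped_len);
}

int main(void)
{
    /* A consistent 640x480x32 description over a 1,228,800-byte mapping. */
    printf("well-formed:      %s\n",
           fb_check(640, 480, 32, 2560, 0, 1228800, 1228800) ? "accepted" : "rejected");
    /* Stride too small for the claimed width. */
    printf("short stride:     %s\n",
           fb_check(640, 480, 32, 640, 0, 1228800, 1228800) ? "accepted" : "rejected");
    /* Offset pushes the last row past the end of the mapping. */
    printf("offset overrun:   %s\n",
           fb_check(640, 480, 32, 2560, 4096, 1228800, 1228800) ? "accepted" : "rejected");
    /* Guest claims 16 MiB but the backend only mapped 1 MiB. */
    printf("claimed > mapped: %s\n",
           fb_check(640, 480, 32, 2560, 0, 1u << 24, 1u << 20) ? "accepted" : "rejected");
    return 0;
}
```

The point of checking against `backend_mapped_len` rather than only the guest's `mem_length` is that the description and the shared memory arrive from the same untrusted side; the only size the backend can rely on is the one it established itself when it mapped the pages.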
--- Begin Message ---
On Thu, Jun 19, 2008 at 04:56:54PM +0200, Thomas Bläsing wrote:
> CVE-2008-1943[0]:
> | Buffer overflow in the backend of XenSource Xen Para Virtualized Frame
> | Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial
> | of service (crash) and possibly execute arbitrary code via a crafted
> | description of a shared framebuffer.

3.1.2 < 3.2

> CVE-2008-1944[1]:
> | Buffer overflow in the backend framebuffer of XenSource Xen
> | Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows
> | local users to cause a denial of service (SDL crash) and possibly
> | execute arbitrary code via "bogus screen updates," related to missing
> | validation of the "format of messages."

3.0.3 < 3.2

> CVE-2008-1952[2]:
> | ** RESERVED **
> | This candidate has been reserved by an organization or individual that
> | will use it when announcing a new security problem.  When the
> | candidate has been publicized, the details for this candidate will be
> | provided.

No information.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.

There is nothing to fix.

Bastian

-- 
Deflector shields just came on, Captain.


--- End Message ---