Significant Xen Security Bug

https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-022-2015.txt - found via https://news.ycombinator.com/item?id=10471912 where you might find useful discussion.

Looks like any guest VM can compromise an unpatched host (and therefore other guests) in a complete and untraceable manner.

If you use Xen, patch now or at least investigate to prove that the version/configuration you are running is not affected, if you have not already done so. If you use a service provider that uses Xen who has not already patched or announced plans to do so, drop them a line in case they have not yet been informed.

Comments

  • perennate Member, Host Rep
    edited October 2015

    @AnthonySmith mentioned that most hosts won't be affected by this; is it specific to some configuration (other than only PV)?

  • @perennate said:
    AnthonySmith mentioned that most hosts won't be affected by this; is it specific to some configuration (other than only PV)?

    Could it be that he was meaning most hosts, bigger name players at least, won't be affected by this any more having been informed earlier than the public announcement and already patched?

  • AnthonySmith Member, Patron Provider

    The complexity involved in 148 is insane. I am patched up anyway, but regardless you need to keep in mind that this 'security concern' has been present in Xen for 7 years, anyone smart enough to put it to any use already has.

    Thanked by 1: perennate
  • winnervps Member, Host Rep
    edited October 2015

    I felt that 'security concern' has been everywhere around the universe. Well, especially after 09 / 11. XSA published this hole some time ago.

  • rm_ IPv6 Advocate, Veteran
    edited October 2015

    AnthonySmith said: keep in mind that this 'security concern' has been present in Xen for 7 years, anyone smart enough to put it to any use already has.

    i.e.: If you used any Xen VPS whatsoever over the past 7 years, you can't be certain that whatever was on it isn't leaked or tampered with.
