Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Significant Xen Security Bug
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

Significant Xen Security Bug

https://raw.githubusercontent.com/QubesOS/qubes-secpack/master/QSBs/qsb-022-2015.txt - found via https://news.ycombinator.com/item?id=10471912 where you might find useful discussion.

Looks like any guest VM can compromise an unpatched host (and therefore other guests) in a complete and untraceable manner.

If you use Xen, patch now or at least investigate to prove that the version/configuration you are running is not affected, if you have not already done so. If you use a service provider that uses Xen who has not already patched or announced plans to do so, drop them a line in case they have not yet been informed.

Comments

  • perennateperennate Member, Provider
    edited October 2015

    @AnthonySmith mentioned that most hosts won't be affected by this; is it specific to some configuration (other than only PV)?

  • @perennate said:
    AnthonySmith mentioned that most hosts won't be affected by this; is it specific to some configuration (other than only PV)?

    Could it be that he was meaning most hosts, bigger name players at least, won't be affected by this any more having been informed earlier than the public announcement and already patched?

  • AnthonySmithAnthonySmith Top Provider

    The complexity involved in 148 is insane, I am patched up anyway but regardless you need to keep in mind that this 'security concern' has been present in Xen for 7 years, anyone smart enough to put it to any use already has.

    Thanked by 1perennate

    I am no longer active here, find me at https://talk.lowendspirit.com (Just like LET without the scams)

  • winnervpswinnervps Member, Provider
    edited October 2015

    I felt that 'security concern' has been everywhere around the universe. Well, especially after 09 / 11. XSA has been published this hole around sometime ago.

    WINNERvps | Jakarta Tier3 DataCenter and Network Services

  • rm_rm_ Member
    edited October 2015

    AnthonySmith said: keep in mind that this 'security concern' has been present in Xen for 7 years, anyone smart enough to put it to any use already has.

    i.e.: If you used any Xen VPS whatsoever over the past 7 years, you can't be certain that whatever was on it isn't leaked or tampered with.

Sign In or Register to comment.