Supported Xen Project 4.2 series

Supported Xen Project 4.2 series

Categories

Xen Project 4.2.4

We are pleased to announce the release of Xen Project 4.2.4. This is available immediately from its git repository

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2 (tag RELEASE-4.2.4)

This fixes the following critical vulnerabilities:

  • CVE-2013-2212 / XSA-60 Excessive time to disable caching with HVM guests with PCI passthrough
  • CVE-2013-1442 / XSA-62 Information leak on AVX and/or LWP capable CPUs
  • CVE-2013-4355 / XSA-63 Information leaks through I/O instruction emulation
  • CVE-2013-4361 / XSA-66 Information leak through fbld instruction emulation
  • CVE-2013-4368 / XSA-67 Information leak through outs instruction emulation
  • CVE-2013-4369 / XSA-68 possible null dereference when parsing vif ratelimiting info
  • CVE-2013-4370 / XSA-69 misplaced free in ocaml xc_vcpu_getaffinity stub
  • CVE-2013-4371 / XSA-70 use-after-free in libxl_list_cpupool under memory pressure
  • CVE-2013-4375 / XSA-71 qemu disk backend (qdisk) resource leak
  • CVE-2013-4416 / XSA-72 ocaml xenstored mishandles oversized message replies
  • CVE-2013-4494 / XSA-73 Lock order reversal between page allocation and grant table locks
  • CVE-2013-4553 / XSA-74 Lock order reversal between page_alloc_lock and mm_rwlock
  • CVE-2013-4551 / XSA-75 Host crash due to guest VMX instruction execution
  • CVE-2013-4554 / XSA-76 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
  • CVE-2013-6375 / XSA-78 Insufficient TLB flushing in VT-d (iommu) code
  • CVE-2013-6400 / XSA-80 IOMMU TLB flushing may be inadvertently suppressed
  • CVE-2013-6885 / XSA-82 Guest triggerable AMD CPU erratum may cause host hang
  • CVE-2014-1642 / XSA-83 Out-of-memory condition yielding memory corruption during IRQ setup
  • CVE-2014-1891 / XSA-84 integer overflow in several XSM/Flask hypercalls
  • CVE-2014-1895 / XSA-85 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
  • CVE-2014-1896 / XSA-86 libvchan failure handling malicious ring indexes
  • CVE-2014-1666 / XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
  • CVE-2014-1950 / XSA-88 use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.2 stable series to update to the latest point release.

Xen Project 4.2.3

Xen Project 4.2.3 is a maintenance release in the 4.2 series and contains: We recommend that all users of Xen Project 4.2.2 upgrade to Xen Project 4.2.3.

This release fixes the following critical vulnerabilities:

  • CVE-2013-1918 / XSA-45: Several long latency operations are not preemptible
  • CVE-2013-1952 / XSA-49: VT-d interrupt remapping source validation flaw for bridges
  • CVE-2013-2076 / XSA-52: Information leak on XSAVE/XRSTOR capable AMD CPUs
  • CVE-2013-2077 / XSA-53: Hypervisor crash due to missing exception recovery on XRSTOR
  • CVE-2013-2078 / XSA-54: Hypervisor crash due to missing exception recovery on XSETBV
  • CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55: Multiple vulnerabilities in libelf PV kernel handling
  • CVE-2013-2072 / XSA-56: Buffer overflow in xencontrol Python bindings affecting xend
  • CVE-2013-2211 / XSA-57: libxl allows guest write access to sensitive console related xenstore keys
  • CVE-2013-1432 / XSA-58: Page reference counting error due to XSA-45/CVE-2013-1918 fixes XSA-61: libxl partially sets up HVM passthrough even with disabled iommu
  • CVE-2013-2007 / XSA-51: qemu guest agent (qga) insecure file permissions

This release contains many bug fixes and improvements. The highlights are:

  • addressing a regression from the fix for XSA-46
  • bug fixes to low level system state handling, including certain hardware errata workarounds

You can also get this release from the git repository: git://xenbits.xenproject.org/xen.git (tag RELEASE-4.2.3)

Release information for other releases in the Xen Project 4.2 series

Xen Project 4.2.2

Xen Project 4.2.2 is a maintenance release in the 4.2 series and contains: We recommend that all users of Xen Project 4.2.1 upgrade to Xen Project 4.2.2.

  • This release fixes the following critical vulnerabilities:
    • CVE-2012-5634 / XSA-33: VT-d interrupt remapping source validation flaw
    • CVE-2013-0151 / XSA-34: nested virtualization on 32-bit exposes host crash
    • CVE-2013-0152 / XSA-35: Nested HVM exposes host to being driven out of memory by guest
    • CVE-2013-0153 / XSA-36: interrupt remap entries shared and old ones not cleared on AMD IOMMUs
    • CVE-2013-0154 / XSA-37: Hypervisor crash due to incorrect ASSERT (debug build only)
    • CVE-2013-0215 / XSA-38: oxenstored incorrect handling of certain Xenbus ring states
    • CVE-2012-6075 / XSA-41: qemu (e1000 device driver): Buffer overflow when processing large packets
    • CVE-2013-1917 / XSA-44: Xen PV DoS vulnerability with SYSENTER
    • CVE-2013-1919 / XSA-46: Several access permission issues with IRQs for unprivileged guests
    • CVE-2013-1920 / XSA-47: Potential use of freed memory in event channel operations
    • CVE-2013-1922 / XSA-48: qemu-nbd format-guessing due to missing format specification
  • This release contains many bug fixes and improvements (around 100 since Xen Project 4.2.1). The highlights are:
    • ACPI APEI/ERST finally working on production systems
    • Bug fixes for other low level system state handling
    • Bug fixes and improvements to the libxl tool stack
    • Bug fixes to nested virtualization

You can also get this release from the git repository: git://xenbits.xen.org/xen.git (tag RELEASE-4.2.2)

Release information for other releases in the Xen Project 4.2 series

Xen Project 4.2.1

Xen Project 4.2.1 is a maintenance release in the 4.2 series and contains: We recommend that all users of Xen Project 4.2.0 upgrade to Xen Project 4.2.1.

  • The release fixes the following critical vulnerabilities:
    • CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
    • CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
    • CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
    • CVE-2012-4539 / XSA-24: Grant table hypercall infinite loop DoS vulnerability
    • CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder Out-of-memory due to malicious kernel/ramdisk
    • CVE-2012-5510 / XSA-26: Grant table version switch list corruption vulnerability
    • CVE-2012-5511 / XSA-27: Several HVM operations do not validate the range of their inputs
    • CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
    • CVE-2012-5514 / XSA-30: Broken error handling in guest_physmap_mark_populate_on_demand()
    • CVE-2012-5515 / XSA-31: Several memory hypercall operations allow invalid extent order values
    • CVE-2012-5525 / XSA-32: several hypercalls do not validate input GFNs
  • Among many bug fixes and improvements (around 100 since Xen Project 4.2.0):
    • A fix for a long standing time management issue
    • Bug fixes for S3 (suspend to RAM) handling
    • Bug fixes for other low level system state handling
    • Bug fixes and improvements to the libxl tool stack
    • Bug fixes to nested virtualization

The Xen Project 4.2 release incorporates many new features and improvements to existing features. There are improvements across the board including to Security, Scalability, Performance and Documentation.

  • XL is now the default toolstack: Significant effort has gone in to the XL tool toolstack in this release and it is now feature complete and robust enough that we have made it the default. This toolstack can now replace xend in the majority of deployments, see XL vs Xend Feature Comparison. As well as improving XL the underlying libxl library has been significantly improved and supports the majority of the most common toolstack features. In addition the API has been declared stable which should make it even easier for external toolstack such as libvirt and XCP's xapi to make full use of this functionality in the future.
  • Large Systems: Following on from the improvements made in 4.1 Xen now supports even larger systems, with up to 4095 host CPUs and up to 512 guest CPUs. In addition toolstack feature like the ability to automatically create a CPUPOOL per NUMA node and more intelligent placement of guest VCPUs on NUMA nodes have further improved the Xen experience on large systems. Other new features, such as multiple PCI segment support have also made a positive impact on such systems.
  • Improved security: The XSM/Flask subsystem has seen several enhancements, including improved support for disaggregated systems and a rewritten example policy which is clearer and simpler to modify to suit local requirements.
  • Documentation: The Xen documentation has been much improved, both the in-tree documentation and the wiki. This is in no small part down to the success of the Xen Document Days so thanks to all who have taken part.

You can find more information in the Xen 4.2 release notes, the Xen 4.2 feature list and the Also see the Xen 4.x Feature Matrix.

Xen Project Hypervisor 4.2 Acknowledgements

Contributions were made to this release by 124 individuals from 43 organizations, not counting contributions to external projects such as the BSDs, Linux or qemu. Many thanks to everyone who contributed to this release, either through code, testing, documentation or in any other way. For a complete breakdown of community contributions, see Xen 4.2 Acknowledgements.

Xen Project 4.2.0

The Xen Project 4.2 release contains a number of important new features and updates including:

The release incorporates many new features and improvements to existing features. There are improvements across the board including to Security, Scalability, Performance and Documentation.

  • XL is now the default toolstack: Significant effort has gone in to the XL tool toolstack in this release and it is now feature complete and robust enough that we have made it the default. This toolstack can now replace xend in the majority of deployments, see XL vs Xend Feature Comparison. As well as improving XL the underlying libxl library has been significantly improved and supports the majority of the most common toolstack features. In addition the API has been declared stable which should make it even easier for external toolstack such as libvirt and XCP's xapi to make full use of this functionality in the future.
  • Large Systems: Following on from the improvements made in 4.1 Xen now supports even larger systems, with up to 4095 host CPUs and up to 512 guest CPUs. In addition toolstack feature like the ability to automatically create a CPUPOOL per NUMA node and more intelligent placement of guest VCPUs on NUMA nodes have further improved the Xen experience on large systems. Other new features, such as multiple PCI segment support have also made a positive impact on such systems.
  • Improved security: The XSM/Flask subsystem has seen several enhancements, including improved support for disaggregated systems and a rewritten example policy which is clearer and simpler to modify to suit local requirements.
  • Documentation: The Xen documentation has been much improved, both the in-tree documentation and the wiki. This is in no small part down to the success of the Xen Document Days so thanks to all who have taken part.

You can find more information in the Xen 4.2 release notes, the Xen 4.2 feature list and the Also see the Xen 4.x Feature Matrix.

Xen Project Hypervisor 4.2 Acknowledgements

Contributions were made to this release by 124 individuals from 43 organizations, not counting contributions to external projects such as the BSDs, Linux or qemu. Many thanks to everyone who contributed to this release, either through code, testing, documentation or in any other way.

The diagram below shows organisations which contributed more than 1% in lines of code to the Xen Project 4.2 release. Several items in the diagram discribe groups of people or organisations: Individual covers contributions by individuals whose affiliation is unknown, Misc covers contributions by commercial organisations which did not go above 1% individually and University covers contributions by Universities which did not go above 1% individually.Xen 4 2 Contribution Stats

For a complete breakdown of community contributions, see Xen 4.2 Acknowledgements.