A Xen security update has been released for Debian GNU/Linux

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2337-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
November 6, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xen
Vulnerability : several vulnerabilities
Problem type : local
Debian-specific: no
CVE ID : CVE-2011-1166 CVE-2011-1583 CVE-2011-1898 CVE-2011-3262

Several vulnerabilities were discovered in the Xen virtual machine
hypervisor.

CVE-2011-1166

A 64-bit guest can get one of its vCPU'ss into non-kernel
mode without first providing a valid non-kernel pagetable,
thereby locking up the host system.

CVE-2011-1583, CVE-2011-3262

Local users can cause a denial of service and possibly execute
arbitrary code via a crafted paravirtualised guest kernel image.

CVE-2011-1898

When using PCI passthrough on Intel VT-d chipsets that do not
have interrupt remapping, guest OS can users to gain host OS
privileges by writing to the interrupt injection registers.

The oldstable distribution (lenny) contains a different version of Xen
not affected by these problems.

For the stable distribution (squeeze), this problem has been fixed in
version 4.0.1-4.

For the testing (wheezy) and unstable distribution (sid), this problem
has been fixed in version 4.1.1-1.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/