Описание
Security update for xen
This update for xen fixes the following issues:
- CVE-2024-31145: Fixed error handling in x86 IOMMU identity mapping (XSA-460, bsc#1228574)
- CVE-2024-31146: Fixed PCI device pass-through with shared resources (XSA-461, bsc#1228575)
Other fixes:
- Update to Xen 4.18.3 security bug fix release (bsc#1027519)
Список пакетов
Image SLES15-SP6
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Azure-Basic
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Azure-Standard
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-Aliyun
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-GDC
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-CHOST-BYOS-SAP-CCloud
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-EC2-ECS-HVM
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-BYOS
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-HPC-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Hardened-BYOS
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Hardened-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Hardened-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Hardened-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Azure-LI-BYOS
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Azure-LI-BYOS-Production
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Azure-VLI-BYOS
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-BYOS
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-BYOS
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-BYOS-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-BYOS-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-BYOS-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAP-Hardened-GCE
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAPCAL
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAPCAL-Azure
xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAPCAL-EC2
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
Image SLES15-SP6-SAPCAL-GCE
xen-libs-4.18.3_02-150600.3.6.1
SUSE Linux Enterprise Module for Basesystem 15 SP6
xen-libs-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
SUSE Linux Enterprise Module for Server Applications 15 SP6
xen-4.18.3_02-150600.3.6.1
xen-devel-4.18.3_02-150600.3.6.1
xen-tools-4.18.3_02-150600.3.6.1
xen-tools-xendomains-wait-disk-4.18.3_02-150600.3.6.1
openSUSE Leap 15.6
xen-4.18.3_02-150600.3.6.1
xen-devel-4.18.3_02-150600.3.6.1
xen-doc-html-4.18.3_02-150600.3.6.1
xen-libs-4.18.3_02-150600.3.6.1
xen-libs-32bit-4.18.3_02-150600.3.6.1
xen-tools-4.18.3_02-150600.3.6.1
xen-tools-domU-4.18.3_02-150600.3.6.1
xen-tools-xendomains-wait-disk-4.18.3_02-150600.3.6.1
Ссылки
- Link for SUSE-SU-2024:3113-1
- E-Mail link for SUSE-SU-2024:3113-1
- SUSE Security Ratings
- SUSE Bug 1027519
- SUSE Bug 1228574
- SUSE Bug 1228575
- SUSE CVE CVE-2024-31145 page
- SUSE CVE CVE-2024-31146 page
Описание
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to.
Затронутые продукты
Image SLES15-SP6-Azure-Basic:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Azure-Standard:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-Azure:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-EC2:xen-libs-4.18.3_02-150600.3.6.1
Ссылки
- CVE-2024-31145
- SUSE Bug 1228574
Описание
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines.
Затронутые продукты
Image SLES15-SP6-Azure-Basic:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-Azure-Standard:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-Azure:xen-libs-4.18.3_02-150600.3.6.1
Image SLES15-SP6-BYOS-EC2:xen-libs-4.18.3_02-150600.3.6.1
Ссылки
- CVE-2024-31146
- SUSE Bug 1228575