Synopsis:	Moderate: xen security and bug fix update
Issue date:	2009-01-07
CVE Names:	CVE-2008-4405 CVE-2008-4993

Xen was found to allow unprivileged DomU domains to overwrite xenstore
values which should only be changeable by the privileged Dom0 domain. An
attacker controlling a DomU domain could, potentially, use this flaw to
kill arbitrary processes in Dom0 or trick a Dom0 user into accessing the
text console of a different domain running on the same host. This update
makes certain parts of the xenstore tree read-only to the unprivileged DomU
domains. (CVE-2008-4405)

It was discovered that the qemu-dm.debug script created a temporary file in
/tmp in an insecure way. A local attacker in Dom0 could, potentially, use
this flaw to overwrite arbitrary files via a symlink attack. Note: This
script is not needed in production deployments and therefore was removed
and is not shipped with updated xen packages. (CVE-2008-4993)

This update also fixes the following bug:

* xen calculates its running time by adding the hypervisor's up-time to the
hypervisor's boot-time record. In live migrations of para-virtualized
guests, however, the guest would over-write the new hypervisor's boot-time
record with the boot-time of the previous hypervisor. This caused
time-dependent processes on the guests to fail (for example, crond would
fail to start cron jobs). With this update, the new hypervisor's boot-time
record is no longer over-written during live migrations.

The Xen host must be restarted for the update to take effect.

SL 5.x

    SRPMS:
xen-3.0.3-64.el5_2.9.src.rpm
    i386:
xen-3.0.3-64.el5_2.9.i386.rpm
xen-devel-3.0.3-64.el5_2.9.i386.rpm
xen-libs-3.0.3-64.el5_2.9.i386.rpm
    x86_64:
xen-3.0.3-64.el5_2.9.x86_64.rpm
xen-devel-3.0.3-64.el5_2.9.i386.rpm
xen-devel-3.0.3-64.el5_2.9.x86_64.rpm
xen-libs-3.0.3-64.el5_2.9.i386.rpm
xen-libs-3.0.3-64.el5_2.9.x86_64.rpm

-Connie Sieh
-Troy Dawson