We needed this right now (Xen vulnerability)

kaniini

Beware the bunny-rabbit!
Verified Provider
Regarding CVE-2013-1964, Xen 4.2 is unaffected, and the transitive grants code is experimental, and thus shouldn't be enabled on any production hosts.

The other is mitigated by using PV-GRUB for untrusted kernel images, as PV-GRUB does the ELF parsing, not Xen itself.

In my opinion, not a big deal.
 

Francisco

Company Lube
Verified Provider
Regarding CVE-2013-1964, Xen 4.2 is unaffected, and the transitive grants code is experimental, and thus shouldn't be enabled on any production hosts.

The other is mitigated by using PV-GRUB for untrusted kernel images, as PV-GRUB does the ELF parsing, not Xen itself.

In my opinion, not a big deal.
Pretty sure most people are using XEN 3.x on solus.

Francisco
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Pretty sure most people are using XEN 3.x on solus.


Francisco
They won't be affected by CVE-2013-1964 at all then, as Xen 3 does not have anything other than non-transitive grants.

As for the other, using PV-GRUB mitigates it on any version of Xen, and as I recall it, Solus does somehow magically support using PV-GRUB.
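
Added example, not part of the thread and not any poster's code: a small audit of domU config files showing where each guest's kernel ELF image ends up being parsed, which is the distinction the PV-GRUB mitigation above relies on. The sample configs, guest names and file paths are constructed, and matching "pv-grub" in the kernel file name is an assumption about how the host names its PV-GRUB image.

```python
import re

# Matches simple `key = "value"` string assignments in xm/xl domU config files.
ASSIGN = re.compile(r"""^\s*(\w+)\s*=\s*(['"])(.*?)\2""")

def parse_domu_cfg(text):
    """Return {key: value} for quoted string assignments, ignoring # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # assumes no '#' inside quoted values
        m = ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(3)
    return cfg

def elf_parse_location(cfg):
    """Classify where the guest-supplied kernel image is parsed."""
    kernel = cfg.get("kernel", "")
    bootloader = cfg.get("bootloader", "")
    # Assumption: the host's PV-GRUB image has "pv-grub" in its file name.
    if "pv-grub" in kernel.rsplit("/", 1)[-1]:
        return "guest"            # PV-GRUB loads the guest kernel inside the domU
    if bootloader:
        return "dom0-untrusted"   # e.g. pygrub: kernel read from guest disk, parsed in dom0
    if kernel:
        return "dom0-host-file"   # kernel file kept in dom0; depends on who supplied it
    return "unknown"

def audit(configs):
    """Map guest name -> classification for each config text."""
    results = {}
    for text in configs:
        cfg = parse_domu_cfg(text)
        results[cfg.get("name", "<unnamed>")] = elf_parse_location(cfg)
    return results

# Constructed sample configs (not taken from any real host).
SAMPLES = [
    'name = "vm101"\nkernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"\n'
    'extra = "(hd0,0)/boot/grub/menu.lst"\n',
    'name = "vm102"\nbootloader = "/usr/bin/pygrub"\n',
    'name = "vm103"\nkernel = "/boot/vmlinuz-guest"  # host-managed\n',
]

if __name__ == "__main__":
    for name, where in audit(SAMPLES).items():
        print(f"{name}: {where}")
```

Guests reported as "dom0-untrusted" are the ones to move to PV-GRUB or to cover with the patched Xen packages.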
 

maounique

Active Member
They won't be affected by CVE-2013-1964 at all then, as Xen 3 does not have anything other than non-transitive grants.

As for the other, using PV-GRUB mitigates it on any version of Xen, and as I recall it, Solus does somehow magically support using PV-GRUB.
I didn't say it affects providers using solus, just that a proof that any code is exploitable, no matter who made it, no matter if obfuscated or open source.

If you are looking at exploit lists, you wish you were a farmer instead.
 

Francisco

Company Lube
Verified Provider
I didn't say it affects providers using solus, just that a proof that any code is exploitable, no matter who made it, no matter if obfuscated or open source.

If you are looking at exploit lists, you wish you were a farmer instead.
XEN has been exploited a ton of times though.

Francisco
 

kaniini

Beware the bunny-rabbit!
Verified Provider
I look at exploit lists from the perspective of whether or not they will affect my livelihood. Is there some other way I should be looking at them?
 

kaniini

Beware the bunny-rabbit!
Verified Provider
XEN has been exploited a ton of times though.


Francisco
Indeed, the vmsplice() Linux root exploit had a nice effect where it would crash some hypervisors by trashing the grant tables, in a similar way to CVE-2013-1964.  The good news is that the necessary codepath is usually disabled in that case :)
 

Marc M.

Phoenix VPS
Verified Provider
We run Xen 4.1 on CentOS 6 with SolusVM.

I have patched Xen 4.1 against those vulnerabilities and made packages for CentOS 6 available here: http://repo.phoenixrpm.com

I've also posted this, however most people have missed it (my guess is that talking about security issues is more important to some than actually fixing them):

http://vpsboard.com/topic/896-phoenix-rpm-repository-updated-with-new-packages-nginx-naxsi-12-14-php-53-54-xen-41-xsa-55-patched-kernel-xen-34-for-centos-and-much-more/
 

MannDude

Just a dude
vpsBoard Founder
Moderator
We run Xen 4.1 on CentOS 6 with SolusVM.

I have patched Xen 4.1 against those vulnerabilities and made packages for CentOS 6 available here: http://repo.phoenixrpm.com

I've also posted this, however most people have missed it (my guess is that talking about security issues is more important to some than actually fixing them):

http://vpsboard.com/topic/896-phoenix-rpm-repository-updated-with-new-packages-nginx-naxsi-12-14-php-53-54-xen-41-xsa-55-patched-kernel-xen-34-for-centos-and-much-more/
Probably because Xen isn't as commonly used around here. Bulk majority utilize OpenVZ, then KVM, then Xen. +1 though for the patch, and I hope it comes in handy. Hopefully those searching Google for a patch will stumble upon your thread.
 

Marc M.

Phoenix VPS
Verified Provider
@MannDude when I said this:

my guess is that talking about security issues is more important to some than actually fixing them
I was referring to the fact that those nginx packages in my repository could be used with SolusVM and WHMCS to add a bit more security. Also, adding a htpasswd to the administration paths for WHMCS and SolusVM improves security quite a bit. If you want to really secure your installs you should also limit the IPs that can connect to the administration areas, as well as enable CloudFlare for SolusVM and WHMCS.
 