Pretty sure most people are using XEN 3.x on solus.Regarding CVE-2013-1964, Xen 4.2 is unaffected, and the transitive grants code is experimental, and thus shouldn't be enabled on any production hosts.
The other is mitigated by using PV-GRUB for untrusted kernel images, as PV-GRUB does the ELF parsing, not Xen itself.
In my opinion, not a big deal.
They won't be affected by CVE-2013-1964 at all then, as Xen 3 does not have anything other than non-transitive grants.Pretty sure most people are using XEN 3.x on solus.
I didnt say it affects providers using solus, just that a proof that any code is exploitable, no matter who made it, no matter if obfuscated or open source.They won't be affected by CVE-2013-1964 at all then, as Xen 3 does not have anything other than non-transitive grants.
As for the other, using PV-GRUB mitigates it on any version of Xen, and as I recall it, Solus does somehow magically support using PV-GRUB.
XEN has been exploited a ton of times though.I didnt say it affects providers using solus, just that a proof that any code is exploitable, no matter who made it, no matter if obfuscated or open source.
If you are looking at exploit lists, you wish you were a farmer instead.
Indeed, the vmsplice() Linux root exploit had a nice effect where it would crash some hypervisors by trashing the grant tables, in a similar way to CVE-2013-1964. The good news is that the necessary codepath is usually disabled in that caseXEN has been exploited a ton of times though.
I'm not saying KVM is perfect, just that XEN has had their hands messy more than a few timesWhile KVM not:
As for ovz... who needs exploits when it DoSes itself from time to time...
Probably because Xen isn't as commonly used around here. Bulk majority utilize OpenVZ, then KVM, then Xen. +1 though for the patch, and I hope it comes in handy. Hopefully those searching Google for a patch will stumble upon your thread.We run Xen 4.1 on CentOS 6 with SolusVM.
I have patched Xen 4.1 against those vulnerabilities and made packages for CentOS 6 available here: http://repo.phoenixrpm.com
I've also posted this, however most people have missed it (my guess is that talking about security issues is more important to some than actually fixing them):
I was referring that those nginx packages in my repository could be used with SolusVM and WHMCS to add a bit more security. Also, adding a htpasswd to the administration paths for WHMCS and SolusVM improves security quite a bit. If you want to really secure your installs you should also limit the IPs that can connect to the administration areas, as well as enable CloudFlare for SolusVM and WHMCS.my guess is that talking about security issues is more important to some than actually fixing them