[Oraclevm-errata] OVMSA-2023-0005 Important: Oracle VM 3 Extended Lifecycle Support (ELS) xen security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed Mar 22 17:47:37 UTC 2023
Oracle VM Security Advisory OVMSA-2023-0005
The following updated rpms for Oracle VM 3 Extended Lifecycle Support (ELS) have been uploaded to the Unbreakable Linux Network:
x86_64:
xen-4.4.4-222.0.51.el6.x86_64.rpm
xen-tools-4.4.4-222.0.51.el6.x86_64.rpm
Related CVEs:
CVE-2022-42309
CVE-2022-42310
CVE-2022-42311
CVE-2022-42312
CVE-2022-42313
CVE-2022-42314
CVE-2022-42315
CVE-2022-42316
CVE-2022-42317
CVE-2022-42318
CVE-2022-42319
CVE-2022-42320
CVE-2022-42321
CVE-2022-42322
CVE-2022-42323
CVE-2022-42325
CVE-2022-42326
Description of changes:
[4.4.4-222.0.51.el6]
- BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8
- BUILDINFO: xen commit=78d8dad5a481c5b94794ede5fbad2eb0bd5e7f7f
- BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff
- BUILDINFO: QEMU traditional commit=4a8ded640f04b41cdb15ce7c4c0a2c812c1b9e4d
- BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e
- BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee
- tools/xenstore: harden transaction finalization against errors (Juergen Gross) [Orabug: 35151957] {CVE-2022-42326} {CVE-2022-42325} {CVE-2022-42326}
- tools/xenstore: fix deleting node in transaction (Juergen Gross) [Orabug: 35151957] {CVE-2022-42325} {CVE-2022-42325} {CVE-2022-42326}
- docs: enhance xenstore.txt with permissions description (Juergen Gross) [Orabug: 35151949] {CVE-2022-42322} {CVE-2022-42323}
- tools/xenstore: make the internal memory data base the default (Juergen Gross) [Orabug: 35151949] {CVE-2022-42322} {CVE-2022-42323}
- tools/xenstore: remove nodes owned by destroyed domain (Juergen Gross) [Orabug: 35151949] {CVE-2022-42322} {CVE-2022-42322} {CVE-2022-42323}
- tools/xenstore: start with empty data base (Juergen Gross) [Orabug: 35151949]
- tools/xenstore: use treewalk for deleting nodes (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: use treewalk for check_store() (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: simplify check_store() (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: add generic treewalk function (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: don't let remove_child_entry() call corrupt() (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: remove recursion from construct_node() (Juergen Gross) [Orabug: 35151934] {CVE-2022-42321} {CVE-2022-42321}
- tools/xenstore: fix checking node permissions (Juergen Gross) [Orabug: 35151927] {CVE-2022-42320} {CVE-2022-42320}
- tools/xenstore: don't use conn->in as context for temporary allocations (Juergen Gross) [Orabug: 35151915] {CVE-2022-42319} {CVE-2022-42319}
- tools/xenstore: add control command for setting and showing quota (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add exports for quota variables (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add memory accounting for nodes (Juergen Gross) [Orabug: 35151880] {CVE-2022-42315} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add memory accounting for watches (Juergen Gross) [Orabug: 35151880] {CVE-2022-42315} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add memory accounting for responses (Juergen Gross) [Orabug: 35151880] {CVE-2022-42315} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add infrastructure to keep track of per domain memory usage (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: move the call of setup_structure() to dom0 introduction (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: limit max number of nodes accessed in a transaction (Juergen Gross) [Orabug: 35151880] {CVE-2022-42314} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: simplify and fix per domain node accounting (Juergen Gross) [Orabug: 35151880] {CVE-2022-42313} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: fix connection->id usage (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: don't buffer multiple identical watch events (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: limit outstanding requests (Juergen Gross) [Orabug: 35151880] {CVE-2022-42312} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: let unread watch events time out (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: reduce number of watch events (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: add helpers to free struct buffered_data (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: split up send_reply() (Juergen Gross) [Orabug: 35151880] {CVE-2022-42311} {CVE-2022-42312} {CVE-2022-42313} {CVE-2022-42314} {CVE-2022-42315} {CVE-2022-42316} {CVE-2022-42317} {CVE-2022-42318}
- tools/xenstore: Fail a transaction if it is not possible to create a node (Julien Grall) [Orabug: 35151876] {CVE-2022-42310} {CVE-2022-42310}
- tools/xenstore: create_node: Don't defer work to undo any changes on failure (Julien Grall) [Orabug: 35151863] {CVE-2022-42309} {CVE-2022-42309}