Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14702-1 Final 1 1 2021-04-19T14:36:41Z current 2021-04-19T14:36:41Z 2021-04-19T14:36:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: - CVE-2021-3419: Fixed a stack overflow induced by infinite recursion issue (bsc#1182975). - CVE-2021-20257: Fixed an infinite loop in the e1000 NIC emulator (bsc#1182846) - xenstored crashing with segfault (bsc#1182155). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slessp4-xen-14702 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114702-1/ Link for SUSE-SU-2021:14702-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008656.html E-Mail link for SUSE-SU-2021:14702-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182155 SUSE Bug 1182155 https://bugzilla.suse.com/1182846 SUSE Bug 1182846 https://bugzilla.suse.com/1182975 SUSE Bug 1182975 https://www.suse.com/security/cve/CVE-2021-20257/ SUSE CVE CVE-2021-20257 page https://www.suse.com/security/cve/CVE-2021-3419/ SUSE CVE CVE-2021-3419 page SUSE Linux Enterprise Server 11 SP4-LTSS xen-4.4.4_48-61.64.1 xen-doc-html-4.4.4_48-61.64.1 xen-kmp-default-4.4.4_48_3.0.101_108.123-61.64.1 xen-kmp-pae-4.4.4_48_3.0.101_108.123-61.64.1 xen-libs-4.4.4_48-61.64.1 xen-libs-32bit-4.4.4_48-61.64.1 xen-tools-4.4.4_48-61.64.1 xen-tools-domU-4.4.4_48-61.64.1 xen-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-doc-html-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-kmp-default-4.4.4_48_3.0.101_108.123-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-kmp-pae-4.4.4_48_3.0.101_108.123-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-libs-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-libs-32bit-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-tools-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS xen-tools-domU-4.4.4_48-61.64.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVE-2021-20257 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-doc-html-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-kmp-default-4.4.4_48_3.0.101_108.123-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-kmp-pae-4.4.4_48_3.0.101_108.123-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-libs-32bit-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-libs-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-tools-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-tools-domU-4.4.4_48-61.64.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114702-1/ https://www.suse.com/security/cve/CVE-2021-20257.html CVE-2021-20257 https://bugzilla.suse.com/1182577 SUSE Bug 1182577 https://bugzilla.suse.com/1182846 SUSE Bug 1182846 DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none CVE-2021-3419 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-doc-html-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-kmp-default-4.4.4_48_3.0.101_108.123-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-kmp-pae-4.4.4_48_3.0.101_108.123-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-libs-32bit-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-libs-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-tools-4.4.4_48-61.64.1 SUSE Linux Enterprise Server 11 SP4-LTSS:xen-tools-domU-4.4.4_48-61.64.1 moderate 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114702-1/ https://www.suse.com/security/cve/CVE-2021-3419.html CVE-2021-3419 https://bugzilla.suse.com/1182968 SUSE Bug 1182968 https://bugzilla.suse.com/1182975 SUSE Bug 1182975