Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2017-10911: kernel: xen: blkif responses leak backend stack data (XSA-216)|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Johannes Segitz <jsegitz>|
|Component:||Incidents||Assignee:||Security Team bot <security-team>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P3 - Medium||CC:||bpetkov, jbeulich, jgross, ohering, tiwai, wolfgang.frisch|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Johannes Segitz 2017-06-08 08:25:07 UTC
Comment 2 Johannes Segitz 2017-06-20 13:04:07 UTC
Comment 4 Takashi Iwai 2017-06-23 08:42:40 UTC
The kernel fix was already merged, but with the reference to the original bug 1042863. At least for SLE12-SP2/SP3.
Comment 5 Jürgen Groß 2017-07-05 07:22:25 UTC
As Takashi already stated: fix is in SLE12 SP2/3
Comment 7 Jürgen Groß 2017-07-21 06:51:27 UTC
Jan, I think the patch is missing in the xen kernel.
Comment 8 Jan Beulich 2017-08-09 13:46:22 UTC
Which branch(es) are you talking about? SLE11 SP4 and SLE12 SP1 both have patches.xen/xsa216.patch, and even some of the LTSS/TD branches have obtained it already afaik.
Comment 9 Jürgen Groß 2017-08-09 14:16:02 UTC
(In reply to Jan Beulich from comment #8) > Which branch(es) are you talking about? SLE11 SP4 and SLE12 SP1 both have > patches.xen/xsa216.patch, and even some of the LTSS/TD branches have > obtained it already afaik. Sorry, must have either overlooked it or looked at the wrong branch. Sorry for the noise.
Comment 10 Jan Beulich 2017-08-10 10:15:59 UTC
Handing on then - Ales, I hope you're the right person for the LTSS branches.
Comment 11 Ales Novak 2017-08-10 10:49:13 UTC
SLE11-SP3-LTSS: the patch is there, I did the merge initially wrong, but since there are no "indirect blkif requests" (whatever that is), I think that the fix should look like what Jan pushed to cve/linux-3.0. SLE12-SP1-LTSS: has the patch SLE12-LTSS: does not (perhaps it better should've went through cve/linux-3.12). As it applies & compiles, I assume it's safe to just take it.
Comment 12 Ales Novak 2019-02-05 17:48:54 UTC
This has been merged -> closing.