xen-4.19.0_02-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14283-1 Final 1 1 2024-08-20T00:00:00Z current 2024-08-20T00:00:00Z 2024-08-20T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z xen-4.19.0_02-1.1 on GA media These are all security issues fixed in the xen-4.19.0_02-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14283 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-31145/ SUSE CVE CVE-2024-31145 page https://www.suse.com/security/cve/CVE-2024-31146/ SUSE CVE CVE-2024-31146 page openSUSE Tumbleweed xen-4.19.0_02-1.1 xen-devel-4.19.0_02-1.1 xen-doc-html-4.19.0_02-1.1 xen-libs-4.19.0_02-1.1 xen-tools-4.19.0_02-1.1 xen-tools-domU-4.19.0_02-1.1 xen-tools-xendomains-wait-disk-4.19.0_02-1.1 xen-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-devel-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-doc-html-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-libs-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-domU-4.19.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-xendomains-wait-disk-4.19.0_02-1.1 as a component of openSUSE Tumbleweed Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVE-2024-31145 openSUSE Tumbleweed:xen-4.19.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.19.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.19.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.19.0_02-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31145.html CVE-2024-31145 https://bugzilla.suse.com/1228574 SUSE Bug 1228574 When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVE-2024-31146 openSUSE Tumbleweed:xen-4.19.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.19.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.19.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.19.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.19.0_02-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-31146.html CVE-2024-31146 https://bugzilla.suse.com/1228575 SUSE Bug 1228575