Tag Archives: release

Xen Project Maintenance Releases Available (Versions 4.4.1, 4.3.3, 4.2.5)

I am pleased to announce the release of Xen 4.4.1, 4.3.3 and 4.2.5. We recommend that all users of the 4.4, 4.3 and 4.2 stable series update to the latest point release.

Xen 4.4.1

Xen 4.4.1 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4
(tag RELEASE-4.4.1) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-44-series/xen-441.html

This release fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3125 / XSA-91: Hardware timer context is not properly context switched on ARM
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-2915 / XSA-93: Hardware features unintentionally exposed to guests on ARM
  • CVE-2014-2986 / XSA-94: ARM hypervisor crash on guest interrupt controller access
  • CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95: input handling vulnerabilities loading guest kernel on ARM
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-3969 / XSA-98: insufficient permissions checks accessing guest memory on ARM
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests
  • CVE-2014-4022 / XSA-101: information leak via gnttab_setup_table on ARM
  • CVE-2014-5147 / XSA-102: Flaws in handling traps from 32-bit userspace on 64-bit ARM
  • CVE-2014-5148 / XSA-103: Flaw in handling unknown system register access from 64-bit userspace on ARM

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can’t guarantee that all affected chipsets are being covered; Intel is working diligently on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

Xen 4.3.3

Xen 4.3.3 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.3) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-43-series/xen-433.html

This fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Additionally a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can’t guarantee that all affected chipsets are being covered; Intel is working diligently on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

Xen 4.2.5

Xen 4.2.5 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.2
(tag RELEASE-4.2.5) or from the XenProject download page http://www.xenproject.org/downloads/xen-archives/supported-xen-42-series/xen-425.html

Note that this is expected to be the last release of the 4.2 stable series. The tree will be switched to security only maintenance mode after this release.

This fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89: HVMOP_set_mem_access is not preemptible
  • CVE-2014-3124 / XSA-92: HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-3967,CVE-2014-3968 / XSA-96: Vulnerabilities in HVM MSI injection
  • CVE-2014-4021 / XSA-100: Hypervisor heap contents leaked to guests

Apart from those there are many further bug fixes and improvements.

Mirage OS v2.0: The new features

The first release of Mirage OS back in December 2013 introduced the prototype of the unikernel concept, which realised the promise of a safe, flexible mechanism to build highly optimized software stacks purpose-built for deployment in the public cloud (see the overview of Mirage OS for some background). Since then, we’ve been hard at work using and extending Mirage for real projects and the community has been steadily growing.

Today, we’re thrilled to announce the release of Mirage OS v2.0! Over the past few weeks the team has been hard at work writing about all the new features in this latest release, which I’ve been busy co-ordinating. Below are summaries of those features and links to in-depth blog posts where you can learn more:

Thomas Leonard's Cubieboard2

Thomas Leonard’s Cubieboard2

ARM device support: While the first version of Mirage was specialised towards conventional x86 clouds, the code generation and boot libraries have now been made portable enough to operate on low-power embedded ARM devices such as the Cubieboard 2. This is a key part of our efforts to build a safe, unified multiscale programming model for both cloud and mobile workloads as part of the Nymote project. We also upstreamed the changes required to the Xen Project so that other unikernel efforts like HalVM or ClickOS can benefit.

Irmin – distributed, branchable storage: Unikernels usually execute in a distributed, disconnection-prone environment (particularly with the new mobile ARM support). We therefore built the Irmin library to explicitly make synchronization easier via a Git-like persistence model that can be used to build and easily trace the operation of distributed applications across all of these diverse environments.

OCaml TLS: The philosophy of Mirage is to construct the entire operating system in a safe programming style, from the device drivers up. This continues in this release with a comprehensive OCaml implementation of Transport Layer Security, the most widely deployed end-to-end encryption protocol on the Internet (and one that is very prone to bad security holes). The series of posts is written by Hannes Mehnert and David Kaloper.

Modularity and communication: Mirage is built on the concept of a library operating system, and this release provides many new libraries to flexibly extend applications with new functionality.

  • Fitting the modular Mirage TCP/IP stack together” by Mindy Preston explains the rather unique modular architecture of our TCP/IP stack that lets you swap between the conventional Unix sockets API, or a complete implementation of TCP/IP in pure OCaml.
  • Vchan: low-latency inter-VM communication channels” by Jon Ludlam shows how unikernels can communicate efficiently with each other to form distributed clusters on a multicore Xen host, by establishing shared memory rings with each other.
  • Modular foreign function bindings” by Jeremy Yallop continues the march towards abstraction by expaining how to interface safely with code written in C, without having to write any unsafe C bindings! This forms the basis for allowing Xen unikernels to communicate with existing libraries that they may want to keep at arm’s length for security reasons.

All the libraries required for these new features are regularly released into the OPAM package manager, so just follow the installation instructions to give them a spin. A release this size probably introduces minor hiccups that may cause build failures, so we very much encourage bug reports on our issue tracker or questions to our mailing lists. Don’t be shy: no question is too basic, and we’d love to hear of any weird and wacky uses you put this new release to! And finally, the lifeblood of Mirage is about sharing and publishing libraries that add new functionality to the framework, so do get involved and open-source your own efforts.

Xen.org Welcomes a New Community Manager

Xen.org is pleased and excited to announce that Lars Kurth will be our new Community Manager. Lars has lots of experience helping to organize and promote open source communities, and we’re confident that he’ll make a very positive impact.

We asked Lars to provide an introduction of himself so that you can get to know him a little bit better.

“Hi, my name is Lars Kurth and I am looking forward to being the new community manager for Xen.org. In the last 9 years I have worked with various open source communities (Symbian, Symbian DevCo, Eclipse, GNU) and have developed a great passion for working in or with open source communites. My career has been quite diverse, covering roles such as community manager for Symbian, product manager, chief architect, engineering manager and software developer. This enabled me to learn to solve and understand many different business and community problems: such as building and leading virtual engineering teams, planning and executing change programs impacting 1000+ users and developing marketing and communications programs. I have mostly worked on different aspects of tooling and development infrastructure for silicon and mobile vendors helping developers be more effective.  In any case, I don’t want to bore you too much: if you want to know more check out my LinkedIn profile on uk.linkedin.com/in/larskurth

Personally, I have a wide range of interests such as literature, theatre, cinema, cooking and gardening. I am particularly fascinated by orchids and carnivorous plants and have built a rather large collection of plants from all over the world which I grow in a small greenhouse. My love for plants extends into a passion for travel: I enjoy travelling to exotic places to see plants grow in their native habitats.

I won’t start at Xen.org for a few weeks. If you see me on-line on

Drop me a line and say hello. And I am looking forward to work with you in the New Year.

Lars”

Project Golden Ratio – August 2010 Data Released

Here is the August 2010 Project Golden Ratio data…

GR_StatsAugust2010

Quick highlights for those of you not interested in all the details:

  • 20,874 views of the Xen.org Blog
  • 80.08% Answer rate on xen-users
  • 171 new users on the three main mailing lists (xen-users/xen-devel/xen-api)
  • 3,951 hits on the Xen.org Solution Search Tool with 590 click thrus to product website (15% rate!!!)
  • 80,378 unique visitors to Xen.org web site

Xen Directions South America – Update

Xen Directions South America in Sao Paulo is underway with plenty of great speakers from Cloud Providers, Google, Citrix, and Ian Pratt giving his standard opening thoughts on the future of Xen.org and associated technologies. Many people are taking pictures so I will be sure to post links to these once I get the information from the Xen.org members taking pictures. In the meantime, here are two shots I took with my not very good iPhone:

\

The second shot is myself with some Xen.org leaders in South America. Prize to the first person who can name everyone in the picture in the comment!