Tag Archives: XSA-192

What You Need to Know about Recent Xen Project Security Advisories

Today the Xen Project announced eight security advisories: XSA-191 to XSA-198. The bulk of these security advisories were discovered and fixed during the hardening phase of the Xen Project Hypervisor 4.8 release (expected to come out in early December). The Xen Project has implemented a security-first approach when publishing new releases.

In order to increase the security of future releases, members of the Xen Project Security Team and key contributors to the Xen Project actively search for and fix security bugs in code areas where vulnerabilities were found in past releases. The contributors use techniques such as code inspection, static code analysis, and additional testing with fuzzers such as American Fuzzy Lop. These fixes are then backported to older Xen Project releases that are still under security support and published in bulk to make it easier for downstream consumers to apply them.

Before we declare a new Xen Project feature as supported, we perform a security assessment (see the post declaring the Credit2 scheduler as supported). In addition, the contributors focused on security have started crafting a regression test for each vulnerability and integrating these tests into our automated regression testing system, which runs regularly on all maintained versions of Xen. This ensures that the patch is applied to every version that is vulnerable, and also that no fixed bug is accidentally reintroduced as development goes forward.

The Xen Project’s mature and robust security response process is optimized for cloud environments and downstream Xen Project consumers, to maximize fairness, effectiveness and transparency. This includes not publicly discussing any details with security implications during our embargo period. This encourages anyone who finds a bug to report it to the Xen Project Security Team, and gives the team time to assess, respond, and prepare patches before public disclosure and before the bug can be broadly exploited.

During the embargo period, the Xen Project does not publicly discuss any details with security implications except:

  • when co-opting technical assistance from other parties;
  • when issuing a Xen Project Security Advisory (XSA), which is pre-disclosed only to members of the Xen Project Pre-Disclosure List (see www.xenproject.org/security-policy.html); and
  • when necessary to coordinate with other affected projects.

The Xen Project Security Team assigns and publicly releases XSA numbers for vulnerabilities. This number is the only information that is shared publicly during the embargo period. See “XSA Advisories, Publicly Released or Pre-Released” at xenbits.xen.org/xsa.

Xen’s latest advisories, XSA-191, XSA-192, XSA-193, XSA-194, XSA-195, XSA-196, XSA-197 and XSA-198, can all be found at xenbits.xen.org/xsa.

Any Xen-based public cloud is eligible to be on our pre-disclosure list. Cloud providers on the list were notified of the vulnerabilities and provided the patches two weeks before the public announcement, to make sure they all had time to apply the patches to their servers.

Distributions and other major vendors of Xen Project software were also given the patches in advance to make sure they had updated packages ready to download as soon as the vulnerabilities were announced. Private clouds and individuals are urged to apply the patches or update their packages as soon as possible.

All of the above XSAs that affect the hypervisor can be deployed using the Xen Project Live Patching functionality, which enables reboot-free deployment of security patches to minimize disruption and downtime during security upgrades for system administrators and DevOps practitioners. Note that live patching is only available on hypervisors built with it enabled (Xen 4.7 and later); on older security-supported releases the fixes must be applied by rebuilding the hypervisor and rebooting. The Xen Project encourages its users to download and apply these patches.

More information about the Xen Project’s Security Vulnerability Process, including the embargo and disclosure schedule, policies around embargoed information, information sharing among pre-disclosed list members, a list of pre-disclosure list members, and the application process to join the list, can be found at: www.xenproject.org/security-policy.html

Xen Summit North America at AMD – Agenda Announced

The final (or just about final) agenda for Xen Summit North America at AMD is now available. The agenda has 26 presentations over 2 days (April 28-29) and covers a variety of topics of interest to the Xen.org community. Speaker profiles and topic abstracts are also now available for your consumption.

You can register for $235 at http://www.regonline.com/xen_summit_amd.

Xen Summit North America at AMD – Are You Attending?

Have you signed up at https://www.regonline.com/xen_summit_amd for Xen Summit yet? Yes, well then ignore the rest of this post and I look forward to seeing you in a few weeks. If not, please read on…

This year’s Xen Summit at AMD looks to be a great event for technologists and developers interested in not just the Xen hypervisor but also the Xen Cloud Platform. In fact, we have several sessions planned for XCP including:

  • Jonathan Ludlam – XCP Status and Roadmap – where is Xen.org going with XCP?
  • Marco Sinhoreli – Case Study on IaaS using XCP and XAPI; Marco is our Brazilian Xen.org User Group Leader and has tremendous knowledge of running cloud systems on Xen
  • Hirokazu Takahasi – VastSky: Cluster Storage System for XCP; a new open source project for cluster storage systems made for the cloud and XCP
  • Sheng Liang – Building an Infrastructure as a Service Cloud on XCP, from the founder of VMOps
  • Pradeep Padala – XRM: Event based resource management framework for XCP

In addition, we have two speakers on Day 2 to focus on cloud computing:

  • Paul Lappas – GoGrid and Xen; VP of Engineering for GoGrid
  • Bernard Golden – Open Source Cloud Computing; more on Bernard here

So, why not take 2 days out of the week on April 28-29 and join with the Xen.org community to learn more about our open source solutions and technologies and how you can take part. Registration is $235 at https://www.regonline.com/xen_summit_amd.

Xen Summit NA at AMD Registration Open

I have activated the Xen Summit at AMD event registration site at http://www.regonline.com/xen_summit_amd for next month’s Xen Summit in Sunnyvale, CA from April 28-29, 2010. The event cost is $235, which includes food and snacks on both days during the sessions, an evening at Dave and Buster’s on the 28th, a Xen giveaway, and a small contribution toward the registration costs for 10 college students. Speakers already committed include Ian Pratt (Xen.org Community Update), Keir Fraser (Xen Status on 4.0.0+), AMD Executive, Dave Scott (XCP), George Dunlap (Scheduler), and others to be named later. A list of nearby hotels is available at http://www.xen.org/files/xensummit_amd10/HotelListing.pdf. If you have any questions please don’t hesitate to contact me.

Finally, we are still taking speaker/topic submissions at http://xensummit.org.

I look forward to seeing you at AMD next month in California.

Have you registered for Xen Summit at Oracle?

Xen Community:

If you haven’t registered for Xen Summit at Oracle, what are you waiting for? I just booked my hotel at the Extended Stay in San Carlos for $85 a night, which includes a full kitchen, queen bed, and office area – not bad in CA for $85 a night. There is also a post from Dan M in the blog about another hotel nearby for $45 a night. Very affordable. If you are looking to share a room with someone in CA for the event, let me know and I can try to match you up.

As for the event itself, it is $215 for 2 days of great conversation, as well as an evening out with food and drinks (plenty of beer) at the Computer Museum and a great Xen jacket for all attendees. I also have slots for 15 college students looking to attend at no charge – just email me if you would like a slot.

Event Registration – http://www.regonline.com/Checkin.asp?EventId=681795