Skip to main content


Xen Project 4.2.4

We are pleased to announce the release of Xen Project 4.2.4. This is available immediately from its git repository;a=shortlog;h=refs/heads/stable-4.2 (tag RELEASE-4.2.4)

This fixes the following critical vulnerabilities:

CVE-2013-2212 / XSA-60 Excessive time to disable caching with HVM guests with PCI passthrough
CVE-2013-1442 / XSA-62 Information leak on AVX and/or LWP capable CPUs
CVE-2013-4355 / XSA-63 Information leaks through I/O instruction emulation
CVE-2013-4361 / XSA-66 Information leak through fbld instruction emulation
CVE-2013-4368 / XSA-67 Information leak through outs instruction emulation
CVE-2013-4369 / XSA-68 possible null dereference when parsing vif ratelimiting info
CVE-2013-4370 / XSA-69 misplaced free in ocaml xc_vcpu_getaffinity stub
CVE-2013-4371 / XSA-70 use-after-free in libxl_list_cpupool under memory pressure
CVE-2013-4375 / XSA-71 qemu disk backend (qdisk) resource leak
CVE-2013-4416 / XSA-72 ocaml xenstored mishandles oversized message replies
CVE-2013-4494 / XSA-73 Lock order reversal between page allocation and grant table locks
CVE-2013-4553 / XSA-74 Lock order reversal between page_alloc_lock and mm_rwlock
CVE-2013-4551 / XSA-75 Host crash due to guest VMX instruction execution
CVE-2013-4554 / XSA-76 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
CVE-2013-6375 / XSA-78 Insufficient TLB flushing in VT-d (iommu) code
CVE-2013-6400 / XSA-80 IOMMU TLB flushing may be inadvertently suppressed
CVE-2013-6885 / XSA-82 Guest triggerable AMD CPU erratum may cause host hang
CVE-2014-1642 / XSA-83 Out-of-memory condition yielding memory corruption during IRQ setup
CVE-2014-1891 / XSA-84 integer overflow in several XSM/Flask hypercalls
CVE-2014-1895 / XSA-85 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
CVE-2014-1896 / XSA-86 libvchan failure handling malicious ring indexes
CVE-2014-1666 / XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
CVE-2014-1950 / XSA-88 use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.2 stable series to update to the latest point release.