Downloads

Xen Project 4.3.1

Release Information
We are pleased to announce the release of Xen Project 4.3.1. This is available immediately from its git repository:
http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.1)
This fixes the following critical vulnerabilities:

CVE-2013-1922 / XSA-48 qemu-nbd format-guessing due to missing format specification
CVE-2013-2007 / XSA-51 qemu guest agent (qga) insecure file permissions
CVE-2013-1442 / XSA-62 Information leak on AVX and/or LWP capable CPUs
CVE-2013-4355 / XSA-63 Information leaks through I/O instruction emulation
CVE-2013-4356 / XSA-64 Memory accessible by 64-bit PV guests under live migration
CVE-2013-4361 / XSA-66 Information leak through fbld instruction emulation
CVE-2013-4368 / XSA-67 Information leak through outs instruction emulation
CVE-2013-4369 / XSA-68 possible null dereference when parsing vif ratelimiting info
CVE-2013-4370 / XSA-69 misplaced free in ocaml xc_vcpu_getaffinity stub
CVE-2013-4371 / XSA-70 use-after-free in libxl_list_cpupool under memory pressure
CVE-2013-4375 / XSA-71 qemu disk backend (qdisk) resource leak
CVE-2013-4416 / XSA-72 ocaml xenstored mishandles oversized message replies

We recommend all users of the 4.2 stable series to update to this latest point release.
Among the bug fixes and improvements (around 80 since Xen Project 4.3.0):

Adjustments to XSAVE management
Bug fixes to nested virtualization
Bug fixes for other low level system state handling
Bug fixes to the libxl tool stack