We patched or are otherwise not vulnerable for the following advisories announced today:
No downtime was required to patch these.
XSA-313 addresses two vulnerabilities: one is an information disclosure, and the other is a privilege escalation.
The privilege escalation is only available if a specific feature is explicitly enabled, which we have never done. Therefore it did not affect us.
The information disclosure is in a data buffer that was not cleared after being allocated. This buffer is used only during code profiling, and is allocated only if the VPS asks for it. The only distribution we found with this profiling support was CentOS 5, and allocating the buffer still required explicit user action.
We checked for the buffer allocation while live-patching the issue. No running VPSes had this buffer allocated.
XSA-314 affects ARM only. On ARM, memory accesses don’t always happen on real hardware in the same order as they happen in the program. If memory accesses need to happen in a particular order for the program to work in a multi-core environment, such as when data is protected by a software lock, that ordering must be explicitly enforced by the program. That ordering was missing in some places.
XSA-316 is a denial of service. The fix is changing a single line of code to move a parenthesis. XSA-316 may not have happened if the code had used a style resembling:
int rc; rc = function(); if (rc != OK) ...
as opposed to:
int rc; if ((rc = function()) != OK) ...
The above style of assignment inside an “if” statement is explicitly allowed by the SEI CERT C Coding Standard, but demonstrably was still a problem.
XSA-318 is a logic error leading to incorrect behavior, but probably not a privilege escalation.
We thank the Xen security team for providing fixes for these issues.