We have patched, or are otherwise not vulnerable to, the following advisories announced on Tuesday 2020-07-07:

XSA-317 is a denial of service attack that occurs when the system runs out of free memory. It is not present in the default Xen configuration. The vulnerability is caused by not handling all possible error codes returned by a function. It was introduced in 2018.

XSA-319 is a denial of service attack from HVM systems using “shadow” paging, which is not really used anymore. It also requires a virtual display device to be in active use. The vulnerability is caused by an inverted error check. It may have been introduced by a copy/paste or search/replace error during a refactor. It was introduced in 2016.

XSA-321 is a privilege escalation vulnerability. It applies only to Intel and requires both PCI passthrough and page table sharing to be enabled. It is caused by not flushing memory caches when required. It was likely introduced after the PCI passthrough and page table features were added.

XSA-327 is an Arm-only denial of service attack caused by a missing alignment check for an address. It has been present since 2013. It may have been introduced due to x86 code being made common without the code being reviewed for additional Arm restrictions.

XSA-328 is a privilege escalation specific to Intel and HVM systems using hardware assisted paging. This vulnerability depends on compiler behavior. It is doubtful that any version of GCC produces vulnerable code. The vulnerability has likely been present since before 2010, when hardware-assisted paging was added. From the code comments, it may have been introduced due to an assumption that writes to memory happen in source-code order. Even when there is no reordering in hardware, it is not safe to assume this in all cases without explicitly adding compiler memory barriers. The problem was fixed by writing to a temporary variable which is then written atomically.

We thank the Xen security team for providing fixes for these issues.