Xen Project explains missing security patch update failure

Xen has called absent security patches in the latest release an "oversight."
Written by Charlie Osborne, Contributing Writer on

The Xen Project has released Xen 4.6.1, a new maintenance release of its virtualization software, but has admitted that some important security fixes are missing from it.


On Wednesday, the organization said fixes for two flaws have only been "partially applied" to the release, as well as to the earlier 4.4.4 release -- and has also attempted to explain what went wrong.

The Xen Project maintains Xen, an open-source hypervisor for running multiple operating system instances on a single host machine; it supports a variety of guest operating systems and cloud platforms, including Windows, Linux, CloudStack and OpenStack.

The virtualization and cloud software is used by millions of hosting and cloud vendors, individuals and research institutions.

Earlier this week, the Xen Project released Xen version 4.6.1, which was meant to include patches for two rather serious security flaws.

The first vulnerability, XSA-155, is a bug in backend drivers that can lead to double-fetch vulnerabilities and, at worst, remote code execution.

The second issue, XSA-162, is a heap buffer overflow vulnerability that could allow an attacker to change backend configuration settings.

However, the full patches for these problems were curiously absent, and the latest update includes only partial fixes for these security issues.

In a blog post, the organization's team said the missing patches were detected before the official release, but late enough in the release process that it was too late to correct the "oversight." Rather than cutting a new release, which would have meant skipping a release number -- and potentially confusing users -- Xen decided the safest option was to stay on track with the original release.

Xen commented:

"Normally, after testing succeeds we create a signed tag in the git tree. This means that there is a secure way of accounting for where the tarball came from. We then rebuild and do additional testing, write the release notes, do some more checking and sign the tarballs.

The missing patches were discovered on Thursday, before the official release on Monday, but after we created the signed tag. Signed tags cannot be removed, as they have to be tamper-proof, which makes everyone more secure."

It seems that a partial release with some protection is better than no update at all, so we shall have to see when these security problems are fully resolved. The patches are nonetheless available and can be downloaded separately from the XSA-155 and XSA-162 advisories.
