Xen Project blunder blows own embargo with premature bug report

The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.” The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason. Xen is very widely used by big cloud …

  1. This post has been deleted by its author

  2. John Robson

    Hope the patch can be applied fast?

    And without taking down whoever it is that uses AWS?

    (I've lost track of the people who use it, not implying that no-one does)

    1. Tom Samplonius

      Re: Hope the patch can be applied fast?

      "And without taking down whoever it is that uses AWS?"

      If your app can't recover after a reboot, it shouldn't be running on AWS. Netflix famously designed Chaos Monkey, which picks a random instance and reboots it.

  3. This post has been deleted by its author

  4. Anonymous Coward

    Not a policy breach

    The article and the XSA state: “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.”

    If you look at section 2b, you will see it says "If the vulnerability is not already public, security@xenproject will negotiate with discoverer regarding embargo date and disclosure schedule. See below for detailed discussion." ... In this case, an issue was posted on the list without realising it may be a security issue. Later it was discovered that the issue constitutes a security issue. The project did in fact not breach its own policy and as such the article is wrong.

    This happened once in the entire time the project had the vulnerability process, which is quite a good record IMHO.
