Xen Project blunder blows own embargo with premature bug report

The Xen Project has reported a new bug, XSA-169, that means “A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.”

The fix is simple – running only paravirtualised guests – but the bug is a big blunder for another reason.

Xen is very widely used by big cloud operators, principally Amazon Web Services. Xen bugs are therefore very, very valuable to criminals because if they can learn of a vulnerability they have millions of targets to attack. The Xen Project therefore cooked up new rules designed specifically to ensure that big operators get a couple of weeks in which to sort things out before world+dog is told about the bug.

Those processes weren't followed for XSA-169, as the notice of the bug sheepishly admits “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.”

That's far from a complete breakdown in the Project's processes, but also not a good look for an effort that provides critical code to a great many people around the world.

The good news is that a patch is already available. ®