While lots of the world was easing in to a new year of work in the week of January 4th, big cloud concerns running customer-facing Xen rigs were probably patching two new bugs in the hypervisor.

The Xen Project's policy is to let big cloud operators and others on a pre-disclosure list know about bugs two weeks before the rest of us, so that the bug can be quashed before bad guys try to exploit it. January 20th, US time, saw the release of the bugs to those of us with less-sensitive Xen rigs. Which means cloud operators got wind of them on the 6th, which may have been rather a stern post-holidays jump-starter.

There's two bugs this time around. XSA-167 comes about because “The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests.”

Xen folks say “unknown effects” are the result, “ranging from information leaks through Denial of Service to privilege escalation.”

None of which are pleasant or desirable. So grab this patch if you're running Xen 4.3 through Xen-unstable.

XSA-168 is also nasty, as the priveliged INVLPG instruction can fail under some circumstances, creating a hypervisor bug check that in turn means “A malicious guest can crash the host, leading to a Denial of Service.”

This one's an oldie, but a baddie: Xen versions from 3.3 up need patching. ®