Xen warns of nine embargo-worthy bugs

We won't know what they are for a fortnight, but clouds are warning of VM reboots

The Xen Project has announced nine – as in 3^2 – embargo-worthy bugs. Details of the problems, with fixes for all, will be revealed on June 20.

Xen's security policy sees it announce the existence of bugs two weeks before it releases patches to the world. But detailed news of the bugs is revealed to big Xen users, which makes sense because the likes of Amazon Web Services use the open source hypervisor to power millions of virtual machines. The policy was adopted because releasing news of a bug before big users can fix it would all but invite criminals to go on the attack.

One big Xen user, Linode, says the bugs are bad enough that its VMs will need a reboot. That won't be the case for all Xen VMs, as the project added non-disruptive patching to version 4.7 in 2016.

Xen's had big patch releases before: in November 2016 it announced eight. The Project has also pondered releasing news of fewer security SNAFUs, in part to reduce press coverage of such problems.

Linode's suggested response to these problems is to ditch Xen and move to KVM, which it makes possible without disruption. If patches keep landing nine at a time, it may not be the only cloud handing out such advice.


Biting the hand that feeds IT © 1998–2017