CVE-2009-3525

Name: CVE-2009-3525
Description: The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

Package       Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
xen-3         source  (unstable)  (unfixed)      unimportant
xen-unstable  source  (unstable)  (unfixed)      unimportant

Notes

This is an enhancement, not a security issue.
A user must have access to a guest hard drive image in order to boot it,
so he can simply mount the drive and remove the password option.
