CVE-2020-28368

NameCVE-2020-28368
DescriptionXen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xen (PTS)stretch (security), stretch4.8.5.final+shim4.10.4-1+deb9u12vulnerable
buster4.11.4+24-gddaaccbbab-1~deb10u1vulnerable
buster (security)4.11.4+37-g3263f257ca-1vulnerable
bullseye4.11.4+24-gddaaccbbab-1vulnerable
sid4.14.0+80-gd101b417b7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xensourcestretch(unfixed)end-of-life
xensource(unstable)4.14.0+80-gd101b417b7-1

Notes

[stretch] - xen <end-of-life> (DSA 4602-1)
https://xenbits.xen.org/xsa/advisory-351.html

Search for package or bug name: Reporting problems