The xen packages contain the Xen tools and management daemons needed to manage virtual machines running on Red Hat Enterprise Linux.

Xen was found to allow unprivileged DomU domains to overwrite xenstore values which should only be changeable by the privileged Dom0 domain. An attacker controlling a DomU domain could, potentially, use this flaw to kill arbitrary processes in Dom0 or trick a Dom0 user into accessing the text console of a different domain running on the same host. This update makes certain parts of the xenstore tree read-only to the unprivileged DomU domains. (CVE-2008-4405)

It was discovered that the qemu-dm.debug script created a temporary file in /tmp in an insecure way. A local attacker in Dom0 could, potentially, use this flaw to overwrite arbitrary files via a symlink attack. Note: This script is not needed in production deployments and therefore was removed and is not shipped with updated xen packages. (CVE-2008-4993)

This update also fixes the following bug:

All xen users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The Xen host must be restarted for the update to take effect.
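
The temporary-file weakness described for CVE-2008-4993, shown as an added example that is not taken from the xen packages or from the qemu-dm.debug script: a fixed log name in a shared directory beside a mktemp-based replacement. The function names and the debug-wrapper.log file name are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from the xen packages.
# Function names and "debug-wrapper.log" are hypothetical.

# Weak pattern: a fixed, predictable name inside a directory that other
# local users can write to. The ">" redirection follows symbolic links,
# so a link waiting at that name makes the script truncate and overwrite
# whatever file the link points to, with the script's privileges.
unsafe_log() {
    dir=$1
    echo "starting debug run" > "$dir/debug-wrapper.log"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the
# file exclusively (it fails instead of reusing an existing name), with
# owner-only permissions, so no pre-existing link is followed.
# Prints the path of the new log file.
safe_log() {
    dir=$1
    log=$(mktemp "$dir/debug-wrapper.XXXXXXXXXX") || return 1
    echo "starting debug run" > "$log"
    printf '%s\n' "$log"
}

# Audit helper: succeeds when a fixed path a script is about to write
# to is a symbolic link rather than a regular file.
is_planted_link() {
    [ -L "$1" ]
}
```

On a shared /tmp the sticky bit keeps other users from replacing the file after mktemp has created it; a private directory from mktemp -d gives the same guarantee when several files are needed.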