The libxenlight (libxl) toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore that the host later implicitly trusts.
Acknowledgements: Red Hat would like to thank the Xen project for reporting this issue.
Statement: Not vulnerable. This issue does not affect the versions of the xen package as shipped with Red Hat Enterprise Linux 5 as it does not provide support for the libxl toolstack. This issue does not affect Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG.
Now public via: http://seclists.org/oss-sec/2013/q2/608
Created xen tracking bugs for this issue.
Affects: fedora-all [bug 976779]
CVE id has been assigned: http://seclists.org/oss-sec/2013/q2/612
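An audit sketch for the permission problem described at the top of this report, added here as an example and not taken from the Xen project or Red Hat. It parses a listing modelled on `xenstore-ls -f -p` output and flags console keys that a guest can write; the sample listing, domain ID 5, and the `HOST_READ_KEYS` set are constructed assumptions, so take the real key list from the upstream advisory.

```python
import re

# One listing line: /path = "value"   (n0,r5)
LINE_RE = re.compile(
    r'^(?P<path>/\S+) = "(?P<value>.*)"\s+\((?P<perms>[nrwb]\d+(?:,[nrwb]\d+)*)\)$')

# Assumption: console keys the host side consumes. Constructed for this example.
HOST_READ_KEYS = {"tty", "output", "limit"}

def parse_perms(spec):
    """Split 'n0,r5' into (owner domid, default letter, {domid: letter}).
    The first entry names the owner; its letter is the default for every
    domain not listed explicitly (n=none, r=read, w=write, b=both)."""
    entries = [(e[0], int(e[1:])) for e in spec.split(",")]
    default, owner = entries[0]
    return owner, default, {domid: letter for letter, domid in entries[1:]}

def guest_can_write(spec, guest):
    owner, default, acl = parse_perms(spec)
    if guest == owner:  # the owner of a node always has full access
        return True
    return acl.get(guest, default) in ("w", "b")

def audit(listing, guest):
    """Return console paths in HOST_READ_KEYS that domain `guest` can modify."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        key = path.rsplit("/", 1)[-1]
        if "/console/" in path and key in HOST_READ_KEYS \
                and guest_can_write(m["perms"], guest):
            findings.append(path)
    return findings

# Constructed sample listing for a guest with domain ID 5.
SAMPLE = '''
/local/domain/5/console/tty = "/dev/pts/3"   (n5)
/local/domain/5/console/output = "pty"   (n0,b5)
/local/domain/5/console/limit = "1048576"   (n0,r5)
/local/domain/5/console/port = "2"   (n5)
/local/domain/5/name = "guest5"   (n0,r5)
'''

if __name__ == "__main__":
    for p in audit(SAMPLE, 5):
        print("guest-writable, host-read:", p)
```
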