diff --git a/xen.spec b/xen.spec
index 4b53c0f..78be419 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.3.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -105,6 +105,7 @@ Patch21: xen.64.bit.hyp.on.ix86.patch
 Patch22: xsa104.patch
 Patch23: xsa105.patch
 Patch24: xsa106.patch
+Patch25: xsa108.patch
 Patch100: xen-configure-xend.patch
@@ -293,6 +294,7 @@ manage Xen virtual machines.
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
 %patch100 -p1
@@ -864,6 +866,10 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Wed Oct 01 2014 Michael Young - 4.3.3-3
+- Improper MSR range used for x2APIC emulation [XSA-108, CVE-2014-7188] (#1148465)
+
 * Tue Sep 23 2014 Michael Young - 4.3.3-2
 - Race condition in HVMOP_track_dirty_vram [XSA-104, CVE-2014-7154] (#1145736)
 - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
diff --git a/xsa108.patch b/xsa108.patch
new file mode 100644
index 0000000..e162185
--- /dev/null
+++ b/xsa108.patch
@@ -0,0 +1,36 @@
+x86/HVM: properly bound x2APIC MSR range
+While the write path change appears to be purely cosmetic (but still
+gets done here for consistency), the read side mistake permitted
+accesses beyond the virtual APIC page.
+Note that while this isn't fully in line with the specification
+(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
+possible fix addressing the security issue and getting x2APIC related
+code into a consistent shape (elsewhere a 256 rather than 1024 wide
+window is being used too). This will be dealt with subsequently.
+This is XSA-108.
+Signed-off-by: Jan Beulich
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int
+ *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
+ break;
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_read(v, msr, msr_content) )
+ goto gp_fault;
+ break;
+@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
+ vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
+ break;
+- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+ if ( hvm_x2apic_msr_write(v, msr, msr_content) )
+ goto gp_fault;
+ break;
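Review bot: The bound that keeps x2APIC MSR offsets inside the virtual APIC page now lives only in the two `case` ranges of hvm_msr_read_intercept and hvm_msr_write_intercept, while hvm_x2apic_msr_read and hvm_x2apic_msr_write themselves (not visible in this hunk) appear to still trust their caller, so any other path into those helpers would remain unbounded. A defensive range check inside the helpers, or at minimum a named constant shared by both `case` labels and the other 256-wide windows the description mentions, would keep the two `0xff` literals from drifting apart again. Narrowing the range also changes behaviour for guest accesses to MSRs 0x900-0xBFF, which the description says the spec still assigns to the x2APIC: they now fall through to whatever each function's default path does, which is outside this hunk, so each label deserves a comment such as `/* Only 256 MSRs map onto the virtual APIC page; 0x900-0xBFF fall through (XSA-108). */`. Both enclosing functions start and end outside the hunk.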