The Xen Project has publicly released XSA-138:
All users using HVM (fully virtualized) guests with emulated CDROM
drives are advised to upgrade.
There are signed versions of Xen4CentOS6 packages uploaded to the mirror system.
There are also unsigned packages available on the CBS: