This bug was fixed in the package qemu - 1:4.2-1ubuntu1

---------------
qemu (1:4.2-1ubuntu1) focal; urgency=medium

  * Merge with Debian testing, Among many other things this fixes LP Bugs:
    LP: #1847806 - add mff* instructions to not break on ppc64 with newer glibc
    LP: #1812822 - avoid crashes on detaching vhost_net interfaces
    LP: #1852744 - Crypto Passthrough Interrupt Support
    LP: #1853316 - CCW IPL Support
    Remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.maintscript: clean old sysv and upstart scripts
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
    - Enable nesting by default
      - d/p/ubuntu/expose-vmx_qemu64cpu.patch: expose nested kvm by default
        in qemu64 cpu type.
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - s390x support
      - Create qemu-system-s390x package
      - Enable numa support for s390x
      - d/rules: build s390-ccw.img with upstream Makefile
      - d/rules: build s390-netboot.img with upstream Makefile
    - arch aware kvm wrappers
    - d/control: update VCS links
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/control: disable bluetooth being deprecated
    - d/not-installed: ignore new interop docs and extra icons for now
    - d/not-installed: do not install elf2dmp until namespaced
    - d/qemu-utils.install: install new tools qemu-edid and qemu-keymap
    - d/control-in: promote qemu-efi/ovmf in Ubuntu (LP 1570617)
    - d/binfmt-update-in: fix binfmt being called in some containers
      (LP 1840956)
    - Dropped changes (in Debian)
      - qemu-guest-agent: freeze-hook fixes (LP: 1484990)
        - d/qemu-guest-agent.install: provide /etc/qemu/fsfreeze-hook
        - d/qemu-guest-agent.dirs: provide /etc/qemu/fsfreeze-hook.d
      - d/control-in: enable RDMA support in qemu (LP: 1692476)
        - enable RDMA config option
        - add libibumad-dev build-dep
      - d/p/ubuntu/lp-1790901-partial-SLOF-for-s390x-netboot.patch: bring
        back some SLOF bits stripped in DFSG to be able to build
        s390x-netboot roms
        As that hack to build s390-ccw.img rom can't build s390x-netboot.img
        replace it with a build-indep using the upstream makefiles.
        This is less prone to miss future changes/fixes that are done to the
        makefiles
      - remove /dev/kvm permission handling (moved to systemd 239-6) (#892945)
      - d/p/debianize-qemu-guest-service.patch: fix path of qemu-ga
      - d/rules: fix qemu-kvm service for debhelper compat >=12
      - Refreshed patches for v4.0 context changes
      - d/control*: remove sdlabi which was removed upstream
      - d/control*: enable docs (now explicit) and provide new build-dep
        python3-sphinx
      - d/qemu-system-data.install: use new paths for formerly used icons
      - Merge with Upstream release of qemu 4.0
        - d/p/ubuntu/lp-1790901-partial-SLOF-for-s390x-netboot.patch
    - Dropped changes (Upstream)
      - d/p/ubuntu/lp-1830243-*: s390x Secure Linux Boot Toleration
        (LP 1830243)
      - d/p/ubuntu/lp-1830238-*: s390x hardware cpu model (LP 1830238)
      - d/p/ubuntu/linux-user-fix-__NR_semtimedop-undeclared-error.patch: fix
        i386 build error
      - d/p/ubuntu/lp-1836066-s390-cpumodel-fix-description-for-the-new-vector-fac:
        fix naming of the new vector facility (LP 1836066)
      - d/p/ubuntu/lp-1836159-fix-with-latest-kernel.patch: fix build issues
        for missing SIOCGSTAMP definition; final fix is still in discussion
        upstream (LP: 1836159)
      - d/p/ubuntu/lp-1836154-*: further fixups for HW CPU model for newer
        s390x machines (LP 1836154)
      - d/p/ubuntu/lp-1841066-*: fix detection of arch_capability flags
        (LP 1841066)
      - d/p/lp-1842774-s390x-cpumodel-Add-the-z15-name-to-the-description-o.patch:
        update the z15 model name (LP 1842774)
      - d/p/ubuntu/lp-1848556-curl-Handle-success-in-multi_check_completion.patch:
        fix a potential hang when qemu or qemu-img were accessing http backed
        disks via libcurl (LP 1848556)
      - d/p/u/lp-1848497-virtio-balloon-fix-QEMU-4.0-config-size-migration-*:
        fix migration issue from qemu <4.0 when using virtio-balloon
        (LP 1848497)
      - d/p/ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch
        toleration for future machines (LP 1830704)
      - SECURITY UPDATE: Add support for exposing md-clear functionality to
        guests
        - d/p/ubuntu/enable-md-clear.patch
        - d/p/ubuntu/enable-md-no.patch
        - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
      - SECURITY UPDATE: heap overflow when loading device tree blob
        - d/p/ubuntu/CVE-2018-20815.patch: specify how large the buffer to
          copy the device tree blob into is.
        - CVE-2018-20815
      - SECURITY UPDATE: device driver denial of service via NULL pointer
        dereference
        - d/p/ubuntu/CVE-2019-5008.patch: Define skeleton 'power_mem_read'
          routine
        - CVE-2019-5008
      - SECURITY UPDATE: information leak in SLiRP
        - d/p/ubuntu/CVE-2019-9824.patch: check sscanf result when emulating
          ident.
        - CVE-2019-9824
      - d/p/ubuntu/lp-1812384-s390x-Return-specification-exception-for-unimplement.patch:
        properly return architecture defined exception on bad subcodes of
        diag 308 (LP 1812384)
  * Dropped changes (no more needed)
    - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
      mv_conffile since the new path is a directory in the old package
      version which can not be handled by mv_conffile.
      [ only needed between disco and eoan ]
    - disable pvrdma
      [ CVEs all fixed now ]
    - d/p/ubuntu/Revert-target-i386-kvm-add-VMX-migration-blocker.patch:
      avoid misdetection of simplified nesting blocking all migrations
      [ qemu now detects and handles nesting - needs kernel >=4.20 ]
    - Enable nesting by default
      - d/qemu-system-x86.modprobe: set nested=1 module option on intel.
        (is default on amd)
      - d/qemu-system-x86.postinst: re-load kvm_intel.ko if it was loaded
        without nested=1
      [ nesting is default in kernel modules and default selected cpu types ]
  * Added changes
    - d/control: regenerate debian/control out of control-in
    - updated ubuntu machine types to match qemu 4.2 in Ubuntu 20.04 Focal
      - added ubuntu focal types for qemu 4.2
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - d/p/ubuntu/lp-1857033-*: add support for Cooper Lake cpu model
      (LP: #1857033)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
    - fix typos in changelog and d/qemu-system-x86.NEWS
    - d/p/lp-1859527-*: avoid breakage on high virtqueue counts
      (LP: #1859527)
    - d/control*: enable libpmem support for nvdimms (LP: #1790856)

qemu (1:4.2-1) unstable; urgency=medium

  * new upstream release (4.2.0)
  * removed patches: v4.1.1.diff, enable-pschange-mc-no.patch
  * do not make sgabios.bin executable (lintian)
  * add s390-netboot.img lintian overrides for qemu-system-data
  * build qboot (bios-microvm.bin)
  * build-depend-indep on libc6-dev-i386 for qboot
    (includes some system headers)

qemu (1:4.1-3) unstable; urgency=medium

  * mention #939869 (CVE-2019-15890) in previous changelog entry
  * add Provides: sgabios to qemu-data (Closes: #945924)
  * fix qemu-debootstrap (add hppa arch, print correct error message)
    thanks to Helge Deller (Closes: #923410)
  * enable long binfmt masks again for mips/mips32 (Closes: #829243)

qemu (1:4.1-2) unstable; urgency=medium

  * build sgabios in build-indep, conflict with sgabios package
  * qemu-system-ppc: build and install canyonlands.dtb in addition to
    bamboo.dtb
  * remove duplicated CVE-2018-20123 & CVE-2018-20124 in prev changelog
  * move s390 firmware build rules to debian/s390fw.mak, build
    s390-netboot.img
  * imported v4.1.1.diff - upstream stable branch
    Closes: CVE-2019-12068
    Closes: #945258, #945072
  * enable-pschange-mc-no.patch: i386: add PSCHANGE_MC_NO feature
    to allow disabling ITLB multihit mitigations in nested hypervisors
    Closes: #944623
  * build-depend on nettle-dev, enable nettle, and clarify --enable-lzo
  * switch to system libslirp, build-depend on libslirp-dev
    Closes: #939869, CVE-2019-15890

qemu (1:4.1-1) unstable; urgency=medium

  * new upstream release v4.1
    Closes: #933741, CVE-2019-14378 (slirp buff overflow in packet reassembly)
    (use internal slirp copy for now)
    Closes: #931351, CVE-2019-13164 (qemu-bridge-helper long IFNAME)
    Closes: #922923, CVE-2019-8934 (ppc64 emulator leaks hw identity)
    Closes: #916442, CVE-2018-20123 (pvrdma memory leak in device hotplug)
    Closes: #922461, CVE-2018-20124 (pvrdma num_sge can exceed MAX_SGE)
    Closes: #927924 (new upstream version)
    Closes: #897054 (AMD Zen CPU support)
    Closes: #935324 (FTBFS due to gluster API change)
    Closes: CVE-2018-20125 (pvrdma: DoS in create_cq_ring|create_qp_rings)
    Closes: CVE-2018-20126
    (pvrdma: memleaks in create_cq_ring|create_qp_rings)
    Closes: CVE-2018-20191
    (pvrdma: DoS due to missing read operation impl.)
    Closes: CVE-2018-20216 (pvrdma: infinite loop in pvrdma_dev_ring.c)
  * remove patches which are applied upstream, refresh remaining patches
    (bt-use-size_t-...-CVE-2018-19665.patch hasn't been applied upstream,
    bluetooth subsystem is going to be removed, we keep it for now)
  * debian/source/options: ignore slirp/ submodule
  * use python3 for building, not python
  * debian/optionrom.mk: add pvh.bin
  * switch from libssh2 to libssh, and enable libssh support in ubuntu
  * bump spice version requirement to 0.12.5
  * enable pvrdma
  * debian/control-in: remove reference to libsdl
  * debian/rules: add new objects for s390-ccw fw
  * debian/control: add build dependency on python3-sphinx for docs
  * install ui/icons/qemu.svg and qemu.desktop
  * debian/rules: remove pc-bios/bamboo.dtb before building it
  * install vhost-user-gpu binary and 50-qemu-gpu.json
  * debian/rules: remove old maintscript-helper invocations, not needed
    anymore
  * remove +dfsg for now, upload whole upstream source, will trim it later

 -- Christian Ehrhardt