New changelog entries:
* Merge from Debian/Sid. Remaining changes:
- Enforce python2 usage
- Build-depend on python2-dev.
- Build using python2.
- Build-depend on lmodern.
- Recommend qemu-system-x86-xen
- Force fcf-protection off when using -mindirect-branch
- Strip .note.gnu.property section for intermediate files
- Add transitional packages for upgrades
- Handle config file moving between packages
New changelog entries:
* Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
contains the following security fixes: (Closes: #947944)
- Unlimited Arm Atomics Operations
XSA-295 CVE-2019-17349 CVE-2019-17350
- VCPUOP_initialise DoS
XSA-296 CVE-2019-18420
- missing descriptor table limit checking in x86 PV emulation
XSA-298 CVE-2019-18425
- Issues with restartable PV type change operations
XSA-299 CVE-2019-18421
- add-to-physmap can be abused to DoS Arm hosts
XSA-301 CVE-2019-18423
- passed through PCI devices may corrupt host memory after deassignment
XSA-302 CVE-2019-18424
- ARM: Interrupts are unconditionally unmasked in exception handlers
XSA-303 CVE-2019-18422
- x86: Machine Check Error on Page Size Change DoS
XSA-304 CVE-2018-12207
- TSX Asynchronous Abort speculative side channel
XSA-305 CVE-2019-11135
- Device quarantine for alternate pci assignment methods
XSA-306 CVE-2019-19579
- find_next_bit() issues
XSA-307 CVE-2019-19581 CVE-2019-19582
- VMX: VMentry failure with debug exceptions and blocked states
XSA-308 CVE-2019-19583
- Linear pagetable use / entry miscounts
XSA-309 CVE-2019-19578
- Further issues with restartable PV type change operations
XSA-310 CVE-2019-19580
- Bugs in dynamic height handling for AMD IOMMU pagetables
XSA-311 CVE-2019-19577
* Add missing CVE numbers to previous changelog entries
New changelog entries:
* Mention MDS and the need for updated microcode and disabling
hyper-threading in NEWS.
* Mention the ucode=scan option in the grub.d/xen documentation.
New changelog entries:
* Update to new upstream version 4.11.1+92-g6c33308a8d, which also
contains the following security fixes:
- Fix: grant table transfer issues on large hosts
XSA-284 (no CVE yet) (Closes: #929991)
- Fix: race with pass-through device hotplug
XSA-285 (no CVE yet) (Closes: #929998)
- Fix: x86: steal_page violates page_struct access discipline
XSA-287 (no CVE yet) (Closes: #930001)
- Fix: x86: Inconsistent PV IOMMU discipline
XSA-288 (no CVE yet) (Closes: #929994)
- Fix: missing preemption in x86 PV page table unvalidation
XSA-290 (no CVE yet) (Closes: #929996)
- Fix: x86/PV: page type reference counting issue with failed IOMMU update
XSA-291 (no CVE yet) (Closes: #929995)
- Fix: x86: insufficient TLB flushing when using PCID
XSA-292 (no CVE yet) (Closes: #929993)
- Fix: x86: PV kernel context switch corruption
XSA-293 (no CVE yet) (Closes: #929999)
- Fix: x86 shadow: Insufficient TLB flushing when using PCID
XSA-294 (no CVE yet) (Closes: #929992)
- Fix: Microarchitectural Data Sampling speculative side channel
XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
(Closes: #929129)
* Note that the fixes for XSA-297 will only have effect when also loading
updated cpu microcode with MD_CLEAR functionality. When using the
intel-microcode package to include microcode in the dom0 initrd, it has to
be loaded by Xen. Please refer to the hypervisor command line
documentation about the 'ucode=scan' option.
* Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
next upload.
New changelog entries:
Minor usability improvements and fixes:
* bash-completion: also complete 'xen' [Hans van Kranenburg]
* /etc/default/xen: Handle with ucf again, like in stretch.
Closes:#923401. [Ian Jackson]
Build fix:
* Fix FTBFS when building only arch-indep binaries (eg
dpkg-buildpackage -A). Was due to dh-exec bug wrt not-installed.
Closes:#923013. [Hans van Kranenburg; report from Santiago Vila]
Documentation fix:
* grub.d/xen.cfg: dom0_mem max IS needed [Hans van Kranenburg]
New changelog entries:
* Packaging change: override spurious lintian warning about
fsimage.so rpath.
Significant changes:
* Update to new upstream version 4.11.1+26-g87f51bf366.
(This is from the upstream stable branch.) [Ian Jackson]
* Build and use oxenstored rather than the C xenstored by default.
[Ian Jackson and Hans van Kranenburg]
* xen init script: rewrite and reorganise xenstored start logic.
[Hans van Kranenburg]
Documentation etc. improvements:
* Refresh hypervisor and dom0 command line options documentation.
(Closes: #919758) [Hans van Kranenburg; report from Gergely]
* Ship /etc/default/xen, a stripped and tidied version of upstream
sysconfig.xencommons.in. [Hans van Kranenburg]
Significant bugfixes:
* xen init script: Do nothing if running for wrong Xen package.
Avoids mystery loss of xenconsoled. Closes:#851654.
[Ian Jackson; report from Wolodja Wentland]
* Make pygrub work again (by fixing python module and shared library
paths). Closes:#912381. [Ian Jackson; earlier, Bastian Blank;
report from Dimitar Angelov, also Torben Schou Jensen]
Packaging bugfixes:
* Have xen-utils-common suggest xen-doc, because it contains a broken
symlink to it. Closes:#911046.
[Hans van Kranenburg; report from Andreas Beckmann]
* Have xenstore-utils declare Breaks on xen-utils-common to make
piuparts happy. Closes:#911045.
[Hans van Kranenburg, report from Andreas Beckmann]
* hotplug-common: Strip arch-specific libdir from config file
Closes:#862236. [Ian Jackson; report from Stefan Bühler]
* xendomains init script: Add dependency on $network.
Closes:#798510. [Francois Lesueur]
* xendomains init script: Add should-dependency on nfs-kernel-server
Closes:#826871. [Geoffrey McRae]
Packaging minor fixes and improvements [Hans van Kranenburg]:
* debian/libxenstore3.0.symbols: revert ea2334dfe0
* debian/control: add dh-python build-dep
* d/xen-utils-V...: override xen-shim-syms lintian
* debian/control: bump debhelper builddep to 10
* debian/.gitignore: ignore more debhelper snippets
* bash-completion: install completion rules for xl
* xen init script: don't fail when being run in domU
* Remove xend cruft from various init scripts etc.
Packaging minor fixes and improvements [Ian Jackson]:
* xen version/upgrade handling: Improve an error message
* xen init script: silently exit status 0 if not running under xen
* xen init script: Tidy up wrong/missing Xen version error handling
* debian/rules: Fix tiny typos
* hotplug-common: Do not adjust LD_LIBRARY_PATH
New changelog entries:
* debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
(Closes: #911457)
* grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
* debian/rules: Don't exclude the actual pygrub script.
* Update to new upstream version 4.11.1, which also contains:
- Fix: insufficient TLB flushing / improper large page mappings with AMD
IOMMUs
XSA-275 CVE-2018-19961 CVE-2018-19962
- Fix: resource accounting issues in x86 IOREQ server handling
XSA-276 CVE-2018-19963
- Fix: x86: incorrect error handling for guest p2m page removals
XSA-277 CVE-2018-19964
- Fix: x86: Nested VT-x usable even when disabled
XSA-278 CVE-2018-18883
- Fix: x86: DoS from attempting to use INVPCID with a non-canonical
addresses
XSA-279 CVE-2018-19965
- Fix for XSA-240 conflicts with shadow paging
XSA-280 CVE-2018-19966
- Fix: guest use of HLE constructs may lock up host
XSA-282 CVE-2018-19967
* Update version handling patching to put the team mailing list address in
the first hypervisor log line and fix broken other substitutions.
* Disable handle_iptable hook in vif-common script. See #894013 for more
information.