Last commit made on 2019-06-24
Get this branch:
git clone -b debian/buster https://git.launchpad.net/ubuntu/+source/xen
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information


Recent commits

9472efd... by Hans van Kranenburg on 2019-06-22

Import patches-unapplied version 4.11.1+92-g6c33308a8d-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d55339a884ee949599dea4c1d17aefd24829fe59

New changelog entries:
  * Mention MDS and the need for updated microcode and disabling
    hyper-threading in NEWS.
  * Mention the ucode=scan option in the grub.d/xen documentation.

d55339a... by Hans van Kranenburg on 2019-06-18

Import patches-unapplied version 4.11.1+92-g6c33308a8d-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6883c4993933bfca76d8644da97dfc2feccda644

New changelog entries:
  * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
    contains the following security fixes:
    - Fix: grant table transfer issues on large hosts
      XSA-284 (no CVE yet) (Closes: #929991)
    - Fix: race with pass-through device hotplug
      XSA-285 (no CVE yet) (Closes: #929998)
    - Fix: x86: steal_page violates page_struct access discipline
      XSA-287 (no CVE yet) (Closes: #930001)
    - Fix: x86: Inconsistent PV IOMMU discipline
      XSA-288 (no CVE yet) (Closes: #929994)
    - Fix: missing preemption in x86 PV page table unvalidation
      XSA-290 (no CVE yet) (Closes: #929996)
    - Fix: x86/PV: page type reference counting issue with failed IOMMU update
      XSA-291 (no CVE yet) (Closes: #929995)
    - Fix: x86: insufficient TLB flushing when using PCID
      XSA-292 (no CVE yet) (Closes: #929993)
    - Fix: x86: PV kernel context switch corruption
      XSA-293 (no CVE yet) (Closes: #929999)
    - Fix: x86 shadow: Insufficient TLB flushing when using PCID
      XSA-294 (no CVE yet) (Closes: #929992)
    - Fix: Microarchitectural Data Sampling speculative side channel
      XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
      (Closes: #929129)
  * Note that the fixes for XSA-297 will only have effect when also loading
    updated cpu microcode with MD_CLEAR functionality. When using the
    intel-microcode package to include microcode in the dom0 initrd, it has to
    be loaded by Xen. Please refer to the hypervisor command line
    documentation about the 'ucode=scan' option.
  * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
    next upload.

6883c49... by Ian Jackson on 2019-02-28

Import patches-unapplied version 4.11.1+26-g87f51bf366-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 11c1c2b66cb7aa97e44a897cf039f080f7410e89

New changelog entries:
  Minor useability improvements and fixes:
  * bash-completion: also complete 'xen' [Hans van Kranenburg]
  * /etc/default/xen: Handle with ucf again, like in stretch.
    Closes:#923401. [Ian Jackson]
  Build fix:
  * Fix FTBFS when building only arch-indep binaries (eg
    dpkg-buildpackage -A). Was due to dh-exec bug wrt not-installed.
    Closes:#923013. [Hans van Kranenburg; report from Santiago Vila]
  Documentation fix:
  * grub.d/xen.cfg: dom0_mem max IS needed [Hans van Kranenburg]

11c1c2b... by Ian Jackson on 2019-02-22

Import patches-unapplied version 4.11.1+26-g87f51bf366-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1990c515c804cf7bfe734e8433ebd7411ec9accf

New changelog entries:
  * Packaging change: override spurious lintian warning about
    fsimage.so rpath.
  Significant changes:
  * Update to new upstream version 4.11.1+26-g87f51bf366.
    (This is from the upstream stable branch.) [Ian Jackson]
  * Build and use oxenstored rather than the C xenstored by default.
    [Ian Jackson and Hans van Kranenburg]
  * xen init script: rewrite and reorganise xenstored start logic.
    [Hans van Kranenburg]
  Documentation etc. improvements:
  * Refresh hypervisor and dom0 command line options documentation.
    (Closes: #919758) [Hans van Kranenburg; report from Gergely]
  * Ship /etc/default/xen, a striped and tidied version of upstream
    sysconfig.xencommons.in. [Hans van Kranenburg]
  Significant bugfixes:
  * xen init script: Do nothing if running for wrong Xen package.
    Avoids mystery loss of xenconsoled. Closes:#851654.
    [Ian Jackson; report from Wolodja Wentland]
  * Make pygrub work again (by fixing python module and shared library
    paths). Closes:#912381. [Ian Jackson; earlier, Bastian Blank;
    report from Dimitar Angelov, also Torben Schou Jensen]
  Packaging bugfixes:
  * Have xen-utils-common suggest xen-doc, because it contains a broken
    symlink to it. Closes:#911046.
    [Hans van Kranenburg; report from Andreas Beckmann]
  * Have xenstore-utils declare Breaks on xen-utils-common to make
    piuparts happy. Closes:#911045.
    [Hans van Kranenburg, report from Andreas Beckmann]
  * hotplug-common: Strip arch-specific libdir from config file
    Closes:#862236. [Ian Jackson; report from Stefan B├╝hler]
  * xendomains init script; Add dependency on $network.
    Closes:#798510. [Francois Lesueur]
  * xendomains init script; Add should-dependency on nfs-kernel-server
    Closes:#826871. [Geoffrey McRae]
  Packaging minor fixes and improvements [Hans van Kranenburg]:
  * debian/libxenstore3.0.symbols: revert ea2334dfe0
  * debian/control: add dh-python build-dep
  * d/xen-utils-V...: override xen-shim-syms lintian
  * debian/control: bump debhelper builddep to 10
  * debian/.gitignore: ignore more debhelper snippets
  * bash-completion: install completion rules for xl
  * xen init script: don't fail when being run in domU
  * Remove xend cruft from various init scripts etc.
  Packaging minor fixes and improvements [Ian Jackson]:
  * xen version/upgrade handling: Improve an error message
  * xen init script: silently exit status 0 if not running under xen
  * xen init script: Tidy up wrong/missing Xen version error handling
  * debian/rules: Fix tiny typos
  * hotplug-common: Do not adjust LD_LIBRARY_PATH

1990c51... by Hans van Kranenburg on 2019-01-02

Import patches-unapplied version 4.11.1-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: cf9b310535d9f0a85386be4c9c6578c7b8b6dd55

New changelog entries:
  * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
    (Closes: #911457)
  * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
  * debian/rules: Don't exclude the actual pygrub script.
  * Update to new upstream version 4.11.1, which also contains:
    - Fix: insufficient TLB flushing / improper large page mappings with AMD
      XSA-275 CVE-2018-19961 CVE-2018-19962
    - Fix: resource accounting issues in x86 IOREQ server handling
      XSA-276 CVE-2018-19963
    - Fix: x86: incorrect error handling for guest p2m page removals
      XSA-277 CVE-2018-19964
    - Fix: x86: Nested VT-x usable even when disabled
      XSA-278 CVE-2018-18883
    - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
      XSA-279 CVE-2018-19965
    - Fix for XSA-240 conflicts with shadow paging
      XSA-280 CVE-2018-19966
    - Fix: guest use of HLE constructs may lock up host
      XSA-282 CVE-2018-19967
  * Update version handling patching to put the team mailing list address in
    the first hypervisor log line and fix broken other substitutions.
  * Disable handle_iptable hook in vif-common script. See #894013 for more

cf9b310... by Ian Jackson on 2018-10-15

Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d89dc524620d33669117d1e48415b762b0676a1e

New changelog entries:
  * debian/rules: Cope if xen-utils-common not being built
    (Fixes binary-indep FTBFS.)

d89dc52... by Ian Jackson on 2018-10-15

Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e94312153998ddd83facf618a5756b490c8edb43

New changelog entries:
  * Many packaging fixes to fix FTBFS on all arches other than amd64.
  * xen-vbd-interface(7): Provide properly-formatted NAME section
  * Add pandoc and markdown to Build-Depends - fixes missing docs.
  * Revert "tools-xenstore-compatibility.diff" apropos of discussion

e943121... by Ian Jackson on 2018-10-12

Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 496c84bc8e65e89f1cd3c3189807ff6c7039eb1f

New changelog entries:
  * hypervisor package postinst: Actually install (avoids need to
    run update-grub by hand).
  * debian/control: Adding Section to source stanza
  * debian/control: Add missing Replaces on old xen-utils-common
  * debian/rules: Add a -n to a gzip rune to improve reproducibility

496c84b... by Ian Jackson on 2018-10-05

Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 158515e9f52baac3b64f68e7dfb89a3ab74ebccf

New changelog entries:
  * Redo as an upload with binaries, because source-only uploads to NEW
    are not allowed.
  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg;
    merging in 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1.
  * Completely overhauled the packaging. In the source package, things
    are very much simpler now with only a few hundred loc of templating
    and scriptery. In the binary packages the resulting changes are:
     - We now provide -dbgsym packages in the standard way
      - Shared libraries with unstable ABI upstream (ie, whose
        ABI changes with the Xen version) are now in
        libxen<version>-misc rather than libxen<version> and
        have more conventional-looking filenames.
     - Shared libraries with a stable ABI upstream are now each in their
       own package, named after the soname (ABI version), as is
       conventional. The sonames and minor versions of these are
       no longer mangled.
     - xs.h, replaced upstream by xenstore.h, is now in
       /usr/include/xenstore-compat (as shipped upstream), with
       symlinks left behind.
     - fsimage*.h is no longer shipped (it's namespace-grabbish).
     - libxenvchan.h is in /usr/include as it is in upstream,
       not buried in /usr/include/xen/io
     - /etc/xen/cpupool, a not very interesting example config file,
       has been moved into /usr/share/doc/.
     - There is a new xen-doc package, in which the upstream HTML
       documentation, and various other bits, is now provided. This
       replaces the text format documentation previously provided in
       xen-utils-common (but the manpages are still there).
     - Utilities which use on libraries with stable ABIs upstream
       are no longer subjected to the Xen version wrapper.
     - Several utilities are now provided in /usr/bin which were
       previously only available buried in /usr/lib/xen-<version>:
          xen-detect xenalyze xencons xencov_split xen-cpuid
       (version-wrapped, where necessary).
     - Likewise very many utilities and daemons in /usr/sbin:
          gdbsx xen-bugtool xen-ringwatch xen-tmem-list-parse
          xenmon xenpmd flask-* xen-kdd xen-diag xen-hptool
          xen-hvmcrash xen-hvmctx xen-livepatch xen-lowmemd
          xen-mfndump xenbaked xenconsoled xencov xenlockprof
          xenstored xenwatchdogd
     - xend and xm are long gone, so remove the support for the
       TOOLSTACK setting in /etc/default/xen. /usr/sbin/xen just
       runs xl now. Remove mentions of xend-config.sxp and all
       *.sxp files. Drop the xend init script.
     - There is no longer any Built-Using. This is no longer true for
       seabios, which is depended on and used at runtime, rather than
       being embedded into hvmloader. (The source package also previously
       tried to mention ipxe-qemu in Built-Using but that's (i) dependent
       upstream on CONFIG_ROMBIOS which we disable, and not a
       build-dependency either.)
     - The hvmloader and xen-shim binaries no longer have their .note
       and .comment section(s) stripped. .note is needed for xen-shim
       to work properly and to find the corresponding debug files.
       And .comment is tiny and harmless AFAICT.
     - Hypervisor debug map files are installed in /usr/lib/debug.
     - The xl bash_completion file from upstream is installed.
     - libxenvchan.h is installed.
     - We install xen-*.efi in /boot.
     - Sections of some packages have been rationalised.
     - We install a doc-base control file.

158515e... by Hans van Kranenburg on 2018-09-11

Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 3fb68988c4b590a521631bf6c82457cf32e23964

New changelog entries:
  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg.
  * Remove stubdom/grub.patches/00cvs from the upstream source because it's
    not DFSG compliant. (license-problem-gfdl-invariants)
  * Override statically-linked-binary lintian error about
  [ Hans van Kranenburg ]
  * Update to 4.11.1-pre commit 733450b39b, which also contains:
    - Additional fix for: Unlimited recursion in linear pagetable de-typing
      XSA-240 CVE-2017-15595 (listed as xsa240-4.8/0004)
    - Fix x86 PV guests may gain access to internally used pages
      XSA-248 CVE-2017-17566
    - Fix broken x86 shadow mode refcount overflow check
      XSA-249 CVE-2017-17563
    - Fix improper x86 shadow mode refcount error handling
      XSA-250 CVE-2017-17564
    - Fix improper bug check in x86 log-dirty handling
      XSA-251 CVE-2017-17565
    - Fix: DoS via non-preemptable L3/L4 pagetable freeing
      XSA-252 CVE-2018-7540
    - Fix x86: memory leak with MSR emulation
      XSA-253 CVE-2018-5244
    - Multiple parts of fixes for...
      Information leak via side effects of speculative execution
      XSA-254 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
      - XPTI stage 1 a.k.a. 'Meltdown band-aid', XPTI-S1 or XPTI-lite
      - Branch predictor hardening for ARM CPUs
      - Support compiling with indirect branch thunks (e.g. retpoline)
      - Report details of speculative mitigations in boot logging
    - Fix: grant table v2 -> v1 transition may crash Xen
      XSA-255 CVE-2018-7541
    - Fix: x86 PVH guest without LAPIC may DoS the host
      XSA-256 CVE-2018-7542
    - The "Comet" shim, which can be used as a mitigation for Meltdown to
      shield the hypervisor against 64-bit PV guests.
    - Fix: Information leak via crafted user-supplied CDROM
      XSA-258 CVE-2018-10472
    - Fix: x86: PV guest may crash Xen with XPTI
      XSA-259 CVE-2018-10471
    - Fix: x86: mishandling of debug exceptions
      XSA-260 CVE-2018-8897
    - Fix: x86 vHPET interrupt injection errors
      XSA-261 CVE-2018-10982
    - Fix: qemu may drive Xen into unbounded loop
      XSA-262 CVE-2018-10981
    - Fix: Speculative Store Bypass
      XSA-263 CVE-2018-3639
    - Fix: preemption checks bypassed in x86 PV MM handling
      XSA-264 CVE-2018-12891
    - Fix: x86: #DB exception safety check can be triggered by a guest
      XSA-265 CVE-2018-12893
    - Fix: libxl fails to honour readonly flag on HVM emulated SCSI disks
      XSA-266 CVE-2018-12892
    - Fix: Speculative register leakage from lazy FPU context switching
      XSA-267 CVE-2018-3665
    - Fix: Use of v2 grant tables may cause crash on ARM
      XSA-268 CVE-2018-15469
    - Fix: x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
      XSA-269 CVE-2018-15468
    - Fix: oxenstored does not apply quota-maxentity
      XSA-272 CVE-2018-15470
    - Fix: L1 Terminal Fault speculative side channel
      XSA-273 CVE-2018-3620
  * Merge changes for 4.9 from the ubuntu packaging (thanks, Stefan Bader):
    - Rebase patches against upstream source (line numbers etc).
    - debian/rules.real:
      - Add a call to build common tool headers.
      - Add a call to install common tool headers.
    - debian/libxen-dev.install, d/p/ubuntu-tools-libs-abiname.diff:
      - Add additional modifications for new libxendevicemodel.
    - debian/patches/tools-fake-xs-restrict.patch:
      - Re-introduce (fake) xs_restrict call to keep libxenstore version at
        3.0 for now.
    - debian/libxenstore3.0.symbols: add xs_control_command
  * Rebase patches against 4.10 upstream source.
  * Rebase patches against 4.11 upstream source.
  * Add README.source.md to document how the packaging works.
  * This package builds correctly with gcc 7. (Closes: #853710)
  * Fix grub config file conflict when upgrading from Stretch. (Closes: #852545)
  * Init scripts: Do not kill per-domain qemu processes. (Closes: #879751)
  * debian/patches: Fix "'vwprintw' is deprecated" gcc 8 compilation error
  [ Mark Pryor ]
  * Fix shared library build dependencies for the new xentoolcore library.
  [ John Keates ]
  * Enable OVMF (Closes: #858962)