-
158515e...
by
Hans van Kranenburg
on 2018-09-11
-
Import patches-unapplied version 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1 to debian/experimental
Imported using git-ubuntu import.
Changelog parent: 3fb68988c4b590a521631bf6c82457cf32e23964
New changelog entries:
* Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg.
* Remove stubdom/grub.patches/00cvs from the upstream source because it's
not DFSG compliant. (license-problem-gfdl-invariants)
* Override statically-linked-binary lintian error about
usr/lib/xen-4.11/boot/xen-shim
[ Hans van Kranenburg ]
* Update to 4.11.1-pre commit 733450b39b, which also contains:
- Additional fix for: Unlimited recursion in linear pagetable de-typing
XSA-240 CVE-2017-15595 (listed as xsa240-4.8/0004)
- Fix x86 PV guests may gain access to internally used pages
XSA-248 CVE-2017-17566
- Fix broken x86 shadow mode refcount overflow check
XSA-249 CVE-2017-17563
- Fix improper x86 shadow mode refcount error handling
XSA-250 CVE-2017-17564
- Fix improper bug check in x86 log-dirty handling
XSA-251 CVE-2017-17565
- Fix: DoS via non-preemptable L3/L4 pagetable freeing
XSA-252 CVE-2018-7540
- Fix x86: memory leak with MSR emulation
XSA-253 CVE-2018-5244
- Multiple parts of fixes for...
Information leak via side effects of speculative execution
XSA-254 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
- XPTI stage 1 a.k.a. 'Meltdown band-aid', XPTI-S1 or XPTI-lite
- Branch predictor hardening for ARM CPUs
- Support compiling with indirect branch thunks (e.g. retpoline)
- Report details of speculative mitigations in boot logging
- Fix: grant table v2 -> v1 transition may crash Xen
XSA-255 CVE-2018-7541
- Fix: x86 PVH guest without LAPIC may DoS the host
XSA-256 CVE-2018-7542
- The "Comet" shim, which can be used as a mitigation for Meltdown to
shield the hypervisor against 64-bit PV guests.
- Fix: Information leak via crafted user-supplied CDROM
XSA-258 CVE-2018-10472
- Fix: x86: PV guest may crash Xen with XPTI
XSA-259 CVE-2018-10471
- Fix: x86: mishandling of debug exceptions
XSA-260 CVE-2018-8897
- Fix: x86 vHPET interrupt injection errors
XSA-261 CVE-2018-10982
- Fix: qemu may drive Xen into unbounded loop
XSA-262 CVE-2018-10981
- Fix: Speculative Store Bypass
XSA-263 CVE-2018-3639
- Fix: preemption checks bypassed in x86 PV MM handling
XSA-264 CVE-2018-12891
- Fix: x86: #DB exception safety check can be triggered by a guest
XSA-265 CVE-2018-12893
- Fix: libxl fails to honour readonly flag on HVM emulated SCSI disks
XSA-266 CVE-2018-12892
- Fix: Speculative register leakage from lazy FPU context switching
XSA-267 CVE-2018-3665
- Fix: Use of v2 grant tables may cause crash on ARM
XSA-268 CVE-2018-15469
- Fix: x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
XSA-269 CVE-2018-15468
- Fix: oxenstored does not apply quota-maxentity
XSA-272 CVE-2018-15470
- Fix: L1 Terminal Fault speculative side channel
XSA-273 CVE-2018-3620
* Merge changes for 4.9 from the ubuntu packaging (thanks, Stefan Bader):
- Rebase patches against upstream source (line numbers etc).
- debian/rules.real:
- Add a call to build common tool headers.
- Add a call to install common tool headers.
- debian/libxen-dev.install, d/p/ubuntu-tools-libs-abiname.diff:
- Add additional modifications for new libxendevicemodel.
- debian/patches/tools-fake-xs-restrict.patch:
- Re-introduce (fake) xs_restrict call to keep libxenstore version at
3.0 for now.
- debian/libxenstore3.0.symbols: add xs_control_command
* Rebase patches against 4.10 upstream source.
* Rebase patches against 4.11 upstream source.
* Add README.source.md to document how the packaging works.
* This package builds correctly with gcc 7. (Closes: #853710)
* Fix grub config file conflict when upgrading from Stretch. (Closes: #852545)
* Init scripts: Do not kill per-domain qemu processes. (Closes: #879751)
* debian/patches: Fix "'vwprintw' is deprecated" gcc 8 compilation error
[ Mark Pryor ]
* Fix shared library build dependencies for the new xentoolcore library.
[ John Keates ]
* Enable OVMF (Closes: #858962)
-
3fb6898...
by
Ian Jackson
on 2017-11-25
-
Import patches-unapplied version 4.8.2+xsa245-0+deb9u1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 1e6b7336901a0bb4dd9816525fbd06639f206266
New changelog entries:
* Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
plus a number of bugfixes and security fixes.
Result is that we now include security fixes for:
XSA-231 CVE-2017-14316
XSA-232 CVE-2017-14318
XSA-233 CVE-2017-14317
XSA-234 CVE-2017-14319
(235 already included in 4.8.1-1+deb9u3)
XSA-236 CVE-2017-15597
XSA-237 CVE-2017-15590
XSA-238 (no CVE yet)
XSA-239 CVE-2017-15589
XSA-240 CVE-2017-15595
XSA-241 CVE-2017-15588
XSA-242 CVE-2017-15593
XSA-243 CVE-2017-15592
XSA-244 CVE-2017-15594
XSA-245 (no CVE yet)
and a number of upstream functionality fixes, which are not easily
disentangled from the security fixes.
* Apply two more security fixes:
XSA-246 (no CVE yet)
XSA-247 (no CVE yet)
-
1e6b733...
by
Ian Jackson <email address hidden>
on 2017-09-07
-
Import patches-unapplied version 4.8.1-1+deb9u3 to debian/stretch
Imported using git-ubuntu import.
Changelog parent: 24e5e9e766ba2738ab4b9b6f385d8193568353cc
New changelog entries:
* Security fixes for
XSA-226 CVE-2017-12135
XSA-227 CVE-2017-12137
XSA-228 CVE-2017-12136
XSA-230 CVE-2017-12855
XSA-235 (no CVE yet)
* Adjust changelog entry for 4.8.1-1+deb9u2 to record
that XSA-225 fix was indeed included.
* Security fix for XSA-229 not included as that bug is in Linux, not Xen.
* Security fixes for XSA-231..234 inc. not inclued as still embargoed.
* Security fixes for
XSA-216 XSA-217 XSA-218 XSA-219 XSA-220
XSA-221 XSA-222 XSA-223 XSA-224 XSA-225
-
24e5e9e...
by
Ian Jackson <email address hidden>
on 2017-05-02
-
Import patches-unapplied version 4.8.1-1+deb9u1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 96a3f91495abd3ebb9f2bcaba7c3a6664b57c667
New changelog entries:
* Security fixes for XSA-213 (Closes:#861659) and XSA-214
(Closes:#861660). (Xen 4.7 and later is not affected by XSA-215.)
-
96a3f91...
by
Ian Jackson <email address hidden>
on 2017-04-18
-
Import patches-unapplied version 4.8.1-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 451bcaa74f430bcdac2709fb4edc563d5e6de48e
New changelog entries:
* Update to upstream 4.8.1 release.
Changes include numerous bugfixes, including security fixes for:
XSA-212 / CVE-2017-7228 Closes:#859560
XSA-207 / no cve yet Closes:#856229
XSA-206 / no cve yet no Debian bug
-
451bcaa...
by
Ian Jackson <email address hidden>
on 2017-01-23
-
Import patches-unapplied version 4.8.1~pre.2017.01.23-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: de88f23aef33fe9959ae1200841003ba24c68df6
New changelog entries:
* Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre).
Contains bugfixes.
* debian/control-real etc.: debian.py: Allow version numbers like this.
-
de88f23...
by
Ian Jackson <email address hidden>
on 2016-12-22
-
Import patches-unapplied version 4.8.0-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 055dfce789cbccde9477fcc8bc6e36e2caa62efc
New changelog entries:
* Update to upstream Xen 4.8.0.
Includes the following security fixes:
XSA-201 CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
XSA-198 CVE-2016-9379 CVE-2016-9380
XSA-196 CVE-2016-9378 CVE-2016-9377 Closes:#845669
XSA-195 CVE-2016-9383
XSA-194 CVE-2016-9384 Closes:#845667
XSA-193 CVE-2016-9385
XSA-192 CVE-2016-9382
XSA-191 CVE-2016-9386
Includes other bugfixes too:
Closes:#812166, Closes:#818525.
Cherry picks from upstream:
* Security fixes:
XSA-204 CVE-2016-10013 Closes:#848713
XSA-203 CVE-2016-10025
XSA-202 CVE-2016-10024
For completeness, the following XSAs do not apply here:
XSA-197 CVE-2016-9381 Bug is in qemu
XSA-199 CVE-2016-9637 Bug is in qemu
XSA-200 CVE-2016-9932 Xen 4.8 is not affected
* Cherry pick a build failure fix:
"x86/emul: add likely()/unlikely() to test harness"
[ Ian Jackson ]
* Drop -lcrypto search from upstream configure, and from our
Build-Depends. Closes:#844419.
* Change my own email address to my work (Citrix) address. When
uploading, I will swap hats to effectively sponsor my own upload.
[ Ian Campbell ]
* Start a qemu process in dom0 to service the toolstacks loopback disk
attaches. (Closes: #770456)
* Remove correct pidfile when stopping xenconsoled.
* Check that xenstored has actually started before talking to it.
Incorporate a timeout so as not to block boot (Mitigates #737613)
* Correct syntax error in xen-init-list when running with xend
(Closes: #763102)
* Apply SELinux labels to directories created by initscripts. Patch from
Russell Coker. (Closes: #764912)
* Include a reportbug control file to redirect bugs to src:xen for
packages which contain the Xen version in the name. Closes:#796370.
[ Lubomir Host ]
* Fix xen-init-name to not fail looking for a nonexistent 'config'
entry in xl's JSON output. Closes:#818129.
-
055dfce...
by
Ian Jackson
on 2016-11-11
-
Import patches-unapplied version 4.8.0~rc5-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 6a57aaac4bb7e777957358fa12343acc7819e568
New changelog entries:
* New upstream version, Xen 4.8.0 RC5.
-
6a57aaa...
by
Ian Jackson
on 2016-11-05
-
Import patches-unapplied version 4.8.0~rc3-1 to debian/sid
Imported using git-ubuntu import.
Changelog parent: 849568c9a860403c587448dc382d075502515ca3
New changelog entries:
* Upload 4.8.0~rc3 to unstable. (RC5 is out upstream, but let's not
update to that in the middle of the Xen 4.6 -> 4.8 transition.)
* No source changes.
-
849568c...
by
Ian Jackson
on 2016-11-01
-
Import patches-unapplied version 4.8.0~rc3-0exp2 to debian/experimental
Imported using git-ubuntu import.
Changelog parent: b3aaf9a9500cd009e1601d83f36110c260f5d174
New changelog entries:
* Build-Depend on iasl on all architectures. ARM has ACPI now.
Fixes FTBFS on arm64 (at least).
* Add qemu-utils and seabios to Suggests.
* Pass -no-pie -fno-pic to x86 emulator test build. (Patch
also submitted upstream.) Fixes FTBFS on i386 with GCC6.
* Add myself to Uploaders.
