ubuntu/+source/xen:ubuntu/zesty-security

Last commit made on 2017-10-16
Get this branch:
git clone -b ubuntu/zesty-security https://git.launchpad.net/ubuntu/+source/xen
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/zesty-security
Repository:
lp:ubuntu/+source/xen

Recent commits

874e2d1... by Stefan Bader on 2017-10-11

Import patches-unapplied version 4.8.0-1ubuntu2.4 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 9c0d1c665d31f74059d0a1f3dc8071908587108e

New changelog entries:
  * Applying Xen Security Advisories:
    - CVE-2017-14316 / XSA-231
      - xen/mm: make sure node is less than MAX_NUMNODES
    - CVE-2017-14318 / XSA-232
      - grant_table: fix GNTTABOP_cache_flush handling
    - CVE-2017-14317 / XSA-233
      - tools/xenstore: dont unlink connection object twice
    - CVE-2017-14319 / XSA-234
      - gnttab: also validate PTE permissions upon destroy/replace
    - XSA-235
      - arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
    - XSA-237
      - x86: don't allow MSI pIRQ mapping on unowned device
      - x86: enforce proper privilege when (un)mapping pIRQ-s
      - x86/MSI: disallow redundant enabling
      - x86/IRQ: conditionally preserve irq <-> pirq mapping on map error
        paths
      - x86/FLASK: fix unmap-domain-IRQ XSM hook
    - XSA-238
      - x86/ioreq server: correctly handle bogus
        XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments
    - XSA-239
      - x86/HVM: prefill partially used variable on emulation paths
    - XSA-240
      - x86: limit linear page table use to a single level
      - x86/mm: Disable PV linear pagetables by default
    - XSA-241
      - x86: don't store possibly stale TLB flush time stamp
    - XSA-242
      - x86: don't allow page_unlock() to drop the last type reference
    - XSA-243
      - x86/shadow: Don't create self-linear shadow mappings for 4-level
        translated guests
    - XSA-244
      - x86/cpu: Fix IST handling during PCPU bringup
    - XSA-245
      - xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn
      - xen/arm: Correctly report the memory region in the dummy NUMA helpers
  * Applying Xen Security Advisories:
    - XSA-226 / CVE-2017-12135
      - gnttab: don't use possibly unbounded tail calls
      - gnttab: fix transitive grant handling
    - XSA-227 / CVE-2017-12137
      - x86/grant: Disallow misaligned PTEs
    - XSA-228 / CVE-2017-12136
      - gnttab: split maptrack lock to make it fulfill its purpose again
    - XSA-230 / CVE-2017-12855
      - gnttab: correct pin status fixup for copy

9c0d1c6... by Stefan Bader on 2017-07-03

Import patches-unapplied version 4.8.0-1ubuntu2.2 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 035840865f3021b85a89a869c686dea7abcaf725

New changelog entries:
  * Applying Xen Security Advisories:
    - XSA-217
      - x86/mm: disallow page stealing from HVM domains
    - XSA-218
      - gnttab: fix unmap pin accounting race
      - gnttab: Avoid potential double-put of maptrack entry
      - gnttab: correct maptrack table accesses
    - XSA-219
      - x86/shadow: Hold references for the duration of emulated writes
    - XSA-220
      - x86: avoid leaking PKRU and BND* between vCPU-s
    - XSA-221
      - evtchn: avoid NULL derefs
    - XSA-222
      - xen/memory: Fix return value handing of guest_remove_page()
      - guest_physmap_remove_page() needs its return value checked
    - XSA-223
      - arm: vgic: Don't update the LR when the IRQ is not enabled
    - XSA-224
      - gnttab: Fix handling of dev_bus_addr during unmap
      - gnttab: never create host mapping unless asked to
      - gnttab: correct logic to get page references during map requests
      - gnttab: __gnttab_unmap_common_complete() is all-or-nothing
    - XSA-225
      - xen/arm: vgic: Sanitize target mask used to send SGI

0358408... by Stefan Bader on 2017-05-09

Import patches-unapplied version 4.8.0-1ubuntu2.1 to ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 5dd3690880997ad3c6c8aa5590c28a87fdf04b7f

New changelog entries:
  * Applying Xen Security Advisories:
    - XSA-206
      * xenstored: apply a write transaction rate limit
      * xenstored: Log when the write transaction rate limit bites
      * oxenstored: comments explaining some variables
      * oxenstored: handling of domain conflict-credit
      * oxenstored: ignore domains with no conflict-credit
      * oxenstored: add transaction info relevant to history tracking
      * oxenstored: support commit history tracking
      * oxenstored: only record operations with side-effects in history
      * oxenstored: discard old commit-history on txn end
      * oxenstored: track commit history
      * oxenstored: blame the connection that caused a transaction conflict
      * oxenstored: allow self-conflicts
      * oxenstored: do not commit read-only transactions
      * oxenstored: don't wake to issue no conflict-credit
      * oxenstored transaction conflicts: improve logging
      * oxenstored: trim history in the frequent_ops function
    - XSA-207
      * IOMMU: always call teardown callback
    - XSA-210
      * arm/p2m: remove the page from p2m->pages list before freeing it
    - CVE-2017-7228 / XSA-212
      * memory: properly check guest memory ranges in XENMEM_exchange handling
    - XSA-213
      * multicall: deal with early exit conditions
    - XSA-214
      * x86: discard type information when stealing pages

5dd3690... by Stefan Bader on 2017-03-14

Import patches-unapplied version 4.8.0-1ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 83ccf175472aac65d990ae0e1e7b2bd00b4af464

New changelog entries:
  * Cherry-pick upstream change to fix TSC_ADJUST MSR handling in HVM
    guests running on Intel based hosts (LP: #1671760)

83ccf17... by Stefan Bader on 2017-01-26

Import patches-unapplied version 4.8.0-1ubuntu1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: de88f23aef33fe9959ae1200841003ba24c68df6

New changelog entries:
  * Merge from Debian unstable. Remaining changes:
    - Add transitional package definitions to debian/control and
      debian/rules.gen (force hypervisor upgrade).
    - Split xen.init into xenstored.init and xen.init
      * xen.init depends on xenstored.init and optionally schedules itself
        before libvirtd.
      * xenstored.init additionally modprobes xen-acpi-processor
    - Remove update-alternatives call from xen utils (postinst/prerm) scripts.
    - Copy contents of debian/build/install-utils_$(ARCH)/usr/sbin into
      debian/build/install-utils_$ARCH/usr/lib/xen-$(VERSION) (LP: #1396670).

de88f23... by Ian Jackson on 2016-12-22

Import patches-unapplied version 4.8.0-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 055dfce789cbccde9477fcc8bc6e36e2caa62efc

New changelog entries:
  * Update to upstream Xen 4.8.0.
    Includes the following security fixes:
        XSA-201 CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
        XSA-198 CVE-2016-9379 CVE-2016-9380
        XSA-196 CVE-2016-9378 CVE-2016-9377 Closes:#845669
        XSA-195 CVE-2016-9383
        XSA-194 CVE-2016-9384 Closes:#845667
        XSA-193 CVE-2016-9385
        XSA-192 CVE-2016-9382
        XSA-191 CVE-2016-9386
    Includes other bugfixes too:
        Closes:#812166, Closes:#818525.
  Cherry picks from upstream:
  * Security fixes:
        XSA-204 CVE-2016-10013 Closes:#848713
        XSA-203 CVE-2016-10025
        XSA-202 CVE-2016-10024
    For completeness, the following XSAs do not apply here:
        XSA-197 CVE-2016-9381 Bug is in qemu
        XSA-199 CVE-2016-9637 Bug is in qemu
        XSA-200 CVE-2016-9932 Xen 4.8 is not affected
  * Cherry pick a build failure fix:
      "x86/emul: add likely()/unlikely() to test harness"
  [ Ian Jackson ]
  * Drop -lcrypto search from upstream configure, and from our
    Build-Depends. Closes:#844419.
  * Change my own email address to my work (Citrix) address. When
    uploading, I will swap hats to effectively sponsor my own upload.
  [ Ian Campbell ]
  * Start a qemu process in dom0 to service the toolstack's loopback disk
    attaches. (Closes: #770456)
  * Remove correct pidfile when stopping xenconsoled.
  * Check that xenstored has actually started before talking to it.
    Incorporate a timeout so as not to block boot (Mitigates #737613)
  * Correct syntax error in xen-init-list when running with xend
    (Closes: #763102)
  * Apply SELinux labels to directories created by initscripts. Patch from
    Russell Coker. (Closes: #764912)
  * Include a reportbug control file to redirect bugs to src:xen for
    packages which contain the Xen version in the name. Closes:#796370.
  [ Lubomir Host ]
  * Fix xen-init-name to not fail looking for a nonexistent 'config'
    entry in xl's JSON output. Closes:#818129.

055dfce... by Ian Jackson on 2016-11-11

Import patches-unapplied version 4.8.0~rc5-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6a57aaac4bb7e777957358fa12343acc7819e568

New changelog entries:
  * New upstream version, Xen 4.8.0 RC5.

6a57aaa... by Ian Jackson on 2016-11-05

Import patches-unapplied version 4.8.0~rc3-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 849568c9a860403c587448dc382d075502515ca3

New changelog entries:
  * Upload 4.8.0~rc3 to unstable. (RC5 is out upstream, but let's not
    update to that in the middle of the Xen 4.6 -> 4.8 transition.)
  * No source changes.

849568c... by Ian Jackson on 2016-11-01

Import patches-unapplied version 4.8.0~rc3-0exp2 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b3aaf9a9500cd009e1601d83f36110c260f5d174

New changelog entries:
  * Build-Depend on iasl on all architectures. ARM has ACPI now.
    Fixes FTBFS on arm64 (at least).
  * Add qemu-utils and seabios to Suggests.
  * Pass -no-pie -fno-pic to x86 emulator test build. (Patch
    also submitted upstream.) Fixes FTBFS on i386 with GCC6.
  * Add myself to Uploaders.

b3aaf9a... by Ian Jackson on 2016-10-24

Import patches-unapplied version 4.8.0~rc3-0exp1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 38cdaf6a6157895d96dc9845570fa78d74b5207c

New changelog entries:
  * New upstream version, Xen 4.8.0 RC3.
    Fixes many outstanding CVEs.
  * Incorporated many changes from 4.8.0-0ubuntu2
    - libxen-dev is M-A: same
    - Work around grep bug http://bugs.launchpad.net/bugs/1547466
    - debian/xen-hypervisor-4.6.xen.cfg:
      Additional config file to simplify grub configuration.
    - Use new library/abiname scheme.
    - Document what xl and xm are in default.xen
    - Add libvirtd dependency to xendomains init script
    (Thanks to Stefan Bader and others.)