Change log for xen package in Debian
Published in sid-release
xen (4.17.3+36-g54dacb5c02-1) unstable; urgency=medium

  * Update to new upstream version 4.17.3+36-g54dacb5c02, which also contains security fixes for the following issues:
    - x86: shadow stack vs exceptions from emulation stubs XSA-451 CVE-2023-46841
  * Properly incorporate NMU changes.
  * Pick upstream commit b33a5c5929 ("tools/xenstore/xenstored_control.c: correctly print time_t") to fix a FTBFS on armhf with 64 bits time_t. (Closes: #1065794)

 -- Hans van Kranenburg <email address hidden>  Sat, 09 Mar 2024 22:03:11 +0100

Superseded in sid-release
xen (4.17.3+10-g091466ba55-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition. Closes: #1063270

 -- Steve Langasek <email address hidden>  Thu, 29 Feb 2024 07:08:41 +0000

Deleted in experimental-release (Reason: None provided.)
xen (4.17.3+10-g091466ba55-1.1~exp2) experimental; urgency=medium

  * debian/shuffle-binaries: handle rename of debian/libxenmiscV.install.vsn-in

 -- Steve Langasek <email address hidden>  Sat, 24 Feb 2024 02:53:03 +0000

Published in bookworm-release
xen (4.17.3+10-g091466ba55-1~deb12u1) bookworm; urgency=medium

  * Rebuild 4.17.3+10-g091466ba55-1 for Bookworm to address the security issues since last Debian stable update.

 -- Hans van Kranenburg <email address hidden>  Sun, 04 Feb 2024 16:31:59 +0100

Superseded in experimental-release
xen (4.17.3+10-g091466ba55-1.1~exp1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

 -- Steve Langasek <email address hidden>  Mon, 05 Feb 2024 23:01:29 +0000

Superseded in sid-release
xen (4.17.3+10-g091466ba55-1) unstable; urgency=medium

  * Update to new upstream version 4.17.3+10-g091466ba55, which also contains security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated (take two) XSA-447 CVE-2023-46837
    - pci: phantom functions assigned to incorrect contexts XSA-449 CVE-2023-46839
    - VT-d: Failure to quarantine devices in !HVM builds XSA-450 CVE-2023-46840
  * Note that the following XSA are not listed, because...
    - XSA-448 has patches for the Linux kernel.
  * Compilation with Python 3.12 has been fixed in upstream commit 4000522008 ("Only compile the hypervisor with -Wdeclaration-after-statement") (Closes: #1062048)

 -- Hans van Kranenburg <email address hidden>  Sun, 04 Feb 2024 13:45:17 +0100

Superseded in bookworm-release
xen (4.17.2+76-ge1f9cb16e2-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm to address the security issues since 4.17.1+2-gb773c48e36-1 listed below.
  * d/salsa-ci.yml: Set RELEASE variable to bookworm

 -- Maximilian Engelhardt <email address hidden>  Sat, 02 Dec 2023 17:58:08 +0100

Superseded in sid-release
xen (4.17.2+76-ge1f9cb16e2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2-76-ge1f9cb16e2, which also contains security fixes for the following issues: (Closes: #1056928)
    - x86/AMD: mismatch in IOMMU quarantine page table levels XSA-445 CVE-2023-46835
    - x86: BTC/SRSO fixes not fully effective XSA-446 CVE-2023-46836

 -- Maximilian Engelhardt <email address hidden>  Wed, 29 Nov 2023 20:17:30 +0100

Superseded in sid-release
xen (4.17.2+55-g0b56bed864-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated XSA-437 CVE-2023-34321
    - top-level shadow reference dropped too early for 64-bit PV guests XSA-438 CVE-2023-34322
    - x86/AMD: Divide speculative information leak XSA-439 CVE-2023-20588
    - xenstored: A transaction conflict can crash C Xenstored XSA-440 CVE-2023-34323
    - x86/AMD: missing IOMMU TLB flushing XSA-442 CVE-2023-34326
    - Multiple vulnerabilities in libfsimage disk handling XSA-443 CVE-2023-34325
    - x86/AMD: Debug Mask handling XSA-444 CVE-2023-34327 CVE-2023-34328
  * Note that the following XSA are not listed, because...
    - XSA-441 has patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Thu, 12 Oct 2023 19:25:55 +0200

xen (4.14.6-1) bullseye; urgency=medium

  * Update to new upstream version 4.14.6, which also contains security fixes for the following issues:
    - x86/AMD: Zenbleed XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling XSA-435 CVE-2022-40982
  * Note that the following XSA are not listed, because...
    - XSA-430 and XSA-431 only apply to Xen 4.17
    - XSA-432 has patches for the Linux kernel.
  * Also, note that upstream security support for Xen 4.14 has ended with this release. This also means that Xen security support for Debian Bullseye has ended.

 -- Hans van Kranenburg <email address hidden>  Thu, 21 Sep 2023 16:55:59 +0200

xen (4.17.2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2, which also contains security fixes for the following issues: (Closes: #1042102)
    - x86/AMD: Zenbleed XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling XSA-435 CVE-2022-40982
    - arm: Guests can trigger a deadlock on Cortex-A77 XSA-436 CVE-2023-34320
  * Note that the following XSA are not listed, because...
    - XSA-432 has patches for the Linux kernel.

 -- Maximilian Engelhardt <email address hidden>  Sun, 20 Aug 2023 16:08:59 +0200

xen (4.17.1+2-gb773c48e36-1) unstable; urgency=medium

  * Update to new upstream version 4.17.1+2-gb773c48e36, which also contains security fixes for the following issues:
    - x86 shadow paging arbitrary pointer dereference XSA-430 CVE-2022-42335 (Closes: #1034842)
    - Mishandling of guest SSBD selection on AMD hardware XSA-431 CVE-2022-42336

 -- Maximilian Engelhardt <email address hidden>  Thu, 18 May 2023 21:26:30 +0200

Superseded in bullseye-release
xen (4.14.5+94-ge49571868d-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+94-ge49571868d, which also contains security fixes for the following issues: (Closes: #1033297)
    - x86: Multiple speculative security issues XSA-422 CVE-2022-23824
    - x86 shadow plus log-dirty mode use-after-free XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path XSA-429 CVE-2022-42331
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
    - XSA-425 only applies to Xen 4.17 and newer
    - XSA-426 only applies to Xen 4.16 and newer

 -- Maximilian Engelhardt <email address hidden>  Thu, 23 Mar 2023 20:40:49 +0100

Superseded in sid-release
xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains security fixes for the following issues: (Closes: #1033297)
    - x86 shadow plus log-dirty mode use-after-free XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path XSA-429 CVE-2022-42331

 -- Maximilian Engelhardt <email address hidden>  Thu, 23 Mar 2023 22:22:48 +0100

Superseded in sid-release
xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains security fixes for the following issues:
    - x86: Cross-Thread Return Address Predictions XSA-426 CVE-2022-27672 (Closes: #1031567)
  * debian/shuffle-boot-files: fix typo
  * debian/changelog: Fix bug number typo.
  * debian/changelog: Remove duplicate 'Note that'

 -- Hans van Kranenburg <email address hidden>  Fri, 24 Feb 2023 18:06:42 +0100

Superseded in sid-release
xen (4.17.0+24-g2f8851c37f-2) unstable; urgency=medium

  * Upload to unstable now, since we got message from the OCaml team that we are not bothering them while they're doing their stack rebuild.

 -- Hans van Kranenburg <email address hidden>  Mon, 06 Feb 2023 14:27:40 +0100

Deleted in experimental-release (Reason: None provided.)
xen (4.17.0+24-g2f8851c37f-2~exp1) experimental; urgency=medium

  * Upload to experimental NEW to avoid disrupting ocaml transition.

 -- Ian Jackson <email address hidden>  Sun, 05 Feb 2023 13:07:44 +0000

xen (4.17.0-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0.
  * No new security fixes are included.
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
  * debian/control: update Standards-Version to 4.6.2
  * debian/control: update Build-Depends for ocaml

 -- Maximilian Engelhardt <email address hidden>  Wed, 21 Dec 2022 22:34:51 +0100

Superseded in bullseye-release
xen (4.14.5+86-g1c354767d5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+86-g1c354767d5, which also contains security fixes for the following issues: (Closes: #1021668)
    - Xenstore: guests can let run xenstored out of memory XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - insufficient TLB flush for x86 PV guests in shadow mode XSA-408 CVE-2022-33745
    - Arm: unbounded memory consumption for 2nd-level page tables XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling XSA-411 CVE-2022-33748
    - Xenstore: Guests can crash xenstored XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions XSA-421 CVE-2022-42325 CVE-2022-42326
  * The upstream Xen changes now also contain the first mentioned patch of XSA-403 ("Linux disk/nic frontends data leaks") for stable branch lines. For more information, please refer to the XSA-403 advisory text.
  * Note that the following XSA are not listed, because...
    - XSA-412 only applies to Xen 4.16 and newer
    - XSA-413 applies to XAPI which is not included in Debian
  * Correct a typo in the previous changelog entry.

 -- Hans van Kranenburg <email address hidden>  Fri, 04 Nov 2022 20:25:46 +0100

Deleted in experimental-release (Reason: None provided.)
xen (4.17.0~rc4-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.17.0~rc4.

  Changes related to upgrading to Xen 4.17:
  * debian/control: adjust to 4.17
  * Drop "libxl: Fix unneededly rebuilding build.o(pic)", no longer needed
  * Refresh remaining patches if needed

 -- Maximilian Engelhardt <email address hidden>  Wed, 07 Dec 2022 21:01:04 +0100

Superseded in sid-release
xen (4.16.2+90-g0d39a6d1ae-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2+90-g0d39a6d1ae, which also contains security fixes for the following issues:
    - Xenstore: guests can let run xenstored out of memory XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - Arm: unbounded memory consumption for 2nd-level page tables XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling XSA-411 CVE-2022-33748
    - x86: unintended memory sharing between guests XSA-412 CVE-2022-42327
    - Xenstore: Guests can crash xenstored XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions XSA-421 CVE-2022-42325 CVE-2022-42326
    - x86: Multiple speculative security issues XSA-422 CVE-2022-23824
  * Note that the following XSA are not listed, because...
    - XSA-413 applies to XAPI which is not included in Debian
  * Drop the "x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1" patch again because it's included in upstream changes now.

 -- Hans van Kranenburg <email address hidden>  Wed, 16 Nov 2022 12:50:33 +0100

xen (4.16.2-2) unstable; urgency=medium

  * debian/control: Add libzstd-dev as Build-Depends
  * Pick upstream commit c3bd0b83ea ("x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1") to fix compatibility with Linux 5.19. (Closes: #1020787)

 -- Hans van Kranenburg <email address hidden>  Wed, 28 Sep 2022 19:03:14 +0200

Superseded in bullseye-release
xen (4.14.5+24-g87d90d511c-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+24-g87d90d511c, which also contains security fixes for the following issues: for the following issues:
    - x86 pv: Race condition in typeref acquisition XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
  * Note that the following XSA are not listed, because...
    - XSA-403 patches are not applied to stable branch lines.
    - XSA-405 and XSA-406 have patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Wed, 13 Jul 2022 16:28:39 +0200

xen (4.16.2-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2, which also contains security fixes for the following issues:
    - x86 pv: Race condition in typeref acquisition XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings XSA-402 CVE-2022-26363 CVE-2022-26364
    - Linux disk/nic frontends data leaks XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
      Note that this XSA also contains patches that have to be applied to the Linux kernel to make use of the new mitigations.
    - x86: MMIO Stale Data vulnerabilities XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  * d/.../grub.d/xen.cfg: Redirect output when running grub-mkconfig so that we do not wrongly cause text to end up being part of the generated grub configuration. (Closes: #1016547)
  * Clean up lintian overrides that are reported as unused.
  * Move comments about lintian overrides above the override line itself, instead of being below, as instructed by the lintian documentation.
  * Deal with formatting changes in lintian output, which invalidate overrides we have. Also see Debian bug #1007002 for more information.

 -- Hans van Kranenburg <email address hidden>  Tue, 23 Aug 2022 13:25:38 +0200

Superseded in bullseye-release
xen (4.14.4+74-gd7b22226b5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.4+74-gd7b22226b5, which also contains security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs XSA-395 CVE-2022-23035
    - Racy interactions between dirty vram tracking and paging log dirty hypercalls XSA-397 CVE-2022-26356
    - Multiple speculative security issues XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-391, XSA-392 and XSA-396 have patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Fri, 08 Apr 2022 11:40:51 +0200

xen (4.16.1-1) unstable; urgency=medium

  * Update to new upstream version 4.16.1, which also contains security fixes for the following issues:
    - Racy interactions between dirty vram tracking and paging log dirty hypercalls XSA-397 CVE-2022-26356
    - Multiple speculative security issues XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-396 has patches for the Linux kernel.
  * Don't ship NEWS in libxen* packages. Instead, only ship relevant NEWS items for actual hypervisor and/or utils packages they belong to. (Closes: #962267)
  * d/control: make xen-hypervisor-common arch specific, just like xen-utils-common.
  * d/control: stop recommending qemu-system-x86 on arm, because qemu is not being built with xen support on arm...
  * Add a patch for tools/libs/light/Makefile which prevents build.o and build.opic to be rebuilt unneededly during the package install phase, causing a FTBFS because it triggers the use of ccache, which is not allowed in the install phase of building the Debian packages.

  Improvements related to Qemu integration: [Michael Tokarev]
  * d/xen-utils-common.xen.init: properly disable qemu monitor/serial/parallel devices for qemu started at boot.
  * debian: switch from recommending qemu-system-x86 to qemu-system-xen and mention this change in the NEWS file.
  * Add patch "give meaningful error message if qemu device model is unavailable" to give a useful error message only in case the domU needs the qemu device model which is not installed, instead of giving a warning about missing qemu even if it is not used by this domain.

  Documentation, grammar and spelling fixes and improvements:
  * d/control: drop obsolete paragraph about separate xen linux kernel package
  * d/control: Harmonize the capitalization of the 'Xen' word [Diederik de Haas]
  * d/control: Improve spelling and grammar [Diederik de Haas]`

 -- Hans van Kranenburg <email address hidden>  Mon, 09 May 2022 22:29:23 +0200

Superseded in sid-release
xen (4.16.0+51-g0941d6cb-1) unstable; urgency=medium

  * Update to new upstream version 4.16.0+51-g0941d6cb, which also contains security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs XSA-395 CVE-2022-23035
  * Note that the following XSA are not listed, because...
    - XSA-391 and XSA-392 have patches for the Linux kernel.
  * Upload to unstable now, which obsoletes the Xen 4.14 FTBFS issue. (Closes: #1002658)

 -- Hans van Kranenburg <email address hidden>  Sat, 19 Feb 2022 20:29:32 +0100

Deleted in experimental-release (Reason: None provided.)
xen (4.16.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.16.0. This also includes a security fix for the following issue, which was not applicable to Xen 4.14 yet:
    - certain VT-d IOMMUs may not work in shared page table mode XSA-390 CVE-2021-28710
  * No longer build any package for the i386 architecture. It was already not possible to use x86_32 hardware because the i386 packages already shipped a 64-bit hypervisor and PV shim. Running 32-bit utils with a 64-bit hypervisor requires using a compatibility layer that is fragile and becomes harder to maintain and test upstream. This change ends the 'grace period' in which users should have moved to using a fully 64-bit dom0.
    - debian/{control,rules,salsa-ci.yml,xen-utils-V.install.vsn-in}: make the necessary changes
    - Remove the Recommends on libc6-xen, which already actually does not exist any more. (Closes: #992909)
    - Drop patch "tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on x86_32" because it is not relevant any more.

  Changes related to upgrading to Xen 4.16:
  * debian/control: adjust to 4.16 [Maximilian Engelhardt]
  * Drop patches that have been applied upstream
  * Refresh remaining patches if needed
  * debian: follow upstream removal of '.sh' suffix in xl bash_completion file [Maximilian Engelhardt]
  * debian/control, debian/libxenstore*: ship a libxenstore4 package instead of libxenstore3.0, since upstream bumped the soname [Maximilian Engelhardt]

  Packaging minor fixes and improvements [Maximilian Engelhardt]:
  * debian/rules: set SOURCE_BASE_DIR to the top level build dir so that the "Display Debian package version in hypervisor log" patch can use it.
  * Add patch "xen/arch/x86: make objdump output user locale agnostic" to fix reproducible builds. This patch will also be sent upstream.
  * d/rules: remove reproducible=+fixfilepath from DEB_BUILD_MAINT_OPTIONS
  * d/salsa-ci.yml: Explicitly set RELEASE variable to unstable
  * d/salsa-ci.yml: disable cross building as it's currently not working
  * debian: call update-grub when installing/removing xen-hypervisor-common (Closes: #988901)
  * debian: fix dependency generation for python after dh-python was fixed first. (Closes: #976597)
  * debian/rules: remove unused pybuild settings

  Packaging minor fixes and improvements:
  * Improve patches for building the PV shim separately. This enables to drop the extra Revert of an upstream commit that was done in 4.14.0+80-gd101b417b7-1~exp1:
    - Drop patch: Revert "pvshim: make PV shim build selectable from configure"
    - Update patch "[...] Respect caller's CONFIG_PV_SHIM" to follow moving of a line to a different file
    - Drop patch: "tools/firmware/Makefile: CONFIG_PV_SHIM: enable only on x86_64" because that's now already the default upstream
  * debian/control.md5sum: remove this obsolete file
  * Merge patches "vif-common: disable handle_iptable" and "t/h/L/vif-common.sh: fix handle_iptable return value" into a single patch, since the latter was a fix for the first.
  * debian/control: change the Uploaders email address for Ian Jackson, since he does not work at Citrix any more now

 -- Hans van Kranenburg <email address hidden>  Mon, 17 Jan 2022 18:36:02 +0100

Superseded in bullseye-release
xen (4.14.3+32-g9de3671772-1~deb11u1) bullseye-security; urgency=medium

  * d/salsa-ci.yml: Set RELEASE variable to bullseye
  * Rebuild for bullseye-security

 -- Hans van Kranenburg <email address hidden>  Thu, 02 Dec 2021 21:45:55 +0100

Superseded in sid-release
xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium

  * Update to new upstream version 4.14.3+32-g9de3671772, which also contains security fixes for the following issues:
    - guests may exceed their designated memory limit XSA-385 CVE-2021-28706
    - PCI devices with RMRRs not deassigned correctly XSA-386 CVE-2021-28702
    - PoD operations on misaligned GFNs XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
    - issues with partially successful P2M updates on x86 XSA-389 CVE-2021-28705 CVE-2021-28709
  * Note that the following XSA are not listed, because...
    - XSA-387 only applies to Xen 4.13 and older
    - XSA-390 only applies to Xen 4.15
  * Pick the following upstream commits to fix a regression which prevents amd64 type hardware to fully power off. The issue was introduced in version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to improve Raspberry Pi 4 support. (Closes: #994899):
    - 8b6d55c126 ("x86/ACPI: fix mapping of FACS")
    - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb")
    - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping")
    - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector cannot be determined")

 -- Hans van Kranenburg <email address hidden>  Sat, 27 Nov 2021 15:09:47 +0100

Published in buster-release
xen (4.11.4+107-gef32c7afa2-1) buster-security; urgency=high

  * Update to new upstream version 4.11.4+107-gef32c7afa2, which also contains security fixes for the following issues:
    - inappropriate x86 IOMMU timeout detection / handling XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3 XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-371 and XSA-374 have patches for the Linux kernel.
    - XSA-372 only applies to Xen 4.12 and newer.

 -- Hans van Kranenburg <email address hidden>  Mon, 14 Jun 2021 16:41:01 +0200

Superseded in bullseye-release
xen (4.14.3-1~deb11u1) bullseye-security; urgency=medium

  * Rebuild for bullseye-security

 -- Hans van Kranenburg <email address hidden>  Mon, 13 Sep 2021 16:28:21 +0200

xen (4.14.3-1) unstable; urgency=high

  * Update to new upstream version 4.14.3, which also contains security fixes for the following issues:
    - IOMMU page mapping issues on x86 XSA-378 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696
    - grant table v2 status pages may remain accessible after de-allocation XSA-379 CVE-2021-28697
    - long running loops in grant table handling XSA-380 CVE-2021-28698
    - inadequate grant-v2 status frames array bounds check XSA-382 CVE-2021-28699
    - xen/arm: No memory limit for dom0less domUs XSA-383 CVE-2021-28700
    - Another race in XENMAPSPACE_grant_table handling XSA-384 CVE-2021-28701

 -- Hans van Kranenburg <email address hidden>  Mon, 13 Sep 2021 11:51:20 +0200

xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium

  * Add README.Debian.security containing a note about the end of upstream security support for Xen 4.14. Install it into xen-hypervisor-common.

 -- Hans van Kranenburg <email address hidden>  Fri, 30 Jul 2021 16:57:52 +0200

Superseded in sid-release
xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium

  * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains security fixes for the following issues:
    - HVM soft-reset crashes toolstack XSA-368 CVE-2021-28687
    - xen/arm: Boot modules are not scrubbed XSA-372 CVE-2021-28693
    - inappropriate x86 IOMMU timeout detection / handling XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3 XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the Linux kernel.
    - XSA-366 only applies to Xen 4.11.

 -- Hans van Kranenburg <email address hidden>  Sun, 11 Jul 2021 14:29:13 +0200

Superseded in buster-release
xen (4.11.4+99-g8bce4698f6-1) buster-security; urgency=high

  * Update to new upstream version 4.11.4+99-g8bce4698f6, which also contains security fixes for the following issues:
    - arm: The cache may not be cleaned for newly allocated scrubbed pages XSA-364 CVE-2021-26933
    - missed flush in XSA-321 backport XSA-366 CVE-2021-27379
  * Note that the following XSA are not listed, because...
    - XSA-360 and XSA-368 only apply to Xen 4.12 and newer.
    - XSA-361, XSA-362, XSA-363, XSA-365, XSA-367 and XSA-369 have patches for the Linux kernel.
  * Drop separate patches for XSAs up to 359 that are now included in the upstream stable branch.
  * Fix cosmetics wrt. XSA/CVE text formatting in the previous entry.

 -- Hans van Kranenburg <email address hidden>  Wed, 24 Mar 2021 19:52:15 +0100

xen (4.14.1+11-gb0b734a8b3-1) unstable; urgency=medium

  * Update to new upstream version 4.14.1+11-gb0b734a8b3, which also contains security fixes for the following issues:
    - IRQ vector leak on x86 XSA-360 CVE-2021-3308 (Closes: #981052)
    - arm: The cache may not be cleaned for newly allocated scrubbed pages XSA-364 CVE-2021-26933
  * Drop separate patches for XSAs up to 359 that are now included in the upstream stable branch.

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * debian/rules: Set CC/LD to enable cross-building
  * d/shuffle-binaries: Fix binary shuffling script for cross-building
  * Rework "debian/rules: Do not try to move EFI binaries on armhf"
  * debian/scripts: Optimize runtime scripts
  * debian/xen-utils-common.examples: Remove xm examples
  * d/shuffle-boot-files: make it POSIX compliant [Hans van Kranenburg, based on a patch by Elliott Mitchell]
  * d/shuffle-binaries: Switch loop from for to while
  * d/shuffle-binaries: Switch to POSIX shell, instead of Bash
  * d/shuffle-boot-files: Switch to POSIX shell, instead of Bash
  * debian/xendomains.init: Pipe xen-init-list instead of tmp file

  Make the package build reproducibly [Maximilian Engelhardt]:
  * debian/salsa-ci.yml: enable salsa-ci
  * debian/salsa-ci.yml: enable diffoscope in reprotest
  * debian/rules: use SOURCE_DATE_EPOCH for xen build dates
  * debian/rules: don't include build path in binaries
  * debian/rules: reproducibly build oxenstored
  * Pick the following upstream commits:
    - 5816d327e4 ("xen: don't have timestamp inserted in config.gz")
    - ee41b5c450 ("x86/EFI: don't insert timestamp when SOURCE_DATE_EPOCH is defined")
    - e18dadc5b7 ("docs: use predictable ordering in generated documentation")
  * Include upstream patch that is not committed yet, but needed:
    - docs: set date to SOURCE_DATE_EPOCH if available
  * debian/salsa-ci.yml: don't allow reprotest to fail

  Packaging bugfixes and improvements:
  * d/shuffle-boot-files: Document more inner workings

 -- Hans van Kranenburg <email address hidden>  Sun, 28 Feb 2021 19:49:45 +0100

Superseded in buster-release
xen (4.11.4+57-g41a822c392-2) buster-security; urgency=high

  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node XSA-353 (CVE-2020-29479)
    - xenstore watch notifications lacking permission checks XSA-115 (CVE-2020-29480)
    - Xenstore: new domains inheriting existing node permissions XSA-322 (CVE-2020-29481)
    - Xenstore: wrong path length check XSA-323 (CVE-2020-29482)
    - Xenstore: guests can crash xenstored via watchs XSA-324 (CVE-2020-29484)
    - Xenstore: guests can disturb domain cleanup XSA-325 (CVE-2020-29483)
    - oxenstored memory leak in reset_watches XSA-330 (CVE-2020-29485)
    - oxenstored: node ownership can be changed by unprivileged clients XSA-352 (CVE-2020-29486)
    - undue recursion in x86 HVM context switch code XSA-348 (CVE-2020-29566)
    - FIFO event channels control block related ordering XSA-358 (CVE-2020-29570)
    - FIFO event channels control structure ordering XSA-359 (CVE-2020-29571)
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack
    - XSA-356 only applies to Xen 4.14

 -- Hans van Kranenburg <email address hidden>  Fri, 11 Dec 2020 22:10:09 +0100

Superseded in sid-release
xen (4.14.0+88-g1d1d1f5391-2) unstable; urgency=high

  * For now, revert "debian/rules: Set CC/LD to enable cross-building", since it causes an FTBFS on i386.

 -- Hans van Kranenburg <email address hidden>  Tue, 15 Dec 2020 14:57:41 +0100

Superseded in sid-release
xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high

  * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains security fixes for the following issues:
    - stack corruption from XSA-346 change XSA-355 CVE-2020-29040 (Closes: #976109)
  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node XSA-353 CVE-2020-29479
    - xenstore watch notifications lacking permission checks XSA-115 CVE-2020-29480
    - Xenstore: new domains inheriting existing node permissions XSA-322 CVE-2020-29481
    - Xenstore: wrong path length check XSA-323 CVE-2020-29482
    - Xenstore: guests can crash xenstored via watchs XSA-324 CVE-2020-29484
    - Xenstore: guests can disturb domain cleanup XSA-325 CVE-2020-29483
    - oxenstored memory leak in reset_watches XSA-330 CVE-2020-29485
    - oxenstored: node ownership can be changed by unprivileged clients XSA-352 CVE-2020-29486
    - undue recursion in x86 HVM context switch code XSA-348 CVE-2020-29566
    - infinite loop when cleaning up IRQ vectors XSA-356 CVE-2020-29567
    - FIFO event channels control block related ordering XSA-358 CVE-2020-29570
    - FIFO event channels control structure ordering XSA-359 CVE-2020-29571
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack

  Packaging bugfixes and improvements:
  * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611)
  * Add missing CVE numbers to the previous changelog entries

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * d/shuffle-binaries: Make error detection/message overt
  * d/shuffle-binaries: Add quoting for potentially changeable variables
  * d/shuffle-boot-files: Add lots of double-quotes when handling variables
  * debian/rules: Set CC/LD to enable cross-building
  * debian/xen.init: Load xen_acpi_processor on boot
  * d/shuffle-binaries: Remove useless extra argument being passed in

  Packaging bugfixes and improvements [Maximilian Engelhardt]:
  * d/xen-hypervisor-V-F.postinst.vsn-in: use reboot-required (Closes: #862408)
  * d/xen-hypervisor-V-F.postrm: actually install script
  * d/xen-hypervisor-V.*: clean up unused files
  * d/xen-hypervisor-V.bug-control.vsn-in: actually install script
  * debian/rules: enable verbose build

  Fixes to patches for upstream code:
  * t/h/L/vif-common.sh: force handle_iptable return value to be 0 (Closes: #955994)
  * Pick the following upstream commits to improve Raspberry Pi 4 support, requested by Elliott Mitchell:
    - 25849c8b16 ("xen/rpi4: implement watchdog-based reset")
    - 17d192e023 ("tools/python: Pass linker to Python build process")
    - 861f0c1109 ("xen/arm: acpi: Don't fail if SPCR table is absent")
    - 1c4aa69ca1 ("xen/acpi: Rework acpi_os_map_memory() and acpi_os_unmap_memory()")
    - 4d625ff3c3 ("xen/arm: acpi: The fixmap area should always be cleared during failure/unmap")
    - dac867bf9a ("xen/arm: Check if the platform is not using ACPI before initializing Dom0less")
    - 9c2bc0f24b ("xen/arm: Introduce fw_unreserved_regions() and use it")
    - 7056f2f89f ("xen/arm: acpi: add BAD_MADT_GICC_ENTRY() macro")
    - 957708c2d1 ("xen/arm: traps: Don't panic when receiving an unknown debug trap")
  * Pick upstream commit ba6e78f0db ("fix spelling errors").
Thanks, Diederik. -- Hans van Kranenburg <email address hidden> Tue, 15 Dec 2020 13:00:00 +0100
Superseded in buster-release |
xen (4.11.4+37-g3263f257ca-1) buster-security; urgency=high * Update to new upstream version 4.11.4+37-g3263f257ca, which also contains security fixes for the following issues: - x86 pv: Crash when handling guest access to MSR_MISC_ENABLE XSA-333 CVE-2020-25602 - race when migrating timers between x86 HVM vCPU-s XSA-336 CVE-2020-25604 - PCI passthrough code reading back hardware registers XSA-337 CVE-2020-25595 - once valid event channels may not turn invalid XSA-338 CVE-2020-25597 - x86 pv guest kernel DoS via SYSENTER XSA-339 CVE-2020-25596 - Missing memory barriers when accessing/allocating an event channel XSA-340 CVE-2020-25603 - out of bounds event channels available to 32-bit x86 domains XSA-342 CVE-2020-25600 - races with evtchn_reset() XSA-343 CVE-2020-25599 - lack of preemption in evtchn_reset() / evtchn_destroy() XSA-344 CVE-2020-25601 * Note that with this update, we will be detaching the Buster updates from the Xen version in Debian unstable, which will get a newer Xen version RSN. -- Hans van Kranenburg <email address hidden> Thu, 01 Oct 2020 14:50:58 +0200
Superseded in sid-release |
xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium * Re-upload to unstable for rebuild. -- Ian Jackson <email address hidden> Tue, 24 Nov 2020 10:28:22 +0000
Deleted in experimental-release (Reason: None provided.) |
xen (4.14.0+80-gd101b417b7-1~exp2) experimental; urgency=medium * Re-upload since apparently DMs aren't allowed NEW? -- Ian Jackson <email address hidden> Mon, 23 Nov 2020 13:24:17 +0000
Superseded in experimental-release |
xen (4.14.0-1~exp1) experimental; urgency=medium Significant changes: * Update to new upstream version 4.14.0. (Closes: #866380) about removal of broken xen-bugtool * debian/{rules,control}: switch to python 3 (Closes: #938843) about python 2 removal in bullseye * debian/control: Fix python dependency to use python3-dev:any and libpython3-dev [Elliott Mitchell] Changes related to upgrading to Xen 4.14: * debian/control: adjust to 4.14 * debian/rules: remove install commands for pkgconfig files, since those files are not present any more * debian/: Follow fsimage -> xenfsimage renaming * debian/xen-utils-V.*: Use @version@ instead of hardcoded version * debian/control: add flex, bison * debian/control: add libxenhypfs[1] [Ian Jackson] * debian/libxenstore3.0.symbols: drop xprintf (Closes: #968965) [Ian Jackson; also reported by Gianfranco Costamagna] * d/scripts/xen-init-name, d/scripts/xen-init-list: rewrite these two scripts, hugely simplify them and make them use python 3 * Pick upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2 maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix -Werror=stringop-truncation in libxl__prepare_sockaddr_un") to fix gcc 10 FTBFS * tools: don't build/ship xenmon, it can't work with python 3 Packaging minor fixes and improvements: * debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell (Closes: #939560) [Ian Jackson; report from Guillem Jover] * debian/rules: Improve comment about hardening options (Closes: #939560) [Ian Jackson; report from Guillem Jover] * debian/rules: Drop redundant sequence numbers in dh_installinit (Closes: #939560) [Ian Jackson; report from Guillem Jover] * d/xen-utils-common.xen.init: add important notes to keep in mind when changing this script, related to multi-version handling * debian/control: cleanup Uploaders and add myself * debian/control: s/libncurses5-dev/libncurses-dev/ * xen-utils-V scripts: remove update-alternatives command * xen-utils-V.postinst.vsn-in: whitespace cosmetics * 
d/xen-utils-common.xen.init: disable oom killer for xenstored (Closes: #961511) * debian/rules: Combine shared Make args [Elliott Mitchell] Fixes and improvements for cross-compiling [Elliott Mitchell]: * debian/rules: Add --host to tools configure target * Pick upstream commit 69953e285638 ('tools: Partially revert "Cross-compilation fixes."') Lintian related fixes: * debian/changelog: trim trailing whitespace. [Debian Janitor] * debian/pycompat: remove obsolete file. [Debian Janitor] * debian/rules: Avoid using $(PWD) variable. [Debian Janitor] * debian/control: hardcode xen-utils-4.14 python3 dependency because dh_python can't figure out how to add it * debian/control: xen-doc: add ${misc:Depends} * d/xen-hypervisor-V-F.lintian-overrides.vsn-in: fix override to use the newer debug-suffix-not-dbg tag and correct the file path used so it matches again * debian/control: remove XS-Python-Version which is deprecated * debian/control: drop autotools-dev build dependency because debhelper already takes care of this * d/xen-utils-V.lintian-overrides.vsn-in: fix rpath override because the xenfsimage python .so filename changed from xenfsimage.so into xenfsimage.cpython-38-x86_64-linux-gnu.so now, make it match again * d/xen-utils-V.lintian-overrides.vsn-in: s/fsimage/xenfsimage/ which is a left over change from the rename in some comment lines * d/xen-utils-common.xen.init: use /run instead of /var/run because we don't expect anyone on a pre-stretch system to build and use these packages * debian/control: update Standards-Version to 4.5.0 -- Hans van Kranenburg <email address hidden> Thu, 17 Sep 2020 18:59:28 +0200
Superseded in buster-release |
xen (4.11.4+24-gddaaccbbab-1~deb10u1) buster-security; urgency=high * Rebuild as Buster security update. -- Hans van Kranenburg <email address hidden> Fri, 10 Jul 2020 18:54:34 +0200
Superseded in sid-release |
xen (4.11.4+24-gddaaccbbab-1) unstable; urgency=medium * Update to new upstream version 4.11.4+24-gddaaccbbab, which also contains security fixes for the following issues: - inverted code paths in x86 dirty VRAM tracking XSA-319 CVE-2020-15563 - Special Register Buffer speculative side channel XSA-320 CVE-2020-0543 N.B: To mitigate this issue, new cpu microcode is required. The changes in Xen provide a workaround for affected hardware that is not receiving a vendor microcode update. Please refer to the upstream XSA-320 Advisory text for more details. - insufficient cache write-back under VT-d XSA-321 CVE-2020-15565 - Missing alignment check in VCPUOP_register_vcpu_info XSA-327 CVE-2020-15564 - non-atomic modification of live EPT PTE XSA-328 CVE-2020-15567 -- Hans van Kranenburg <email address hidden> Tue, 07 Jul 2020 16:07:39 +0200
xen (4.11.4-1) unstable; urgency=medium * Update to new upstream version 4.11.4, which also contains security fixes for the following issues: - arm: a CPU may speculate past the ERET instruction XSA-312 (no CVE yet) - multiple xenoprof issues XSA-313 CVE-2020-11740 CVE-2020-11741 - Missing memory barriers in read-write unlock paths XSA-314 CVE-2020-11739 - Bad error path in GNTTABOP_map_grant XSA-316 CVE-2020-11743 - Bad continuation handling in GNTTABOP_copy XSA-318 CVE-2020-11742 * xen-utils and xen-utils-common maint scripts: Replace the previous fix in the xen init script with a better fix in the xen-utils package instead, to prevent calling the init script stop action (resulting in a disappeared xenconsoled) when removing a xen-utils package that belongs to a previous (not currently running) Xen version. Also prevent the xen-utils-common package from inadvertently calling stop and start actions because dh_installinit would add code for that. (Closes: #932759) * debian/NEWS: Mention fixing #932759 and how to deal with the bug -- Hans van Kranenburg <email address hidden> Tue, 26 May 2020 13:33:17 +0200
Published in stretch-release |
xen (4.8.5.final+shim4.10.4-1+deb9u12) stretch-security; urgency=medium * *NOTE* this will probably be the *LAST UPDATE* for Xen in Debian 9.x (stretch), since this is the last batch of security patches from upstream, where Xen 4.8 is out of security support. * Update to new upstream final tip of 4.8 stable branch, which I have dubbed upstream/stable-4.8.5.final. And shim 4.10.4. * This includes fixes to: XSA-311 CVE-2019-19577 XSA-310 CVE-2019-19580 XSA-309 CVE-2019-19578 XSA-308 CVE-2019-19583 XSA-307 CVE-2019-19581 CVE-2019-19582 XSA-306 CVE-2019-19579 XSA-305 CVE-2019-11135 XSA-304 CVE-2018-12207 XSA-303 CVE-2019-18422 XSA-302 CVE-2019-18424 XSA-301 CVE-2019-18423 XSA-299 CVE-2019-18421 XSA-298 CVE-2019-18425 XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 XSA-296 CVE-2019-18420 XSA-295 CVE-2019-17349 CVE-2019-17350 XSA-294 CVE-2019-17348 XSA-293 CVE-2019-17347 XSA-292 CVE-2019-17346 XSA-291 CVE-2019-17345 XSA-290 CVE-2019-17344 XSA-288 CVE-2019-17343 XSA-287 CVE-2019-17342 XSA-285 CVE-2019-17341 XSA-284 CVE-2019-17340 * For completeness, the following are not applicable: XSA-300 CVE-2019-17351 Bug is in Linux XSA-289 Spectre V1 + L1TF combo; no new fixes XSA-283 Withdrawn XSA number XSA-281 Withdrawn XSA number * The following is *not* fixed at this time: XSA-286 Still embargoed. * README.comet: remove line about PVH support. [Hans van Kranenburg] Closes:#908453. -- Ian Jackson <email address hidden> Fri, 10 Jan 2020 17:09:30 +0000
Superseded in buster-release |
xen (4.11.3+24-g14b62ab3e5-1~deb10u1) buster-security; urgency=high * Rebuild for buster-security -- Hans van Kranenburg <email address hidden> Wed, 08 Jan 2020 13:21:23 +0100
Superseded in sid-release |
xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=high * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also contains the following security fixes: (Closes: #947944) - Unlimited Arm Atomics Operations XSA-295 CVE-2019-17349 CVE-2019-17350 - VCPUOP_initialise DoS XSA-296 CVE-2019-18420 - missing descriptor table limit checking in x86 PV emulation XSA-298 CVE-2019-18425 - Issues with restartable PV type change operations XSA-299 CVE-2019-18421 - add-to-physmap can be abused to DoS Arm hosts XSA-301 CVE-2019-18423 - passed through PCI devices may corrupt host memory after deassignment XSA-302 CVE-2019-18424 - ARM: Interrupts are unconditionally unmasked in exception handlers XSA-303 CVE-2019-18422 - x86: Machine Check Error on Page Size Change DoS XSA-304 CVE-2018-12207 - TSX Asynchronous Abort speculative side channel XSA-305 CVE-2019-11135 - Device quarantine for alternate pci assignment methods XSA-306 CVE-2019-19579 - find_next_bit() issues XSA-307 CVE-2019-19581 CVE-2019-19582 - VMX: VMentry failure with debug exceptions and blocked states XSA-308 CVE-2019-19583 - Linear pagetable use / entry miscounts XSA-309 CVE-2019-19578 - Further issues with restartable PV type change operations XSA-310 CVE-2019-19580 - Bugs in dynamic height handling for AMD IOMMU pagetables XSA-311 CVE-2019-19577 * Add missing CVE numbers to previous changelog entries -- Hans van Kranenburg <email address hidden> Wed, 08 Jan 2020 12:41:42 +0100
xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high * Mention MDS and the need for updated microcode and disabling hyper-threading in NEWS. * Mention the ucode=scan option in the grub.d/xen documentation. -- Hans van Kranenburg <email address hidden> Sat, 22 Jun 2019 11:15:08 +0200
Superseded in sid-release |
xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high * Update to new upstream version 4.11.1+92-g6c33308a8d, which also contains the following security fixes: - Fix: grant table transfer issues on large hosts XSA-284 (no CVE yet) (Closes: #929991) - Fix: race with pass-through device hotplug XSA-285 (no CVE yet) (Closes: #929998) - Fix: x86: steal_page violates page_struct access discipline XSA-287 (no CVE yet) (Closes: #930001) - Fix: x86: Inconsistent PV IOMMU discipline XSA-288 (no CVE yet) (Closes: #929994) - Fix: missing preemption in x86 PV page table unvalidation XSA-290 (no CVE yet) (Closes: #929996) - Fix: x86/PV: page type reference counting issue with failed IOMMU update XSA-291 (no CVE yet) (Closes: #929995) - Fix: x86: insufficient TLB flushing when using PCID XSA-292 (no CVE yet) (Closes: #929993) - Fix: x86: PV kernel context switch corruption XSA-293 (no CVE yet) (Closes: #929999) - Fix: x86 shadow: Insufficient TLB flushing when using PCID XSA-294 (no CVE yet) (Closes: #929992) - Fix: Microarchitectural Data Sampling speculative side channel XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 (Closes: #929129) * Note that the fixes for XSA-297 will only have effect when also loading updated cpu microcode with MD_CLEAR functionality. When using the intel-microcode package to include microcode in the dom0 initrd, it has to be loaded by Xen. Please refer to the hypervisor command line documentation about the 'ucode=scan' option. * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the next upload. -- Hans van Kranenburg <email address hidden> Tue, 18 Jun 2019 09:50:19 +0200
xen (4.11.1+26-g87f51bf366-3) unstable; urgency=medium Minor useability improvements and fixes: * bash-completion: also complete 'xen' [Hans van Kranenburg] * /etc/default/xen: Handle with ucf again, like in stretch. Closes:#923401. [Ian Jackson] Build fix: * Fix FTBFS when building only arch-indep binaries (eg dpkg-buildpackage -A). Was due to dh-exec bug wrt not-installed. Closes:#923013. [Hans van Kranenburg; report from Santiago Vila] Documentation fix: * grub.d/xen.cfg: dom0_mem max IS needed [Hans van Kranenburg] -- Ian Jackson <email address hidden> Thu, 28 Feb 2019 16:37:04 +0000
Superseded in sid-release |
xen (4.11.1+26-g87f51bf366-2) unstable; urgency=medium * Packaging change: override spurious lintian warning about fsimage.so rpath. -- Ian Jackson <email address hidden> Fri, 22 Feb 2019 16:07:37 +0000
Superseded in stretch-release |
xen (4.8.5+shim4.10.2+xsa282-1+deb9u11) stretch-security; urgency=medium * Update to new upstream versions: * Main tree updated to Xen 4.8.5 * Shim updated to current upstream stable-4.10 branch, to avoid errors trying to cherry-pick security patches. * This includes fixes to: XSA-282 CVE-2018-19967 Xen 4.8 and 4.10 shim XSA-280 CVE-2018-19966 Xen 4.8 and 4.10 shim XSA-279 CVE-2018-19965 Xen 4.8 and 4.10 shim XSA-275 CVE-2018-19961 CVE-2018-19962 Xen 4.8 and 4.10 shim XSA-278 CVE-2018-18883 Xen 4.10 shim only * For completeness, the following fixes are not applicable: XSA-274 CVE-2018-14678 Bug is in Linux XSA-270 CVE-2018-15471 Bug is in Linux XSA-271 CVE-2018-14007 Bug is in XAPI (not in Debian) XSA-277 CVE-2018-19964 Bug not in either 4.8 or 4.10 XSA-276 CVE-2018-19963 Bug not in either 4.8 or 4.10 * Added CVEs to previous changelog entries: 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 -- Ian Jackson <email address hidden> Fri, 11 Jan 2019 18:01:30 +0000
xen (4.11.1-1) unstable; urgency=medium * debian/control: Add Homepage, Vcs-Browser and Vcs-Git. (Closes: #911457) * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086) * debian/rules: Don't exclude the actual pygrub script. * Update to new upstream version 4.11.1, which also contains: - Fix: insufficient TLB flushing / improper large page mappings with AMD IOMMUs XSA-275 CVE-2018-19961 CVE-2018-19962 - Fix: resource accounting issues in x86 IOREQ server handling XSA-276 CVE-2018-19963 - Fix: x86: incorrect error handling for guest p2m page removals XSA-277 CVE-2018-19964 - Fix: x86: Nested VT-x usable even when disabled XSA-278 CVE-2018-18883 - Fix: x86: DoS from attempting to use INVPCID with a non-canonical addresses XSA-279 CVE-2018-19965 - Fix for XSA-240 conflicts with shadow paging XSA-280 CVE-2018-19966 - Fix: guest use of HLE constructs may lock up host XSA-282 CVE-2018-19967 * Update version handling patching to put the team mailing list address in the first hypervisor log line and fix broken other substitutions. * Disable handle_iptable hook in vif-common script. See #894013 for more information. -- Hans van Kranenburg <email address hidden> Wed, 02 Jan 2019 20:59:40 +0100
Superseded in stretch-release |
xen (4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10) stretch-security; urgency=medium * Update to new upstream version 4.8.4+xsa273+shim4.10.1+xsa273. XSA-273 (CVE-2018-3620,CVE-2018-3646) XSA-272 (no CVE yet) XSA-269 (no CVE yet) XSA-268 (no CVE yet) This version is, again, a combination of staging-4.8 and staging-4.10 for Xen and shim respectively as in previous versions. -- Wolodja Wentland <email address hidden> Wed, 15 Aug 2018 23:51:28 +0100
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium * debian/rules: Cope if xen-utils-common not being built (Fixes binary-indep FTBFS.) -- Ian Jackson <email address hidden> Mon, 15 Oct 2018 18:07:11 +0100
Superseded in sid-release |
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-4) unstable; urgency=medium * Many packaging fixes to fix FTBFS on all arches other than amd64. * xen-vbd-interface(7): Provide properly-formatted NAME section * Add pandoc and markdown to Build-Depends - fixes missing docs. * Revert "tools-xenstore-compatibility.diff" apropos of discussion https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg00838.html -- Ian Jackson <email address hidden> Mon, 15 Oct 2018 12:15:36 +0100
Superseded in sid-release |
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-3) unstable; urgency=medium * hypervisor package postinst: Actually install (avoids need to run update-grub by hand). * debian/control: Adding Section to source stanza * debian/control: Add missing Replaces on old xen-utils-common * debian/rules: Add a -n to a gzip rune to improve reproducibility -- Ian Jackson <email address hidden> Fri, 12 Oct 2018 16:55:48 +0100
Superseded in sid-release |
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-2) unstable; urgency=medium * Redo as an upload with binaries, because source-only uploads to NEW are not allowed. -- Ian Jackson <email address hidden> Fri, 05 Oct 2018 19:38:52 +0100
Deleted in experimental-release (Reason: None provided.) |
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1) experimental; urgency=medium * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg. * Remove stubdom/grub.patches/00cvs from the upstream source because it's not DFSG compliant. (license-problem-gfdl-invariants) * Override statically-linked-binary lintian error about usr/lib/xen-4.11/boot/xen-shim -- Hans van Kranenburg <email address hidden> Tue, 11 Sep 2018 15:34:34 +0200
xen (4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9) stretch-security; urgency=high * Security upload [thanks to Wolodja Wentland]: XSA-264 (no CVE yet) XSA-265 (no CVE yet) XSA-266 (no CVE yet) -- Ian Jackson <email address hidden> Fri, 22 Jun 2018 16:38:39 +0100
xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) stretch-security; urgency=high * Security fixes from upstream XSAs: XSA-252 CVE-2018-7540 XSA-255 CVE-2018-7541 XSA-256 CVE-2018-7542 The upstream BTI changes from XSA-254 (Spectre v2 mitigation) are *not* included. They are currently failing in upstream CI. * init scripts: Do not kill per-domain qemu processes. Closes:#879751. * Install Meltdown READMEs on all architectures. Closes:#890488. * Ship xen-diag (by cherry-picking the appropriate commits from upstream). This can help with diagnosis of #880554. -- Ian Jackson <email address hidden> Fri, 02 Mar 2018 16:07:18 +0000
Published in jessie-release |
xen (4.4.1-9+deb8u10) jessie-security; urgency=medium Security updates, including some very important fixes: * XSA-217 CVE-2017-10912 * XSA-218 CVE-2017-10913 CVE-2017-10914 * XSA-219 CVE-2017-10915 * XSA-221 CVE-2017-10917 * XSA-222 CVE-2017-10918 * XSA-224 CVE-2017-10919 * XSA-226 CVE-2017-12135 * XSA-227 CVE-2017-12137 * XSA-230 CVE-2017-12855 * XSA-235 no CVE assigned yet Bugfixes: * evtchn: don't reuse ports that are still "busy" (for XSA-221 patch) FYI, XSAs which remain outstanding because no patch is available. * XSA-223: armhf/arm64 guest-induced host crash vulnerability FYI, inapplicable XSAs, for which no patch is included: * XSA-216: Bugs are in Linux and Qemu, not Xen * XSA-220: Xen 4.4 is not vulnerable * XSA-225: Xen 4.4 is not vulnerable * XSA-228: Xen 4.4 is not vulnerable * XSA-229: Bug is in Linux, not Xen -- Ian Jackson <email address hidden> Tue, 05 Sep 2017 18:35:04 +0100
xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2 plus a number of bugfixes and security fixes. Result is that we now include security fixes for: XSA-231 CVE-2017-14316 XSA-232 CVE-2017-14318 XSA-233 CVE-2017-14317 XSA-234 CVE-2017-14319 (235 already included in 4.8.1-1+deb9u3) XSA-236 CVE-2017-15597 XSA-237 CVE-2017-15590 XSA-238 (no CVE yet) XSA-239 CVE-2017-15589 XSA-240 CVE-2017-15595 XSA-241 CVE-2017-15588 XSA-242 CVE-2017-15593 XSA-243 CVE-2017-15592 XSA-244 CVE-2017-15594 XSA-245 (no CVE yet) and a number of upstream functionality fixes, which are not easily disentangled from the security fixes. * Apply two more security fixes: XSA-246 (no CVE yet) XSA-247 (no CVE yet) -- Ian Jackson <email address hidden> Sat, 25 Nov 2017 11:26:37 +0000
xen (4.8.1-1+deb9u3) stretch-security; urgency=high * Security fixes for XSA-226 CVE-2017-12135 XSA-227 CVE-2017-12137 XSA-228 CVE-2017-12136 XSA-230 CVE-2017-12855 XSA-235 (no CVE yet) * Adjust changelog entry for 4.8.1-1+deb9u2 to record that XSA-225 fix was indeed included. * Security fix for XSA-229 not included as that bug is in Linux, not Xen. * Security fixes for XSA-231..234 inc. not included as still embargoed. -- Ian Jackson <email address hidden> Thu, 07 Sep 2017 19:17:58 +0100
Superseded in jessie-release |
xen (4.4.1-9+deb8u9) jessie-security; urgency=medium Security updates: * XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size * XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts * XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep * XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange() * XSA-213: Closes:#861659: 64bit PV guest breakout * XSA-214: Closes:#861660: grant transfer PV privilege escalation * XSA-215: Closes:#861662: memory corruption via failsafe callback -- Ian Jackson <email address hidden> Mon, 08 May 2017 15:04:37 +0100
xen (4.8.1-1+deb9u1) unstable; urgency=medium * Security fixes for XSA-213 (Closes:#861659) and XSA-214 (Closes:#861660). (Xen 4.7 and later is not affected by XSA-215.) -- Ian Jackson <email address hidden> Tue, 02 May 2017 12:19:57 +0100
xen (4.8.1-1) unstable; urgency=high * Update to upstream 4.8.1 release. Changes include numerous bugfixes, including security fixes for: XSA-212 / CVE-2017-7228 Closes:#859560 XSA-207 / no cve yet Closes:#856229 XSA-206 / no cve yet no Debian bug -- Ian Jackson <email address hidden> Tue, 18 Apr 2017 18:05:00 +0100
xen (4.8.1~pre.2017.01.23-1) unstable; urgency=medium * Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre). Contains bugfixes. * debian/control-real etc.: debian.py: Allow version numbers like this. -- Ian Jackson <email address hidden> Mon, 23 Jan 2017 16:03:31 +0000
Superseded in jessie-release |
xen (4.4.1-9+deb8u8) jessie-security; urgency=high * Non-maintainer upload by the Security Team. * CVE-2016-7777: CR0.TS and CR0.EM not always honored for x86 HVM guests * CVE-2016-9386: x86 null segments not always treated as unusable (Closes: #845663) * CVE-2016-9382: x86 task switch to VM86 mode mis-handled (Closes: #845664) * CVE-2016-9385: x86 segment base write emulation lacking canonical address checks (Closes: #845665) * CVE-2016-9383: x86 64-bit bit test instruction emulation broken (Closes: #845668) * CVE-2016-9379, CVE-2016-9380: delimiter injection vulnerabilities in pygrub (Closes: #845670) -- Salvatore Bonaccorso <email address hidden> Sat, 03 Dec 2016 12:12:53 +0100
xen (4.8.0-1) unstable; urgency=high * Update to upstream Xen 4.8.0. Includes the following security fixes: XSA-201 CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818 XSA-198 CVE-2016-9379 CVE-2016-9380 XSA-196 CVE-2016-9378 CVE-2016-9377 Closes:#845669 XSA-195 CVE-2016-9383 XSA-194 CVE-2016-9384 Closes:#845667 XSA-193 CVE-2016-9385 XSA-192 CVE-2016-9382 XSA-191 CVE-2016-9386 Includes other bugfixes too: Closes:#812166, Closes:#818525. Cherry picks from upstream: * Security fixes: XSA-204 CVE-2016-10013 Closes:#848713 XSA-203 CVE-2016-10025 XSA-202 CVE-2016-10024 For completeness, the following XSAs do not apply here: XSA-197 CVE-2016-9381 Bug is in qemu XSA-199 CVE-2016-9637 Bug is in qemu XSA-200 CVE-2016-9932 Xen 4.8 is not affected * Cherry pick a build failure fix: "x86/emul: add likely()/unlikely() to test harness" [ Ian Jackson ] * Drop -lcrypto search from upstream configure, and from our Build-Depends. Closes:#844419. * Change my own email address to my work (Citrix) address. When uploading, I will swap hats to effectively sponsor my own upload. [ Ian Campbell ] * Start a qemu process in dom0 to service the toolstacks loopback disk attaches. (Closes: #770456) * Remove correct pidfile when stopping xenconsoled. * Check that xenstored has actually started before talking to it. Incorporate a timeout so as not to block boot (Mitigates #737613) * Correct syntax error in xen-init-list when running with xend (Closes: #763102) * Apply SELinux labels to directories created by initscripts. Patch from Russell Coker. (Closes: #764912) * Include a reportbug control file to redirect bugs to src:xen for packages which contain the Xen version in the name. Closes:#796370. [ Lubomir Host ] * Fix xen-init-name to not fail looking for a nonexistent 'config' entry in xl's JSON output. Closes:#818129. -- Ian Jackson <email address hidden> Thu, 22 Dec 2016 14:51:46 +0000
xen (4.8.0~rc5-1) unstable; urgency=medium * New upstream version, Xen 4.8.0 RC5. -- Ian Jackson <email address hidden> Fri, 11 Nov 2016 15:26:58 +0000
xen (4.8.0~rc3-1) unstable; urgency=medium * Upload 4.8.0~rc3 to unstable. (RC5 is out upstream, but let's not update to that in the middle of the Xen 4.6 -> 4.8 transition.) * No source changes. -- Ian Jackson <email address hidden> Sat, 05 Nov 2016 15:08:47 +0000