Change log for xen package in Debian

Published in sid-release
xen (4.17.3+36-g54dacb5c02-1) unstable; urgency=medium

  * Update to new upstream version 4.17.3+36-g54dacb5c02, which also contains
    security fixes for the following issues:
    - x86: shadow stack vs exceptions from emulation stubs
      XSA-451 CVE-2023-46841
  * Properly incorporate NMU changes.
  * Pick upstream commit b33a5c5929 ("tools/xenstore/xenstored_control.c:
    correctly print time_t") to fix a FTBFS on armhf with 64 bits time_t.
    (Closes: #1065794)

 -- Hans van Kranenburg <email address hidden>  Sat, 09 Mar 2024 22:03:11 +0100
Superseded in sid-release
xen (4.17.3+10-g091466ba55-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.  Closes: #1063270

 -- Steve Langasek <email address hidden>  Thu, 29 Feb 2024 07:08:41 +0000
Deleted in experimental-release (Reason: None provided.)
xen (4.17.3+10-g091466ba55-1.1~exp2) experimental; urgency=medium

  * debian/shuffle-binaries: handle rename of
    debian/libxenmiscV.install.vsn-in

 -- Steve Langasek <email address hidden>  Sat, 24 Feb 2024 02:53:03 +0000
Published in bookworm-release
xen (4.17.3+10-g091466ba55-1~deb12u1) bookworm; urgency=medium

  * Rebuild 4.17.3+10-g091466ba55-1 for Bookworm to address the security
    issues since last Debian stable update.

 -- Hans van Kranenburg <email address hidden>  Sun, 04 Feb 2024 16:31:59 +0100
Superseded in experimental-release
xen (4.17.3+10-g091466ba55-1.1~exp1) experimental; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition.

 -- Steve Langasek <email address hidden>  Mon, 05 Feb 2024 23:01:29 +0000
Superseded in sid-release
xen (4.17.3+10-g091466ba55-1) unstable; urgency=medium

  * Update to new upstream version 4.17.3+10-g091466ba55, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated (take two)
      XSA-447 CVE-2023-46837
    - pci: phantom functions assigned to incorrect contexts
      XSA-449 CVE-2023-46839
    - VT-d: Failure to quarantine devices in !HVM builds
      XSA-450 CVE-2023-46840
  * Note that the following XSA are not listed, because...
    - XSA-448 has patches for the Linux kernel.
  * Compilation with Python 3.12 has been fixed in upstream commit 4000522008
    ("Only compile the hypervisor with -Wdeclaration-after-statement")
    (Closes: #1062048)

 -- Hans van Kranenburg <email address hidden>  Sun, 04 Feb 2024 13:45:17 +0100
Superseded in bookworm-release
xen (4.17.2+76-ge1f9cb16e2-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm to address the security issues since
    4.17.1+2-gb773c48e36-1 listed below.
  * d/salsa-ci.yml: Set RELEASE variable to bookworm

 -- Maximilian Engelhardt <email address hidden>  Sat, 02 Dec 2023 17:58:08 +0100
Superseded in sid-release
xen (4.17.2+76-ge1f9cb16e2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2-76-ge1f9cb16e2, which also contains
    security fixes for the following issues: (Closes: #1056928)
    - x86/AMD: mismatch in IOMMU quarantine page table levels
      XSA-445 CVE-2023-46835
    - x86: BTC/SRSO fixes not fully effective
      XSA-446 CVE-2023-46836

 -- Maximilian Engelhardt <email address hidden>  Wed, 29 Nov 2023 20:17:30 +0100
Superseded in sid-release
xen (4.17.2+55-g0b56bed864-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated
      XSA-437 CVE-2023-34321
    - top-level shadow reference dropped too early for 64-bit PV guests
      XSA-438 CVE-2023-34322
    - x86/AMD: Divide speculative information leak
      XSA-439 CVE-2023-20588
    - xenstored: A transaction conflict can crash C Xenstored
      XSA-440 CVE-2023-34323
    - x86/AMD: missing IOMMU TLB flushing
      XSA-442 CVE-2023-34326
    - Multiple vulnerabilities in libfsimage disk handling
      XSA-443 CVE-2023-34325
    - x86/AMD: Debug Mask handling
      XSA-444 CVE-2023-34327 CVE-2023-34328
  * Note that the following XSA are not listed, because...
    - XSA-441 has patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Thu, 12 Oct 2023 19:25:55 +0200
Published in bullseye-release
xen (4.14.6-1) bullseye; urgency=medium

  * Update to new upstream version 4.14.6, which also contains
    security fixes for the following issues:
    - x86/AMD: Zenbleed
      XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow
      XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling
      XSA-435 CVE-2022-40982
  * Note that the following XSA are not listed, because...
    - XSA-430 and XSA-431 only apply to Xen 4.17
    - XSA-432 has patches for the Linux kernel.
  * Also, note that upstream security support for Xen 4.14 has ended with this
    release. This also means that Xen security support for Debian Bullseye has
    ended.

 -- Hans van Kranenburg <email address hidden>  Thu, 21 Sep 2023 16:55:59 +0200
Superseded in sid-release
xen (4.17.2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2, which also contains
    security fixes for the following issues: (Closes: #1042102)
    - x86/AMD: Zenbleed
      XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow
      XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling
      XSA-435 CVE-2022-40982
    - arm: Guests can trigger a deadlock on Cortex-A77
      XSA-436 CVE-2023-34320
  * Note that the following XSA are not listed, because...
    - XSA-432 has patches for the Linux kernel.

 -- Maximilian Engelhardt <email address hidden>  Sun, 20 Aug 2023 16:08:59 +0200
Superseded in bookworm-release
Superseded in sid-release
xen (4.17.1+2-gb773c48e36-1) unstable; urgency=medium

  * Update to new upstream version 4.17.1+2-gb773c48e36, which also contains
    security fixes for the following issues:
    - x86 shadow paging arbitrary pointer dereference
      XSA-430 CVE-2022-42335
      (Closes: #1034842)
    - Mishandling of guest SSBD selection on AMD hardware
      XSA-431 CVE-2022-42336

 -- Maximilian Engelhardt <email address hidden>  Thu, 18 May 2023 21:26:30 +0200
Superseded in bullseye-release
xen (4.14.5+94-ge49571868d-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+94-ge49571868d, which also contains
    security fixes for the following issues: (Closes: #1033297)
    - x86: Multiple speculative security issues
      XSA-422 CVE-2022-23824
    - x86 shadow plus log-dirty mode use-after-free
      XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling
      XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path
      XSA-429 CVE-2022-42331
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
    - XSA-425 only applies to Xen 4.17 and newer
    - XSA-426 only applies to Xen 4.16 and newer

 -- Maximilian Engelhardt <email address hidden>  Thu, 23 Mar 2023 20:40:49 +0100
Superseded in sid-release
xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains
    security fixes for the following issues: (Closes: #1033297)
    - x86 shadow plus log-dirty mode use-after-free
      XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling
      XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path
      XSA-429 CVE-2022-42331

 -- Maximilian Engelhardt <email address hidden>  Thu, 23 Mar 2023 22:22:48 +0100
Superseded in sid-release
xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains
    security fixes for the following issues:
     - x86: Cross-Thread Return Address Predictions
       XSA-426 CVE-2022-27672
       (Closes: #1031567)
  * debian/shuffle-boot-files: fix typo
  * debian/changelog: Fix bug number typo.
  * debian/changelog: Remove duplicate 'Note that'

 -- Hans van Kranenburg <email address hidden>  Fri, 24 Feb 2023 18:06:42 +0100
Superseded in sid-release
xen (4.17.0+24-g2f8851c37f-2) unstable; urgency=medium

  * Upload to unstable now, since we got message from the OCaml team that we
    are not bothering them while they're doing their stack rebuild.

 -- Hans van Kranenburg <email address hidden>  Mon, 06 Feb 2023 14:27:40 +0100
Deleted in experimental-release (Reason: None provided.)
xen (4.17.0+24-g2f8851c37f-2~exp1) experimental; urgency=medium

  * Upload to experimental NEW to avoid disrupting ocaml transition.

 -- Ian Jackson <email address hidden>  Sun, 05 Feb 2023 13:07:44 +0000
Superseded in sid-release
xen (4.17.0-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0.
  * No new security fixes are included.
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
  * debian/control: update Standards-Version to 4.6.2
  * debian/control: update Build-Depends for ocaml

 -- Maximilian Engelhardt <email address hidden>  Wed, 21 Dec 2022 22:34:51 +0100
Superseded in bullseye-release
xen (4.14.5+86-g1c354767d5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+86-g1c354767d5, which also contains
    security fixes for the following issues: (Closes: #1021668)
    - Xenstore: guests can let run xenstored out of memory
      XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
      CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
    - Arm: unbounded memory consumption for 2nd-level page tables
      XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long
      XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling
      XSA-411 CVE-2022-33748
    - Xenstore: Guests can crash xenstored
      XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes
      XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory
      XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains
      XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack
      XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes
      XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues
      XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions
      XSA-421 CVE-2022-42325 CVE-2022-42326
  * The upstream Xen changes now also contain the first mentioned patch of
    XSA-403 ("Linux disk/nic frontends data leaks") for stable branch lines.
    For more information, please refer to the XSA-403 advisory text.
  * Note that the following XSA are not listed, because...
    - XSA-412 only applies to Xen 4.16 and newer
    - XSA-413 applies to XAPI which is not included in Debian
  * Correct a typo in the previous changelog entry.

 -- Hans van Kranenburg <email address hidden>  Fri, 04 Nov 2022 20:25:46 +0100
Deleted in experimental-release (Reason: None provided.)
xen (4.17.0~rc4-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.17.0~rc4.

  Changes related to upgrading to Xen 4.17:
  * debian/control: adjust to 4.17
  * Drop "libxl: Fix unneededly rebuilding build.o(pic)", no longer needed
  * Refresh remaining patches if needed

 -- Maximilian Engelhardt <email address hidden>  Wed, 07 Dec 2022 21:01:04 +0100
Superseded in sid-release
xen (4.16.2+90-g0d39a6d1ae-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2+90-g0d39a6d1ae, which also contains
    security fixes for the following issues:
     - Xenstore: guests can let run xenstored out of memory
       XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
       CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
     - Arm: unbounded memory consumption for 2nd-level page tables
       XSA-409 CVE-2022-33747
     - P2M pool freeing may take excessively long
       XSA-410 CVE-2022-33746
     - lock order inversion in transitive grant copy handling
       XSA-411 CVE-2022-33748
     - x86: unintended memory sharing between guests
       XSA-412 CVE-2022-42327
     - Xenstore: Guests can crash xenstored
       XSA-414 CVE-2022-42309
     - Xenstore: Guests can create orphaned Xenstore nodes
       XSA-415 CVE-2022-42310
     - Xenstore: Guests can cause Xenstore to not free temporary memory
       XSA-416 CVE-2022-42319
     - Xenstore: Guests can get access to Xenstore nodes of deleted domains
       XSA-417 CVE-2022-42320
     - Xenstore: Guests can crash xenstored via exhausting the stack
       XSA-418 CVE-2022-42321
     - Xenstore: Cooperating guests can create arbitrary numbers of nodes
       XSA-419 CVE-2022-42322 CVE-2022-42323
     - Oxenstored 32->31 bit integer truncation issues
       XSA-420 CVE-2022-42324
     - Xenstore: Guests can create arbitrary number of nodes via transactions
       XSA-421 CVE-2022-42325 CVE-2022-42326
     - x86: Multiple speculative security issues
       XSA-422 CVE-2022-23824
   * Note that the following XSA are not listed, because...
     - XSA-413 applies to XAPI which is not included in Debian
   * Drop the "x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1"
     patch again because it's included in upstream changes now.

 -- Hans van Kranenburg <email address hidden>  Wed, 16 Nov 2022 12:50:33 +0100
Superseded in sid-release
xen (4.16.2-2) unstable; urgency=medium

  * debian/control: Add libzstd-dev as Build-Depends
  * Pick upstream commit c3bd0b83ea ("x86/CPUID: surface suitable value in EBX
    of XSTATE subleaf 1") to fix compatibility with Linux 5.19.
    (Closes: #1020787)

 -- Hans van Kranenburg <email address hidden>  Wed, 28 Sep 2022 19:03:14 +0200
Superseded in bullseye-release
xen (4.14.5+24-g87d90d511c-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+24-g87d90d511c, which also contains
    security fixes for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
  * Note that the following XSA are not listed, because...
    - XSA-403 patches are not applied to stable branch lines.
    - XSA-405 and XSA-406 have patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Wed, 13 Jul 2022 16:28:39 +0200
Superseded in sid-release
xen (4.16.2-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2, which also contains
    security fixes for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
      Note that this XSA also contains patches that have to be applied to the
      Linux kernel to make use of the new mitigations.
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  * d/.../grub.d/xen.cfg: Redirect output when running grub-mkconfig so that
    we do not wrongly cause text to end up being part of the generated grub
    configuration. (Closes: #1016547)
  * Clean up lintian overrides that are reported as unused.
  * Move comments about lintian overrides above the override line itself,
    instead of being below, as instructed by the lintian documentation.
  * Deal with formatting changes in lintian output, which invalidate
    overrides we have. Also see Debian bug #1007002 for more information.

 -- Hans van Kranenburg <email address hidden>  Tue, 23 Aug 2022 13:25:38 +0200
Superseded in bullseye-release
xen (4.14.4+74-gd7b22226b5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.4+74-gd7b22226b5, which also contains
    security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings
      XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant
      XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs
      XSA-395 CVE-2022-23035
    - Racy interactions between dirty vram tracking and paging log dirty
      hypercalls
      XSA-397 CVE-2022-26356
    - Multiple speculative security issues
      XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup
      XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
      XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-391, XSA-392 and XSA-396 have patches for the Linux kernel.

 -- Hans van Kranenburg <email address hidden>  Fri, 08 Apr 2022 11:40:51 +0200
Superseded in sid-release
xen (4.16.1-1) unstable; urgency=medium

  * Update to new upstream version 4.16.1, which also contains security fixes
    for the following issues:
    - Racy interactions between dirty vram tracking and paging log dirty
      hypercalls
      XSA-397 CVE-2022-26356
    - Multiple speculative security issues
      XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup
      XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
      XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-396 has patches for the Linux kernel.
  * Don't ship NEWS in libxen* packages. Instead, only ship relevant NEWS
    items for actual hypervisor and/or utils packages they belong to.
    (Closes: #962267)
  * d/control: make xen-hypervisor-common arch specific, just like
    xen-utils-common.
  * d/control: stop recommending qemu-system-x86 on arm, because qemu is not
    being built with xen support on arm...
  * Add a patch for tools/libs/light/Makefile which prevents build.o and
    build.opic to be rebuilt unneededly during the package install phase,
    causing a FTBFS because it triggers the use of ccache, which is not
    allowed in the install phase of building the Debian packages.

  Improvements related to Qemu integration:  [Michael Tokarev]
  * d/xen-utils-common.xen.init: properly disable qemu monitor/serial/parallel
    devices for qemu started at boot.
  * debian: switch from recommending qemu-system-x86 to qemu-system-xen and
    mention this change in the NEWS file.
  * Add patch "give meaningful error message if qemu device model is
    unavailable" to give a useful error message only in case the domU needs
    the qemu device model which is not installed, instead of giving a warning
    about missing qemu even if it is not used by this domain.

  Documentation, grammar and spelling fixes and improvements:
  * d/control: drop obsolete paragraph about separate xen linux kernel package
  * d/control: Harmonize the capitalization of the 'Xen' word  [Diederik de Haas]
  * d/control: Improve spelling and grammar  [Diederik de Haas]

 -- Hans van Kranenburg <email address hidden>  Mon, 09 May 2022 22:29:23 +0200
Superseded in sid-release
xen (4.16.0+51-g0941d6cb-1) unstable; urgency=medium

  * Update to new upstream version 4.16.0+51-g0941d6cb, which also contains
    security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings
      XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant
      XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs
      XSA-395 CVE-2022-23035
  * Note that the following XSA are not listed, because...
    - XSA-391 and XSA-392 have patches for the Linux kernel.
  * Upload to unstable now, which obsoletes the Xen 4.14 FTBFS issue.
    (Closes: #1002658)

 -- Hans van Kranenburg <email address hidden>  Sat, 19 Feb 2022 20:29:32 +0100
Deleted in experimental-release (Reason: None provided.)
xen (4.16.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.16.0. This also includes a security fix
    for the following issue, which was not applicable to Xen 4.14 yet:
    - certain VT-d IOMMUs may not work in shared page table mode
      XSA-390 CVE-2021-28710
  * No longer build any package for the i386 architecture. It was already not
    possible to use x86_32 hardware because the i386 packages already
    shipped a 64-bit hypervisor and PV shim. Running 32-bit utils with a
    64-bit hypervisor requires using a compatibility layer that is fragile and
    becomes harder to maintain and test upstream. This change ends the 'grace
    period' in which users should have moved to using a fully 64-bit dom0.
    - debian/{control,rules,salsa-ci.yml,xen-utils-V.install.vsn-in}: make the
      necessary changes
    - Remove the Recommends on libc6-xen, which already actually does not
      exist any more. (Closes: #992909)
    - Drop patch "tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on
      x86_32" because it is not relevant any more.

  Changes related to upgrading to Xen 4.16:
  * debian/control: adjust to 4.16  [Maximilian Engelhardt]
  * Drop patches that have been applied upstream
  * Refresh remaining patches if needed
  * debian: follow upstream removal of '.sh' suffix in xl bash_completion file
    [Maximilian Engelhardt]
  * debian/control, debian/libxenstore*: ship a libxenstore4 package instead
    of libxenstore3.0, since upstream bumped the soname
    [Maximilian Engelhardt]

  Packaging minor fixes and improvements  [Maximilian Engelhardt]:
  * debian/rules: set SOURCE_BASE_DIR to the top level build dir so that the
    "Display Debian package version in hypervisor log" patch can use it.
  * Add patch "xen/arch/x86: make objdump output user locale agnostic" to fix
    reproducible builds. This patch will also be sent upstream.
  * d/rules: remove reproducible=+fixfilepath from DEB_BUILD_MAINT_OPTIONS
  * d/salsa-ci.yml: Explicitly set RELEASE variable to unstable
  * d/salsa-ci.yml: disable cross building as it's currently not working
  * debian: call update-grub when installing/removing xen-hypervisor-common
    (Closes: #988901)
  * debian: fix dependency generation for python after dh-python was fixed
    first. (Closes: #976597)
  * debian/rules: remove unused pybuild settings

  Packaging minor fixes and improvements:
  * Improve patches for building the PV shim separately. This enables to
    drop the extra Revert of an upstream commit that was done in
    4.14.0+80-gd101b417b7-1~exp1:
    - Drop patch: Revert "pvshim: make PV shim build selectable from
      configure"
    - Update patch "[...] Respect caller's CONFIG_PV_SHIM" to follow moving
      of a line to a different file
    - Drop patch: "tools/firmware/Makefile: CONFIG_PV_SHIM: enable only on
      x86_64" because that's now already the default upstream
  * debian/control.md5sum: remove this obsolete file
  * Merge patches "vif-common: disable handle_iptable" and
    "t/h/L/vif-common.sh: fix handle_iptable return value" into a single
    patch, since the latter was a fix for the first.
  * debian/control: change the Uploaders email address for Ian Jackson,
    since he does not work at Citrix any more now

 -- Hans van Kranenburg <email address hidden>  Mon, 17 Jan 2022 18:36:02 +0100
Superseded in bullseye-release
xen (4.14.3+32-g9de3671772-1~deb11u1) bullseye-security; urgency=medium

  * d/salsa-ci.yml: Set RELEASE variable to bullseye
  * Rebuild for bullseye-security

 -- Hans van Kranenburg <email address hidden>  Thu, 02 Dec 2021 21:45:55 +0100
Superseded in sid-release
xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium

  * Update to new upstream version 4.14.3+32-g9de3671772, which also contains
    security fixes for the following issues:
    - guests may exceed their designated memory limit
      XSA-385 CVE-2021-28706
    - PCI devices with RMRRs not deassigned correctly
      XSA-386 CVE-2021-28702
    - PoD operations on misaligned GFNs
      XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
    - issues with partially successful P2M updates on x86
      XSA-389 CVE-2021-28705 CVE-2021-28709
  * Note that the following XSA are not listed, because...
    - XSA-387 only applies to Xen 4.13 and older
    - XSA-390 only applies to Xen 4.15
  * Pick the following upstream commits to fix a regression which prevents
    amd64 type hardware to fully power off. The issue was introduced in
    version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to
    improve Raspberry Pi 4 support. (Closes: #994899):
    - 8b6d55c126 ("x86/ACPI: fix mapping of FACS")
    - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb")
    - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping")
    - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector
                   cannot be determined")

 -- Hans van Kranenburg <email address hidden>  Sat, 27 Nov 2021 15:09:47 +0100
Published in buster-release
xen (4.11.4+107-gef32c7afa2-1) buster-security; urgency=high

  * Update to new upstream version 4.11.4+107-gef32c7afa2, which also contains
    security fixes for the following issues:
    - inappropriate x86 IOMMU timeout detection / handling
      XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass
      XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3
      XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-371 and XSA-374 have patches for the Linux kernel.
    - XSA-372 only applies to Xen 4.12 and newer.

 -- Hans van Kranenburg <email address hidden>  Mon, 14 Jun 2021 16:41:01 +0200
Superseded in bullseye-release
xen (4.14.3-1~deb11u1) bullseye-security; urgency=medium

  * Rebuild for bullseye-security

 -- Hans van Kranenburg <email address hidden>  Mon, 13 Sep 2021 16:28:21 +0200
Superseded in sid-release
xen (4.14.3-1) unstable; urgency=high

  * Update to new upstream version 4.14.3, which also contains security fixes
    for the following issues:
    - IOMMU page mapping issues on x86
      XSA-378 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696
    - grant table v2 status pages may remain accessible after de-allocation
      XSA-379 CVE-2021-28697
    - long running loops in grant table handling
      XSA-380 CVE-2021-28698
    - inadequate grant-v2 status frames array bounds check
      XSA-382 CVE-2021-28699
    - xen/arm: No memory limit for dom0less domUs
      XSA-383 CVE-2021-28700
    - Another race in XENMAPSPACE_grant_table handling
      XSA-384 CVE-2021-28701

 -- Hans van Kranenburg <email address hidden>  Mon, 13 Sep 2021 11:51:20 +0200
Superseded in bullseye-release
Superseded in sid-release
xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium

  * Add README.Debian.security containing a note about the end of upstream
    security support for Xen 4.14. Install it into xen-hypervisor-common.

 -- Hans van Kranenburg <email address hidden>  Fri, 30 Jul 2021 16:57:52 +0200
Superseded in sid-release
xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium

  * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains
    security fixes for the following issues:
    - HVM soft-reset crashes toolstack
      XSA-368 CVE-2021-28687
    - xen/arm: Boot modules are not scrubbed
      XSA-372 CVE-2021-28693
    - inappropriate x86 IOMMU timeout detection / handling
      XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass
      XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3
      XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the
      Linux kernel.
    - XSA-366 only applies to Xen 4.11.

 -- Hans van Kranenburg <email address hidden>  Sun, 11 Jul 2021 14:29:13 +0200
Superseded in buster-release
xen (4.11.4+99-g8bce4698f6-1) buster-security; urgency=high

  * Update to new upstream version 4.11.4+99-g8bce4698f6, which also contains
    security fixes for the following issues:
    - arm: The cache may not be cleaned for newly allocated scrubbed pages
      XSA-364 CVE-2021-26933
    - missed flush in XSA-321 backport
      XSA-366 CVE-2021-27379
  * Note that the following XSA are not listed, because...
    - XSA-360 and XSA-368 only apply to Xen 4.12 and newer.
    - XSA-361, XSA-362, XSA-363, XSA-365, XSA-367 and XSA-369 have patches for
      the Linux kernel.
  * Drop separate patches for XSAs up to 359 that are now included in the
    upstream stable branch.
  * Fix cosmetics wrt. XSA/CVE text formatting in the previous entry.

 -- Hans van Kranenburg <email address hidden>  Wed, 24 Mar 2021 19:52:15 +0100
Superseded in bullseye-release
Superseded in sid-release
xen (4.14.1+11-gb0b734a8b3-1) unstable; urgency=medium

  * Update to new upstream version 4.14.1+11-gb0b734a8b3, which also contains
    security fixes for the following issues:
    - IRQ vector leak on x86
      XSA-360 CVE-2021-3308  (Closes: #981052)
    - arm: The cache may not be cleaned for newly allocated scrubbed pages
      XSA-364 CVE-2021-26933
  * Drop separate patches for XSAs up to 359 that are now included in the
    upstream stable branch.

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * debian/rules: Set CC/LD to enable cross-building
  * d/shuffle-binaries: Fix binary shuffling script for cross-building
  * Rework "debian/rules: Do not try to move EFI binaries on armhf"
  * debian/scripts: Optimize runtime scripts
  * debian/xen-utils-common.examples: Remove xm examples
  * d/shuffle-boot-files: make it POSIX compliant  [Hans van Kranenburg, based
    on a patch by Elliott Mitchell]
  * d/shuffle-binaries: Switch loop from for to while
  * d/shuffle-binaries: Switch to POSIX shell, instead of Bash
  * d/shuffle-boot-files: Switch to POSIX shell, instead of Bash
  * debian/xendomains.init: Pipe xen-init-list instead of tmp file

  Make the package build reproducibly [Maximilian Engelhardt]:
  * debian/salsa-ci.yml: enable salsa-ci
  * debian/salsa-ci.yml: enable diffoscope in reprotest
  * debian/rules: use SOURCE_DATE_EPOCH for xen build dates
  * debian/rules: don't include build path in binaries
  * debian/rules: reproducibly build oxenstored
  * Pick the following upstream commits:
    - 5816d327e4 ("xen: don't have timestamp inserted in config.gz")
    - ee41b5c450 ("x86/EFI: don't insert timestamp when SOURCE_DATE_EPOCH is
                   defined")
    - e18dadc5b7 ("docs: use predictable ordering in generated documentation")
  * Include upstream patch that is not committed yet, but needed:
    - docs: set date to SOURCE_DATE_EPOCH if available
  * debian/salsa-ci.yml: don't allow reprotest to fail

  Packaging bugfixes and improvements:
  * d/shuffle-boot-files: Document more inner workings

 -- Hans van Kranenburg <email address hidden>  Sun, 28 Feb 2021 19:49:45 +0100
Superseded in buster-release
xen (4.11.4+57-g41a822c392-2) buster-security; urgency=high

  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node
      XSA-353 (CVE-2020-29479)
    - xenstore watch notifications lacking permission checks
      XSA-115 (CVE-2020-29480)
    - Xenstore: new domains inheriting existing node permissions
      XSA-322 (CVE-2020-29481)
    - Xenstore: wrong path length check
      XSA-323 (CVE-2020-29482)
    - Xenstore: guests can crash xenstored via watchs
      XSA-324 (CVE-2020-29484)
    - Xenstore: guests can disturb domain cleanup
      XSA-325 (CVE-2020-29483)
    - oxenstored memory leak in reset_watches
      XSA-330 (CVE-2020-29485)
    - oxenstored: node ownership can be changed by unprivileged clients
      XSA-352 (CVE-2020-29486)
    - undue recursion in x86 HVM context switch code
      XSA-348 (CVE-2020-29566)
    - FIFO event channels control block related ordering
      XSA-358 (CVE-2020-29570)
    - FIFO event channels control structure ordering
      XSA-359 (CVE-2020-29571)
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack
    - XSA-356 only applies to Xen 4.14

 -- Hans van Kranenburg <email address hidden>  Fri, 11 Dec 2020 22:10:09 +0100
Superseded in sid-release
xen (4.14.0+88-g1d1d1f5391-2) unstable; urgency=high

  * For now, revert "debian/rules: Set CC/LD to enable cross-building", since
    it causes an FTBFS on i386.

 -- Hans van Kranenburg <email address hidden>  Tue, 15 Dec 2020 14:57:41 +0100
Superseded in sid-release
xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high

  * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains
    security fixes for the following issues:
    - stack corruption from XSA-346 change
      XSA-355 CVE-2020-29040 (Closes: #976109)
  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node
      XSA-353 CVE-2020-29479
    - xenstore watch notifications lacking permission checks
      XSA-115 CVE-2020-29480
    - Xenstore: new domains inheriting existing node permissions
      XSA-322 CVE-2020-29481
    - Xenstore: wrong path length check
      XSA-323 CVE-2020-29482
    - Xenstore: guests can crash xenstored via watchs
      XSA-324 CVE-2020-29484
    - Xenstore: guests can disturb domain cleanup
      XSA-325 CVE-2020-29483
    - oxenstored memory leak in reset_watches
      XSA-330 CVE-2020-29485
    - oxenstored: node ownership can be changed by unprivileged clients
      XSA-352 CVE-2020-29486
    - undue recursion in x86 HVM context switch code
      XSA-348 CVE-2020-29566
    - infinite loop when cleaning up IRQ vectors
      XSA-356 CVE-2020-29567
    - FIFO event channels control block related ordering
      XSA-358 CVE-2020-29570
    - FIFO event channels control structure ordering
      XSA-359 CVE-2020-29571
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack

  Packaging bugfixes and improvements:
  * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611)
  * Add missing CVE numbers to the previous changelog entries

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * d/shuffle-binaries: Make error detection/message overt
  * d/shuffle-binaries: Add quoting for potentially changeable variables
  * d/shuffle-boot-files: Add lots of double-quotes when handling variables
  * debian/rules: Set CC/LD to enable cross-building
  * debian/xen.init: Load xen_acpi_processor on boot
  * d/shuffle-binaries: Remove useless extra argument being passed in

  Packaging bugfixes and improvements [Maximilian Engelhardt]:
  * d/xen-hypervisor-V-F.postinst.vsn-in: use reboot-required
    (Closes: #862408)
  * d/xen-hypervisor-V-F.postrm: actually install script
  * d/xen-hypervisor-V.*: clean up unused files
  * d/xen-hypervisor-V.bug-control.vsn-in: actually install script
  * debian/rules: enable verbose build

  Fixes to patches for upstream code:
  * t/h/L/vif-common.sh: force handle_iptable return value to be 0
    (Closes: #955994)

  * Pick the following upstream commits to improve Raspberry Pi 4 support,
    requested by Elliott Mitchell:
    - 25849c8b16 ("xen/rpi4: implement watchdog-based reset")
    - 17d192e023 ("tools/python: Pass linker to Python build process")
    - 861f0c1109 ("xen/arm: acpi: Don't fail if SPCR table is absent")
    - 1c4aa69ca1 ("xen/acpi: Rework acpi_os_map_memory() and
                   acpi_os_unmap_memory()")
    - 4d625ff3c3 ("xen/arm: acpi: The fixmap area should always be cleared
                   during failure/unmap")
    - dac867bf9a ("xen/arm: Check if the platform is not using ACPI before
                   initializing Dom0less")
    - 9c2bc0f24b ("xen/arm: Introduce fw_unreserved_regions() and use it")
    - 7056f2f89f ("xen/arm: acpi: add BAD_MADT_GICC_ENTRY() macro")
    - 957708c2d1 ("xen/arm: traps: Don't panic when receiving an unknown debug
                   trap")

  * Pick upstream commit ba6e78f0db ("fix spelling errors"). Thanks, Diederik.

 -- Hans van Kranenburg <email address hidden>  Tue, 15 Dec 2020 13:00:00 +0100
Superseded in buster-release
xen (4.11.4+37-g3263f257ca-1) buster-security; urgency=high

  * Update to new upstream version 4.11.4+37-g3263f257ca, which also contains
    security fixes for the following issues:
    - x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
      XSA-333 CVE-2020-25602
    - race when migrating timers between x86 HVM vCPU-s
      XSA-336 CVE-2020-25604
    - PCI passthrough code reading back hardware registers
      XSA-337 CVE-2020-25595
    - once valid event channels may not turn invalid
      XSA-338 CVE-2020-25597
    - x86 pv guest kernel DoS via SYSENTER
      XSA-339 CVE-2020-25596
    - Missing memory barriers when accessing/allocating an event channel
      XSA-340 CVE-2020-25603
    - out of bounds event channels available to 32-bit x86 domains
      XSA-342 CVE-2020-25600
    - races with evtchn_reset()
      XSA-343 CVE-2020-25599
    - lack of preemption in evtchn_reset() / evtchn_destroy()
      XSA-344 CVE-2020-25601
  * Note that with this update, we will be detaching the Buster updates from
    the Xen version in Debian unstable, which will get a newer Xen version
    RSN.

 -- Hans van Kranenburg <email address hidden>  Thu, 01 Oct 2020 14:50:58 +0200
Superseded in sid-release
xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium

  * Re-upload to unstable for rebuild.

 -- Ian Jackson <email address hidden>  Tue, 24 Nov 2020 10:28:22 +0000
Deleted in experimental-release (Reason: None provided.)
xen (4.14.0+80-gd101b417b7-1~exp2) experimental; urgency=medium

  * Re-upload since apparently DMs aren't allowed NEW?

 -- Ian Jackson <email address hidden>  Mon, 23 Nov 2020 13:24:17 +0000
Superseded in experimental-release
xen (4.14.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.14.0.
    (Closes: #866380) about removal of broken xen-bugtool
  * debian/{rules,control}: switch to python 3
    (Closes: #938843) about python 2 removal in bullseye
  * debian/control: Fix python dependency to use python3-dev:any and
    libpython3-dev  [Elliott Mitchell]

  Changes related to upgrading to Xen 4.14:
  * debian/control: adjust to 4.14
  * debian/rules: remove install commands for pkgconfig files, since those
    files are not present any more
  * debian/: Follow fsimage -> xenfsimage renaming
  * debian/xen-utils-V.*: Use @version@ instead of hardcoded version
  * debian/control: add flex, bison
  * debian/control: add libxenhypfs[1]  [Ian Jackson]
  * debian/libxenstore3.0.symbols: drop xprintf
    (Closes: #968965)  [Ian Jackson; also reported by Gianfranco Costamagna]
  * d/scripts/xen-init-name, d/scripts/xen-init-list: rewrite these two
    scripts, hugely simplify them and make them use python 3
  * Pick upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2
    maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix
    -Werror=stringop-truncation in libxl__prepare_sockaddr_un") to fix gcc 10
    FTBFS
  * tools: don't build/ship xenmon, it can't work with python 3

  Packaging minor fixes and improvements:
  * debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * debian/rules: Improve comment about hardening options
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * debian/rules: Drop redundant sequence numbers in dh_installinit
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * d/xen-utils-common.xen.init: add important notes to keep in mind when
    changing this script, related to multi-version handling
  * debian/control: cleanup Uploaders and add myself
  * debian/control: s/libncurses5-dev/libncurses-dev/
  * xen-utils-V scripts: remove update-alternatives command
  * xen-utils-V.postinst.vsn-in: whitespace cosmetics
  * d/xen-utils-common.xen.init: disable oom killer for xenstored
    (Closes: #961511)
  * debian/rules: Combine shared Make args  [Elliott Mitchell]

  Fixes and improvements for cross-compiling  [Elliott Mitchell]:
  * debian/rules: Add --host to tools configure target
  * Pick upstream commit 69953e285638 ('tools: Partially revert
    "Cross-compilation fixes."')

  Lintian related fixes:
  * debian/changelog: trim trailing whitespace.  [Debian Janitor]
  * debian/pycompat: remove obsolete file.  [Debian Janitor]
  * debian/rules: Avoid using $(PWD) variable.  [Debian Janitor]
  * debian/control: hardcode xen-utils-4.14 python3 dependency because
    dh_python can't figure out how to add it
  * debian/control: xen-doc: add ${misc:Depends}
  * d/xen-hypervisor-V-F.lintian-overrides.vsn-in: fix override to use the
    newer debug-suffix-not-dbg tag and correct the file path used so it
    matches again
  * debian/control: remove XS-Python-Version which is deprecated
  * debian/control: drop autotools-dev build dependency because debhelper
    already takes care of this
  * d/xen-utils-V.lintian-overrides.vsn-in: fix rpath override because the
    xenfsimage python .so filename changed from xenfsimage.so into
    xenfsimage.cpython-38-x86_64-linux-gnu.so now, make it match again
  * d/xen-utils-V.lintian-overrides.vsn-in: s/fsimage/xenfsimage/ which is a
    left over change from the rename in some comment lines
  * d/xen-utils-common.xen.init: use /run instead of /var/run because we don't
    expect anyone on a pre-stretch system to build and use these packages
  * debian/control: update Standards-Version to 4.5.0

 -- Hans van Kranenburg <email address hidden>  Thu, 17 Sep 2020 18:59:28 +0200
Superseded in buster-release
xen (4.11.4+24-gddaaccbbab-1~deb10u1) buster-security; urgency=high

  * Rebuild as Buster security update.

 -- Hans van Kranenburg <email address hidden>  Fri, 10 Jul 2020 18:54:34 +0200
Superseded in sid-release
xen (4.11.4+24-gddaaccbbab-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4+24-gddaaccbbab, which also contains
    security fixes for the following issues:
    - inverted code paths in x86 dirty VRAM tracking
      XSA-319 CVE-2020-15563
    - Special Register Buffer speculative side channel
      XSA-320 CVE-2020-0543
      N.B: To mitigate this issue, new cpu microcode is required. The changes
      in Xen provide a workaround for affected hardware that is not receiving
      a vendor microcode update. Please refer to the upstream XSA-320 Advisory
      text for more details.
    - insufficient cache write-back under VT-d
      XSA-321 CVE-2020-15565
    - Missing alignment check in VCPUOP_register_vcpu_info
      XSA-327 CVE-2020-15564
    - non-atomic modification of live EPT PTE
      XSA-328 CVE-2020-15567

 -- Hans van Kranenburg <email address hidden>  Tue, 07 Jul 2020 16:07:39 +0200
Superseded in sid-release
xen (4.11.4-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4, which also contains security fixes
    for the following issues:
    - arm: a CPU may speculate past the ERET instruction
      XSA-312 (no CVE yet)
    - multiple xenoprof issues
      XSA-313 CVE-2020-11740 CVE-2020-11741
    - Missing memory barriers in read-write unlock paths
      XSA-314 CVE-2020-11739
    - Bad error path in GNTTABOP_map_grant
      XSA-316 CVE-2020-11743
    - Bad continuation handling in GNTTABOP_copy
      XSA-318 CVE-2020-11742
  * xen-utils and xen-utils-common maint scripts: Replace the previous fix in
    the xen init script with a better fix in the xen-utils package instead, to
    prevent calling the init script stop action (resulting in a disappeared
    xenconsoled) when removing a xen-utils package that belongs to a previous
    (not currently running) Xen version. Also prevent the xen-utils-common
    package from inadvertently calling stop and start actions because
    dh_installinit would add code for that. (Closes: #932759)
  * debian/NEWS: Mention fixing #932759 and how to deal with the bug

 -- Hans van Kranenburg <email address hidden>  Tue, 26 May 2020 13:33:17 +0200
Published in stretch-release
xen (4.8.5.final+shim4.10.4-1+deb9u12) stretch-security; urgency=medium

  * *NOTE* this will probably be the *LAST UPDATE* for Xen in Debian 9.x
    (stretch), since this is the last batch of security patches from
    upstream, where Xen 4.8 is out of security support.

  * Update to new upstream final tip of 4.8 stable branch, which I have
    dubbed upstream/stable-4.8.5.final.  And shim 4.10.4.
  * This includes fixes to:
       XSA-311  CVE-2019-19577
       XSA-310  CVE-2019-19580
       XSA-309  CVE-2019-19578
       XSA-308  CVE-2019-19583
       XSA-307  CVE-2019-19581 CVE-2019-19582
       XSA-306  CVE-2019-19579
       XSA-305  CVE-2019-11135
       XSA-304  CVE-2018-12207
       XSA-303  CVE-2019-18422
       XSA-302  CVE-2019-18424
       XSA-301  CVE-2019-18423
       XSA-299  CVE-2019-18421
       XSA-298  CVE-2019-18425
       XSA-297  CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
       XSA-296  CVE-2019-18420
       XSA-295  CVE-2019-17349 CVE-2019-17350
       XSA-294  CVE-2019-17348
       XSA-293  CVE-2019-17347
       XSA-292  CVE-2019-17346
       XSA-291  CVE-2019-17345
       XSA-290  CVE-2019-17344
       XSA-288  CVE-2019-17343
       XSA-287  CVE-2019-17342
       XSA-285  CVE-2019-17341
       XSA-284  CVE-2019-17340
  * For completeness, the following are not applicable:
       XSA-300  CVE-2019-17351  Bug is in Linux
       XSA-289                  Spectre V1 + L1TF combo; no new fixes
       XSA-283                  Withdrawn XSA number
       XSA-281                  Withdrawn XSA number
  * The following is *not* fixed at this time:
       XSA-286                  Still embargoed.

  * README.comet: remove line about PVH support.
    [Hans van Kranenburg]  Closes:#908453.

 -- Ian Jackson <email address hidden>  Fri, 10 Jan 2020 17:09:30 +0000
Superseded in buster-release
xen (4.11.3+24-g14b62ab3e5-1~deb10u1) buster-security; urgency=high

  * Rebuild for buster-security

 -- Hans van Kranenburg <email address hidden>  Wed, 08 Jan 2020 13:21:23 +0100
Superseded in sid-release
xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=high

  * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
    contains the following security fixes: (Closes: #947944)
    - Unlimited Arm Atomics Operations
      XSA-295 CVE-2019-17349 CVE-2019-17350
    - VCPUOP_initialise DoS
      XSA-296 CVE-2019-18420
    - missing descriptor table limit checking in x86 PV emulation
      XSA-298 CVE-2019-18425
    - Issues with restartable PV type change operations
      XSA-299 CVE-2019-18421
    - add-to-physmap can be abused to DoS Arm hosts
      XSA-301 CVE-2019-18423
    - passed through PCI devices may corrupt host memory after deassignment
      XSA-302 CVE-2019-18424
    - ARM: Interrupts are unconditionally unmasked in exception handlers
      XSA-303 CVE-2019-18422
    - x86: Machine Check Error on Page Size Change DoS
      XSA-304 CVE-2018-12207
    - TSX Asynchronous Abort speculative side channel
      XSA-305 CVE-2019-11135
    - Device quarantine for alternate pci assignment methods
      XSA-306 CVE-2019-19579
    - find_next_bit() issues
      XSA-307 CVE-2019-19581 CVE-2019-19582
    - VMX: VMentry failure with debug exceptions and blocked states
      XSA-308 CVE-2019-19583
    - Linear pagetable use / entry miscounts
      XSA-309 CVE-2019-19578
    - Further issues with restartable PV type change operations
      XSA-310 CVE-2019-19580
    - Bugs in dynamic height handling for AMD IOMMU pagetables
      XSA-311 CVE-2019-19577
  * Add missing CVE numbers to previous changelog entries

 -- Hans van Kranenburg <email address hidden>  Wed, 08 Jan 2020 12:41:42 +0100
Superseded in buster-release
Superseded in sid-release
xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high

  * Mention MDS and the need for updated microcode and disabling
    hyper-threading in NEWS.
  * Mention the ucode=scan option in the grub.d/xen documentation.

 -- Hans van Kranenburg <email address hidden>  Sat, 22 Jun 2019 11:15:08 +0200
Superseded in sid-release
xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high

  * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
    contains the following security fixes:
    - Fix: grant table transfer issues on large hosts
      XSA-284 (no CVE yet) (Closes: #929991)
    - Fix: race with pass-through device hotplug
      XSA-285 (no CVE yet) (Closes: #929998)
    - Fix: x86: steal_page violates page_struct access discipline
      XSA-287 (no CVE yet) (Closes: #930001)
    - Fix: x86: Inconsistent PV IOMMU discipline
      XSA-288 (no CVE yet) (Closes: #929994)
    - Fix: missing preemption in x86 PV page table unvalidation
      XSA-290 (no CVE yet) (Closes: #929996)
    - Fix: x86/PV: page type reference counting issue with failed IOMMU update
      XSA-291 (no CVE yet) (Closes: #929995)
    - Fix: x86: insufficient TLB flushing when using PCID
      XSA-292 (no CVE yet) (Closes: #929993)
    - Fix: x86: PV kernel context switch corruption
      XSA-293 (no CVE yet) (Closes: #929999)
    - Fix: x86 shadow: Insufficient TLB flushing when using PCID
      XSA-294 (no CVE yet) (Closes: #929992)
    - Fix: Microarchitectural Data Sampling speculative side channel
      XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
      (Closes: #929129)
  * Note that the fixes for XSA-297 will only have effect when also loading
    updated cpu microcode with MD_CLEAR functionality. When using the
    intel-microcode package to include microcode in the dom0 initrd, it has to
    be loaded by Xen. Please refer to the hypervisor command line
    documentation about the 'ucode=scan' option.
  * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
    next upload.

 -- Hans van Kranenburg <email address hidden>  Tue, 18 Jun 2019 09:50:19 +0200
Superseded in buster-release
Superseded in sid-release
xen (4.11.1+26-g87f51bf366-3) unstable; urgency=medium

  Minor useability improvements and fixes:
  * bash-completion: also complete 'xen'  [Hans van Kranenburg]
  * /etc/default/xen: Handle with ucf again, like in stretch.
    Closes:#923401.  [Ian Jackson]

  Build fix:
  * Fix FTBFS when building only arch-indep binaries (eg
    dpkg-buildpackage -A).  Was due to dh-exec bug wrt not-installed.
    Closes:#923013.  [Hans van Kranenburg; report from Santiago Vila]

  Documentation fix:
  * grub.d/xen.cfg: dom0_mem max IS needed  [Hans van Kranenburg]

 -- Ian Jackson <email address hidden>  Thu, 28 Feb 2019 16:37:04 +0000
Superseded in sid-release
xen (4.11.1+26-g87f51bf366-2) unstable; urgency=medium

  * Packaging change: override spurious lintian warning about
    fsimage.so rpath.

 -- Ian Jackson <email address hidden>  Fri, 22 Feb 2019 16:07:37 +0000
Superseded in stretch-release
xen (4.8.5+shim4.10.2+xsa282-1+deb9u11) stretch-security; urgency=medium

  * Update to new upstream versions:
     * Main tree updated to Xen 4.8.5
     * Shim updated to current upstream stable-4.10 branch, to
       avoid errors trying to cherry-pick security patches.
  * This includes fixes to:
       XSA-282  CVE-2018-19967                 Xen 4.8 and 4.10 shim
       XSA-280  CVE-2018-19966                 Xen 4.8 and 4.10 shim
       XSA-279  CVE-2018-19965                 Xen 4.8 and 4.10 shim
       XSA-275  CVE-2018-19961 CVE-2018-19962  Xen 4.8 and 4.10 shim
       XSA-278  CVE-2018-18883                 Xen 4.10 shim only
  * For completeness, the following fixes are not applicable:
       XSA-274  CVE-2018-14678        Bug is in Linux
       XSA-270  CVE-2018-15471        Bug is in Linux
       XSA-271  CVE-2018-14007        Bug is in XAPI (not in Debian)
       XSA-277  CVE-2018-19964        Bug not in either 4.8 or 4.10
       XSA-276  CVE-2018-19963        Bug not in either 4.8 or 4.10
  * Added CVEs to previous changelog entries:
       4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10
       4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9

 -- Ian Jackson <email address hidden>  Fri, 11 Jan 2019 18:01:30 +0000
Superseded in buster-release
Superseded in sid-release
xen (4.11.1-1) unstable; urgency=medium

  * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
    (Closes: #911457)
  * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
  * debian/rules: Don't exclude the actual pygrub script.
  * Update to new upstream version 4.11.1, which also contains:
    - Fix: insufficient TLB flushing / improper large page mappings with AMD
      IOMMUs
      XSA-275 CVE-2018-19961 CVE-2018-19962
    - Fix: resource accounting issues in x86 IOREQ server handling
      XSA-276 CVE-2018-19963
    - Fix: x86: incorrect error handling for guest p2m page removals
      XSA-277 CVE-2018-19964
    - Fix: x86: Nested VT-x usable even when disabled
      XSA-278 CVE-2018-18883
    - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
      addresses
      XSA-279 CVE-2018-19965
    - Fix for XSA-240 conflicts with shadow paging
      XSA-280 CVE-2018-19966
    - Fix: guest use of HLE constructs may lock up host
      XSA-282 CVE-2018-19967
  * Update version handling patching to put the team mailing list address in
    the first hypervisor log line and fix broken other substitutions.
  * Disable handle_iptable hook in vif-common script. See #894013 for more
    information.

 -- Hans van Kranenburg <email address hidden>  Wed, 02 Jan 2019 20:59:40 +0100
Superseded in stretch-release
xen (4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10) stretch-security; urgency=medium

  * Update to new upstream version 4.8.4+xsa273+shim4.10.1+xsa273.
      XSA-273 (CVE-2018-3620,CVE-2018-3646)
      XSA-272 (no CVE yet)
      XSA-269 (no CVE yet)
      XSA-268 (no CVE yet)

    This version is, again, a combination of staging-4.8 and staging-4.10
    for Xen and shim respectively as in previous versions.

 -- Wolodja Wentland <email address hidden>  Wed, 15 Aug 2018 23:51:28 +0100
Superseded in buster-release
Superseded in sid-release
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium

  * debian/rules: Cope if xen-utils-common not being built
    (Fixes binary-indep FTBFS.)

 -- Ian Jackson <email address hidden>  Mon, 15 Oct 2018 18:07:11 +0100
Superseded in sid-release
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-4) unstable; urgency=medium

  * Many packaging fixes to fix FTBFS on all arches other than amd64.
  * xen-vbd-interface(7): Provide properly-formatted NAME section
  * Add pandoc and markdown to Build-Depends - fixes missing docs.
  * Revert "tools-xenstore-compatibility.diff" apropos of discussion
    https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg00838.html

 -- Ian Jackson <email address hidden>  Mon, 15 Oct 2018 12:15:36 +0100
Superseded in sid-release
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-3) unstable; urgency=medium

  * hypervisor package postinst: Actually install (avoids need to
    run update-grub by hand).
  * debian/control: Adding Section to source stanza
  * debian/control: Add missing Replaces on old xen-utils-common
  * debian/rules: Add a -n to a gzip rune to improve reproducibility

 -- Ian Jackson <email address hidden>  Fri, 12 Oct 2018 16:55:48 +0100
Superseded in sid-release
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-2) unstable; urgency=medium

  * Redo as an upload with binaries, because source-only uploads to NEW
    are not allowed.

 -- Ian Jackson <email address hidden>  Fri, 05 Oct 2018 19:38:52 +0100
Deleted in experimental-release (Reason: None provided.)
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1) experimental; urgency=medium

  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg.
  * Remove stubdom/grub.patches/00cvs from the upstream source because it's
    not DFSG compliant. (license-problem-gfdl-invariants)
  * Override statically-linked-binary lintian error about
    usr/lib/xen-4.11/boot/xen-shim

 -- Hans van Kranenburg <email address hidden>  Tue, 11 Sep 2018 15:34:34 +0200
Superseded in buster-release
Superseded in sid-release
Superseded in stretch-release
xen (4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9) stretch-security; urgency=high

  * Security upload [thanks to Wolodja Wentland]:
       XSA-264 (no CVE yet)
       XSA-265 (no CVE yet)
       XSA-266 (no CVE yet)

 -- Ian Jackson <email address hidden>  Fri, 22 Jun 2018 16:38:39 +0100
Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) stretch-security; urgency=high

  * Security fixes from upstream XSAs:
       XSA-252 CVE-2018-7540
       XSA-255 CVE-2018-7541
       XSA-256 CVE-2018-7542
    The upstream BTI changes from XSA-254 (Spectre v2 mitigation)
    are *not* included.  They are currently failing in upstream CI.
  * init scripts: Do not kill per-domain qemu processes.  Closes:#879751.
  * Install Meltdown READMEs on all architectures.  Closes:#890488.
  * Ship xen-diag (by cherry-picking the appropriate commits from
    upstream).  This can help with diagnosis of #880554.

 -- Ian Jackson <email address hidden>  Fri, 02 Mar 2018 16:07:18 +0000
Published in jessie-release
xen (4.4.1-9+deb8u10) jessie-security; urgency=medium

  Security updates, including some very important fixes:
  * XSA-217 CVE-2017-10912
  * XSA-218 CVE-2017-10913 CVE-2017-10914
  * XSA-219 CVE-2017-10915
  * XSA-221 CVE-2017-10917
  * XSA-222 CVE-2017-10918
  * XSA-224 CVE-2017-10919
  * XSA-226 CVE-2017-12135
  * XSA-227 CVE-2017-12137
  * XSA-230 CVE-2017-12855
  * XSA-235 no CVE assigned yet

  Bugfixes:
  * evtchn: don't reuse ports that are still "busy" (for XSA-221 patch)

  FYI, XSAs which remain outstanding because no patch is available.
  * XSA-223: armhf/arm64 guest-induced host crash vulnerability

  FYI, inapplicable XSAs, for which no patch is included:
  * XSA-216: Bugs are in Linux and Qemu, not Xen
  * XSA-220: Xen 4.4 is not vulnerable
  * XSA-225: Xen 4.4 is not vulnerable
  * XSA-228: Xen 4.4 is not vulnerable
  * XSA-229: Bug is in Linux, not Xen

 -- Ian Jackson <email address hidden>  Tue, 05 Sep 2017 18:35:04 +0100
Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high

  * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
    plus a number of bugfixes and security fixes.
    Result is that we now include security fixes for:
       XSA-231 CVE-2017-14316
       XSA-232 CVE-2017-14318
       XSA-233 CVE-2017-14317
       XSA-234 CVE-2017-14319
       (235 already included in 4.8.1-1+deb9u3)
       XSA-236 CVE-2017-15597
       XSA-237 CVE-2017-15590
       XSA-238 (no CVE yet)
       XSA-239 CVE-2017-15589
       XSA-240 CVE-2017-15595
       XSA-241 CVE-2017-15588
       XSA-242 CVE-2017-15593
       XSA-243 CVE-2017-15592
       XSA-244 CVE-2017-15594
       XSA-245 (no CVE yet)
    and a number of upstream functionality fixes, which are not easily
    disentangled from the security fixes.
  * Apply two more security fixes:
       XSA-246 (no CVE yet)
       XSA-247 (no CVE yet)

 -- Ian Jackson <email address hidden>  Sat, 25 Nov 2017 11:26:37 +0000
Superseded in buster-release
Superseded in sid-release
Superseded in stretch-release
xen (4.8.1-1+deb9u3) stretch-security; urgency=high

  * Security fixes for
      XSA-226 CVE-2017-12135
      XSA-227 CVE-2017-12137
      XSA-228 CVE-2017-12136
      XSA-230 CVE-2017-12855
      XSA-235 (no CVE yet)
  * Adjust changelog entry for 4.8.1-1+deb9u2 to record
    that XSA-225 fix was indeed included.
  * Security fix for XSA-229 not included as that bug is in Linux, not Xen.
  * Security fixes for XSA-231..234 inc. not included as still embargoed.

 -- Ian Jackson <email address hidden>  Thu, 07 Sep 2017 19:17:58 +0100
Superseded in jessie-release
xen (4.4.1-9+deb8u9) jessie-security; urgency=medium

  Security updates:
  * XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size
  * XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts
  * XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep
  * XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange()
  * XSA-213: Closes:#861659: 64bit PV guest breakout
  * XSA-214: Closes:#861660: grant transfer PV privilege escalation
  * XSA-215: Closes:#861662: memory corruption via failsafe callback

 -- Ian Jackson <email address hidden>  Mon, 08 May 2017 15:04:37 +0100
Superseded in buster-release
Superseded in stretch-release
Superseded in sid-release
xen (4.8.1-1+deb9u1) unstable; urgency=medium

  * Security fixes for XSA-213 (Closes:#861659) and XSA-214
    (Closes:#861660).  (Xen 4.7 and later is not affected by XSA-215.)

 -- Ian Jackson <email address hidden>  Tue, 02 May 2017 12:19:57 +0100
Superseded in stretch-release
Superseded in sid-release
xen (4.8.1-1) unstable; urgency=high

  * Update to upstream 4.8.1 release.
    Changes include numerous bugfixes, including security fixes for:
      XSA-212 / CVE-2017-7228   Closes:#859560
      XSA-207 / no cve yet      Closes:#856229
      XSA-206 / no cve yet      no Debian bug

 -- Ian Jackson <email address hidden>  Tue, 18 Apr 2017 18:05:00 +0100
Superseded in stretch-release
Superseded in sid-release
xen (4.8.1~pre.2017.01.23-1) unstable; urgency=medium

  * Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre).
    Contains bugfixes.
  * debian/control-real etc.: debian.py: Allow version numbers like this.

 -- Ian Jackson <email address hidden>  Mon, 23 Jan 2017 16:03:31 +0000
Superseded in jessie-release
xen (4.4.1-9+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * CVE-2016-7777: CR0.TS and CR0.EM not always honored for x86 HVM guests
  * CVE-2016-9386: x86 null segments not always treated as unusable
    (Closes: #845663)
  * CVE-2016-9382: x86 task switch to VM86 mode mis-handled (Closes: #845664)
  * CVE-2016-9385: x86 segment base write emulation lacking canonical address
    checks (Closes: #845665)
  * CVE-2016-9383: x86 64-bit bit test instruction emulation broken
    (Closes: #845668)
  * CVE-2016-9379, CVE-2016-9380: delimiter injection vulnerabilities in
    pygrub (Closes: #845670)

 -- Salvatore Bonaccorso <email address hidden>  Sat, 03 Dec 2016 12:12:53 +0100
Superseded in stretch-release
Superseded in sid-release
xen (4.8.0-1) unstable; urgency=high

  * Update to upstream Xen 4.8.0.
    Includes the following security fixes:
        XSA-201   CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
        XSA-198   CVE-2016-9379 CVE-2016-9380
        XSA-196   CVE-2016-9378 CVE-2016-9377   Closes:#845669
        XSA-195   CVE-2016-9383
        XSA-194   CVE-2016-9384                 Closes:#845667
        XSA-193   CVE-2016-9385
        XSA-192   CVE-2016-9382
        XSA-191   CVE-2016-9386
    Includes other bugfixes too:
        Closes:#812166, Closes:#818525.

  Cherry picks from upstream:
  * Security fixes:
        XSA-204   CVE-2016-10013                 Closes:#848713
        XSA-203   CVE-2016-10025
        XSA-202   CVE-2016-10024
    For completeness, the following XSAs do not apply here:
        XSA-197   CVE-2016-9381      Bug is in qemu
        XSA-199   CVE-2016-9637      Bug is in qemu
        XSA-200   CVE-2016-9932      Xen 4.8 is not affected
  * Cherry pick a build failure fix:
      "x86/emul: add likely()/unlikely() to test harness"

  [ Ian Jackson ]
  * Drop -lcrypto search from upstream configure, and from our
    Build-Depends.  Closes:#844419.
  * Change my own email address to my work (Citrix) address.  When
    uploading, I will swap hats to effectively sponsor my own upload.

  [ Ian Campbell ]
  * Start a qemu process in dom0 to service the toolstack's loopback disk
    attaches. (Closes: #770456)
  * Remove correct pidfile when stopping xenconsoled.
  * Check that xenstored has actually started before talking to it.
    Incorporate a timeout so as not to block boot (Mitigates #737613)
  * Correct syntax error in xen-init-list when running with xend
    (Closes: #763102)
  * Apply SELinux labels to directories created by initscripts. Patch from
    Russell Coker. (Closes: #764912)
  * Include a reportbug control file to redirect bugs to src:xen for
    packages which contain the Xen version in the name.  Closes:#796370.

  [ Lubomir Host ]
  * Fix xen-init-name to not fail looking for a nonexistent 'config'
    entry in xl's JSON output.  Closes:#818129.

 -- Ian Jackson <email address hidden>  Thu, 22 Dec 2016 14:51:46 +0000
Superseded in stretch-release
Superseded in sid-release
xen (4.8.0~rc5-1) unstable; urgency=medium

  * New upstream version, Xen 4.8.0 RC5.

 -- Ian Jackson <email address hidden>  Fri, 11 Nov 2016 15:26:58 +0000
Superseded in stretch-release
Superseded in sid-release
xen (4.8.0~rc3-1) unstable; urgency=medium

  * Upload 4.8.0~rc3 to unstable.  (RC5 is out upstream, but let's not
    update to that in the middle of the Xen 4.6 -> 4.8 transition.)
  * No source changes.

 -- Ian Jackson <email address hidden>  Sat, 05 Nov 2016 15:08:47 +0000