xen 4.14.5+86-g1c354767d5-1 source package in Debian

Changelog

xen (4.14.5+86-g1c354767d5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+86-g1c354767d5, which also contains
    security fixes for the following issues: (Closes: #1021668)
    - Xenstore: guests can let run xenstored out of memory
      XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
      CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
    - Arm: unbounded memory consumption for 2nd-level page tables
      XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long
      XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling
      XSA-411 CVE-2022-33748
    - Xenstore: Guests can crash xenstored
      XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes
      XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory
      XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains
      XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack
      XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes
      XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues
      XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions
      XSA-421 CVE-2022-42325 CVE-2022-42326
  * The upstream Xen changes now also contain the first mentioned patch of
    XSA-403 ("Linux disk/nic frontends data leaks") for stable branch lines.
    For more information, please refer to the XSA-403 advisory text.
  * Note that the following XSA are not listed, because...
    - XSA-412 only applies to Xen 4.16 and newer
    - XSA-413 applies to XAPI which is not included in Debian
  * Correct a typo in the previous changelog entry.

 -- Hans van Kranenburg <email address hidden>  Fri, 04 Nov 2022 20:25:46 +0100

Upload details

Uploaded by: Debian Xen Team
Uploaded to: Bullseye
Original maintainer: Debian Xen Team
Architectures: amd64 arm64 armhf i386 all
Section: kernel
Urgency: Medium Urgency

Downloads

File Size SHA-256 Checksum
xen_4.14.5+86-g1c354767d5-1.dsc 4.0 KiB 293d5524bf85a5fb3befccd6de4ff310e86e871270e1841b89826e12639522a5
xen_4.14.5+86-g1c354767d5.orig.tar.xz 4.2 MiB da9e6d3ea3881db40bc09968ab7f5e65926bc144f65519ed9c18b918fc0ce5ba
xen_4.14.5+86-g1c354767d5-1.debian.tar.xz 140.3 KiB 1032e8cafde0c51608f0b0b2c9b5568022fd443dd8e099ee878d7af417fb0524

No changes file available.
