Changelog
xen (4.16.2+90-g0d39a6d1ae-1) unstable; urgency=medium
  * Update to new upstream version 4.16.2+90-g0d39a6d1ae, which also contains
    security fixes for the following issues:
    - Xenstore: guests can let run xenstored out of memory
      XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
      CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - Arm: unbounded memory consumption for 2nd-level page tables
      XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long
      XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling
      XSA-411 CVE-2022-33748
    - x86: unintended memory sharing between guests
      XSA-412 CVE-2022-42327
    - Xenstore: Guests can crash xenstored
      XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes
      XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory
      XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains
      XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack
      XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes
      XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues
      XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions
      XSA-421 CVE-2022-42325 CVE-2022-42326
    - x86: Multiple speculative security issues
      XSA-422 CVE-2022-23824
  * Note that the following XSA are not listed, because...
    - XSA-413 applies to XAPI which is not included in Debian
  * Drop the "x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1"
    patch again because it's included in upstream changes now.
-- Hans van Kranenburg <email address hidden> Wed, 16 Nov 2022 12:50:33 +0100