Change logs for xen source package in Sid

  • xen (4.17.3+36-g54dacb5c02-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.3+36-g54dacb5c02, which also contains
        security fixes for the following issues:
        - x86: shadow stack vs exceptions from emulation stubs
          XSA-451 CVE-2023-46841
      * Properly incorporate NMU changes.
      * Pick upstream commit b33a5c5929 ("tools/xenstore/xenstored_control.c:
        correctly print time_t") to fix a FTBFS on armhf with 64 bits time_t.
        (Closes: #1065794)
    
     -- Hans van Kranenburg <email address hidden>  Sat, 09 Mar 2024 22:03:11 +0100
  • xen (4.17.3+10-g091466ba55-1.1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Rename libraries for 64-bit time_t transition.  Closes: #1063270
    
     -- Steve Langasek <email address hidden>  Thu, 29 Feb 2024 07:08:41 +0000
  • xen (4.17.3+10-g091466ba55-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.3+10-g091466ba55, which also contains
        security fixes for the following issues:
        - arm32: The cache may not be properly cleaned/invalidated (take two)
          XSA-447 CVE-2023-46837
        - pci: phantom functions assigned to incorrect contexts
          XSA-449 CVE-2023-46839
        - VT-d: Failure to quarantine devices in !HVM builds
          XSA-450 CVE-2023-46840
      * Note that the following XSA are not listed, because...
        - XSA-448 has patches for the Linux kernel.
      * Compilation with Python 3.12 has been fixed in upstream commit 4000522008
        ("Only compile the hypervisor with -Wdeclaration-after-statement")
        (Closes: #1062048)
    
     -- Hans van Kranenburg <email address hidden>  Sun, 04 Feb 2024 13:45:17 +0100
  • xen (4.17.2+76-ge1f9cb16e2-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.2-76-ge1f9cb16e2, which also contains
        security fixes for the following issues: (Closes: #1056928)
        - x86/AMD: mismatch in IOMMU quarantine page table levels
          XSA-445 CVE-2023-46835
        - x86: BTC/SRSO fixes not fully effective
          XSA-446 CVE-2023-46836
    
     -- Maximilian Engelhardt <email address hidden>  Wed, 29 Nov 2023 20:17:30 +0100
  • xen (4.17.2+55-g0b56bed864-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
        security fixes for the following issues:
        - arm32: The cache may not be properly cleaned/invalidated
          XSA-437 CVE-2023-34321
        - top-level shadow reference dropped too early for 64-bit PV guests
          XSA-438 CVE-2023-34322
        - x86/AMD: Divide speculative information leak
          XSA-439 CVE-2023-20588
        - xenstored: A transaction conflict can crash C Xenstored
          XSA-440 CVE-2023-34323
        - x86/AMD: missing IOMMU TLB flushing
          XSA-442 CVE-2023-34326
        - Multiple vulnerabilities in libfsimage disk handling
          XSA-443 CVE-2023-34325
        - x86/AMD: Debug Mask handling
          XSA-444 CVE-2023-34327 CVE-2023-34328
      * Note that the following XSA are not listed, because...
        - XSA-441 has patches for the Linux kernel.
    
     -- Hans van Kranenburg <email address hidden>  Thu, 12 Oct 2023 19:25:55 +0200
  • xen (4.17.2-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.2, which also contains
        security fixes for the following issues: (Closes: #1042102)
        - x86/AMD: Zenbleed
          XSA-433 CVE-2023-20593
        - x86/AMD: Speculative Return Stack Overflow
          XSA-434 CVE-2023-20569
        - x86/Intel: Gather Data Sampling
          XSA-435 CVE-2022-40982
        - arm: Guests can trigger a deadlock on Cortex-A77
          XSA-436 CVE-2023-34320
      * Note that the following XSA are not listed, because...
        - XSA-432 has patches for the Linux kernel.
    
     -- Maximilian Engelhardt <email address hidden>  Sun, 20 Aug 2023 16:08:59 +0200
  • xen (4.17.1+2-gb773c48e36-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.1+2-gb773c48e36, which also contains
        security fixes for the following issues:
        - x86 shadow paging arbitrary pointer dereference
          XSA-430 CVE-2022-42335
          (Closes: #1034842)
        - Mishandling of guest SSBD selection on AMD hardware
          XSA-431 CVE-2022-42336
    
     -- Maximilian Engelhardt <email address hidden>  Thu, 18 May 2023 21:26:30 +0200
  • xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains
        security fixes for the following issues: (Closes: #1033297)
        - x86 shadow plus log-dirty mode use-after-free
          XSA-427 CVE-2022-42332
        - x86/HVM pinned cache attributes mis-handling
          XSA-428 CVE-2022-42333 CVE-2022-42334
        - x86: speculative vulnerability in 32bit SYSCALL path
          XSA-429 CVE-2022-42331
    
     -- Maximilian Engelhardt <email address hidden>  Thu, 23 Mar 2023 22:22:48 +0100
  • xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains
        security fixes for the following issues:
         - x86: Cross-Thread Return Address Predictions
           XSA-426 CVE-2022-27672
           (Closes: #1031567)
      * debian/shuffle-boot-files: fix typo
      * debian/changelog: Fix bug number typo.
      * debian/changelog: Remove duplicate 'Note that'
    
     -- Hans van Kranenburg <email address hidden>  Fri, 24 Feb 2023 18:06:42 +0100
  • xen (4.17.0+24-g2f8851c37f-2) unstable; urgency=medium
    
      * Upload to unstable now, since we got message from the OCaml team that we
        are not bothering them while they're doing their stack rebuild.
    
     -- Hans van Kranenburg <email address hidden>  Mon, 06 Feb 2023 14:27:40 +0100
  • xen (4.17.0-1) unstable; urgency=medium
    
      * Update to new upstream version 4.17.0.
      * No new security fixes are included.
      * Note that the following XSA are not listed, because...
        - XSA-423 and XSA-424 have patches for the Linux kernel.
      * debian/control: update Standards-Version to 4.6.2
      * debian/control: update Build-Depends for ocaml
    
     -- Maximilian Engelhardt <email address hidden>  Wed, 21 Dec 2022 22:34:51 +0100
  • xen (4.16.2+90-g0d39a6d1ae-1) unstable; urgency=medium
    
      * Update to new upstream version 4.16.2+90-g0d39a6d1ae, which also contains
        security fixes for the following issues:
         - Xenstore: guests can let run xenstored out of memory
           XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
           CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
         - Arm: unbounded memory consumption for 2nd-level page tables
           XSA-409 CVE-2022-33747
         - P2M pool freeing may take excessively long
           XSA-410 CVE-2022-33746
         - lock order inversion in transitive grant copy handling
           XSA-411 CVE-2022-33748
         - x86: unintended memory sharing between guests
           XSA-412 CVE-2022-42327
         - Xenstore: Guests can crash xenstored
           XSA-414 CVE-2022-42309
         - Xenstore: Guests can create orphaned Xenstore nodes
           XSA-415 CVE-2022-42310
         - Xenstore: Guests can cause Xenstore to not free temporary memory
           XSA-416 CVE-2022-42319
         - Xenstore: Guests can get access to Xenstore nodes of deleted domains
           XSA-417 CVE-2022-42320
         - Xenstore: Guests can crash xenstored via exhausting the stack
           XSA-418 CVE-2022-42321
         - Xenstore: Cooperating guests can create arbitrary numbers of nodes
           XSA-419 CVE-2022-42322 CVE-2022-42323
         - Oxenstored 32->31 bit integer truncation issues
           XSA-420 CVE-2022-42324
         - Xenstore: Guests can create arbitrary number of nodes via transactions
           XSA-421 CVE-2022-42325 CVE-2022-42326
         - x86: Multiple speculative security issues
           XSA-422 CVE-2022-23824
       * Note that the following XSA are not listed, because...
         - XSA-413 applies to XAPI which is not included in Debian
       * Drop the "x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1"
         patch again because it's included in upstream changes now.
    
     -- Hans van Kranenburg <email address hidden>  Wed, 16 Nov 2022 12:50:33 +0100
  • xen (4.16.2-2) unstable; urgency=medium
    
      * debian/control: Add libzstd-dev as Build-Depends
      * Pick upstream commit c3bd0b83ea ("x86/CPUID: surface suitable value in EBX
        of XSTATE subleaf 1") to fix compatibility with Linux 5.19.
        (Closes: #1020787)
    
     -- Hans van Kranenburg <email address hidden>  Wed, 28 Sep 2022 19:03:14 +0200
  • xen (4.16.2-1) unstable; urgency=medium
    
      * Update to new upstream version 4.16.2, which also contains
        security fixes for the following issues:
        - x86 pv: Race condition in typeref acquisition
          XSA-401 CVE-2022-26362
        - x86 pv: Insufficient care with non-coherent mappings
          XSA-402 CVE-2022-26363 CVE-2022-26364
        - Linux disk/nic frontends data leaks
          XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
          Note that this XSA also contains patches that have to be applied to the
          Linux kernel to make use of the new mitigations.
        - x86: MMIO Stale Data vulnerabilities
          XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
        - Retbleed - arbitrary speculative code execution with return instructions
          XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
        - insufficient TLB flush for x86 PV guests in shadow mode
          XSA-408 CVE-2022-33745
      * Note that the following XSA are not listed, because...
        - XSA-405 and XSA-406 have patches for the Linux kernel.
      * d/.../grub.d/xen.cfg: Redirect output when running grub-mkconfig so that
        we do not wrongly cause text to end up being part of the generated grub
        configuration. (Closes: #1016547)
      * Clean up lintian overrides that are reported as unused.
      * Move comments about lintian overrides above the override line itself,
        instead of being below, as instructed by the lintian documentation.
      * Deal with formatting changes in lintian output, which invalidate
        overrides we have. Also see Debian bug #1007002 for more information.
    
     -- Hans van Kranenburg <email address hidden>  Tue, 23 Aug 2022 13:25:38 +0200
  • xen (4.16.1-1) unstable; urgency=medium
    
      * Update to new upstream version 4.16.1, which also contains security fixes
        for the following issues:
        - Racy interactions between dirty vram tracking and paging log dirty
          hypercalls
          XSA-397 CVE-2022-26356
        - Multiple speculative security issues
          XSA-398 (no CVE yet)
        - race in VT-d domain ID cleanup
          XSA-399 CVE-2022-26357
        - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
          XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
      * Note that the following XSA are not listed, because...
        - XSA-396 has patches for the Linux kernel.
      * Don't ship NEWS in libxen* packages. Instead, only ship relevant NEWS
        items for actual hypervisor and/or utils packages they belong to.
        (Closes: #962267)
      * d/control: make xen-hypervisor-common arch specific, just like
        xen-utils-common.
      * d/control: stop recommending qemu-system-x86 on arm, because qemu is not
        being built with xen support on arm...
      * Add a patch for tools/libs/light/Makefile which prevents build.o and
        build.opic to be rebuilt unneededly during the package install phase,
        causing a FTBFS because it triggers the use of ccache, which is not
        allowed in the install phase of building the Debian packages.
    
      Improvements related to Qemu integration:  [Michael Tokarev]
      * d/xen-utils-common.xen.init: properly disable qemu monitor/serial/parallel
        devices for qemu started at boot.
      * debian: switch from recommending qemu-system-x86 to qemu-system-xen and
        mention this change in the NEWS file.
      * Add patch "give meaningful error message if qemu device model is
        unavailable" to give a useful error message only in case the domU needs
        the qemu device model which is not installed, instead of giving a warning
        about missing qemu even if it is not used by this domain.
    
      Documentation, grammar and spelling fixes and improvements:
      * d/control: drop obsolete paragraph about separate xen linux kernel package
      * d/control: Harmonize the capitalization of the 'Xen' word  [Diederik de Haas]
      * d/control: Improve spelling and grammar  [Diederik de Haas]
    
     -- Hans van Kranenburg <email address hidden>  Mon, 09 May 2022 22:29:23 +0200
  • xen (4.16.0+51-g0941d6cb-1) unstable; urgency=medium
    
      * Update to new upstream version 4.16.0+51-g0941d6cb, which also contains
        security fixes for the following issues:
        - arm: guest_physmap_remove_page not removing the p2m mappings
          XSA-393 CVE-2022-23033
        - A PV guest could DoS Xen while unmapping a grant
          XSA-394 CVE-2022-23034
        - Insufficient cleanup of passed-through device IRQs
          XSA-395 CVE-2022-23035
      * Note that the following XSA are not listed, because...
        - XSA-391 and XSA-392 have patches for the Linux kernel.
      * Upload to unstable now, which obsoletes the Xen 4.14 FTBFS issue.
        (Closes: #1002658)
    
     -- Hans van Kranenburg <email address hidden>  Sat, 19 Feb 2022 20:29:32 +0100
  • xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium
    
      * Update to new upstream version 4.14.3+32-g9de3671772, which also contains
        security fixes for the following issues:
        - guests may exceed their designated memory limit
          XSA-385 CVE-2021-28706
        - PCI devices with RMRRs not deassigned correctly
          XSA-386 CVE-2021-28702
        - PoD operations on misaligned GFNs
          XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
        - issues with partially successful P2M updates on x86
          XSA-389 CVE-2021-28705 CVE-2021-28709
      * Note that the following XSA are not listed, because...
        - XSA-387 only applies to Xen 4.13 and older
        - XSA-390 only applies to Xen 4.15
      * Pick the following upstream commits to fix a regression which prevents
        amd64 type hardware to fully power off. The issue was introduced in
        version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to
        improve Raspberry Pi 4 support. (Closes: #994899):
        - 8b6d55c126 ("x86/ACPI: fix mapping of FACS")
        - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb")
        - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping")
        - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector
                       cannot be determined")
    
     -- Hans van Kranenburg <email address hidden>  Sat, 27 Nov 2021 15:09:47 +0100
  • xen (4.14.3-1) unstable; urgency=high
    
      * Update to new upstream version 4.14.3, which also contains security fixes
        for the following issues:
        - IOMMU page mapping issues on x86
          XSA-378 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696
        - grant table v2 status pages may remain accessible after de-allocation
          XSA-379 CVE-2021-28697
        - long running loops in grant table handling
          XSA-380 CVE-2021-28698
        - inadequate grant-v2 status frames array bounds check
          XSA-382 CVE-2021-28699
        - xen/arm: No memory limit for dom0less domUs
          XSA-383 CVE-2021-28700
        - Another race in XENMAPSPACE_grant_table handling
          XSA-384 CVE-2021-28701
    
     -- Hans van Kranenburg <email address hidden>  Mon, 13 Sep 2021 11:51:20 +0200
  • xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium
    
      * Add README.Debian.security containing a note about the end of upstream
        security support for Xen 4.14. Install it into xen-hypervisor-common.
    
     -- Hans van Kranenburg <email address hidden>  Fri, 30 Jul 2021 16:57:52 +0200
  • xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium
    
      * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains
        security fixes for the following issues:
        - HVM soft-reset crashes toolstack
          XSA-368 CVE-2021-28687
        - xen/arm: Boot modules are not scrubbed
          XSA-372 CVE-2021-28693
        - inappropriate x86 IOMMU timeout detection / handling
          XSA-373 CVE-2021-28692
        - Speculative Code Store Bypass
          XSA-375 CVE-2021-0089 CVE-2021-26313
        - x86: TSX Async Abort protections not restored after S3
          XSA-377 CVE-2021-28690
      * Note that the following XSA are not listed, because...
        - XSA-370 does not contain code changes.
        - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the
          Linux kernel.
        - XSA-366 only applies to Xen 4.11.
    
     -- Hans van Kranenburg <email address hidden>  Sun, 11 Jul 2021 14:29:13 +0200
  • xen (4.14.1+11-gb0b734a8b3-1) unstable; urgency=medium
    
      * Update to new upstream version 4.14.1+11-gb0b734a8b3, which also contains
        security fixes for the following issues:
        - IRQ vector leak on x86
          XSA-360 CVE-2021-3308  (Closes: #981052)
        - arm: The cache may not be cleaned for newly allocated scrubbed pages
          XSA-364 CVE-2021-26933
      * Drop separate patches for XSAs up to 359 that are now included in the
        upstream stable branch.
    
      Packaging bugfixes and improvements [Elliott Mitchell]:
      * debian/rules: Set CC/LD to enable cross-building
      * d/shuffle-binaries: Fix binary shuffling script for cross-building
      * Rework "debian/rules: Do not try to move EFI binaries on armhf"
      * debian/scripts: Optimize runtime scripts
      * debian/xen-utils-common.examples: Remove xm examples
      * d/shuffle-boot-files: make it POSIX compliant  [Hans van Kranenburg, based
        on a patch by Elliott Mitchell]
      * d/shuffle-binaries: Switch loop from for to while
      * d/shuffle-binaries: Switch to POSIX shell, instead of Bash
      * d/shuffle-boot-files: Switch to POSIX shell, instead of Bash
      * debian/xendomains.init: Pipe xen-init-list instead of tmp file
    
      Make the package build reproducibly [Maximilian Engelhardt]:
      * debian/salsa-ci.yml: enable salsa-ci
      * debian/salsa-ci.yml: enable diffoscope in reprotest
      * debian/rules: use SOURCE_DATE_EPOCH for xen build dates
      * debian/rules: don't include build path in binaries
      * debian/rules: reproducibly build oxenstored
      * Pick the following upstream commits:
        - 5816d327e4 ("xen: don't have timestamp inserted in config.gz")
        - ee41b5c450 ("x86/EFI: don't insert timestamp when SOURCE_DATE_EPOCH is
                       defined")
        - e18dadc5b7 ("docs: use predictable ordering in generated documentation")
      * Include upstream patch that is not committed yet, but needed:
        - docs: set date to SOURCE_DATE_EPOCH if available
      * debian/salsa-ci.yml: don't allow reprotest to fail
    
      Packaging bugfixes and improvements:
      * d/shuffle-boot-files: Document more inner workings
    
     -- Hans van Kranenburg <email address hidden>  Sun, 28 Feb 2021 19:49:45 +0100
  • xen (4.14.0+88-g1d1d1f5391-2) unstable; urgency=high
    
      * For now, revert "debian/rules: Set CC/LD to enable cross-building", since
        it causes an FTBFS on i386.
    
     -- Hans van Kranenburg <email address hidden>  Tue, 15 Dec 2020 14:57:41 +0100
  • xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high
    
      * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains
        security fixes for the following issues:
        - stack corruption from XSA-346 change
          XSA-355 CVE-2020-29040 (Closes: #976109)
      * Apply security fixes for the following issues:
        - oxenstored: permissions not checked on root node
          XSA-353 CVE-2020-29479
        - xenstore watch notifications lacking permission checks
          XSA-115 CVE-2020-29480
        - Xenstore: new domains inheriting existing node permissions
          XSA-322 CVE-2020-29481
        - Xenstore: wrong path length check
          XSA-323 CVE-2020-29482
        - Xenstore: guests can crash xenstored via watchs
          XSA-324 CVE-2020-29484
        - Xenstore: guests can disturb domain cleanup
          XSA-325 CVE-2020-29483
        - oxenstored memory leak in reset_watches
          XSA-330 CVE-2020-29485
        - oxenstored: node ownership can be changed by unprivileged clients
          XSA-352 CVE-2020-29486
        - undue recursion in x86 HVM context switch code
          XSA-348 CVE-2020-29566
        - infinite loop when cleaning up IRQ vectors
          XSA-356 CVE-2020-29567
        - FIFO event channels control block related ordering
          XSA-358 CVE-2020-29570
        - FIFO event channels control structure ordering
          XSA-359 CVE-2020-29571
      * Note that the following XSA are not listed, because...
        - XSA-349 and XSA-350 have patches for the Linux kernel
        - XSA-354 has patches for the XAPI toolstack
    
      Packaging bugfixes and improvements:
      * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611)
      * Add missing CVE numbers to the previous changelog entries
    
      Packaging bugfixes and improvements [Elliott Mitchell]:
      * d/shuffle-binaries: Make error detection/message overt
      * d/shuffle-binaries: Add quoting for potentially changeable variables
      * d/shuffle-boot-files: Add lots of double-quotes when handling variables
      * debian/rules: Set CC/LD to enable cross-building
      * debian/xen.init: Load xen_acpi_processor on boot
      * d/shuffle-binaries: Remove useless extra argument being passed in
    
      Packaging bugfixes and improvements [Maximilian Engelhardt]:
      * d/xen-hypervisor-V-F.postinst.vsn-in: use reboot-required
        (Closes: #862408)
      * d/xen-hypervisor-V-F.postrm: actually install script
      * d/xen-hypervisor-V.*: clean up unused files
      * d/xen-hypervisor-V.bug-control.vsn-in: actually install script
      * debian/rules: enable verbose build
    
      Fixes to patches for upstream code:
      * t/h/L/vif-common.sh: force handle_iptable return value to be 0
        (Closes: #955994)
    
      * Pick the following upstream commits to improve Raspberry Pi 4 support,
        requested by Elliott Mitchell:
        - 25849c8b16 ("xen/rpi4: implement watchdog-based reset")
        - 17d192e023 ("tools/python: Pass linker to Python build process")
        - 861f0c1109 ("xen/arm: acpi: Don't fail if SPCR table is absent")
        - 1c4aa69ca1 ("xen/acpi: Rework acpi_os_map_memory() and
                       acpi_os_unmap_memory()")
        - 4d625ff3c3 ("xen/arm: acpi: The fixmap area should always be cleared
                       during failure/unmap")
        - dac867bf9a ("xen/arm: Check if the platform is not using ACPI before
                       initializing Dom0less")
        - 9c2bc0f24b ("xen/arm: Introduce fw_unreserved_regions() and use it")
        - 7056f2f89f ("xen/arm: acpi: add BAD_MADT_GICC_ENTRY() macro")
        - 957708c2d1 ("xen/arm: traps: Don't panic when receiving an unknown debug
                       trap")
    
      * Pick upstream commit ba6e78f0db ("fix spelling errors"). Thanks, Diederik.
    
     -- Hans van Kranenburg <email address hidden>  Tue, 15 Dec 2020 13:00:00 +0100
  • xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium
    
      * Re-upload to unstable for rebuild.
    
     -- Ian Jackson <email address hidden>  Tue, 24 Nov 2020 10:28:22 +0000
  • xen (4.11.4+24-gddaaccbbab-1) unstable; urgency=medium
    
      * Update to new upstream version 4.11.4+24-gddaaccbbab, which also contains
        security fixes for the following issues:
        - inverted code paths in x86 dirty VRAM tracking
          XSA-319 CVE-2020-15563
        - Special Register Buffer speculative side channel
          XSA-320 CVE-2020-0543
          N.B: To mitigate this issue, new cpu microcode is required. The changes
          in Xen provide a workaround for affected hardware that is not receiving
          a vendor microcode update. Please refer to the upstream XSA-320 Advisory
          text for more details.
        - insufficient cache write-back under VT-d
          XSA-321 CVE-2020-15565
        - Missing alignment check in VCPUOP_register_vcpu_info
          XSA-327 CVE-2020-15564
        - non-atomic modification of live EPT PTE
          XSA-328 CVE-2020-15567
    
     -- Hans van Kranenburg <email address hidden>  Tue, 07 Jul 2020 16:07:39 +0200
  • xen (4.11.4-1) unstable; urgency=medium
    
      * Update to new upstream version 4.11.4, which also contains security fixes
        for the following issues:
        - arm: a CPU may speculate past the ERET instruction
          XSA-312 (no CVE yet)
        - multiple xenoprof issues
          XSA-313 CVE-2020-11740 CVE-2020-11741
        - Missing memory barriers in read-write unlock paths
          XSA-314 CVE-2020-11739
        - Bad error path in GNTTABOP_map_grant
          XSA-316 CVE-2020-11743
        - Bad continuation handling in GNTTABOP_copy
          XSA-318 CVE-2020-11742
      * xen-utils and xen-utils-common maint scripts: Replace the previous fix in
        the xen init script with a better fix in the xen-utils package instead, to
        prevent calling the init script stop action (resulting in a disappeared
        xenconsoled) when removing a xen-utils package that belongs to a previous
        (not currently running) Xen version. Also prevent the xen-utils-common
        package from inadvertently calling stop and start actions because
        dh_installinit would add code for that. (Closes: #932759)
      * debian/NEWS: Mention fixing #932759 and how to deal with the bug
    
     -- Hans van Kranenburg <email address hidden>  Tue, 26 May 2020 13:33:17 +0200
  • xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=high
    
      * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
        contains the following security fixes: (Closes: #947944)
        - Unlimited Arm Atomics Operations
          XSA-295 CVE-2019-17349 CVE-2019-17350
        - VCPUOP_initialise DoS
          XSA-296 CVE-2019-18420
        - missing descriptor table limit checking in x86 PV emulation
          XSA-298 CVE-2019-18425
        - Issues with restartable PV type change operations
          XSA-299 CVE-2019-18421
        - add-to-physmap can be abused to DoS Arm hosts
          XSA-301 CVE-2019-18423
        - passed through PCI devices may corrupt host memory after deassignment
          XSA-302 CVE-2019-18424
        - ARM: Interrupts are unconditionally unmasked in exception handlers
          XSA-303 CVE-2019-18422
        - x86: Machine Check Error on Page Size Change DoS
          XSA-304 CVE-2018-12207
        - TSX Asynchronous Abort speculative side channel
          XSA-305 CVE-2019-11135
        - Device quarantine for alternate pci assignment methods
          XSA-306 CVE-2019-19579
        - find_next_bit() issues
          XSA-307 CVE-2019-19581 CVE-2019-19582
        - VMX: VMentry failure with debug exceptions and blocked states
          XSA-308 CVE-2019-19583
        - Linear pagetable use / entry miscounts
          XSA-309 CVE-2019-19578
        - Further issues with restartable PV type change operations
          XSA-310 CVE-2019-19580
        - Bugs in dynamic height handling for AMD IOMMU pagetables
          XSA-311 CVE-2019-19577
      * Add missing CVE numbers to previous changelog entries
    
     -- Hans van Kranenburg <email address hidden>  Wed, 08 Jan 2020 12:41:42 +0100
  • xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high
    
      * Mention MDS and the need for updated microcode and disabling
        hyper-threading in NEWS.
      * Mention the ucode=scan option in the grub.d/xen documentation.
    
     -- Hans van Kranenburg <email address hidden>  Sat, 22 Jun 2019 11:15:08 +0200
  • xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high
    
      * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
        contains the following security fixes:
        - Fix: grant table transfer issues on large hosts
          XSA-284 (no CVE yet) (Closes: #929991)
        - Fix: race with pass-through device hotplug
          XSA-285 (no CVE yet) (Closes: #929998)
        - Fix: x86: steal_page violates page_struct access discipline
          XSA-287 (no CVE yet) (Closes: #930001)
        - Fix: x86: Inconsistent PV IOMMU discipline
          XSA-288 (no CVE yet) (Closes: #929994)
        - Fix: missing preemption in x86 PV page table unvalidation
          XSA-290 (no CVE yet) (Closes: #929996)
        - Fix: x86/PV: page type reference counting issue with failed IOMMU update
          XSA-291 (no CVE yet) (Closes: #929995)
        - Fix: x86: insufficient TLB flushing when using PCID
          XSA-292 (no CVE yet) (Closes: #929993)
        - Fix: x86: PV kernel context switch corruption
          XSA-293 (no CVE yet) (Closes: #929999)
        - Fix: x86 shadow: Insufficient TLB flushing when using PCID
          XSA-294 (no CVE yet) (Closes: #929992)
        - Fix: Microarchitectural Data Sampling speculative side channel
          XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
          (Closes: #929129)
      * Note that the fixes for XSA-297 will only have effect when also loading
        updated cpu microcode with MD_CLEAR functionality. When using the
        intel-microcode package to include microcode in the dom0 initrd, it has to
        be loaded by Xen. Please refer to the hypervisor command line
        documentation about the 'ucode=scan' option.
      * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
        next upload.
    
     -- Hans van Kranenburg <email address hidden>  Tue, 18 Jun 2019 09:50:19 +0200
  • xen (4.11.1+26-g87f51bf366-3) unstable; urgency=medium
    
      Minor useability improvements and fixes:
      * bash-completion: also complete 'xen'  [Hans van Kranenburg]
      * /etc/default/xen: Handle with ucf again, like in stretch.
        Closes:#923401.  [Ian Jackson]
    
      Build fix:
      * Fix FTBFS when building only arch-indep binaries (eg
        dpkg-buildpackage -A).  Was due to dh-exec bug wrt not-installed.
        Closes:#923013.  [Hans van Kranenburg; report from Santiago Vila]
    
      Documentation fix:
      * grub.d/xen.cfg: dom0_mem max IS needed  [Hans van Kranenburg]
    
     -- Ian Jackson <email address hidden>  Thu, 28 Feb 2019 16:37:04 +0000
  • xen (4.11.1+26-g87f51bf366-2) unstable; urgency=medium
    
      * Packaging change: override spurious lintian warning about
        fsimage.so rpath.
    
     -- Ian Jackson <email address hidden>  Fri, 22 Feb 2019 16:07:37 +0000
  • xen (4.11.1-1) unstable; urgency=medium
    
      * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
        (Closes: #911457)
      * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
      * debian/rules: Don't exclude the actual pygrub script.
      * Update to new upstream version 4.11.1, which also contains:
        - Fix: insufficient TLB flushing / improper large page mappings with AMD
          IOMMUs
          XSA-275 CVE-2018-19961 CVE-2018-19962
        - Fix: resource accounting issues in x86 IOREQ server handling
          XSA-276 CVE-2018-19963
        - Fix: x86: incorrect error handling for guest p2m page removals
          XSA-277 CVE-2018-19964
        - Fix: x86: Nested VT-x usable even when disabled
          XSA-278 CVE-2018-18883
        - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
          addresses
          XSA-279 CVE-2018-19965
        - Fix for XSA-240 conflicts with shadow paging
          XSA-280 CVE-2018-19966
        - Fix: guest use of HLE constructs may lock up host
          XSA-282 CVE-2018-19967
      * Update version handling patching to put the team mailing list address in
        the first hypervisor log line and fix broken other substitutions.
      * Disable handle_iptable hook in vif-common script. See #894013 for more
        information.
    
     -- Hans van Kranenburg <email address hidden>  Wed, 02 Jan 2019 20:59:40 +0100
  • xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium
    
      * debian/rules: Cope if xen-utils-common not being built
        (Fixes binary-indep FTBFS.)
    
     -- Ian Jackson <email address hidden>  Mon, 15 Oct 2018 18:07:11 +0100
  • xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-4) unstable; urgency=medium
    
      * Many packaging fixes to fix FTBFS on all arches other than amd64.
      * xen-vbd-interface(7): Provide properly-formatted NAME section
      * Add pandoc and markdown to Build-Depends - fixes missing docs.
      * Revert "tools-xenstore-compatibility.diff" apropos of discussion
        https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg00838.html
    
     -- Ian Jackson <email address hidden>  Mon, 15 Oct 2018 12:15:36 +0100
  • xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-3) unstable; urgency=medium
    
      * hypervisor package postinst: Actually install (avoids need to
        run update-grub by hand).
      * debian/control: Adding Section to source stanza
      * debian/control: Add missing Replaces on old xen-utils-common
      * debian/rules: Add a -n to a gzip rune to improve reproducibility
    
     -- Ian Jackson <email address hidden>  Fri, 12 Oct 2018 16:55:48 +0100
  • xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-2) unstable; urgency=medium
    
      * Redo as an upload with binaries, because source-only uploads to NEW
        are not allowed.
    
     -- Ian Jackson <email address hidden>  Fri, 05 Oct 2018 19:38:52 +0100
  • xen (4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9) stretch-security; urgency=high
    
      * Security upload [thanks to Wolodja Wentland]:
           XSA-264 (no CVE yet)
           XSA-265 (no CVE yet)
           XSA-266 (no CVE yet)
    
     -- Ian Jackson <email address hidden>  Fri, 22 Jun 2018 16:38:39 +0100
  • xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) stretch-security; urgency=high
    
      * Security fixes from upstream XSAs:
           XSA-252 CVE-2018-7540
           XSA-255 CVE-2018-7541
           XSA-256 CVE-2018-7542
        The upstream BTI changes from XSA-254 (Spectre v2 mitigation)
        are *not* included.  They are currently failing in upstream CI.
      * init scripts: Do not kill per-domain qemu processes.  Closes:#879751.
      * Install Meltdown READMEs on all architectures.  Closes:#890488.
      * Ship xen-diag (by cherry-picking the appropriate commits from
        upstream).  This can help with diagnosis of #880554.
    
     -- Ian Jackson <email address hidden>  Fri, 02 Mar 2018 16:07:18 +0000
  • xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high
    
      * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
        plus a number of bugfixes and security fixes.
        Result is that we now include security fixes for:
           XSA-231 CVE-2017-14316
           XSA-232 CVE-2017-14318
           XSA-233 CVE-2017-14317
           XSA-234 CVE-2017-14319
           (235 already included in 4.8.1-1+deb9u3)
           XSA-236 CVE-2017-15597
           XSA-237 CVE-2017-15590
           XSA-238 (no CVE yet)
           XSA-239 CVE-2017-15589
           XSA-240 CVE-2017-15595
           XSA-241 CVE-2017-15588
           XSA-242 CVE-2017-15593
           XSA-243 CVE-2017-15592
           XSA-244 CVE-2017-15594
           XSA-245 (no CVE yet)
        and a number of upstream functionality fixes, which are not easily
        disentangled from the security fixes.
      * Apply two more security fixes:
           XSA-246 (no CVE yet)
           XSA-247 (no CVE yet)
    
     -- Ian Jackson <email address hidden>  Sat, 25 Nov 2017 11:26:37 +0000
  • xen (4.8.1-1+deb9u3) stretch-security; urgency=high
    
      * Security fixes for
          XSA-226 CVE-2017-12135
          XSA-227 CVE-2017-12137
          XSA-228 CVE-2017-12136
          XSA-230 CVE-2017-12855
          XSA-235 (no CVE yet)
      * Adjust changelog entry for 4.8.1-1+deb9u2 to record
        that XSA-225 fix was indeed included.
      * Security fix for XSA-229 not included as that bug is in Linux, not Xen.
      * Security fixes for XSA-231..234 inc. not included as still embargoed.
    
     -- Ian Jackson <email address hidden>  Thu, 07 Sep 2017 19:17:58 +0100
  • xen (4.8.1-1+deb9u1) unstable; urgency=medium
    
      * Security fixes for XSA-213 (Closes:#861659) and XSA-214
        (Closes:#861660).  (Xen 4.7 and later is not affected by XSA-215.)
    
     -- Ian Jackson <email address hidden>  Tue, 02 May 2017 12:19:57 +0100
  • xen (4.8.1-1) unstable; urgency=high
    
      * Update to upstream 4.8.1 release.
        Changes include numerous bugfixes, including security fixes for:
          XSA-212 / CVE-2017-7228   Closes:#859560
          XSA-207 / no cve yet      Closes:#856229
          XSA-206 / no cve yet      no Debian bug
    
     -- Ian Jackson <email address hidden>  Tue, 18 Apr 2017 18:05:00 +0100
  • xen (4.8.1~pre.2017.01.23-1) unstable; urgency=medium
    
      * Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre).
        Contains bugfixes.
      * debian/control-real etc.: debian.py: Allow version numbers like this.
    
     -- Ian Jackson <email address hidden>  Mon, 23 Jan 2017 16:03:31 +0000
  • xen (4.8.0-1) unstable; urgency=high
    
      * Update to upstream Xen 4.8.0.
        Includes the following security fixes:
            XSA-201   CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
            XSA-198   CVE-2016-9379 CVE-2016-9380
            XSA-196   CVE-2016-9378 CVE-2016-9377   Closes:#845669
            XSA-195   CVE-2016-9383
            XSA-194   CVE-2016-9384                 Closes:#845667
            XSA-193   CVE-2016-9385
            XSA-192   CVE-2016-9382
            XSA-191   CVE-2016-9386
        Includes other bugfixes too:
            Closes:#812166, Closes:#818525.
    
      Cherry picks from upstream:
      * Security fixes:
            XSA-204   CVE-2016-10013                 Closes:#848713
            XSA-203   CVE-2016-10025
            XSA-202   CVE-2016-10024
        For completeness, the following XSAs do not apply here:
            XSA-197   CVE-2016-9381      Bug is in qemu
            XSA-199   CVE-2016-9637      Bug is in qemu
            XSA-200   CVE-2016-9932      Xen 4.8 is not affected
      * Cherry pick a build failure fix:
          "x86/emul: add likely()/unlikely() to test harness"
    
      [ Ian Jackson ]
      * Drop -lcrypto search from upstream configure, and from our
        Build-Depends.  Closes:#844419.
      * Change my own email address to my work (Citrix) address.  When
        uploading, I will swap hats to effectively sponsor my own upload.
    
      [ Ian Campbell ]
      * Start a qemu process in dom0 to service the toolstacks loopback disk
        attaches. (Closes: #770456)
      * Remove correct pidfile when stopping xenconsoled.
      * Check that xenstored has actually started before talking to it.
        Incorporate a timeout so as not to block boot (Mitigates #737613)
      * Correct syntax error in xen-init-list when running with xend
        (Closes: #763102)
      * Apply SELinux labels to directories created by initscripts. Patch from
        Russell Coker. (Closes: #764912)
      * Include a reportbug control file to redirect bugs to src:xen for
        packages which contain the Xen version in the name.  Closes:#796370.
    
      [ Lubomir Host ]
      * Fix xen-init-name to not fail looking for a nonexistent 'config'
        entry in xl's JSON output.  Closes:#818129.
    
     -- Ian Jackson <email address hidden>  Thu, 22 Dec 2016 14:51:46 +0000
  • xen (4.8.0~rc5-1) unstable; urgency=medium
    
      * New upstream version, Xen 4.8.0 RC5.
    
     -- Ian Jackson <email address hidden>  Fri, 11 Nov 2016 15:26:58 +0000
  • xen (4.8.0~rc3-1) unstable; urgency=medium
    
      * Upload 4.8.0~rc3 to unstable.  (RC5 is out upstream, but let's not
        update to that in the middle of the Xen 4.6 -> 4.8 transition.)
      * No source changes.
    
     -- Ian Jackson <email address hidden>  Sat, 05 Nov 2016 15:08:47 +0000
  • xen (4.6.0-1+nmu2) unstable; urgency=medium
    
      * Ensure debian/control.md5sum is correctly updated. Fixes FTBFS of
        4.6.0-1+nmu1 on buildds where linux-support-4.2.0-1 is not expected to be
        installed.
    
     -- Ian Campbell <email address hidden>  Tue, 09 Feb 2016 16:41:16 +0000
  • xen (4.6.0-1+nmu1) unstable; urgency=medium
    
      * Non-maintainer upload.
      * Drop unused patching in of $(PREFIX), $(SBINDIR) and $(BINDIR)
        which are no longer used by the upstream build system.
      * Use correct/consistent LIBEXEC dirs throughout build
        (Closes: #805508).
    
     -- Ian Campbell <email address hidden>  Tue, 19 Jan 2016 14:43:54 +0000
  • xen (4.6.0-1) unstable; urgency=medium
    
      * New upstream release.
      * CVE-2015-7812
      * CVE-2015-7813
      * CVE-2015-7814
      * CVE-2015-7835
      * CVE-2015-7969
      * CVE-2015-7970
      * CVE-2015-7971
      * CVE-2015-7972
    
     -- Bastian Blank <email address hidden>  Sun, 01 Nov 2015 21:49:07 +0100
  • xen (4.4.1-9+deb8u1) jessie-security; urgency=medium
    
      * Apply fix for CVE-2015-4163 (XSA 134)
        - gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
          ... avoiding NULL derefs when the version to use wasn't set yet
      * Apply fix for CVE-2015-4164 (XSA 136)
        - x86/traps: loop in the correct direction in compat_iret()
    
     -- Guido Trotter <email address hidden>  Wed, 10 Jun 2015 18:16:26 +0000
  • xen (4.4.1-9) unstable; urgency=high
    
    
      * Explicitly disable graphics for qemu. (closes: #780975)
        CVE-2015-2152
      * Update fix for insufficient permissions checks on arm.
        CVE-2014-3969
      * Break apart long latency MMIO operations. (closes: #781620)
        CVE-2015-2752
      * Disallow certain domain control operations. (closes: #781620)
        CVE-2015-2751
    
     -- Bastian Blank <email address hidden>  Mon, 06 Apr 2015 20:22:59 +0200
  • xen (4.4.1-8) unstable; urgency=high
    
    
      * Fix uninitialized return from wrong-sized reads from system devices.
        CVE-2015-2044
      * Fix hypervisor memory leak in uninitialized structures.
        CVE-2015-2045
      * Fix hypervisor memory corruption in x86 emulation. (closes: #780227)
        CVE-2015-2151
    
     -- Bastian Blank <email address hidden>  Wed, 11 Mar 2015 20:59:23 +0100
  • xen (4.4.1-7) unstable; urgency=medium
    
    
      [ Bastian Blank ]
      * Fix use after free on guest shutdown.
        CVE-2015-0361
      * Fix rate limits of guest triggered locking.
        CVE-2015-1563
    
      [ Ian Campbell ]
      * Use xen-init-dom0 from initscript when it is available.
    
     -- Bastian Blank <email address hidden>  Sun, 01 Mar 2015 00:56:58 +0100
  • xen (4.4.1-6) unstable; urgency=medium
    
    
      * Fix starvation of writers in locks.
        CVE-2014-9065
    
     -- Bastian Blank <email address hidden>  Thu, 11 Dec 2014 15:56:08 +0100
  • xen (4.4.1-5) unstable; urgency=medium
    
    
      * Fix excessive checks of hypercall arguments.
        CVE-2014-8866
      * Fix boundary checks of emulated MMIO access.
        CVE-2014-8867
      * Fix additional memory leaks in xl. (closes: #767295)
    
     -- Bastian Blank <email address hidden>  Sun, 30 Nov 2014 20:13:32 +0100
  • xen (4.4.1-4) unstable; urgency=medium
    
    
      [ Bastian Blank ]
      * Make operations pre-emptible.
        CVE-2014-5146, CVE-2014-5149
      * Don't allow page table updates from non-PV page tables.
        CVE-2014-8594
      * Enforce privilege level while loading code segment.
        CVE-2014-8595
      * Fix reference counter leak.
        CVE-2014-9030
      * Use linux 3.16.0-4 stuff.
      * Fix memory leak in xl. (closes: #767295)
    
      [ Ian Campbell ]
      * Add licensing for tools/python/logging to debian/copyright.
        (Closes: #759384)
      * Correctly include xen-init-name in xen-utils-common. (Closes: #769543)
      * xen-utils recommends grub-xen-host package (Closes: #770460)
    
     -- Bastian Blank <email address hidden>  Thu, 27 Nov 2014 20:17:36 +0100
  • xen (4.4.1-3) unstable; urgency=medium
    
    
      [ Bastian Blank ]
      * Remove unused build-dependencies.
      * Extend list of affected systems for broken interrupt assignment.
        CVE-2013-3495
      * Fix race in hvm memory management.
        CVE-2014-7154
      * Fix missing privilege checks on instruction emulation.
        CVE-2014-7155, CVE-2014-7156
      * Fix uninitialized control structures in FIFO handling.
        CVE-2014-6268
      * Fix MSR range check in emulation.
        CVE-2014-7188
    
      [ Ian Campbell ]
      * Install xen.efi into /boot for amd64 builds.
    
     -- Bastian Blank <email address hidden>  Fri, 17 Oct 2014 16:27:46 +0200
  • xen (4.4.1-2) unstable; urgency=medium
    
    
      * Re-build with correct content.
      * Use dh_lintian.
    
     -- Bastian Blank <email address hidden>  Wed, 24 Sep 2014 20:23:14 +0200
  • xen (4.4.1-1) unstable; urgency=medium
    
    
      * New upstream release.
        - Fix several vulnerabilities. (closes: #757724)
          CVE-2014-2599, CVE-2014-3124,
          CVE-2014-3967, CVE-2014-3968,
          CVE-2014-4021
    
     -- Bastian Blank <email address hidden>  Sun, 21 Sep 2014 10:45:47 +0200
  • xen (4.4.0-5) unstable; urgency=medium
    
    
      [ Ian Campbell ]
      * Expand on the descriptions of some packages. (Closes: #466683)
      * Clarify where xen-utils-common is required. (Closes: #612403)
      * No longer depend on gawk. Xen can now use any awk one of which is always
        present. (Closes: #589176)
      * Put core dumps in /var/lib/xen/dump and ensure it exists.
        (Closes: #444000)
    
      [ Bastian Blank ]
      * Handle JSON output from xl in xendomains init script.
    
     -- Bastian Blank <email address hidden>  Sat, 06 Sep 2014 22:11:20 +0200
  • xen (4.4.0-4) unstable; urgency=medium
    
    
      [ Bastian Blank ]
      * Also remove unused OCaml packages from control file.
      * Make library packages multi-arch: same. (closes: #730417)
      * Use debhelper compat level 9. (closes: #692352)
    
      [ Ian Campbell ]
      * Correct contents of /etc/xen/scripts/hotplugpath.sh (Closes: #706283)
      * Drop references cpuperf-xen and cpuperf-perfcntr. (Closes: #733847)
      * Install xentrace_format(1), xentrace(8) and xentop(1). (Closes: #407143)
    
     -- Bastian Blank <email address hidden>  Sat, 30 Aug 2014 13:34:04 +0200
  • xen (4.4.0-3) unstable; urgency=medium
    
    
      [ Ian Campbell ]
      * Use correct SeaBIOS binary which supports Xen (Closes: #737905).
    
      [ Bastian Blank ]
      * Really update config.{sub,guess}.
    
     -- Bastian Blank <email address hidden>  Fri, 29 Aug 2014 16:33:19 +0200
  • xen (4.4.0-2) unstable; urgency=medium
    
    
      * Remove broken and unused OCaml-support.
    
     -- Bastian Blank <email address hidden>  Mon, 18 Aug 2014 15:18:42 +0200
  • xen (4.4.0-1) unstable; urgency=medium
    
    
      [ Bastian Blank ]
      * New upstream release.
        - Update scripts for compatibility with latest coreutils.
          (closes: #718898)
        - Fix guest reboot with xl toolstack. (closes: #727100)
        - CVE-2013-6375: Insufficient TLB flushing in VT-d (iommu) code.
          (closes: #730254)
        - xl support for global VNC options. (closes: #744157)
        - vif scripts can now be named relative to /etc/xen/scripts.
          (closes: #744160)
        - Support for arbitrary sized SeaBIOS binaries. (closes: #737905)
        - pygrub searches for extlinux.conf in the expected places.
          (closes: #697407)
        - Update scripts to use correct syntax for ip command.
          (closes: #705659)
      * Fix install of xend configs to not break compatibility.
    
      [ Ian Campbell ]
      * Disable blktap1 support using new configure option instead of by patching.
      * Disable qemu-traditional and rombios support using new configure option
        instead of by patching. No need to build-depend on ipxe any more.
      * Use system qemu-xen via new configure option instead of patching.
      * Use system seabios via new configure option instead of patching.
      * Use EXTRA_CFLAGS_XEN_TOOLS and APPEND_{CPPFLAGS,LDFLAGS} during build.
      * Add support for armhf and arm64.
      * Update config.{sub,guess}.
    
     -- Bastian Blank <email address hidden>  Sat, 09 Aug 2014 13:09:00 +0200
  • xen (4.3.0-3) unstable; urgency=low
    
    
      * Revive hypervisor on i386.
    
     -- Bastian Blank <email address hidden>  Fri, 18 Oct 2013 00:15:16 +0200
  • xen (4.3.0-2) unstable; urgency=low
    
    
      * Force proper install order. (closes: #721999)
    
     -- Bastian Blank <email address hidden>  Sat, 05 Oct 2013 15:03:36 +0000
  • xen (4.3.0-1) unstable; urgency=low
    
    
      * New upstream release.
        - Fix HVM PCI passthrough. (closes: #706543)
      * Call configure with proper arguments.
      * Remove now empty xen-docs package.
      * Disable external code retrieval.
      * Drop all i386 hypervisor packages.
      * Drop complete blktap support.
      * Create /run/xen.
      * Make xen-utils recommend qemu-system-x86. (closes: #688311)
        - This version comes with audio support. (closes: #635166)
      * Make libxenlight and libxlutil public. (closes: #644390)
        - Set versioned ABI name.
        - Install headers.
        - Move libs into normal library path.
      * Use build flags in the tools build.
        - Fix fallout from hardening flags.
      * Update Standards-Version to 3.9.4. No changes.
    
     -- Bastian Blank <email address hidden>  Thu, 05 Sep 2013 13:54:03 +0200
  • xen (4.2.2-1) unstable; urgency=low
    
    
      * New upstream release.
        - Fix build with gcc 4.8. (closes: #712376)
      * Build-depend on libssl-dev. (closes: #712366)
      * Enable hardening as much as possible.
      * Re-enable ocaml build fixes. (closes: #695176)
      * Check for out-of-bound values in CPU affinity setup.
        CVE-2013-2072
      * Fix information leak on AMD CPUs.
        CVE-2013-2076
      * Recover from faults on XRSTOR.
        CVE-2013-2077
      * Properly check guest input to XSETBV.
        CVE-2013-2078
    
     -- Bastian Blank <email address hidden>  Thu, 11 Jul 2013 00:28:24 +0200
  • xen (4.2.1-2) unstable; urgency=low
    
    
      * Actually upload to unstable.
    
     -- Bastian Blank <email address hidden>  Sun, 12 May 2013 00:20:58 +0200
  • xen (4.1.4-4) unstable; urgency=high
    
    
      * Make several long running operations preemptible.
        CVE-2013-1918
      * Fix source validation for VT-d interrupt remapping.
        CVE-2013-1952
    
     -- Bastian Blank <email address hidden>  Thu, 02 May 2013 14:30:29 +0200
  • xen (4.1.4-3) unstable; urgency=high
    
    
      * Fix return from SYSENTER.
        CVE-2013-1917
      * Fix various problems with guest interrupt handling.
        CVE-2013-1919
      * Only save pointer after access checks.
        CVE-2013-1920
      * Fix domain locking for transitive grants.
        CVE-2013-1964
    
     -- Bastian Blank <email address hidden>  Fri, 19 Apr 2013 13:01:57 +0200
  • xen (4.1.4-2) unstable; urgency=low
    
    
      * Use pre-device interrupt remapping mode per default. Fix removing old
        remappings.
        CVE-2013-0153
    
     -- Bastian Blank <email address hidden>  Wed, 06 Feb 2013 13:04:52 +0100
  • xen (4.1.4-1) unstable; urgency=low
    
    
      * New upstream release.
        - Disable process-context identifier support in newer CPUs for all
          domains.
        - Add workarounds for AMD errata.
        - Don't allow any non-canonical addresses.
        - Use Multiboot memory map if BIOS emulation does not provide one.
        - Fix several problems in tmem.
          CVE-2012-3497
        - Fix error handling in domain creation.
        - Adjust locking and interrupt handling during S3 resume.
        - Tighten more resource and memory range checks.
        - Reset performance counters. (closes: #698651)
        - Remove special-case for first IO-APIC.
        - Fix MSI handling for HVM domains. (closes: #695123)
        - Revert cache value of disks in HVM domains.
    
     -- Bastian Blank <email address hidden>  Thu, 31 Jan 2013 15:44:50 +0100
  • xen (4.1.3-8) unstable; urgency=high
    
    
      * Fix error in VT-d interrupt remapping source validation.
        CVE-2012-5634
      * Fix buffer overflow in qemu e1000 emulation.
        CVE-2012-6075
      * Update patch, mention second CVE.
        CVE-2012-5511, CVE-2012-6333
    
     -- Bastian Blank <email address hidden>  Sat, 19 Jan 2013 13:55:07 +0100
  • xen (4.1.3-7) unstable; urgency=low
    
    
      * Fix clock jump due to incorrect annotated inline assembler.
        (closes: #599161)
      * Add support for XZ compressed Linux kernels to hypervisor and userspace
        based loaders, it is needed for any Linux kernels newer than Wheezy.
        (closes: #695056)
    
     -- Bastian Blank <email address hidden>  Tue, 11 Dec 2012 18:54:59 +0100
  • xen (4.1.3-6) unstable; urgency=high
    
    
      * Fix error handling in physical to machine memory mapping.
        CVE-2012-5514
    
     -- Bastian Blank <email address hidden>  Tue, 04 Dec 2012 10:51:43 +0100
  • xen (4.1.3-5) unstable; urgency=high
    
    
      * Fix state corruption due to incomplete grant table switch.
        CVE-2012-5510
      * Check range of arguments to several HVM operations.
        CVE-2012-5511
      * Check array index before using it in HVM memory operation.
        CVE-2012-5512
      * Check memory range in memory exchange operation.
        CVE-2012-5513
      * Don't allow too large memory size and avoid busy looping.
        CVE-2012-5515
    
     -- Bastian Blank <email address hidden>  Mon, 03 Dec 2012 19:37:38 +0100
  • xen (4.1.3-4) unstable; urgency=high
    
    
      * Use linux 3.2.0-4 stuff.
      * Fix overflow in timer calculations.
        CVE-2012-4535
      * Check value of physical interrupts parameter before using it.
        CVE-2012-4536
      * Error out on incorrect memory mapping updates.
        CVE-2012-4537
      * Check if toplevel page tables are present.
        CVE-2012-4538
      * Fix infinite loop in compatibility code.
        CVE-2012-4539
      * Limit maximum kernel and ramdisk size.
        CVE-2012-2625, CVE-2012-4544
    
     -- Bastian Blank <email address hidden>  Tue, 20 Nov 2012 15:51:01 +0100
  • xen (4.1.3-3) unstable; urgency=low
    
    
      * Xen domain init script:
        - Make sure Open vSwitch is started before any domain.
        - Properly handle and show output of failed migration and save.
        - Ask all domains to shut down before checking them.
    
     -- Bastian Blank <email address hidden>  Tue, 18 Sep 2012 13:26:32 +0200
  • xen (4.1.3-2) unstable; urgency=medium
    
    
      * Don't allow writing reserved bits in debug register.
        CVE-2012-3494
      * Fix error handling in interrupt assignment.
        CVE-2012-3495
      * Don't trigger bug messages on invalid flags.
        CVE-2012-3496
      * Check array bounds in interrupt assignment.
        CVE-2012-3498
      * Properly check bounds while setting the cursor in qemu.
        CVE-2012-3515
      * Disable monitor in qemu by default.
        CVE-2012-4411
    
     -- Bastian Blank <email address hidden>  Fri, 07 Sep 2012 19:41:46 +0200
  • xen (4.1.3-1) unstable; urgency=medium
    
    
      * New upstream release: (closes: #683286)
        - Don't leave the x86 emulation in a bad state. (closes: #683279)
          CVE-2012-3432
        - Only check for shared pages while any exist on teardown.
          CVE-2012-3433
        - Fix error handling for unexpected conditions.
        - Update CPUID masking to latest Intel spec.
        - Allow large ACPI ids.
        - Fix IOMMU support for PCI-to-PCIe bridges.
        - Disallow access to some sensitive IO-ports.
        - Fix wrong address in IOTLB.
        - Fix deadlock on CPUs without working cpufreq driver.
        - Use uncached disk access in qemu.
        - Fix buffer size on emulated e1000 device in qemu.
      * Fixup broken and remove applied patches.
    
     -- Bastian Blank <email address hidden>  Fri, 17 Aug 2012 11:25:02 +0200
  • xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-5) unstable; urgency=low
    
    
      [ Ian Campbell ]
      * Set tap device MAC addresses to fe:ff:ff:ff:ff:ff (Closes: #671018)
      * Only run xendomains initscript if toolstack is xl or xm (Closes: #680528)
    
      [ Bastian Blank ]
      * Actually build-depend on new enough version of dpkg-dev.
      * Add xen-system-* meta-packages. We are finally in a position to do
        automatic upgrades and this package is missing. (closes: #681376)
    
     -- Bastian Blank <email address hidden>  Sat, 28 Jul 2012 10:23:26 +0200
  • xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-4) unstable; urgency=low
    
    
      * Add Build-Using info to xen-utils package.
      * Fix build-arch target.
    
     -- Bastian Blank <email address hidden>  Sun, 01 Jul 2012 19:52:30 +0200
  • xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-2) unstable; urgency=low
    
    
      * Fix pointer mismatch in interrupt functions. Fixes build on i386.
    
     -- Bastian Blank <email address hidden>  Fri, 15 Jun 2012 18:00:51 +0200
  • xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-1) unstable; urgency=low
    
    
      * New upstream snapshot.
        - Fix privilege escalation and syscall/sysenter DoS while using
          non-canonical addresses by untrusted PV guests. (closes: #677221)
          CVE-2012-0217
          CVE-2012-0218
        - Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
          cause a DoS of the host.
      * Don't fail if standard toolstacks are not available. (closes: #677244)
    
     -- Bastian Blank <email address hidden>  Thu, 14 Jun 2012 17:06:25 +0200
  • xen (4.1.2-7) unstable; urgency=low
    
    
      * Really use ucf.
      * Update init script dependencies:
        - Start $syslog before xen.
        - Start drbd and iscsi before xendomains. (closes: #626356)
        - Start corosync and heartbeat after xendomains.
      * Remove /var/log/xen on purge. (closes: #656216)
    
     -- Bastian Blank <email address hidden>  Tue, 22 May 2012 10:44:41 +0200
  • xen (4.1.2-6) unstable; urgency=low
    
    
      * Fix generation of architectures for hypervisor packages.
      * Remove information about loop devices, it is incorrect. (closes: #503044)
      * Update xendomains init script:
        - Create directory for domain images only root readable. (closes: #596048)
        - Add missing sanity checks for variables. (closes: #671750)
        - Remove no longer supported config options.
        - Don't fail if no config is available.
        - Remove extra output if domain was restored.
    
     -- Bastian Blank <email address hidden>  Sun, 06 May 2012 20:07:41 +0200
  • xen (4.1.2-5) unstable; urgency=low
    
    
      * Actually force init script rename. (closes: #669341)
      * Fix long output from xl.
      * Move complete init script setup.
      * Rewrite xendomains init script:
        - Use LSB output functions.
        - Make output more clear.
        - Use xen toolstack wrapper.
        - Use a python script to properly read domain details.
      * Set name for Domain-0.
    
     -- Bastian Blank <email address hidden>  Mon, 23 Apr 2012 11:56:45 +0200
  • xen (4.1.2-4) unstable; urgency=low
    
    
      [ Bastian Blank ]
      * Build-depend on ipxe-qemu instead of ipxe. (closes: #665070)
      * No longer use a4wide latex package.
      * Use ucf for /etc/default/xen.
      * Remove handling for old udev rules link and xenstored directory.
      * Rename xend init script to xen.
    
      [ Lionel Elie Mamane ]
      * Fix toolstack script to work with old dash. (closes: #648029)
    
     -- Bastian Blank <email address hidden>  Mon, 16 Apr 2012 08:47:29 +0000
  • xen (4.1.2-3) unstable; urgency=low
    
    
      * Merge xen-common source package.
      * Remove xend wrapper, it should not be called by users.
      * Support xl in init script.
      * Restart xen daemons on upgrade.
      * Restart and stop xenconsoled in init script.
      * Load xen-gntdev module.
      * Create /var/lib/xen. (closes: #658101)
      * Cleanup udev rules. (closes: #657745)
    
     -- Bastian Blank <email address hidden>  Wed, 01 Feb 2012 19:28:28 +0100
  • xen (4.1.2-2) unstable; urgency=low
    
    
      [ Jon Ludlam ]
      * Import (partially reworked) upstream changes for OCaml support.
        - Rename the ocamlfind packages.
        - Remove uuid and log libraries.
        - Fix 2 bit-twiddling bugs and an off-by-one
      * Fix build of OCaml libraries.
      * Add OCaml library and development package.
      * Include some missing headers.
    
     -- Bastian Blank <email address hidden>  Sat, 10 Dec 2011 19:13:25 +0000
  • xen (4.1.2-1) unstable; urgency=low
    
    
      * New upstream release.
      * Build-depend on pkg-config.
      * Add package libxen-4.1. Includes some shared libs.
    
     -- Bastian Blank <email address hidden>  Sat, 26 Nov 2011 18:28:06 +0100
  • xen (4.1.1-3) unstable; urgency=low
    
    
      [ Julien Danjou ]
      * Remove Julien Danjou from the Uploaders field. (closes: #590439)
    
      [ Bastian Blank ]
      * Use current version of python. (closes: #646660)
      * Build-depend against liblzma-dev, it is used if available.
        (closes: #646694)
      * Update Standards-Version to 3.9.2. No changes.
      * Don't use brace-expansion in debhelper install files.
    
     -- Bastian Blank <email address hidden>  Wed, 26 Oct 2011 14:42:33 +0200
  • xen (4.1.1-2) unstable; urgency=low
    
    
      * Fix hvmloader with gcc 4.6.
    
     -- Bastian Blank <email address hidden>  Fri, 05 Aug 2011 23:58:36 +0200
  • xen (4.1.1-1) unstable; urgency=low
    
      * New upstream release.
      * Don't use qemu-dm if it is not needed. (Backport from xen-unstable.)
      * Use dh_python2.
    
     -- Bastian Blank <email address hidden>  Mon, 18 Jul 2011 19:38:38 +0200
  • xen (4.1.0-3) unstable; urgency=low
    
      * Add ghostscript to build-deps.
      * Enable qemu-dm build.
        - Add qemu as another orig tar.
        - Remove blktap1, bluetooth and sdl support from qemu.
        - Recommend qemu-keymaps and qemu-utils.
    
     -- Bastian Blank <email address hidden>  Thu, 28 Apr 2011 15:20:45 +0200
  • xen (4.1.0-2) unstable; urgency=low
    
      * Re-enable hvmloader:
        - Use packaged ipxe.
      * Workaround incompatibility with xenstored of Xen 4.0.
    
     -- Bastian Blank <email address hidden>  Fri, 15 Apr 2011 11:38:25 +0200
  • xen (4.1.0-1) unstable; urgency=low
    
      * New upstream release.
    
     -- Bastian Blank <email address hidden>  Sun, 27 Mar 2011 18:09:28 +0000
  • xen (4.1.0~rc6-1) unstable; urgency=low
    
      * New upstream release candidate.
      * Build documentation using pdflatex.
      * Use python 2.6. (closes: #596545)
      * Fix lintian override.
      * Install new tools: xl, xenpaging.
      * Enable blktap2.
        - Use own md5 implementation.
        - Fix includes.
        - Fix linking of blktap2 binaries.
        - Remove optimization setting.
      * Temporarily disable hvmloader, wants to download ipxe.
      * Remove xenstored pid check from xl.
    
     -- Bastian Blank <email address hidden>  Thu, 17 Mar 2011 16:12:45 +0100
  • xen (4.0.1-2) unstable; urgency=low
    
      * Fix races in memory management.
      * Make sure that frame-table compression leaves enough aligned.
      * Disable XSAVE support. (closes: #595490)
      * Check for dying domain instead of raising an assertion.
      * Add C6 state with EOI errata for Intel.
      * Make some memory management interrupt safe. Unsure if really needed.
      * Raise bar for inter-socket migrations on mostly-idle systems.
      * Fix interrupt handling for legacy routed interrupts.
      * Allow to set maximal domain memory even during a running change.
      * Support new partition name in pygrub. (closes: #599243)
      * Fix some comparisons "< 0" that may be optimized away.
      * Check for MWAIT support before using it.
      * Fix endless loop on interrupts on Nehalem cpus.
      * Don't crash upon direct GDT/LDT access. (closes: #609531)
        CVE-2010-4255
      * Don't lose timer ticks after domain restore.
      * Reserve some space for IOMMU area in dom0. (closes: #608715)
      * Fix hypercall arguments after trace callout.
      * Fix some error paths in vtd support. Memory leak.
      * Reinstate ACPI DMAR table.
    
     -- Bastian Blank <email address hidden>  Wed, 12 Jan 2011 15:01:40 +0100
  • xen (4.0.1-1) unstable; urgency=low
    
    
      * New upstream release.
        - Fix IOAPIC S3 with interrupt remapping enabled.
    
     -- Bastian Blank <email address hidden>  Fri, 03 Sep 2010 17:14:28 +0200
  • xen (4.0.1~rc6-1) unstable; urgency=low
    
    
      * New upstream release candidate.
        - Add some missing locks for page table walk.
        - Fix NMU injection into guest.
        - Fix ioapic updates for vt-d.
        - Add check for GRUB2 commandline behaviour.
        - Fix handling of invalid kernel images.
        - Allow usage of powernow.
      * Remove lowlevel python modules usage from pygrub. (closes: #588811)
    
     -- Bastian Blank <email address hidden>  Tue, 17 Aug 2010 23:15:34 +0200
  • xen (4.0.1~rc5-1) unstable; urgency=low
    
    
      * New upstream release candidate.
    
     -- Bastian Blank <email address hidden>  Mon, 02 Aug 2010 17:06:27 +0200
  • xen (4.0.1~rc3-1) unstable; urgency=low
    
    
      * New upstream release candidate.
      * Call dh_pyversion with the correct version.
      * Restart xen daemon on upgrade.
    
     -- Bastian Blank <email address hidden>  Wed, 30 Jun 2010 16:30:47 +0200
  • xen (4.0.0-2) unstable; urgency=low
    
    
      * Fix python dependency. (closes: #586666)
        - Use python-support.
        - Hardcode to use python 2.5 for now.
    
     -- Bastian Blank <email address hidden>  Mon, 21 Jun 2010 17:23:16 +0200
  • xen (4.0.0-1) unstable; urgency=low
    
    
      * Update to unstable.
      * Fix spelling in README.
      * Remove unnecessary build-depends.
      * Fixup xend to use different filename lookup.
    
     -- Bastian Blank <email address hidden>  Thu, 17 Jun 2010 11:16:55 +0200