- xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5+rpi1) buster-staging; urgency=medium
++xen (4.11.1-1+rpi1) buster-staging; urgency=medium
+
+ [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Wed, 07 Feb 2018 17:50:45 +0000]
+ * Update to new upstream version 4.8.3+comet2+shim4.10.0+comet3.
+ Specifically, this is two upstreams:
+ - Upstream Xen 4.8.3 "git merge"d with upstream
+ Xen Security Team (XSA-254) 4.8.3pre-shim-comet-2, in `.'
+ - Upstream Xen 4.10.0-shim-comet-3 in `shim'.
+ The upstream tarballs are from `git archive' with the
+ gitattributes for mangling .gitarchive-info disabled.
+ Therefore, we include these security fixes:
+ XSA-254 CVE-2017-5754 but SP3 "Meltdown" only
+ XSA-253 CVE-2018-5244
+ XSA-251 CVE-2017-17565
+ XSA-250 CVE-2017-17564
+ XSA-249 CVE-2017-17563
+ XSA-248 CVE-2017-17566
+ * Ship README.pti and README.comet from the upstream XSA-254
+ advisory in /usr/share/doc/xen-utils/common/.
+
+ [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Fri, 09 Feb 2018 14:42:57 +0000]
+ * Fix builds on other than amd64.
+
+ [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Fri, 02 Mar 2018 16:07:18 +0000]
+ * Security fixes from upstream XSAs:
+ XSA-252 CVE-2018-7540
+ XSA-255 CVE-2018-7541
+ XSA-256 CVE-2018-7542
+ The upstream BTI changes from XSA-254 (Spectre v2 mitigation)
+ are *not* included. They are currently failing in upstream CI.
+ * init scripts: Do not kill per-domain qemu processes. Closes:#879751.
+ * Install Meltdown READMEs on all architectures. Closes:#890488.
+ * Ship xen-diag (by cherry-picking the appropriate commits from
+ upstream). This can help with diagnosis of #880554.
+
+ [changes brought forward from 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Thu, 10 May 2018 16:50:52 +0100]
+ * Update to new upstream version 4.8.3+xsa262+shim4.10.0+comet3.
+ (This is the upstream staging-4.8 branch, which is ahead of the
+ upstream CI-tested stable-4.8 branch by precisely the three
+ most recent XSA fixes. We are switching away from the special
+ upstream 4.8 comet branch.)
+
+ * Resulting security fixes:
+ XSA-258 CVE-2018-10472
+ XSA-259 CVE-2018-10471
+ XSA-260 CVE-2018-8897
+ XSA-261 CVE-2018-10982
+ XSA-262 CVE-2018-10981
+
+ * Apply two further build fixes from upstream staging-4.8.
+
+ [changes brought forward from 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Tue, 22 May 2018 18:41:33 +0100]
+ * Include upstream XSA-263 (speculative store bypass) fixes for x86.
+ I hear that ARM fixes will be forthcoming RSN. Ie,
+ XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.)
+
+ * Include a number of upstream bugfixes, including fixes to previous
+ security fixes, some of which are security-relevant:
+ x86: correct ordering of operations during S3 resume
+ x86: suppress BTI mitigations around S3 suspend/resume
+ x86/spec_ctrl: Updates to retpoline-safety decision making
+ x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids)
+ x86/HVM: never retain emulated insn cache when exiting back to guest
+ xpti: fix bug in double fault handling
+ x86/cpuidle: don't init stats lock more than once
+ xen: Introduce vcpu_sleep_nosync_locked()
+ xen/schedule: Fix races in vcpu migration
+ x86: Fix "x86: further CPUID handling adjustments"
+
+ The result is very similar to upstream staging-4.8. However, as
+ upstream staging-4.8 has not yet passed upstream CI, I have chosen to
+ cherry pick fixes so that I can drop a couple that don't look
+ immediately important. We will expect to resynchronise with
+ upstream's 4.8 stable branch soon.
+
+ * Drop our patch `tools: fix arm build after bdf693ee61b48' (which was
+ needed to build the upstream 4.8 comet branch on ARM but is not needed
+ for the the upstream staging/stable branch). Closes:#898898.
+
+ * Update changelog for 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 to
+ mention branch switch from upstream 4.8 comet to upstream main 4.8,
+ and add some missing CVEs.
+
+ [changes brought forward from 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 by Ian Jackson <ian.jackson@citrix.com> at Mon, 18 Jun 2018 16:10:38 +0100]
+ * Update to new upstream version 4.8.3+xsa267+shim4.10.1+xsa267.
+ XSA-267 CVE-2018-3665
+
+ I have actually taken upstream's staging-4.8 CI input branch, which is
+ identical to the CI-tested stable-4.8 except that it also has the
+ XSA-267 patches. There are additional patches in upstream's
+ stable-4.8 branch, beyond what was in the previous Debian stretch
+ security update, which are prerequisites for the XSA-267 patches.
+
+ For the shim, I have updated to upstream's staging-4.10, which is
+ identical to the CI-tested stable-4.10q except, again, for
+ XSA-267-related patches. The 4.10.0-comet branch lacks speculation
+ control entirely and has been superseded upstream.
+
+ [changes brought forward from 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 by Ian Jackson <ijackson@chiark.greenend.org.uk> at Fri, 22 Jun 2018 16:38:39 +0100]
+ * Security upload [thanks to Wolodja Wentland]:
+ XSA-264 (no CVE yet)
+ XSA-265 (no CVE yet)
+ XSA-266 (no CVE yet)
+
+ [changes brought forward from 4.4.1-9+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Sun, 30 Aug 2015 15:43:16 +0000]
+ * replace "dmb" with "mcr p15, #0, r0, c7, c10, #5" for armv6
+
+ [changes introduced in 4.6.0-1+rpi1 by Peter Michael Green]
+ * Use kernel 3.18 for now as I haven't dealt with 4.x yet.
+
+ [changes introduced in 4.8.0-1+rpi1 by Peter Micheal Green]
+ * Add build-depends on ghostscript.
+
- -- Raspbian forward porter <root@raspbian.org> Thu, 25 Oct 2018 20:13:19 +0000
++ -- Raspbian forward porter <root@raspbian.org> Sat, 19 Jan 2019 11:47:24 +0000
++
+ xen (4.11.1-1) unstable; urgency=medium
+
+ * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
+ (Closes: #911457)
+ * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
+ * debian/rules: Don't exclude the actual pygrub script.
+ * Update to new upstream version 4.11.1, which also contains:
+ - Fix: insufficient TLB flushing / improper large page mappings with AMD
+ IOMMUs
+ XSA-275 CVE-2018-19961 CVE-2018-19962
+ - Fix: resource accounting issues in x86 IOREQ server handling
+ XSA-276 CVE-2018-19963
+ - Fix: x86: incorrect error handling for guest p2m page removals
+ XSA-277 CVE-2018-19964
+ - Fix: x86: Nested VT-x usable even when disabled
+ XSA-278 CVE-2018-18883
+ - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
+ addresses
+ XSA-279 CVE-2018-19965
+ - Fix for XSA-240 conflicts with shadow paging
+ XSA-280 CVE-2018-19966
+ - Fix: guest use of HLE constructs may lock up host
+ XSA-282 CVE-2018-19967
+ * Update version handling patching to put the team mailing list address in
+ the first hypervisor log line and fix broken other substitutions.
+ * Disable handle_iptable hook in vif-common script. See #894013 for more
+ information.
+
+ -- Hans van Kranenburg <hans@knorrie.org> Wed, 02 Jan 2019 20:59:40 +0100
xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium
projects / xen.git / commitdiff