From: Raspbian automatic forward porter Date: Sat, 19 Jan 2019 11:47:26 +0000 (+0000) Subject: Merge version 4.11.1~pre.20180911.5acdd26fdc+dfsg-5+rpi1 and 4.11.1-1 to produce... X-Git-Tag: archive/raspbian/4.11.1-1+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=8aca58aecccfbeec1368b84b21841f162c39869e;p=xen.git Merge version 4.11.1~pre.20180911.5acdd26fdc+dfsg-5+rpi1 and 4.11.1-1 to produce 4.11.1-1+rpi1 --- 8aca58aecccfbeec1368b84b21841f162c39869e diff --cc debian/changelog index 323c033e1d,96e0800441..decfcd9656 --- a/debian/changelog +++ b/debian/changelog @@@ -1,117 -1,32 +1,147 @@@ - xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5+rpi1) buster-staging; urgency=medium ++xen (4.11.1-1+rpi1) buster-staging; urgency=medium + + [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4 by Ian Jackson at Wed, 07 Feb 2018 17:50:45 +0000] + * Update to new upstream version 4.8.3+comet2+shim4.10.0+comet3. + Specifically, this is two upstreams: + - Upstream Xen 4.8.3 "git merge"d with upstream + Xen Security Team (XSA-254) 4.8.3pre-shim-comet-2, in `.' + - Upstream Xen 4.10.0-shim-comet-3 in `shim'. + The upstream tarballs are from `git archive' with the + gitattributes for mangling .gitarchive-info disabled. + Therefore, we include these security fixes: + XSA-254 CVE-2017-5754 but SP3 "Meltdown" only + XSA-253 CVE-2018-5244 + XSA-251 CVE-2017-17565 + XSA-250 CVE-2017-17564 + XSA-249 CVE-2017-17563 + XSA-248 CVE-2017-17566 + * Ship README.pti and README.comet from the upstream XSA-254 + advisory in /usr/share/doc/xen-utils/common/. + + [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1 by Ian Jackson at Fri, 09 Feb 2018 14:42:57 +0000] + * Fix builds on other than amd64. 
+ + [changes brought forward from 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 by Ian Jackson at Fri, 02 Mar 2018 16:07:18 +0000] + * Security fixes from upstream XSAs: + XSA-252 CVE-2018-7540 + XSA-255 CVE-2018-7541 + XSA-256 CVE-2018-7542 + The upstream BTI changes from XSA-254 (Spectre v2 mitigation) + are *not* included. They are currently failing in upstream CI. + * init scripts: Do not kill per-domain qemu processes. Closes:#879751. + * Install Meltdown READMEs on all architectures. Closes:#890488. + * Ship xen-diag (by cherry-picking the appropriate commits from + upstream). This can help with diagnosis of #880554. + + [changes brought forward from 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 by Ian Jackson at Thu, 10 May 2018 16:50:52 +0100] + * Update to new upstream version 4.8.3+xsa262+shim4.10.0+comet3. + (This is the upstream staging-4.8 branch, which is ahead of the + upstream CI-tested stable-4.8 branch by precisely the three + most recent XSA fixes. We are switching away from the special + upstream 4.8 comet branch.) + + * Resulting security fixes: + XSA-258 CVE-2018-10472 + XSA-259 CVE-2018-10471 + XSA-260 CVE-2018-8897 + XSA-261 CVE-2018-10982 + XSA-262 CVE-2018-10981 + + * Apply two further build fixes from upstream staging-4.8. + + [changes brought forward from 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 by Ian Jackson at Tue, 22 May 2018 18:41:33 +0100] + * Include upstream XSA-263 (speculative store bypass) fixes for x86. + I hear that ARM fixes will be forthcoming RSN. Ie, + XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.) 
+ + * Include a number of upstream bugfixes, including fixes to previous + security fixes, some of which are security-relevant: + x86: correct ordering of operations during S3 resume + x86: suppress BTI mitigations around S3 suspend/resume + x86/spec_ctrl: Updates to retpoline-safety decision making + x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) + x86/HVM: never retain emulated insn cache when exiting back to guest + xpti: fix bug in double fault handling + x86/cpuidle: don't init stats lock more than once + xen: Introduce vcpu_sleep_nosync_locked() + xen/schedule: Fix races in vcpu migration + x86: Fix "x86: further CPUID handling adjustments" + + The result is very similar to upstream staging-4.8. However, as + upstream staging-4.8 has not yet passed upstream CI, I have chosen to + cherry pick fixes so that I can drop a couple that don't look + immediately important. We will expect to resynchronise with + upstream's 4.8 stable branch soon. + + * Drop our patch `tools: fix arm build after bdf693ee61b48' (which was + needed to build the upstream 4.8 comet branch on ARM but is not needed + for the the upstream staging/stable branch). Closes:#898898. + + * Update changelog for 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 to + mention branch switch from upstream 4.8 comet to upstream main 4.8, + and add some missing CVEs. + + [changes brought forward from 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 by Ian Jackson at Mon, 18 Jun 2018 16:10:38 +0100] + * Update to new upstream version 4.8.3+xsa267+shim4.10.1+xsa267. + XSA-267 CVE-2018-3665 + + I have actually taken upstream's staging-4.8 CI input branch, which is + identical to the CI-tested stable-4.8 except that it also has the + XSA-267 patches. There are additional patches in upstream's + stable-4.8 branch, beyond what was in the previous Debian stretch + security update, which are prerequisites for the XSA-267 patches. 
+ + For the shim, I have updated to upstream's staging-4.10, which is + identical to the CI-tested stable-4.10q except, again, for + XSA-267-related patches. The 4.10.0-comet branch lacks speculation + control entirely and has been superseded upstream. + + [changes brought forward from 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 by Ian Jackson at Fri, 22 Jun 2018 16:38:39 +0100] + * Security upload [thanks to Wolodja Wentland]: + XSA-264 (no CVE yet) + XSA-265 (no CVE yet) + XSA-266 (no CVE yet) + + [changes brought forward from 4.4.1-9+rpi1 by Peter Michael Green at Sun, 30 Aug 2015 15:43:16 +0000] + * replace "dmb" with "mcr p15, #0, r0, c7, c10, #5" for armv6 + + [changes introduced in 4.6.0-1+rpi1 by Peter Michael Green] + * Use kernel 3.18 for now as I haven't dealt with 4.x yet. + + [changes introduced in 4.8.0-1+rpi1 by Peter Micheal Green] + * Add build-depends on ghostscript. + - -- Raspbian forward porter Thu, 25 Oct 2018 20:13:19 +0000 ++ -- Raspbian forward porter Sat, 19 Jan 2019 11:47:24 +0000 ++ + xen (4.11.1-1) unstable; urgency=medium + + * debian/control: Add Homepage, Vcs-Browser and Vcs-Git. + (Closes: #911457) + * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086) + * debian/rules: Don't exclude the actual pygrub script. 
+ * Update to new upstream version 4.11.1, which also contains: + - Fix: insufficient TLB flushing / improper large page mappings with AMD + IOMMUs + XSA-275 CVE-2018-19961 CVE-2018-19962 + - Fix: resource accounting issues in x86 IOREQ server handling + XSA-276 CVE-2018-19963 + - Fix: x86: incorrect error handling for guest p2m page removals + XSA-277 CVE-2018-19964 + - Fix: x86: Nested VT-x usable even when disabled + XSA-278 CVE-2018-18883 + - Fix: x86: DoS from attempting to use INVPCID with a non-canonical + addresses + XSA-279 CVE-2018-19965 + - Fix for XSA-240 conflicts with shadow paging + XSA-280 CVE-2018-19966 + - Fix: guest use of HLE constructs may lock up host + XSA-282 CVE-2018-19967 + * Update version handling patching to put the team mailing list address in + the first hypervisor log line and fix broken other substitutions. + * Disable handle_iptable hook in vif-common script. See #894013 for more + information. + + -- Hans van Kranenburg Wed, 02 Jan 2019 20:59:40 +0100 xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium diff --cc debian/patches/series index be6d9f7a5b,e4a304bb22..0b0ae4c9cb --- a/debian/patches/series +++ b/debian/patches/series @@@ -41,4 -41,5 +41,6 @@@ prefix-abiname/tools-libfsimage-prefix. 0041-tools-firmware-Makefile-CONFIG_PV_SHIM-enable-only-o.patch 0042-docs-man-xen-vbd-interface.7-Provide-properly-format.patch 0043-Revert-tools-xenstore-compatibility.diff.patch + 0044-Fix-empty-fields-in-first-hypervisor-log-line.patch + 0045-vif-common-disable-handle_iptable.patch +armv6.diff
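Review bot: In the debian/changelog hunk, the new top entry for 4.11.1-1+rpi1 carries the brought-forward blocks from the 4.8.3 stretch uploads verbatim, so status statements written for those uploads now sit under the 4.11.1 version: "The upstream BTI changes from XSA-254 (Spectre v2 mitigation) are *not* included", "XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.)" and "XSA-264 (no CVE yet)". Someone auditing this package for XSA coverage will read them as describing 4.11.1-1+rpi1. Suggest limiting the top entry to the Raspbian-specific changes (the armv6 "dmb" replacement, the kernel 3.18 note, the ghostscript build-depends) or marking the brought-forward blocks as historical, and checking whether "Use kernel 3.18 for now" from 4.6.0-1+rpi1 still applies. Minor: the attribution lines spell the same name "Peter Michael Green" and "Peter Micheal Green", and the carried text contains "stable-4.10q" and "for the the upstream".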
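Review bot: In the debian/patches/series hunk, armv6.diff lands last, after the newly added 0044-Fix-empty-fields-in-first-hypervisor-log-line.patch and 0045-vif-common-disable-handle_iptable.patch, and nothing in this automatic merge shows it was refreshed against 4.11.1. The changelog describes it as replacing "dmb" with "mcr p15, #0, r0, c7, c10, #5" for armv6, so please confirm that it still applies cleanly on top of the extended series and that the 4.11.1 sources contain no "dmb" use the patch does not cover, since a miss would only show up when building for armv6. It is also the only entry in the visible part of the series without a numeric prefix; a comment in the series file marking it as the Raspbian-only delta would make that intentional.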