From: Raspbian forward pporter Date: Sun, 27 May 2018 13:50:49 +0000 (+0100) Subject: Merge version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5+rpi1 and 4.8.3+xsa262+shim4... X-Git-Tag: archive/raspbian/4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7+rpi1^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=8e816f5cfa95ef1d1e46fed985497b3b77959a80;p=xen.git Merge version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5+rpi1 and 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 to produce 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7+rpi1 --- 8e816f5cfa95ef1d1e46fed985497b3b77959a80 diff --cc debian/changelog index fd7500257f,af5f9bfee6..97a356fb6e --- a/debian/changelog +++ b/debian/changelog @@@ -1,15 -1,56 +1,69 @@@ - xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5+rpi1) stretch-staging; urgency=medium ++xen (4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7+rpi1) stretch-staging; urgency=medium + + [changes brought forward from 4.4.1-9+rpi1 by Peter Michael Green at Sun, 30 Aug 2015 15:43:16 +0000] + * replace "dmb" with "mcr p15, #0, r0, c7, c10, #5" for armv6 + + [changes introduced in 4.6.0-1+rpi1 by Peter Michael Green] + * Use kernel 3.18 for now as I haven't dealt with 4.x yet. + + [changes introduced in 4.8.0-1+rpi1 by Peter Micheal Green] + * Add build-depends on ghostscript. + - -- Raspbian forward porter Mon, 12 Mar 2018 14:09:24 +0000 ++ -- Raspbian forward porter Sun, 27 May 2018 13:50:48 +0000 ++ + xen (4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7) stretch-security; urgency=high + + * Include upstream XSA-263 (speculative store bypass) fixes for x86. + I hear that ARM fixes will be forthcoming RSN. Ie, + XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.) 
+ + * Include a number of upstream bugfixes, including fixes to previous + security fixes, some of which are security-relevant: + x86: correct ordering of operations during S3 resume + x86: suppress BTI mitigations around S3 suspend/resume + x86/spec_ctrl: Updates to retpoline-safety decision making + x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) + x86/HVM: never retain emulated insn cache when exiting back to guest + xpti: fix bug in double fault handling + x86/cpuidle: don't init stats lock more than once + xen: Introduce vcpu_sleep_nosync_locked() + xen/schedule: Fix races in vcpu migration + x86: Fix "x86: further CPUID handling adjustments" + + The result is very similar to upstream staging-4.8. However, as + upstream staging-4.8 has not yet passed upstream CI, I have chosen to + cherry pick fixes so that I can drop a couple that don't look + immediately important. We will expect to resynchronise with + upstream's 4.8 stable branch soon. + + * Drop our patch `tools: fix arm build after bdf693ee61b48' (which was + needed to build the upstream 4.8 comet branch on ARM but is not needed + for the the upstream staging/stable branch). Closes:#898898. + + * Update changelog for 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 to + mention branch switch from upstream 4.8 comet to upstream main 4.8, + and add some missing CVEs. + + -- Ian Jackson Tue, 22 May 2018 18:41:33 +0100 + + xen (4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6) stretch-security; urgency=high + + * Update to new upstream version 4.8.3+xsa262+shim4.10.0+comet3. + (This is the upstream staging-4.8 branch, which is ahead of the + upstream CI-tested stable-4.8 branch by precisely the three + most recent XSA fixes. We are switching away from the special + upstream 4.8 comet branch.) + + * Resulting security fixes: + XSA-258 CVE-2018-10472 + XSA-259 CVE-2018-10471 + XSA-260 CVE-2018-8897 + XSA-261 CVE-2018-10982 + XSA-262 CVE-2018-10981 + + * Apply two further build fixes from upstream staging-4.8. 
+ + -- Ian Jackson Thu, 10 May 2018 16:50:52 +0100 xen (4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) stretch-security; urgency=high diff --cc debian/patches/series index 5656997be1,389a124ecc..851dbff03c --- a/debian/patches/series +++ b/debian/patches/series @@@ -27,11 -27,30 +27,31 @@@ tools-xenstore-compatibility.dif ubuntu-tools-libs-abiname.diff toolstestsx86_emulator-pass--no-pie--fno.patch copy-readme.pti-and-readme.comet-from-th.patch - tools-fix-arm-build-after-bdf693ee61b48.patch tools-utility-to-dump-guest-grant-table-.patch gitignore-add-toolsmiscxen-diag-to-.giti.patch - memory-dont-implicitly-unpin-for-decreas.patch - gnttabarm-dont-corrupt-shared-gfn-array.patch - gnttab-dont-blindly-free-status-pages-up.patch - x86hvm-disallow-the-creation-of-hvm-doma.patch + x86emul-fix-emulator-test-harness-build-.patch + x86emul-fix-emulator-test-harness-build-.patch1 + x86-correct-ordering-of-operations-durin.patch + x86-suppress-bti-mitigations-around-s3-s.patch + x86spec_ctrl-updates-to-retpoline-safety.patch + x86hpet-fix-race-triggering-assertcpu--n.patch + x86hvm-never-retain-emulated-insn-cache-.patch + xpti-fix-bug-in-double-fault-handling.patch + x86cpuidle-dont-init-stats-lock-more-tha.patch + xen-introduce-vcpu_sleep_nosync_locked.patch + xenschedule-fix-races-in-vcpu-migration.patch + x86-fix-x86-further-cpuid-handling-adjus.patch + x86spec_ctrl-read-msr_arch_capabilities-.patch + x86spec_ctrl-express-xens-choice-of-msr_.patch + x86spec_ctrl-merge-bti_ist_info-and-use_.patch + x86spec_ctrl-fold-the-xen_ibrs_setclear-.patch + x86spec_ctrl-rename-bits-of-infrastructu.patch + x86spec_ctrl-elide-msr_spec_ctrl-handlin.patch + x86spec_ctrl-split-x86_feature_sc_msr-in.patch + x86spec_ctrl-explicitly-set-xens-default.patch + x86cpuid-improvements-to-guest-policies-.patch + x86spec_ctrl-introduce-a-new-spec-ctrl=-.patch + x86amd-mitigations-for-gpz-sp4---specula.patch + x86intel-mitigations-for-gpz-sp4---specu.patch + x86msr-virtualise-msr_spec_ctrl.ssbd-for.patch 
+armv6.diff
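Review bot: In the debian/changelog hunk, the new top stanza for 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7+rpi1 lists only the three brought-forward rpi1 items and keeps urgency=medium, while the deb9u7 entry merged beneath it is urgency=high and states "XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.)". The rpi1 items are armv6-specific, so I would add a line to the rpi1 stanza saying the XSA-263 fixes in this version are x86-only, so that users of the ARM build do not take the deb9u7 base as mitigating CVE-2018-3639. It is also worth considering whether the urgency should follow the merged security uploads. Minor: the 4.8.0-1+rpi1 attribution spells the name "Peter Micheal Green", where the two attributions above it have "Michael".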
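Review bot: In the debian/patches/series hunk, five entries are removed relative to the previous rpi1 series, but the changelog accounts for only one of them ("Drop our patch `tools: fix arm build after bdf693ee61b48'"). The other four (memory-dont-implicitly-unpin-for-decreas.patch, gnttabarm-dont-corrupt-shared-gfn-array.patch, gnttab-dont-blindly-free-status-pages-up.patch, x86hvm-disallow-the-creation-of-hvm-doma.patch) disappear without a changelog line. Please confirm they are contained in the new upstream 4.8.3+xsa262+shim4.10.0+comet3 tree and record that in the changelog, the gnttabarm one in particular since, judging by its name, it touches ARM grant-table code. Separately, armv6.diff stays last in the series after all the newly added x86 patches, so check that it still applies on top of them. The ".patch1" suffix on the second x86emul-fix-emulator-test-harness-build- entry looks like a truncated-filename collision and would be clearer with a distinct name.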