From f5c80615ab161fe43d34431b3e39d3f6f5ae6cf1 Mon Sep 17 00:00:00 2001 From: Hans van Kranenburg Date: Tue, 15 Dec 2020 12:33:32 +0100 Subject: [PATCH] debian/changelog: finish 4.14.0+88-g1d1d1f5391-1 We're setting urgency=high for this one, because of the security issues. Signed-off-by: Hans van Kranenburg --- debian/changelog | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 14eafa651d..b530de4f1d 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,9 +1,37 @@ -xen (4.14.0+88-g1d1d1f5391-1) UNRELEASED; urgency=medium +xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains security fixes for the following issues: - stack corruption from XSA-346 change XSA-355 CVE-2020-29040 (Closes: #976109) + * Apply security fixes for the following issues: + - oxenstored: permissions not checked on root node + XSA-353 CVE-2020-29479 + - xenstore watch notifications lacking permission checks + XSA-115 CVE-2020-29480 + - Xenstore: new domains inheriting existing node permissions + XSA-322 CVE-2020-29481 + - Xenstore: wrong path length check + XSA-323 CVE-2020-29482 + - Xenstore: guests can crash xenstored via watchs + XSA-324 CVE-2020-29484 + - Xenstore: guests can disturb domain cleanup + XSA-325 CVE-2020-29483 + - oxenstored memory leak in reset_watches + XSA-330 CVE-2020-29485 + - oxenstored: node ownership can be changed by unprivileged clients + XSA-352 CVE-2020-29486 + - undue recursion in x86 HVM context switch code + XSA-348 CVE-2020-29566 + - infinite loop when cleaning up IRQ vectors + XSA-356 CVE-2020-29567 + - FIFO event channels control block related ordering + XSA-358 CVE-2020-29570 + - FIFO event channels control structure ordering + XSA-359 CVE-2020-29571 + * Note that the following XSA are not listed, because... + - XSA-349 and XSA-350 have patches for the Linux kernel + - XSA-354 has patches for the XAPI toolstack Packaging bugfixes and improvements: * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611) @@ -47,7 +75,7 @@ xen (4.14.0+88-g1d1d1f5391-1) UNRELEASED; urgency=medium * Pick upstream commit ba6e78f0db ("fix spelling errors"). Thanks, Diederik. - -- Hans van Kranenburg Tue, 15 Dec 2020 10:15:41 +0100 + -- Hans van Kranenburg Tue, 15 Dec 2020 13:00:00 +0100 xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium -- 2.30.2
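Review bot: In the first hunk, the XSA-324 entry reads "Xenstore: guests can crash xenstored via watchs"; "watchs" should be "watches". This entry is being uploaded to unstable with urgency=high, so the typo will end up in the archived changelog if it is not fixed here. The closing item "Note that the following XSA are not listed, because..." would also read more cleanly without the trailing ellipsis, since the two sub-items already give the reasons (patches for the Linux kernel, patches for the XAPI toolstack).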
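Review bot: In the second hunk, the new trailer timestamp "Tue, 15 Dec 2020 13:00:00 +0100" is later than this commit's own Date header (12:33:32 +0100) and looks hand-rounded. Consider letting the tooling stamp the trailer when the entry is finalised (for example with dch -r), so the changelog date records when the release entry was actually closed rather than an estimated time.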