[Pkg-xen-devel] stretch security update (again)

Ian Jackson ijackson at chiark.greenend.org.uk
Tue May 22 16:55:52 BST 2018


I have an update in preparation for XSA-263.  It's currently being
tested by Wolodja (thanks).  See below for a copy of the changelog entry
I have on my working branch.

Subject to successful tests, I expect to upload this RSN.  (It is not
embargoed, as you can tell from the CC list.)

Thanks,
Ian.

xen (4.8.3+xsa263+shim4.10.0+comet3-1+deb9u7~) unstable; urgency=medium

  * Include upstream XSA-263 (speculative store bypass) fixes for x86.
    I hear that ARM fixes will be forthcoming RSN.  Ie,
       XSA-263 CVE-2018-3639 (amd64/i386; armhf/arm64 still vuln.)

  * Include a number of upstream bugfixes, including fixes to previous
    security fixes, some of which are security-relevant:
      x86: correct ordering of operations during S3 resume
      x86: suppress BTI mitigations around S3 suspend/resume
      x86/spec_ctrl: Updates to retpoline-safety decision making
      x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids)
      x86/HVM: never retain emulated insn cache when exiting back to guest
      xpti: fix bug in double fault handling
      x86/cpuidle: don't init stats lock more than once
      xen: Introduce vcpu_sleep_nosync_locked()
      xen/schedule: Fix races in vcpu migration
      x86: Fix "x86: further CPUID handling adjustments"

    The result is very similar to upstream staging-4.8.  However, as
    upstream staging-4.8 has not yet passed upstream CI, I have chosen to
    cherry pick fixes so that I can drop a couple that don't look
    immediately important.  We will expect to resynchronise with
    upstream's 4.8 stable branch soon.

  * Drop our patch `tools: fix arm build after bdf693ee61b48' (which was
    needed to build the upstream 4.8 comet branch on ARM but is not needed
    for the upstream staging/stable branch).  Closes:#898898.

  * Update changelog for 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 to
    mention branch switch from upstream 4.8 comet to upstream main 4.8,
    and add some missing CVEs.


-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.


