[Pkg-xen-devel] unblock: xen/4.11.1+92-g6c33308a8d-1

Hans van Kranenburg hans at knorrie.org
Thu Jun 20 20:14:52 BST 2019


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package src:xen

Hi release team,

Yesterday we uploaded a security update for Xen. This update also
contains the mitigations for Microarchitectural Data Sampling.

The upstream source is forwarded from commit 87f51bf366 to commit
6c33308a8d:
https://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;hp=87f51bf366;h=6c33308a8d

There are no further packaging changes (except for the changelog, of
course):

---- >8 ----

xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high

  * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
    contains the following security fixes:
    - Fix: grant table transfer issues on large hosts
      XSA-284 (no CVE yet) (Closes: #929991)
    - Fix: race with pass-through device hotplug
      XSA-285 (no CVE yet) (Closes: #929998)
    - Fix: x86: steal_page violates page_struct access discipline
      XSA-287 (no CVE yet) (Closes: #930001)
    - Fix: x86: Inconsistent PV IOMMU discipline
      XSA-288 (no CVE yet) (Closes: #929994)
    - Fix: missing preemption in x86 PV page table unvalidation
      XSA-290 (no CVE yet) (Closes: #929996)
    - Fix: x86/PV: page type reference counting issue with failed IOMMU update
      XSA-291 (no CVE yet) (Closes: #929995)
    - Fix: x86: insufficient TLB flushing when using PCID
      XSA-292 (no CVE yet) (Closes: #929993)
    - Fix: x86: PV kernel context switch corruption
      XSA-293 (no CVE yet) (Closes: #929999)
    - Fix: x86 shadow: Insufficient TLB flushing when using PCID
      XSA-294 (no CVE yet) (Closes: #929992)
    - Fix: Microarchitectural Data Sampling speculative side channel
      XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
      (Closes: #929129)
  * Note that the fixes for XSA-297 will only have effect when also loading
    updated cpu microcode with MD_CLEAR functionality. When using the
    intel-microcode package to include microcode in the dom0 initrd, it has to
    be loaded by Xen. Please refer to the hypervisor command line
    documentation about the 'ucode=scan' option.
  * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
    next upload.

 -- Hans van Kranenburg <hans at knorrie.org>  Tue, 18 Jun 2019 09:50:19 +0200

---- >8 ----

We prefer to keep releasing from the upstream stable release branches,
because:

(i) upstream only put bugfixes and security fixes on their stable
    branches
(ii) trying to assemble our own subset of the patches is riskier than
    taking upstream's collection
(iii) the upstream stable release branch has undergone extensive
    testing, which we cannot repeat in Debian.

The binary packages built from src:xen are:

libxencall1
libxencall1-dbgsym
libxen-dev
libxendevicemodel1
libxendevicemodel1-dbgsym
libxenevtchn1
libxenevtchn1-dbgsym
libxenforeignmemory1
libxenforeignmemory1-dbgsym
libxengnttab1
libxengnttab1-dbgsym
libxenmisc4.11
libxenmisc4.11-dbgsym
libxenstore3.0
libxenstore3.0-dbgsym
libxentoolcore1
libxentoolcore1-dbgsym
libxentoollog1
libxentoollog1-dbgsym
xen-doc
xen-hypervisor-4.11-amd64
xen-hypervisor-common
xenstore-utils
xenstore-utils-dbgsym
xen-system-amd64
xen-utils-4.11
xen-utils-4.11-dbgsym
xen-utils-common
xen-utils-common-dbgsym

The source debdiff is attached for the sake of completeness.

Please unblock.

Thanks a lot,
Hans van Kranenburg
Debian Xen Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff_xen_4.11.1+26-g87f51bf366-3_xen_4.11.1+92-g6c33308a8d-1.txt.gz
Type: application/gzip
Size: 43054 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-xen-devel/attachments/20190620/5c80fbf0/attachment-0001.gz>
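
The changelog note on XSA-297 says the fix only takes effect once microcode with MD_CLEAR is loaded by Xen, and points at the 'ucode=scan' option. The script below is an added example, not part of the original message or of the Debian or Xen packaging: it checks a hypervisor boot log (as printed by `xl dmesg` on a dom0) for both conditions. The "(XEN) Command line:" and "(XEN)   Hardware features:" line formats and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a Xen boot log on stdin; on a dom0: xl dmesg | check_mds_ready
# Assumed log format: "(XEN) Command line: ..." and
# "(XEN)   Hardware features: ..." lines, without console timestamps.
# Return codes: 0 MD_CLEAR reported; 1 ucode=scan set but no MD_CLEAR;
#               2 neither; 3 log has no "Hardware features" line.
check_mds_ready() {
    log=$(cat)
    if ! printf '%s\n' "$log" | grep -q '^(XEN) *Hardware features:'; then
        echo "unknown: no 'Hardware features' line (boot messages missing?)"
        return 3
    fi
    features=$(printf '%s\n' "$log" | sed -n 's/^(XEN) *Hardware features://p' | head -n 1)
    cmdline=$(printf '%s\n' "$log" | sed -n 's/^(XEN) Command line: //p' | head -n 1)
    # MD_CLEAR can also come from firmware-provided microcode, so it wins outright.
    case " $features " in
        *" MD_CLEAR "*) echo "ok: MD_CLEAR reported by Xen"; return 0 ;;
    esac
    case " $cmdline " in
        *" ucode=scan "*)
            echo "fail: ucode=scan set, but Xen does not report MD_CLEAR"
            return 1 ;;
    esac
    echo "fail: no MD_CLEAR and ucode=scan not on the Xen command line"
    return 2
}

# Constructed sample logs (not captured from a real host).
SAMPLE_OK='(XEN) Command line: placeholder ucode=scan
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR'
SAMPLE_OLD_UCODE='(XEN) Command line: placeholder ucode=scan
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD'
SAMPLE_NO_SCAN='(XEN) Command line: placeholder dom0_mem=4G
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD'

for sample in "$SAMPLE_OK" "$SAMPLE_OLD_UCODE" "$SAMPLE_NO_SCAN"; do
    printf '%s\n' "$sample" | check_mds_ready || true
done
```

A result of 1 means the option is set but no suitable microcode was applied, for example because the initrd does not contain an updated intel-microcode blob.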

