diff -Nru qemu-2.5+dfsg/debian/changelog qemu-2.5+dfsg/debian/changelog
--- qemu-2.5+dfsg/debian/changelog 2019-04-23 09:19:55.000000000 +0000
+++ qemu-2.5+dfsg/debian/changelog 2019-05-09 06:52:55.000000000 +0000
@@ -1,3 +1,27 @@
+qemu (1:2.5+dfsg-5ubuntu10.38) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Add support for exposing md-clear functionality
+ to guests
+ - d/p/ubuntu/enable-md-clear.patch
+ - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ * SECURITY UPDATE: heap overflow when loading device tree blob
+ - d/p/ubuntu/CVE-2018-20815.patch: specify how large the buffer to
+ copy the device tree blob into is.
+ - CVE-2018-20815
+ * SECURITY UPDATE: information leak in SLiRP
+ - d/p/ubuntu/CVE-2019-9824.patch: check sscanf result when
+ emulating ident.
+ - CVE-2019-9824
+
+ -- Steve Beattie Wed, 08 May 2019 23:52:21 -0700
+
+qemu (1:2.5+dfsg-5ubuntu10.38~test.1) xenial-security; urgency=medium
+
+ * Add support for exposing md-clear functionality to guests
+ - d/u/enable-md-clear.patch
+
+ -- Steve Beattie Mon, 29 Apr 2019 15:30:26 -0700
+
 qemu (1:2.5+dfsg-5ubuntu10.37) xenial; urgency=medium
 
  * d/p/lp1823458/add-VirtIONet-vhost_stopped-flag-to-prevent-multiple.patch,
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2018-20815.patch qemu-2.5+dfsg/debian/patches/CVE-2018-20815.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2018-20815.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2018-20815.patch 2019-05-09 06:53:16.000000000 +0000
@@ -0,0 +1,38 @@
+From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell
+Reviewed-by: Richard Henderson
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Michael S. Tsirkin
+Reviewed-by: Eric Blake
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+
+CVE-2018-20815
+
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f6..296278e12a 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+
+- dt_file_load_size = load_image(filename_path, fdt);
++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+ filename_path);
+--
+2.17.1
+
diff -Nru qemu-2.5+dfsg/debian/patches/CVE-2019-9824.patch qemu-2.5+dfsg/debian/patches/CVE-2019-9824.patch
--- qemu-2.5+dfsg/debian/patches/CVE-2019-9824.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/CVE-2019-9824.patch 2019-05-09 06:53:30.000000000 +0000
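Review bot: The new load_image_size() call is still followed only by the `dt_file_load_size < 0` check, so a read that fills the whole dt_size buffer — a file that grew after whatever size probe computed dt_size, which lies outside this hunk — is accepted as a complete blob instead of being rejected. As far as I can tell load_image_size() returns the byte count it copied, so a truncation guard is cheap: `if (dt_file_load_size >= dt_size) { error_report("Device tree file '%s' is larger than expected", filename_path); /* take the same failure path as the < 0 branch */ }`. The existing "Unable to open" message should stay reserved for the negative return; reusing it for a truncated read would mislead whoever reads the log. load_device_tree() begins and ends outside the hunk.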
@@ -0,0 +1,49 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault
+Reviewed-by: Philippe Mathieu-Daudé
+
+CVE-2019-9824
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 262a42d6c8..ef9d99c154 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+ }
+ }
++ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++ so_rcv->sb_datalen,
++ "%d,%d\r\n", n1, n2);
++ so_rcv->sb_rptr = so_rcv->sb_data;
++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+- so_rcv->sb_datalen,
+- "%d,%d\r\n", n1, n2);
+- so_rcv->sb_rptr = so_rcv->sb_data;
+- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+ m_free(m);
+ return 0;
+--
+2.17.1
+
diff -Nru qemu-2.5+dfsg/debian/patches/series qemu-2.5+dfsg/debian/patches/series
--- qemu-2.5+dfsg/debian/patches/series 2019-04-23 09:19:55.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/series 2019-05-09 06:53:30.000000000 +0000
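Review bot: On the new sscanf-failure path nothing is written to so_rcv and control falls through to `m_free(m); return 0;`, so the request bytes that tcp_emu appended to so_rcv before the strchr checks (outside this hunk) stay queued with sb_wptr already advanced, and no ident reply is sent for a malformed line. That closes the uninitialized n1/n2 leak, but the leftover bytes will presumably be re-scanned together with the next segment, which is only safe if the earlier copy into so_rcv is bounded against sb_datalen (the series already carries CVE-2019-6778.patch, which I take to be that check). If discarding the malformed line is the intent, make it explicit rather than implicit: `} else { so_rcv->sb_cc = 0; so_rcv->sb_rptr = so_rcv->sb_wptr = so_rcv->sb_data; }`. tcp_emu() begins and ends outside the hunk.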
@@ -280,3 +280,6 @@
 CVE-2019-6778.patch
 lp1823458/add-VirtIONet-vhost_stopped-flag-to-prevent-multiple.patch
 lp1823458/do-not-call-vhost_net_cleanup-on-running-net-from-ch.patch
+ubuntu/enable-md-clear.patch
+CVE-2018-20815.patch
+CVE-2019-9824.patch
diff -Nru qemu-2.5+dfsg/debian/patches/ubuntu/enable-md-clear.patch qemu-2.5+dfsg/debian/patches/ubuntu/enable-md-clear.patch
--- qemu-2.5+dfsg/debian/patches/ubuntu/enable-md-clear.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.5+dfsg/debian/patches/ubuntu/enable-md-clear.patch 2019-04-29 22:30:18.000000000 +0000
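Review bot: The changelog in this same debdiff lists the two new patches as `d/p/ubuntu/CVE-2018-20815.patch` and `d/p/ubuntu/CVE-2019-9824.patch`, but the files are added directly under debian/patches/ and this series hunk registers them there, next to the existing `CVE-2019-6778.patch` entry; only enable-md-clear.patch actually lives in ubuntu/ (and the ~test.1 entry abbreviates that as `d/u/`). Since quilt applies what series says, the build is unaffected, but the changelog lines should read `- d/p/CVE-2018-20815.patch: ...` and `- d/p/CVE-2019-9824.patch: ...` so an auditor can find the files where the changelog points. The order here (md-clear first, then the two CVE patches) matches the changelog, so nothing else to raise on this hunk.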
@@ -0,0 +1,46 @@
+>From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 1 Mar 2019 21:40:52 +0100
+Subject: [qemu PATCH] target/i386: define md-clear bit
+
+md-clear is a new CPUID bit which is set when microcode provides the
+mechanism to invoke a flush of various exploitable CPU buffers by invoking
+the VERW instruction. Add the new feature, and pass it down to
+Hypervisor.framework guests.
+
+Signed-off-by: Paolo Bonzini
+
+[Backported to qemu 2.5 -- sbeattie]
+---
+ The last hunk is only needed for OS X, but anyway this is going
+ to be the patch that will be committed upstream.
+
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: b/target/i386/cpu.c
+===================================================================
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -505,7 +505,7 @@ static FeatureWordInfo feature_word_info
+
+ static const char *cpuid_7_0_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, "spec-ctrl", NULL, NULL, NULL, NULL, "ssbd",
+ };
+Index: b/target/i386/cpu.h
+===================================================================
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATUR
+ #define CPUID_7_0_EBX_AVX512PF (1U << 26) /* AVX-512 Prefetch */
+ #define CPUID_7_0_EBX_AVX512ER (1U << 27) /* AVX-512 Exponential and Reciprocal */
+ #define CPUID_7_0_EBX_AVX512CD (1U << 28) /* AVX-512 Conflict Detection */
++#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
+ #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
+
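Review bot: The backport's diffstat still reads `3 files changed, 4 insertions(+), 2 deletions(-)` and the message still promises to "pass it down to Hypervisor.framework guests" and refers to a "last hunk" for OS X, yet only the cpu.c and cpu.h hunks survive (3 insertions, 1 deletion); the backport line should say what was dropped, e.g. `[Backported to qemu 2.5 -- sbeattie: hvf hunk dropped, 2.5 has no Hypervisor.framework support]`, and the diffstat trimmed to match. The `Index: b/target/i386/cpu.c` and `Index: b/target/i386/cpu.h` lines use the newer `target/i386/` layout while the `---`/`+++` lines correctly use `target-i386/`; quilt takes the path from the latter, so this presumably applies, but the stale Index lines should be corrected or removed. On the code itself, "md-clear" at index 10 of cpuid_7_0_edx_feature_name[] agrees with the `CPUID_7_0_EDX_MD_CLEAR (1U << 10)` define, and with the hvf hunk gone that macro looks unused in this backport, which is harmless. As I read it, the name-table entry only makes md-clear nameable on the command line and reportable for host passthrough; it does not add the bit to any named CPU model, so guests on those models still see no VERW-based flush unless the feature is requested explicitly — worth a sentence in the changelog.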