-
xen (4.4.1-9+deb8u10) jessie-security; urgency=medium
Security updates, including some very important fixes:
* XSA-217 CVE-2017-10912
* XSA-218 CVE-2017-10913 CVE-2017-10914
* XSA-219 CVE-2017-10915
* XSA-221 CVE-2017-10917
* XSA-222 CVE-2017-10918
* XSA-224 CVE-2017-10919
* XSA-226 CVE-2017-12135
* XSA-227 CVE-2017-12137
* XSA-230 CVE-2017-12855
* XSA-235 no CVE assigned yet
Bugfixes:
* evtchn: don't reuse ports that are still "busy" (for XSA-221 patch)
FYI, XSAs which remain outstanding because no patch is available.
* XSA-223: armhf/arm64 guest-induced host crash vulnerability
FYI, inapplicable XSAs, for which no patch is included:
* XSA-216: Bugs are in Linux and Qemu, not Xen
* XSA-220: Xen 4.4 is not vulnerable
* XSA-225: Xen 4.4 is not vulnerable
* XSA-228: Xen 4.4 is not vulnerable
* XSA-229: Bug is in Linux, not Xen
-- Ian Jackson <email address hidden> Tue, 05 Sep 2017 18:35:04 +0100
-
xen (4.4.1-9+deb8u9) jessie-security; urgency=medium
Security updates:
* XSA-200: Closes:#848081: CVE-2016-9932: x86 emulation operand size
* XSA-202: CVE-2016-10024: x86 PV guests may be able to mask interrupts
* XSA-204: CVE-2016-10013: x86: Mishandling of SYSCALL singlestep
* XSA-212: Closes:#859560: CVE-2017-7228: x86: broken memory_exchange()
* XSA-213: Closes:#861659: 64bit PV guest breakout
* XSA-214: Closes:#861660: grant transfer PV privilege escalation
* XSA-215: Closes:#861662: memory corruption via failsafe callback
-- Ian Jackson <email address hidden> Mon, 08 May 2017 15:04:37 +0100
-
xen (4.4.1-9+deb8u8) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2016-7777: CR0.TS and CR0.EM not always honored for x86 HVM guests
* CVE-2016-9386: x86 null segments not always treated as unusable
(Closes: #845663)
* CVE-2016-9382: x86 task switch to VM86 mode mis-handled (Closes: #845664)
* CVE-2016-9385: x86 segment base write emulation lacking canonical address
checks (Closes: #845665)
* CVE-2016-9383: x86 64-bit bit test instruction emulation broken
(Closes: #845668)
* CVE-2016-9379, CVE-2016-9380: delimiter injection vulnerabilities in
pygrub (Closes: #845670)
-- Salvatore Bonaccorso <email address hidden> Sat, 03 Dec 2016 12:12:53 +0100
-
xen (4.4.1-9+deb8u7) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2016-7092: x86: Disallow L3 recursive pagetable for 32-bit PV guests
(XSA-185)
* CVE-2016-7094: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187)
* CVE-2016-7154: use after free in FIFO event channel code (XSA-188)
-- Salvatore Bonaccorso <email address hidden> Wed, 07 Sep 2016 22:01:43 +0200
-
xen (4.4.1-9+deb8u5) jessie-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2016-3158, CVE-2016-3159: broken AMD FPU FIP/FDP/FOP leak
workaround
* CVE-2016-3960: x86 shadow pagetables: address width overflow
-- Salvatore Bonaccorso <email address hidden> Tue, 19 Apr 2016 20:42:09 +0200
-
xen (4.4.1-9+deb8u4) jessie-security; urgency=medium
* CVE-2015-8339
* CVE-2015-8340
* CVE-2015-8341
* CVE-2015-8550
* CVE-2015-8555
* CVE-2016-1570
* CVE-2016-1571
* CVE-2016-2270
* CVE-2016-2271
* XSA166
-- Moritz Mühlenhoff <email address hidden> Tue, 15 Mar 2016 22:18:35 +0100
-
xen (4.4.1-9+deb8u3) jessie-security; urgency=high
* Fix CVE-2015-3259 (XSA-137)
* Fix CVE-2015-3340 (XSA-132)
* Fix CVE-2015-6654 (XSA-141)
* Fix CVE-2015-7311 (XSA-142)
* Fix CVE-2015-7812 (XSA-145)
* Fix CVE-2015-7813 (XSA-146)
* Fix CVE-2015-7814 (XSA-147)
* Fix CVE-2015-7969 (XSA-151 and XSA-149)
* Fix CVE-2015-7970 (XSA-150)
* Fix CVE-2015-7971 (XSA-152)
* Fix CVE-2015-7972 (XSA-153)
* Fix CVE-2015-8104 and CVE-2015-5307 (XSA-156)
-- Guido Trotter <email address hidden> Wed, 25 Nov 2015 13:03:13 +0000
-
xen (4.4.1-9+deb8u1) jessie-security; urgency=medium
* Apply fix for CVE-2015-4163 (XSA 134)
- gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
... avoiding NULL derefs when the version to use wasn't set yet
* Apply fix for CVE-2015-4164 (XSA 136)
- x86/traps: loop in the correct direction in compat_iret()
-- Guido Trotter <email address hidden> Wed, 10 Jun 2015 18:16:26 +0000
-
xen (4.4.1-9) unstable; urgency=high
* Explicitly disable graphics for qemu. (closes: #780975)
CVE-2015-2152
* Update fix for insufficient permissions checks on arm.
CVE-2014-3969
* Break apart long latenty MMIO operations. (closes: #781620)
CVE-2015-2752
* Disallow certain domain control operations. (closes: #781620)
CVE-2015-2751
-- Bastian Blank <email address hidden> Mon, 06 Apr 2015 20:22:59 +0200
-
xen (4.4.1-8) unstable; urgency=high
* Fix uninitialized return from wrong-sized reads from system devices.
CVE-2015-2044
* Fix hypervisor memory leak in uninitialized structures.
CVE-2015-2045
* Fix hypervisor memory corruption in x86 emulation. (closes: #780227)
CVE-2015-2151
-- Bastian Blank <email address hidden> Wed, 11 Mar 2015 20:59:23 +0100
-
xen (4.4.1-7) unstable; urgency=medium
[ Bastian Blank ]
* Fix use after free on guest shutdown.
CVE-2015-0361
* Fix rate limits of guest triggered locking.
CVE-2015-1563
[ Ian Campbell ]
* Use xen-init-dom0 from initscript when it is available.
-- Bastian Blank <email address hidden> Sun, 01 Mar 2015 00:56:58 +0100
-
xen (4.4.1-6) unstable; urgency=medium
* Fix starvation of writers in locks.
CVE-2014-9065
-- Bastian Blank <email address hidden> Thu, 11 Dec 2014 15:56:08 +0100
-
xen (4.4.1-5) unstable; urgency=medium
* Fix excessive checks of hypercall arguments.
CVE-2014-8866
* Fix boundary checks of emulated MMIO access.
CVE-2014-8867
* Fix additional memory leaks in xl. (closes: #767295)
-- Bastian Blank <email address hidden> Sun, 30 Nov 2014 20:13:32 +0100
-
xen (4.4.1-3) unstable; urgency=medium
[ Bastian Blank ]
* Remove unused build-depencencies.
* Extend list affected systems for broken interrupt assignment.
CVE-2013-3495
* Fix race in hvm memory management.
CVE-2014-7154
* Fix missing privilege checks on instruction emulation.
CVE-2014-7155, CVE-2014-7156
* Fix uninitialized control structures in FIFO handling.
CVE-2014-6268
* Fix MSR range check in emulation.
CVE-2014-7188
[ Ian Campbell ]
* Install xen.efi into /boot for amd64 builds.
-- Bastian Blank <email address hidden> Fri, 17 Oct 2014 16:27:46 +0200
-
xen (4.4.1-2) unstable; urgency=medium
* Re-build with correct content.
* Use dh_lintian.
-- Bastian Blank <email address hidden> Wed, 24 Sep 2014 20:23:14 +0200
-
xen (4.4.0-5) unstable; urgency=medium
[ Ian Campbell ]
* Expand on the descriptions of some packages. (Closes: #466683)
* Clarify where xen-utils-common is required. (Closes: #612403)
* No longer depend on gawk. Xen can now use any awk one of which is always
present. (Closes: #589176)
* Put core dumps in /var/lib/xen/dump and ensure it exists.
(Closes: #444000)
[ Bastian Blank ]
* Handle JSON output from xl in xendomains init script.
-- Bastian Blank <email address hidden> Sat, 06 Sep 2014 22:11:20 +0200
-
xen (4.4.0-4) unstable; urgency=medium
[ Bastian Blank ]
* Also remove unused OCaml packages from control file.
* Make library packages multi-arch: same. (closes: #730417)
* Use debhelper compat level 9. (closes: #692352)
[ Ian Campbell ]
* Correct contents of /etc/xen/scripts/hotplugpath.sh (Closes: #706283)
* Drop references cpuperf-xen and cpuperf-perfcntr. (Closes: #733847)
* Install xentrace_format(1), xentrace(8) and xentop(1). (Closes: #407143)
-- Bastian Blank <email address hidden> Sat, 30 Aug 2014 13:34:04 +0200
-
xen (4.4.0-2) unstable; urgency=medium
* Remove broken and unused OCaml-support.
-- Bastian Blank <email address hidden> Mon, 18 Aug 2014 15:18:42 +0200
-
xen (4.3.0-3) unstable; urgency=low
* Revive hypervisor on i386.
-- Bastian Blank <email address hidden> Fri, 18 Oct 2013 00:15:16 +0200
-
xen (4.1.4-4) unstable; urgency=high
* Make several long runing operations preemptible.
CVE-2013-1918
* Fix source validation for VT-d interrupt remapping.
CVE-2013-1952
-- Bastian Blank <email address hidden> Thu, 02 May 2013 14:30:29 +0200