xen (4.6.0-1ubuntu4.3) xenial-security; urgency=low

  * Applying Xen Security Advisories:
    - CVE-2016-9386 / XSA-191
      * x86/hvm: Fix the handling of non-present segments
    - CVE-2016-9382 / XSA-192
      * x86/HVM: don't load LDTR with VM86 mode attrs during task switch
    - CVE-2016-9385 / XSA-193
      * x86/PV: writes of %fs and %gs base MSRs require canonical addresses
    - CVE-2016-9383 / XSA-195
      * x86emul: fix huge bit offset handling
    - CVE-2016-9377, CVE-2016-9378 / XSA-196
      * x86/emul: Correct the IDT entry calculation in inject_swint()
      * x86/svm: Fix injection of software interrupts
    - CVE-2016-9379, CVE-2016-9380 / XSA-198
      * pygrub: Properly quote results, when returning them to the caller
    - CVE-2016-9932 / XSA-200
      * x86emul: CMPXCHG8B ignores operand size prefix
    - CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818 / XSA-201
      * arm64: handle guest-generated EL1 asynchronous abort
      * arm64: handle async aborts delivered while at EL2
      * arm: crash the guest when it traps on external abort
      * arm32: handle async aborts delivered while at HYP
    - CVE-2016-10024 / XSA-202
      * x86: force EFLAGS.IF on when exiting to PV guests
    - CVE-2016-10025 / XSA-203
      * x86/HVM: add missing NULL check before using VMFUNC hook
    - CVE-2016-10013 / XSA-204
      * x86/emul: Correct the handling of eflags with SYSCALL

 -- Stefan Bader  Tue, 10 Jan 2017 15:07:06 +0100

xen (4.6.0-1ubuntu4.2) xenial-security; urgency=low

  * Applying Xen Security Advisories:
    - CVE-2016-6258 / XSA-182
      * x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
    - CVE-2016-6259 / XSA-183
      * x86/entry: Avoid SMAP violation in compat_create_bounce_frame()
    - CVE-2016-7092 / XSA-185
      * x86/32on64: don't allow recursive page tables from L3
    - CVE-2016-7094 / XSA-187
      * x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
      * x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
    - CVE-2016-7777 / XSA-190
      * x86emul: honor guest CR0.TS and CR0.EM

 -- Stefan Bader  Thu, 06 Oct 2016 15:32:01 +0200

xen (4.6.0-1ubuntu4.1) xenial-security; urgency=low

  * Applying Xen Security Advisories:
    - CVE-2016-3158, CVE-2016-3159 / XSA-172
      * x86: fix information leak on AMD CPUs
    - CVE-2016-3960 / XSA-173
      * x86: limit GFNs to 32 bits for shadowed superpages.
    - CVE-2016-4962 / XSA-175
      * libxl: Record backend/frontend paths in /libxl/$DOMID
      * libxl: Provide libxl__backendpath_parse_domid
      * libxl: Do not trust frontend in libxl__devices_destroy
      * libxl: Do not trust frontend in libxl__device_nextid
      * libxl: Do not trust frontend for disk eject event
      * libxl: Do not trust frontend for disk in getinfo
      * libxl: Do not trust frontend for vtpm list
      * libxl: Do not trust frontend for vtpm in getinfo
      * libxl: Do not trust frontend for nic in libxl_devid_to_device_nic
      * libxl: Do not trust frontend for nic in getinfo
      * libxl: Do not trust frontend for channel in list
      * libxl: Do not trust frontend for channel in getinfo
      * libxl: Cleanup: Have libxl__alloc_vdev use /libxl
      * libxl: Document ~/serial/ correctly
    - CVE-2016-4480 / XSA-176
      * x86/mm: fully honor PS bits in guest page table walks
    - CVE-2016-4963 / XSA-178
      * libxl: Make copy of every xs backend in /libxl in _generic_add
      * libxl: Do not trust backend in libxl__device_exists
      * libxl: Do not trust backend for vtpm in getinfo (except uuid)
      * libxl: Do not trust backend for vtpm in getinfo (uuid)
      * libxl: cdrom eject and insert: write to /libxl
      * libxl: Do not trust backend for disk eject vdev
      * libxl: Do not trust backend for disk; fix driver domain disks list
      * libxl: Do not trust backend for disk in getinfo
      * libxl: Do not trust backend for cdrom insert
      * libxl: Do not trust backend for channel in getinfo
      * libxl: Rename libxl__device_{nic,channel}_from_xs_be to
        _from_xenstore
      * libxl: Rename READ_BACKEND to READ_LIBXLDEV
      * libxl: Have READ_LIBXLDEV use libxl_path rather than be_path
      * libxl: Do not trust backend in nic getinfo
      * libxl: Do not trust backend for nic in devid_to_device
      * libxl: Do not trust backend for nic in list
      * libxl: Do not trust backend in channel list
      * libxl: Cleanup: use libxl__backendpath_parse_domid in
        libxl__device_disk_from_xs_be
      * libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
    - CVE-2016-5242 / XSA-181
      * xen/arm: Don't free p2m->first_level in p2m_teardown() before
        it has been allocated

 -- Stefan Bader  Wed, 01 Jun 2016 11:10:47 +0200

xen (4.6.0-1ubuntu4) xenial; urgency=low

  * d/rules.real: Set LANG=C.UTF-8 for the builds to avoid a grep bug.

 -- Stefan Bader  Fri, 19 Feb 2016 12:08:31 +0100

xen (4.6.0-1ubuntu3) xenial; urgency=low

  * Fix unmount error message on shutdown and init script ordering issues:
    - d/xen-utils-common.xenstored.init: Introduce new init script which
      only starts xenstored (but also shuts it down on stop). Prevent this
      one from being run on upgrade.
    - d/xen-utils-common.xen.init:
      * Add X-Start-Before/X-Stop-After dependencies on libvirt-bin
      * Remove xenstored related code
  * d/scripts/xen-init-list: Revert back to unmodified version from Debian.
    With the ordering fixed, libvirt guests should be handled by its own
    script before xendomains is run.
  * d/control, d/libxen-dev.install and d/rules.real: Add xenlight.pc and
    xlutil.pc to be packaged as part of libxen-dev in multi-arch suitable
    location. Also declare libxen-dev as multi-arch same.
  * Additional Security Patches:
    - CVE-2016-2270 / XSA-154
      * x86: enforce consistent cachability of MMIO mappings
    - CVE-2016-1570 / XSA-167
      * x86/mm: PV superpage handling lacks sanity checks
    - CVE-2016-1571 / XSA-168
      * x86/VMX: prevent INVVPID failure due to non-canonical guest address
    - CVE-2015-8615 / XSA-169
      * x86: make debug output consistent in hvm_set_callback_via
    - CVE-2016-2271 / XSA-170
      * x86/VMX: sanitize rIP before re-entering guest

 -- Stefan Bader  Thu, 18 Feb 2016 18:20:38 +0100

xen (4.6.0-1ubuntu2) xenial; urgency=low

  * Applying Xen Security Advisories:
    - CVE-2015-8550 / XSA-155
      * xen: Add RING_COPY_REQUEST()
      * blktap2: Use RING_COPY_REQUEST
      * libvchan: Read prod/cons only once.
    - CVE-2015-8338 / XSA-158
      * memory: split and tighten maximum order permitted in memops
    - CVE-2015-8339, CVE-2015-8340 / XSA-159
      * memory: fix XENMEM_exchange error handling
    - CVE-2015-8341 / XSA-160
      * libxl: Fix bootloader-related virtual memory leak on pv build
        failure
    - CVE-2015-8555 / XSA-165
      * x86: don't leak ST(n)/XMMn values to domains first using them
    - CVE-2015-???? / XSA-166
      * x86/HVM: avoid reading ioreq state more than once

 -- Stefan Bader  Wed, 16 Dec 2015 12:06:10 +0100

xen (4.6.0-1ubuntu1) xenial; urgency=low

  * Merge of Xen-4.6 from Debian. Remaining changes:
    - debian/control, debian/rules.gen: Generate transitional
      xen-hypervisor packages.
    - debian/rules.real: Install the grub.d config file.
    - debian/scripts/xen-init-list: Ignore libxl guests not created by
      the xl toolstack (e.g. libvirt).
    - debian/tree/xen-utils-common/usr/share/xen-utils-common/default.xen:
      Minor readability improvements (maybe get rid of those)
    - debian/xen-hypervisor-4.6.xen.cfg: Additional config file to
      simplify grub configuration.
    - debian/xen-utils-4.6.postinst, debian/xen-utils-4.6.prerm: Remove
      update-alternatives call.
    - debian/xen-utils-common.xen.init: Fix consoled_stop_real and
      additional code to start and attach a qemu instance to dom0 (needed
      for pygrub booting QCOW2 PVM guests).
      Note: Also contains a work-around for a kernel bug which should be
      dropped in the next release.
    - debian/patches/ubuntu-config-prefix-fix.patch: Modifies configure
      and tools/configure to use the correct (versioned) libexec path.
    - Additional security fixes:
      * XSA-156 / CVE-2015-5307
        x86/HVM: always intercept #AC and #DB

 -- Stefan Bader  Wed, 02 Dec 2015 18:57:48 +0100

xen (4.6.0-1) unstable; urgency=medium

  * New upstream release.
  * CVE-2015-7812
  * CVE-2015-7813
  * CVE-2015-7814
  * CVE-2015-7835
  * CVE-2015-7969
  * CVE-2015-7970
  * CVE-2015-7971
  * CVE-2015-7972

 -- Bastian Blank  Sun, 01 Nov 2015 21:49:07 +0100

xen (4.5.1-0ubuntu2) xenial; urgency=low

  * Applying Xen Security Advisories:
    - CVE-2015-7311 / XSA-142
      * libxl: handle read-only drives with qemu-xen
    - CVE-2015-7812 / XSA-145
      * xen/arm: Support hypercall_create_continuation for multicall
    - CVE-2015-7813 / XSA-146
      * xen: arm: rate-limit logging from unimplemented PHYSDEVOP and
        HVMOP.
    - CVE-2015-7814 / XSA-147
      * xen: arm: handle races between relinquish_memory and
        free_domheap_pages
    - CVE-2015-7835 / XSA-148
      * x86: guard against undue super page PTE creation
    - CVE-2015-7969 / XSA-149
      * xen: free domain's vcpu array
    - CVE-2015-7970 / XSA-150
      * x86/PoD: Eager sweep for zeroed pages
    - CVE-2015-7969 / XSA-151
      * xenoprof: free domain's vcpu array
    - CVE-2015-7971 / XSA-152
      * x86: rate-limit logging in do_xen{oprof,pmu}_op()
    - CVE-2015-7972 / XSA-153
      * libxl: adjust PoD target by memory fudge, too
    - CVE-2015-5307 / XSA-156
      * x86/HVM: always intercept #AC and #DB

 -- Stefan Bader  Tue, 03 Nov 2015 08:39:07 -0600

xen (4.5.1-0ubuntu1) wily; urgency=low

  * New upstream stable release (4.5.1)
    - Replacing the following security changes by upstream versions:
      * CVE-2014-3969 / XSA-98 (update), CVE-2015-0268 / XSA-117,
        CVE-2015-1563 / XSA-118, CVE-2015-2152 / XSA-119,
        CVE-2015-2044 / XSA-121, CVE-2015-2045 / XSA-122,
        CVE-2015-2151 / XSA-123, CVE-2015-2752 / XSA-125,
        CVE-2015-2751 / XSA-127
    - Included security changes which were not yet applied:
      * CVE-2015-4163 / XSA-134, CVE-2015-4164 / XSA-136
  * Applying additional Xen Security Advisories:
    - CVE-2015-3259 / XSA-137
      * xl: Sane handling of extra config file arguments
    - CVE-2015-6654 / XSA-141
      * xen/arm: mm: Do not dump the p2m when mapping a foreign gfn

 -- Stefan Bader  Wed, 02 Sep 2015 16:37:39 +0200

# For older changelog entries, run 'apt-get changelog libxenstore3.0'