xen (4.14.6-1) bullseye; urgency=medium

  * Update to new upstream version 4.14.6, which also contains
    security fixes for the following issues:
    - x86/AMD: Zenbleed
      XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow
      XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling
      XSA-435 CVE-2022-40982
  * Note that the following XSA are not listed, because...
    - XSA-430 and XSA-431 only apply to Xen 4.17
    - XSA-432 has patches for the Linux kernel.
  * Also, note that upstream security support for Xen 4.14 has ended with
    this release. This also means that Xen security support for Debian
    Bullseye has ended.

 -- Hans van Kranenburg  Thu, 21 Sep 2023 16:55:59 +0200

xen (4.14.5+94-ge49571868d-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+94-ge49571868d, which also contains
    security fixes for the following issues: (Closes: #1033297)
    - x86: Multiple speculative security issues
      XSA-422 CVE-2022-23824
    - x86 shadow plus log-dirty mode use-after-free
      XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling
      XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path
      XSA-429 CVE-2022-42331
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
    - XSA-425 only applies to Xen 4.17 and newer
    - XSA-426 only applies to Xen 4.16 and newer

 -- Maximilian Engelhardt  Thu, 23 Mar 2023 20:40:49 +0100

xen (4.14.5+86-g1c354767d5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+86-g1c354767d5, which also contains
    security fixes for the following issues: (Closes: #1021668)
    - Xenstore: guests can let run xenstored out of memory
      XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
      CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
    - Arm: unbounded memory consumption for 2nd-level page tables
      XSA-409 CVE-2022-33747
    - P2M pool freeing may take excessively long
      XSA-410 CVE-2022-33746
    - lock order inversion in transitive grant copy handling
      XSA-411 CVE-2022-33748
    - Xenstore: Guests can crash xenstored
      XSA-414 CVE-2022-42309
    - Xenstore: Guests can create orphaned Xenstore nodes
      XSA-415 CVE-2022-42310
    - Xenstore: Guests can cause Xenstore to not free temporary memory
      XSA-416 CVE-2022-42319
    - Xenstore: Guests can get access to Xenstore nodes of deleted domains
      XSA-417 CVE-2022-42320
    - Xenstore: Guests can crash xenstored via exhausting the stack
      XSA-418 CVE-2022-42321
    - Xenstore: Cooperating guests can create arbitrary numbers of nodes
      XSA-419 CVE-2022-42322 CVE-2022-42323
    - Oxenstored 32->31 bit integer truncation issues
      XSA-420 CVE-2022-42324
    - Xenstore: Guests can create arbitrary number of nodes via transactions
      XSA-421 CVE-2022-42325 CVE-2022-42326
  * The upstream Xen changes now also contain the first mentioned patch of
    XSA-403 ("Linux disk/nic frontends data leaks") for stable branch lines.
    For more information, please refer to the XSA-403 advisory text.
  * Note that the following XSA are not listed, because...
    - XSA-412 only applies to Xen 4.16 and newer
    - XSA-413 applies to XAPI which is not included in Debian
  * Correct a typo in the previous changelog entry.

 -- Hans van Kranenburg  Fri, 04 Nov 2022 20:25:46 +0100

xen (4.14.5+24-g87d90d511c-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.5+24-g87d90d511c, which also contains
    security fixes for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
  * Note that the following XSA are not listed, because...
    - XSA-403 patches are not applied to stable branch lines.
    - XSA-405 and XSA-406 have patches for the Linux kernel.

 -- Hans van Kranenburg  Wed, 13 Jul 2022 16:28:39 +0200

xen (4.14.4+74-gd7b22226b5-1) bullseye-security; urgency=medium

  * Update to new upstream version 4.14.4+74-gd7b22226b5, which also contains
    security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings
      XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant
      XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs
      XSA-395 CVE-2022-23035
    - Racy interactions between dirty vram tracking and paging log dirty
      hypercalls
      XSA-397 CVE-2022-26356
    - Multiple speculative security issues
      XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup
      XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
      XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-391, XSA-392 and XSA-396 have patches for the Linux kernel.

 -- Hans van Kranenburg  Fri, 08 Apr 2022 11:40:51 +0200

xen (4.14.3+32-g9de3671772-1~deb11u1) bullseye-security; urgency=medium

  * d/salsa-ci.yml: Set RELEASE variable to bullseye
  * Rebuild for bullseye-security

 -- Hans van Kranenburg  Thu, 02 Dec 2021 21:45:55 +0100

xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium

  * Update to new upstream version 4.14.3+32-g9de3671772, which also contains
    security fixes for the following issues:
    - guests may exceed their designated memory limit
      XSA-385 CVE-2021-28706
    - PCI devices with RMRRs not deassigned correctly
      XSA-386 CVE-2021-28702
    - PoD operations on misaligned GFNs
      XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
    - issues with partially successful P2M updates on x86
      XSA-389 CVE-2021-28705 CVE-2021-28709
  * Note that the following XSA are not listed, because...
    - XSA-387 only applies to Xen 4.13 and older
    - XSA-390 only applies to Xen 4.15
  * Pick the following upstream commits to fix a regression which prevents
    amd64 type hardware to fully power off. The issue was introduced in
    version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to
    improve Raspberry Pi 4 support.
    (Closes: #994899):
    - 8b6d55c126 ("x86/ACPI: fix mapping of FACS")
    - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb")
    - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping")
    - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector
      cannot be determined")

 -- Hans van Kranenburg  Sat, 27 Nov 2021 15:09:47 +0100

xen (4.14.3-1) unstable; urgency=high

  * Update to new upstream version 4.14.3, which also contains security fixes
    for the following issues:
    - IOMMU page mapping issues on x86
      XSA-378 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696
    - grant table v2 status pages may remain accessible after de-allocation
      XSA-379 CVE-2021-28697
    - long running loops in grant table handling
      XSA-380 CVE-2021-28698
    - inadequate grant-v2 status frames array bounds check
      XSA-382 CVE-2021-28699
    - xen/arm: No memory limit for dom0less domUs
      XSA-383 CVE-2021-28700
    - Another race in XENMAPSPACE_grant_table handling
      XSA-384 CVE-2021-28701

 -- Hans van Kranenburg  Mon, 13 Sep 2021 11:51:20 +0200

xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium

  * Add README.Debian.security containing a note about the end of upstream
    security support for Xen 4.14. Install it into xen-hypervisor-common.

 -- Hans van Kranenburg  Fri, 30 Jul 2021 16:57:52 +0200

xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium

  * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains
    security fixes for the following issues:
    - HVM soft-reset crashes toolstack
      XSA-368 CVE-2021-28687
    - xen/arm: Boot modules are not scrubbed
      XSA-372 CVE-2021-28693
    - inappropriate x86 IOMMU timeout detection / handling
      XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass
      XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3
      XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the
      Linux kernel.
    - XSA-366 only applies to Xen 4.11.

 -- Hans van Kranenburg  Sun, 11 Jul 2021 14:29:13 +0200

xen (4.14.1+11-gb0b734a8b3-1) unstable; urgency=medium

  * Update to new upstream version 4.14.1+11-gb0b734a8b3, which also contains
    security fixes for the following issues:
    - IRQ vector leak on x86
      XSA-360 CVE-2021-3308 (Closes: #981052)
    - arm: The cache may not be cleaned for newly allocated scrubbed pages
      XSA-364 CVE-2021-26933
  * Drop separate patches for XSAs up to 359 that are now included in the
    upstream stable branch.

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * debian/rules: Set CC/LD to enable cross-building
  * d/shuffle-binaries: Fix binary shuffling script for cross-building
  * Rework "debian/rules: Do not try to move EFI binaries on armhf"
  * debian/scripts: Optimize runtime scripts
  * debian/xen-utils-common.examples: Remove xm examples
  * d/shuffle-boot-files: make it POSIX compliant
    [Hans van Kranenburg, based on a patch by Elliott Mitchell]
  * d/shuffle-binaries: Switch loop from for to while
  * d/shuffle-binaries: Switch to POSIX shell, instead of Bash
  * d/shuffle-boot-files: Switch to POSIX shell, instead of Bash
  * debian/xendomains.init: Pipe xen-init-list instead of tmp file

  Make the package build reproducibly [Maximilian Engelhardt]:
  * debian/salsa-ci.yml: enable salsa-ci
  * debian/salsa-ci.yml: enable diffoscope in reprotest
  * debian/rules: use SOURCE_DATE_EPOCH for xen build dates
  * debian/rules: don't include build path in binaries
  * debian/rules: reproducibly build oxenstored
  * Pick the following upstream commits:
    - 5816d327e4 ("xen: don't have timestamp inserted in config.gz")
    - ee41b5c450 ("x86/EFI: don't insert timestamp when SOURCE_DATE_EPOCH is
      defined")
    - e18dadc5b7 ("docs: use predictable ordering in generated documentation")
  * Include upstream patch that is not committed yet, but needed:
    - docs: set date to SOURCE_DATE_EPOCH if available
  * debian/salsa-ci.yml: don't allow reprotest to fail

  Packaging bugfixes and improvements:
  * d/shuffle-boot-files: Document more inner workings

 -- Hans van Kranenburg  Sun, 28 Feb 2021 19:49:45 +0100

xen (4.14.0+88-g1d1d1f5391-2) unstable; urgency=high

  * For now, revert "debian/rules: Set CC/LD to enable cross-building", since
    it causes an FTBFS on i386.

 -- Hans van Kranenburg  Tue, 15 Dec 2020 14:57:41 +0100

xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high

  * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains
    security fixes for the following issues:
    - stack corruption from XSA-346 change
      XSA-355 CVE-2020-29040 (Closes: #976109)
  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node
      XSA-353 CVE-2020-29479
    - xenstore watch notifications lacking permission checks
      XSA-115 CVE-2020-29480
    - Xenstore: new domains inheriting existing node permissions
      XSA-322 CVE-2020-29481
    - Xenstore: wrong path length check
      XSA-323 CVE-2020-29482
    - Xenstore: guests can crash xenstored via watchs
      XSA-324 CVE-2020-29484
    - Xenstore: guests can disturb domain cleanup
      XSA-325 CVE-2020-29483
    - oxenstored memory leak in reset_watches
      XSA-330 CVE-2020-29485
    - oxenstored: node ownership can be changed by unprivileged clients
      XSA-352 CVE-2020-29486
    - undue recursion in x86 HVM context switch code
      XSA-348 CVE-2020-29566
    - infinite loop when cleaning up IRQ vectors
      XSA-356 CVE-2020-29567
    - FIFO event channels control block related ordering
      XSA-358 CVE-2020-29570
    - FIFO event channels control structure ordering
      XSA-359 CVE-2020-29571
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack

  Packaging bugfixes and improvements:
  * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611)
  * Add missing CVE numbers to the previous changelog entries

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * d/shuffle-binaries: Make error detection/message overt
  * d/shuffle-binaries: Add quoting for potentially changeable variables
  * d/shuffle-boot-files: Add lots of double-quotes when handling variables
  * debian/rules: Set CC/LD to enable cross-building
  * debian/xen.init: Load xen_acpi_processor on boot
  * d/shuffle-binaries: Remove useless extra argument being passed in

  Packaging bugfixes and improvements [Maximilian Engelhardt]:
  * d/xen-hypervisor-V-F.postinst.vsn-in: use reboot-required
    (Closes: #862408)
  * d/xen-hypervisor-V-F.postrm: actually install script
  * d/xen-hypervisor-V.*: clean up unused files
  * d/xen-hypervisor-V.bug-control.vsn-in: actually install script
  * debian/rules: enable verbose build

  Fixes to patches for upstream code:
  * t/h/L/vif-common.sh: force handle_iptable return value to be 0
    (Closes: #955994)
  * Pick the following upstream commits to improve Raspberry Pi 4 support,
    requested by Elliott Mitchell:
    - 25849c8b16 ("xen/rpi4: implement watchdog-based reset")
    - 17d192e023 ("tools/python: Pass linker to Python build process")
    - 861f0c1109 ("xen/arm: acpi: Don't fail if SPCR table is absent")
    - 1c4aa69ca1 ("xen/acpi: Rework acpi_os_map_memory() and
      acpi_os_unmap_memory()")
    - 4d625ff3c3 ("xen/arm: acpi: The fixmap area should always be cleared
      during failure/unmap")
    - dac867bf9a ("xen/arm: Check if the platform is not using ACPI before
      initializing Dom0less")
    - 9c2bc0f24b ("xen/arm: Introduce fw_unreserved_regions() and use it")
    - 7056f2f89f ("xen/arm: acpi: add BAD_MADT_GICC_ENTRY() macro")
    - 957708c2d1 ("xen/arm: traps: Don't panic when receiving an unknown debug
      trap")
  * Pick upstream commit ba6e78f0db ("fix spelling errors").
    Thanks, Diederik.

 -- Hans van Kranenburg  Tue, 15 Dec 2020 13:00:00 +0100

xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium

  * Re-upload to unstable for rebuild.

 -- Ian Jackson  Tue, 24 Nov 2020 10:28:22 +0000

xen (4.14.0+80-gd101b417b7-1~exp2) experimental; urgency=medium

  * Re-upload since apparently DMs aren't allowed NEW?

 -- Ian Jackson  Mon, 23 Nov 2020 13:24:17 +0000

xen (4.14.0+80-gd101b417b7-1~exp1) experimental; urgency=medium

  * Update to new upstream version 4.14.0+80-gd101b417b7, which also contains
    security fixes for the following issues:
    - Information leak via power sidechannel
      XSA-351 CVE-2020-28368
    - x86 PV guest INVLPG-like flushes may leave stale TLB entries
      XSA-286 CVE-2020-27674
    - unsafe AMD IOMMU page table updates
      XSA-347 CVE-2020-27670
    - undue deferral of IOMMU TLB flushes
      XSA-346 CVE-2020-27671
    - x86: Race condition in Xen mapping code
      XSA-345 CVE-2020-27672
    - lack of preemption in evtchn_reset() / evtchn_destroy()
      XSA-344 CVE-2020-25601
    - races with evtchn_reset()
      XSA-343 CVE-2020-25599
    - out of bounds event channels available to 32-bit x86 domains
      XSA-342 CVE-2020-25600
    - Missing memory barriers when accessing/allocating an event channel
      XSA-340 CVE-2020-25603
    - x86 pv guest kernel DoS via SYSENTER
      XSA-339 CVE-2020-25596
    - once valid event channels may not turn invalid
      XSA-338 CVE-2020-25597
    - PCI passthrough code reading back hardware registers
      XSA-337 CVE-2020-25595
    - race when migrating timers between x86 HVM vCPU-s
      XSA-336 CVE-2020-25604
    - Missing unlock in XENMEM_acquire_resource error path
      XSA-334 CVE-2020-25598
    - x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
      XSA-333 CVE-2020-25602
  * Updating to the most recent upstream stable-4.14 branch also fixes
    additional compiling issues with gcc 10 that we were running into.
    These were: upstream commit 5d45ecabe3c0 ("xen/arm64: force gcc 10+ to
    always inline generic atomics helpers") to fix a FTBFS at mem_access.c
    and upstream commit 0dfddb2116e3 ("tools/xenpmd: Fix gcc10 snprintf
    warning") to fix a FTBFS on armhf. (Closes: #970802)
  * Drop upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2
    maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix
    -Werror=stringop-truncation in libxl__prepare_sockaddr_un") from our
    patch pile because these gcc 10 related fixes are in the upstream stable
    branch now.
  * Partially revert "debian/rules: Combine shared Make args" since it caused
    a FTBFS on i386.
  * Revert upstream commit a516bddbd3 ("tools/firmware/Makefile:
    CONFIG_PV_SHIM: enable only on x86_64") and cherry-pick our previous
    commits 0b898ccc2 ("tools/firmware/Makfile: Respect caller's
    CONFIG_PV_SHIM") and a516bddbd3 ("tools/firmware/Makefile:
    CONFIG_PV_SHIM: enable only on x86_64") again to work around a FTBFS
    where the shim would not be built during the i386 package build.
  * Now all FTBFS issues should be resolved, so we can do (Closes: #968965)

  Packaging minor fixes and improvements:
  * d/xen-utils-common.xen.init: Actually *really* include the change to
    disable oom killer for xenstored. It inadvertently got lost in
    4.14.0-1~exp1. (Closes: #961511)

  Lintian related fixes:
  * debian/changelog: fix a typo in the previous changelog entry

 -- Hans van Kranenburg  Sun, 22 Nov 2020 02:16:00 +0100

xen (4.14.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.14.0.
    (Closes: #866380) about removal of broken xen-bugtool
  * debian/{rules,control}: switch to python 3
    (Closes: #938843) about python 2 removal in bullseye
  * debian/control: Fix python dependency to use python3-dev:any and
    libpython3-dev [Elliott Mitchell]

  Changes related to upgrading to Xen 4.14:
  * debian/control: adjust to 4.14
  * debian/rules: remove install commands for pkgconfig files, since those
    files are not present any more
  * debian/: Follow fsimage -> xenfsimage renaming
  * debian/xen-utils-V.*: Use @version@ instead of hardcoded version
  * debian/control: add flex, bison
  * debian/control: add libxenhypfs[1] [Ian Jackson]
  * debian/libxenstore3.0.symbols: drop xprintf (Closes: #968965)
    [Ian Jackson; also reported by Gianfranco Costamagna]
  * d/scripts/xen-init-name, d/scripts/xen-init-list: rewrite these two
    scripts, hugely simplify them and make them use python 3
  * Pick upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2
    maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix
    -Werror=stringop-truncation in libxl__prepare_sockaddr_un") to fix
    gcc 10 FTBFS
  * tools: don't build/ship xenmon, it can't work with python 3

  Packaging minor fixes and improvements:
  * debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell (Closes: #939560)
    [Ian Jackson; report from Guillem Jover]
  * debian/rules: Improve comment about hardening options (Closes: #939560)
    [Ian Jackson; report from Guillem Jover]
  * debian/rules: Drop redundant sequence numbers in dh_installinit
    (Closes: #939560) [Ian Jackson; report from Guillem Jover]
  * d/xen-utils-common.xen.init: add important notes to keep in mind when
    changing this script, related to multi-version handling
  * debian/control: cleanup Uploaders and add myself
  * debian/control: s/libncurses5-dev/libncurses-dev/
  * xen-utils-V scripts: remove update-alternatives command
  * xen-utils-V.postinst.vsn-in: whitespace cosmetics
  * d/xen-utils-common.xen.init: disable oom killer for xenstored
    (Closes: #961511)
  * debian/rules: Combine shared Make args [Elliott Mitchell]

  Fixes and improvements for cross-compiling [Elliott Mitchell]:
  * debian/rules: Add --host to tools configure target
  * Pick upstream commit 69953e285638 ('tools: Partially revert
    "Cross-compilation fixes."')

  Lintian related fixes:
  * debian/changelog: trim trailing whitespace. [Debian Janitor]
  * debian/pycompat: remove obsolete file. [Debian Janitor]
  * debian/rules: Avoid using $(PWD) variable. [Debian Janitor]
  * debian/control: hardcode xen-utils-4.14 python3 dependency because
    dh_python can't figure out how to add it
  * debian/control: xen-doc: add ${misc:Depends}
  * d/xen-hypervisor-V-F.lintian-overrides.vsn-in: fix override to use the
    newer debug-suffix-not-dbg tag and correct the file path used so it
    matches again
  * debian/control: remove XS-Python-Version which is deprecated
  * debian/control: drop autotools-dev build dependency because debhelper
    already takes care of this
  * d/xen-utils-V.lintian-overrides.vsn-in: fix rpath override because the
    xenfsimage python .so filename changed from xenfsimage.so into
    xenfsimage.cpython-38-x86_64-linux-gnu.so now, make it match again
  * d/xen-utils-V.lintian-overrides.vsn-in: s/fsimage/xenfsimage/ which is a
    left over change from the rename in some comment lines
  * d/xen-utils-common.xen.init: use /run instead of /var/run because we
    don't expect anyone on a pre-stretch system to build and use these
    packages
  * debian/control: update Standards-Version to 4.5.0

 -- Hans van Kranenburg  Thu, 17 Sep 2020 18:59:28 +0200

xen (4.11.4+24-gddaaccbbab-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4+24-gddaaccbbab, which also contains
    security fixes for the following issues:
    - inverted code paths in x86 dirty VRAM tracking
      XSA-319 CVE-2020-15563
    - Special Register Buffer speculative side channel
      XSA-320 CVE-2020-0543
      N.B: To mitigate this issue, new cpu microcode is required. The changes
      in Xen provide a workaround for affected hardware that is not receiving
      a vendor microcode update.
      Please refer to the upstream XSA-320 Advisory text for more details.
    - insufficient cache write-back under VT-d
      XSA-321 CVE-2020-15565
    - Missing alignment check in VCPUOP_register_vcpu_info
      XSA-327 CVE-2020-15564
    - non-atomic modification of live EPT PTE
      XSA-328 CVE-2020-15567

 -- Hans van Kranenburg  Tue, 07 Jul 2020 16:07:39 +0200

xen (4.11.4-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4, which also contains security fixes
    for the following issues:
    - arm: a CPU may speculate past the ERET instruction
      XSA-312 (no CVE yet)
    - multiple xenoprof issues
      XSA-313 CVE-2020-11740 CVE-2020-11741
    - Missing memory barriers in read-write unlock paths
      XSA-314 CVE-2020-11739
    - Bad error path in GNTTABOP_map_grant
      XSA-316 CVE-2020-11743
    - Bad continuation handling in GNTTABOP_copy
      XSA-318 CVE-2020-11742
  * xen-utils and xen-utils-common maint scripts: Replace the previous fix in
    the xen init script with a better fix in the xen-utils package instead,
    to prevent calling the init script stop action (resulting in a
    disappeared xenconsoled) when removing a xen-utils package that belongs
    to a previous (not currently running) Xen version. Also prevent the
    xen-utils-common package from inadvertently calling stop and start
    actions because dh_installinit would add code for that.
    (Closes: #932759)
  * debian/NEWS: Mention fixing #932759 and how to deal with the bug

 -- Hans van Kranenburg  Tue, 26 May 2020 13:33:17 +0200

xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=high

  * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also contains
    the following security fixes: (Closes: #947944)
    - Unlimited Arm Atomics Operations
      XSA-295 CVE-2019-17349 CVE-2019-17350
    - VCPUOP_initialise DoS
      XSA-296 CVE-2019-18420
    - missing descriptor table limit checking in x86 PV emulation
      XSA-298 CVE-2019-18425
    - Issues with restartable PV type change operations
      XSA-299 CVE-2019-18421
    - add-to-physmap can be abused to DoS Arm hosts
      XSA-301 CVE-2019-18423
    - passed through PCI devices may corrupt host memory after deassignment
      XSA-302 CVE-2019-18424
    - ARM: Interrupts are unconditionally unmasked in exception handlers
      XSA-303 CVE-2019-18422
    - x86: Machine Check Error on Page Size Change DoS
      XSA-304 CVE-2018-12207
    - TSX Asynchronous Abort speculative side channel
      XSA-305 CVE-2019-11135
    - Device quarantine for alternate pci assignment methods
      XSA-306 CVE-2019-19579
    - find_next_bit() issues
      XSA-307 CVE-2019-19581 CVE-2019-19582
    - VMX: VMentry failure with debug exceptions and blocked states
      XSA-308 CVE-2019-19583
    - Linear pagetable use / entry miscounts
      XSA-309 CVE-2019-19578
    - Further issues with restartable PV type change operations
      XSA-310 CVE-2019-19580
    - Bugs in dynamic height handling for AMD IOMMU pagetables
      XSA-311 CVE-2019-19577
  * Add missing CVE numbers to previous changelog entries

 -- Hans van Kranenburg  Wed, 08 Jan 2020 12:41:42 +0100

xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high

  * Mention MDS and the need for updated microcode and disabling
    hyper-threading in NEWS.
  * Mention the ucode=scan option in the grub.d/xen documentation.

 -- Hans van Kranenburg  Sat, 22 Jun 2019 11:15:08 +0200

xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high

  * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
    contains the following security fixes:
    - Fix: grant table transfer issues on large hosts
      XSA-284 CVE-2019-17340 (Closes: #929991)
    - Fix: race with pass-through device hotplug
      XSA-285 CVE-2019-17341 (Closes: #929998)
    - Fix: x86: steal_page violates page_struct access discipline
      XSA-287 CVE-2019-17342 (Closes: #930001)
    - Fix: x86: Inconsistent PV IOMMU discipline
      XSA-288 CVE-2019-17343 (Closes: #929994)
    - Fix: missing preemption in x86 PV page table unvalidation
      XSA-290 CVE-2019-17344 (Closes: #929996)
    - Fix: x86/PV: page type reference counting issue with failed IOMMU update
      XSA-291 CVE-2019-17345 (Closes: #929995)
    - Fix: x86: insufficient TLB flushing when using PCID
      XSA-292 CVE-2019-17346 (Closes: #929993)
    - Fix: x86: PV kernel context switch corruption
      XSA-293 CVE-2019-17347 (Closes: #929999)
    - Fix: x86 shadow: Insufficient TLB flushing when using PCID
      XSA-294 CVE-2019-17348 (Closes: #929992)
    - Fix: Microarchitectural Data Sampling speculative side channel
      XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
      (Closes: #929129)
  * Note that the fixes for XSA-297 will only have effect when also loading
    updated cpu microcode with MD_CLEAR functionality. When using the
    intel-microcode package to include microcode in the dom0 initrd, it has
    to be loaded by Xen. Please refer to the hypervisor command line
    documentation about the 'ucode=scan' option.
  * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
    next upload.

 -- Hans van Kranenburg  Tue, 18 Jun 2019 09:50:19 +0200

xen (4.11.1+26-g87f51bf366-3) unstable; urgency=medium

  Minor usability improvements and fixes:
  * bash-completion: also complete 'xen' [Hans van Kranenburg]
  * /etc/default/xen: Handle with ucf again, like in stretch.
    Closes:#923401.
    [Ian Jackson]

  Build fix:
  * Fix FTBFS when building only arch-indep binaries (eg
    dpkg-buildpackage -A). Was due to dh-exec bug wrt not-installed.
    Closes:#923013. [Hans van Kranenburg; report from Santiago Vila]

  Documentation fix:
  * grub.d/xen.cfg: dom0_mem max IS needed [Hans van Kranenburg]

 -- Ian Jackson  Thu, 28 Feb 2019 16:37:04 +0000

xen (4.11.1+26-g87f51bf366-2) unstable; urgency=medium

  * Packaging change: override spurious lintian warning about
    fsimage.so rpath.

 -- Ian Jackson  Fri, 22 Feb 2019 16:07:37 +0000

xen (4.11.1+26-g87f51bf366-1) unstable; urgency=medium

  Significant changes:
  * Update to new upstream version 4.11.1+26-g87f51bf366.
    (This is from the upstream stable branch.) [Ian Jackson]
  * Build and use oxenstored rather than the C xenstored by default.
    [Ian Jackson and Hans van Kranenburg]
  * xen init script: rewrite and reorganise xenstored start logic.
    [Hans van Kranenburg]

  Documentation etc. improvements:
  * Refresh hypervisor and dom0 command line options documentation.
    (Closes: #919758) [Hans van Kranenburg; report from Gergely]
  * Ship /etc/default/xen, a stripped and tidied version of upstream
    sysconfig.xencommons.in. [Hans van Kranenburg]

  Significant bugfixes:
  * xen init script: Do nothing if running for wrong Xen package.
    Avoids mystery loss of xenconsoled. Closes:#851654.
    [Ian Jackson; report from Wolodja Wentland]
  * Make pygrub work again (by fixing python module and shared library
    paths). Closes:#912381.
    [Ian Jackson; earlier, Bastian Blank; report from Dimitar Angelov, also
    Torben Schou Jensen]

  Packaging bugfixes:
  * Have xen-utils-common suggest xen-doc, because it contains a broken
    symlink to it. Closes:#911046.
    [Hans van Kranenburg; report from Andreas Beckmann]
  * Have xenstore-utils declare Breaks on xen-utils-common to make piuparts
    happy. Closes:#911045.
    [Hans van Kranenburg, report from Andreas Beckmann]
  * hotplug-common: Strip arch-specific libdir from config file
    Closes:#862236.
    [Ian Jackson; report from Stefan Bühler]
  * xendomains init script; Add dependency on $network. Closes:#798510.
    [Francois Lesueur]
  * xendomains init script; Add should-dependency on nfs-kernel-server
    Closes:#826871. [Geoffrey McRae]

  Packaging minor fixes and improvements [Hans van Kranenburg]:
  * debian/libxenstore3.0.symbols: revert ea2334dfe0
  * debian/control: add dh-python build-dep
  * d/xen-utils-V...: override xen-shim-syms lintian
  * debian/control: bump debhelper builddep to 10
  * debian/.gitignore: ignore more debhelper snippets
  * bash-completion: install completion rules for xl
  * xen init script: don't fail when being run in domU
  * Remove xend cruft from various init scripts etc.

  Packaging minor fixes and improvements [Ian Jackson]:
  * xen version/upgrade handling: Improve an error message
  * xen init script: silently exit status 0 if not running under xen
  * xen init script: Tidy up wrong/missing Xen version error handling
  * debian/rules: Fix tiny typos
  * hotplug-common: Do not adjust LD_LIBRARY_PATH

 -- Ian Jackson  Fri, 22 Feb 2019 15:11:45 +0000

xen (4.11.1-1) unstable; urgency=medium

  * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
    (Closes: #911457)
  * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
  * debian/rules: Don't exclude the actual pygrub script.
  * Update to new upstream version 4.11.1, which also contains:
    - Fix: insufficient TLB flushing / improper large page mappings with AMD
      IOMMUs
      XSA-275 CVE-2018-19961 CVE-2018-19962
    - Fix: resource accounting issues in x86 IOREQ server handling
      XSA-276 CVE-2018-19963
    - Fix: x86: incorrect error handling for guest p2m page removals
      XSA-277 CVE-2018-19964
    - Fix: x86: Nested VT-x usable even when disabled
      XSA-278 CVE-2018-18883
    - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
      addresses
      XSA-279 CVE-2018-19965
    - Fix for XSA-240 conflicts with shadow paging
      XSA-280 CVE-2018-19966
    - Fix: guest use of HLE constructs may lock up host
      XSA-282 CVE-2018-19967
  * Update version handling patching to put the team mailing list address in
    the first hypervisor log line and fix broken other substitutions.
  * Disable handle_iptable hook in vif-common script. See #894013 for more
    information.

 -- Hans van Kranenburg  Wed, 02 Jan 2019 20:59:40 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium

  * debian/rules: Cope if xen-utils-common not being built
    (Fixes binary-indep FTBFS.)

 -- Ian Jackson  Mon, 15 Oct 2018 18:07:11 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-4) unstable; urgency=medium

  * Many packaging fixes to fix FTBFS on all arches other than amd64.
  * xen-vbd-interface(7): Provide properly-formatted NAME section
  * Add pandoc and markdown to Build-Depends - fixes missing docs.
  * Revert "tools-xenstore-compatibility.diff" apropos of discussion
    https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg00838.html

 -- Ian Jackson  Mon, 15 Oct 2018 12:15:36 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-3) unstable; urgency=medium

  * hypervisor package postinst: Actually install (avoids need to run
    update-grub by hand).
  * debian/control: Adding Section to source stanza
  * debian/control: Add missing Replaces on old xen-utils-common
  * debian/rules: Add a -n to a gzip rune to improve reproducibility

 -- Ian Jackson  Fri, 12 Oct 2018 16:55:48 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-2) unstable; urgency=medium

  * Redo as an upload with binaries, because source-only uploads to NEW are
    not allowed.

 -- Ian Jackson  Fri, 05 Oct 2018 19:38:52 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1) unstable; urgency=medium

  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg;
    merging in 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1.

 -- Ian Jackson  Fri, 05 Oct 2018 18:39:58 +0100

xen (4.11.1~pre+1.733450b39b-1) unstable; urgency=medium

  * Completely overhauled the packaging. In the source package, things are
    very much simpler now with only a few hundred loc of templating and
    scriptery. In the binary packages the resulting changes are:
    - We now provide -dbgsym packages in the standard way
    - Shared libraries with unstable ABI upstream (ie, whose ABI changes with
      the Xen version) are now in libxen-misc rather than libxen and have
      more conventional-looking filenames.
    - Shared libraries with a stable ABI upstream are now each in their own
      package, named after the soname (ABI version), as is conventional. The
      sonames and minor versions of these are no longer mangled.
    - xs.h, replaced upstream by xenstore.h, is now in
      /usr/include/xenstore-compat (as shipped upstream), with symlinks left
      behind.
    - fsimage*.h is no longer shipped (it's namespace-grabbish).
    - libxenvchan.h is in /usr/include as it is in upstream, not buried in
      /usr/include/xen/io
    - /etc/xen/cpupool, a not very interesting example config file, has been
      moved into /usr/share/doc/.
    - There is a new xen-doc package, in which the upstream HTML
      documentation, and various other bits, is now provided. This replaces
      the text format documentation previously provided in xen-utils-common
      (but the manpages are still there).
    - Utilities which use on libraries with stable ABIs upstream are no
      longer subjected to the Xen version wrapper.
    - Several utilities are now provided in /usr/bin which were previously
      only available buried in /usr/lib/xen-:
        xen-detect xenalyze xencons xencov_split xen-cpuid
      (version-wrapped, where necessary).
    - Likewise very many utilities and daemons in /usr/sbin:
        gdbsx xen-bugtool xen-ringwatch xen-tmem-list-parse xenmon xenpmd
        flask-* xen-kdd xen-diag xen-hptool xen-hvmcrash xen-hvmctx
        xen-livepatch xen-lowmemd xen-mfndump xenbaked xenconsoled xencov
        xenlockprof xenstored xenwatchdogd
    - xend and xm are long gone, so remove the support for the TOOLSTACK
      setting in /etc/default/xen. /usr/sbin/xen just runs xl now. Remove
      mentions of xend-config.sxp and all *.sxp files. Drop the xend init
      script.
    - There is no longer any Built-Using. This is no longer true for
      seabios, which is depended on and used at runtime, rather than being
      embedded into hvmloader. (The source package also previously tried to
      mention ipxe-qemu in Built-Using but that's (i) dependent upstream on
      CONFIG_ROMBIOS which we disable, and not a build-dependency either.)
    - The hvmloader and xen-shim binaries no longer have their .note and
      .comment section(s) stripped. .note is needed for xen-shim to work
      properly and to find the corresponding debug files. And .comment is
      tiny and harmless AFAICT.
    - Hypervisor debug map files are installed in /usr/lib/debug.
    - The xl bash_completion file from upstream is installed.
    - libxenvchan.h is installed.
    - We install xen-*.efi in /boot.
    - Sections of some packages have been rationalised.
    - We install a doc-base control file.

 -- Ian Jackson  Wed, 03 Oct 2018 18:45:02 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1) experimental; urgency=medium

  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg.
  * Remove stubdom/grub.patches/00cvs from the upstream source because it's
    not DFSG compliant.
    (license-problem-gfdl-invariants)
  * Override statically-linked-binary lintian error about
    usr/lib/xen-4.11/boot/xen-shim

 -- Hans van Kranenburg  Tue, 11 Sep 2018 15:34:34 +0200

xen (4.11.1~pre+1.733450b39b-1~exp1) experimental; urgency=medium

  [ Hans van Kranenburg ]
  * Update to 4.11.1-pre commit 733450b39b, which also contains:
    - Additional fix for: Unlimited recursion in linear pagetable de-typing
      XSA-240 CVE-2017-15595 (listed as xsa240-4.8/0004)
    - Fix x86 PV guests may gain access to internally used pages
      XSA-248 CVE-2017-17566
    - Fix broken x86 shadow mode refcount overflow check
      XSA-249 CVE-2017-17563
    - Fix improper x86 shadow mode refcount error handling
      XSA-250 CVE-2017-17564
    - Fix improper bug check in x86 log-dirty handling
      XSA-251 CVE-2017-17565
    - Fix: DoS via non-preemptable L3/L4 pagetable freeing
      XSA-252 CVE-2018-7540
    - Fix x86: memory leak with MSR emulation
      XSA-253 CVE-2018-5244
    - Multiple parts of fixes for...
      Information leak via side effects of speculative execution
      XSA-254 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
      - XPTI stage 1 a.k.a. 'Meltdown band-aid', XPTI-S1 or XPTI-lite
      - Branch predictor hardening for ARM CPUs
      - Support compiling with indirect branch thunks (e.g. retpoline)
      - Report details of speculative mitigations in boot logging
    - Fix: grant table v2 -> v1 transition may crash Xen
      XSA-255 CVE-2018-7541
    - Fix: x86 PVH guest without LAPIC may DoS the host
      XSA-256 CVE-2018-7542
    - The "Comet" shim, which can be used as a mitigation for Meltdown to
      shield the hypervisor against 64-bit PV guests.
    - Fix: Information leak via crafted user-supplied CDROM
      XSA-258 CVE-2018-10472
    - Fix: x86: PV guest may crash Xen with XPTI
      XSA-259 CVE-2018-10471
    - Fix: x86: mishandling of debug exceptions
      XSA-260 CVE-2018-8897
    - Fix: x86 vHPET interrupt injection errors
      XSA-261 CVE-2018-10982
    - Fix: qemu may drive Xen into unbounded loop
      XSA-262 CVE-2018-10981
    - Fix: Speculative Store Bypass
      XSA-263 CVE-2018-3639
    - Fix: preemption checks bypassed in x86 PV MM handling
      XSA-264 CVE-2018-12891
    - Fix: x86: #DB exception safety check can be triggered by a guest
      XSA-265 CVE-2018-12893
    - Fix: libxl fails to honour readonly flag on HVM emulated SCSI disks
      XSA-266 CVE-2018-12892
    - Fix: Speculative register leakage from lazy FPU context switching
      XSA-267 CVE-2018-3665
    - Fix: Use of v2 grant tables may cause crash on ARM
      XSA-268 CVE-2018-15469
    - Fix: x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
      XSA-269 CVE-2018-15468
    - Fix: oxenstored does not apply quota-maxentity
      XSA-272 CVE-2018-15470
    - Fix: L1 Terminal Fault speculative side channel
      XSA-273 CVE-2018-3620
  * Merge changes for 4.9 from the ubuntu packaging (thanks, Stefan Bader):
    - Rebase patches against upstream source (line numbers etc).
    - debian/rules.real:
      - Add a call to build common tool headers.
      - Add a call to install common tool headers.
    - debian/libxen-dev.install, d/p/ubuntu-tools-libs-abiname.diff:
      - Add additional modifications for new libxendevicemodel.
    - debian/patches/tools-fake-xs-restrict.patch:
      - Re-introduce (fake) xs_restrict call to keep libxenstore version at
        3.0 for now.
    - debian/libxenstore3.0.symbols: add xs_control_command
  * Rebase patches against 4.10 upstream source.
  * Rebase patches against 4.11 upstream source.
  * Add README.source.md to document how the packaging works.
  * This package builds correctly with gcc 7. (Closes: #853710)
  * Fix grub config file conflict when upgrading from Stretch.
    (Closes: #852545)
  * Init scripts: Do not kill per-domain qemu processes.
    (Closes: #879751)
  * debian/patches: Fix "'vwprintw' is deprecated" gcc 8 compilation error

  [ Mark Pryor ]
  * Fix shared library build dependencies for the new xentoolcore library.

  [ John Keates ]
  * Enable OVMF (Closes: #858962)

 -- Hans van Kranenburg  Sun, 08 Jul 2018 14:30:32 +0200

xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high

  * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
    plus a number of bugfixes and security fixes.
    Result is that we now include security fixes for:
      XSA-231 CVE-2017-14316
      XSA-232 CVE-2017-14318
      XSA-233 CVE-2017-14317
      XSA-234 CVE-2017-14319
      (235 already included in 4.8.1-1+deb9u3)
      XSA-236 CVE-2017-15597
      XSA-237 CVE-2017-15590
      XSA-238 CVE-2017-15591
      XSA-239 CVE-2017-15589
      XSA-240 CVE-2017-15595
      XSA-241 CVE-2017-15588
      XSA-242 CVE-2017-15593
      XSA-243 CVE-2017-15592
      XSA-244 CVE-2017-15594
      XSA-245 CVE-2017-17046
    and a number of upstream functionality fixes, which are not easily
    disentangled from the security fixes.
  * Apply two more security fixes:
      XSA-246 CVE-2017-17044
      XSA-247 CVE-2017-17045

 -- Ian Jackson  Sat, 25 Nov 2017 11:26:37 +0000

xen (4.8.1-1+deb9u3) stretch-security; urgency=high

  * Security fixes for
      XSA-226 CVE-2017-12135
      XSA-227 CVE-2017-12137
      XSA-228 CVE-2017-12136
      XSA-230 CVE-2017-12855
      XSA-235 CVE-2017-15596
  * Adjust changelog entry for 4.8.1-1+deb9u2 to record that XSA-225 fix
    was indeed included.
  * Security fix for XSA-229 not included as that bug is in Linux, not Xen.
  * Security fixes for XSA-231..234 inc. not included as still embargoed.

 -- Ian Jackson  Thu, 07 Sep 2017 19:17:58 +0100

xen (4.8.1-1+deb9u2) stretch-security; urgency=high

  * Security fixes for
      XSA-216 XSA-217 XSA-218 XSA-219 XSA-220
      XSA-221 XSA-222 XSA-223 XSA-224 XSA-225

 -- Ian Jackson  Tue, 20 Jun 2017 14:06:34 +0100

xen (4.8.1-1+deb9u1) unstable; urgency=medium

  * Security fixes for XSA-213 (Closes:#861659) and XSA-214
    (Closes:#861660). (Xen 4.7 and later is not affected by XSA-215.)

 -- Ian Jackson  Tue, 02 May 2017 12:19:57 +0100

xen (4.8.1-1) unstable; urgency=high

  * Update to upstream 4.8.1 release.
    Changes include numerous bugfixes, including security fixes for:
      XSA-212 / CVE-2017-7228   Closes:#859560
      XSA-207 / no cve yet      Closes:#856229
      XSA-206 / no cve yet      no Debian bug

 -- Ian Jackson  Tue, 18 Apr 2017 18:05:00 +0100

xen (4.8.1~pre.2017.01.23-1) unstable; urgency=medium

  * Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre).
    Contains bugfixes.
  * debian/control-real etc.: debian.py: Allow version numbers like this.

 -- Ian Jackson  Mon, 23 Jan 2017 16:03:31 +0000

xen (4.8.0-1) unstable; urgency=high

  * Update to upstream Xen 4.8.0.
    Includes the following security fixes:
      XSA-201 CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
      XSA-198 CVE-2016-9379 CVE-2016-9380
      XSA-196 CVE-2016-9378 CVE-2016-9377 Closes:#845669
      XSA-195 CVE-2016-9383
      XSA-194 CVE-2016-9384 Closes:#845667
      XSA-193 CVE-2016-9385
      XSA-192 CVE-2016-9382
      XSA-191 CVE-2016-9386
    Includes other bugfixes too:
      Closes:#812166, Closes:#818525.

  Cherry picks from upstream:
  * Security fixes:
      XSA-204 CVE-2016-10013 Closes:#848713
      XSA-203 CVE-2016-10025
      XSA-202 CVE-2016-10024
    For completeness, the following XSAs do not apply here:
      XSA-197 CVE-2016-9381 Bug is in qemu
      XSA-199 CVE-2016-9637 Bug is in qemu
      XSA-200 CVE-2016-9932 Xen 4.8 is not affected
  * Cherry pick a build failure fix:
      "x86/emul: add likely()/unlikely() to test harness"

  [ Ian Jackson ]
  * Drop -lcrypto search from upstream configure, and from our
    Build-Depends. Closes:#844419.
  * Change my own email address to my work (Citrix) address. When
    uploading, I will swap hats to effectively sponsor my own upload.

  [ Ian Campbell ]
  * Start a qemu process in dom0 to service the toolstacks loopback disk
    attaches. (Closes: #770456)
  * Remove correct pidfile when stopping xenconsoled.
  * Check that xenstored has actually started before talking to it.
    Incorporate a timeout so as not to block boot (Mitigates #737613)
  * Correct syntax error in xen-init-list when running with xend
    (Closes: #763102)
  * Apply SELinux labels to directories created by initscripts. Patch from
    Russell Coker. (Closes: #764912)
  * Include a reportbug control file to redirect bugs to src:xen for
    packages which contain the Xen version in the name. Closes:#796370.

  [ Lubomir Host ]
  * Fix xen-init-name to not fail looking for a nonexistent 'config' entry
    in xl's JSON output. Closes:#818129.

 -- Ian Jackson  Thu, 22 Dec 2016 14:51:46 +0000

xen (4.8.0~rc5-1) unstable; urgency=medium

  * New upstream version, Xen 4.8.0 RC5.

 -- Ian Jackson  Fri, 11 Nov 2016 15:26:58 +0000

xen (4.8.0~rc3-1) unstable; urgency=medium

  * Upload 4.8.0~rc3 to unstable. (RC5 is out upstream, but let's not
    update to that in the middle of the Xen 4.6 -> 4.8 transition.)
  * No source changes.

 -- Ian Jackson  Sat, 05 Nov 2016 15:08:47 +0000

xen (4.8.0~rc3-0exp2) experimental; urgency=medium

  * Build-Depend on iasl on all architectures. ARM has ACPI now.
    Fixes FTBFS on arm64 (at least).
  * Add qemu-utils and seabios to Suggests.
  * Pass -no-pie -fno-pic to x86 emulator test build. (Patch also
    submitted upstream.) Fixes FTBFS on i386 with GCC6.
  * Add myself to Uploaders.

 -- Ian Jackson  Tue, 01 Nov 2016 18:00:25 +0000

xen (4.8.0~rc3-0exp1) experimental; urgency=high

  * New upstream version, Xen 4.8.0 RC3.
    Fixes many outstanding CVEs.
  * Incorporated many changes from 4.8.0-0ubuntu2
    - libxen-dev is M-A: same
    - Work around grep bug http://bugs.launchpad.net/bugs/1547466
    - debian/xen-hypervisor-4.6.xen.cfg: Additional config file to
      simplify grub configuration.
    - Use new library/abiname scheme.
    - Document what xl and xm are in default.xen
    - Add libvirtd dependency to xendomains init script
    (Thanks to Stefan Bader and others.)

 -- Ian Jackson  Mon, 24 Oct 2016 17:31:27 +0100

xen (4.6.0-1+nmu2) unstable; urgency=medium

  * Ensure debian/control.md5sum is correctly updated.
    Fixes FTBFS of 4.6.0-1+nmu1 on buildds where linux-support-4.2.0-1 is
    not expected to be installed.

 -- Ian Campbell  Tue, 09 Feb 2016 16:41:16 +0000

xen (4.6.0-1+nmu1) unstable; urgency=medium

  * Non-maintainer upload.
  * Drop unused patching in of $(PREFIX), $(SBINDIR) and $(BINDIR) which
    are no longer used by the upstream build system.
  * Use correct/consistent LIBEXEC dirs throughout build (Closes: #805508).

 -- Ian Campbell  Tue, 19 Jan 2016 14:43:54 +0000

xen (4.6.0-1) unstable; urgency=medium

  * New upstream release.
  * CVE-2015-7812
  * CVE-2015-7813
  * CVE-2015-7814
  * CVE-2015-7835
  * CVE-2015-7969
  * CVE-2015-7970
  * CVE-2015-7971
  * CVE-2015-7972

 -- Bastian Blank  Sun, 01 Nov 2015 21:49:07 +0100

xen (4.5.1~rc1-1) experimental; urgency=medium

  [ Ian Campbell ]
  * Use xen-init-dom0 from initscript when it is available.
  * Install some user facing docs in xen-utils-common. (Closes: #688308)

  [ Bastian Blank ]
  * New upstream release candidate.

 -- Bastian Blank  Sun, 31 May 2015 21:59:56 +0200

xen (4.5.0-1) experimental; urgency=medium

  [ Ian Campbell ]
  * New upstream release

 -- Bastian Blank  Wed, 21 Jan 2015 20:21:45 +0100

xen (4.5.0~rc3-1) experimental; urgency=medium

  * New upstream release candidate.
  * Re-add xend config.

 -- Bastian Blank  Wed, 17 Dec 2014 22:37:23 +0100

xen (4.4.1-6) unstable; urgency=medium

  * Fix starvation of writers in locks.
    CVE-2014-9065

 -- Bastian Blank  Thu, 11 Dec 2014 15:56:08 +0100

xen (4.4.1-5) unstable; urgency=medium

  * Fix excessive checks of hypercall arguments.
    CVE-2014-8866
  * Fix boundary checks of emulated MMIO access.
    CVE-2014-8867
  * Fix additional memory leaks in xl. (closes: #767295)

 -- Bastian Blank  Sun, 30 Nov 2014 20:13:32 +0100

xen (4.4.1-4) unstable; urgency=medium

  [ Bastian Blank ]
  * Make operations pre-emptible.
    CVE-2014-5146, CVE-2014-5149
  * Don't allow page table updates from non-PV page tables.
    CVE-2014-8594
  * Enforce privilege level while loading code segment.
    CVE-2014-8595
  * Fix reference counter leak.
    CVE-2014-9030
  * Use linux 3.16.0-4 stuff.
  * Fix memory leak in xl. (closes: #767295)

  [ Ian Campbell ]
  * Add licensing for tools/python/logging to debian/copyright.
    (Closes: #759384)
  * Correctly include xen-init-name in xen-utils-common. (Closes: #769543)
  * xen-utils recommends grub-xen-host package (Closes: #770460)

 -- Bastian Blank  Thu, 27 Nov 2014 20:17:36 +0100

xen (4.4.1-3) unstable; urgency=medium

  [ Bastian Blank ]
  * Remove unused build-dependencies.
  * Extend list affected systems for broken interrupt assignment.
    CVE-2013-3495
  * Fix race in hvm memory management.
    CVE-2014-7154
  * Fix missing privilege checks on instruction emulation.
    CVE-2014-7155, CVE-2014-7156
  * Fix uninitialized control structures in FIFO handling.
    CVE-2014-6268
  * Fix MSR range check in emulation.
    CVE-2014-7188

  [ Ian Campbell ]
  * Install xen.efi into /boot for amd64 builds.

 -- Bastian Blank  Fri, 17 Oct 2014 16:27:46 +0200

xen (4.4.1-2) unstable; urgency=medium

  * Re-build with correct content.
  * Use dh_lintian.

 -- Bastian Blank  Wed, 24 Sep 2014 20:23:14 +0200

xen (4.4.1-1) unstable; urgency=medium

  * New upstream release.
    - Fix several vulnerabilities. (closes: #757724)
      CVE-2014-2599, CVE-2014-3124, CVE-2014-3967, CVE-2014-3968,
      CVE-2014-4021

 -- Bastian Blank  Sun, 21 Sep 2014 10:45:47 +0200

xen (4.4.0-5) unstable; urgency=medium

  [ Ian Campbell ]
  * Expand on the descriptions of some packages. (Closes: #466683)
  * Clarify where xen-utils-common is required. (Closes: #612403)
  * No longer depend on gawk. Xen can now use any awk one of which is
    always present. (Closes: #589176)
  * Put core dumps in /var/lib/xen/dump and ensure it exists.
    (Closes: #444000)

  [ Bastian Blank ]
  * Handle JSON output from xl in xendomains init script.

 -- Bastian Blank  Sat, 06 Sep 2014 22:11:20 +0200

xen (4.4.0-4) unstable; urgency=medium

  [ Bastian Blank ]
  * Also remove unused OCaml packages from control file.
  * Make library packages multi-arch: same. (closes: #730417)
  * Use debhelper compat level 9.
    (closes: #692352)

  [ Ian Campbell ]
  * Correct contents of /etc/xen/scripts/hotplugpath.sh (Closes: #706283)
  * Drop references cpuperf-xen and cpuperf-perfcntr. (Closes: #733847)
  * Install xentrace_format(1), xentrace(8) and xentop(1).
    (Closes: #407143)

 -- Bastian Blank  Sat, 30 Aug 2014 13:34:04 +0200

xen (4.4.0-3) unstable; urgency=medium

  [ Ian Campbell ]
  * Use correct SeaBIOS binary which supports Xen (Closes: #737905).

  [ Bastian Blank ]
  * Really update config.{sub,guess}.

 -- Bastian Blank  Fri, 29 Aug 2014 16:33:19 +0200

xen (4.4.0-2) unstable; urgency=medium

  * Remove broken and unused OCaml-support.

 -- Bastian Blank  Mon, 18 Aug 2014 15:18:42 +0200

xen (4.4.0-1) unstable; urgency=medium

  [ Bastian Blank ]
  * New upstream release.
    - Update scripts for compatibility with latest coreutils.
      (closes: #718898)
    - Fix guest reboot with xl toolstack. (closes: #727100)
    - CVE-2013-6375: Insufficient TLB flushing in VT-d (iommu) code.
      (closes: #730254)
    - xl support for global VNC options. (closes: #744157)
    - vif scripts can now be named relative to /etc/xen/scripts.
      (closes: #744160)
    - Support for arbitrary sized SeaBIOS binaries. (closes: #737905)
    - pygrub searches for extlinux.conf in the expected places.
      (closes: #697407)
    - Update scripts to use correct syntax for ip command.
      (closes: #705659)
  * Fix install of xend configs to not break compatibility.

  [ Ian Campbell ]
  * Disable blktap1 support using new configure option instead of by
    patching.
  * Disable qemu-traditional and rombios support using new configure option
    instead of by patching. No need to build-depend on ipxe any more.
  * Use system qemu-xen via new configure option instead of patching.
  * Use system seabios via new configure option instead of patching.
  * Use EXTRA_CFLAGS_XEN_TOOLS and APPEND_{CPPFLAGS,LDFLAGS} during build.
  * Add support for armhf and arm64.
  * Update config.{sub,guess}.

 -- Bastian Blank  Sat, 09 Aug 2014 13:09:00 +0200

xen (4.3.0-3) unstable; urgency=low

  * Revive hypervisor on i386.

 -- Bastian Blank  Fri, 18 Oct 2013 00:15:16 +0200

xen (4.3.0-2) unstable; urgency=low

  * Force proper install order. (closes: #721999)

 -- Bastian Blank  Sat, 05 Oct 2013 15:03:36 +0000

xen (4.3.0-1) unstable; urgency=low

  * New upstream release.
    - Fix HVM PCI passthrough. (closes: #706543)
  * Call configure with proper arguments.
  * Remove now empty xen-docs package.
  * Disable external code retrieval.
  * Drop all i386 hypervisor packages.
  * Drop complete blktap support.
  * Create /run/xen.
  * Make xen-utils recommend qemu-system-x86. (closes: #688311)
    - This version comes with audio support. (closes: #635166)
  * Make libxenlight and libxlutil public. (closes: #644390)
    - Set versioned ABI name.
    - Install headers.
    - Move libs into normal library path.
  * Use build flags in the tools build.
    - Fix fallout from hardening flags.
  * Update Standards-Version to 3.9.4. No changes.

 -- Bastian Blank  Thu, 05 Sep 2013 13:54:03 +0200

xen (4.2.2-1) unstable; urgency=low

  * New upstream release.
    - Fix build with gcc 4.8. (closes: #712376)
  * Build-depend on libssl-dev. (closes: #712366)
  * Enable hardening as much as possible.
  * Re-enable ocaml build fixes. (closes: #695176)
  * Check for out-of-bound values in CPU affinity setup.
    CVE-2013-2072
  * Fix information leak on AMD CPUs.
    CVE-2013-2076
  * Recover from faults on XRSTOR.
    CVE-2013-2077
  * Properly check guest input to XSETBV.
    CVE-2013-2078

 -- Bastian Blank  Thu, 11 Jul 2013 00:28:24 +0200

xen (4.2.1-2) unstable; urgency=low

  * Actually upload to unstable.

 -- Bastian Blank  Sun, 12 May 2013 00:20:58 +0200

xen (4.2.1-1) experimental; urgency=low

  * New upstream release.
  * Enable usage of seabios.
  * Fix some toolchain issues.

 -- Bastian Blank  Sat, 11 May 2013 23:55:46 +0200

xen (4.2.0-2) experimental; urgency=low

  * Support JSON output in domain init script helper.

 -- Bastian Blank  Mon, 01 Oct 2012 15:11:30 +0200

xen (4.2.0-1) experimental; urgency=low

  * New upstream release.

 -- Bastian Blank  Tue, 18 Sep 2012 13:54:30 +0200

xen (4.2.0~rc3-1) experimental; urgency=low

  * New upstream snapshot.

 -- Bastian Blank  Fri, 07 Sep 2012 20:28:46 +0200

xen (4.2.0~rc2-1) experimental; urgency=low

  * New upstream snapshot.
  * Build-depend against libglib2.0-dev and libyajl-dev.
  * Disable seabios build for now.
  * Remove support for Lenny and earlier.
  * Support build-arch and build-indep make targets.

 -- Bastian Blank  Sun, 13 May 2012 12:21:10 +0000

xen (4.1.4-4) unstable; urgency=high

  * Make several long running operations preemptible.
    CVE-2013-1918
  * Fix source validation for VT-d interrupt remapping.
    CVE-2013-1952

 -- Bastian Blank  Thu, 02 May 2013 14:30:29 +0200

xen (4.1.4-3) unstable; urgency=high

  * Fix return from SYSENTER.
    CVE-2013-1917
  * Fix various problems with guest interrupt handling.
    CVE-2013-1919
  * Only save pointer after access checks.
    CVE-2013-1920
  * Fix domain locking for transitive grants.
    CVE-2013-1964

 -- Bastian Blank  Fri, 19 Apr 2013 13:01:57 +0200

xen (4.1.4-2) unstable; urgency=low

  * Use pre-device interrupt remapping mode per default. Fix removing old
    remappings.
    CVE-2013-0153

 -- Bastian Blank  Wed, 06 Feb 2013 13:04:52 +0100

xen (4.1.4-1) unstable; urgency=low

  * New upstream release.
    - Disable process-context identifier support in newer CPUs for all
      domains.
    - Add workarounds for AMD errata.
    - Don't allow any non-canonical addresses.
    - Use Multiboot memory map if BIOS emulation does not provide one.
    - Fix several problems in tmem.
      CVE-2012-3497
    - Fix error handling in domain creation.
    - Adjust locking and interrupt handling during S3 resume.
    - Tighten more resource and memory range checks.
    - Reset performance counters. (closes: #698651)
    - Remove special-case for first IO-APIC.
    - Fix MSI handling for HVM domains. (closes: #695123)
    - Revert cache value of disks in HVM domains.

 -- Bastian Blank  Thu, 31 Jan 2013 15:44:50 +0100

xen (4.1.3-8) unstable; urgency=high

  * Fix error in VT-d interrupt remapping source validation.
    CVE-2012-5634
  * Fix buffer overflow in qemu e1000 emulation.
    CVE-2012-6075
  * Update patch, mention second CVE.
    CVE-2012-5511, CVE-2012-6333

 -- Bastian Blank  Sat, 19 Jan 2013 13:55:07 +0100

xen (4.1.3-7) unstable; urgency=low

  * Fix clock jump due to incorrect annotated inline assembler.
    (closes: #599161)
  * Add support for XZ compressed Linux kernels to hypervisor and userspace
    based loaders, it is needed for any Linux kernels newer than Wheezy.
    (closes: #695056)

 -- Bastian Blank  Tue, 11 Dec 2012 18:54:59 +0100

xen (4.1.3-6) unstable; urgency=high

  * Fix error handling in physical to machine memory mapping.
    CVE-2012-5514

 -- Bastian Blank  Tue, 04 Dec 2012 10:51:43 +0100

xen (4.1.3-5) unstable; urgency=high

  * Fix state corruption due to incomplete grant table switch.
    CVE-2012-5510
  * Check range of arguments to several HVM operations.
    CVE-2012-5511, CVE-2012-6333
  * Check array index before using it in HVM memory operation.
    CVE-2012-5512
  * Check memory range in memory exchange operation.
    CVE-2012-5513
  * Don't allow too large memory size and avoid busy looping.
    CVE-2012-5515

 -- Bastian Blank  Mon, 03 Dec 2012 19:37:38 +0100

xen (4.1.3-4) unstable; urgency=high

  * Use linux 3.2.0-4 stuff.
  * Fix overflow in timer calculations.
    CVE-2012-4535
  * Check value of physical interrupts parameter before using it.
    CVE-2012-4536
  * Error out on incorrect memory mapping updates.
    CVE-2012-4537
  * Check if toplevel page tables are present.
    CVE-2012-4538
  * Fix infinite loop in compatibility code.
    CVE-2012-4539
  * Limit maximum kernel and ramdisk size.
    CVE-2012-2625, CVE-2012-4544

 -- Bastian Blank  Tue, 20 Nov 2012 15:51:01 +0100

xen (4.1.3-3) unstable; urgency=low

  * Xen domain init script:
    - Make sure Open vSwitch is started before any domain.
    - Properly handle and show output of failed migration and save.
    - Ask all domains to shut down before checking them.

 -- Bastian Blank  Tue, 18 Sep 2012 13:26:32 +0200

xen (4.1.3-2) unstable; urgency=medium

  * Don't allow writing reserved bits in debug register.
    CVE-2012-3494
  * Fix error handling in interrupt assignment.
    CVE-2012-3495
  * Don't trigger bug messages on invalid flags.
    CVE-2012-3496
  * Check array bounds in interrupt assignment.
    CVE-2012-3498
  * Properly check bounds while setting the cursor in qemu.
    CVE-2012-3515
  * Disable monitor in qemu by default.
    CVE-2012-4411

 -- Bastian Blank  Fri, 07 Sep 2012 19:41:46 +0200

xen (4.1.3-1) unstable; urgency=medium

  * New upstream release: (closes: #683286)
    - Don't leave the x86 emulation in a bad state. (closes: #683279)
      CVE-2012-3432
    - Only check for shared pages while any exist on teardown.
      CVE-2012-3433
    - Fix error handling for unexpected conditions.
    - Update CPUID masking to latest Intel spec.
    - Allow large ACPI ids.
    - Fix IOMMU support for PCI-to-PCIe bridges.
    - Disallow access to some sensitive IO-ports.
    - Fix wrong address in IOTLB.
    - Fix deadlock on CPUs without working cpufreq driver.
    - Use uncached disk access in qemu.
    - Fix buffer size on emulated e1000 device in qemu.
  * Fixup broken and remove applied patches.

 -- Bastian Blank  Fri, 17 Aug 2012 11:25:02 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-5) unstable; urgency=low

  [ Ian Campbell ]
  * Set tap device MAC addresses to fe:ff:ff:ff:ff:ff (Closes: #671018)
  * Only run xendomains initscript if toolstack is xl or xm
    (Closes: #680528)

  [ Bastian Blank ]
  * Actually build-depend on new enough version of dpkg-dev.
  * Add xen-system-* meta-packages. We are finally in a position to do
    automatic upgrades and this package is missing. (closes: #681376)

 -- Bastian Blank  Sat, 28 Jul 2012 10:23:26 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-4) unstable; urgency=low

  * Add Build-Using info to xen-utils package.
  * Fix build-arch target.

 -- Bastian Blank  Sun, 01 Jul 2012 19:52:30 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-3) unstable; urgency=low

  * Remove /usr/lib/xen-default.
    It breaks systems if xenstored is not compatible.
  * Fix init script usage.
  * Fix udev rules for emulated network devices:
    - Force names of emulated network devices to a predictable name.

 -- Bastian Blank  Sun, 01 Jul 2012 16:59:04 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-2) unstable; urgency=low

  * Fix pointer mismatch in interrupt functions. Fixes build on i386.

 -- Bastian Blank  Fri, 15 Jun 2012 18:00:51 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-1) unstable; urgency=low

  * New upstream snapshot.
    - Fix privilege escalation and syscall/sysenter DoS while using
      non-canonical addresses by untrusted PV guests. (closes: #677221)
      CVE-2012-0217
      CVE-2012-0218
    - Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
      cause a DoS of the host.
      CVE-2012-2934
  * Don't fail if standard toolstacks are not available. (closes: #677244)

 -- Bastian Blank  Thu, 14 Jun 2012 17:06:25 +0200

xen (4.1.2-7) unstable; urgency=low

  * Really use ucf.
  * Update init script dependencies:
    - Start $syslog before xen.
    - Start drbd and iscsi before xendomains. (closes: #626356)
    - Start corosync and heartbeat after xendomains.
  * Remove /var/log/xen on purge. (closes: #656216)

 -- Bastian Blank  Tue, 22 May 2012 10:44:41 +0200

xen (4.1.2-6) unstable; urgency=low

  * Fix generation of architectures for hypervisor packages.
  * Remove information about loop devices, it is incorrect.
    (closes: #503044)
  * Update xendomains init script:
    - Create directory for domain images only root readable.
      (closes: #596048)
    - Add missing sanity checks for variables. (closes: #671750)
    - Remove no longer supported config options.
    - Don't fail if no config is available.
    - Remove extra output if domain was restored.

 -- Bastian Blank  Sun, 06 May 2012 20:07:41 +0200

xen (4.1.2-5) unstable; urgency=low

  * Actually force init script rename. (closes: #669341)
  * Fix long output from xl.
  * Move complete init script setup.
  * Rewrite xendomains init script:
    - Use LSB output functions.
    - Make output more clear.
    - Use xen toolstack wrapper.
    - Use a python script to properly read domain details.
  * Set name for Domain-0.

 -- Bastian Blank  Mon, 23 Apr 2012 11:56:45 +0200

xen (4.1.2-4) unstable; urgency=low

  [ Bastian Blank ]
  * Build-depend on ipxe-qemu instead of ipxe. (closes: #665070)
  * No longer use a4wide latex package.
  * Use ucf for /etc/default/xen.
  * Remove handling for old udev rules link and xenstored directory.
  * Rename xend init script to xen.

  [ Lionel Elie Mamane ]
  * Fix toolstack script to work with old dash. (closes: #648029)

 -- Bastian Blank  Mon, 16 Apr 2012 08:47:29 +0000

xen (4.1.2-3) unstable; urgency=low

  * Merge xen-common source package.
  * Remove xend wrapper, it should not be called by users.
  * Support xl in init script.
  * Restart xen daemons on upgrade.
  * Restart and stop xenconsoled in init script.
  * Load xen-gntdev module.
  * Create /var/lib/xen. (closes: #658101)
  * Cleanup udev rules. (closes: #657745)

 -- Bastian Blank  Wed, 01 Feb 2012 19:28:28 +0100

xen (4.1.2-2) unstable; urgency=low

  [ Jon Ludlam ]
  * Import (partially reworked) upstream changes for OCaml support.
    - Rename the ocamlfind packages.
    - Remove uuid and log libraries.
    - Fix 2 bit-twiddling bugs and an off-by-one
  * Fix build of OCaml libraries.
  * Add OCaml library and development package.
  * Include some missing headers.

 -- Bastian Blank  Sat, 10 Dec 2011 19:13:25 +0000

xen (4.1.2-1) unstable; urgency=low

  * New upstream release.
  * Build-depend on pkg-config.
  * Add package libxen-4.1. Includes some shared libs.

 -- Bastian Blank  Sat, 26 Nov 2011 18:28:06 +0100

xen (4.1.1-3) unstable; urgency=low

  [ Julien Danjou ]
  * Remove Julien Danjou from the Uploaders field. (closes: #590439)

  [ Bastian Blank ]
  * Use current version of python. (closes: #646660)
  * Build-depend against liblzma-dev, it is used if available.
    (closes: #646694)
  * Update Standards-Version to 3.9.2. No changes.
  * Don't use brace-expansion in debhelper install files.

 -- Bastian Blank  Wed, 26 Oct 2011 14:42:33 +0200

xen (4.1.1-2) unstable; urgency=low

  * Fix hvmloader with gcc 4.6.

 -- Bastian Blank  Fri, 05 Aug 2011 23:58:36 +0200

xen (4.1.1-1) unstable; urgency=low

  * New upstream release.
  * Don't use qemu-dm if it is not needed. (Backport from xen-unstable.)
  * Use dh_python2.

 -- Bastian Blank  Mon, 18 Jul 2011 19:38:38 +0200

xen (4.1.0-3) unstable; urgency=low

  * Add ghostscript to build-deps.
  * Enable qemu-dm build.
    - Add qemu as another orig tar.
    - Remove blktap1, bluetooth and sdl support from qemu.
    - Recommend qemu-keymaps and qemu-utils.

 -- Bastian Blank  Thu, 28 Apr 2011 15:20:45 +0200

xen (4.1.0-2) unstable; urgency=low

  * Re-enable hvmloader:
    - Use packaged ipxe.
  * Workaround incompatibility with xenstored of Xen 4.0.

 -- Bastian Blank  Fri, 15 Apr 2011 11:38:25 +0200

xen (4.1.0-1) unstable; urgency=low

  * New upstream release.

 -- Bastian Blank  Sun, 27 Mar 2011 18:09:28 +0000

xen (4.1.0~rc6-1) unstable; urgency=low

  * New upstream release candidate.
  * Build documentation using pdflatex.
  * Use python 2.6. (closes: #596545)
  * Fix lintian override.
  * Install new tools: xl, xenpaging.
  * Enable blktap2.
    - Use own md5 implementation.
    - Fix includes.
    - Fix linking of blktap2 binaries.
    - Remove optimization setting.
  * Temporarily disable hvmloader, wants to download ipxe.
  * Remove xenstored pid check from xl.

 -- Bastian Blank  Thu, 17 Mar 2011 16:12:45 +0100

xen (4.0.1-2) unstable; urgency=low

  * Fix races in memory management.
  * Make sure that frame-table compression leaves enough aligned.
  * Disable XSAVE support. (closes: #595490)
  * Check for dying domain instead of raising an assertion.
  * Add C6 state with EOI errata for Intel.
  * Make some memory management interrupt safe. Unsure if really needed.
  * Raise bar for inter-socket migrations on mostly-idle systems.
  * Fix interrupt handling for legacy routed interrupts.
  * Allow to set maximal domain memory even during a running change.
  * Support new partition name in pygrub.
    (closes: #599243)
  * Fix some comparisons "< 0" that may be optimized away.
  * Check for MWAIT support before using it.
  * Fix endless loop on interrupts on Nehalem cpus.
  * Don't crash upon direct GDT/LDT access. (closes: #609531)
    CVE-2010-4255
  * Don't lose timer ticks after domain restore.
  * Reserve some space for IOMMU area in dom0. (closes: #608715)
  * Fix hypercall arguments after trace callout.
  * Fix some error paths in vtd support. Memory leak.
  * Reinstate ACPI DMAR table.

 -- Bastian Blank  Wed, 12 Jan 2011 15:01:40 +0100

xen (4.0.1-1) unstable; urgency=low

  * New upstream release.
    - Fix IOAPIC S3 with interrupt remapping enabled.

 -- Bastian Blank  Fri, 03 Sep 2010 17:14:28 +0200

xen (4.0.1~rc6-1) unstable; urgency=low

  * New upstream release candidate.
    - Add some missing locks for page table walk.
    - Fix NMU injection into guest.
    - Fix ioapic updates for vt-d.
    - Add check for GRUB2 commandline behaviour.
    - Fix handling of invalid kernel images.
    - Allow usage of powernow.
  * Remove lowlevel python modules usage from pygrub. (closes: #588811)

 -- Bastian Blank  Tue, 17 Aug 2010 23:15:34 +0200

xen (4.0.1~rc5-1) unstable; urgency=low

  * New upstream release candidate.

 -- Bastian Blank  Mon, 02 Aug 2010 17:06:27 +0200

xen (4.0.1~rc3-1) unstable; urgency=low

  * New upstream release candidate.
  * Call dh_pyversion with the correct version.
  * Restart xen daemon on upgrade.

 -- Bastian Blank  Wed, 30 Jun 2010 16:30:47 +0200

xen (4.0.0-2) unstable; urgency=low

  * Fix python dependency. (closes: #586666)
    - Use python-support.
    - Hardcode to use python 2.5 for now.

 -- Bastian Blank  Mon, 21 Jun 2010 17:23:16 +0200

xen (4.0.0-1) unstable; urgency=low

  * Update to unstable.
  * Fix spelling in README.
  * Remove unnecessary build-depends.
  * Fixup xend to use different filename lookup.

 -- Bastian Blank  Thu, 17 Jun 2010 11:16:55 +0200

xen (4.0.0-1~experimental.2) experimental; urgency=low

  * Merge changes from 3.4.3-1.

 -- Bastian Blank  Fri, 28 May 2010 12:58:12 +0200

xen (4.0.0-1~experimental.1) experimental; urgency=low

  * New upstream version.
  * Rename source package to xen.
  * Build depend against iasl and uuid-dev.
  * Disable blktap2 support, it links against OpenSSL.
  * Update copyright file.

 -- Bastian Blank  Thu, 06 May 2010 15:47:38 +0200

xen-3 (3.4.3-1) unstable; urgency=low

  * New upstream version.
  * Disable blktap support, it is unusable with current kernels.
  * Disable libaio, was only used by blktap.
  * Drop device creation support. (closes: #583283)

 -- Bastian Blank  Fri, 28 May 2010 11:43:18 +0200

xen-3 (3.4.3~rc6-1) unstable; urgency=low

  * New upstream release candidate.
    - Relocate multiboot modules. (closes: #580045)
    - Support grub2 in pygrub. (closes: #573311)

 -- Bastian Blank  Sat, 08 May 2010 11:32:29 +0200

xen-3 (3.4.3~rc3-2) unstable; urgency=low

  * Again list the complete version in the hypervisor.
  * Fix path detection for bootloader, document it. (closes: #481105)
  * Rewrite README.

 -- Bastian Blank  Thu, 08 Apr 2010 16:14:58 +0200

xen-3 (3.4.3~rc3-1) unstable; urgency=low

  * New upstream release candidate.
  * Use 3.0 (quilt) source format.
  * Always use current python version.

 -- Bastian Blank  Mon, 01 Mar 2010 22:14:22 +0100

xen-3 (3.4.2-2) unstable; urgency=low

  * Remove Jeremy T. Bouse from uploaders.
  * Export blktap lib and headers.
  * Build amd64 hypervisor on i386. (closes: #366315)

 -- Bastian Blank  Sun, 22 Nov 2009 16:54:47 +0100

xen-3 (3.4.2-1) unstable; urgency=low

  * New upstream version.
  * Strip hvmloader by hand.
  * Remove extra license file from libxen-dev.

 -- Bastian Blank  Mon, 16 Nov 2009 20:57:07 +0100

xen-3 (3.4.1-1) unstable; urgency=low

  * New upstream version.

 -- Bastian Blank  Fri, 21 Aug 2009 21:34:38 +0200

xen-3 (3.4.0-2) unstable; urgency=low

  * Add symbols file for libxenstore3.0. (closes: #536173)
  * Document that ioemu is currently unsupported. (closes: #536175)
  * Fix location of fsimage plugins.
    (closes: #536174)

 -- Bastian Blank  Sat, 18 Jul 2009 18:05:35 +0200

xen-3 (3.4.0-1) unstable; urgency=low

  [ Bastian Blank ]
  * New upstream version.
  * Remove ioemu for now. (closes: #490409, #496367)
  * Remove non-pae hypervisor.
  * Use debhelper compat level 7.
  * Make the init script start all daemons.

 -- Bastian Blank  Tue, 30 Jun 2009 22:33:22 +0200

xen-3 (3.2.1-2) unstable; urgency=low

  * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
  * Fix missing checks in pvfb code.
    See CVE-2008-1952. (closes: #487095)
  * Add support for loading bzImage files. (closes: #474509)
  * Enable TLS support in ioemu code.
  * Drop libcrypto usage because of GPL-incompatibility.
  * Remove AES code from blktap drivers. Considered broken.

 -- Bastian Blank  Sat, 28 Jun 2008 11:30:43 +0200

xen-3 (3.2.1-1) unstable; urgency=low

  * New upstream version.
  * Set rpath relative to ${ORIGIN}.
  * Add lintian override to xen-utils package.

 -- Bastian Blank  Thu, 22 May 2008 14:01:47 +0200

xen-3 (3.2.0-5) unstable; urgency=low

  * Provide correct directory to dh_pycentral.

 -- Bastian Blank  Mon, 14 Apr 2008 21:43:49 +0200

xen-3 (3.2.0-4) unstable; urgency=low

  * Pull in newer xen-utils-common.
  * Fix missing size checks in the ioemu block driver. (closes: #469654)
    See: CVE-2008-0928

 -- Bastian Blank  Fri, 07 Mar 2008 14:21:38 +0100

xen-3 (3.2.0-3) unstable; urgency=low

  * Clean environment for build.
  * Add packages libxenstore3.0 and xenstore-utils.
  * Move docs package in docs section to match overwrites.
  * Make the hypervisor only recommend the utils.
  * Cleanup installation. (closes: #462989)

 -- Bastian Blank  Tue, 12 Feb 2008 12:40:56 +0000

xen-3 (3.2.0-2) unstable; urgency=low

  * Fix broken patch. (closes: #462522)

 -- Bastian Blank  Sat, 26 Jan 2008 17:21:52 +0000

xen-3 (3.2.0-1) unstable; urgency=low

  * New upstream version.
  * Add package libxen-dev. Including public headers and static libs.
    (closes: #402249)
  * No longer install xenfb, removed upstream.

 -- Bastian Blank  Tue, 22 Jan 2008 12:51:49 +0000

xen-3 (3.1.2-2) unstable; urgency=low

  * Add missing rpath definitions.
  * Fix building of pae version.

 -- Bastian Blank  Sat, 08 Dec 2007 12:07:42 +0000

xen-3 (3.1.2-1) unstable; urgency=high

  * New upstream release:
    - Move shared file into /var/run. (closes: #447795)
      See CVE-2007-3919.
    - x86: Fix various problems with debug-register handling.
      (closes: #451626) See CVE-2007-5906.

 -- Bastian Blank  Sat, 24 Nov 2007 13:24:45 +0000

xen-3 (3.1.1-1) unstable; urgency=low

  * New upstream release:
    - Don't use exec with untrusted values in pygrub. (closes: #444430)
      See CVE-2007-4993.

 -- Bastian Blank  Fri, 19 Oct 2007 16:02:37 +0000

xen-3 (3.1.0-2) unstable; urgency=low

  * Switch to texlive for documentation.
  * Drop unused transfig.
  * Drop unused latex features from documentation.
  * Build depend against gcc-multilib for amd64. (closes: #439662)

 -- Bastian Blank  Fri, 31 Aug 2007 08:15:50 +0000

xen-3 (3.1.0-1) unstable; urgency=low

  [ Julien Danjou ]
  * New upstream version.

  [ Ralph Passgang ]
  * Added graphviz to Build-Indeps

  [ Bastian Blank ]
  * Upstream removed one part of the version. Do it also.
  * Merge utils packages.
  * Install blktap support.
  * Install pygrub.
  * Install xenfb tools.
  * xenconsoled startup is racy, wait a little bit.

 -- Bastian Blank  Mon, 20 Aug 2007 15:05:08 +0000

xen-3.0 (3.0.4-1-1) unstable; urgency=low

  [ Bastian Blank ]
  * New upstream version (closes: #394411)

  [ Guido Trotter ]
  * Actually try to build and release xen 3.0.4
  * Update build dependencies

 -- Guido Trotter  Wed, 23 May 2007 11:57:29 +0100

xen-3.0 (3.0.3-0-2) unstable; urgency=medium

  [ Bastian Blank ]
  * Remove device recreate code.
  * Remove build dependency on linux-support-X

  [ Guido Trotter ]
  * Add missing build dependency on zlib1g-dev (closes: #396557)
  * Add missing build dependencies on libncurses5-dev and x11proto-core-dev
    (closes: #396561, #396567)

 -- Guido Trotter  Thu, 2 Nov 2006 16:38:02 +0000

xen-3.0 (3.0.3-0-1) unstable; urgency=low

  * New upstream version.

 -- Bastian Blank  Fri, 20 Oct 2006 11:04:35 +0000

xen-3.0 (3.0.3~rc4+hg11760-1) unstable; urgency=low

  * New upstream snapshot.
  * Ignore update-grub errors. (closes: #392534)

 -- Bastian Blank  Sat, 14 Oct 2006 13:09:53 +0000

xen-3.0 (3.0.3~rc1+hg11686-1) unstable; urgency=low

  * New upstream snapshot.
  * Rename ioemu package to include the complete version.
  * Fix name of hypervisor. (closes: #391771)

 -- Bastian Blank  Mon, 9 Oct 2006 12:48:13 +0000

xen-3.0 (3.0.2-3+hg9762-1) unstable; urgency=low

  * New upstream snapshot.
  * Rename hypervisor and utils packages to include the complete version.
  * Redo build environment.

 -- Bastian Blank  Mon, 4 Sep 2006 18:43:12 +0000

xen-3.0 (3.0.2+hg9697-2) unstable; urgency=low

  [ Guido Trotter ]
  * Update xen-utils' README.Debian (closes: #372524)

  [ Bastian Blank ]
  * Adopt new python policy. (closes: #380990)
  * Add patch to make new kernels working on the hypervisor.

 -- Bastian Blank  Tue, 15 Aug 2006 19:20:08 +0000

xen-3.0 (3.0.2+hg9697-1) unstable; urgency=low

  [ Guido Trotter ]
  * Update Standards Version
  * Merge upstream fixes trunk (upstream 3.0.2-3 + a couple of fixes)

  [ Bastian Blank ]
  * Add xen-ioemu-3.0 package to support HVM guests (closes: #368496)

 -- Guido Trotter  Wed, 31 May 2006 10:50:05 +0200

xen-3.0 (3.0.2+hg9681-1) unstable; urgency=low

  * Update xen-hypervisor-3.0-i386 and xen-hypervisor-3.0-i386-pae
    descriptions, specifying what the difference between the two packages is
    (closes: #366019)
  * Merge upstream fixes trunk

 -- Guido Trotter  Thu, 18 May 2006 15:25:02 +0200

xen-3.0 (3.0.2+hg9656-1) unstable; urgency=low

  * Merge upstream fixes trunk
    - This includes a fix for CVE-2006-1056

 -- Guido Trotter  Thu, 27 Apr 2006 17:34:03 +0200

xen-3.0 (3.0.2+hg9651-1) unstable; urgency=low

  * Merge upstream fixes trunk
  * Fix PAE disabled in pae build (Closes: #364875)

 -- Julien Danjou  Wed, 26 Apr 2006 13:19:39 +0200

xen-3.0 (3.0.2+hg9646-1) unstable; urgency=low

  [ Guido Trotter ]
  * Merge upstream fixes trunk

  [ Bastian Blank ]
  * debian/patches/libdir.dpatch: Update to make xm save work

 -- Julien Danjou  Mon, 24 Apr 2006 18:02:07 +0200

xen-3.0 (3.0.2+hg9611-1) unstable; urgency=low

  * Merge upstream bug fixes
  * Fix bug with xend init.d script

 -- Julien Danjou  Wed, 12 Apr 2006 17:35:35 +0200

xen-3.0 (3.0.2+hg9598-1) unstable; urgency=low

  * New upstream release
  * Fix copyright file

 -- Julien Danjou  Mon, 10 Apr 2006 17:02:55 +0200

xen-3.0 (3.0.1+hg8762-1) unstable; urgency=low

  * The "preserve our homes" release
  * Now cooperatively maintained by the Debian Xen Team
  * New upstream release (closes: #327493, #342249)
  * Build depend on transfig (closes: #321157)
  * Use gcc rather than gcc-3.4 to compile (closes: #323698)
  * Split xen-hypervisor-3.0 and xen-utils-3.0
  * Build both normal and pae hypervisor packages
  * Change maintainer and add uploaders field
  * Add force-reload support for init script xendomains
  * Remove dependency against bash
  * Bump standards version to 3.6.2.2
  * xen-utils-3.0 conflicts and replaces xen
  * Add dpatch structure to the package
  * Remove build-dependency on gcc (it's build essential anyway)
  * Make SrvServer.py not executable
  * Create NEWS.Debian file with important upgrade notices
  * Update copyright file
  * Remove the linux-patch-xen package
  * Removed useless build-dependencies: libncurses5-dev, wget
  * Changed xendomains config path to /etc/default
  * xen-utils-3.0 now provides xen-utils and xen-hypervisor-3.0-i386 &
    xen-hypervisor-3.0-i386-pae & xen-hypervizor-amd64 now provide
    xen-hypervisor
  * Made xen-utils-3.0.postinst more fault-tolerant, so that upgrading
    xen2 -> xen3 doesn't fail because of a running xen2 hypervisor
  * Updated the "Replaces & Conflicts"
  * Install only and correctly udev files
  * Compile date is no more in current locale
  * Add patch which adds the debian version and maintainer in the version
    string and removes the banner.
  * Don't install unusable cruft in xen-utils
  * Remove libxen packages (no stable API/ABI)

 -- Julien Danjou  Wed, 5 Apr 2006 16:05:07 +0200

xen (2.0.6-1) unstable; urgency=low

  * Patches applied upstream: non-xen-init-exit.patch, add-build.patch,
    python-install.patch, disable-html-docs.patch.
  * New upstream released. Closes: #311336.
  * Remove comparison to UML from xen short description. Closes: #317066.
  * Make packages conflicts with 1.2 doc debs. Closes: #304285.
  * Add iproute to xen depends, as it uses /bin/ip. Closes: #300488, #317468.

 -- Adam Heath  Wed, 06 Jul 2005 12:35:50 -0500

xen (2.0.5-3) experimental; urgency=low

  * Change priority/section to match the overrides file.

 -- Adam Heath  Fri, 18 Mar 2005 12:43:50 -0600

xen (2.0.5-2) experimental; urgency=low

  * Mike McCallister, Tommi Virtanen, Tom Hibbert: Fix missing '.' in
    update-rc.d call in xen.postinst. Closes: #299384

 -- Adam Heath  Fri, 18 Mar 2005 11:39:56 -0600

xen (2.0.5-1) experimental; urgency=low

  * New upstream.
  * Remove pic-lib.patch, tools-misc-TARGETS.patch, and clean-mttr.patch as
    they have been applied upstream (in various forms).
  * xend now starts at priority 20, stops at 21, while xendomains starts at
    21, and stops at 20.

 -- Adam Heath  Fri, 11 Mar 2005 14:33:33 -0600

xen (2.0.4-4) experimental; urgency=low

  * Bah, major booboo. Add /boot to debian/xen.install, so xen.gz will get
    shipped. Reported by Clint Adams.

 -- Adam Heath  Tue, 15 Feb 2005 13:00:57 -0600

xen (2.0.4-3) experimental; urgency=low

  * Fix file overlap (/usr/share/doc/xen/examples/*) between xen and
    xen-docs. Reported by Tupshin Harper.

 -- Adam Heath  Sun, 06 Feb 2005 01:22:45 -0600

xen (2.0.4-2) experimental; urgency=low

  * Fix kernel patch generation. It was broken when I integrated with
    debian's kernel source. I used a symlink, and diff doesn't follow those.

 -- Adam Heath  Sat, 05 Feb 2005 18:16:35 -0600

xen (2.0.4-1) experimental; urgency=low

  * New upstream.
  * xen.deb can now install on a plain kernel; that is, the init scripts
    exit successfully if /proc/xen/privcmd doesn't exist. This allows for
    dual-boot setups.
  * Manpages do not yet exist for xend, xenperf, xensv, xfrd, nor xm. xend
    xfrd are daemons, and take little if any options. I've not had a need to
    use xenperf nor xensv yet. xm has nice built in help (xm help).
  * Upstream now requires either linux 2.4.29, or 2.6.10. Since 2.4.29 is
    not yet in debian, disable the 2.4 patch generation. Closes: #271245.
  * Not certain how the kernel-patch-xen was empty. It's not now, with the
    repackaging. Closes: #272299.
  * Xen no longer produces kernel images, so problems about missing features
    are no longer valid. Closes: #253924.
  * Acknowledge nmu bugs:
    * No longer build-depend on gcc 3.3, as the default gcc works.
      Closes: #243048.

 -- Adam Heath  Sat, 05 Feb 2005 18:04:27 -0600

xen (2.0.3-0.1) unstable; urgency=low

  * Changes from Tommi Virtanen:
    * Added dh-kpatches and libcurl3-dev to Build-Depends.
    * Add /etc/xen/sv/params.py and /etc/xen/xend/params.py.
    * Add xmexample1 and xmexample2 to xen/doc/examples.

 -- Adam Heath  Wed, 26 Jan 2005 10:55:07 -0600

xen (2.0.3-0) unstable; urgency=low

  * New upstream. Closes: #280733.
  * Repackaged from scratch.
  * Using unreleased patch management system. See debian/README.build.
  * After extracting the .dsc, there are no special steps needed
  * Those wanting to change the source, use the normal procedures for any
    package, including using interdiff (or other tool) to send a patch to me
    or the bts.
  * No longer try to do anything fancy with regard to the layout of the
    built kernels. Now, only patches are distributed. Please make use of the
    xen support in kernel-package.
  * Early preview release to #debian-devel.

 -- Adam Heath  Tue, 25 Jan 2005 13:24:54 -0600

xen (1.2-4.1) unstable; urgency=high

  * NMU
  * Remove gcc-3.2 from Build-Depends as isn't used during build
    (Closes: #243048)

 -- Frank Lichtenheld  Sat, 21 Aug 2004 17:42:28 +0200

xen (1.2-4) unstable; urgency=low

  * Added xen-docs.README.Debian, which explains the kernel image layout,
    and contains references on the locations differ from what is mentioned
    by the upstream documentation. Closes: #230345.

 -- Adam Heath  Fri, 26 Mar 2004 17:36:41 -0600

xen (1.2-3) unstable; urgency=low

  * Add kernel-source-2.4.25 and kernel-patch-debian-2.4.25 to
    Build-Depends-Indep.

 -- Adam Heath  Tue, 23 Mar 2004 20:14:39 -0600

xen (1.2-2) unstable; urgency=low

  * xen: moved /boot/xen.gz to /usr/lib/kernels/xen-i386/images/vmlinuz
  * kernel-image, kernel-modules: swapped i386/xeno to xeno/i386 in
    /usr/lib/kernels.
  * Add kernel-patch-nfs-swap deb.
  * Apply additional patches to kernel-image-xen:
    * nfs-group
    * nfs-swap

 -- Adam Heath  Thu, 04 Mar 2004 12:47:47 -0600

xen (1.2-1) unstable; urgency=low

  * Initial version.

 -- Adam Heath  Tue, 02 Mar 2004 13:21:52 -0600