Commit graph

40 commits

Author SHA1 Message Date
maya
f34a8c24a3 PKGREVISION bump for anything using python without a PYPKGPREFIX.
This is a semi-manual PKGREVISION bump.
2019-04-25 07:32:34 +00:00
maya
45787ad608 sysutils/xen*: invert python version logic, only 2.7 is ok.
Mostly so we don't match python37 on xen 4.11, but also because python3
is a moving target and this saves us having to add the next version.
2018-07-24 17:29:08 +00:00
adam
a31bce9748 extend PYTHON_VERSIONS_ for Python 3.7 2018-07-03 05:03:01 +00:00
jperkin
4942f4e537 xen*: Use SSP_SUPPORTED=no instead of PKGSRC_USE_SSP=no. 2018-01-15 09:47:54 +00:00
maya
18d0394264 Don't force enable ssp on xenkernel packages. fixes build 2017-07-24 08:53:45 +00:00
bouyer
a3b41ba940 Change http://bits.xensource.com/oss-xen/release/ to
https://downloads.xenproject.org/release/xen/, as new releases won't
be uploaded to bits.xensource.com
2017-04-13 13:08:33 +00:00
joerg
6f74d7588f Ignore a couple more warnings when building with clang. 2017-02-14 21:36:15 +00:00
wiz
7f84153239 Add python-3.6 to incompatible versions. 2017-01-01 14:43:22 +00:00
bouyer
c0960565ee Apply patch backported from upstream, fixing XSA-202
Bump PKGREVISION
2016-12-21 15:35:44 +00:00
bouyer
ddfd3579ca Apply upstream patch for XSA-199, XSA-200 and XSA-204.
Bump PKGREVISIONs
2016-12-20 10:22:28 +00:00
bouyer
76261625f6 Backport upstream patches, fixing today's XSA 191, 192, 195, 197, 198.
Bump PKGREVISIONs
2016-11-22 20:53:40 +00:00
maya
8440c3d9dd xenkernel42: apply upstream's build fix for GCC5
Requested by Andreas Gustafsson in PR pkg/51382
2016-09-12 13:22:39 +00:00
bouyer
e89dd86774 Backport upstream patches for security issues:
XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION
2016-09-08 15:41:01 +00:00
bouyer
6c7c5a8103 Apply security patch from XSA-182. Bump PKGREVISION
xen 4.2 is not vulnerable to XSA-183.
2016-07-26 15:38:00 +00:00
wiz
ad0031c15e Remove python33: adapt all packages that refer to it. 2016-07-09 13:03:30 +00:00
bouyer
cbfec52636 Apply patches from Xen repository, fixing:
CVE-2015-5307 and CVE-2015-8104 aka XSA-156
CVE-2015-8339 and CVE-2015-8340 aka XSA-159
CVE-2015-8555 aka XSA-165
XSA-166
CVE-2015-8550 aka XSA-155
CVE-2015-8554 aka XSA-164
Bump pkgrevision
2016-01-07 17:53:58 +00:00
adam
7f3b4730ad Extend PYTHON_VERSIONS_INCOMPATIBLE to 35 2015-12-05 21:25:27 +00:00
agc
17886c78da Add SHA512 digests for distfiles for sysutils category
Problems found with existing digests:
	Package memconf distfile memconf-2.16/memconf.gz
	b6f4b736cac388dddc5070670351cf7262aba048 [recorded]
	95748686a5ad8144232f4d4abc9bf052721a196f [calculated]

Problems found locating distfiles:
	Package dc-tools: missing distfile dc-tools/abs0-dc-burn-netbsd-1.5-0-gae55ec9
	Package ipw-firmware: missing distfile ipw2100-fw-1.2.tgz
	Package iwi-firmware: missing distfile ipw2200-fw-2.3.tgz
	Package nvnet: missing distfile nvnet-netbsd-src-20050620.tgz
	Package syslog-ng: missing distfile syslog-ng-3.7.2.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 01:32:05 +00:00
bouyer
229ba9d8c0 Add patches, derived from Xen security advisory, fixing:
CVE-2015-7835 aka XSA-148
CVE-2015-7869 aka XSA-149 + XSA-151
CVE-2015-7971 aka XSA-152
Bump PKGREVISION
2015-10-29 21:59:16 +00:00
joerg
2a425e36dc Avoid undefined behavior when left-shifting negative values. 2015-09-14 13:36:29 +00:00
spz
fcf436606c Apply patches for XSA-128 to XSA-140 from upstream
do a patch refresh in xentools42

rather than split the patches for pass-through.c over 5 files, delete
xentools42/patches/patch-CVE-2015-2756 and assemble all in
xentools42/patches/patch-qemu-xen-traditional_hw_pass-through.c
2015-08-23 16:17:12 +00:00
khorben
e20ca94c86 Apply fixes from upstream for XSA-133
XXX pull-ups
2015-06-05 18:18:41 +00:00
spz
3cfbbfbd64 apply fixes from upstream for
XSA-125 Long latency MMIO mapping operations are not preemptible
XSA-126 Unmediated PCI command register access in qemu
2015-04-19 13:13:20 +00:00
joerg
3e96b0a3d1 Fix build with Clang. 2015-03-18 15:05:51 +00:00
spz
f76be2dd83 xsa123-4.3-4.2.patch from upstream:
x86emul: fully ignore segment override for register-only operations

For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.

This is CVE-2015-2151 / XSA-123.
2015-03-10 19:50:15 +00:00
spz
5dcb0fc09f Add patches for XSA-121 and XSA-122 from upstream. 2015-03-05 13:44:57 +00:00
spz
0b57466895 ... now with the actual patch 2014-12-30 08:15:01 +00:00
spz
9cd06414a0 fixing XSA-114 from upstream patch 2014-12-30 08:14:15 +00:00
bouyer
63d34e3300 Apply patch from Xen advisory:
CVE-2014-8594/XSA-109:
x86: don't allow page table updates on non-PV page tables in do_mmu_update(),
fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.

CVE-2014-8595/XSA-110:
x86emul: enforce privilege level restrictions when loading CS, fixing:
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.


CVE-2014-8866/XSA-111:
x86: limit checks in hypercall_xlat_continuation() to actual arguments, fixing:
A buggy or malicious HVM guest can crash the host.

CVE-2014-8867/XSA-112:
x86/HVM: confine internally handled MMIO to solitary regions, fixing:
A buggy or malicious HVM guest can crash the host.

CVE-2014-9030/XSA-113:
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE, fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
2014-11-27 15:20:31 +00:00
bouyer
ec39495bca Add patch from upstream, fixing CVE-2014-7188 / XSA-108:
Improper MSR range used for x2APIC emulation
Bump PKGREVISION
2014-10-01 17:34:54 +00:00
bouyer
a4e5e15a83 Update xentools42 and xenkernel42 to Xen 4.2.5, fixing:
CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be
  created
CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests

pkgsrc also includes patches from the Xen Security Advisory:
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
  LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
  of software interrupts
2014-09-26 10:39:31 +00:00
wiz
c1b44346cd Mark packages that are not ready for python-3.3 also not ready for 3.4,
until proven otherwise.
2014-05-09 07:36:53 +00:00
prlw1
07c93a98dd Update xenkernel42 to 4.2.4
This fixes the following critical vulnerabilities:

- CVE-2013-2212 / XSA-60 Excessive time to disable caching with HVM guests with PCI passthrough
- CVE-2013-1442 / XSA-62 Information leak on AVX and/or LWP capable CPUs
- CVE-2013-4355 / XSA-63 Information leaks through I/O instruction emulation
- CVE-2013-4361 / XSA-66 Information leak through fbld instruction emulation
- CVE-2013-4368 / XSA-67 Information leak through outs instruction emulation
- CVE-2013-4369 / XSA-68 possible null dereference when parsing vif ratelimiting info
- CVE-2013-4370 / XSA-69 misplaced free in ocaml xc_vcpu_getaffinity stub
- CVE-2013-4371 / XSA-70 use-after-free in libxl_list_cpupool under memory pressure
- CVE-2013-4375 / XSA-71 qemu disk backend (qdisk) resource leak
- CVE-2013-4416 / XSA-72 ocaml xenstored mishandles oversized message replies
- CVE-2013-4494 / XSA-73 Lock order reversal between page allocation and grant table locks
- CVE-2013-4553 / XSA-74 Lock order reversal between page_alloc_lock and mm_rwlock
- CVE-2013-4551 / XSA-75 Host crash due to guest VMX instruction execution
- CVE-2013-4554 / XSA-76 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
- CVE-2013-6375 / XSA-78 Insufficient TLB flushing in VT-d (iommu) code
- CVE-2013-6400 / XSA-80 IOMMU TLB flushing may be inadvertently suppressed
- CVE-2013-6885 / XSA-82 Guest triggerable AMD CPU erratum may cause host hang
- CVE-2014-1642 / XSA-83 Out-of-memory condition yielding memory corruption during IRQ setup
- CVE-2014-1891 / XSA-84 integer overflow in several XSM/Flask hypercalls
- CVE-2014-1895 / XSA-85 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
- CVE-2014-1896 / XSA-86 libvchan failure handling malicious ring indexes
- CVE-2014-1666 / XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
- CVE-2014-1950 / XSA-88 use-after-free in xc_cpupool_getinfo() under memory pressure

Apart from those there are many further bug fixes and improvements.
2014-02-22 01:22:49 +00:00
wiz
aa67e11089 Mark packages as not ready for python-3.x where applicable;
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE=  33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE=  33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.

Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.

Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.

Whitespace cleanups and other nits corrected, where necessary.
2014-01-25 10:29:56 +00:00
joerg
3d4dd76d69 Catch up with Clang ToT when it comes to various warnings and
unsupported options.
2013-11-07 00:47:39 +00:00
prlw1
ae8a049aec Update xen to 4.2.3
- Add warning if /kern/xen/privcmd is not readable

Fixes the following critical vulnerabilities:
 * CVE-2013-1918 / XSA-45:
    Several long latency operations are not preemptible
 * CVE-2013-1952 / XSA-49:
    VT-d interrupt remapping source validation flaw for bridges
 * CVE-2013-2076 / XSA-52:
    Information leak on XSAVE/XRSTOR capable AMD CPUs
 * CVE-2013-2077 / XSA-53:
    Hypervisor crash due to missing exception recovery on XRSTOR
 * CVE-2013-2078 / XSA-54:
    Hypervisor crash due to missing exception recovery on XSETBV
 * CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55:
    Multiple vulnerabilities in libelf PV kernel handling
 * CVE-2013-2072 / XSA-56:
    Buffer overflow in xencontrol Python bindings affecting xend
 * CVE-2013-2211 / XSA-57:
    libxl allows guest write access to sensitive console related xenstore keys
 * CVE-2013-1432 / XSA-58:
    Page reference counting error due to XSA-45/CVE-2013-1918 fixes
 * XSA-61:
    libxl partially sets up HVM passthrough even with disabled iommu

The following minor vulnerability is also being addressed:
 * CVE-2013-2007 / XSA-51
    qemu guest agent (qga) insecure file permissions

Among many bug fixes and improvements:
 * addressing a regression from the fix for XSA-46
 * bug fixes to low level system state handling, including certain
    hardware errata workarounds
2013-09-12 23:37:18 +00:00
joerg
8fb971391a Fix header guard. 2013-07-13 19:43:21 +00:00
gdt
71c33cddb9 Explain xen version differences.
There are 5 versions of xen in pkgsrc, which is confusing.  Explain in
DESCR which version is in which package (xenkernel3 contains 3.1), and
which versions support PCI passthrough (only 3.1).  Explain which
versions support non-PAE (3.1) and PAE (3.3, 4.1, 4.2), because the
HOWTO is out of date and it's easy to end up with a non-working system
on a 3.1 to 3.3 update.  Caution that 2.0 is beyond crufty.

This is a DESCR-only change (with PKGREVISION++ of course).

(ok during freeze agc@)
2013-06-19 14:03:41 +00:00
joerg
2fcb33b1f7 Merge Clang fixes from xenkernel41. 2013-06-13 21:49:59 +00:00
jnemeth
098762889a Initial import of Xen 4.2. This is kernel part.
----- 4.2.2

Xen 4.2.2 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.1 upgrade to Xen 4.2.2.

    This release fixes the following critical vulnerabilities:
        CVE-2012-5634 / XSA-33: VT-d interrupt remapping source
            validation flaw
        CVE-2013-0151 / XSA-34: nested virtualization on 32-bit
            exposes host crash
        CVE-2013-0152 / XSA-35: Nested HVM exposes host to being
            driven out of memory by guest
        CVE-2013-0153 / XSA-36: interrupt remap entries shared and
            old ones not cleared on AMD IOMMUs
        CVE-2013-0154 / XSA-37: Hypervisor crash due to incorrect
            ASSERT (debug build only)
        CVE-2013-0215 / XSA-38: oxenstored incorrect handling of
            certain Xenbus ring states
        CVE-2012-6075 / XSA-41: qemu (e1000 device driver): Buffer
            overflow when processing large packets
        CVE-2013-1917 / XSA-44: Xen PV DoS vulnerability with SYSENTER
        CVE-2013-1919 / XSA-46: Several access permission issues with
            IRQs for unprivileged guests
        CVE-2013-1920 / XSA-47: Potential use of freed memory in event
            channel operations
        CVE-2013-1922 / XSA-48: qemu-nbd format-guessing due to missing
            format specification
    This release contains many bug fixes and improvements (around
    100 since Xen 4.2.1). The highlights are:
        ACPI APEI/ERST finally working on production systems
        Bug fixes for other low level system state handling
        Bug fixes and improvements to the libxl tool stack
        Bug fixes to nested virtualization

----- 4.2.1

Xen 4.2.1 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1.

    The release fixes the following critical vulnerabilities:
        CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
        CVE-2012-4537 / XSA-22: Memory mapping failure DoS vulnerability
        CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS vulnerability
        CVE-2012-4539 / XSA-24: Grant table hypercall infinite
            loop DoS vulnerability
        CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
            Out-of-memory due to malicious kernel/ramdisk
        CVE-2012-5510 / XSA-26: Grant table version switch list
            corruption vulnerability
        CVE-2012-5511 / XSA-27: Several HVM operations do not
            validate the range of their inputs
        CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite hypervisor memory
        CVE-2012-5514 / XSA-30: Broken error handling in
            guest_physmap_mark_populate_on_demand()
        CVE-2012-5515 / XSA-31: Several memory hypercall operations
            allow invalid extent order values
        CVE-2012-5525 / XSA-32: several hypercalls do not validate input GFNs
    Among many bug fixes and improvements (around 100 since Xen 4.2.0):
        A fix for a long standing time management issue
        Bug fixes for S3 (suspend to RAM) handling
        Bug fixes for other low level system state handling
        Bug fixes and improvements to the libxl tool stack
        Bug fixes to nested virtualization


----- 4.2.0

The Xen 4.2 release contains a number of important new features
and updates including:

The release incorporates many new features and improvements to
existing features. There are improvements across the board including
to Security, Scalability, Performance and Documentation.

    XL is now the default toolstack: Significant effort has gone
into the XL toolstack in this release and it is now feature
complete and robust enough that we have made it the default. This
toolstack can now replace xend in the majority of deployments, see
XL vs Xend Feature Comparison. As well as improving XL the underlying
libxl library has been significantly improved and supports the
majority of the most common toolstack features. In addition the
API has been declared stable which should make it even easier for
external toolstacks such as libvirt and XCP's xapi to make full use
of this functionality in the future.

    Large Systems: Following on from the improvements made in 4.1
Xen now supports even larger systems, with up to 4095 host CPUs
and up to 512 guest CPUs. In addition toolstack features like the
ability to automatically create a CPUPOOL per NUMA node and more
intelligent placement of guest VCPUs on NUMA nodes have further
improved the Xen experience on large systems.  Other new features,
such as multiple PCI segment support have also made a positive
impact on such systems.

    Improved security: The XSM/Flask subsystem has seen several
enhancements, including improved support for disaggregated systems
and a rewritten example policy which is clearer and simpler to
modify to suit local requirements.

    Documentation: The Xen documentation has been much improved,
both the in-tree documentation and the wiki. This is in no small
part down to the success of the Xen Document Days so thanks to all
who have taken part.
2013-05-15 05:32:12 +00:00