Removed patch-libxc_xc_dom_h: committed as cb08944a
This fixes the following critical vulnerabilities:
- CVE-2013-2212 / XSA-60 Excessive time to disable caching with HVM guests with PCI passthrough
- CVE-2013-1442 / XSA-62 Information leak on AVX and/or LWP capable CPUs
- CVE-2013-4355 / XSA-63 Information leaks through I/O instruction emulation
- CVE-2013-4361 / XSA-66 Information leak through fbld instruction emulation
- CVE-2013-4368 / XSA-67 Information leak through outs instruction emulation
- CVE-2013-4369 / XSA-68 possible null dereference when parsing vif ratelimiting info
- CVE-2013-4370 / XSA-69 misplaced free in ocaml xc_vcpu_getaffinity stub
- CVE-2013-4371 / XSA-70 use-after-free in libxl_list_cpupool under memory pressure
- CVE-2013-4375 / XSA-71 qemu disk backend (qdisk) resource leak
- CVE-2013-4416 / XSA-72 ocaml xenstored mishandles oversized message replies
- CVE-2013-4494 / XSA-73 Lock order reversal between page allocation and grant table locks
- CVE-2013-4553 / XSA-74 Lock order reversal between page_alloc_lock and mm_rwlock
- CVE-2013-4551 / XSA-75 Host crash due to guest VMX instruction execution
- CVE-2013-4554 / XSA-76 Hypercalls exposed to privilege rings 1 and 2 of HVM guests
- CVE-2013-6375 / XSA-78 Insufficient TLB flushing in VT-d (iommu) code
- CVE-2013-6400 / XSA-80 IOMMU TLB flushing may be inadvertently suppressed
- CVE-2013-6885 / XSA-82 Guest triggerable AMD CPU erratum may cause host hang
- CVE-2014-1642 / XSA-83 Out-of-memory condition yielding memory corruption during IRQ setup
- CVE-2014-1891 / XSA-84 integer overflow in several XSM/Flask hypercalls
- CVE-2014-1895 / XSA-85 Off-by-one error in FLASK_AVC_CACHESTAT hypercall
- CVE-2014-1896 / XSA-86 libvchan failure handling malicious ring indexes
- CVE-2014-1666 / XSA-87 PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
- CVE-2014-1950 / XSA-88 use-after-free in xc_cpupool_getinfo() under memory pressure
Apart from those there are many further bug fixes and improvements.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
- Add warning if /kern/xen/privcmd is not readable
Fixes the following critical vulnerabilities:
* CVE-2013-1918 / XSA-45:
Several long latency operations are not preemptible
* CVE-2013-1952 / XSA-49:
VT-d interrupt remapping source validation flaw for bridges
* CVE-2013-2076 / XSA-52:
Information leak on XSAVE/XRSTOR capable AMD CPUs
* CVE-2013-2077 / XSA-53:
Hypervisor crash due to missing exception recovery on XRSTOR
* CVE-2013-2078 / XSA-54:
Hypervisor crash due to missing exception recovery on XSETBV
* CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55:
Multiple vulnerabilities in libelf PV kernel handling
* CVE-2013-2072 / XSA-56:
Buffer overflow in xencontrol Python bindings affecting xend
* CVE-2013-2211 / XSA-57:
libxl allows guest write access to sensitive console related xenstore keys
* CVE-2013-1432 / XSA-58:
Page reference counting error due to XSA-45/CVE-2013-1918 fixes
* XSA-61:
libxl partially sets up HVM passthrough even with disabled iommu
The following minor vulnerability is also being addressed:
* CVE-2013-2007 / XSA-51
qemu guest agent (qga) insecure file permissions
Among many bug fixes and improvements:
* addressing a regression from the fix for XSA-46
* bug fixes to low level system state handling, including certain
hardware errata workarounds
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
- added to MESSAGE advising of rc.d script changes
- added BASH as a tool
- fixed pygrub install so that it doesn't get overwritten with a symlink
- turned oxenstored.conf into a proper config file
functional for PV domains. Support for HVM domains and grant tables
is still to come. Note that xm/xend is deprecated in this version.
You should switch to using xl (which is tested to be working) if
you can.
----- 4.2.2
Xen 4.2.2 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.1 upgrade to Xen 4.2.2.
This release fixes the following critical vulnerabilities:
CVE-2012-5634 / XSA-33: VT-d interrupt remapping source
validation flaw
CVE-2013-0151 / XSA-34: nested virtualization on 32-bit
exposes host crash
CVE-2013-0152 / XSA-35: Nested HVM exposes host to being
driven out of memory by guest
CVE-2013-0153 / XSA-36: interrupt remap entries shared and
old ones not cleared on AMD IOMMUs
CVE-2013-0154 / XSA-37: Hypervisor crash due to incorrect
ASSERT (debug build only)
CVE-2013-0215 / XSA-38: oxenstored incorrect handling of
certain Xenbus ring states
CVE-2012-6075 / XSA-41: qemu (e1000 device driver): Buffer
overflow when processing large packets
CVE-2013-1917 / XSA-44: Xen PV DoS vulnerability with SYSENTER
CVE-2013-1919 / XSA-46: Several access permission issues with
IRQs for unprivileged guests
CVE-2013-1920 / XSA-47: Potential use of freed memory in event
channel operations
CVE-2013-1922 / XSA-48: qemu-nbd format-guessing due to missing
format specification
This release contains many bug fixes and improvements (around
100 since Xen 4.2.1). The highlights are:
ACPI APEI/ERST finally working on production systems
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.1
Xen 4.2.1 is a maintenance release in the 4.2 series and contains:
We recommend that all users of Xen 4.2.0 upgrade to Xen 4.2.1.
The release fixes the following critical vulnerabilities:
CVE-2012-4535 / XSA-20: Timer overflow DoS vulnerability
CVE-2012-4537 / XSA-22: Memory mapping failure DoS
vulnerability
CVE-2012-4538 / XSA-23: Unhooking empty PAE entries DoS
vulnerability
CVE-2012-4539 / XSA-24: Grant table hypercall infinite
loop DoS vulnerability
CVE-2012-4544, CVE-2012-2625 / XSA-25: Xen domain builder
Out-of-memory due to malicious kernel/ramdisk
CVE-2012-5510 / XSA-26: Grant table version switch list
corruption vulnerability
CVE-2012-5511 / XSA-27: Several HVM operations do not
validate the range of their inputs
CVE-2012-5513 / XSA-29: XENMEM_exchange may overwrite
hypervisor memory
CVE-2012-5514 / XSA-30: Broken error handling in
guest_physmap_mark_populate_on_demand()
CVE-2012-5515 / XSA-31: Several memory hypercall operations
allow invalid extent order values
CVE-2012-5525 / XSA-32: several hypercalls do not validate
input GFNs
Among many bug fixes and improvements (around 100 since Xen 4.2.0):
A fix for a long standing time management issue
Bug fixes for S3 (suspend to RAM) handling
Bug fixes for other low level system state handling
Bug fixes and improvements to the libxl tool stack
Bug fixes to nested virtualization
----- 4.2.0
The Xen 4.2 release contains a number of important new features
and updates including:
The release incorporates many new features and improvements to
existing features. There are improvements across the board including
to Security, Scalability, Performance and Documentation.
XL is now the default toolstack: Significant effort has gone
into the XL toolstack in this release and it is now feature
complete and robust enough that we have made it the default. This
toolstack can now replace xend in the majority of deployments, see
XL vs Xend Feature Comparison. As well as improving XL the underlying
libxl library has been significantly improved and supports the
majority of the most common toolstack features. In addition the
API has been declared stable which should make it even easier for
external toolstacks such as libvirt and XCP's xapi to make full use
of this functionality in the future.
Large Systems: Following on from the improvements made in 4.1
Xen now supports even larger systems, with up to 4095 host CPUs
and up to 512 guest CPUs. In addition, toolstack features like the
ability to automatically create a CPUPOOL per NUMA node and more
intelligent placement of guest VCPUs on NUMA nodes have further
improved the Xen experience on large systems. Other new features,
such as multiple PCI segment support have also made a positive
impact on such systems.
Improved security: The XSM/Flask subsystem has seen several
enhancements, including improved support for disaggregated systems
and a rewritten example policy which is clearer and simpler to
modify to suit local requirements.
Documentation: The Xen documentation has been much improved,
both the in-tree documentation and the wiki. This is in no small
part down to the success of the Xen Document Days so thanks to all
who have taken part.