| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION
|
|
xen 4.2 is not vulnerable to XSA-183.
|
|
16bit part as %r11w.
|
|
CVE-2015-8339 and CVE-2015-8340 aka XSA-159
XSA-166
CVE-2015-8550 aka XSA-155
CVE-2015-8554 aka XSA-164
Bump pkgrevision
|
|
|
|
Problems found with existing digests:
Package memconf distfile memconf-2.16/memconf.gz
b6f4b736cac388dddc5070670351cf7262aba048 [recorded]
95748686a5ad8144232f4d4abc9bf052721a196f [calculated]
Problems found locating distfiles:
Package dc-tools: missing distfile dc-tools/abs0-dc-burn-netbsd-1.5-0-gae55ec9
Package ipw-firmware: missing distfile ipw2100-fw-1.2.tgz
Package iwi-firmware: missing distfile ipw2200-fw-2.3.tgz
Package nvnet: missing distfile nvnet-netbsd-src-20050620.tgz
Package syslog-ng: missing distfile syslog-ng-3.7.2.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
CVE-2015-7835 aka XSA-148
CVE-2015-7869 aka XSA-149 + XSA-151
CVE-2015-7971 aka XSA-152
Bump PKGREVISION
|
|
|
|
XSA-125 Long latency MMIO mapping operations are not preemptible
XSA-126 Unmediated PCI command register access in qemu
|
|
x86emul: fully ignore segment override for register-only operations
For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.
This is CVE-2015-2151 / XSA-123.
|
|
|
|
|
|
CVE-2014-7188/XSA-108:
x86/HVM: properly bound x2APIC MSR range, fixing:
A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.
CVE-2014-8594/XSA-109:
x86: don't allow page table updates on non-PV page tables in do_mmu_update(),
fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
CVE-2014-8595/XSA-110:
x86emul: enforce privilege level restrictions when loading CS, fixing:
Malicious HVM guest user mode code may be able to elevate its
privileges to guest supervisor mode, or to crash the guest.
CVE-2014-8866/XSA-111:
x86: limit checks in hypercall_xlat_continuation() to actual arguments, fixing:
A buggy or malicious HVM guest can crash the host.
CVE-2014-8867/XSA-112:
x86/HVM: confine internally handled MMIO to solitary regions, fixing:
A buggy or malicious HVM guest can crash the host.
CVE-2014-9030/XSA-113:
x86/mm: fix a reference counting error in MMU_MACHPHYS_UPDATE, fixing:
Malicious or buggy stub domain kernels or tool stacks otherwise living
outside of Domain0 can mount a denial of service attack which, if
successful, can affect the whole system.
|
|
(CVE-2014-7188)
bump PKGREV
|
|
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT,
LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation
of software interrupts
bump PKGREVISION
|
|
bump PKGREV
|
|
The vulnerability is only exposed to service domains for HVM guests
which have privilege over the guest. In a usual configuration that
means only device model emulators (qemu-dm).
bump PKGREV
|
|
Processing of the HVMOP_set_mem_access HVM control operations does not
check the size of its input and can tie up a physical CPU for extended
periods of time.
bump PKGREV
|
|
makes the workaround for AMD CPU erratum 793 work not only on
64-bit hypervisors but also for 32bit
bump PKGREV
(compile tested only)
|
|
from the advisory:
Malicious or misbehaving unprivileged guests can cause the host or other
guests to malfunction. This can result in host-wide denial of service.
Privilege escalation, while seeming to be unlikely, cannot be excluded.
Only PV guests can take advantage of this vulnerability.
(CVE-2014-1666)
bump PKGREV
|
|
"Guest triggerable AMD CPU erratum may cause host hang"
bump PKGREV
|
|
-another lock inversion
-privilege escalation (not exploitable in standard setups)
bump PKGREV
|
|
to deadlock (CVE-2013-4494)
bump PKGREV
|
|
emulation (CVE-2013-4368)
bump PKGREV
|
|
-Information leak on AVX and/or LWP capable CPUs (CVE-2013-1442 / XSA-62)
-Information leaks through I/O instruction emulation
(CVE-2013-4355 / XSA-63)
-Information leak through fbld instruction emulation
(CVE-2013-4361 / XSA-66)
bump PKGREV
|
|
This release fixes the following critical vulnerabilities:
CVE-2013-1918 / XSA-45: Several long latency operations are not
preemptible
CVE-2013-1952 / XSA-49: VT-d interrupt remapping source validation flaw
for bridges
CVE-2013-2076 / XSA-52: Information leak on XSAVE/XRSTOR capable AMD CPUs
CVE-2013-2077 / XSA-53: Hypervisor crash due to missing exception
recovery on XRSTOR
CVE-2013-2078 / XSA-54: Hypervisor crash due to missing exception
recovery on XSETBV
CVE-2013-2194, CVE-2013-2195, CVE-2013-2196 / XSA-55: Multiple
vulnerabilities in libelf PV kernel handling
CVE-2013-2072 / XSA-56: Buffer overflow in xencontrol Python bindings
affecting xend
CVE-2013-2211 / XSA-57: libxl allows guest write access to sensitive
console related xenstore keys
CVE-2013-1432 / XSA-58: Page reference counting error due to
XSA-45/CVE-2013-1918 fixes
XSA-61: libxl partially sets up HVM passthrough even with disabled iommu
This release contains many bug fixes and improvements. The highlights are:
addressing a regression from the fix for XSA-21
addressing a regression from the fix for XSA-46
bug fixes to low level system state handling, including certain
hardware errata workarounds
(CVE-2013-1918 and CVE-2013-1952 were patched in pkgsrc before)
|
|
|
|
This integrates fixes for all vulnerabilities which were patched
in pkgsrc before.
Among many bug fixes and improvements (around 50 since Xen 4.1.4):
* ACPI APEI/ERST finally working on production systems
* Bug fixes for other low level system state handling
* Support for xz compressed Dom0 and DomU kernels
|
|
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00000.html
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00005.html
http://lists.xen.org/archives/html/xen-announce/2013-04/msg00006.html
bump PKGREVISION
|
|
xenkernel3, xenkernel41, xentools3 and xentools41 exposed by Clang
default warnings. Bump revisions for those.
|
|
bump PKGREV
|
|
changes:
-fixes for many vulnerabilities (were mostly patched in pkgsrc)
-bug fixes and improvements (almost 100 since Xen 4.1.3). Highlights are:
-A fix for a long standing time management issue
-Bug fixes for S3 (suspend to RAM) handling
-Bug fixes for other low level system state handling
pkgsrc note:
fixes for CVE-2012-5634 (interrupt issue on IOMMU systems)
and CVE-2012-6075 (oversized packets from e1000 driver)
are already included
|
|
bump PKGREV
|
|
(CVE-2012-4535..4539)
bump PKGREV
|
|
also add security patches from upstream (for CVE-2012-3497, no patches
are available yet)
changes:
-fixes for vulnerabilities were integrated
-many bug fixes and improvements, Highlights are:
-Updates for the latest Intel/AMD CPU revisions
-Bug fixes for IOMMU handling (device passthrough to HVM guests)
approved by maintainer
|
|
(CVE-2012-3433)
bump PKGREV
|
|
guest crashes by unprivileged users, only for HVM guests, and if
MMIO is granted to the user process (CVE-2012-3432)
bump PKGREV
|
|
PKGREVISION++
|
|
Fixes/features include:
* New XL toolstack
* kexec/kdump
* Remus
* Device passthrough to HVM guests
* Interrupt handling
* Support for Supervisor Mode Execution Protection (SMEP)
|
|
|
|
Failure has been reported to get fixed upstream.
|
|
* Security fixes including CVE-2011-1583 CVE-2011-1898
* Enhancements to guest introspection (VM single stepping support for very fine-grained access control)
* Many stability improvements, such as: PV-on-HVM stability fixes (fixing some IRQ issues), XSAVE cpu feature support for PV guests (allows safe use of latest multimedia instructions), RAS fixes for high availability, fixes for offlining bad pages and changes to libxc, mainly of benefit to libvirt
* Compatibility fixes for newer Linux guests, newer compilers, some old guest savefiles, newer Python, grub2, some hardware/BIOS bugs.
|
|
It uses -nostdinc and tries to use #include <stdarg.h> through
a local copy of stdarg.h, which can't work.
Fixed this by putting the relevant builtin stdarg definitions for
NetBSD in the local copy.
|
|
guests operating systems on a single machine. Guest OSes (also called "domains"
)
require a modified kernel which supports Xen hypercalls in replacement
to access to the physical hardware. At boot, the xen kernel is loaded
along with the guest kernel for the first domain (called domain0).
domain0 has privileges to access the physical hardware (PCI
and ISA devices), administrate other domains and provide virtual
devices (disks and network) to other domains.
This package contains the Xen4 kernel itself.
Release notes:
The Xen team is pleased to announce the release of Xen 4.1.
The result of nearly 12 months of development, new features include:
* A re-architected and improved XL toolstack replacing XM/XEND
* Prototype credit2 scheduler designed for latency-sensitive workloads and
very large systems.
* CPU Pools for advanced partitioning.
* Support for large systems (>255 processors)
* Support for x86 Advanced Vector eXtension (AVX).
* New Memory Access API enabling integration of 3rd party security
solutions into Xen virtualized environments.
* Many IOMMU fixes (both Intel VT-d IOMMU and AMD IOMMU).
* Many toolstack and buildsystem fixes for Linux and NetBSD hosts.
* Thirdparty libs: libvirt driver for libxl has been merged to upstream
libvirt.
* HVM guest PXE boot enhancements, replacing gPXE with iPXE.
* Even better stability through our new automated regression tests.
Detailed release notes, including a more extensive feature list:
http://wiki.xen.org/xenwiki/Xen4.1
To download tarballs:
http://xen.org/products/xen_source.html
Or the Mercurial source repository (tag 'RELEASE-4.1.0'):
http://xenbits.xen.org/xen-unstable.hg
And the announcement on the Xen blog:
http://blog.xen.org/index.php/2011/03/25/xen-4-1-releases/
Thanks to the many people who have contributed to this release!
Regards,
The Xen Team
|
