[ubuntu-cloud-archive/mitaka-proposed] xen (Accepted)

Corey Bryant corey.bryant at canonical.com
Tue Mar 13 13:07:08 UTC 2018


 xen (4.6.5-0ubuntu1.4~cloud0) trusty-mitaka; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 xen (4.6.5-0ubuntu1.4) xenial-security; urgency=medium
 .
   * Applying Xen Security Advisories:
     - CVE-2017-14316 / XSA-231
       - xen/mm: make sure node is less than MAX_NUMNODES
     - CVE-2017-14318 / XSA-232
       - grant_table: fix GNTTABOP_cache_flush handling
     - CVE-2017-14317 / XSA-233
       - tools/xenstore: dont unlink connection object twice
     - CVE-2017-14319 / XSA-234
       - gnttab: also validate PTE permissions upon destroy/replace
     - XSA-235
       - arm/mm: release grant lock on xenmem_add_to_physmap_one() error paths
     - XSA-237
       - x86: don't allow MSI pIRQ mapping on unowned device
       - x86: enforce proper privilege when (un)mapping pIRQ-s
       - x86/MSI: disallow redundant enabling
       - x86/IRQ: conditionally preserve irq <-> pirq mapping on map error
         paths
       - x86/FLASK: fix unmap-domain-IRQ XSM hook
     - XSA-238
       - x86/ioreq server: correctly handle bogus
         XEN_DMOP_{,un}map_io_range_to_ioreq_server arguments
     - XSA-239
       - x86/HVM: prefill partially used variable on emulation paths
     - XSA-240
       - x86: limit linear page table use to a single level
       - x86/mm: Disable PV linear pagetables by default
     - XSA-241
       - x86: don't store possibly stale TLB flush time stamp
     - XSA-242
       - x86: don't allow page_unlock() to drop the last type reference
     - XSA-243
       - x86: Disable the use of auto-translated PV guestsx86: Disable the use
         of auto-translated PV guests
       - x86/shadow: Don't create self-linear shadow mappings for 4-level
         translated guests
     - XSA-244
       - x86/cpu: Fix IST handling during PCPU bringup
     - XSA-245
       - xen/page_alloc: Cover memory unreserved after boot in first_valid_mfn
       - xen/arm: Correctly report the memory region in the dummy NUMA helpers
 .
 xen (4.6.5-0ubuntu1.3) xenial-security; urgency=medium
 .
   * Applying Xen Security Advisories:
     - XSA-226 / CVE-2017-12135
       - gnttab: don't use possibly unbounded tail calls
       - gnttab: fix transitive grant handling
     - XSA-227 / CVE-2017-12137
       - x86/grant: Disallow misaligned PTEs
     - XSA-228 / CVE-2017-12136
       - gnttab: split maptrack lock to make it fulfill its purpose again
     - XSA-230 / CVE-2017-12855
       - gnttab: correct pin status fixup for copy
 .
 xen (4.6.5-0ubuntu1.2) xenial-security; urgency=low
 .
   * Applying Xen Security Advisories:
     - XSA-217
       - x86/mm: disallow page stealing from HVM domains
     - XSA-218
       - IOMMU: handle IOMMU mapping and unmapping failures
       - gnttab: fix unmap pin accounting race
       - gnttab: Avoid potential double-put of maptrack entry
       - gnttab: correct maptrack table accesses
     - XSA-219
       - 86/shadow: Hold references for the duration of emulated writes
     - XSA-220
       - x86: avoid leaking PKRU and BND* between vCPU-s
     - XSA-221
       - evtchn: avoid NULL derefs
     - XSA-222
       - xen/memory: Fix return value handing of guest_remove_page()
       - guest_physmap_remove_page() needs its return value checked
     - XSA-223
       - arm: vgic: Don't update the LR when the IRQ is not enabled
     - XSA-224
       - gnttab: Fix handling of dev_bus_addr during unmap
       - gnttab: never create host mapping unless asked to
       - gnttab: correct logic to get page references during map requests
       - gnttab: __gnttab_unmap_common_complete() is all-or-nothing
     - XSA-225
       - xen/arm: vgic: Sanitize target mask used to send SGI
 .
 xen (4.6.5-0ubuntu1.1) xenial-security; urgency=low
 .
   * Applying Xen Security Advisories:
     - XSA-206
       * xenstored: apply a write transaction rate limit
       * xenstored: Log when the write transaction rate limit bites
       * oxenstored: refactor putting response on wire
       * oxenstored: remove some unused parameters
       * oxenstored: refactor request processing
       * oxenstored: keep track of each transaction's operations
       * oxenstored: move functions that process simple operations
       * oxenstored: replay transaction upon conflict
       * oxenstored: log request and response during transaction replay
       * oxenstored: allow compilation prior to OCaml 3.12.0
       * oxenstored: comments explaining some variables
       * oxenstored: handling of domain conflict-credit
       * oxenstored: ignore domains with no conflict-credit
       * oxenstored: add transaction info relevant to history-tracking
       * oxenstored: support commit history tracking
       * oxenstored: only record operations with side-effects in history
       * oxenstored: discard old commit-history on txn end
       * oxenstored: track commit history
       * oxenstored: blame the connection that caused a transaction conflict
       * oxenstored: allow self-conflicts
       * oxenstored: do not commit read-only transactions
       * oxenstored: don't wake to issue no conflict-credit
       * oxenstored transaction conflicts: improve logging
       * oxenstored: trim history in the frequent_ops function
     - CVE-2017-7228 / XSA-212
       * memory: properly check guest memory ranges in XENMEM_exchange handling
     - XSA-213
       * multicall: deal with early exit conditions
     - XSA-214
       * x86: discard type information when stealing pages
     - XSA-215
       * x86: correct create_bounce_frame
 .
 xen (4.6.5-0ubuntu1) xenial; urgency=medium
 .
   * Rebasing to upstream stable release 4.6.5 (LP: #1671864)
     https://www.xenproject.org/downloads/xen-archives/xen-46-series.html
     - Includes fix for booting 4.10 Linux kernels in HVM guests on Intel
       hosts which support the TSC_ADJUST MSR (LP: #1671760)
     - Additional security relevant changes:
       * CVE-2013-2076 / XSA-052 (update)
         - Information leak on XSAVE/XRSTOR capable AMD CPUs
       * CVE-2016-7093 / XSA-186 (4.6.3 became vulnerable)
         - x86: Mishandling of instruction pointer truncation during emulation
       * XSA-207
         - memory leak when destroying guest without PT devices
     - Replacing the following security fixes with the versions from the
       stable update:
       * CVE-2015-7812 / XSA-145
         - arm: Host crash when preempting a multicall
       * CVE-2015-7813 / XSA-146
         - arm: various unimplemented hypercalls log without rate limiting
       * CVE-2015-7814 / XSA-147
         - arm: Race between domain destruction and memory allocation decrease
       * CVE-2015-7835 / XSA-148
         - x86: Uncontrolled creation of large page mappings by PV guests
       * CVE-2015-7969 / XSA-149, XSA-151
         - leak of main per-domain vcpu pointer array
         - x86: leak of per-domain profiling-related vcpu pointer array
       * CVE-2015-7970 / XSA-150
         - x86: Long latency populate-on-demand operation is not preemptible
       * CVE-2015-7971 / XSA-152
         - x86: some pmu and profiling hypercalls log without rate limiting
       * CVE-2015-7972 / XSA-153
         - x86: populate-on-demand balloon size inaccuracy can crash guests
       * CVE-2016-2270 / XSA-154
         - x86: inconsistent cachability flags on guest mappings
       * CVE-2015-8550 / XSA-155
         - paravirtualized drivers incautious about shared memory contents
       * CVE-2015-5307, CVE-2015-8104 / XSA-156
         - x86: CPU lockup during exception delivery
       * CVE-2015-8338 / XSA-158
         - long running memory operations on ARM
       * CVE-2015-8339, CVE-2015-8340 / XSA-159
         XENMEM_exchange error handling issues
       * CVE-2015-8341 / XSA-160
         - libxl leak of pv kernel and initrd on error
       * CVE-2015-8555 / XSA-165
         - information leak in legacy x86 FPU/XMM initialization
       * XSA-166
         - ioreq handling possibly susceptible to multiple read issue
       * CVE-2016-1570 / XSA-167
         - PV superpage functionality missing sanity checks
       * CVE-2016-1571 / XSA-168
         - VMX: intercept issue with INVLPG on non-canonical address
       * CVE-2015-8615 / XSA-169
         - x86: unintentional logging upon guest changing callback method
       * CVE-2016-2271 / XSA-170
         - VMX: guest user mode may crash guest with non-canonical RIP
       * CVE-2016-3158, CVE-2016-3159 / XSA-172
         - broken AMD FPU FIP/FDP/FOP leak workaround
       * CVE-2016-3960 / XSA-173
         - x86 shadow pagetables: address width overflow
       * CVE-2016-4962 / XSA-175
         - Unsanitised guest input in libxl device handling code
       * CVE-2016-4480 / XSA-176
         - x86 software guest page walk PS bit handling flaw
       * CVE-2016-4963 / XSA-178
         - Unsanitised driver domain input in libxl device handling
       * CVE-2016-5242 / XSA-181
         - arm: Host crash caused by VMID exhaustion
       * CVE-2016-6258 / XSA-182
         - x86: Privilege escalation in PV guests
       * CVE-2016-6259 / XSA-183
         - x86: Missing SMAP whitelisting in 32-bit exception / event delivery
       * CVE-2016-7092 / XSA-185
         - x86: Disallow L3 recursive pagetable for 32-bit PV guests
       * CVE-2016-7094 / XSA-187
         - x86 HVM: Overflow of sh_ctxt->seg_reg[]
       * CVE-2016-7777 / XSA-190
         - CR0.TS and CR0.EM not always honored for x86 HVM guests
       * CVE-2016-9386 / XSA-191
         - x86 null segments not always treated as unusable
       * CVE-2016-9382 / XSA-192
         - x86 task switch to VM86 mode mis-handled
       * CVE-2016-9385 / XSA-193
         - x86 segment base write emulation lacking canonical address checks
       * CVE-2016-9383 / XSA-195
         - x86 64-bit bit test instruction emulation broken
       * CVE-2016-9377, CVE-2016-9378 / XSA-196
         - x86 software interrupt injection mis-handled
       * CVE-2016-9379, CVE-2016-9380 / XSA-198
         - delimiter injection vulnerabilities in pygrub
       * CVE-2016-9932 / XSA-200
         - x86 CMPXCHG8B emulation fails to ignore operand size override
       * CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818 / XSA-201
         - ARM guests may induce host asynchronous abort
       * CVE-2016-10024 / XSA-202
         - x86 PV guests may be able to mask interrupts
       * CVE-2016-10025 / XSA-203
         - x86: missing NULL pointer check in VMFUNC emulation
       * CVE-2016-10013 / XSA-204
         - x86: Mishandling of SYSCALL singlestep during emulation
 .
 xen (4.6.0-1ubuntu4.3) xenial-security; urgency=low
 .
   * Applying Xen Security Advisories:
     - CVE-2016-9386 / XSA-191
       * x86/hvm: Fix the handling of non-present segments
     - CVE-2016-9382 / XSA-192
       * x86/HVM: don't load LDTR with VM86 mode attrs during task switch
     - CVE-2016-9385 / XSA-193
       * x86/PV: writes of %fs and %gs base MSRs require canonical addresses
     - CVE-2016-9383 / XSA-195
       * x86emul: fix huge bit offset handling
     - CVE-2016-9377, CVE-2016-9378 / XSA-196
       * x86/emul: Correct the IDT entry calculation in inject_swint()
       * x86/svm: Fix injection of software interrupts
     - CVE-2016-9379, CVE-2016-9380 / XSA-198
       * pygrub: Properly quote results, when returning them to the caller
     - CVE-2016-9932 / XSA-200
       * x86emul: CMPXCHG8B ignores operand size prefix
     - CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818 / XSA.201
       * arm64: handle guest-generated EL1 asynchronous abort
       * arm64: handle async aborts delivered while at EL2
       * arm: crash the guest when it traps on external abort
       * arm32: handle async aborts delivered while at HYP
     - CVE-2016-10024 / XSA-202
       * x86: force EFLAGS.IF on when exiting to PV guests
     - CVE-2016-10025 / XSA-203
       * x86/HVM: add missing NULL check before using VMFUNC hook
     - CVE-2016-10013 / XSA-204
       * x86/emul: Correct the handling of eflags with SYSCALL
 .
 xen (4.6.0-1ubuntu4.2) xenial-security; urgency=low
 .
   * Applying Xen Security Advisories:
     - CVE-2016-6258 / XSA-182
       * x86/pv: Remove unsafe bits from the mod_l?_entry() fastpath
     - CVE-2016-6259 / XSA-183
       * x86/entry: Avoid SMAP violation in compat_create_bounce_frame()
     - CVE-2016-7092 / XSA-185
       * x86/32on64: don't allow recursive page tables from L3
     - CVE-2016-7094 / XSA-187
       * x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
       * x86/segment: Bounds check accesses to emulation ctxt->seg_reg[]
     - CVE-2016-7777 / XSA-190
       * x86emul: honor guest CR0.TS and CR0.EM
 .
 xen (4.6.0-1ubuntu4.1) xenial-security; urgency=low
 .
   * Applying Xen Security Advisories:
     - CVE-2016-3158, CVE-2016-3159 / XSA-172
       * x86: fix information leak on AMD CPUs
     - CVE-2016-3960 / XSA-173
       * x86: limit GFNs to 32 bits for shadowed superpages.
     - CVE-2016-4962 / XSA-175
       * libxl: Record backend/frontend paths in /libxl/$DOMID
       * libxl: Provide libxl__backendpath_parse_domid
       * libxl: Do not trust frontend in libxl__devices_destroy
       * libxl: Do not trust frontend in libxl__device_nextid
       * libxl: Do not trust frontend for disk eject event
       * libxl: Do not trust frontend for disk in getinfo
       * libxl: Do not trust frontend for vtpm list
       * libxl: Do not trust frontend for vtpm in getinfo
       * libxl: Do not trust frontend for nic in libxl_devid_to_device_nic
       * libxl: Do not trust frontend for nic in getinfo
       * libxl: Do not trust frontend for channel in list
       * libxl: Do not trust frontend for channel in getinfo
       * libxl: Cleanup: Have libxl__alloc_vdev use /libxl
       * libxl: Document ~/serial/ correctly
     - CVE-2016-4480 / XSA-176
       * x86/mm: fully honor PS bits in guest page table walks
     - CVE-2016-4963 / XSA-178
       * libxl: Make copy of every xs backend in /libxl in _generic_add
       * libxl: Do not trust backend in libxl__device_exists
       * libxl: Do not trust backend for vtpm in getinfo (except uuid)
       * libxl: Do not trust backend for vtpm in getinfo (uuid)
       * libxl: cdrom eject and insert: write to /libxl
       * libxl: Do not trust backend for disk eject vdev
       * libxl: Do not trust backend for disk; fix driver domain disks list
       * libxl: Do not trust backend for disk in getinfo
       * libxl: Do not trust backend for cdrom insert
       * libxl: Do not trust backend for channel in getinfo
       * libxl: Rename libxl__device_{nic,channel}_from_xs_be to _from_xenstore
       * libxl: Rename READ_BACKEND to READ_LIBXLDEV
       * libxl: Have READ_LIBXLDEV use libxl_path rather than be_path
       * libxl: Do not trust backend in nic getinfo
       * libxl: Do not trust backend for nic in devid_to_device
       * libxl: Do not trust backend for nic in list
       * libxl: Do not trust backend in channel list
       * libxl: Cleanup: use libxl__backendpath_parse_domid in
                libxl__device_disk_from_xs_be
       * libxl: Fix NULL pointer due to XSA-178 fix wrong XS nodename
     - CVE-2016-5242 / XSA-181
       * xen/arm: Don't free p2m->first_level in p2m_teardown() before
                  it has been allocated

Date: Fri, 16 Feb 2018 18:14:41 +0000
Changed-By: Openstack Ubuntu Testing Bot <openstack-testing-bot at ubuntu.com>
Signed-By: Openstack Ubuntu Testing Bot
Published-By: Corey Bryant <corey.bryant at canonical.com>


More information about the Cloud-archive-changes mailing list