Bug#1033676: unblock: xen/4.17.0+74-g3eac216e6e-1
Control: retitle -1 unblock: xen/4.17.0+74-g3eac216e6e-1

On Sunday, 2 April 2023 21:51:11 CEST Sebastian Ramacher wrote:
> On 2023-03-29 23:27:11 +0200, Maximilian Engelhardt wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: x...@packages.debian.org, m...@daemonizer.de,
> > t...@security.debian.org
> > Control: affects -1 + src:xen
> >
> > Please approve an upload of xen to unstable and later unblock package
> > xen. See the "Other info" section below on why this is a pre-approval
> > request.
>
> Please go ahead
>
> Cheers

Thanks, xen/4.17.0+74-g3eac216e6e-1 has been uploaded to unstable and
already built on all architectures.

> > [ Reason ]
> > Xen in bookworm (and unstable) is currently affected by CVE-2022-42331,
> > CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297).
> >
> > [ Impact ]
> > The above-mentioned CVEs are not fixed.
> >
> > [ Tests ]
> > The Debian package is based only on upstream commits that have passed
> > the upstream automated tests.
> > The Debian package has been successfully tested by the xen packaging
> > team on their test machines.
> >
> > [ Risks ]
> > There could be upstream changes unrelated to the above-mentioned
> > security fixes that cause regressions. However, upstream has an automated
> > testing machinery (osstest) that only allows a commit in the upstream
> > stable branch if all tests pass.
> >
> > [ Checklist ]
> >
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > [ Other info ]
> > This security fix is based on the latest upstream stable-4.17 branch.
> > The branch in general only accepts bug fixes and does not allow new
> > features, so the changes there are mainly security and other bug fixes.
> > This does not exactly follow the "only targeted fixes" release policy,
> > so we are asking for a pre-approval.
> > The package we have prepared is exactly what we would have done as a
> > security update in a stable release, which is what we have historically
> > done together with the security team and are planning to continue to do.
> > As upstream does extensive automated testing on their stable branches,
> > chances for unnoticed regressions are low. We believe this way the risk
> > for bugs is lower than trying to manually pick and adjust patches
> > without all the deep knowledge that upstream has. This approach is
> > similar to what the linux package is doing.
> >
> > unblock xen/4.17.0+74-g3eac216e6e-1
> >
> > Thanks
Bug#1033676: unblock: xen/4.17.0+74-g3eac216e6e-1 (pre-approval)
On 2023-03-29 23:27:11 +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: x...@packages.debian.org, m...@daemonizer.de,
> t...@security.debian.org
> Control: affects -1 + src:xen
>
> Please approve an upload of xen to unstable and later unblock package
> xen. See the "Other info" section below on why this is a pre-approval
> request.

Please go ahead

Cheers

> [ Reason ]
> Xen in bookworm (and unstable) is currently affected by CVE-2022-42331,
> CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297).
>
> [ Impact ]
> The above-mentioned CVEs are not fixed.
>
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
>
> [ Risks ]
> There could be upstream changes unrelated to the above-mentioned
> security fixes that cause regressions. However, upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all tests pass.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not exactly follow the "only targeted fixes" release policy,
> so we are asking for a pre-approval.
> The package we have prepared is exactly what we would have done as a
> security update in a stable release, which is what we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches,
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.
>
> unblock xen/4.17.0+74-g3eac216e6e-1
>
> Thanks

> diff -Nru xen-4.17.0+46-gaaf74a532c/debian/changelog > xen-4.17.0+74-g3eac216e6e/debian/changelog > --- xen-4.17.0+46-gaaf74a532c/debian/changelog2023-02-24 > 18:06:42.0 +0100 > +++ xen-4.17.0+74-g3eac216e6e/debian/changelog2023-03-23 > 22:22:48.0 +0100 > @@ -1,3 +1,16 @@ > +xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium > + > + * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains > +security fixes for the following issues: (Closes: #1033297) > +- x86 shadow plus log-dirty mode use-after-free > + XSA-427 CVE-2022-42332 > +- x86/HVM pinned cache attributes mis-handling > + XSA-428 CVE-2022-42333 CVE-2022-42334 > +- x86: speculative vulnerability in 32bit SYSCALL path > + XSA-429 CVE-2022-42331 > + > + -- Maximilian Engelhardt Thu, 23 Mar 2023 22:22:48 > +0100 > + > xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium > >* Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains > diff -Nru xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc > xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc > --- xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc > 2023-02-22 15:14:33.0 +0100 > +++ xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc > 2023-03-21 13:47:52.0 +0100
> @@ -287,10 +287,15 @@ > protection. > > The option is available when `CONFIG_XEN_SHSTK` is compiled in, and > -defaults to `true` on hardware supporting CET-SS. Specifying > +generally defaults to `true` on hardware supporting CET-SS. Specifying > `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support > is available in hardware. > > +Some hardware suffers from an issue known as Supervisor Shadow Stack > +Fracturing. On such hardware, Xen will default to not using Shadow > Stacks > +when virtualised. Specifying `cet=shstk` will override this heuristic > and > +enable Shadow Stacks unilaterally. > + > * The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for > its own protection. > > @@ -721,6 +726,11 @@ > * `all`: just one runqueue shared by all the logical pCPUs of > the host > > +Regardless of the above choice, Xen attempts to respect > +`sched_credit2_max_cpus_runqueue` limit, which may mean more than one > runqueue > +for the `all` value. If that isn't intended, raise > +the `sched_credit2_max_cpus_runqueue` value. > + > ### dbgp > > `= ehci[ | @pci:. ]` > > `= xhci[ | @pci:. ][,share=|hwdom]` > @@ -2624,6 +2634,17 @@ > , and must be integers. The values will be > encoded in g
Bug#1033676: unblock: xen/4.17.0+74-g3eac216e6e-1 (pre-approval)
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: x...@packages.debian.org, m...@daemonizer.de,
t...@security.debian.org
Control: affects -1 + src:xen

Please approve an upload of xen to unstable and later unblock package
xen. See the "Other info" section below on why this is a pre-approval
request.

[ Reason ]
Xen in bookworm (and unstable) is currently affected by CVE-2022-42331,
CVE-2022-42332, CVE-2022-42333 and CVE-2022-42334 (see #1033297).

[ Impact ]
The above-mentioned CVEs are not fixed.

[ Tests ]
The Debian package is based only on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.

[ Risks ]
There could be upstream changes unrelated to the above-mentioned
security fixes that cause regressions. However, upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all tests pass.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
This security fix is based on the latest upstream stable-4.17 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security and other bug fixes.
This does not exactly follow the "only targeted fixes" release policy,
so we are asking for a pre-approval.
The package we have prepared is exactly what we would have done as a
security update in a stable release, which is what we have historically
done together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches,
chances for unnoticed regressions are low. We believe this way the risk
for bugs is lower than trying to manually pick and adjust patches
without all the deep knowledge that upstream has. This approach is
similar to what the linux package is doing.

unblock xen/4.17.0+74-g3eac216e6e-1

Thanks

diff -Nru xen-4.17.0+46-gaaf74a532c/debian/changelog xen-4.17.0+74-g3eac216e6e/debian/changelog --- xen-4.17.0+46-gaaf74a532c/debian/changelog 2023-02-24 18:06:42.0 +0100 +++ xen-4.17.0+74-g3eac216e6e/debian/changelog 2023-03-23 22:22:48.0 +0100 @@ -1,3 +1,16 @@ +xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium + + * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains +security fixes for the following issues: (Closes: #1033297) +- x86 shadow plus log-dirty mode use-after-free + XSA-427 CVE-2022-42332 +- x86/HVM pinned cache attributes mis-handling + XSA-428 CVE-2022-42333 CVE-2022-42334 +- x86: speculative vulnerability in 32bit SYSCALL path + XSA-429 CVE-2022-42331 + + -- Maximilian Engelhardt Thu, 23 Mar 2023 22:22:48 +0100 + xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains diff -Nru xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc --- xen-4.17.0+46-gaaf74a532c/docs/misc/xen-command-line.pandoc 2023-02-22 15:14:33.0 +0100 +++ xen-4.17.0+74-g3eac216e6e/docs/misc/xen-command-line.pandoc 2023-03-21 13:47:52.0 +0100
@@ -287,10 +287,15 @@ protection. The option is available when `CONFIG_XEN_SHSTK` is compiled in, and -defaults to `true` on hardware supporting CET-SS. Specifying +generally defaults to `true` on hardware supporting CET-SS. Specifying `cet=no-shstk` will cause Xen not to use Shadow Stacks even when support is available in hardware. +Some hardware suffers from an issue known as Supervisor Shadow Stack +Fracturing. On such hardware, Xen will default to not using Shadow Stacks +when virtualised. Specifying `cet=shstk` will override this heuristic and +enable Shadow Stacks unilaterally. + * The `ibt=` boolean controls whether Xen uses Indirect Branch Tracking for its own protection. @@ -721,6 +726,11 @@ * `all`: just one runqueue shared by all the logical pCPUs of the host +Regardless of the above choice, Xen attempts to respect +`sched_credit2_max_cpus_runqueue` limit, which may mean more than one runqueue +for the `all` value. If that isn't intended, raise +the `sched_credit2_max_cpus_runqueue` value. + ### dbgp > `= ehci[ | @pci:. ]` > `= xhci[ | @pci:. ][,share=|hwdom]` @@ -2624,6 +2634,17 @@ , and must be integers. The values will be encoded in guest CPUID 0x4002 if viridian enlightenments are enabled. +### vm-notify-window (Intel) +> `= ` + +> Default: `0` + +Specify the value of the VM Notify window used to detect locked VMs. Set to -1 +to disable the feature. Value is in units of crystal clock cycles. + +Note the hardware might add a threshold to the provided value in order to make +it safe
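Review bot: the debian/changelog hunk (`@@ -1,3 +1,16 @@`) records only the three XSAs, although the same upload carries other stable-branch changes that this request explicitly asks the release team to accept outside the "only targeted fixes" policy, such as the CET shadow-stack default change and the new `vm-notify-window` option documented further down in the debdiff. Add a line such as `* Also includes other bug fixes from the upstream stable-4.17 branch` so a later reader of the changelog can see the update was not security-only. The `Closes: #1033297` reference and the XSA-to-CVE mapping (XSA-427 to CVE-2022-42332, XSA-428 to CVE-2022-42333 and CVE-2022-42334, XSA-429 to CVE-2022-42331) agree with the four CVEs listed in the [ Reason ] section.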
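Review bot: the `@@ -287,10 +287,15 @@` hunk in docs/misc/xen-command-line.pandoc documents a change of default rather than a wording fix: on hardware affected by Supervisor Shadow Stack Fracturing, Xen now leaves Shadow Stacks off when virtualised unless `cet=shstk` is passed, which silently drops a control-flow hardening feature on those systems. The new paragraph should tell an administrator how to verify which default was applied on a given machine instead of only calling it a heuristic, and the [ Risks ] section of this request ought to mention that a hardening default changes for nested deployments, since that is exactly the kind of non-targeted behavioural change the pre-approval is asking the release team to accept.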
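Review bot: in the `@@ -721,6 +726,11 @@` hunk, "Xen attempts to respect `sched_credit2_max_cpus_runqueue` limit" is missing the article and should read "attempts to respect the `sched_credit2_max_cpus_runqueue` limit". The paragraph also tells the reader to raise that value without stating its default or cross-referencing the option's own entry in this file; add a pointer to that entry so the reader can check the default before changing it.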
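Review bot: in the `@@ -2624,6 +2634,17 @@` hunk, the new `vm-notify-window (Intel)` entry states `Default: 0` and that -1 disables the feature, but never says what a window of 0 means, so the reader cannot tell whether the default is "notify as early as the hardware allows" or "use a hardware-chosen window". State the meaning of 0 explicitly, and since the following sentence says the hardware may add a threshold to the supplied value, say whether that threshold is what makes 0 a safe default; "units of crystal clock cycles" would also benefit from a note on how to relate that to wall-clock time.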