-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 11 Nov 2019 12:18:59 +0000 Binary: linux-doc-4.9 linux-headers-4.9.0-11-common linux-headers-4.9.0-11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-11 Source: linux Architecture: all source Version: 4.9.189-3+deb9u2 Distribution: stretch-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <ben@decadent.org.uk> Description: linux-doc-4.9 - Linux kernel specific documentation for version 4.9 linux-headers-4.9.0-11-common - Common header files for Linux 4.9.0-11 linux-headers-4.9.0-11-common-rt - Common header files for Linux 4.9.0-11-rt linux-manual-4.9 - Linux kernel API manual pages for version 4.9 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches linux-support-4.9.0-11 - Support files for Linux 4.9 Changes: linux (4.9.189-3+deb9u2) stretch-security; urgency=high . * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135): - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code - x86/msr: Add the IA32_TSX_CTRL MSR - x86/cpu: Add a helper function x86_read_arch_cap_msr() - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default - x86/speculation/taa: Add mitigation for TSX Async Abort - x86/speculation/taa: Add sysfs reporting for TSX Async Abort - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled - x86/tsx: Add "auto" option to the tsx= cmdline parameter - x86/speculation/taa: Add documentation for TSX Async Abort - x86/tsx: Add config options to set tsx=on|off|auto - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs TSX is now disabled by default; see Documentation/hw-vuln/tsx_async_abort.rst * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change (aka iTLB multi-hit, CVE-2018-12207): - KVM: x86: simplify ept_misconfig - KVM: x86: extend usage of RET_MMIO_PF_* constants - KVM: MMU: drop vcpu param in gpte_access - kvm: Convert kvm_lock to a mutex - kvm: x86: Do not release the page inside mmu_set_spte() - KVM: x86: make FNAME(fetch) and __direct_map more similar - KVM: x86: remove now unneeded hugepage gfn adjustment - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON - KVM: x86: Add is_executable_pte() - KVM: x86: add tracepoints around __direct_map and FNAME(fetch) - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active - x86/bugs: Add ITLB_MULTIHIT bug infrastructure - cpu/speculation: Uninline and export CPU mitigations helpers - kvm: mmu: ITLB_MULTIHIT mitigation - kvm: Add helper function for creating VM worker threads - kvm: x86: mmu: Recovery of shattered NX large pages - Documentation: Add ITLB_MULTIHIT documentation * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155): - drm/i915: kick out cmd_parser specific structs from i915_drv.h - drm/i915: cleanup use of INSTR_CLIENT_MASK - drm/i915: return EACCES for check_cmd() failures - drm/i915: don't whitelist oacontrol in cmd parser - drm/i915: Use the precomputed value for whether to enable command parsing - drm/i915/cmdparser: Limit clflush to active cachelines - drm/i915/gtt: Add read only pages to gen8_pte_encode - drm/i915/gtt: Read-only pages for insert_entries on bdw+ - drm/i915/gtt: Disable read-only support under GVT - drm/i915: Prevent writing into a read-only object via a GGTT mmap - drm/i915/cmdparser: Check reg_table_count before derefencing. - drm/i915/cmdparser: Do not check past the cmd length. - drm/i915: Silence smatch for cmdparser - drm/i915: Move engine->needs_cmd_parser to engine->flags - drm/i915: Rename gen7 cmdparser tables - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Remove Master tables from cmdparser - drm/i915: Add support for mandatory cmdparsing - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers - drm/i915: Allow parsing of unsized batches - drm/i915: Add gen9 BCS cmdparsing - drm/i915/cmdparser: Use explicit goto for error paths - drm/i915/cmdparser: Add support for backward jumps - drm/i915/cmdparser: Ignore Length operands during command matching - drm/i915/cmdparser: Fix jump whitelist clearing * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154): - drm/i915: Lower RM timeout to avoid DSI hard hangs - drm/i915/gen8+: Add RC6 CTX corruption WA * drm/i915: Avoid ABI change for CVE-2019-0155 Checksums-Sha1: e85cadd25bb5abe5a02ad31fb2de8f07a9d6a695 125053 linux_4.9.189-3+deb9u2.dsc c922a954d78ab243ee9a469e61cfecd9d8df7cc8 2699452 linux_4.9.189-3+deb9u2.debian.tar.xz 48bad9939cf7ff42fc32ee88e73961654759b31b 37956 linux_4.9.189-3+deb9u2_source.buildinfo 573984c580fdbb458f4a400a72b2f77c58fef594 12539262 linux-doc-4.9_4.9.189-3+deb9u2_all.deb 1580527b1c058848dbb46335388e02680b5abfaa 5770260 linux-headers-4.9.0-11-common-rt_4.9.189-3+deb9u2_all.deb efc6d222bd6930668b9fd7af2256a1b49af11fe1 7704852 linux-headers-4.9.0-11-common_4.9.189-3+deb9u2_all.deb 2c1c3c95352122d5f244b7e6e358acec0221d305 3224146 linux-manual-4.9_4.9.189-3+deb9u2_all.deb 53d402ffc3bd464dff1d2591d57dfae2856964da 96911448 linux-source-4.9_4.9.189-3+deb9u2_all.deb d85a4308d5bb8e5c7d23f49e9280de405c0e387d 704242 linux-support-4.9.0-11_4.9.189-3+deb9u2_all.deb Checksums-Sha256: c4cacfcfcbe73bb61796e75c767d89542cb85bcd8b9c0cb12c5b85f909df0e01 125053 linux_4.9.189-3+deb9u2.dsc 1ae7dacd952ddf39a6d54058f91384eb5214f37e7267deb67b269b66b8f94837 2699452 linux_4.9.189-3+deb9u2.debian.tar.xz 8fa107d5eaf6364030ae712c0d537028271c74858964b8a208b9b878eb0e6dce 37956 linux_4.9.189-3+deb9u2_source.buildinfo 5f353db1c863d30c6439dc63e89e24c7b34f772c21a72a2e2fafda4684270ad7 12539262 linux-doc-4.9_4.9.189-3+deb9u2_all.deb 67ec77a28bd8a5afc8127f6f0e412cf1c70e2cbc1083d8f2f20dfcbcc8a4d0bc 5770260 linux-headers-4.9.0-11-common-rt_4.9.189-3+deb9u2_all.deb 1d2c373755c7e792174d031b0d11b1295ca7134b9581bccc9f3212ac1b0a8ed1 7704852 linux-headers-4.9.0-11-common_4.9.189-3+deb9u2_all.deb 730011179d564077a92cd6304590f5fab43b03920d334c7348d24dd5cc797afb 3224146 linux-manual-4.9_4.9.189-3+deb9u2_all.deb 2f7f391312e52b04e55be1f346d4889a8655257ed92968b813283107cb8f40e0 96911448 linux-source-4.9_4.9.189-3+deb9u2_all.deb e36becbc4ba465360120ffe978d20742c7c720d138327f648da83022d3a4c1e5 704242 linux-support-4.9.0-11_4.9.189-3+deb9u2_all.deb Files: 0f1a6857b802189041f82832b7ffad59 125053 kernel optional linux_4.9.189-3+deb9u2.dsc 1e770815ab87954640bb705b1e69cafb 2699452 kernel optional linux_4.9.189-3+deb9u2.debian.tar.xz 35cea95d34147d0d68d5e9caed9d2357 37956 kernel optional linux_4.9.189-3+deb9u2_source.buildinfo d25457e21a95d3027821d4ecd8093de6 12539262 doc optional linux-doc-4.9_4.9.189-3+deb9u2_all.deb 35ff22064be8c74e39414029e27ccfa8 5770260 kernel optional linux-headers-4.9.0-11-common-rt_4.9.189-3+deb9u2_all.deb 0fa45f22f26597bd4a7f899c864ea878 7704852 kernel optional linux-headers-4.9.0-11-common_4.9.189-3+deb9u2_all.deb bc3fbe44227d7bf300d5eb0e3bb978d2 3224146 doc optional linux-manual-4.9_4.9.189-3+deb9u2_all.deb 5356a625c8f89c6f7202f1042e7f5d96 96911448 kernel optional linux-source-4.9_4.9.189-3+deb9u2_all.deb f222572b0e3bd2db716b3a801cd890f3 704242 devel optional linux-support-4.9.0-11_4.9.189-3+deb9u2_all.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl3JknwACgkQ57/I7JWG EQmjEw//UZHNdlTDxV9xhSEF9MhFEwtuu5cmyq7sm9w9XaaKgghbA+Xw7v0FCmS2 O7qurw1fIF6Ee1DfFO4H08ve5DRKSKim4o2xuZHv+bR4Js7Vf4+ZaCOYft6Q/spx vjT76LTPpaStb5A7UduKjjkY2B08WxdQn1o5njHuYIo6gRy//TCWNTkDLrrw0P0Y hIsKJqnGnkZYZQZmtJ3L8VN/JoW91Fd1Li8jdDedxJZ5LncnCO81NlJlh2PnD160 zQejxz6DbfGe3LLhQEgZ7Bw1T0e+IGFr1y5PKG6TdQAODztAVYMiamh21y5pS7qY Sb5zYbbQpXKvi3c9ZHX8qKe5dNkTgOiLnGuDwyQSSzwx2obJFWw664iUqzuBT+C0 aT9q+FaX/GF9i2XvxXcrN7Vh9gr0QsniCxGrD3p6DC/DebNR1K9zL8AlydvMeY6H Z26tFN9oEp8MBOFezKKGS3JE+mgwpk6BDwWveuhGMZoLW3pfJSemrkCdxXQ+Drqx 3/vNTIAR/WTww7iR6oC7H9cwmF0HwhTk/N3QKfMKwEbM3GotfkIWZURsXl4x/EgT okouHJlUMQell+CRSuZ8V4FlxVgez+IzfSud+YXR/Bqk/nv6goMXRym22m5Gl9NU KDz3VfGyM4UOFnhSTXXFRej865D33d6drBGIgckQ8rI4OaxIwXQ= =4mlB -----END PGP SIGNATURE-----