Format: 1.8
Date: Tue, 12 Nov 2019 22:05:49 +0000
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u2~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3+deb9u2~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie; no further changes required
 .
 linux (4.9.189-3+deb9u2) stretch-security; urgency=high
 .
   * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
     - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code
     - x86/msr: Add the IA32_TSX_CTRL MSR
     - x86/cpu: Add a helper function x86_read_arch_cap_msr()
     - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
     - x86/speculation/taa: Add mitigation for TSX Async Abort
     - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
     - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
     - x86/tsx: Add "auto" option to the tsx= cmdline parameter
     - x86/speculation/taa: Add documentation for TSX Async Abort
     - x86/tsx: Add config options to set tsx=on|off|auto
     - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
     TSX is now disabled by default; see Documentation/hw-vuln/tsx_async_abort.rst
   * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change (aka iTLB multi-hit, CVE-2018-12207):
     - KVM: x86: simplify ept_misconfig
     - KVM: x86: extend usage of RET_MMIO_PF_* constants
     - KVM: MMU: drop vcpu param in gpte_access
     - kvm: Convert kvm_lock to a mutex
     - kvm: x86: Do not release the page inside mmu_set_spte()
     - KVM: x86: make FNAME(fetch) and __direct_map more similar
     - KVM: x86: remove now unneeded hugepage gfn adjustment
     - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
     - KVM: x86: Add is_executable_pte()
     - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
     - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
     - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
     - cpu/speculation: Uninline and export CPU mitigations helpers
     - kvm: mmu: ITLB_MULTIHIT mitigation
     - kvm: Add helper function for creating VM worker threads
     - kvm: x86: mmu: Recovery of shattered NX large pages
     - Documentation: Add ITLB_MULTIHIT documentation
   * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
     - drm/i915: kick out cmd_parser specific structs from i915_drv.h
     - drm/i915: cleanup use of INSTR_CLIENT_MASK
     - drm/i915: return EACCES for check_cmd() failures
     - drm/i915: don't whitelist oacontrol in cmd parser
     - drm/i915: Use the precomputed value for whether to enable command parsing
     - drm/i915/cmdparser: Limit clflush to active cachelines
     - drm/i915/gtt: Add read only pages to gen8_pte_encode
     - drm/i915/gtt: Read-only pages for insert_entries on bdw+
     - drm/i915/gtt: Disable read-only support under GVT
     - drm/i915: Prevent writing into a read-only object via a GGTT mmap
     - drm/i915/cmdparser: Check reg_table_count before derefencing.
     - drm/i915/cmdparser: Do not check past the cmd length.
     - drm/i915: Silence smatch for cmdparser
     - drm/i915: Move engine->needs_cmd_parser to engine->flags
     - drm/i915: Rename gen7 cmdparser tables
     - drm/i915: Disable Secure Batches for gen6+
     - drm/i915: Remove Master tables from cmdparser
     - drm/i915: Add support for mandatory cmdparsing
     - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
     - drm/i915: Allow parsing of unsized batches
     - drm/i915: Add gen9 BCS cmdparsing
     - drm/i915/cmdparser: Use explicit goto for error paths
     - drm/i915/cmdparser: Add support for backward jumps
     - drm/i915/cmdparser: Ignore Length operands during command matching
     - drm/i915/cmdparser: Fix jump whitelist clearing
   * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
     - drm/i915: Lower RM timeout to avoid DSI hard hangs
     - drm/i915/gen8+: Add RC6 CTX corruption WA
   * drm/i915: Avoid ABI change for CVE-2019-0155