-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 11 Nov 2019 00:30:56 +0000 Source: linux Architecture: source Version: 4.19.67-2+deb10u2 Distribution: buster-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <ben@decadent.org.uk> Changes: linux (4.19.67-2+deb10u2) buster-security; urgency=high . * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135): - KVM: x86: use Intel speculation bugs and features as derived in generic x86 code - x86/msr: Add the IA32_TSX_CTRL MSR - x86/cpu: Add a helper function x86_read_arch_cap_msr() - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default - x86/speculation/taa: Add mitigation for TSX Async Abort - x86/speculation/taa: Add sysfs reporting for TSX Async Abort - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled - x86/tsx: Add "auto" option to the tsx= cmdline parameter - x86/speculation/taa: Add documentation for TSX Async Abort - x86/tsx: Add config options to set tsx=on|off|auto - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs TSX is now disabled by default; see Documentation/admin-guide/hw-vuln/tsx_async_abort.rst * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change (aka iTLB multi-hit, CVE-2018-12207): - kvm: Convert kvm_lock to a mutex - kvm: x86: Do not release the page inside mmu_set_spte() - KVM: x86: make FNAME(fetch) and __direct_map more similar - KVM: x86: remove now unneeded hugepage gfn adjustment - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON - KVM: x86: add tracepoints around __direct_map and FNAME(fetch) - kvm: x86, powerpc: do not allow clearing largepages debugfs entry - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active - x86/bugs: Add ITLB_MULTIHIT bug infrastructure - cpu/speculation: Uninline and export CPU mitigations helpers - kvm: mmu: ITLB_MULTIHIT mitigation - kvm: Add helper function for creating VM worker threads - kvm: x86: mmu: Recovery of shattered NX large pages - Documentation: Add ITLB_MULTIHIT documentation * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155): - drm/i915: Rename gen7 cmdparser tables - drm/i915: Disable Secure Batches for gen6+ - drm/i915: Remove Master tables from cmdparser - drm/i915: Add support for mandatory cmdparsing - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers - drm/i915: Allow parsing of unsized batches - drm/i915: Add gen9 BCS cmdparsing - drm/i915/cmdparser: Use explicit goto for error paths - drm/i915/cmdparser: Add support for backward jumps - drm/i915/cmdparser: Ignore Length operands during command matching - drm/i915/cmdparser: Fix jump whitelist clearing * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154): - drm/i915: Lower RM timeout to avoid DSI hard hangs - drm/i915/gen8+: Add RC6 CTX corruption WA Checksums-Sha1: aed5ee7b2b08d5cf9d8c4752103f802656642114 189156 linux_4.19.67-2+deb10u2.dsc c15929e80fba7b2f99e44b0f60d19c6367892eeb 3187788 linux_4.19.67-2+deb10u2.debian.tar.xz 22f68e379eaaa703c7d4dfb9bfb38a10871c701c 46505 linux_4.19.67-2+deb10u2_source.buildinfo Checksums-Sha256: ca806bfe98fe978838f65d3647dff1bb77ae32bb1d1beb4e5240533c2574afc3 189156 linux_4.19.67-2+deb10u2.dsc be1465883dbe1ec28f2da66eb3b3e43b5f7e733a98d5b3e4c341e1ab2b37756d 3187788 linux_4.19.67-2+deb10u2.debian.tar.xz 5e4bc29fd8b19166290d2b98043475d2e1b736e99d5894317a020f9005391cfc 46505 linux_4.19.67-2+deb10u2_source.buildinfo Files: 942a58933cb394bca6e63fc592a34b60 189156 kernel optional linux_4.19.67-2+deb10u2.dsc c0fefa198005df0113470135cf19ab89 3187788 kernel optional linux_4.19.67-2+deb10u2.debian.tar.xz 95ca61229f2b0f1d9d4014fa3f7a2b50 46505 kernel optional linux_4.19.67-2+deb10u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl3JWo0ACgkQ57/I7JWG EQk3bA//Zad+Zj9i5/39L2EW5DvUWJzZStxKFNGjop53USEZZizYWHTIUEldxLBE z1eAdyM9E3Cim1TNxryIl6CADWPr6z43B9xISU0kXzhDRz34FGVabC02SEVqmWhu fccMfPfgiXlvsFLEqCKWLPdpF6ZjEK9UkZPJ7bur+o8bb7AKhZHg1paOC5EtXjcO DNOvUR4eBeMqNSlvJBbK9BSgYobxGUfe5mawdg3mBAIoDNhzD2xgkAcdRxW5GPWB XkX4tZapEIkzGxV96ylTVRFva71RDiI7mqfT8smNKQ/HKPCC/LhaXJQ8X7iStO60 FSMbjIhscAPSsn4mGT4yq7C+r/F3JgiBL1G7owI826yLEMunnA+qJK++VP3kMDfx CNsBrH+dZUhq47o+Jodu8t1GmRF5Z1JczFP8260XGcYYk50mZj+zywcBUkWBy8RH 9Ss4gVyihsHty8k4t9ufBLSPUwyap6fljSjDn0qSW/cBHVgjljRlPYsPRupzsN5U NSgIYw9vUoBOomZXFDREGMJHQFyG5gfEolkfZc5b2kia01K56L7HwqB28Vz6Sf0d UbyrqtNk6G99pyobdih6Ghz4qcD1xQKU+k2ohZHyXTxjsmwjgqKHNNVIKm52V97J L1HaGy0OEgQAFs3sN6lN0NaDvfYHKYocMs4tN/Pq7gJh0glWXBY= =H24O -----END PGP SIGNATURE-----