-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 19 Feb 2022 20:29:32 +0100 Source: xen Architecture: source Version: 4.16.0+51-g0941d6cb-1 Distribution: unstable Urgency: medium Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org> Changed-By: Hans van Kranenburg <hans@knorrie.org> Closes: 976597 988901 992909 1002658 Changes: xen (4.16.0+51-g0941d6cb-1) unstable; urgency=medium . * Update to new upstream version 4.16.0+51-g0941d6cb, which also contains security fixes for the following issues: - arm: guest_physmap_remove_page not removing the p2m mappings XSA-393 CVE-2022-23033 - A PV guest could DoS Xen while unmapping a grant XSA-394 CVE-2022-23034 - Insufficient cleanup of passed-through device IRQs XSA-395 CVE-2022-23035 * Note that the following XSA are not listed, because... - XSA-391 and XSA-392 have patches for the Linux kernel. * Upload to unstable now, which obsoletes the Xen 4.14 FTBFS issue. (Closes: #1002658) . xen (4.16.0-1~exp1) experimental; urgency=medium . Significant changes: * Update to new upstream version 4.16.0. This also includes a security fix for the following issue, which was not applicable to Xen 4.14 yet: - certain VT-d IOMMUs may not work in shared page table mode XSA-390 CVE-2021-28710 * No longer build any package for the i386 architecture. It was already not possible to use x86_32 hardware because the i386 packages already shipped a 64-bit hypervisor and PV shim. Running 32-bit utils with a 64-bit hypervisor requires using a compatibility layer that is fragile and becomes harder to maintain and test upstream. This change ends the 'grace period' in which users should have moved to using a fully 64-bit dom0. - debian/{control,rules,salsa-ci.yml,xen-utils-V.install.vsn-in}: make the necessary changes - Remove the Recommends on libc6-xen, which already actually does not exist any more. (Closes: #992909) - Drop patch "tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on x86_32" because it is not relevant any more. . Changes related to upgrading to Xen 4.16: * debian/control: adjust to 4.16 [Maximilian Engelhardt] * Drop patches that have been applied upstream * Refresh remaining patches if needed * debian: follow upstream removal of '.sh' suffix in xl bash_completion file [Maximilian Engelhardt] * debian/control, debian/libxenstore*: ship a libxenstore4 package instead of libxenstore3.0, since upstream bumped the soname [Maximilian Engelhardt] . Packaging minor fixes and improvements [Maximilian Engelhardt]: * debian/rules: set SOURCE_BASE_DIR to the top level build dir so that the "Display Debian package version in hypervisor log" patch can use it. * Add patch "xen/arch/x86: make objdump output user locale agnostic" to fix reproducable builds. This patch will also be sent upstream. * d/rules: remove reproducible=+fixfilepath from DEB_BUILD_MAINT_OPTIONS * d/salsa-ci.yml: Explicitly set RELEASE variable to unstable * d/salsa-ci.yml: disable cross building as it's currently not working * debian: call update-grub when installing/removing xen-hypervisor-common (Closes: #988901) * debian: fix dependency generation for python after dh-python was fixed first. (Closes: #976597) * debian/rules: remove unused pybuild settings . Packaging minor fixes and improvements: * Improve patches for building the PV shim separately. This enables to drop the extra Revert of an upstream commit that was done in 4.14.0+80-gd101b417b7-1~exp1: - Drop patch: Revert "pvshim: make PV shim build selectable from configure" - Update patch "[...] Respect caller's CONFIG_PV_SHIM" to follow moving of a line to a different file - Drop patch: "tools/firmware/Makefile: CONFIG_PV_SHIM: enable only on x86_64" because that's now already the default upstream * debian/control.md5sum: remove this obsolete file * Merge patches "vif-common: disable handle_iptable" and "t/h/L/vif-common.sh: fix handle_iptable return value" into a single patch, since the latter was a fix for the first. * debian/control: change the Uploaders email address for Ian Jackson, since he does not work at Citrix any more now Checksums-Sha1: f2d0ec91131ecff7291ac88a64597f5e7abf6972 4117 xen_4.16.0+51-g0941d6cb-1.dsc 5938109ceb039a0aaf253cce72da9f8ea0745dfd 4542340 xen_4.16.0+51-g0941d6cb.orig.tar.xz ba751d44993de4aa49f5a59f2553b8fb506df8ad 128356 xen_4.16.0+51-g0941d6cb-1.debian.tar.xz Checksums-Sha256: 34778578fcbfcbae2c47a6caf6385355af9251ebe978d852f6d88cfd7af4ed7f 4117 xen_4.16.0+51-g0941d6cb-1.dsc 55bb3071592684dacecf7ab89574bc68afa50faeb14382179dfbe567a3831cbe 4542340 xen_4.16.0+51-g0941d6cb.orig.tar.xz 4515137736057c0522aa20ce0822bc36c678213e0d31cad8344dd7919afdf077 128356 xen_4.16.0+51-g0941d6cb-1.debian.tar.xz Files: 6a9d0424f430e916af82ff14b1f2bbd7 4117 admin optional xen_4.16.0+51-g0941d6cb-1.dsc c401b5c8834939e63c63c118e69a3885 4542340 admin optional xen_4.16.0+51-g0941d6cb.orig.tar.xz 249a0f42c03ad5aeefb39699166a10ac 128356 admin optional xen_4.16.0+51-g0941d6cb-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEESWyddwNaG9637koYssHfcmNhX2wFAmIRVBAACgkQssHfcmNh X2xDfA/8Cld8sXQQfU4Dnv/10iOnsJ/gU0CZhQpD3+IIbqfaayul3ibiEm0hk+nX dffepKSSEycme4tCCR1DPz7KVSc2LyrnHn2BJP5Fz2vVwiGbbAG9Q0VAXN64+8oN tupORI4QWee4aC5wqien6hivWuhTNjHo2xQr14U4vMtAUNdNZxRIQ2z/B6tGwj94 m/0x5xPde1BdGeltnEzBENbZhBvJNMD1aRx787rZRXv4jKI2S25Mv5npO8JADPxf nCGTljbZCcA8i6sk3C7oRB2ip4iVimYB0dR+0qqJi+9G+ZnfJbHYxISPvD5o4b4R 0LZQtp3XnfLjJMifW5eTJeMFR/hyogJZZa63ppgmFSDrprDSZhOvIkPVOF75HVUE Dcb+kL31i7czJu5+DwXivckbWky2a3XzhhB+uNsRIqYNo36tT9jKJeN5pJPfBE7d 0UcnD7cWOyzZB/XExX0gaV7GGPY/B3uyTO9IN3YzjMRjGjuJZ+Vh4hClFBMxlz+m 06IsBahy0RQU9dPVpulf4HJrxlYYTSllrrO+1JCpyHUj4Z19DNE7bMg/0TPTFiW0 NA5TB4xwnxUrWaOr1YHaEcQIN2qZFJSG7ej8HrvMWfwkYCY4NROsIgpmT0rhGv8Z /9zBPSby8GRxRu5K1VQc2KLeSwKT6qv/djP63Kq6qVwgTi6DvUg= =ch60 -----END PGP SIGNATURE-----