Format: 1.8
Date: Sat, 29 Nov 2025 14:52:25 +0100
Source: xen
Architecture: source
Version: 4.17.5+72-g01140da4e8-1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Hans van Kranenburg <hans@knorrie.org>
Closes: 1092495 1105193 1105222 1120075
Changes:
 xen (4.17.5+72-g01140da4e8-1) bookworm-security; urgency=medium
 .
   Significant changes:
   * Update to new upstream version 4.17.5+72-g01140da4e8, which also
     contains security fixes for the following issues:
     (Closes: #1105193) (Closes: #1120075)
     - deadlock potential with VT-d and legacy PCI device pass-through
       XSA-467 CVE-2025-1713
     - x86: Indirect Target Selection
       XSA-469 CVE-2024-28956
     - x86: Incorrect stubs exception handling for flags recovery
       XSA-470 CVE-2025-27465
     - x86: Transitive Scheduler Attacks
       XSA-471 CVE-2024-36350 CVE-2024-36357
     - Multiple vulnerabilities in the Viridian interface
       XSA-472 CVE-2025-27466 CVE-2025-58142 CVE-2025-58143
     - Arm issues with page refcounting
       XSA-473 CVE-2025-58144 CVE-2025-58145
     - x86: Incorrect input sanitisation in Viridian hypercalls
       XSA-475 CVE-2025-58147 CVE-2025-58148
     - Incorrect removal of permissions on PCI device unplug
       XSA-476 CVE-2025-58149
   * Note that the following XSA are not listed, because...
     - XSA-468 applies to Windows PV drivers
     - XSA-474 applies to XAPI which is not included in Debian
 .
   Packaging minor fixes and improvements:
   * debian/salsa-ci.yml: adjust for new salsa-ci pipeline
 .
   Additional changes for 4.17 that were not backported upstream:
   * Cherry-pick dd05d265b8 ("x86/intel: Fix PERF_GLOBAL fixup when
     virtualised") to fix a boot loop when using Xen under nested
     virtualization (Closes: #1105222)
 .
 xen (4.17.5+23-ga4e5191dc0-1+deb12u1) bookworm; urgency=medium
 .
   * Ignore lintian error not relevant for bookworm in salsa-ci.
   * Cherry-pick e6472d4668 (tools/xg: increase LZMA_BLOCK_SIZE for
     uncompressing the kernel) to allow direct kernel boot with kernels
     >= 6.12 (Closes: #1092495).