Debian Package Tracker

general

source: xen (main)
version: 4.11.1-1
maintainer: Debian Xen Team (archive) [DMD]
uploaders: Guido Trotter [DMD] – Ian Jackson [DMD] – Bastian Blank [DMD]
arch: all amd64 arm64 armhf i386
std-ver: 3.9.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.1.4-3+deb7u9
o-o-sec: 4.1.6.lts1-14
oldstable: 4.4.1-9+deb8u10
old-sec: 4.4.4lts4-0+deb8u1
stable: 4.8.5+shim4.10.2+xsa282-1+deb9u11
stable-sec: 4.8.5+shim4.10.2+xsa282-1+deb9u11
testing: 4.11.1-1
unstable: 4.11.1-1

versioned links

4.1.4-3+deb7u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.1.6.lts1-14: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.1-9+deb8u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.4lts4-0+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.8.5+shim4.10.2+xsa282-1+deb9u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libxen-dev
libxencall1
libxendevicemodel1
libxenevtchn1
libxenforeignmemory1
libxengnttab1
libxenmisc4.11
libxenstore3.0
libxentoolcore1
libxentoollog1
xen-doc
xen-hypervisor-4.11-amd64
xen-hypervisor-4.11-arm64
xen-hypervisor-4.11-armhf
xen-hypervisor-common
xen-system-amd64
xen-system-arm64
xen-system-armhf
xen-utils-4.11
xen-utils-common
xenstore-utils

action needed

13 security issues in jessie high

There are 13 open security issues in jessie.

8 important issues:

CVE-2018-19961: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
CVE-2018-19965: An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
CVE-2018-19966: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.
CVE-2018-19962: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

5 issues skipped by the security teams:

CVE-2016-9818: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.
CVE-2017-10919: Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.
CVE-2016-9817: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.
CVE-2016-9816: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.
CVE-2016-9815: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.

Please fix them.

Created: 2015-07-12 Last update: 2019-02-16 15:14

lintian reports 2 errors and 109 warnings high

Lintian reports 2 errors and 109 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-01-13 Last update: 2019-01-13 08:47

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.3.0 instead of 3.9.4).

Created: 2014-08-10 Last update: 2019-01-11 01:38

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2018-10-01 Last update: 2019-02-18 06:05

Depends on packages which need a new maintainer normal

The packages that xen depends on which need a new maintainer are:

markdown (#466330)
- Build-Depends: markdown

Created: 2018-10-15 Last update: 2019-02-18 04:31

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

xen-hypervisor-common could be marked Multi-Arch: foreign
libxen-dev could be marked Multi-Arch: same

Created: 2018-10-11 Last update: 2019-02-18 04:11

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2016-04-06 Last update: 2019-02-18 02:43

11 new commits since last upload, time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 4.11.1-2~, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d872598a98d7e9ddf2901b82bc2cdb226aaa5613
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Sun Feb 3 22:39:38 2019 +0100

    debian/.gitignore: ignore more debhelper snippets
    
    Stuff like:
    
    debian/xen-utils-common.preinst.debhelper
    debian/xen-utils-common.prerm.debhelper

commit ea15b93d5d4eaaa3f484613826a9e855e2d9b8d9
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Sun Feb 3 15:41:29 2019 +0100

    debian/xen-utils-common.*: remove more xend cruft
    
    Ah, these files are still present on my dom0, while they're obsolete and
    not shipped any more. Have them removed, so that they don't confuse the
    user.
    
    (Someone might run into old documentation about xend and see that the
    files are there, and try setting options, which don't do anything
    etc...)
    
    Unpacking xen-utils-common (4.11.1-2~) over (4.11.1-2~) ...
    Setting up xen-utils-common (4.11.1-2~) ...
    Obsolete conffile /etc/default/xend has been modified by you.
    Saving as /etc/default/xend.dpkg-bak ...
    Removing obsolete conffile /etc/xen/xend-config.sxp ...
    Removing obsolete conffile /etc/xen/xend-pci-permissive.sxp ...
    Removing obsolete conffile /etc/xen/xend-pci-quirks.sxp ...
    [...]

commit 402f19232da36d2b87b80d3592cff9f60fb32317
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Fri Feb 1 16:22:13 2019 +0100

    debian/control: bump debhelper builddep to 10
    
    The debian/compat file contains '10', so make sure that there's actually
    a debhelper being dragged in that can do everything needed.
    
    This fixes the lintian warning:
        package-needs-versioned-debhelper-build-depends

commit bfb7387f64b4b78a42be28fae4eb24ec7a2595b5
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Fri Feb 1 16:16:26 2019 +0100

    d/xen-utils-V...: override xen-shim-syms lintian
    
    This is ok, it's not a file that is meant to be executed on the host
    system itself.

commit f943f76c33b9e1358d43d3c5c2acd9039e59b3df
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Fri Feb 1 16:08:54 2019 +0100

    debian/control: add dh-python build-dep
    
    Lintian is complaining: missing-build-dependency-for-dh_-command
    
    "The source package appears to be using a dh_ command but doesn't build
    depend on the package that actually provides it. If it uses it, it must
    build depend on it."

commit 71de8514d57f4040d3ec438c5438e454e68fb9ef
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Fri Feb 1 15:55:50 2019 +0100

    debian/libxenstore3.0.symbols: revert ea2334dfe0
    
    This part of commit ea2334dfe0 was left behind after redoing the
    packaging and getting all libraries in the right place. The build now
    complains about it:
    
    dpkg-gensymbols: warning: some libraries disappeared in the symbols
    file: libxentoolcore-4.10.so.1
    
    dpkg-gensymbols: warning: debian/libxenstore3.0/DEBIAN/symbols doesn't
    match completely debian/libxenstore3.0.symbols

commit 6c310c8f900349f4874d022fb465b27164867907
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Tue Jan 22 19:58:32 2019 +0100

    debian/xen-utils-common.*: remove xend cruft
    
    xend is obsolete and removed. Still, there are some traces of it in init
    and other scripts. Remove all of it now.
    
    Also remove a migration step about upgrading to 4.1, since we don't
    support directly upgrading from something older than that to the current
    package.

commit a8ba67214681b6c5a5d7486550585116f1690ed0
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Thu Jan 24 01:24:55 2019 +0100

    d/control: xenstore-utils breaks xen-utils-common
    
    In the theoretical case that xenstore-utils gets upgraded, when
    upgrading from Stretch to Buster, and then deliberately gets downgraded
    again by the user, a few manual page files could be removed.
    
    In a normal sane upgrade scenario this would never happen.

commit b6909b92f28cd388f390f1c99c2f3f1e06b59cfa
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Thu Jan 24 00:37:30 2019 +0100

    d/control: have xen-utils-common suggest xen-doc

commit d461dc6fbe180c564de4f514a4fe7266f02a8fea
Author: Hans van Kranenburg <hans@knorrie.org>
Date:   Sun Jan 20 00:16:31 2019 +0100

    d/[..]/grub.d/xen.cfg: command line "starter kit"
    
    As pointed out by Gergely in debian bug #919758, the examples in the
    grub documentation contain incorrect suggestions, at least for dom0_mem
    and earlyprintk.
    
    Correct those, and take the opportunity to refresh all of this a bit,
    including the most common set of used options.
    
    Also, point to the online documentation where more explanation about all
    options can be found.
    
    (Closes: #919758)

commit 25553b5896acc3e367de77322665703b6a73f675
Author: Ian Jackson <ian.jackson@citrix.com>
Date:   Thu Jan 10 15:45:45 2019 +0000

    changelog: start an empty changelog for 4.11.1-2~
    
    Signed-off-by: Ian Jackson <ian.jackson@citrix.com>

Created: 2019-01-10 Last update: 2019-02-17 07:02

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2018-10-12 Last update: 2018-10-12 22:42

news

[rss feed]

[2019-01-29] Accepted xen 4.8.5+shim4.10.2+xsa282-1+deb9u11 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2019-01-16] xen 4.11.1-1 MIGRATED to testing (Debian testing watch)
[2019-01-14] Accepted xen 4.8.5+shim4.10.2+xsa282-1+deb9u11 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2019-01-10] Accepted xen 4.11.1-1 (all amd64 source) into unstable (Hans van Kranenburg) (signed by: Ian Jackson)
[2018-11-12] Accepted xen 4.4.4lts4-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-29] Accepted xen 4.4.4lts3-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-24] xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-5 MIGRATED to testing (Debian testing watch)
[2018-10-18] Accepted xen 4.4.4lts2-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-15] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-5 (source) into unstable (Ian Jackson)
[2018-10-15] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-4 (source) into unstable (Ian Jackson)
[2018-10-12] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-3 (source) into unstable (Ian Jackson)
[2018-10-11] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 (all amd64 source) into unstable, unstable (Ian Jackson)
[2018-09-12] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1 (amd64 source) into experimental, experimental (Hans van Kranenburg) (signed by: Ian Jackson)
[2018-09-05] Accepted xen 4.4.4lts1-0+deb8u1 (source all) into oldstable (Bastian Blank)
[2018-08-17] Accepted xen 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Wolodja Wentland) (signed by: Ian Jackson)
[2018-08-16] Accepted xen 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (all amd64 source) into stable->embargoed, stable (Wolodja Wentland) (signed by: Ian Jackson)
[2018-07-16] xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 MIGRATED to testing (Debian testing watch)
[2018-07-01] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-06-27] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-06-24] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-06-20] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-05-28] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-05-28] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-05-25] Accepted xen 4.1.6.lts1-14 (source all amd64) into oldoldstable (Felix Geyer)
[2018-05-25] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-05-15] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-03-12] xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 MIGRATED to testing (Debian testing watch)
[2018-03-05] Accepted xen 4.1.6.lts1-13 (source all amd64) into oldoldstable (Felix Geyer)
[2018-03-05] Accepted xen 4.1.6.lts1-13 (source all amd64) into oldoldstable (Felix Geyer)
[2018-03-04] Accepted xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)

bugs [bug history graph]

all: 59 64
RC: 2
I&N: 45 50
M&W: 7
F&P: 5
patch: 4

links

homepage
lintian (2, 109)
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.9.2-0ubuntu2
57 bugs (10 patches)
patches for 4.9.2-0ubuntu2