Debian Package Tracker

general

source: xen (main)
version: 4.11.1+92-g6c33308a8d-2
maintainer: Debian Xen Team (archive) (DMD)
uploaders: Guido Trotter [DMD] – Ian Jackson [DMD] – Bastian Blank [DMD]
arch: all amd64 arm64 armhf i386
std-ver: 3.9.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.4.1-9+deb8u10
o-o-sec: 4.4.4lts4-0+deb8u1
oldstable: 4.8.5+shim4.10.2+xsa282-1+deb9u11
old-sec: 4.8.5+shim4.10.2+xsa282-1+deb9u11
stable: 4.11.1+92-g6c33308a8d-2
testing: 4.11.1+92-g6c33308a8d-2
unstable: 4.11.1+92-g6c33308a8d-2

versioned links

4.4.1-9+deb8u10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.4.4lts4-0+deb8u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.8.5+shim4.10.2+xsa282-1+deb9u11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.11.1+92-g6c33308a8d-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libxen-dev
libxencall1
libxendevicemodel1
libxenevtchn1
libxenforeignmemory1
libxengnttab1
libxenmisc4.11
libxenstore3.0
libxentoolcore1
libxentoollog1
xen-doc
xen-hypervisor-4.11-amd64
xen-hypervisor-4.11-arm64
xen-hypervisor-4.11-armhf
xen-hypervisor-common
xen-system-amd64
xen-system-arm64
xen-system-armhf
xen-utils-4.11
xen-utils-common (7 bugs: 0, 5, 2, 0)
xenstore-utils

action needed

lintian reports 6 errors and 54 warnings high

Lintian reports 6 errors and 54 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-08-26 Last update: 2019-08-26 03:36

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.0 instead of 3.9.4).

Created: 2014-08-10 Last update: 2019-07-08 20:08

26 security issues in jessie high

There are 26 open security issues in jessie.

21 important issues:

CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
TEMP-0929992-A28E7B:
CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
TEMP-0930001-09CDD1:
TEMP-0929991-F97A6B:
TEMP-0929998-341CE5:
TEMP-0929995-4F975A:
TEMP-0929993-839329:
TEMP-0929999-332628:
CVE-2018-19966: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595.
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-19962: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones.
CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
TEMP-0929994-6BCADF:
CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2018-19961: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes.
CVE-2018-3665: System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel.
CVE-2018-19965: An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation.
CVE-2018-3620: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
TEMP-0929996-4E12B0:

5 issues skipped by the security teams:

CVE-2016-9816: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2.
CVE-2016-9815: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort.
CVE-2016-9818: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.
CVE-2016-9817: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set.
CVE-2017-10919: Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223.

Please fix them.

Created: 2015-07-12 Last update: 2019-07-07 09:01

13 security issues in stretch high

There are 13 open security issues in stretch.

13 important issues:

CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
TEMP-0929999-332628:
TEMP-0930001-09CDD1:
TEMP-0929998-341CE5:
TEMP-0929995-4F975A:
TEMP-0929993-839329:
CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
TEMP-0929996-4E12B0:
TEMP-0929992-A28E7B:
TEMP-0929994-6BCADF:
CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf
TEMP-0929991-F97A6B:

Please fix them.

Created: 2019-03-05 Last update: 2019-07-07 09:01

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2019-04-01 Last update: 2019-09-19 20:05

Depends on packages which need a new maintainer normal

The packages that xen depends on which need a new maintainer are:

dh-exec (#851746)
- Build-Depends: dh-exec
markdown (#466330)
- Build-Depends: markdown

Created: 2018-10-15 Last update: 2019-09-19 18:14

Multiarch hinter reports 3 issue(s) normal

There are issues with the multiarch metadata for this package.

xen-hypervisor-common could be marked Multi-Arch: foreign
libxen-dev could be marked Multi-Arch: same
xen-doc could be marked Multi-Arch: same

Created: 2018-10-11 Last update: 2019-09-19 17:44

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2016-04-06 Last update: 2019-09-19 15:35

Build log checks report 3 warnings low

Build log checks report 3 warnings

Created: 2019-06-20 Last update: 2019-06-20 02:01

news

[rss feed]

[2019-06-26] xen 4.11.1+92-g6c33308a8d-2 MIGRATED to testing (Debian testing watch)
[2019-06-24] Accepted xen 4.11.1+92-g6c33308a8d-2 (all amd64 source) into unstable (Hans van Kranenburg) (signed by: Ian Jackson)
[2019-06-19] Accepted xen 4.11.1+92-g6c33308a8d-1 (all amd64 source) into unstable (Hans van Kranenburg) (signed by: Ian Jackson)
[2019-03-11] xen 4.11.1+26-g87f51bf366-3 MIGRATED to testing (Debian testing watch)
[2019-02-28] Accepted xen 4.11.1+26-g87f51bf366-3 (all amd64 source) into unstable (Ian Jackson)
[2019-02-22] Accepted xen 4.11.1+26-g87f51bf366-2 (all amd64 source) into unstable (Ian Jackson)
[2019-01-29] Accepted xen 4.8.5+shim4.10.2+xsa282-1+deb9u11 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2019-01-16] xen 4.11.1-1 MIGRATED to testing (Debian testing watch)
[2019-01-14] Accepted xen 4.8.5+shim4.10.2+xsa282-1+deb9u11 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2019-01-10] Accepted xen 4.11.1-1 (all amd64 source) into unstable (Hans van Kranenburg) (signed by: Ian Jackson)
[2018-11-12] Accepted xen 4.4.4lts4-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-29] Accepted xen 4.4.4lts3-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-24] xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-5 MIGRATED to testing (Debian testing watch)
[2018-10-18] Accepted xen 4.4.4lts2-0+deb8u1 (source all amd64) into oldstable (Felix Geyer)
[2018-10-15] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-5 (source) into unstable (Ian Jackson)
[2018-10-15] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-4 (source) into unstable (Ian Jackson)
[2018-10-12] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-3 (source) into unstable (Ian Jackson)
[2018-10-11] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 (all amd64 source) into unstable, unstable (Ian Jackson)
[2018-09-12] Accepted xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1 (amd64 source) into experimental, experimental (Hans van Kranenburg) (signed by: Ian Jackson)
[2018-09-05] Accepted xen 4.4.4lts1-0+deb8u1 (source all) into oldstable (Bastian Blank)
[2018-08-17] Accepted xen 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Wolodja Wentland) (signed by: Ian Jackson)
[2018-08-16] Accepted xen 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (all amd64 source) into stable->embargoed, stable (Wolodja Wentland) (signed by: Ian Jackson)
[2018-07-16] xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 MIGRATED to testing (Debian testing watch)
[2018-07-01] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-06-27] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-06-24] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-06-20] Accepted xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 (all amd64 source) into stable->embargoed, stable (Ian Jackson)
[2018-05-28] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-05-28] Accepted xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6 (all amd64 source) into proposed-updates->stable-new, proposed-updates (Ian Jackson)
[2018-05-25] Accepted xen 4.1.6.lts1-14 (source all amd64) into oldoldstable (Felix Geyer)

bugs [bug history graph]

all: 35 39
RC: 0
I&N: 27 31
M&W: 7
F&P: 1
patch: 2

links

homepage
lintian (6, 54)
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.9.2-0ubuntu2
59 bugs (11 patches)
patches for 4.9.2-0ubuntu2