Accepted linux-4.9 4.9.189-3+deb9u2~deb8u1 (all source) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 12 Nov 2019 22:05:49 +0000
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u2~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
linux-doc-4.9 - Linux kernel specific documentation for version 4.9
linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
linux-manual-4.9 - Linux kernel API manual pages for version 4.9
linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
linux-4.9 (4.9.189-3+deb9u2~deb8u1) jessie-security; urgency=medium
.
* Backport to jessie; no further changes required
.
linux (4.9.189-3+deb9u2) stretch-security; urgency=high
.
* [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
- KVM: x86: use Intel speculation bugs and features as derived in generic
x86 code
- x86/msr: Add the IA32_TSX_CTRL MSR
- x86/cpu: Add a helper function x86_read_arch_cap_msr()
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
- x86/speculation/taa: Add mitigation for TSX Async Abort
- x86/speculation/taa: Add sysfs reporting for TSX Async Abort
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
- x86/tsx: Add "auto" option to the tsx= cmdline parameter
- x86/speculation/taa: Add documentation for TSX Async Abort
- x86/tsx: Add config options to set tsx=on|off|auto
- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
TSX is now disabled by default; see
Documentation/hw-vuln/tsx_async_abort.rst
* [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
(aka iTLB multi-hit, CVE-2018-12207):
- KVM: x86: simplify ept_misconfig
- KVM: x86: extend usage of RET_MMIO_PF_* constants
- KVM: MMU: drop vcpu param in gpte_access
- kvm: Convert kvm_lock to a mutex
- kvm: x86: Do not release the page inside mmu_set_spte()
- KVM: x86: make FNAME(fetch) and __direct_map more similar
- KVM: x86: remove now unneeded hugepage gfn adjustment
- KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
- KVM: x86: Add is_executable_pte()
- KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
- KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
- x86/bugs: Add ITLB_MULTIHIT bug infrastructure
- cpu/speculation: Uninline and export CPU mitigations helpers
- kvm: mmu: ITLB_MULTIHIT mitigation
- kvm: Add helper function for creating VM worker threads
- kvm: x86: mmu: Recovery of shattered NX large pages
- Documentation: Add ITLB_MULTIHIT documentation
* [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
- drm/i915: kick out cmd_parser specific structs from i915_drv.h
- drm/i915: cleanup use of INSTR_CLIENT_MASK
- drm/i915: return EACCES for check_cmd() failures
- drm/i915: don't whitelist oacontrol in cmd parser
- drm/i915: Use the precomputed value for whether to enable command parsing
- drm/i915/cmdparser: Limit clflush to active cachelines
- drm/i915/gtt: Add read only pages to gen8_pte_encode
- drm/i915/gtt: Read-only pages for insert_entries on bdw+
- drm/i915/gtt: Disable read-only support under GVT
- drm/i915: Prevent writing into a read-only object via a GGTT mmap
- drm/i915/cmdparser: Check reg_table_count before derefencing.
- drm/i915/cmdparser: Do not check past the cmd length.
- drm/i915: Silence smatch for cmdparser
- drm/i915: Move engine->needs_cmd_parser to engine->flags
- drm/i915: Rename gen7 cmdparser tables
- drm/i915: Disable Secure Batches for gen6+
- drm/i915: Remove Master tables from cmdparser
- drm/i915: Add support for mandatory cmdparsing
- drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
- drm/i915: Allow parsing of unsized batches
- drm/i915: Add gen9 BCS cmdparsing
- drm/i915/cmdparser: Use explicit goto for error paths
- drm/i915/cmdparser: Add support for backward jumps
- drm/i915/cmdparser: Ignore Length operands during command matching
- drm/i915/cmdparser: Fix jump whitelist clearing
* [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
- drm/i915: Lower RM timeout to avoid DSI hard hangs
- drm/i915/gen8+: Add RC6 CTX corruption WA
* drm/i915: Avoid ABI change for CVE-2019-0155
Checksums-Sha1:
4168501c46e22ef35ff11ea9c6512a7c53f39642 15751 linux-4.9_4.9.189-3+deb9u2~deb8u1.dsc
029c6a8ba641dcb803650490d5e1564570f598a0 2084996 linux-4.9_4.9.189-3+deb9u2~deb8u1.debian.tar.xz
fb99fc110ac08ba37dd39b61794dbe5dfd882857 7712096 linux-headers-4.9.0-0.bpo.11-common_4.9.189-3+deb9u2~deb8u1_all.deb
4ce08d7421f5440df9f6a851cff3adcfaa840d78 5768340 linux-headers-4.9.0-0.bpo.11-common-rt_4.9.189-3+deb9u2~deb8u1_all.deb
a08b617028344cd75343895e3253b5d66157a763 11458098 linux-doc-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
383abb7c53feaae0e1c4ddfd46b6787733aeface 710308 linux-support-4.9.0-0.bpo.11_4.9.189-3+deb9u2~deb8u1_all.deb
1d35c9510b97e8d07c5c40aa24a8458a436d7e0e 3248266 linux-manual-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
5d27b8ef175326b2570ac54485ec9d0080aeacf6 96909574 linux-source-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
Checksums-Sha256:
2d1ec499687d10ca8843e9d96a1d96eac197418c3119f4120516e4175fbf94f6 15751 linux-4.9_4.9.189-3+deb9u2~deb8u1.dsc
a4e58756a7739db662cc71b476126d2a122941664db627875df8a257c7d4e2ae 2084996 linux-4.9_4.9.189-3+deb9u2~deb8u1.debian.tar.xz
f644c99a609f3260c2408cac6cbdc4916f83f73007e0e08447472c94bca983a3 7712096 linux-headers-4.9.0-0.bpo.11-common_4.9.189-3+deb9u2~deb8u1_all.deb
65699356a0d199207284bb096018ea452d220844f3a37d32f142d8d6d0739cbc 5768340 linux-headers-4.9.0-0.bpo.11-common-rt_4.9.189-3+deb9u2~deb8u1_all.deb
4a3b6317bcdd41f0851c72a4560665b78ed2b8a605e2a834d4e5332c2383bbc9 11458098 linux-doc-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
e236d72fd77f485eabb0479aa198847633b9427f7b932e523bd20c8c679eec84 710308 linux-support-4.9.0-0.bpo.11_4.9.189-3+deb9u2~deb8u1_all.deb
294f097154ceb579084bb4a81e1a9b94b0d7db6b510221f245067514555a5c06 3248266 linux-manual-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
e3509811a92be6eb0cc2d56328996968116de49d41801b3bde05228dbf84410c 96909574 linux-source-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
Files:
46bd281fc73cffdedd30a2062e3cb39b 15751 kernel optional linux-4.9_4.9.189-3+deb9u2~deb8u1.dsc
8d37e82cc49f01cf0c1995eeab58413d 2084996 kernel optional linux-4.9_4.9.189-3+deb9u2~deb8u1.debian.tar.xz
719a0066c14b2bcb74276399a6186d7a 7712096 kernel optional linux-headers-4.9.0-0.bpo.11-common_4.9.189-3+deb9u2~deb8u1_all.deb
3ec136a8b17e558b38b78c29a82bd70f 5768340 kernel optional linux-headers-4.9.0-0.bpo.11-common-rt_4.9.189-3+deb9u2~deb8u1_all.deb
045ee2f7bcbc131ee245cc7f0a2d9c7f 11458098 doc optional linux-doc-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
7f9d70660e1cdb28cc423d4c72f9de75 710308 devel optional linux-support-4.9.0-0.bpo.11_4.9.189-3+deb9u2~deb8u1_all.deb
923a93ed862b1058a176ea1377466791 3248266 doc optional linux-manual-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
eee81698f756eae3af6d4067a5072463 96909574 kernel optional linux-source-4.9_4.9.189-3+deb9u2~deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl3MJnAACgkQ57/I7JWG
EQk1yA/+KNSVInbM7pzBG7yUWIyZXS0ab3+b4Z6xASpyrv8UrWZz0XoHpWO10/yd
OzY4fgbMPtUums+Mmamqt9HtyBkcPBVrPaI7sozyTEZXFe+Zyu597IuFbrW0dSyX
HHb1sCKaR/AlDJUL7r4jtW9JXli1T2ZmHhO+pCQ8uOs9Gj/c+/lVbv+v5uNYdVvF
ZoXovyzPaTT+5/7OMZxmC4QtkxEcyv03i/sGCTxKB65TdgkfUbY4R96Z24zVyI7n
azrvegZUbynDfwCRAvhtFAq32sB5kZuua7gq5qJdLmC95CMq8zXBQAyYlubovuPl
i1Zh2zproA2l3QBU1dG6Xc+PkRuccZQ18Htmb86UKqvI2DKT/QM/HWBI73dhRSvd
p6Pe/J4OIzYkM/AU95V8KtE+zwUkCBjqI9FfI4jIm51WDqPEWlq7XOFmUaNg7sXo
yAbeqVfvzpTPjXg0pT2toJO4U4PS6pU0qZOzx+JH4mzu1ykh9RTlZHjg+QqLisxC
OLsxbfHDZunl1HNb6Dgvs+p58Jwtf6pn+7WQqqERl2blts/c1xbvYJnX3j8J3htk
G3mclsOVRsRmrGCkmWYxysGhic0nVdRHjmm9dTnh+qgG3kE4/QT0iFIQ0rK02xPd
9Rlh8R/ALIv8YHGVu2JRIJklViMqBoklDrfkFecebcLCXJHgWdU=
=dy/3
-----END PGP SIGNATURE-----