Accepted linux 4.9.189-3+deb9u2 (all source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Nov 2019 12:18:59 +0000
Binary: linux-doc-4.9 linux-headers-4.9.0-11-common linux-headers-4.9.0-11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-11
Source: linux
Architecture: all source
Version: 4.9.189-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description:
linux-doc-4.9 - Linux kernel specific documentation for version 4.9
linux-headers-4.9.0-11-common - Common header files for Linux 4.9.0-11
linux-headers-4.9.0-11-common-rt - Common header files for Linux 4.9.0-11-rt
linux-manual-4.9 - Linux kernel API manual pages for version 4.9
linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
linux-support-4.9.0-11 - Support files for Linux 4.9
Changes:
linux (4.9.189-3+deb9u2) stretch-security; urgency=high
.
  * [x86] Add mitigation for TSX Asynchronous Abort (CVE-2019-11135):
    - KVM: x86: use Intel speculation bugs and features as derived in generic
      x86 code
    - x86/msr: Add the IA32_TSX_CTRL MSR
    - x86/cpu: Add a helper function x86_read_arch_cap_msr()
    - x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
    - x86/speculation/taa: Add mitigation for TSX Async Abort
    - x86/speculation/taa: Add sysfs reporting for TSX Async Abort
    - kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
    - x86/tsx: Add "auto" option to the tsx= cmdline parameter
    - x86/speculation/taa: Add documentation for TSX Async Abort
    - x86/tsx: Add config options to set tsx=on|off|auto
    - x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs
    TSX is now disabled by default; see
    Documentation/hw-vuln/tsx_async_abort.rst
  * [x86] KVM: Add mitigation for Machine Check Error on Page Size Change
    (aka iTLB multi-hit, CVE-2018-12207):
    - KVM: x86: simplify ept_misconfig
    - KVM: x86: extend usage of RET_MMIO_PF_* constants
    - KVM: MMU: drop vcpu param in gpte_access
    - kvm: Convert kvm_lock to a mutex
    - kvm: x86: Do not release the page inside mmu_set_spte()
    - KVM: x86: make FNAME(fetch) and __direct_map more similar
    - KVM: x86: remove now unneeded hugepage gfn adjustment
    - KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON
    - KVM: x86: Add is_executable_pte()
    - KVM: x86: add tracepoints around __direct_map and FNAME(fetch)
    - KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active
    - x86/bugs: Add ITLB_MULTIHIT bug infrastructure
    - cpu/speculation: Uninline and export CPU mitigations helpers
    - kvm: mmu: ITLB_MULTIHIT mitigation
    - kvm: Add helper function for creating VM worker threads
    - kvm: x86: mmu: Recovery of shattered NX large pages
    - Documentation: Add ITLB_MULTIHIT documentation
  * [x86] i915: Mitigate local privilege escalation on gen9 (CVE-2019-0155):
    - drm/i915: kick out cmd_parser specific structs from i915_drv.h
    - drm/i915: cleanup use of INSTR_CLIENT_MASK
    - drm/i915: return EACCES for check_cmd() failures
    - drm/i915: don't whitelist oacontrol in cmd parser
    - drm/i915: Use the precomputed value for whether to enable command parsing
    - drm/i915/cmdparser: Limit clflush to active cachelines
    - drm/i915/gtt: Add read only pages to gen8_pte_encode
    - drm/i915/gtt: Read-only pages for insert_entries on bdw+
    - drm/i915/gtt: Disable read-only support under GVT
    - drm/i915: Prevent writing into a read-only object via a GGTT mmap
    - drm/i915/cmdparser: Check reg_table_count before derefencing.
    - drm/i915/cmdparser: Do not check past the cmd length.
    - drm/i915: Silence smatch for cmdparser
    - drm/i915: Move engine->needs_cmd_parser to engine->flags
    - drm/i915: Rename gen7 cmdparser tables
    - drm/i915: Disable Secure Batches for gen6+
    - drm/i915: Remove Master tables from cmdparser
    - drm/i915: Add support for mandatory cmdparsing
    - drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
    - drm/i915: Allow parsing of unsized batches
    - drm/i915: Add gen9 BCS cmdparsing
    - drm/i915/cmdparser: Use explicit goto for error paths
    - drm/i915/cmdparser: Add support for backward jumps
    - drm/i915/cmdparser: Ignore Length operands during command matching
    - drm/i915/cmdparser: Fix jump whitelist clearing
  * [x86] i915: Mitigate local denial-of-service on gen8/gen9 (CVE-2019-0154):
    - drm/i915: Lower RM timeout to avoid DSI hard hangs
    - drm/i915/gen8+: Add RC6 CTX corruption WA
  * drm/i915: Avoid ABI change for CVE-2019-0155
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----