Skip to main content
search

Downloads

Xen Project 4.14.5

Xen Project 4.14.5

We are pleased to announce the release of Xen 4.14.5. This is available immediately from its git repository

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.14 (tag RELEASE-4.14.5) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 17848dfed4: update Xen version to 4.14.5 [Jan Beulich]
  • eeaf24cced: livepatch: avoid relocations referencing ignored section symbols [Roger Pau Monné]
  • 97258d8819: livepatch: do not ignore sections with 0 size [Roger Pau Monné]
  • 019e56a052: vPCI: replace %pp [Jan Beulich]
  • 9c4d3fbf1a: x86/cpuid: Clobber CPUID leaves 0x800000{1d..20} in policies [Andrew Cooper]
  • 140a95dd06: VT-d: avoid infinite recursion on domain_context_mapping_one() error path [Jan Beulich]
  • 78630ac4be: VT-d: avoid NULL deref on domain_context_mapping_one() error paths [Jan Beulich]
  • d3568578ba: VT-d: don’t needlessly look up DID [Jan Beulich]
  • d7b22226b5: tools/firmware: do not add a .note.gnu.property section [Roger Pau Monné]
  • 87faac2c5e: tools/firmware: force -fcf-protection=none [Roger Pau Monné]
  • 3f48134e31: libxl: Re-scope qmp_proxy_spawn.ao usage [Jason Andryuk]
  • 3486d599f7: libxl: Don’t segfault on soft-reset failure [Jason Andryuk]
  • 294d12c842: xl: Fix global pci options [Jason Andryuk]
  • 47188b2fdc: vpci/msix: fix PBA accesses [Roger Pau Monné]
  • a3b6ec391c: xz: validate the value before assigning it to an enum variable [Lasse Collin]
  • a220fe8768: xz: avoid overlapping memcpy() with invalid input with in-place decompression [Lasse Collin]
  • f21d287506: tools/libxl: don’t allow IOMMU usage with PoD [Roger Pau Monné]
  • a2f7300559: x86/console: process softirqs between warning prints [Roger Pau Monné]
  • cc06d95c41: x86emul: fix VPBLENDMW with mask and memory operand [Jan Beulich]
  • 8369474709: build: fix exported variable name CFLAGS_stack_boundary [Anthony PERARD]
  • a58f5fdc1b: tools/libs/light: set video_mem for PVH guests [Juergen Gross]
  • 67f52a2e2d: tools/libxl: Correctly align the ACPI tables [Kevin Stefanov]
  • 576d4697cd: update Xen version to 4.14.5-pre [Jan Beulich]
  • faed81ff39: IOMMU/x86: use per-device page tables for quarantining [Jan Beulich]
  • 3e4c94da53: AMD/IOMMU: abstract maximum number of page table levels [Jan Beulich]
  • bdea7e425c: IOMMU/x86: drop TLB flushes from quarantine_init() hooks [Jan Beulich]
  • 27b89fdd09: IOMMU/x86: maintain a per-device pseudo domain ID [Jan Beulich]
  • 77c1cb2ae4: VT-d: prepare for per-device quarantine page tables (part II) [Jan Beulich]
  • 680517b6e3: VT-d: prepare for per-device quarantine page tables (part I) [Jan Beulich]
  • 037d360f57: AMD/IOMMU: re-assign devices directly [Jan Beulich]
  • 8a9a21b1ad: VT-d: re-assign devices directly [Jan Beulich]
  • bff4c690b2: VT-d: drop ownership checking from domain_context_mapping_one() [Jan Beulich]
  • 419a09377d: VT-d: fix add/remove ordering when RMRRs are in use [Jan Beulich]
  • b382b7d2ff: VT-d: fix (de)assign ordering when RMRRs are in use [Jan Beulich]
  • 9d7046b644: VT-d: correct ordering of operations in cleanup_domid_map() [Jan Beulich]
  • abfa80967b: x86/hap: do not switch on log dirty for VRAM tracking [Roger Pau Monné]
  • 57cd4b1c52: livepatch: account for patch offset when applying NOP patch [Jan Beulich]
  • 1e595d9c2b: livepatch: resolve old address before function verification [Bjoern Doebel]
  • 10b09aa254: x86/cet: Remove XEN_SHSTK’s dependency on EXPERT [Andrew Cooper]
  • 72a75b9c2c: xen/x86: Livepatch: support patching CET-enhanced functions [Bjoern Doebel]
  • 6db6418770: x86/cet: Remove writeable mapping of the BSPs shadow stack [Andrew Cooper]
  • c843a3030b: x86/cet: Clear IST supervisor token busy bits on S3 resume [Andrew Cooper]
  • 37e594c58f: x86/kexec: Fix kexec-reboot with CET active [Andrew Cooper]
  • 631d8408bb: x86/spec-ctrl: Disable retpolines with CET-IBT [Andrew Cooper]
  • 1bb2a88f0c: x86/CET: Fix S3 resume with shadow stacks active [Andrew Cooper]
  • e56827aa68: x86: Enable CET Indirect Branch Tracking [Andrew Cooper]
  • cc080e630f: x86/EFI: Disable CET-IBT around Runtime Services calls [Andrew Cooper]
  • 9bdbbf1b46: x86/setup: Rework MSR_S_CET handling for CET-IBT [Andrew Cooper]
  • 3e010879f3: x86/entry: Make IDT entrypoints CET-IBT compatible [Andrew Cooper]
  • ae18093e20: x86/entry: Make syscall/sysenter entrypoints CET-IBT compatible [Andrew Cooper]
  • 56bf74df51: x86/emul: Update emulation stubs to be CET-IBT compatible [Andrew Cooper]
  • fbc882c026: x86: Introduce helpers/checks for endbr64 instructions [Andrew Cooper]
  • 334120359d: x86/traps: Rework write_stub_trampoline() to not hardcode the jmp [Andrew Cooper]
  • 5e7db069bd: x86/alternatives: Clear CR4.CET when clearing CR0.WP [Andrew Cooper]
  • 6c932a788c: x86/setup: Read CR4 earlier in __start_xen() [Andrew Cooper]
  • d220178b3c: x86: Introduce support for CET-IBT [Andrew Cooper]
  • ca304edd3b: x86/spec-ctrl: Cease using thunk=lfence on AMD [Andrew Cooper]
  • 7cebd77c80: xen/arm: Allow to discover and use SMCCC_ARCH_WORKAROUND_3 [Bertrand Marquis]
  • fc56dd212e: xen/arm: Add Spectre BHB handling [Rahul Singh]
  • ee4b53ae1b: xen/arm: Add ECBHB and CLEARBHB ID fields [Bertrand Marquis]
  • 6da7a845fb: xen/arm: move errata CSV2 check earlier [Bertrand Marquis]
  • 021466aa73: xen/arm: Introduce new Arm processors [Bertrand Marquis]
  • 496fb0be93: x86/spec-ctrl: Support Intel PSFD for guests [Andrew Cooper]
  • 90565c9e5d: x86/cpuid: Infrastructure for cpuid word 7:2.edx [Andrew Cooper]
  • 96e94760ae: x86/tsx: Cope with TSX deprecation on WHL-R/CFL-R [Andrew Cooper]
  • 366d442477: x86/tsx: Move has_rtm_always_abort to an outer scope [Andrew Cooper]
  • 89eede6122: x86/spec-ctrl: Clean up MSR_MCU_OPT_CTRL handling [Andrew Cooper]
  • 08ec8c11d6: x86/cpuid: Infrastructure for leaf 7:1.ebx [Jan Beulich]
  • 6af894521e: x86/cpuid: Disentangle logic for new feature leaves [Andrew Cooper]
  • f2eaa78606: x86/cpuid: Enable MSR_SPEC_CTRL in SVM guests by default [Andrew Cooper]
  • 29ea3b4540: x86/msr: AMD MSR_SPEC_CTRL infrastructure [Andrew Cooper]
  • 15bb12ed36: x86/svm: VMEntry/Exit logic for MSR_SPEC_CTRL [Andrew Cooper]
  • 6468c20920: x86/spec-ctrl: Use common MSR_SPEC_CTRL logic for AMD [Andrew Cooper]
  • 5170ac955b: x86/spec-ctrl: Record the last write to MSR_SPEC_CTRL [Andrew Cooper]
  • fc86553008: x86/spec-ctrl: Don’t use spec_ctrl_{enter,exit}_idle() for S3 [Andrew Cooper]
  • 1a52e3946d: x86/spec-ctrl: Introduce new has_spec_ctrl boolean [Andrew Cooper]
  • 35d0ea6726: x86/spec-ctrl: Drop use_spec_ctrl boolean [Andrew Cooper]
  • 92dc2dad83: x86/cpuid: Advertise SSB_NO to guests by default [Andrew Cooper]
  • ae0cdc8fac: x86/msr: Fix migration compatibility issue with MSR_SPEC_CTRL [Andrew Cooper]
  • 2c234462f3: x86/vmx: Drop spec_ctrl load in VMEntry path [Andrew Cooper]
  • 1a914256dc: x86/cpuid: support LFENCE always serialising CPUID bit [Roger Pau Monné]
  • 219542eab0: x86/amd: split LFENCE dispatch serializing setup logic into helper [Roger Pau Monné]

This release also contains changes to qemu-upstream, whose changelogs we do not list here as it contains many changes that are not directly releated to the Xen Project Hypervisor and thus this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.14.4 and qemu-xen-4.14.5).

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes.

XSA Xen qemu-traditional qemu-upstream
XSA-396 N/A (Linux only) N/A N/A
XSA-397 Applied N/A N/A
XSA-398 Applied N/A N/A
XSA-399 Applied N/A N/A
XSA-400 Applied N/A N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.14 stable series to update to this latest point release.

Close Menu