xen (4.17.5+23-ga4e5191dc0-1+deb12u1) bookworm; urgency=medium

  * Ignore lintian error not relevant for bookworm in salsa-ci.
  * Cherry-pick e6472d4668 (tools/xg: increase LZMA_BLOCK_SIZE for
    uncompressing the kernel) to allow direct kernel boot with kernels >=
    6.12 (Closes: #1092495).

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Wed, 19 Feb 2025 00:00:27 +0100

xen (4.17.5+23-ga4e5191dc0-1) bookworm-security; urgency=medium

  * Update to new upstream version 4.17.5+23-ga4e5191dc0, which also contains
    security fixes for the following issues:
    - x86: shadow stack vs exceptions from emulation stubs
      XSA-451 CVE-2023-46841
    - x86: Register File Data Sampling
      XSA-452 CVE-2023-28746
    - GhostRace: Speculative Race Conditions
      XSA-453 CVE-2024-2193
    - x86 HVM hypercalls may trigger Xen bug check
      XSA-454 CVE-2023-46842
    - x86: Incorrect logic for BTC/SRSO mitigations
      XSA-455 CVE-2024-31142
    - x86: Native Branch History Injection
      XSA-456 CVE-2024-2201
    - double unlock in x86 guest IRQ handling
      XSA-458 CVE-2024-31143
    - error handling in x86 IOMMU identity mapping
      XSA-460 CVE-2024-31145
    - PCI device pass-through with shared resources
      XSA-461 CVE-2024-31146
    - x86: Deadlock in vlapic_error()
      XSA-462 CVE-2024-45817
    - Deadlock in x86 HVM standard VGA handling
      XSA-463 CVE-2024-45818
    - libxl leaks data to PVH guests via ACPI tables
      XSA-464 CVE-2024-45819
  * Note that the following XSA are not listed, because...
    - XSA-457 and XSA-465 have patches for the Linux kernel.
    - XSA-459 is within Xapi which is not shipped by this package.
    - XSA-466 contains a documentation update that was only applied to the
      current development version of Xen

 -- Hans van Kranenburg <hans@knorrie.org>  Fri, 20 Dec 2024 18:46:37 +0100

xen (4.17.3+10-g091466ba55-1~deb12u1) bookworm; urgency=medium

  * Rebuild 4.17.3+10-g091466ba55-1 for Bookworm to address the security
    issues since last Debian stable update.

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 04 Feb 2024 16:31:59 +0100

xen (4.17.3+10-g091466ba55-1) unstable; urgency=medium

  * Update to new upstream version 4.17.3+10-g091466ba55, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated (take two)
      XSA-447 CVE-2023-46837
    - pci: phantom functions assigned to incorrect contexts
      XSA-449 CVE-2023-46839
    - VT-d: Failure to quarantine devices in !HVM builds
      XSA-450 CVE-2023-46840
  * Note that the following XSA are not listed, because...
    - XSA-448 has patches for the Linux kernel.
  * Compilation with Python 3.12 has been fixed in upstream commit 4000522008
    ("Only compile the hypervisor with -Wdeclaration-after-statement")
    (Closes: #1062048)

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 04 Feb 2024 13:45:17 +0100

xen (4.17.2+76-ge1f9cb16e2-1~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm to address the security issues since
    4.17.1+2-gb773c48e36-1 listed blow.
  * d/salsa-ci.yml: Set RELEASE variable to bookworm

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Sat, 02 Dec 2023 17:58:08 +0100

xen (4.17.2+76-ge1f9cb16e2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2-76-ge1f9cb16e2, which also contains
    security fixes for the following issues: (Closes: #1056928)
    - x86/AMD: mismatch in IOMMU quarantine page table levels
      XSA-445 CVE-2023-46835
    - x86: BTC/SRSO fixes not fully effective
      XSA-446 CVE-2023-46836

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Wed, 29 Nov 2023 20:17:30 +0100

xen (4.17.2+55-g0b56bed864-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2+55-g0b56bed864, which also contains
    security fixes for the following issues:
    - arm32: The cache may not be properly cleaned/invalidated
      XSA-437 CVE-2023-34321
    - top-level shadow reference dropped too early for 64-bit PV guests
      XSA-438 CVE-2023-34322
    - x86/AMD: Divide speculative information leak
      XSA-439 CVE-2023-20588
    - xenstored: A transaction conflict can crash C Xenstored
      XSA-440 CVE-2023-34323
    - x86/AMD: missing IOMMU TLB flushing
      XSA-442 CVE-2023-34326
    - Multiple vulnerabilities in libfsimage disk handling
      XSA-443 CVE-2023-34325
    - x86/AMD: Debug Mask handling
      XSA-444 CVE-2023-34327 CVE-2023-34328
  * Note that the following XSA are not listed, because...
    - XSA-441 has patches for the Linux kernel.

 -- Hans van Kranenburg <hans@knorrie.org>  Thu, 12 Oct 2023 19:25:55 +0200

xen (4.17.2-1) unstable; urgency=medium

  * Update to new upstream version 4.17.2, which also contains
    security fixes for the following issues: (Closes: #1042102)
    - x86/AMD: Zenbleed
      XSA-433 CVE-2023-20593
    - x86/AMD: Speculative Return Stack Overflow
      XSA-434 CVE-2023-20569
    - x86/Intel: Gather Data Sampling
      XSA-435 CVE-2022-40982
    - arm: Guests can trigger a deadlock on Cortex-A77
      XSA-436 CVE-2023-34320
  * Note that the following XSA are not listed, because...
    - XSA-432 has patches for the Linux kernel.

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Sun, 20 Aug 2023 16:08:59 +0200

xen (4.17.1+2-gb773c48e36-1) unstable; urgency=medium

  * Update to new upstream version 4.17.1+2-gb773c48e36, which also contains
    security fixes for the following issues:
    - x86 shadow paging arbitrary pointer dereference
      XSA-430 CVE-2022-42335
      (Closes: #1034842)
    - Mishandling of guest SSBD selection on AMD hardware
      XSA-431 CVE-2022-42336

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Thu, 18 May 2023 21:26:30 +0200

xen (4.17.0+74-g3eac216e6e-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+74-g3eac216e6e, which also contains
    security fixes for the following issues: (Closes: #1033297)
    - x86 shadow plus log-dirty mode use-after-free
      XSA-427 CVE-2022-42332
    - x86/HVM pinned cache attributes mis-handling
      XSA-428 CVE-2022-42333 CVE-2022-42334
    - x86: speculative vulnerability in 32bit SYSCALL path
      XSA-429 CVE-2022-42331

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Thu, 23 Mar 2023 22:22:48 +0100

xen (4.17.0+46-gaaf74a532c-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+46-gaaf74a532c, which also contains
    security fixes for the following issues:
     - x86: Cross-Thread Return Address Predictions
       XSA-426 CVE-2022-27672
       (Closes: #1031567)
  * debian/shuffle-boot-files: fix typo
  * debian/changelog: Fix bug number typo.
  * debian/changelog: Remove duplicate 'Note that'

 -- Hans van Kranenburg <hans@knorrie.org>  Fri, 24 Feb 2023 18:06:42 +0100

xen (4.17.0+24-g2f8851c37f-2) unstable; urgency=medium

  * Upload to unstable now, since we got message from the OCaml team that we
    are not bothering them while they're doing their stack rebuild.

 -- Hans van Kranenburg <hans@knorrie.org>  Mon, 06 Feb 2023 14:27:40 +0100

xen (4.17.0+24-g2f8851c37f-2~exp1) experimental; urgency=medium

  * Upload to experimental NEW to avoid disrupting ocaml transition.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sun, 05 Feb 2023 13:07:44 +0000

xen (4.17.0+24-g2f8851c37f-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0+24-g2f8851c37f, which also contains
    security fixes for the following issues:
     - Guests can cause Xenstore crash via soft reset
       XSA-425 CVE-2022-42330
       (Closes: #1029830)
  * d/control: update build dependency to libext2fs-dev
  * debian: switch to debhelper compat version 13
  * d/rules: 'dh_missing --fail-missing' is default in dh compat 13
  * d/control: change Depends from lsb-base to sysvinit-utils
  * debian: split debug files out of xen-hypervisor-V-F and xen-utils-V. This
    means that we now start to ship additional separate *-dbg packages.
  * d/xen-utils-common.xendomains.default: remove XENDOMAINS_SYSRQ
  * d/xen-utils-common.xendomains.default: adjust to upstream template
  * debian: remove old leftovers from config file handling
  * d/control: set Rules-Requires-Root: no
  * d/xen-hypervisor-common.lintian-overrides: ignore false positive about
    'debian-news-entry-has-unknown-version'
  * d/rules: use pkg-info.mk and do Maintainer parsing in d/rules
  * Update patch 'Display Debian package version in hypervisor log' to use
    the DEB_VERSION and DEB_MAINTAINER variables that are now available.

  [ Diederik de Haas ]
  * d/control: Drop markdown B-D for documentation
  * ci: Update reason why arm64 crossbuild is disabled

  [ Hans van Kranenburg ]
  * d/copyright: rewrite the file from scratch and make it up to date
  * d/shuffle-boot-files: Add a note about d/not-installed
  * d/shuffle-boot-files: Also handle debug files (Closes: #995233)

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Wed, 01 Feb 2023 21:52:15 +0100

xen (4.17.0-1) unstable; urgency=medium

  * Update to new upstream version 4.17.0.
  * No new security fixes are included.
  * Note that the following XSA are not listed, because...
    - XSA-423 and XSA-424 have patches for the Linux kernel.
  * debian/control: update Standards-Version to 4.6.2
  * debian/control: update Build-Depends for ocaml

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Wed, 21 Dec 2022 22:34:51 +0100

xen (4.17.0~rc4-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.17.0~rc4.

  Changes related to upgrading to Xen 4.17:
  * debian/control: adjust to 4.17
  * Drop "libxl: Fix unneededly rebuilding build.o(pic)", no longer needed
  * Refresh remaining patches if needed

 -- Maximilian Engelhardt <maxi@daemonizer.de>  Wed, 07 Dec 2022 21:01:04 +0100

xen (4.16.2+90-g0d39a6d1ae-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2+90-g0d39a6d1ae, which also contains
    security fixes for the following issues:
     - Xenstore: guests can let run xenstored out of memory
       XSA-326 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314
       CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318
     - Arm: unbounded memory consumption for 2nd-level page tables
       XSA-409 CVE-2022-33747
     - P2M pool freeing may take excessively long
       XSA-410 CVE-2022-33746
     - lock order inversion in transitive grant copy handling
       XSA-411 CVE-2022-33748
     - x86: unintended memory sharing between guests
       XSA-412 CVE-2022-42327
     - Xenstore: Guests can crash xenstored
       XSA-414 CVE-2022-42309
     - Xenstore: Guests can create orphaned Xenstore nodes
       XSA-415 CVE-2022-42310
     - Xenstore: Guests can cause Xenstore to not free temporary memory
       XSA-416 CVE-2022-42319
     - Xenstore: Guests can get access to Xenstore nodes of deleted domains
       XSA-417 CVE-2022-42320
     - Xenstore: Guests can crash xenstored via exhausting the stack
       XSA-418 CVE-2022-42321
     - Xenstore: Cooperating guests can create arbitrary numbers of nodes
       XSA-419 CVE-2022-42322 CVE-2022-42323
     - Oxenstored 32->31 bit integer truncation issues
       XSA-420 CVE-2022-42324
     - Xenstore: Guests can create arbitrary number of nodes via transactions
       XSA-421 CVE-2022-42325 CVE-2022-42326
     - x86: Multiple speculative security issues
       XSA-422 CVE-2022-23824
   * Note that the following XSA are not listed, because...
     - XSA-413 applies to XAPI which is not included in Debian
   * Drop the "x86/CPUID: surface suitable value in EBX of XSTATE subleaf 1"
     patch again because it's included in upstream changes now.

 -- Hans van Kranenburg <hans@knorrie.org>  Wed, 16 Nov 2022 12:50:33 +0100

xen (4.16.2-2) unstable; urgency=medium

  * debian/control: Add libzstd-dev as Build-Depends
  * Pick upstream commit c3bd0b83ea ("x86/CPUID: surface suitable value in EBX
    of XSTATE subleaf 1") to fix compatibility with Linux 5.19.
    (Closes: #1020787)

 -- Hans van Kranenburg <hans@knorrie.org>  Wed, 28 Sep 2022 19:03:14 +0200

xen (4.16.2-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2, which also contains
    security fixes for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
      Note that this XSA also contains patches that have to be applied to the
      Linux kernel to make use of the new mitigations.
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  * d/.../grub.d/xen.cfg: Redirect output when running grub-mkconfig so that
    we do not wrongly cause text to end up being part of the generated grub
    configuration. (Closes: #1016547)
  * Clean up lintian overrides that are reported as unused.
  * Move comments about lintian overrides above the override line itself,
    instead of being below, as instructed by the lintian documentation.
  * Deal with formatting changes in lintian output, which invalidate
    overrides we have. Also see Debian bug #1007002 for more information.

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 23 Aug 2022 13:25:38 +0200

xen (4.16.1-1) unstable; urgency=medium

  * Update to new upstream version 4.16.1, which also contains security fixes
    for the following issues:
    - Racy interactions between dirty vram tracking and paging log dirty
      hypercalls
      XSA-397 CVE-2022-26356
    - Multiple speculative security issues
      XSA-398 (no CVE yet)
    - race in VT-d domain ID cleanup
      XSA-399 CVE-2022-26357
    - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
      XSA-400 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361
  * Note that the following XSA are not listed, because...
    - XSA-396 has patches for the Linux kernel.
  * Don't ship NEWS in libxen* packages. Instead, only ship relevant NEWS
    items for actual hypervisor and/or utils packages they belong to.
    (Closes: #962267)
  * d/control: make xen-hypervisor-common arch specific, just like
    xen-utils-common.
  * d/control: stop recommending qemu-system-x86 on arm, because qemu is not
    being built with xen support on arm...
  * Add a patch for tools/libs/light/Makefile which prevents build.o and
    build.opic to be rebuilt unneededly during the package install phase,
    causing a FTBFS because it triggers the use of ccache, which is not
    allowed in the install phase of building the Debian packages.

  Improvements related to Qemu integration:  [Michael Tokarev]
  * d/xen-utils-common.xen.init: properly disable qemu monitor/serial/parallel
    devices for qemu started at boot.
  * debian: switch from recommending qemu-system-x86 to qemu-system-xen and
    mention this change in the NEWS file.
  * Add patch "give meaningful error message if qemu device model is
    unavailable" to give a useful error message only in case the domU needs
    the qemu device model which is not installed, instead of giving a warning
    about missing qemu even if it is not used by this domain.

  Documentation, grammar and spelling fixes and improvements:
  * d/control: drop obsolete paragraph about separate xen linux kernel package
  * d/control: Harmonize the capitalization of the 'Xen' word  [Diederik de Haas]
  * d/control: Improve spelling and grammar  [Diederik de Haas]`

 -- Hans van Kranenburg <hans@knorrie.org>  Mon, 09 May 2022 22:29:23 +0200

xen (4.16.0+51-g0941d6cb-1) unstable; urgency=medium

  * Update to new upstream version 4.16.0+51-g0941d6cb, which also contains
    security fixes for the following issues:
    - arm: guest_physmap_remove_page not removing the p2m mappings
      XSA-393 CVE-2022-23033
    - A PV guest could DoS Xen while unmapping a grant
      XSA-394 CVE-2022-23034
    - Insufficient cleanup of passed-through device IRQs
      XSA-395 CVE-2022-23035
  * Note that the following XSA are not listed, because...
    - XSA-391 and XSA-392 have patches for the Linux kernel.
  * Upload to unstable now, which obsoletes the Xen 4.14 FTBFS issue.
    (Closes: #1002658)

 -- Hans van Kranenburg <hans@knorrie.org>  Sat, 19 Feb 2022 20:29:32 +0100

xen (4.16.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.16.0. This also includes a security fix
    for the following issue, which was not applicable to Xen 4.14 yet:
    - certain VT-d IOMMUs may not work in shared page table mode
      XSA-390 CVE-2021-28710
  * No longer build any package for the i386 architecture. It was already not
    possible to use x86_32 hardware because the i386 packages already
    shipped a 64-bit hypervisor and PV shim. Running 32-bit utils with a
    64-bit hypervisor requires using a compatibility layer that is fragile and
    becomes harder to maintain and test upstream. This change ends the 'grace
    period' in which users should have moved to using a fully 64-bit dom0.
    - debian/{control,rules,salsa-ci.yml,xen-utils-V.install.vsn-in}: make the
      necessary changes
    - Remove the Recommends on libc6-xen, which already actually does not
      exist any more. (Closes: #992909)
    - Drop patch "tools/tests/x86_emulator: Pass -no-pie -fno-pic to gcc on
      x86_32" because it is not relevant any more.

  Changes related to upgrading to Xen 4.16:
  * debian/control: adjust to 4.16  [Maximilian Engelhardt]
  * Drop patches that have been applied upstream
  * Refresh remaining patches if needed
  * debian: follow upstream removal of '.sh' suffix in xl bash_completion file
    [Maximilian Engelhardt]
  * debian/control, debian/libxenstore*: ship a libxenstore4 package instead
    of libxenstore3.0, since upstream bumped the soname
    [Maximilian Engelhardt]

  Packaging minor fixes and improvements  [Maximilian Engelhardt]:
  * debian/rules: set SOURCE_BASE_DIR to the top level build dir so that the
    "Display Debian package version in hypervisor log" patch can use it.
  * Add patch "xen/arch/x86: make objdump output user locale agnostic" to fix
    reproducable builds. This patch will also be sent upstream.
  * d/rules: remove reproducible=+fixfilepath from DEB_BUILD_MAINT_OPTIONS
  * d/salsa-ci.yml: Explicitly set RELEASE variable to unstable
  * d/salsa-ci.yml: disable cross building as it's currently not working
  * debian: call update-grub when installing/removing xen-hypervisor-common
    (Closes: #988901)
  * debian: fix dependency generation for python after dh-python was fixed
    first. (Closes: #976597)
  * debian/rules: remove unused pybuild settings

  Packaging minor fixes and improvements:
  * Improve patches for building the PV shim separately. This enables to
    drop the extra Revert of an upstream commit that was done in
    4.14.0+80-gd101b417b7-1~exp1:
    - Drop patch: Revert "pvshim: make PV shim build selectable from
      configure"
    - Update patch "[...] Respect caller's CONFIG_PV_SHIM" to follow moving
      of a line to a different file
    - Drop patch: "tools/firmware/Makefile: CONFIG_PV_SHIM: enable only on
      x86_64" because that's now already the default upstream
  * debian/control.md5sum: remove this obsolete file
  * Merge patches "vif-common: disable handle_iptable" and
    "t/h/L/vif-common.sh: fix handle_iptable return value" into a single
    patch, since the latter was a fix for the first.
  * debian/control: change the Uploaders email address for Ian Jackson,
    since he does not work at Citrix any more now

 -- Hans van Kranenburg <hans@knorrie.org>  Mon, 17 Jan 2022 18:36:02 +0100

xen (4.14.3+32-g9de3671772-1) unstable; urgency=medium

  * Update to new upstream version 4.14.3+32-g9de3671772, which also contains
    security fixes for the following issues:
    - guests may exceed their designated memory limit
      XSA-385 CVE-2021-28706
    - PCI devices with RMRRs not deassigned correctly
      XSA-386 CVE-2021-28702
    - PoD operations on misaligned GFNs
      XSA-388 CVE-2021-28704 CVE-2021-28707 CVE-2021-28708
    - issues with partially successful P2M updates on x86
      XSA-389 CVE-2021-28705 CVE-2021-28709
  * Note that the following XSA are not listed, because...
    - XSA-387 only applies to Xen 4.13 and older
    - XSA-390 only applies to Xen 4.15
  * Pick the following upstream commits to fix a regression which prevents
    amd64 type hardware to fully power off. The issue was introduced in
    version 4.14.0+88-g1d1d1f5391-1 after including upstream commits to
    improve Raspberry Pi 4 support. (Closes: #994899):
    - 8b6d55c126 ("x86/ACPI: fix mapping of FACS")
    - f390941a92 ("x86/DMI: fix table mapping when one lives above 1Mb")
    - 0f089bbf43 ("x86/ACPI: fix S3 wakeup vector mapping")
    - 16ca5b3f87 ("x86/ACPI: don't invalidate S5 data when S3 wakeup vector
                   cannot be determined")

 -- Hans van Kranenburg <hans@knorrie.org>  Sat, 27 Nov 2021 15:09:47 +0100

xen (4.14.3-1) unstable; urgency=high

  * Update to new upstream version 4.14.3, which also contains security fixes
    for the following issues:
    - IOMMU page mapping issues on x86
      XSA-378 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696
    - grant table v2 status pages may remain accessible after de-allocation
      XSA-379 CVE-2021-28697
    - long running loops in grant table handling
      XSA-380 CVE-2021-28698
    - inadequate grant-v2 status frames array bounds check
      XSA-382 CVE-2021-28699
    - xen/arm: No memory limit for dom0less domUs
      XSA-383 CVE-2021-28700
    - Another race in XENMAPSPACE_grant_table handling
      XSA-384 CVE-2021-28701

 -- Hans van Kranenburg <hans@knorrie.org>  Mon, 13 Sep 2021 11:51:20 +0200

xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium

  * Add README.Debian.security containing a note about the end of upstream
    security support for Xen 4.14. Install it into xen-hypervisor-common.

 -- Hans van Kranenburg <hans@knorrie.org>  Fri, 30 Jul 2021 16:57:52 +0200

xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium

  * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains
    security fixes for the following issues:
    - HVM soft-reset crashes toolstack
      XSA-368 CVE-2021-28687
    - xen/arm: Boot modules are not scrubbed
      XSA-372 CVE-2021-28693
    - inappropriate x86 IOMMU timeout detection / handling
      XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass
      XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3
      XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the
      Linux kernel.
    - XSA-366 only applies to Xen 4.11.

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 11 Jul 2021 14:29:13 +0200

xen (4.14.1+11-gb0b734a8b3-1) unstable; urgency=medium

  * Update to new upstream version 4.14.1+11-gb0b734a8b3, which also contains
    security fixes for the following issues:
    - IRQ vector leak on x86
      XSA-360 CVE-2021-3308  (Closes: #981052)
    - arm: The cache may not be cleaned for newly allocated scrubbed pages
      XSA-364 CVE-2021-26933
  * Drop separate patches for XSAs up to 359 that are now included in the
    upstream stable branch.

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * debian/rules: Set CC/LD to enable cross-building
  * d/shuffle-binaries: Fix binary shuffling script for cross-building
  * Rework "debian/rules: Do not try to move EFI binaries on armhf"
  * debian/scripts: Optimize runtime scripts
  * debian/xen-utils-common.examples: Remove xm examples
  * d/shuffle-boot-files: make it POSIX compliant  [Hans van Kranenburg, based
    on a patch by Elliott Mitchell]
  * d/shuffle-binaries: Switch loop from for to while
  * d/shuffle-binaries: Switch to POSIX shell, instead of Bash
  * d/shuffle-boot-files: Switch to POSIX shell, instead of Bash
  * debian/xendomains.init: Pipe xen-init-list instead of tmp file

  Make the package build reproducibly [Maximilian Engelhardt]:
  * debian/salsa-ci.yml: enable salsa-ci
  * debian/salsa-ci.yml: enable diffoscope in reprotest
  * debian/rules: use SOURCE_DATE_EPOCH for xen build dates
  * debian/rules: don't include build path in binaries
  * debian/rules: reproducibly build oxenstored
  * Pick the following upstream commits:
    - 5816d327e4 ("xen: don't have timestamp inserted in config.gz")
    - ee41b5c450 ("x86/EFI: don't insert timestamp when SOURCE_DATE_EPOCH is
                   defined")
    - e18dadc5b7 ("docs: use predictable ordering in generated documentation")
  * Include upstream patch that is not committed yet, but needed:
    - docs: set date to SOURCE_DATE_EPOCH if available
  * debian/salsa-ci.yml: don't allow reprotest to fail

  Packaging bugfixes and improvements:
  * d/shuffle-boot-files: Document more inner workings

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 28 Feb 2021 19:49:45 +0100

xen (4.14.0+88-g1d1d1f5391-2) unstable; urgency=high

  * For now, revert "debian/rules: Set CC/LD to enable cross-building", since
    it causes an FTBFS on i386.

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 15 Dec 2020 14:57:41 +0100

xen (4.14.0+88-g1d1d1f5391-1) unstable; urgency=high

  * Update to new upstream version 4.14.0+88-g1d1d1f5391, which also contains
    security fixes for the following issues:
    - stack corruption from XSA-346 change
      XSA-355 CVE-2020-29040 (Closes: #976109)
  * Apply security fixes for the following issues:
    - oxenstored: permissions not checked on root node
      XSA-353 CVE-2020-29479
    - xenstore watch notifications lacking permission checks
      XSA-115 CVE-2020-29480
    - Xenstore: new domains inheriting existing node permissions
      XSA-322 CVE-2020-29481
    - Xenstore: wrong path length check
      XSA-323 CVE-2020-29482
    - Xenstore: guests can crash xenstored via watchs
      XSA-324 CVE-2020-29484
    - Xenstore: guests can disturb domain cleanup
      XSA-325 CVE-2020-29483
    - oxenstored memory leak in reset_watches
      XSA-330 CVE-2020-29485
    - oxenstored: node ownership can be changed by unprivileged clients
      XSA-352 CVE-2020-29486
    - undue recursion in x86 HVM context switch code
      XSA-348 CVE-2020-29566
    - infinite loop when cleaning up IRQ vectors
      XSA-356 CVE-2020-29567
    - FIFO event channels control block related ordering
      XSA-358 CVE-2020-29570
    - FIFO event channels control structure ordering
      XSA-359 CVE-2020-29571
  * Note that the following XSA are not listed, because...
    - XSA-349 and XSA-350 have patches for the Linux kernel
    - XSA-354 has patches for the XAPI toolstack

  Packaging bugfixes and improvements:
  * d/rules: do not compress /usr/share/doc/xen/html (Closes: #942611)
  * Add missing CVE numbers to the previous changelog entries

  Packaging bugfixes and improvements [Elliott Mitchell]:
  * d/shuffle-binaries: Make error detection/message overt
  * d/shuffle-binaries: Add quoting for potentially changeable variables
  * d/shuffle-boot-files: Add lots of double-quotes when handling variables
  * debian/rules: Set CC/LD to enable cross-building
  * debian/xen.init: Load xen_acpi_processor on boot
  * d/shuffle-binaries: Remove useless extra argument being passed in

  Packaging bugfixes and improvements [Maximilian Engelhardt]:
  * d/xen-hypervisor-V-F.postinst.vsn-in: use reboot-required
    (Closes: #862408)
  * d/xen-hypervisor-V-F.postrm: actually install script
  * d/xen-hypervisor-V.*: clean up unused files
  * d/xen-hypervisor-V.bug-control.vsn-in: actually install script
  * debian/rules: enable verbose build

  Fixes to patches for upstream code:
  * t/h/L/vif-common.sh: force handle_iptable return value to be 0
    (Closes: #955994)

  * Pick the following upstream commits to improve Raspberry Pi 4 support,
    requested by Elliott Mitchell:
    - 25849c8b16 ("xen/rpi4: implement watchdog-based reset")
    - 17d192e023 ("tools/python: Pass linker to Python build process")
    - 861f0c1109 ("xen/arm: acpi: Don't fail if SPCR table is absent")
    - 1c4aa69ca1 ("xen/acpi: Rework acpi_os_map_memory() and
                   acpi_os_unmap_memory()")
    - 4d625ff3c3 ("xen/arm: acpi: The fixmap area should always be cleared
                   during failure/unmap")
    - dac867bf9a ("xen/arm: Check if the platform is not using ACPI before
                   initializing Dom0less")
    - 9c2bc0f24b ("xen/arm: Introduce fw_unreserved_regions() and use it")
    - 7056f2f89f ("xen/arm: acpi: add BAD_MADT_GICC_ENTRY() macro")
    - 957708c2d1 ("xen/arm: traps: Don't panic when receiving an unknown debug
                   trap")

  * Pick upstream commit ba6e78f0db ("fix spelling errors"). Thanks, Diederik.

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 15 Dec 2020 13:00:00 +0100

xen (4.14.0+80-gd101b417b7-1) unstable; urgency=medium

  * Re-upload to unstable for rebuild.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Tue, 24 Nov 2020 10:28:22 +0000

xen (4.14.0+80-gd101b417b7-1~exp2) experimental; urgency=medium

  * Re-upload since apparently DMs aren't allowed NEW?

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 23 Nov 2020 13:24:17 +0000

xen (4.14.0+80-gd101b417b7-1~exp1) experimental; urgency=medium

  * Update to new upstream version 4.14.0+80-gd101b417b7, which also contains
    security fixes for the following issues:
    - Information leak via power sidechannel
      XSA-351 CVE-2020-28368
    - x86 PV guest INVLPG-like flushes may leave stale TLB entries
      XSA-286 CVE-2020-27674
    - unsafe AMD IOMMU page table updates
      XSA-347 CVE-2020-27670
    - undue deferral of IOMMU TLB flushes
      XSA-346 CVE-2020-27671
    - x86: Race condition in Xen mapping code
      XSA-345 CVE-2020-27672
    - lack of preemption in evtchn_reset() / evtchn_destroy()
      XSA-344 CVE-2020-25601
    - races with evtchn_reset()
      XSA-343 CVE-2020-25599
    - out of bounds event channels available to 32-bit x86 domains
      XSA-342 CVE-2020-25600
    - Missing memory barriers when accessing/allocating an event channel
      XSA-340 CVE-2020-25603
    - x86 pv guest kernel DoS via SYSENTER
      XSA-339 CVE-2020-25596
    - once valid event channels may not turn invalid
      XSA-338 CVE-2020-25597
    - PCI passthrough code reading back hardware registers
      XSA-337 CVE-2020-25595
    - race when migrating timers between x86 HVM vCPU-s
      XSA-336 CVE-2020-25604
    - Missing unlock in XENMEM_acquire_resource error path
      XSA-334 CVE-2020-25598
    - x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
      XSA-333 CVE-2020-25602
  * Updating to the most recent upstream stable-4.14 branch also fixes
    additional compiling issues with gcc 10 that we were running into. These
    were: upstream commit 5d45ecabe3c0 ("xen/arm64: force gcc 10+ to always
    inline generic atomics helpers") to fix a FTBFS at mem_access.c and
    upstream commit 0dfddb2116e3 ("tools/xenpmd: Fix gcc10 snprintf warning")
    to fix a FTBFS on armhf. (Closes: #970802)
  * Drop upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2
    maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix
    -Werror=stringop-truncation in libxl__prepare_sockaddr_un") from our patch
    pile because these gcc 10 related fixes are in the upstream stable branch
    now.
  * Partially revert "debian/rules: Combine shared Make args" since it caused
    a FTBFS on i386.
  * Revert upstream commit a516bddbd3 ("tools/firmware/Makefile:
    CONFIG_PV_SHIM: enable only on x86_64") and cherry-pick our previous
    commits 0b898ccc2 ("tools/firmware/Makfile: Respect caller's
    CONFIG_PV_SHIM") and a516bddbd3 ("tools/firmware/Makefile: CONFIG_PV_SHIM:
    enable only on x86_64") again to work around a FTBFS where the shim would
    not be built during the i386 package build.
  * Now all FTBFS issues should be resolved, so we can do (Closes: #968965)

  Packaging minor fixes and improvements:
  * d/xen-utils-common.xen.init: Actually *really* include the change to
    disable oom killer for xenstored. It inadvertently got lost in
    4.14.0-1~exp1. (Closes: #961511)

  Lintian related fixes:
  * debian/changelog: fix a typo in the previous changelog entry

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 22 Nov 2020 02:16:00 +0100

xen (4.14.0-1~exp1) experimental; urgency=medium

  Significant changes:
  * Update to new upstream version 4.14.0.
    (Closes: #866380) about removal of broken xen-bugtool
  * debian/{rules,control}: switch to python 3
    (Closes: #938843) about python 2 removal in bullseye
  * debian/control: Fix python dependency to use python3-dev:any and
    libpython3-dev  [Elliott Mitchell]

  Changes related to upgrading to Xen 4.14:
  * debian/control: adjust to 4.14
  * debian/rules: remove install commands for pkgconfig files, since those
    files are not present any more
  * debian/: Follow fsimage -> xenfsimage renaming
  * debian/xen-utils-V.*: Use @version@ instead of hardcoded version
  * debian/control: add flex, bison
  * debian/control: add libxenhypfs[1]  [Ian Jackson]
  * debian/libxenstore3.0.symbols: drop xprintf
    (Closes: #968965)  [Ian Jackson; also reported by Gianfranco Costamagna]
  * d/scripts/xen-init-name, d/scripts/xen-init-list: rewrite these two
    scripts, hugely simplify them and make them use python 3
  * Pick upstream commits d25cc3ec93eb ("libxl: workaround gcc 10.2
    maybe-uninitialized warning") and fff1b7f50e75 ("libxl: fix
    -Werror=stringop-truncation in libxl__prepare_sockaddr_un") to fix gcc 10
    FTBFS
  * tools: don't build/ship xenmon, it can't work with python 3

  Packaging minor fixes and improvements:
  * debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * debian/rules: Improve comment about hardening options
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * debian/rules: Drop redundant sequence numbers in dh_installinit
    (Closes: #939560)  [Ian Jackson; report from Guillem Jover]
  * d/xen-utils-common.xen.init: add important notes to keep in mind when
    changing this script, related to multi-version handling
  * debian/control: cleanup Uploaders and add myself
  * debian/control: s/libncurses5-dev/libncurses-dev/
  * xen-utils-V scripts: remove update-alternatives command
  * xen-utils-V.postinst.vsn-in: whitespace cosmetics
  * d/xen-utils-common.xen.init: disable oom killer for xenstored
    (Closes: #961511)
  * debian/rules: Combine shared Make args  [Elliott Mitchell]

  Fixes and improvements for cross-compiling  [Elliott Mitchell]:
  * debian/rules: Add --host to tools configure target
  * Pick upstream commit 69953e285638 ('tools: Partially revert
    "Cross-compilation fixes."')

  Lintian related fixes:
  * debian/changelog: trim trailing whitespace.  [Debian Janitor]
  * debian/pycompat: remove obsolete file.  [Debian Janitor]
  * debian/rules: Avoid using $(PWD) variable.  [Debian Janitor]
  * debian/control: hardcode xen-utils-4.14 python3 dependency because
    dh_python can't figure out how to add it
  * debian/control: xen-doc: add ${misc:Depends}
  * d/xen-hypervisor-V-F.lintian-overrides.vsn-in: fix override to use the
    newer debug-suffix-not-dbg tag and correct the file path used so it
    matches again
  * debian/control: remove XS-Python-Version which is deprecated
  * debian/control: drop autotools-dev build dependency because debhelper
    already takes care of this
  * d/xen-utils-V.lintian-overrides.vsn-in: fix rpath override because the
    xenfsimage python .so filename changed from xenfsimage.so into
    xenfsimage.cpython-38-x86_64-linux-gnu.so now, make it match again
  * d/xen-utils-V.lintian-overrides.vsn-in: s/fsimage/xenfsimage/ which is a
    left over change from the rename in some comment lines
  * d/xen-utils-common.xen.init: use /run instead of /var/run because we don't
    expect anyone on a pre-stretch system to build and use these packages
  * debian/control: update Standards-Version to 4.5.0

 -- Hans van Kranenburg <hans@knorrie.org>  Thu, 17 Sep 2020 18:59:28 +0200

xen (4.11.4+24-gddaaccbbab-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4+24-gddaaccbbab, which also contains
    security fixes for the following issues:
    - inverted code paths in x86 dirty VRAM tracking
      XSA-319 CVE-2020-15563
    - Special Register Buffer speculative side channel
      XSA-320 CVE-2020-0543
      N.B: To mitigate this issue, new cpu microcode is required. The changes
      in Xen provide a workaround for affected hardware that is not receiving
      a vendor microcode update. Please refer to the upstream XSA-320 Advisory
      text for more details.
    - insufficient cache write-back under VT-d
      XSA-321 CVE-2020-15565
    - Missing alignment check in VCPUOP_register_vcpu_info
      XSA-327 CVE-2020-15564
    - non-atomic modification of live EPT PTE
      XSA-328 CVE-2020-15567

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 07 Jul 2020 16:07:39 +0200

xen (4.11.4-1) unstable; urgency=medium

  * Update to new upstream version 4.11.4, which also contains security fixes
    for the following issues:
    - arm: a CPU may speculate past the ERET instruction
      XSA-312 (no CVE yet)
    - multiple xenoprof issues
      XSA-313 CVE-2020-11740 CVE-2020-11741
    - Missing memory barriers in read-write unlock paths
      XSA-314 CVE-2020-11739
    - Bad error path in GNTTABOP_map_grant
      XSA-316 CVE-2020-11743
    - Bad continuation handling in GNTTABOP_copy
      XSA-318 CVE-2020-11742
  * xen-utils and xen-utils-common maint scripts: Replace the previous fix in
    the xen init script with a better fix in the xen-utils package instead, to
    prevent calling the init script stop action (resulting in a disappeared
    xenconsoled) when removing a xen-utils package that belongs to a previous
    (not currently runing) Xen version. Also prevent the xen-utils-common
    package from inadvertently calling stop and start actions because
    dh_installinit would add code for that. (Closes: #932759)
  * debian/NEWS: Mention fixing #932759 and how to deal with the bug

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 26 May 2020 13:33:17 +0200

xen (4.11.3+24-g14b62ab3e5-1) unstable; urgency=high

  * Update to new upstream version 4.11.3+24-g14b62ab3e5, which also
    contains the following security fixes: (Closes: #947944)
    - Unlimited Arm Atomics Operations
      XSA-295 CVE-2019-17349 CVE-2019-17350
    - VCPUOP_initialise DoS
      XSA-296 CVE-2019-18420
    - missing descriptor table limit checking in x86 PV emulation
      XSA-298 CVE-2019-18425
    - Issues with restartable PV type change operations
      XSA-299 CVE-2019-18421
    - add-to-physmap can be abused to DoS Arm hosts
      XSA-301 CVE-2019-18423
    - passed through PCI devices may corrupt host memory after deassignment
      XSA-302 CVE-2019-18424
    - ARM: Interrupts are unconditionally unmasked in exception handlers
      XSA-303 CVE-2019-18422
    - x86: Machine Check Error on Page Size Change DoS
      XSA-304 CVE-2018-12207
    - TSX Asynchronous Abort speculative side channel
      XSA-305 CVE-2019-11135
    - Device quarantine for alternate pci assignment methods
      XSA-306 CVE-2019-19579
    - find_next_bit() issues
      XSA-307 CVE-2019-19581 CVE-2019-19582
    - VMX: VMentry failure with debug exceptions and blocked states
      XSA-308 CVE-2019-19583
    - Linear pagetable use / entry miscounts
      XSA-309 CVE-2019-19578
    - Further issues with restartable PV type change operations
      XSA-310 CVE-2019-19580
    - Bugs in dynamic height handling for AMD IOMMU pagetables
      XSA-311 CVE-2019-19577
  * Add missing CVE numbers to previous changelog entries

 -- Hans van Kranenburg <hans@knorrie.org>  Wed, 08 Jan 2020 12:41:42 +0100

xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high

  * Mention MDS and the need for updated microcode and disabling
    hyper-threading in NEWS.
  * Mention the ucode=scan option in the grub.d/xen documentation.

 -- Hans van Kranenburg <hans@knorrie.org>  Sat, 22 Jun 2019 11:15:08 +0200

xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high

  * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
    contains the following security fixes:
    - Fix: grant table transfer issues on large hosts
      XSA-284 CVE-2019-17340 (Closes: #929991)
    - Fix: race with pass-through device hotplug
      XSA-285 CVE-2019-17341 (Closes: #929998)
    - Fix: x86: steal_page violates page_struct access discipline
      XSA-287 CVE-2019-17342 (Closes: #930001)
    - Fix: x86: Inconsistent PV IOMMU discipline
      XSA-288 CVE-2019-17343 (Closes: #929994)
    - Fix: missing preemption in x86 PV page table unvalidation
      XSA-290 CVE-2019-17344 (Closes: #929996)
    - Fix: x86/PV: page type reference counting issue with failed IOMMU update
      XSA-291 CVE-2019-17345 (Closes: #929995)
    - Fix: x86: insufficient TLB flushing when using PCID
      XSA-292 CVE-2019-17346 (Closes: #929993)
    - Fix: x86: PV kernel context switch corruption
      XSA-293 CVE-2019-17347 (Closes: #929999)
    - Fix: x86 shadow: Insufficient TLB flushing when using PCID
      XSA-294 CVE-2019-17348 (Closes: #929992)
    - Fix: Microarchitectural Data Sampling speculative side channel
      XSA-297 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
      (Closes: #929129)
  * Note that the fixes for XSA-297 will only have effect when also loading
    updated cpu microcode with MD_CLEAR functionality. When using the
    intel-microcode package to include microcode in the dom0 initrd, it has to
    be loaded by Xen. Please refer to the hypervisor command line
    documentation about the 'ucode=scan' option.
  * Fixes for XSA-295 "Unlimited Arm Atomics Operations" will be added in the
    next upload.

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 18 Jun 2019 09:50:19 +0200

xen (4.11.1+26-g87f51bf366-3) unstable; urgency=medium

  Minor useability improvements and fixes:
  * bash-completion: also complete 'xen'  [Hans van Kranenburg]
  * /etc/default/xen: Handle with ucf again, like in stretch.
    Closes:#923401.  [Ian Jackson]

  Build fix:
  * Fix FTBFS when building only arch-indep binaries (eg
    dpkg-buildpackage -A).  Was due to dh-exec bug wrt not-installed.
    Closes:#923013.  [Hans van Kranenburg; report from Santiago Vila]

  Documentation fix:
  * grub.d/xen.cfg: dom0_mem max IS needed  [Hans van Kranenburg]

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Thu, 28 Feb 2019 16:37:04 +0000

xen (4.11.1+26-g87f51bf366-2) unstable; urgency=medium

  * Packaging change: override spurious lintian warning about
    fsimage.so rpath.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 22 Feb 2019 16:07:37 +0000

xen (4.11.1+26-g87f51bf366-1) unstable; urgency=medium

  Significant changes:
  * Update to new upstream version 4.11.1+26-g87f51bf366.
    (This is from the upstream stable branch.)  [Ian Jackson]
  * Build and use oxenstored rather than the C xenstored by default.
    [Ian Jackson and Hans van Kranenburg]
  * xen init script: rewrite and reorganise xenstored start logic.
    [Hans van Kranenburg]

  Documentation etc. improvements:
  * Refresh hypervisor and dom0 command line options documentation.
    (Closes: #919758)  [Hans van Kranenburg; report from Gergely]
  * Ship /etc/default/xen, a striped and tidied version of upstream
    sysconfig.xencommons.in.  [Hans van Kranenburg]

  Significant bugfixes:
  * xen init script: Do nothing if running for wrong Xen package.
    Avoids mystery loss of xenconsoled.  Closes:#851654.
    [Ian Jackson; report from Wolodja Wentland]
  * Make pygrub work again (by fixing python module and shared library
    paths).  Closes:#912381.  [Ian Jackson; earlier, Bastian Blank;
    report from Dimitar Angelov, also Torben Schou Jensen]

  Packaging bugfixes:
  * Have xen-utils-common suggest xen-doc, because it contains a broken
    symlink to it.  Closes:#911046.
    [Hans van Kranenburg; report from Andreas Beckmann]
  * Have xenstore-utils declare Breaks on xen-utils-common to make
    piuparts happy.  Closes:#911045.
    [Hans van Kranenburg, report from Andreas Beckmann]
  * hotplug-common: Strip arch-specific libdir from config file
    Closes:#862236.  [Ian Jackson; report from Stefan Bühler]
  * xendomains init script; Add dependency on $network.
    Closes:#798510.  [Francois Lesueur]
  * xendomains init script; Add should-dependency on nfs-kernel-server
    Closes:#826871.  [Geoffrey McRae]

  Packaging minor fixes and improvements [Hans van Kranenburg]:
  * debian/libxenstore3.0.symbols: revert ea2334dfe0
  * debian/control: add dh-python build-dep
  * d/xen-utils-V...: override xen-shim-syms lintian
  * debian/control: bump debhelper builddep to 10
  * debian/.gitignore: ignore more debhelper snippets
  * bash-completion: install completion rules for xl
  * xen init script: don't fail when being run in domU
  * Remove xend cruft from various init scripts etc.

  Packaging minor fixes and improvements [Ian Jackson]:
  * xen version/upgrade handling: Improve an error message
  * xen init script: silently exit status 0 if not running under xen
  * xen init script: Tidy up wrong/missing Xen version error handling
  * debian/rules: Fix tiny typos
  * hotplug-common: Do not adjust LD_LIBRARY_PATH

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 22 Feb 2019 15:11:45 +0000

xen (4.11.1-1) unstable; urgency=medium

  * debian/control: Add Homepage, Vcs-Browser and Vcs-Git.
    (Closes: #911457)
  * grub.d/xen.cfg: fix default entry when using l10n (Closes: #865086)
  * debian/rules: Don't exclude the actual pygrub script.
  * Update to new upstream version 4.11.1, which also contains:
    - Fix: insufficient TLB flushing / improper large page mappings with AMD
      IOMMUs
      XSA-275 CVE-2018-19961 CVE-2018-19962
    - Fix: resource accounting issues in x86 IOREQ server handling
      XSA-276 CVE-2018-19963
    - Fix: x86: incorrect error handling for guest p2m page removals
      XSA-277 CVE-2018-19964
    - Fix: x86: Nested VT-x usable even when disabled
      XSA-278 CVE-2018-18883
    - Fix: x86: DoS from attempting to use INVPCID with a non-canonical
      addresses
      XSA-279 CVE-2018-19965
    - Fix for XSA-240 conflicts with shadow paging
      XSA-280 CVE-2018-19966
    - Fix: guest use of HLE constructs may lock up host
      XSA-282 CVE-2018-19967
  * Update version handling patching to put the team mailing list address in
    the first hypervisor log line and fix broken other substitutions.
  * Disable handle_iptable hook in vif-common script. See #894013 for more
    information.

 -- Hans van Kranenburg <hans@knorrie.org>  Wed, 02 Jan 2019 20:59:40 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-5) unstable; urgency=medium

  * debian/rules: Cope if xen-utils-common not being built
    (Fixes binary-indep FTBFS.)

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 15 Oct 2018 18:07:11 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-4) unstable; urgency=medium

  * Many packaging fixes to fix FTBFS on all arches other than amd64.
  * xen-vbd-interface(7): Provide properly-formatted NAME section
  * Add pandoc and markdown to Build-Depends - fixes missing docs.
  * Revert "tools-xenstore-compatibility.diff" apropos of discussion
    https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg00838.html

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 15 Oct 2018 12:15:36 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-3) unstable; urgency=medium

  * hypervisor package postinst: Actually install (avoids need to
    run update-grub by hand).
  * debian/control: Adding Section to source stanza
  * debian/control: Add missing Replaces on old xen-utils-common
  * debian/rules: Add a -n to a gzip rune to improve reproducibility

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 12 Oct 2018 16:55:48 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-2) unstable; urgency=medium

  * Redo as an upload with binaries, because source-only uploads to NEW
    are not allowed.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 05 Oct 2018 19:38:52 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1) unstable; urgency=medium

  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg;
    merging in 4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1.

 -- Ian Jackson <ian.jackson@citrix.com>  Fri, 05 Oct 2018 18:39:58 +0100

xen (4.11.1~pre+1.733450b39b-1) unstable; urgency=medium

  * Completely overhauled the packaging.  In the source package, things
    are very much simpler now with only a few hundred loc of templating
    and scriptery.  In the binary packages the resulting changes are:
     - We now provide -dbgsym packages in the standard way
      - Shared libraries with unstable ABI upstream (ie, whose
        ABI changes with the Xen version) are now in
        libxen<version>-misc rather than libxen<version> and
        have more conventional-looking filenames.
     - Shared libraries with a stable ABI upstream are now each in their
       own package, named after the soname (ABI version), as is
       conventional.  The sonames and minor versions of these are
       no longer mangled.
     - xs.h, replaced upstream by xenstore.h, is now in
       /usr/include/xenstore-compat (as shipped upstream), with
       symlinks left behind.
     - fsimage*.h is no longer shipped (it's namespace-grabbish).
     - libxenvchan.h is in /usr/include as it is in upstream,
       not buried in /usr/include/xen/io
     - /etc/xen/cpupool, a not very interesting example config file,
       has been moved into /usr/share/doc/.
     - There is a new xen-doc package, in which the upstream HTML
       documentation, and various other bits, is now provided.  This
       replaces the text format documentation previously provided in
       xen-utils-common (but the manpages are still there).
     - Utilities which use on libraries with stable ABIs upstream
       are no longer subjected to the Xen version wrapper.
     - Several utilities are now provided in /usr/bin which were
       previously only available buried in /usr/lib/xen-<version>:
          xen-detect xenalyze xencons xencov_split xen-cpuid
       (version-wrapped, where necessary).
     - Likewise very many utilities and daemons in /usr/sbin:
          gdbsx xen-bugtool xen-ringwatch xen-tmem-list-parse
          xenmon xenpmd flask-* xen-kdd xen-diag xen-hptool
          xen-hvmcrash xen-hvmctx xen-livepatch xen-lowmemd
          xen-mfndump xenbaked xenconsoled xencov xenlockprof
          xenstored xenwatchdogd
     - xend and xm are long gone, so remove the support for the
       TOOLSTACK setting in /etc/default/xen.  /usr/sbin/xen just
       runs xl now.  Remove mentions of xend-config.sxp and all
       *.sxp files.  Drop the xend init script.
     - There is no longer any Built-Using.  This is no longer true for
       seabios, which is depended on and used at runtime, rather than
       being embedded into hvmloader.  (The source package also previously
       tried to mention ipxe-qemu in Built-Using but that's (i) dependent
       upstream on CONFIG_ROMBIOS which we disable, and not a
       build-dependency either.)
     - The hvmloader and xen-shim binaries no longer have their .note
       and .comment section(s) stripped.  .note is needed for xen-shim
       to work properly and to find the corresponding debug files.
       And .comment is tiny and harmless AFAICT.
     - Hypervisor debug map files are installed in /usr/lib/debug.
     - The xl bash_completion file from upstream is installed.
     - libxenvchan.h is installed.
     - We install xen-*.efi in /boot.
     - Sections of some packages have been rationalised.
     - We install a doc-base control file.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Wed, 03 Oct 2018 18:45:02 +0100

xen (4.11.1~pre.20180911.5acdd26fdc+dfsg-1~exp1) experimental; urgency=medium

  * Update to new upstream version 4.11.1~pre.20180911.5acdd26fdc+dfsg.
  * Remove stubdom/grub.patches/00cvs from the upstream source because it's
    not DFSG compliant. (license-problem-gfdl-invariants)
  * Override statically-linked-binary lintian error about
    usr/lib/xen-4.11/boot/xen-shim

 -- Hans van Kranenburg <hans@knorrie.org>  Tue, 11 Sep 2018 15:34:34 +0200

xen (4.11.1~pre+1.733450b39b-1~exp1) experimental; urgency=medium

  [ Hans van Kranenburg ]
  * Update to 4.11.1-pre commit 733450b39b, which also contains:
    - Additional fix for: Unlimited recursion in linear pagetable de-typing
      XSA-240 CVE-2017-15595 (listed as xsa240-4.8/0004)
    - Fix x86 PV guests may gain access to internally used pages
      XSA-248 CVE-2017-17566
    - Fix broken x86 shadow mode refcount overflow check
      XSA-249 CVE-2017-17563
    - Fix improper x86 shadow mode refcount error handling
      XSA-250 CVE-2017-17564
    - Fix improper bug check in x86 log-dirty handling
      XSA-251 CVE-2017-17565
    - Fix: DoS via non-preemptable L3/L4 pagetable freeing
      XSA-252 CVE-2018-7540
    - Fix x86: memory leak with MSR emulation
      XSA-253 CVE-2018-5244
    - Multiple parts of fixes for...
      Information leak via side effects of speculative execution
      XSA-254 CVE-2017-5753 CVE-2017-5715 CVE-2017-5754
      - XPTI stage 1 a.k.a. 'Meltdown band-aid', XPTI-S1 or XPTI-lite
      - Branch predictor hardening for ARM CPUs
      - Support compiling with indirect branch thunks (e.g. retpoline)
      - Report details of speculative mitigations in boot logging
    - Fix: grant table v2 -> v1 transition may crash Xen
      XSA-255 CVE-2018-7541
    - Fix: x86 PVH guest without LAPIC may DoS the host
      XSA-256 CVE-2018-7542
    - The "Comet" shim, which can be used as a mitigation for Meltdown to
      shield the hypervisor against 64-bit PV guests.
    - Fix: Information leak via crafted user-supplied CDROM
      XSA-258 CVE-2018-10472
    - Fix: x86: PV guest may crash Xen with XPTI
      XSA-259 CVE-2018-10471
    - Fix: x86: mishandling of debug exceptions
      XSA-260 CVE-2018-8897
    - Fix: x86 vHPET interrupt injection errors
      XSA-261 CVE-2018-10982
    - Fix: qemu may drive Xen into unbounded loop
      XSA-262 CVE-2018-10981
    - Fix: Speculative Store Bypass
      XSA-263 CVE-2018-3639
    - Fix: preemption checks bypassed in x86 PV MM handling
      XSA-264 CVE-2018-12891
    - Fix: x86: #DB exception safety check can be triggered by a guest
      XSA-265 CVE-2018-12893
    - Fix: libxl fails to honour readonly flag on HVM emulated SCSI disks
      XSA-266 CVE-2018-12892
    - Fix: Speculative register leakage from lazy FPU context switching
      XSA-267 CVE-2018-3665
    - Fix: Use of v2 grant tables may cause crash on ARM
      XSA-268 CVE-2018-15469
    - Fix: x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
      XSA-269 CVE-2018-15468
    - Fix: oxenstored does not apply quota-maxentity
      XSA-272 CVE-2018-15470
    - Fix: L1 Terminal Fault speculative side channel
      XSA-273 CVE-2018-3620
  * Merge changes for 4.9 from the ubuntu packaging (thanks, Stefan Bader):
    - Rebase patches against upstream source (line numbers etc).
    - debian/rules.real:
      - Add a call to build common tool headers.
      - Add a call to install common tool headers.
    - debian/libxen-dev.install, d/p/ubuntu-tools-libs-abiname.diff:
      - Add additional modifications for new libxendevicemodel.
    - debian/patches/tools-fake-xs-restrict.patch:
      - Re-introduce (fake) xs_restrict call to keep libxenstore version at
        3.0 for now.
    - debian/libxenstore3.0.symbols: add xs_control_command
  * Rebase patches against 4.10 upstream source.
  * Rebase patches against 4.11 upstream source.
  * Add README.source.md to document how the packaging works.
  * This package builds correctly with gcc 7. (Closes: #853710)
  * Fix grub config file conflict when upgrading from Stretch. (Closes: #852545)
  * Init scripts: Do not kill per-domain qemu processes. (Closes: #879751)
  * debian/patches: Fix "'vwprintw' is deprecated" gcc 8 compilation error

  [ Mark Pryor ]
  * Fix shared library build dependencies for the new xentoolcore library.

  [ John Keates ]
  * Enable OVMF (Closes: #858962)

 -- Hans van Kranenburg <hans@knorrie.org>  Sun, 08 Jul 2018 14:30:32 +0200

xen (4.8.2+xsa245-0+deb9u1) stretch-security; urgency=high

  * Update to upstream stable 4.8 branch, which is currently at Xen 4.8.2
    plus a number of bugfixes and security fixes.
    Result is that we now include security fixes for:
       XSA-231 CVE-2017-14316
       XSA-232 CVE-2017-14318
       XSA-233 CVE-2017-14317
       XSA-234 CVE-2017-14319
       (235 already included in 4.8.1-1+deb9u3)
       XSA-236 CVE-2017-15597
       XSA-237 CVE-2017-15590
       XSA-238 CVE-2017-15591
       XSA-239 CVE-2017-15589
       XSA-240 CVE-2017-15595
       XSA-241 CVE-2017-15588
       XSA-242 CVE-2017-15593
       XSA-243 CVE-2017-15592
       XSA-244 CVE-2017-15594
       XSA-245 CVE-2017-17046
    and a number of upstream functionality fixes, which are not easily
    disentangled from the security fixes.
  * Apply two more security fixes:
       XSA-246 CVE-2017-17044
       XSA-247 CVE-2017-17045

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 25 Nov 2017 11:26:37 +0000

xen (4.8.1-1+deb9u3) stretch-security; urgency=high

  * Security fixes for
      XSA-226 CVE-2017-12135
      XSA-227 CVE-2017-12137
      XSA-228 CVE-2017-12136
      XSA-230 CVE-2017-12855
      XSA-235 CVE-2017-15596
  * Adjust changelog entry for 4.8.1-1+deb9u2 to record
    that XSA-225 fix was indeed included.
  * Security fix for XSA-229 not included as that bug is in Linux, not Xen.
  * Security fixes for XSA-231..234 inc. not inclued as still embargoed.

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Thu, 07 Sep 2017 19:17:58 +0100

xen (4.8.1-1+deb9u2) stretch-security; urgency=high

  * Security fixes for
      XSA-216 XSA-217 XSA-218 XSA-219 XSA-220
      XSA-221 XSA-222 XSA-223 XSA-224 XSA-225

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Tue, 20 Jun 2017 14:06:34 +0100

xen (4.8.1-1+deb9u1) unstable; urgency=medium

  * Security fixes for XSA-213 (Closes:#861659) and XSA-214
    (Closes:#861660).  (Xen 4.7 and later is not affected by XSA-215.)

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Tue, 02 May 2017 12:19:57 +0100

xen (4.8.1-1) unstable; urgency=high

  * Update to upstream 4.8.1 release.
    Changes include numerous bugfixes, including security fixes for:
      XSA-212 / CVE-2017-7228   Closes:#859560
      XSA-207 / no cve yet      Closes:#856229
      XSA-206 / no cve yet      no Debian bug

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Tue, 18 Apr 2017 18:05:00 +0100

xen (4.8.1~pre.2017.01.23-1) unstable; urgency=medium

  * Update to current upstream stable-4.8 git branch (Xen 4.8.1-pre).
    Contains bugfixes.
  * debian/control-real etc.: debian.py: Allow version numbers like this.

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Mon, 23 Jan 2017 16:03:31 +0000

xen (4.8.0-1) unstable; urgency=high

  * Update to upstream Xen 4.8.0.
    Includes the following security fixes:
        XSA-201   CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818
        XSA-198   CVE-2016-9379 CVE-2016-9380
        XSA-196   CVE-2016-9378 CVE-2016-9377   Closes:#845669
        XSA-195   CVE-2016-9383
        XSA-194   CVE-2016-9384                 Closes:#845667
        XSA-193   CVE-2016-9385
        XSA-192   CVE-2016-9382
        XSA-191   CVE-2016-9386
    Includes other bugfixes too:
        Closes:#812166, Closes:#818525.

  Cherry picks from upstream:
  * Security fixes:
        XSA-204   CVE-2016-10013                 Closes:#848713
        XSA-203   CVE-2016-10025
        XSA-202   CVE-2016-10024
    For completeness, the following XSAs do not apply here:
        XSA-197   CVE-2016-9381      Bug is in qemu
        XSA-199   CVE-2016-9637      Bug is in qemu
        XSA-200   CVE-2016-9932      Xen 4.8 is not affected
  * Cherry pick a build failure fix:
      "x86/emul: add likely()/unlikely() to test harness"

  [ Ian Jackson ]
  * Drop -lcrypto search from upstream configure, and from our
    Build-Depends.  Closes:#844419.
  * Change my own email address to my work (Citrix) address.  When
    uploading, I will swap hats to effectively sponsor my own upload.

  [ Ian Campbell ]
  * Start a qemu process in dom0 to service the toolstacks loopback disk
    attaches. (Closes: #770456)
  * Remove correct pidfile when stopping xenconsoled.
  * Check that xenstored has actually started before talking to it.
    Incorporate a timeout so as not to block boot (Mitigates #737613)
  * Correct syntax error in xen-init-list when running with xend
    (Closes: #763102)
  * Apply SELinux labels to directories created by initscripts. Patch from
    Russell Coker. (Closes: #764912)
  * Include a reportbug control file to redirect bugs to src:xen for
    packages which contain the Xen version in the name.  Closes:#796370.

  [ Lubomir Host ]
  * Fix xen-init-name to not fail looking for a nonexistent 'config'
    entry in xl's JSON output.  Closes:#818129.

 -- Ian Jackson <ian.jackson@eu.citrix.com>  Thu, 22 Dec 2016 14:51:46 +0000

xen (4.8.0~rc5-1) unstable; urgency=medium

  * New upstream version, Xen 4.8.0 RC5.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Fri, 11 Nov 2016 15:26:58 +0000

xen (4.8.0~rc3-1) unstable; urgency=medium

  * Upload 4.8.0~rc3 to unstable.  (RC5 is out upstream, but let's not
    update to that in the middle of the Xen 4.6 -> 4.8 transition.)
  * No source changes.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Sat, 05 Nov 2016 15:08:47 +0000

xen (4.8.0~rc3-0exp2) experimental; urgency=medium

  * Build-Depend on iasl on all architectures.  ARM has ACPI now.
    Fixes FTBFS on arm64 (at least).
  * Add qemu-utils and seabios to Suggests.
  * Pass -no-pie -fno-pic to x86 emulator test build.  (Patch
    also submitted upstream.)  Fixes FTBFS on i386 with GCC6.
  * Add myself to Uploaders.

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Tue, 01 Nov 2016 18:00:25 +0000

xen (4.8.0~rc3-0exp1) experimental; urgency=high

  * New upstream version, Xen 4.8.0 RC3.
    Fixes many outstanding CVEs.
  * Incorporated many changes from 4.8.0-0ubuntu2
    - libxen-dev is M-A: same
    - Work around grep bug http://bugs.launchpad.net/bugs/1547466
    - debian/xen-hypervisor-4.6.xen.cfg:
      Additional config file to simplify grub configuration.
    - Use new library/abiname scheme.
    - Document what xl and xm are in default.xen
    - Add libvirtd dependency to xendomains init script
    (Thanks to Stefan Bader and others.)

 -- Ian Jackson <ijackson@chiark.greenend.org.uk>  Mon, 24 Oct 2016 17:31:27 +0100

xen (4.6.0-1+nmu2) unstable; urgency=medium

  * Ensure debian/control.md5sum is correctly updated. Fixes FTBFS of
    4.6.0-1+nmu1 on buildds where linux-support-4.2.0-1 is not expected to be
    installed.

 -- Ian Campbell <ijc@debian.org>  Tue, 09 Feb 2016 16:41:16 +0000

xen (4.6.0-1+nmu1) unstable; urgency=medium

  * Non-maintainer upload.
  * Drop unused patching in of $(PREFIX), $(SBINDIR) and $(BINDIR)
    which are no longer used by the upstream build system.
  * Use correct/consistent LIBEXEC dirs throughout build
    (Closes: #805508).

 -- Ian Campbell <ijc@debian.org>  Tue, 19 Jan 2016 14:43:54 +0000

xen (4.6.0-1) unstable; urgency=medium

  * New upstream release.
  * CVE-2015-7812
  * CVE-2015-7813
  * CVE-2015-7814
  * CVE-2015-7835
  * CVE-2015-7969
  * CVE-2015-7970
  * CVE-2015-7971
  * CVE-2015-7972

 -- Bastian Blank <waldi@debian.org>  Sun, 01 Nov 2015 21:49:07 +0100

xen (4.5.1~rc1-1) experimental; urgency=medium

  [ Ian Campbell ]
  * Use xen-init-dom0 from initscript when it is available.
  * Install some user facing docs in xen-utils-common. (Closes: #688308)

  [ Bastian Blank ]
  * New upstream release candidate.

 -- Bastian Blank <waldi@debian.org>  Sun, 31 May 2015 21:59:56 +0200

xen (4.5.0-1) experimental; urgency=medium

  [ Ian Campbell ]
  * New upstream release

 -- Bastian Blank <waldi@debian.org>  Wed, 21 Jan 2015 20:21:45 +0100

xen (4.5.0~rc3-1) experimental; urgency=medium

  * New upstream release candidate.
  * Re-add xend config.

 -- Bastian Blank <waldi@debian.org>  Wed, 17 Dec 2014 22:37:23 +0100

xen (4.4.1-6) unstable; urgency=medium

  * Fix starvation of writers in locks.
    CVE-2014-9065

 -- Bastian Blank <waldi@debian.org>  Thu, 11 Dec 2014 15:56:08 +0100

xen (4.4.1-5) unstable; urgency=medium

  * Fix excessive checks of hypercall arguments.
    CVE-2014-8866
  * Fix boundary checks of emulated MMIO access.
    CVE-2014-8867
  * Fix additional memory leaks in xl. (closes: #767295)

 -- Bastian Blank <waldi@debian.org>  Sun, 30 Nov 2014 20:13:32 +0100

xen (4.4.1-4) unstable; urgency=medium

  [ Bastian Blank ]
  * Make operations pre-emptible.
    CVE-2014-5146, CVE-2014-5149
  * Don't allow page table updates from non-PV page tables.
    CVE-2014-8594
  * Enforce privilege level while loading code segment.
    CVE-2014-8595
  * Fix reference counter leak.
    CVE-2014-9030
  * Use linux 3.16.0-4 stuff.
  * Fix memory leak in xl. (closes: #767295)

  [ Ian Campbell ]
  * Add licensing for tools/python/logging to debian/copyright.
    (Closes: #759384)
  * Correctly include xen-init-name in xen-utils-common. (Closes: #769543)
  * xen-utils recommends grub-xen-host package (Closes: #770460)

 -- Bastian Blank <waldi@debian.org>  Thu, 27 Nov 2014 20:17:36 +0100

xen (4.4.1-3) unstable; urgency=medium

  [ Bastian Blank ]
  * Remove unused build-depencencies.
  * Extend list affected systems for broken interrupt assignment.
    CVE-2013-3495
  * Fix race in hvm memory management.
    CVE-2014-7154
  * Fix missing privilege checks on instruction emulation.
    CVE-2014-7155, CVE-2014-7156
  * Fix uninitialized control structures in FIFO handling.
    CVE-2014-6268
  * Fix MSR range check in emulation.
    CVE-2014-7188

  [ Ian Campbell ]
  * Install xen.efi into /boot for amd64 builds.

 -- Bastian Blank <waldi@debian.org>  Fri, 17 Oct 2014 16:27:46 +0200

xen (4.4.1-2) unstable; urgency=medium

  * Re-build with correct content.
  * Use dh_lintian.

 -- Bastian Blank <waldi@debian.org>  Wed, 24 Sep 2014 20:23:14 +0200

xen (4.4.1-1) unstable; urgency=medium

  * New upstream release.
    - Fix several vulnerabilities. (closes: #757724)
      CVE-2014-2599, CVE-2014-3124,
      CVE-2014-3967, CVE-2014-3968,
      CVE-2014-4021

 -- Bastian Blank <waldi@debian.org>  Sun, 21 Sep 2014 10:45:47 +0200

xen (4.4.0-5) unstable; urgency=medium

  [ Ian Campbell ]
  * Expand on the descriptions of some packages. (Closes: #466683)
  * Clarify where xen-utils-common is required. (Closes: #612403)
  * No longer depend on gawk. Xen can now use any awk one of which is always
    present. (Closes: #589176)
  * Put core dumps in /var/lib/xen/dump and ensure it exists.
    (Closes: #444000)

  [ Bastian Blank ]
  * Handle JSON output from xl in xendomains init script.

 -- Bastian Blank <waldi@debian.org>  Sat, 06 Sep 2014 22:11:20 +0200

xen (4.4.0-4) unstable; urgency=medium

  [ Bastian Blank ]
  * Also remove unused OCaml packages from control file.
  * Make library packages multi-arch: same. (closes: #730417)
  * Use debhelper compat level 9. (closes: #692352)

  [ Ian Campbell ]
  * Correct contents of /etc/xen/scripts/hotplugpath.sh (Closes: #706283)
  * Drop references cpuperf-xen and cpuperf-perfcntr. (Closes: #733847)
  * Install xentrace_format(1), xentrace(8) and xentop(1). (Closes: #407143)

 -- Bastian Blank <waldi@debian.org>  Sat, 30 Aug 2014 13:34:04 +0200

xen (4.4.0-3) unstable; urgency=medium

  [ Ian Campbell ]
  * Use correct SeaBIOS binary which supports Xen (Closes: #737905).

  [ Bastian Blank ]
  * Really update config.{sub,guess}.

 -- Bastian Blank <waldi@debian.org>  Fri, 29 Aug 2014 16:33:19 +0200

xen (4.4.0-2) unstable; urgency=medium

  * Remove broken and unused OCaml-support.

 -- Bastian Blank <waldi@debian.org>  Mon, 18 Aug 2014 15:18:42 +0200

xen (4.4.0-1) unstable; urgency=medium

  [ Bastian Blank ]
  * New upstream release.
    - Update scripts for compatiblity with latest coreutils.
      (closes: #718898)
    - Fix guest reboot with xl toolstack. (closes: #727100)
    - CVE-2013-6375: Insufficient TLB flushing in VT-d (iommu) code.
      (closes: #730254)
    - xl support for global VNC options. (closes: #744157)
    - vif scripts can now be named relative to /etc/xen/scripts.
      (closes: #744160)
    - Support for arbitrary sized SeaBIOS binaries. (closes: #737905)
    - pygrub searches for extlinux.conf in the expected places.
      (closes: #697407)
    - Update scripts to use correct syntax for ip command.
      (closes: #705659)
  * Fix install of xend configs to not break compatibility.

  [ Ian Campbell ]
  * Disable blktap1 support using new configure option instead of by patching.
  * Disable qemu-traditional and rombios support using new configure option
    instead of by patching. No need to build-depend on ipxe any more.
  * Use system qemu-xen via new configure option instead of patching.
  * Use system seabios via new configure option instead of patching.
  * Use EXTRA_CFLAGS_XEN_TOOLS and APPEND_{CPPFLAGS,LDFLAGS} during build.
  * Add support for armhf and arm64.
  * Update config.{sub,guess}.

 -- Bastian Blank <waldi@debian.org>  Sat, 09 Aug 2014 13:09:00 +0200

xen (4.3.0-3) unstable; urgency=low

  * Revive hypervisor on i386.

 -- Bastian Blank <waldi@debian.org>  Fri, 18 Oct 2013 00:15:16 +0200

xen (4.3.0-2) unstable; urgency=low

  * Force proper install order. (closes: #721999)

 -- Bastian Blank <waldi@debian.org>  Sat, 05 Oct 2013 15:03:36 +0000

xen (4.3.0-1) unstable; urgency=low

  * New upstream release.
    - Fix HVM PCI passthrough. (closes: #706543)
  * Call configure with proper arguments.
  * Remove now empty xen-docs package.
  * Disable external code retrieval.
  * Drop all i386 hypervisor packages.
  * Drop complete blktap support.
  * Create /run/xen.
  * Make xen-utils recommend qemu-system-x86. (closes: #688311)
    - This version comes with audio support. (closes: #635166)
  * Make libxenlight and libxlutil public. (closes: #644390)
    - Set versioned ABI name.
    - Install headers.
    - Move libs into normal library path.
  * Use build flags in the tools build.
    - Fix fallout from harderning flags.
  * Update Standards-Version to 3.9.4. No changes.

 -- Bastian Blank <waldi@debian.org>  Thu, 05 Sep 2013 13:54:03 +0200

xen (4.2.2-1) unstable; urgency=low

  * New upstream release.
    - Fix build with gcc 4.8. (closes: #712376)
  * Build-depend on libssl-dev. (closes: #712366)
  * Enable hardening as much as possible.
  * Re-enable ocaml build fixes. (closes: #695176)
  * Check for out-of-bound values in CPU affinity setup.
    CVE-2013-2072
  * Fix information leak on AMD CPUs.
    CVE-2013-2076
  * Recover from faults on XRSTOR.
    CVE-2013-2077
  * Properly check guest input to XSETBV.
    CVE-2013-2078

 -- Bastian Blank <waldi@debian.org>  Thu, 11 Jul 2013 00:28:24 +0200

xen (4.2.1-2) unstable; urgency=low

  * Actually upload to unstable.

 -- Bastian Blank <waldi@debian.org>  Sun, 12 May 2013 00:20:58 +0200

xen (4.2.1-1) experimental; urgency=low

  * New upstream release.
  * Enable usage of seabios.
  * Fix some toolchain issues.

 -- Bastian Blank <waldi@debian.org>  Sat, 11 May 2013 23:55:46 +0200

xen (4.2.0-2) experimental; urgency=low

  * Support JSON output in domain init script helper.

 -- Bastian Blank <waldi@debian.org>  Mon, 01 Oct 2012 15:11:30 +0200

xen (4.2.0-1) experimental; urgency=low

  * New upstream release.

 -- Bastian Blank <waldi@debian.org>  Tue, 18 Sep 2012 13:54:30 +0200

xen (4.2.0~rc3-1) experimental; urgency=low

  * New upstream snapshot.

 -- Bastian Blank <waldi@debian.org>  Fri, 07 Sep 2012 20:28:46 +0200

xen (4.2.0~rc2-1) experimental; urgency=low

  * New upstream snapshot.
  * Build-depend against libglib2.0-dev and libyajl-dev.
  * Disable seabios build for now.
  * Remove support for Lenny and earlier.
  * Support build-arch and build-indep make targets.

 -- Bastian Blank <waldi@debian.org>  Sun, 13 May 2012 12:21:10 +0000

xen (4.1.4-4) unstable; urgency=high

  * Make several long runing operations preemptible.
    CVE-2013-1918
  * Fix source validation for VT-d interrupt remapping.
    CVE-2013-1952

 -- Bastian Blank <waldi@debian.org>  Thu, 02 May 2013 14:30:29 +0200

xen (4.1.4-3) unstable; urgency=high

  * Fix return from SYSENTER.
    CVE-2013-1917
  * Fix various problems with guest interrupt handling.
    CVE-2013-1919
  * Only save pointer after access checks.
    CVE-2013-1920
  * Fix domain locking for transitive grants.
    CVE-2013-1964

 -- Bastian Blank <waldi@debian.org>  Fri, 19 Apr 2013 13:01:57 +0200

xen (4.1.4-2) unstable; urgency=low

  * Use pre-device interrupt remapping mode per default. Fix removing old
    remappings.
    CVE-2013-0153

 -- Bastian Blank <waldi@debian.org>  Wed, 06 Feb 2013 13:04:52 +0100

xen (4.1.4-1) unstable; urgency=low

  * New upstream release.
    - Disable process-context identifier support in newer CPUs for all
      domains.
    - Add workarounds for AMD errata.
    - Don't allow any non-canonical addresses.
    - Use Multiboot memory map if BIOS emulation does not provide one.
    - Fix several problems in tmem.
      CVE-2012-3497
    - Fix error handling in domain creation.
    - Adjust locking and interrupt handling during S3 resume.
    - Tighten more resource and memory range checks.
    - Reset performance counters. (closes: #698651)
    - Remove special-case for first IO-APIC.
    - Fix MSI handling for HVM domains. (closes: #695123)
    - Revert cache value of disks in HVM domains.

 -- Bastian Blank <waldi@debian.org>  Thu, 31 Jan 2013 15:44:50 +0100

xen (4.1.3-8) unstable; urgency=high

  * Fix error in VT-d interrupt remapping source validation.
    CVE-2012-5634
  * Fix buffer overflow in qemu e1000 emulation.
    CVE-2012-6075
  * Update patch, mention second CVE.
    CVE-2012-5511, CVE-2012-6333

 -- Bastian Blank <waldi@debian.org>  Sat, 19 Jan 2013 13:55:07 +0100

xen (4.1.3-7) unstable; urgency=low

  * Fix clock jump due to incorrect annotated inline assembler.
    (closes: #599161)
  * Add support for XZ compressed Linux kernels to hypervisor and userspace
    based loaders, it is needed for any Linux kernels newer then Wheezy.
    (closes: #695056)

 -- Bastian Blank <waldi@debian.org>  Tue, 11 Dec 2012 18:54:59 +0100

xen (4.1.3-6) unstable; urgency=high

  * Fix error handling in physical to machine memory mapping.
    CVE-2012-5514

 -- Bastian Blank <waldi@debian.org>  Tue, 04 Dec 2012 10:51:43 +0100

xen (4.1.3-5) unstable; urgency=high

  * Fix state corruption due to incomplete grant table switch.
    CVE-2012-5510
  * Check range of arguments to several HVM operations.
    CVE-2012-5511, CVE-2012-6333
  * Check array index before using it in HVM memory operation.
    CVE-2012-5512
  * Check memory range in memory exchange operation.
    CVE-2012-5513
  * Don't allow too large memory size and avoid busy looping.
    CVE-2012-5515

 -- Bastian Blank <waldi@debian.org>  Mon, 03 Dec 2012 19:37:38 +0100

xen (4.1.3-4) unstable; urgency=high

  * Use linux 3.2.0-4 stuff.
  * Fix overflow in timer calculations.
    CVE-2012-4535
  * Check value of physical interrupts parameter before using it.
    CVE-2012-4536
  * Error out on incorrect memory mapping updates.
    CVE-2012-4537
  * Check if toplevel page tables are present.
    CVE-2012-4538
  * Fix infinite loop in compatibility code.
    CVE-2012-4539
  * Limit maximum kernel and ramdisk size.
    CVE-2012-2625, CVE-2012-4544

 -- Bastian Blank <waldi@debian.org>  Tue, 20 Nov 2012 15:51:01 +0100

xen (4.1.3-3) unstable; urgency=low

  * Xen domain init script:
    - Make sure Open vSwitch is started before any domain.
    - Properly handle and show output of failed migration and save.
    - Ask all domains to shut down before checking them.

 -- Bastian Blank <waldi@debian.org>  Tue, 18 Sep 2012 13:26:32 +0200

xen (4.1.3-2) unstable; urgency=medium

  * Don't allow writing reserved bits in debug register.
    CVE-2012-3494
  * Fix error handling in interrupt assignment.
    CVE-2012-3495
  * Don't trigger bug messages on invalid flags.
    CVE-2012-3496
  * Check array bounds in interrupt assignment.
    CVE-2012-3498
  * Properly check bounds while setting the cursor in qemu.
    CVE-2012-3515
  * Disable monitor in qemu by default.
    CVE-2012-4411

 -- Bastian Blank <waldi@debian.org>  Fri, 07 Sep 2012 19:41:46 +0200

xen (4.1.3-1) unstable; urgency=medium

  * New upstream release: (closes: #683286)
    - Don't leave the x86 emulation in a bad state. (closes: #683279)
      CVE-2012-3432
    - Only check for shared pages while any exist on teardown.
      CVE-2012-3433
    - Fix error handling for unexpected conditions.
    - Update CPUID masking to latest Intel spec.
    - Allow large ACPI ids.
    - Fix IOMMU support for PCI-to-PCIe bridges.
    - Disallow access to some sensitive IO-ports.
    - Fix wrong address in IOTLB.
    - Fix deadlock on CPUs without working cpufreq driver.
    - Use uncached disk access in qemu.
    - Fix buffer size on emulated e1000 device in qemu.
  * Fixup broken and remove applied patches.

 -- Bastian Blank <waldi@debian.org>  Fri, 17 Aug 2012 11:25:02 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-5) unstable; urgency=low

  [ Ian Campbell ]
  * Set tap device MAC addresses to fe:ff:ff:ff:ff:ff (Closes: #671018)
  * Only run xendomains initscript if toolstack is xl or xm (Closes: #680528)

  [ Bastian Blank ]
  * Actually build-depend on new enough version of dpkg-dev.
  * Add xen-sytem-* meta-packages. We are finally in a position to do
    automatic upgrades and this package is missing. (closes: #681376)

 -- Bastian Blank <waldi@debian.org>  Sat, 28 Jul 2012 10:23:26 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-4) unstable; urgency=low

  * Add Build-Using info to xen-utils package.
  * Fix build-arch target.

 -- Bastian Blank <waldi@debian.org>  Sun, 01 Jul 2012 19:52:30 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-3) unstable; urgency=low

  * Remove /usr/lib/xen-default. It breaks systems if xenstored is not
    compatible.
  * Fix init script usage.
  * Fix udev rules for emulated network devices:
    - Force names of emulated network devices to a predictable name.

 -- Bastian Blank <waldi@debian.org>  Sun, 01 Jul 2012 16:59:04 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-2) unstable; urgency=low

  * Fix pointer missmatch in interrupt functions. Fixes build on i386.

 -- Bastian Blank <waldi@debian.org>  Fri, 15 Jun 2012 18:00:51 +0200

xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-1) unstable; urgency=low

  * New upstream snapshot.
    - Fix privilege escalation and syscall/sysenter DoS while using
      non-canonical addresses by untrusted PV guests. (closes: #677221)
      CVE-2012-0217
      CVE-2012-0218
    - Disable Xen on CPUs affected by AMD Erratum #121. PV guests can
      cause a DoS of the host.
      CVE-2012-2934
  * Don't fail if standard toolstacks are not available. (closes: #677244)

 -- Bastian Blank <waldi@debian.org>  Thu, 14 Jun 2012 17:06:25 +0200

xen (4.1.2-7) unstable; urgency=low

  * Really use ucf.
  * Update init script dependencies:
    - Start $syslog before xen.
    - Start drbd and iscsi before xendomains. (closes: #626356)
    - Start corosync and heartbeat after xendomains.
  * Remove /var/log/xen on purge. (closes: #656216)

 -- Bastian Blank <waldi@debian.org>  Tue, 22 May 2012 10:44:41 +0200

xen (4.1.2-6) unstable; urgency=low

  * Fix generation of architectures for hypervisor packages.
  * Remove information about loop devices, it is incorrect. (closes: #503044)
  * Update xendomains init script:
    - Create directory for domain images only root readable. (closes: #596048)
    - Add missing sanity checks for variables. (closes: #671750)
    - Remove not longer supported config options.
    - Don't fail if no config is available.
    - Remove extra output if domain was restored.

 -- Bastian Blank <waldi@debian.org>  Sun, 06 May 2012 20:07:41 +0200

xen (4.1.2-5) unstable; urgency=low

  * Actually force init script rename. (closes: #669341)
  * Fix long output from xl.
  * Move complete init script setup.
  * Rewrite xendomains init script:
    - Use LSB output functions.
    - Make output more clear.
    - Use xen toolstack wrapper.
    - Use a python script to properly read domain details.
  * Set name for Domain-0.

 -- Bastian Blank <waldi@debian.org>  Mon, 23 Apr 2012 11:56:45 +0200

xen (4.1.2-4) unstable; urgency=low

  [ Bastian Blank ]
  * Build-depend on ipxe-qemu instead of ipxe. (closes: #665070)
  * Don't longer use a4wide latex package.
  * Use ucf for /etc/default/xen.
  * Remove handling for old udev rules link and xenstored directory.
  * Rename xend init script to xen.

  [ Lionel Elie Mamane ]
  * Fix toolstack script to work with old dash. (closes: #648029)

 -- Bastian Blank <waldi@debian.org>  Mon, 16 Apr 2012 08:47:29 +0000

xen (4.1.2-3) unstable; urgency=low

  * Merge xen-common source package.
  * Remove xend wrapper, it should not be called by users.
  * Support xl in init script.
  * Restart xen daemons on upgrade.
  * Restart and stop xenconsoled in init script.
  * Load xen-gntdev module.
  * Create /var/lib/xen. (closes: #658101)
  * Cleanup udev rules. (closes: #657745)

 -- Bastian Blank <waldi@debian.org>  Wed, 01 Feb 2012 19:28:28 +0100

xen (4.1.2-2) unstable; urgency=low

  [ Jon Ludlam ]
  * Import (partially reworked) upstream changes for OCaml support.
    - Rename the ocamlfind packages.
    - Remove uuid and log libraries.
    - Fix 2 bit-twiddling bugs and an off-by-one
  * Fix build of OCaml libraries.
  * Add OCaml library and development package.
  * Include some missing headers.

 -- Bastian Blank <waldi@debian.org>  Sat, 10 Dec 2011 19:13:25 +0000

xen (4.1.2-1) unstable; urgency=low

  * New upstream release.
  * Build-depend on pkg-config.
  * Add package libxen-4.1. Includes some shared libs.

 -- Bastian Blank <waldi@debian.org>  Sat, 26 Nov 2011 18:28:06 +0100

xen (4.1.1-3) unstable; urgency=low

  [ Julien Danjou ]
  * Remove Julien Danjou from the Uploaders field. (closes: #590439)

  [ Bastian Blank ]
  * Use current version of python. (closes: #646660)
  * Build-depend against liblzma-dev, it is used if available.
    (closes: #646694)
  * Update Standards-Version to 3.9.2. No changes.
  * Don't use brace-expansion in debhelper install files.

 -- Bastian Blank <waldi@debian.org>  Wed, 26 Oct 2011 14:42:33 +0200

xen (4.1.1-2) unstable; urgency=low

  * Fix hvmloader with gcc 4.6.

 -- Bastian Blank <waldi@debian.org>  Fri, 05 Aug 2011 23:58:36 +0200

xen (4.1.1-1) unstable; urgency=low

  * New upstream release.
  * Don't use qemu-dm if it is not needed. (Backport from xen-unstable.)
  * Use dh_python2.

 -- Bastian Blank <waldi@debian.org>  Mon, 18 Jul 2011 19:38:38 +0200

xen (4.1.0-3) unstable; urgency=low

  * Add ghostscript to build-deps.
  * Enable qemu-dm build.
    - Add qemu as another orig tar.
    - Remove blktap1, bluetooth and sdl support from qemu.
    - Recommend qemu-keymaps and qemu-utils.

 -- Bastian Blank <waldi@debian.org>  Thu, 28 Apr 2011 15:20:45 +0200

xen (4.1.0-2) unstable; urgency=low

  * Re-enable hvmloader:
    - Use packaged ipxe.
  * Workaround incompatibility with xenstored of Xen 4.0.

 -- Bastian Blank <waldi@debian.org>  Fri, 15 Apr 2011 11:38:25 +0200

xen (4.1.0-1) unstable; urgency=low

  * New upstream release.

 -- Bastian Blank <waldi@debian.org>  Sun, 27 Mar 2011 18:09:28 +0000

xen (4.1.0~rc6-1) unstable; urgency=low

  * New upstream release candidate.
  * Build documentation using pdflatex.
  * Use python 2.6. (closes: #596545)
  * Fix lintian override.
  * Install new tools: xl, xenpaging.
  * Enable blktap2.
    - Use own md5 implementation.
    - Fix includes.
    - Fix linking of blktap2 binaries.
    - Remove optimization setting.
  * Temporarily disable hvmloader, wants to download ipxe.
  * Remove xenstored pid check from xl.

 -- Bastian Blank <waldi@debian.org>  Thu, 17 Mar 2011 16:12:45 +0100

xen (4.0.1-2) unstable; urgency=low

  * Fix races in memory management.
  * Make sure that frame-table compression leaves enough alligned.
  * Disable XSAVE support. (closes: #595490)
  * Check for dying domain instead of raising an assertion.
  * Add C6 state with EOI errata for Intel.
  * Make some memory management interrupt safe. Unsure if really needed.
  * Raise bar for inter-socket migrations on mostly-idle systems.
  * Fix interrupt handling for legacy routed interrupts.
  * Allow to set maximal domain memory even during a running change.
  * Support new partition name in pygrub. (closes: #599243)
  * Fix some comparisions "< 0" that may be optimized away.
  * Check for MWAIT support before using it.
  * Fix endless loop on interrupts on Nehalem cpus.
  * Don't crash upon direct GDT/LDT access. (closes: #609531)
    CVE-2010-4255
  * Don't loose timer ticks after domain restore.
  * Reserve some space for IOMMU area in dom0. (closes: #608715)
  * Fix hypercall arguments after trace callout.
  * Fix some error paths in vtd support. Memory leak.
  * Reinstate ACPI DMAR table.

 -- Bastian Blank <waldi@debian.org>  Wed, 12 Jan 2011 15:01:40 +0100

xen (4.0.1-1) unstable; urgency=low

  * New upstream release.
    - Fix IOAPIC S3 with interrupt remapping enabled.

 -- Bastian Blank <waldi@debian.org>  Fri, 03 Sep 2010 17:14:28 +0200

xen (4.0.1~rc6-1) unstable; urgency=low

  * New upstream release candidate.
    - Add some missing locks for page table walk.
    - Fix NMU injection into guest.
    - Fix ioapic updates for vt-d.
    - Add check for GRUB2 commandline behaviour.
    - Fix handling of invalid kernel images.
    - Allow usage of powernow.
  * Remove lowlevel python modules usage from pygrub. (closes: #588811)

 -- Bastian Blank <waldi@debian.org>  Tue, 17 Aug 2010 23:15:34 +0200

xen (4.0.1~rc5-1) unstable; urgency=low

  * New upstream release candidate.

 -- Bastian Blank <waldi@debian.org>  Mon, 02 Aug 2010 17:06:27 +0200

xen (4.0.1~rc3-1) unstable; urgency=low

  * New upstream release candidate.
  * Call dh_pyversion with the correct version.
  * Restart xen daemon on upgrade.

 -- Bastian Blank <waldi@debian.org>  Wed, 30 Jun 2010 16:30:47 +0200

xen (4.0.0-2) unstable; urgency=low

  * Fix python dependency. (closes: #586666)
    - Use python-support.
    - Hardcode to use python 2.5 for now.

 -- Bastian Blank <waldi@debian.org>  Mon, 21 Jun 2010 17:23:16 +0200

xen (4.0.0-1) unstable; urgency=low

  * Update to unstable.
  * Fix spelling in README.
  * Remove unnecessary build-depends.
  * Fixup xend to use different filename lookup.

 -- Bastian Blank <waldi@debian.org>  Thu, 17 Jun 2010 11:16:55 +0200

xen (4.0.0-1~experimental.2) experimental; urgency=low

  * Merge changes from 3.4.3-1.

 -- Bastian Blank <waldi@debian.org>  Fri, 28 May 2010 12:58:12 +0200

xen (4.0.0-1~experimental.1) experimental; urgency=low

  * New upstream version.
  * Rename source package to xen.
  * Build depend against iasl and uuid-dev.
  * Disable blktap2 support, it links against OpenSSL.
  * Update copyright file.

 -- Bastian Blank <waldi@debian.org>  Thu, 06 May 2010 15:47:38 +0200

xen-3 (3.4.3-1) unstable; urgency=low

  * New upstream version.
  * Disable blktap support, it is unusable with current kernels.
  * Disable libaio, was only used by blktap.
  * Drop device creation support. (closes: #583283)

 -- Bastian Blank <waldi@debian.org>  Fri, 28 May 2010 11:43:18 +0200

xen-3 (3.4.3~rc6-1) unstable; urgency=low

  * New upstream release candidate.
    - Relocate multiboot modules. (closes: #580045)
    - Support grub2 in pygrub. (closes: #573311)

 -- Bastian Blank <waldi@debian.org>  Sat, 08 May 2010 11:32:29 +0200

xen-3 (3.4.3~rc3-2) unstable; urgency=low

  * Again list the complete version in the hypervisor.
  * Fix path detection for bootloader, document it. (closes: #481105)
  * Rewrite README.

 -- Bastian Blank <waldi@debian.org>  Thu, 08 Apr 2010 16:14:58 +0200

xen-3 (3.4.3~rc3-1) unstable; urgency=low

  * New upstream release candidate.
  * Use 3.0 (quilt) source format.
  * Always use current python version.

 -- Bastian Blank <waldi@debian.org>  Mon, 01 Mar 2010 22:14:22 +0100

xen-3 (3.4.2-2) unstable; urgency=low

  * Remove Jeremy T. Bouse from uploaders.
  * Export blktap lib and headers.
  * Build amd64 hypervisor on i386. (closes: #366315)

 -- Bastian Blank <waldi@debian.org>  Sun, 22 Nov 2009 16:54:47 +0100

xen-3 (3.4.2-1) unstable; urgency=low

  * New upstream version.
  * Strip hvmloader by hand.
  * Remove extra license file from libxen-dev.

 -- Bastian Blank <waldi@debian.org>  Mon, 16 Nov 2009 20:57:07 +0100

xen-3 (3.4.1-1) unstable; urgency=low

  * New upstream version.

 -- Bastian Blank <waldi@debian.org>  Fri, 21 Aug 2009 21:34:38 +0200

xen-3 (3.4.0-2) unstable; urgency=low

  * Add symbols file for libxenstore3.0. (closes: #536173)
  * Document that ioemu is currently unsupported. (closes: #536175)
  * Fix location of fsimage plugins. (closes: #536174)

 -- Bastian Blank <waldi@debian.org>  Sat, 18 Jul 2009 18:05:35 +0200

xen-3 (3.4.0-1) unstable; urgency=low

  [ Bastian Blank ]
  * New upstream version.
  * Remove ioemu for now. (closes: #490409, #496367)
  * Remove non-pae hypervisor.
  * Use debhelper compat level 7.
  * Make the init script start all daemons.

 -- Bastian Blank <waldi@debian.org>  Tue, 30 Jun 2009 22:33:22 +0200

xen-3 (3.2.1-2) unstable; urgency=low

  * Use e2fslibs based ext2 support for pygrub. (closes: #476366)
  * Fix missing checks in pvfb code.
    See CVE-2008-1952. (closes: #487095)
  * Add support for loading bzImage files. (closes: #474509)
  * Enable TLS support in ioemu code.
  * Drop libcrypto usage because of GPL-incompatibility.
  * Remove AES code from blktap drivers. Considered broken.

 -- Bastian Blank <waldi@debian.org>  Sat, 28 Jun 2008 11:30:43 +0200

xen-3 (3.2.1-1) unstable; urgency=low

  * New upstream version.
  * Set rpath relative to ${ORIGIN}.
  * Add lintian override to xen-utils package.

 -- Bastian Blank <waldi@debian.org>  Thu, 22 May 2008 14:01:47 +0200

xen-3 (3.2.0-5) unstable; urgency=low

  * Provide correct directory to dh_pycentral.

 -- Bastian Blank <waldi@debian.org>  Mon, 14 Apr 2008 21:43:49 +0200

xen-3 (3.2.0-4) unstable; urgency=low

  * Pull in newer xen-utils-common.
  * Fix missing size checks in the ioemu block driver. (closes: #469654)
    See: CVE-2008-0928

 -- Bastian Blank <waldi@debian.org>  Fri, 07 Mar 2008 14:21:38 +0100

xen-3 (3.2.0-3) unstable; urgency=low

  * Clean environment for build.
  * Add packages libxenstore3.0 and xenstore-utils.
  * Move docs package in docs section to match overwrites.
  * Make the hypervisor only recommend the utils.
  * Cleanup installation. (closes: #462989)

 -- Bastian Blank <waldi@debian.org>  Tue, 12 Feb 2008 12:40:56 +0000

xen-3 (3.2.0-2) unstable; urgency=low

  * Fix broken patch. (closes: #462522)

 -- Bastian Blank <waldi@debian.org>  Sat, 26 Jan 2008 17:21:52 +0000

xen-3 (3.2.0-1) unstable; urgency=low

  * New upstream version.
  * Add package libxen-dev. Including public headers and static libs.
    (closes: #402249)
  * Don't longer install xenfb, removed upstream.

 -- Bastian Blank <waldi@debian.org>  Tue, 22 Jan 2008 12:51:49 +0000

xen-3 (3.1.2-2) unstable; urgency=low

  * Add missing rpath definitions.
  * Fix building of pae version.

 -- Bastian Blank <waldi@debian.org>  Sat, 08 Dec 2007 12:07:42 +0000

xen-3 (3.1.2-1) unstable; urgency=high

  * New upstream release:
    - Move shared file into /var/run. (closes: #447795)
      See CVE-2007-3919.
    - x86: Fix various problems with debug-register handling. (closes: #451626)
      See CVE-2007-5906.

 -- Bastian Blank <waldi@debian.org>  Sat, 24 Nov 2007 13:24:45 +0000

xen-3 (3.1.1-1) unstable; urgency=low

  * New upstream release:
    - Don't use exec with untrusted values in pygrub. (closes: #444430)
      See CVE-2007-4993.

 -- Bastian Blank <waldi@debian.org>  Fri, 19 Oct 2007 16:02:37 +0000

xen-3 (3.1.0-2) unstable; urgency=low

  * Switch to texlive for documentation.
  * Drop unused transfig.
  * Drop unused latex features from documentation.
  * Build depend against gcc-multilib for amd64. (closes: #439662)

 -- Bastian Blank <waldi@debian.org>  Fri, 31 Aug 2007 08:15:50 +0000

xen-3 (3.1.0-1) unstable; urgency=low

  [ Julien Danjou ]
  * New upstream version.

  [ Ralph Passgang ]
  * Added graphviz to Build-Indeps

  [ Bastian Blank ]
  * Upstream removed one part of the version. Do it also.
  * Merge utils packages.
  * Install blktap support.
  * Install pygrub.
  * Install xenfb tools.
  * xenconsoled startup is racy, wait a little bit.

 -- Bastian Blank <waldi@debian.org>  Mon, 20 Aug 2007 15:05:08 +0000

xen-3.0 (3.0.4-1-1) unstable; urgency=low

  [ Bastian Blank ]
  * New upstream version (closes: #394411)

  [ Guido Trotter ]
  * Actually try to build and release xen 3.0.4
  * Update build dependencies

 -- Guido Trotter <ultrotter@debian.org>  Wed, 23 May 2007 11:57:29 +0100

xen-3.0 (3.0.3-0-2) unstable; urgency=medium

  [Bastian Blank]
  * Remove device recreate code.
  * Remove build dependency on linux-support-X

  [ Guido Trotter ]
  * Add missing build dependency on zlib1g-dev (closes: #396557)
  * Add missing build dependencies on libncurses5-dev and x11proto-core-dev
    (closes: #396561, #396567)

 -- Guido Trotter <ultrotter@debian.org>  Thu,  2 Nov 2006 16:38:02 +0000

xen-3.0 (3.0.3-0-1) unstable; urgency=low

  * New upstream version.

 -- Bastian Blank <waldi@debian.org>  Fri, 20 Oct 2006 11:04:35 +0000

xen-3.0 (3.0.3~rc4+hg11760-1) unstable; urgency=low

  * New upstream snapshot.
  * Ignore update-grub errors. (closes: #392534)

 -- Bastian Blank <waldi@debian.org>  Sat, 14 Oct 2006 13:09:53 +0000

xen-3.0 (3.0.3~rc1+hg11686-1) unstable; urgency=low

  * New upstream snapshot.
  * Rename ioemu package to include the complete version.
  * Fix name of hypervisor. (closes: #391771)

 -- Bastian Blank <waldi@debian.org>  Mon,  9 Oct 2006 12:48:13 +0000

xen-3.0 (3.0.2-3+hg9762-1) unstable; urgency=low

  * New upstream snapshot.
  * Rename hypervisor and utils packages to include the complete version.
  * Redo build environment.

 -- Bastian Blank <waldi@debian.org>  Mon,  4 Sep 2006 18:43:12 +0000

xen-3.0 (3.0.2+hg9697-2) unstable; urgency=low

  [ Guido Trotter ]
  * Update xen-utils' README.Debian (closes: #372524)

  [ Bastian Blank ]
  * Adopt new python policy. (closes: #380990)
  * Add patch to make new kernels working on the hypervisor.

 -- Bastian Blank <waldi@debian.org>  Tue, 15 Aug 2006 19:20:08 +0000

xen-3.0 (3.0.2+hg9697-1) unstable; urgency=low

  [ Guido Trotter ]
  * Update Standards Version
  * Merge upstream fixes trunk (upstream 3.0.2-3 + a couple of fixes)

  [ Bastian Blank ]
  * Add xen-ioemu-3.0 package to support HVM guests (closes: #368496)

 -- Guido Trotter <ultrotter@debian.org>  Wed, 31 May 2006 10:50:05 +0200

xen-3.0 (3.0.2+hg9681-1) unstable; urgency=low

  * Update xen-hypervisor-3.0-i386 and xen-hypervisor-3.0-i386-pae
    descriptions, specifying what the difference between the two packages is
    (closes: #366019)
  * Merge upstream fixes trunk

 -- Guido Trotter <ultrotter@debian.org>  Thu, 18 May 2006 15:25:02 +0200

xen-3.0 (3.0.2+hg9656-1) unstable; urgency=low

  * Merge upstream fixes trunk
    - This includes a fix for CVE-2006-1056

 -- Guido Trotter <ultrotter@debian.org>  Thu, 27 Apr 2006 17:34:03 +0200

xen-3.0 (3.0.2+hg9651-1) unstable; urgency=low

  * Merge upstream fixes trunk
  * Fix PAE disabled in pae build (Closes: #364875)

 -- Julien Danjou <acid@debian.org>  Wed, 26 Apr 2006 13:19:39 +0200

xen-3.0 (3.0.2+hg9646-1) unstable; urgency=low

  [ Guido Trotter ]
  * Merge upstream fixes trunk

  [ Bastian Blank ]
  * debian/patches/libdir.dpatch: Update to make xm save work

 -- Julien Danjou <acid@debian.org>  Mon, 24 Apr 2006 18:02:07 +0200

xen-3.0 (3.0.2+hg9611-1) unstable; urgency=low

  * Merge upstream bug fixes
  * Fix bug with xend init.d script

 -- Julien Danjou <acid@debian.org>  Wed, 12 Apr 2006 17:35:35 +0200

xen-3.0 (3.0.2+hg9598-1) unstable; urgency=low

  * New upstream release
  * Fix copyright file

 -- Julien Danjou <acid@debian.org>  Mon, 10 Apr 2006 17:02:55 +0200

xen-3.0 (3.0.1+hg8762-1) unstable; urgency=low

  * The "preserve our homes" release
  * Now cooperatively maintained by the Debian Xen Team
  * New upstream release (closes: #327493, #342249)
  * Build depend on transfig (closes: #321157)
  * Use gcc rather than gcc-3.4 to compile (closes: #323698)
  * Split xen-hypervisor-3.0 and xen-utils-3.0
  * Build both normal and pae hypervisor packages
  * Change maintainer and add uploaders field
  * Add force-reload support for init script xendomains
  * Remove dependency against bash
  * Bump standards version to 3.6.2.2
  * xen-utils-3.0 conflicts and replaces xen
  * Add dpatch structure to the package
  * Remove build-dependency on gcc (it's build essential anyway)
  * Make SrvServer.py not executable
  * Create NEWS.Debian file with important upgrade notices
  * Update copyright file
  * Remove the linux-patch-xen package
  * Removed useless build-dependencies: libncurses5-dev, wget
  * Changed xendomains config path to /etc/default
  * xen-utils-3.0 now provides xen-utils and xen-hypervisor-3.0-i386 &
    xen-hypervisor-3.0-i386-pae & xen-hypervizor-amd64 now provide
    xen-hypervisor
  * Made xen-utils-3.0.postinst more fault-tolerant, so that upgrading
    xen2 -> xen3 don't fail because of a running xen2 hypervisor
  * Updated the "Replaces & Conflicts"
  * Install only and correctly udev files
  * Compile date is no more in current locale
  * Add patch which add the debian version and maintainer in the version
    string and removes the banner.
  * Don't install unusable cruft in xen-utils
  * Remove libxen packages (no stable API/ABI)

 -- Julien Danjou <acid@debian.org>  Wed,  5 Apr 2006 16:05:07 +0200

xen (2.0.6-1) unstable; urgency=low

  * Patches applied upstream: non-xen-init-exit.patch, add-build.patch,
    python-install.patch, disable-html-docs.patch.
  * New upstream released.  Closes: #311336.
  * Remove comparison to UML from xen short description.  Closes: #317066.
  * Make packages conflicts with 1.2 doc debs.  Closes: #304285.
  * Add iproute to xen depends, as it uses /bin/ip.  Closes: #300488,
    #317468.

 -- Adam Heath <doogie@brainfood.com>  Wed, 06 Jul 2005 12:35:50 -0500

xen (2.0.5-3) experimental; urgency=low

  * Change priority/section to match the overrides file.

 -- Adam Heath <doogie@brainfood.com>  Fri, 18 Mar 2005 12:43:50 -0600

xen (2.0.5-2) experimental; urgency=low

  * Mike McCallister <mike+debian@metalogue.com>,
    Tommi Virtanen <tv@debian.org>, Tom Hibbert <tom@nsp.co.nz>:
    Fix missing '.' in update-rc.d call in xen.postinst.  Closes: #299384

 -- Adam Heath <doogie@brainfood.com>  Fri, 18 Mar 2005 11:39:56 -0600

xen (2.0.5-1) experimental; urgency=low

  * New upstream.
  * Remove pic-lib.patch, tools-misc-TARGETS.patch, and clean-mttr.patch
    as they have been applied upstream(in various forms).
  * xend now starts at priority 20, stops at 21, while xendomains starts
    at 21, and stops at 20.

 -- Adam Heath <doogie@brainfood.com>  Fri, 11 Mar 2005 14:33:33 -0600

xen (2.0.4-4) experimental; urgency=low

  * Bah, major booboo.  Add /boot to debian/xen.install, so xen.gz will
    get shipped.  Reported by Clint Adams <schizo@debian.org>.

 -- Adam Heath <doogie@brainfood.com>  Tue, 15 Feb 2005 13:00:57 -0600

xen (2.0.4-3) experimental; urgency=low

  * Fix file overlap(/usr/share/doc/xen/examples/*) between xen and
    xen-docs.  Reported by Tupshin Harper <tupshin@tupshin.com>.

 -- Adam Heath <doogie@brainfood.com>  Sun, 06 Feb 2005 01:22:45 -0600

xen (2.0.4-2) experimental; urgency=low

  * Fix kernel patch generation.  It was broken when I integrated with
    debian's kernel source.  I used a symlink, and diff doesn't follow
    those.

 -- Adam Heath <doogie@brainfood.com>  Sat, 05 Feb 2005 18:16:35 -0600

xen (2.0.4-1) experimental; urgency=low

  * New upstream.
  * xen.deb can now install on a plain kernel; that is, the init scripts
    exit successfully if /proc/xen/privcmd doesn't exist.  This allows
    for dual-boot setups.
  * Manpages do not yet exist xend, xenperf, xensv, xfrd, nor xm.  xend
    xfrd are daemons, and take little if any options.  I've not had a need
    to use xenperf nor xensv yet.  xm has nice built in help(xm help).
  * Upstream now requires either linux 2.4.29, or 2.6.10.  Since 2.4.29 is
    not yet in debian, disable the 2.4 patch generation.  Closes: #271245.
  * Not certain how the kernel-patch-xen was empty.  It's not now, with
    the repackaging.  Closes: #272299.
  * Xen no longer produces kernel images, so problems about missing features
    are no longer valid.  Closes: #253924.
  * Acknowledge nmu bugs:
    * No longer build-depend on gcc 3.3, as the default gcc works. Closes:
      #243048.

 -- Adam Heath <doogie@brainfood.com>  Sat, 05 Feb 2005 18:04:27 -0600

xen (2.0.3-0.1) unstable; urgency=low

  * Changes from Tommi Virtanen:
    * Added dh-kpatches and libcurl3-dev to Build-Depends.
    * Add /etc/xen/sv/params.py and /etc/xen/xend/params.py.
    * Add xmexample1 and xmexample2 to xen/doc/examples.

 -- Adam Heath <doogie@brainfood.com>  Wed, 26 Jan 2005 10:55:07 -0600

xen (2.0.3-0) unstable; urgency=low

  * New upstream.  Closes: #280733.
  * Repackaged from scratch.
  * Using unreleased patch management system.  See debian/README.build.
    * After extracting the .dsc, there are no special steps needed
    * Those wanting to change the source, use the normal procedures for
      any package, including using interdiff(or other tool) to send a
      patch to me or the bts.
  * No longer try to do anything fancy with regard to the layout of the
    built kernels.  Now, only patches are distributed.  Please make use of
    the xen support in kernel-package.
  * Early preview release to #debian-devel.

 -- Adam Heath <doogie@brainfood.com>  Tue, 25 Jan 2005 13:24:54 -0600

xen (1.2-4.1) unstable; urgency=high

  * NMU
  * Remove gcc-3.2 from Build-Depends as isn't used during build
    (Closes: #243048)

 -- Frank Lichtenheld <djpig@debian.org>  Sat, 21 Aug 2004 17:42:28 +0200

xen (1.2-4) unstable; urgency=low

  * Added xen-docs.README.Debian, which explains the kernel image layout,
    and contains references on the locations differ from what is mentioned
    by the upstream documentation.  Closes: #230345.

 -- Adam Heath <doogie@brainfood.com>  Fri, 26 Mar 2004 17:36:41 -0600

xen (1.2-3) unstable; urgency=low

  * Add kernel-source-2.4.25 and kernel-patch-debian-2.4.25 to
    Build-Depends-Indep.

 -- Adam Heath <doogie@brainfood.com>  Tue, 23 Mar 2004 20:14:39 -0600

xen (1.2-2) unstable; urgency=low

  * xen: moved /boot/xen.gz to /usr/lib/kernels/xen-i386/images/vmlinuz
  * kernel-image, kernel-modules: swapped i386/xeno to xeno/i386 in
    /usr/lib/kernels.
  * Add kernel-patch-nfs-swap deb.
  * Apply additional patches to kernel-image-xen:
    * nfs-group
    * nfs-swap

 -- Adam Heath <doogie@brainfood.com>  Thu, 04 Mar 2004 12:47:47 -0600

xen (1.2-1) unstable; urgency=low

  * Initial version.

 -- Adam Heath <doogie@brainfood.com>  Tue, 02 Mar 2004 13:21:52 -0600