From 13509e2fb731b75015fc1eb4f4ff0186e9c11d4f Mon Sep 17 00:00:00 2001
From: Fernando Rodrigues
Date: Tue, 8 Jul 2025 11:12:33 -0300
Subject: [PATCH] xen: 4.20.0 -> 4.20.1
https://xenbits.xen.org/xsa/advisory-471.html
Researchers from Microsoft and ETH Zurich have discovered several new speculative sidechannel attacks which bypass current protections. They are detailed in a paper titled "Enter, Exit, Page Fault, Leak: Testing Isolation Boundaries for Microarchitectural Leaks".
Two issues, which AMD have named Transitive Scheduler Attacks, utilise timing information from instruction execution. These are:
* CVE-2024-36350: TSA-SQ (TSA in the Store Queues)
* CVE-2024-36357: TSA-L1 (TSA in the L1 data cache)
For more information, see:
https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7029.html
https://aka.ms/enter-exit-leak
Signed-off-by: Fernando Rodrigues
---
 pkgs/by-name/xe/xen/package.nix | 43 +++------------------------------
 1 file changed, 3 insertions(+), 40 deletions(-)
diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index 50921f5a400d..b20f5ac95710 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -3,7 +3,6 @@
 stdenv,
 testers,
 fetchgit,
- fetchpatch,
 replaceVars,
 # Xen
@@ -172,7 +171,7 @@ in
 stdenv.mkDerivation (finalAttrs: {
 pname = "xen";
- version = "4.20.0";
+ version = "4.20.1";
 # This attribute can be overriden to correct the file paths in
 # `passthru` when building an unstable Xen.
@@ -184,42 +183,6 @@ stdenv.mkDerivation (finalAttrs: {
 ./0001-makefile-efi-output-directory.patch
 (replaceVars ./0002-scripts-external-executable-calls.patch scriptDeps)
-
- # XSA #469
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-01.patch";
- hash = "sha256-go743oBhYDuxsK0Xc6nK/WxutQQwc2ERtLKhCU9Dnng=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-02.patch";
- hash = "sha256-FTtEGAPFYxsun38hLhVMKJ1TFJOsTMK3WWPkO0R/OHg=sha256-FTtEGAPFYxsun38hLhVMKJ1TFJOsTMK3WWPkO0R/OHg=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-03.patch";
- hash = "sha256-UkYMSpUgFvr4GJPXLgQsCyppGkNbeiFMyCZORK5tfmA=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-04.patch";
- hash = "sha256-lpiDPSHi+v2VfaWE9kp4+hveZKTzojD1F+RHsOtKE3A=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-05.patch";
- hash = "sha256-N+WR8S5w9dLISlOhMI71TOH8jvCgVAR8xm310k3ZA/M=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-06.patch";
- hash = "sha256-ePuyB3VP9NfQbW36BP3jjMMHKJWFJGeTYUYZqy+IlHQ=";
- })
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa469/xsa469-4.20-07.patch";
- hash = "sha256-+BsCJa01R2lrbu7tEluGrYSAqu2jJcrpFNUoLMY466c=";
- })
-
- # XSA #470
- (fetchpatch {
- url = "https://xenbits.xenproject.org/xsa/xsa470.patch";
- hash = "sha256-zhMZ6pCZtt0ocgsMFVqthMaof46lMMTaYmlepMXVJqM=";
- })
 ];
 outputs = [
@@ -232,8 +195,8 @@ stdenv.mkDerivation (finalAttrs: {
 src = fetchgit {
 url = "https://xenbits.xenproject.org/git-http/xen.git";
- rev = "3ad5d648cda5add395f49fc3704b2552aae734f7";
- hash = "sha256-v2DRJv+1bym8zAgU74lo1HQ/9rUcyK3qc4Eec4RpcEY=";
+ rev = "08f043965a7b1047aabd6d81da6b031465f2d797";
+ hash = "sha256-a4dIJBY5aeznXPoI8nSipMgimmww7ejoQ1GE28Gq13o=";
 };
 strictDeps = true;
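Review bot: The new `rev` in the `src = fetchgit` block is a bare commit id with nothing beside it tying it to the 4.20.1 release, while the preceding hunk of this file drops every XSA-469 and XSA-470 `fetchpatch` entry on the assumption that this commit already contains them. I would add a comment above `rev`, for example `# Upstream 4.20.1 release commit; contains the XSA-469 and XSA-470 fixes formerly applied as patches`, after checking that against the upstream history, so a later reader can verify the pin and does not have to rediscover why the patch list shrank. The commit message cites XSA-471, but nothing in the diff shows that this commit carries that fix; as far as I know the TSA mitigation also depends on updated AMD microcode, so both are worth confirming before the bump is treated as the complete remediation. The `stdenv.mkDerivation` body starts and ends outside this hunk.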