Description: Incomplete fix for CVE-2015-2150
References:
 http://xenbits.xen.org/xsa/advisory-120.html
 http://thread.gmane.org/gmane.comp.emulators.xen.devel/140440/focus=140441
 http://thread.gmane.org/gmane.linux.kernel/1924087/focus=1924088
Notes:
 bwh> Upstream fix is not clearly correct; see discussions in the references.
 jmm> I've gotten in touch with the subsystems maintainers; the patch breaks
 jmm> qemu (as used by xen). While this was fixed upstream in qemu, the patch
 jmm> hasn't been merged yet since it would break with older versions of qemu
 jmm> I'm trying to find out which version is fine, so maybe we can carry that
 jmm> the xsa120-addendum.patch as a Debian-specific patch it's merged at some
 jmm> point
 carnil> qemu fix is in
 carnil> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2e87512eccf3c5e40f3142ff5a763f4f850839f4
 carnil> which is at least in qemu v2.5.0-rc0 onwards.
 bwh> The kernel fix will be applied to 4.9, so we will need to add a
 bwh> Breaks against old qemu and revert the fix for the jessie backport.
Bugs:
upstream: released (5.1-rc1) [7681f31ec9cdacab4fd10570be924f2cef6669ba]
4.19-upstream-stable: released (4.19.48) [99dcf4a4dd2e102aa843ef2cf9ab65c89e9d56df]
4.9-upstream-stable: released (4.9.181) [19474aa3d81ad5ae8692f7a45ff8ea12fbfd7ede]
3.16-upstream-stable: ignored "breaks qemu versions likely to be used with this kernel version"
3.2-upstream-stable: ignored "EOL"
sid: released (4.19.37-1) [bugfix/all/xen-pciback-Don-t-disable-PCI_COMMAND-on-PCI-device-.patch]
4.19-buster-security: N/A "Fixed before branching point"
4.9-stretch-security: released (4.9.168-1+deb9u5) [bugfix/all/xen-pciback-don-t-disable-pci_command-on-pci-device-.patch]
3.16-jessie-security: ignored "breaks qemu as used in jessie"
3.2-wheezy-security: ignored "breaks qemu as used in jessie"