debian-installer-netboot-images (20210731) unstable; urgency=medium

  * Update for D-I Bullseye RC 3.

linux (5.10.46-4) unstable; urgency=medium

  * bpf: Introduce BPF nospec instruction for mitigating Spectre v4
    (CVE-2021-34556, CVE-2021-35477)
  * bpf: Fix leakage due to insufficient speculative store bypass mitigation
    (CVE-2021-34556, CVE-2021-35477)
  * bpf: Remove superfluous aux sanitation on subprog rejection
  * Ignore ABI changes for bpf_offload_dev_create and bpf_verifier_log_write
  * bpf: Add kconfig knob for disabling unpriv bpf by default
  * init: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)
  * linux-image: Add NEWS entry documenting that unprivileged calls to bpf()
    are disabled by default in Debian.
  * bpf: verifier: Allocate idmap scratch in verifier env
  * bpf: Fix pointer arithmetic mask tightening under state pruning

wpewebkit (2.32.3-2) unstable; urgency=high

  * disable-external-audio-rendering.patch:
    + Build without USE_WPEBACKEND_FDO_AUDIO_EXTENSION so the binary works
      with the wpebackend-fdo version in bullseye (see #991555).

wpewebkit (2.32.3-1) unstable; urgency=high

  * New upstream release.
  * The WPE WebKit security advisory WSA-2021-0004 lists the following
    security fixes in the latest versions of WPE WebKit:
    + CVE-2021-30666, CVE-2021-30761 (fixed in 2.26.0).
    + CVE-2021-30762 (fixed in 2.28.0).
    + CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826,
      CVE-2021-30661 (fixed in 2.30.0).
    + CVE-2021-21806 (fixed in 2.30.6).
    + CVE-2021-30682 (fixed in 2.32.0).
    + CVE-2021-30758 (fixed in 2.32.2).
    + CVE-2021-21775, CVE-2021-21779, CVE-2021-30663, CVE-2021-30665,
      CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744,
      CVE-2021-30749, CVE-2021-30795, CVE-2021-30797, CVE-2021-30799
      (fixed in 2.32.3).

wpewebkit (2.32.2-1) unstable; urgency=medium

  * New upstream release.

xen (4.14.2+25-gb6a8c4f72d-2) unstable; urgency=medium

  * Add README.Debian.security containing a note about the end of upstream
    security support for Xen 4.14. Install it into xen-hypervisor-common.

xen (4.14.2+25-gb6a8c4f72d-1) unstable; urgency=medium

  * Update to new upstream version 4.14.2+25-gb6a8c4f72d, which also contains
    security fixes for the following issues:
    - HVM soft-reset crashes toolstack
      XSA-368 CVE-2021-28687
    - xen/arm: Boot modules are not scrubbed
      XSA-372 CVE-2021-28693
    - inappropriate x86 IOMMU timeout detection / handling
      XSA-373 CVE-2021-28692
    - Speculative Code Store Bypass
      XSA-375 CVE-2021-0089 CVE-2021-26313
    - x86: TSX Async Abort protections not restored after S3
      XSA-377 CVE-2021-28690
  * Note that the following XSA are not listed, because...
    - XSA-370 does not contain code changes.
    - XSA-365, XSA-367, XSA-369, XSA-371 and XSA-374 have patches for the
      Linux kernel.
    - XSA-366 only applies to Xen 4.11.