-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 28 Jun 2026 08:33:17 +0300 Source: qemu Architecture: source Version: 1:10.0.11+ds-0+deb13u1 Distribution: trixie Urgency: medium Maintainer: Debian QEMU Team Changed-By: Michael Tokarev Closes: 1139923 Changes: qemu (1:10.0.11+ds-0+deb13u1) trixie; urgency=medium . * new upstream stable/bugfix release: - Update version for 10.0.11 release - linux-user: Fix AT_PHDR when program headers are relocated into their own segment - hw/pci: Replace assert with bounds check and return - ppc/pnv_phb3: Error out on invalid config access - linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn - linux-user/xtensa: save/restore FP registers across signal delivery - target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status - ui/sdl2: Set GL ES profile before creating initial GL context - hw/9pfs: reject . and .. in Twstat rename - hw/9pfs: fix abort due to illegal name with Twstat rename - gdbstub: Update x86 control register bits - target/i386: apply mod to immediate count of an RCL/RCR operation - hw/uefi: fix parse_hexstr (Closes: CVE-2026-48915) - target/riscv: mask vxrm csrw write to the low 2 bits - disas/riscv.c: fix inst_length() - target/riscv/cpu_helper.c: add PMA access fault - target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val - target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers - disas/riscv.c: add 'cbo' insns to disassembler - target/riscv/csr.c: fix mstatus.UXL reserved value - target/riscv/csr.c: do not allow mstatus MPV/GVA writes - target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault - virtio: Allow to fill a whole virtqueue in order - libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() (Closes: CVE-2026-6425) - libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() (Closes: CVE-2026-6425) - tests/qtest: Add amd-iommu command buffer head wrap test - amd_iommu: Update command buffer head ptr in MMIO region after wraparound - amd_iommu: restrict command buffer head/tail ranges to ring size - linux-user: add preadv2/preadv2 - system/rtc: Fix a possible year-2038 integer overflow problem - linux-user/strace: add fsmount series of syscalls - linux-user: implement fsmount(2) series of syscalls - fpu: Handle all rounding modes in partsN_uncanon_normal - hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet - qed: Don't try to flush during incoming migration - qcow2: Fix data loss on zero write with detect-zeroes=unmap - iotests/046: Test that discard/write_zeroes wait for dependencies - qcow2: Fix corruption on discard during write with COW - qemu-io: Add 'aio_discard' command - virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check (Closes: #1139923, CVE-2026-48914) - block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment - s390x/pci: Fix interrupt forwarding disable for interpreted devices - target/s390x: Make container ids in SysIB_15x 1-based - tests/unit: add test-envlist covering setenv/unsetenv name matching - util/envlist: fix prefix-match in envlist_unsetenv() name lookup - 9pfs: fix missing rename lock in v9fs_co_readdir_many (Closes: CVE-2026-48004) - tests/9pfs: add deep absolute path test - tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset - hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors - hw/9pfs: add error handling to v9fs_fix_path() - hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type - hw/9pfs: add NULL check in v9fs_path_is_ancestor() - hw/9pfs: move G_GNUC_PRINTF to header - linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn - linux-user/sh4: restore FP rounding mode on sigreturn - linux-user/sh4: preserve T/M/Q bits across signal delivery - linux-user/mips: save/restore FCSR across signal delivery - linux-user/ppc: restore fp_status from FPSCR on sigreturn - hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match() - hw/net/rocker_of_dpa: Check group ID pointers are not NULL - target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault - target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1 - target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs - target/arm: SVE2 FMAXP, FMINP must honour AH=1 - block/linux-aio: bound ioq_submit() recursion depth - mc146818rtc: Fix get_guest_rtc_ns() overflow bug - apic: fix delivery bitmask with modified xAPIC ids - lsi53c895a: clear tag byte when processing messages - lsi53c895a: fix use-after-free of cancelled request - ui: fix validation of VNC extended clipboard data length (Closes: CVE-2026-8343) - ui/vnc: fix OOB read updating VNC update frequency stats (Closes: CVE-2026-48003) - ui/vnc: fix OOB write in lossy rect worker code (Closes: CVE-2026-48002) - ui/vnc: fix OOB write in VNC stats array (Closes: CVE-2026-48002) - ui/vnc: fix OOB read access in VNC SASL mechname array - target/riscv: clear mseccfg on reset for all dependent extensions - target/riscv: Update the local interrupt mask - target/riscv: Add mseccfg to VMStateDescription - target/riscv: Save stimer and vstimer in CPU vmstate - target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation - target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL - hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen - hw/char: sifive_uart: Avoid infinite delay of async xmit function - target/riscv: Allow mseccfg access based on ext_zicfilp - hw/riscv/riscv-iommu: Fix Svnapot 64KB pages - target/riscv: Update MISA.X for non-standard extensions - target/riscv: Update MISA.C for Zc* extensions Checksums-Sha1: 38ca31bb05597a02cd3031d078264e4783a8fc98 12560 qemu_10.0.11+ds-0+deb13u1.dsc fb72faaf7c72f6536b6076364fae4a17caf749e7 39991080 qemu_10.0.11+ds.orig.tar.xz ddfac3e08bd6ff9d19f2daf9bf6c6309c4b23f09 149948 qemu_10.0.11+ds-0+deb13u1.debian.tar.xz 3033d764ee9479201fceaea6aafa49501679cfd2 8302 qemu_10.0.11+ds-0+deb13u1_source.buildinfo Checksums-Sha256: 14280e750f809249fe41068b7767c8631f5ee636ece6a50df80c9918d7536581 12560 qemu_10.0.11+ds-0+deb13u1.dsc c6fbe5322b2b76bbbef583d1d86d0fca433b3a33776cf38ddcb619cb044b61e6 39991080 qemu_10.0.11+ds.orig.tar.xz 695ea56cafcce0c4246662436c359f11c2d4cbb1395157005e4b925d57abafb1 149948 qemu_10.0.11+ds-0+deb13u1.debian.tar.xz 6efe5c3cc306c53b70ea1576e34298a3a1b63b0cd5a7544bc89a27836f0f4c13 8302 qemu_10.0.11+ds-0+deb13u1_source.buildinfo Files: ee922ee42e802569ecd30a5d2d7be413 12560 otherosfs optional qemu_10.0.11+ds-0+deb13u1.dsc 9b6e147e73aa8e2dcce9cee9c018fe2f 39991080 otherosfs optional qemu_10.0.11+ds.orig.tar.xz 872d86d9dca9c0ec42c5717906a9b2ef 149948 otherosfs optional qemu_10.0.11+ds-0+deb13u1.debian.tar.xz 39de11669ad5dba3ba782bd3056dd159 8302 otherosfs optional qemu_10.0.11+ds-0+deb13u1_source.buildinfo -----BEGIN PGP SIGNATURE----- wsG7BAEBCgBvBYJqQLJLCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmfKnbv4RG9fZUs9bxxjrc1PjpkbBrE2e1KA58lf2alF 4RYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AABJlBAAw5FRedfPYR/mV8Qj9qfq2GHs YFoHHnvsu9ns8A2UwgAs7Nnk/ChZgZAmL98JQ3BX/B0mRPzr+ba6ZEBDTVywwQ6p zDBaL9CysZESNKkhQem9pE6wDuM0FNho6KhDHQOC4IJk9BOfv4BpHTOGz0t0b/xn MebQ9CXszuJnOXz1lCwPFP07LMnKLoW6aIXB+ETK5/q3h/EVsM+kVeZXh1RXURwJ jemPeFFgLIrm91CD5qTWoE7h3gAQ4J88xHss4bemmo/VtWwCvHnbZpwFVDZIWHSE pPw/7zH3Rs7+QxV5TN+A/TdeCfjx8n6Ky0GOK2K2R3tSSS+4pQR0cdyjxsBm8tmH TltyMRrmYVt3HO/+aMspZijtBlZWMqFrA7Y2z9kITrx+18W7SOoc5KstsNkKXR1Y cYrHfm65yxvDIII433FrD56/tpkuDRbceTyWd1/7k53Yjh9BaW6QQ4CDNAuh9Vsk AhZX98fQ253oh6GTzFbaLmCq5NACT6hVY133/XV8sfJt+ImqdxPuHO5nq/ZmSGT7 Q4fkrtJypq0hz7OkPLrDIMOs6hX9ZC8YWEoX3LmjXAfdhInkUhN/HTxilH7ql19N G5nLypGH/XZet3jjSAwWjuHli9SgQNzTJeYIURT9x97wB4UTdYDxyr5yup5IAYbj OUSSYpqG24lQah9oEB4= =qOon -----END PGP SIGNATURE-----