-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 08:33:17 +0300
Source: qemu
Architecture: source
Version: 1:10.0.11+ds-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1139923
Changes:
 qemu (1:10.0.11+ds-0+deb13u1) trixie; urgency=medium
 .
   * new upstream stable/bugfix release:
    - Update version for 10.0.11 release
    - linux-user: Fix AT_PHDR when program headers are relocated into their own segment
    - hw/pci: Replace assert with bounds check and return
    - ppc/pnv_phb3: Error out on invalid config access
    - linux-user/xtensa: fix unlock of uninitialized frame pointer on sigreturn
    - linux-user/xtensa: save/restore FP registers across signal delivery
    - target/xtensa: add cpu_set_fcr/fsr helpers to sync fp_status
    - ui/sdl2: Set GL ES profile before creating initial GL context
    - hw/9pfs: reject . and .. in Twstat rename
    - hw/9pfs: fix abort due to illegal name with Twstat rename
    - gdbstub: Update x86 control register bits
    - target/i386: apply mod to immediate count of an RCL/RCR operation
    - hw/uefi: fix parse_hexstr
      (Closes: CVE-2026-48915)
    - target/riscv: mask vxrm csrw write to the low 2 bits
    - disas/riscv.c: fix inst_length()
    - target/riscv/cpu_helper.c: add PMA access fault
    - target/riscv/cpu_helper.c: fault with reserved PTE.PBMT val
    - target/riscv/insn_trans/trans_rvzicbo.c.inc: save opcode before helpers
    - disas/riscv.c: add 'cbo' insns to disassembler
    - target/riscv/csr.c: fix mstatus.UXL reserved value
    - target/riscv/csr.c: do not allow mstatus MPV/GVA writes
    - target/riscv/cpu_helper.c: allow LOAD_ADDR_MIS promotion to AMO fault
    - virtio: Allow to fill a whole virtqueue in order
    - libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
      (Closes: CVE-2026-6425)
    - libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
      (Closes: CVE-2026-6425)
    - tests/qtest: Add amd-iommu command buffer head wrap test
    - amd_iommu: Update command buffer head ptr in MMIO region after wraparound
    - amd_iommu: restrict command buffer head/tail ranges to ring size
    - linux-user: add preadv2/preadv2
    - system/rtc: Fix a possible year-2038 integer overflow problem
    - linux-user/strace: add fsmount series of syscalls
    - linux-user: implement fsmount(2) series of syscalls
    - fpu: Handle all rounding modes in partsN_uncanon_normal
    - hw/usb/hcd-ohci: Clean up USBPacket before freeing ISO TD packet
    - qed: Don't try to flush during incoming migration
    - qcow2: Fix data loss on zero write with detect-zeroes=unmap
    - iotests/046: Test that discard/write_zeroes wait for dependencies
    - qcow2: Fix corruption on discard during write with COW
    - qemu-io: Add 'aio_discard' command
    - virtio-blk: add missing VIRTIO_BLK_T_SCSI_CMD size check
      (Closes: #1139923, CVE-2026-48914)
    - block/io: fallback to bounce buffer if BLKZEROOUT is not supported because of alignment
    - s390x/pci: Fix interrupt forwarding disable for interpreted devices
    - target/s390x: Make container ids in SysIB_15x 1-based
    - tests/unit: add test-envlist covering setenv/unsetenv name matching
    - util/envlist: fix prefix-match in envlist_unsetenv() name lookup
    - 9pfs: fix missing rename lock in v9fs_co_readdir_many
      (Closes: CVE-2026-48004)
    - tests/9pfs: add deep absolute path test
    - tests/qtest/libqos: add qvirtqueue_reset_pool() for descriptor pool reset
    - hw/9pfs: let callers of v9fs_path_sprintf() and v9fs_fix_path() handle errors
    - hw/9pfs: add error handling to v9fs_fix_path()
    - hw/9pfs: change V9fsPath.size to size_t and v9fs_path_sprintf() return type
    - hw/9pfs: add NULL check in v9fs_path_is_ancestor()
    - hw/9pfs: move G_GNUC_PRINTF to header
    - linux-user/s390x: restore fpu_status rounding mode from FPC on sigreturn
    - linux-user/sh4: restore FP rounding mode on sigreturn
    - linux-user/sh4: preserve T/M/Q bits across signal delivery
    - linux-user/mips: save/restore FCSR across signal delivery
    - linux-user/ppc: restore fp_status from FPSCR on sigreturn
    - hw/net/rocker_of_dpa: Avoid unaligned accesses in _of_dpa_flow_match()
    - hw/net/rocker_of_dpa: Check group ID pointers are not NULL
    - target/arm: Don't assert if 64-bit EL2 AT insn sees a Domain fault
    - target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1
    - target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs
    - target/arm: SVE2 FMAXP, FMINP must honour AH=1
    - block/linux-aio: bound ioq_submit() recursion depth
    - mc146818rtc: Fix get_guest_rtc_ns() overflow bug
    - apic: fix delivery bitmask with modified xAPIC ids
    - lsi53c895a: clear tag byte when processing messages
    - lsi53c895a: fix use-after-free of cancelled request
    - ui: fix validation of VNC extended clipboard data length
      (Closes: CVE-2026-8343)
    - ui/vnc: fix OOB read updating VNC update frequency stats
      (Closes: CVE-2026-48003)
    - ui/vnc: fix OOB write in lossy rect worker code
      (Closes: CVE-2026-48002)
    - ui/vnc: fix OOB write in VNC stats array
      (Closes: CVE-2026-48002)
    - ui/vnc: fix OOB read access in VNC SASL mechname array
    - target/riscv: clear mseccfg on reset for all dependent extensions
    - target/riscv: Update the local interrupt mask
    - target/riscv: Add mseccfg to VMStateDescription
    - target/riscv: Save stimer and vstimer in CPU vmstate
    - target/riscv/pmp: Fix integer overflow in TOR and NA4 address computation
    - target/riscv: Fix medeleg[11] read-only zero bit for M-mode ECALL
    - hw/char: sifive_uart: Implement txctrl.txen and rxctrl.rxen
    - hw/char: sifive_uart: Avoid infinite delay of async xmit function
    - target/riscv: Allow mseccfg access based on ext_zicfilp
    - hw/riscv/riscv-iommu: Fix Svnapot 64KB pages
    - target/riscv: Update MISA.X for non-standard extensions
    - target/riscv: Update MISA.C for Zc* extensions
Checksums-Sha1:
 38ca31bb05597a02cd3031d078264e4783a8fc98 12560 qemu_10.0.11+ds-0+deb13u1.dsc
 fb72faaf7c72f6536b6076364fae4a17caf749e7 39991080 qemu_10.0.11+ds.orig.tar.xz
 ddfac3e08bd6ff9d19f2daf9bf6c6309c4b23f09 149948 qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 3033d764ee9479201fceaea6aafa49501679cfd2 8302 qemu_10.0.11+ds-0+deb13u1_source.buildinfo
Checksums-Sha256:
 14280e750f809249fe41068b7767c8631f5ee636ece6a50df80c9918d7536581 12560 qemu_10.0.11+ds-0+deb13u1.dsc
 c6fbe5322b2b76bbbef583d1d86d0fca433b3a33776cf38ddcb619cb044b61e6 39991080 qemu_10.0.11+ds.orig.tar.xz
 695ea56cafcce0c4246662436c359f11c2d4cbb1395157005e4b925d57abafb1 149948 qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 6efe5c3cc306c53b70ea1576e34298a3a1b63b0cd5a7544bc89a27836f0f4c13 8302 qemu_10.0.11+ds-0+deb13u1_source.buildinfo
Files:
 ee922ee42e802569ecd30a5d2d7be413 12560 otherosfs optional qemu_10.0.11+ds-0+deb13u1.dsc
 9b6e147e73aa8e2dcce9cee9c018fe2f 39991080 otherosfs optional qemu_10.0.11+ds.orig.tar.xz
 872d86d9dca9c0ec42c5717906a9b2ef 149948 otherosfs optional qemu_10.0.11+ds-0+deb13u1.debian.tar.xz
 39de11669ad5dba3ba782bd3056dd159 8302 otherosfs optional qemu_10.0.11+ds-0+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqQLJLCRCCqkokOx6UeEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmfKnbv4RG9fZUs9bxxjrc1PjpkbBrE2e1KA58lf2alF
4RYhBGSqKrUx1WkDNmv++YKqSiQ7HpR4AABJlBAAw5FRedfPYR/mV8Qj9qfq2GHs
YFoHHnvsu9ns8A2UwgAs7Nnk/ChZgZAmL98JQ3BX/B0mRPzr+ba6ZEBDTVywwQ6p
zDBaL9CysZESNKkhQem9pE6wDuM0FNho6KhDHQOC4IJk9BOfv4BpHTOGz0t0b/xn
MebQ9CXszuJnOXz1lCwPFP07LMnKLoW6aIXB+ETK5/q3h/EVsM+kVeZXh1RXURwJ
jemPeFFgLIrm91CD5qTWoE7h3gAQ4J88xHss4bemmo/VtWwCvHnbZpwFVDZIWHSE
pPw/7zH3Rs7+QxV5TN+A/TdeCfjx8n6Ky0GOK2K2R3tSSS+4pQR0cdyjxsBm8tmH
TltyMRrmYVt3HO/+aMspZijtBlZWMqFrA7Y2z9kITrx+18W7SOoc5KstsNkKXR1Y
cYrHfm65yxvDIII433FrD56/tpkuDRbceTyWd1/7k53Yjh9BaW6QQ4CDNAuh9Vsk
AhZX98fQ253oh6GTzFbaLmCq5NACT6hVY133/XV8sfJt+ImqdxPuHO5nq/ZmSGT7
Q4fkrtJypq0hz7OkPLrDIMOs6hX9ZC8YWEoX3LmjXAfdhInkUhN/HTxilH7ql19N
G5nLypGH/XZet3jjSAwWjuHli9SgQNzTJeYIURT9x97wB4UTdYDxyr5yup5IAYbj
OUSSYpqG24lQah9oEB4=
=qOon
-----END PGP SIGNATURE-----
