diff --git a/0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch b/0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
deleted file mode 100644
index 7583f74..0000000
--- a/0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a2c118bfab8bc6b8bb213abfc35201e441693d55 Mon Sep 17 00:00:00 2001
-From: Andy Honig
-Date: Wed, 20 Feb 2013 14:49:16 -0800
-Subject: [PATCH] KVM: Fix bounds checking in ioapic indirect register reads
- (CVE-2013-1798)
-
-If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows
-that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate
-that request. ioapic_read_indirect contains an
-ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
-non-debug builds. In recent kernels this allows a guest to cause a kernel
-oops by reading invalid memory. In older kernels (pre-3.3) this allows a
-guest to read from large ranges of host memory.
-
-Tested: tested against apic unit tests.
-
-Signed-off-by: Andrew Honig
-Signed-off-by: Marcelo Tosatti
----
- virt/kvm/ioapic.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
-index ce82b94..5ba005c 100644
---- a/virt/kvm/ioapic.c
-+++ b/virt/kvm/ioapic.c
-@@ -74,9 +74,12 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
- u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
- u64 redir_content;
-
-- ASSERT(redir_index < IOAPIC_NUM_PINS);
-+ if (redir_index < IOAPIC_NUM_PINS)
-+ redir_content =
-+ ioapic->redirtbl[redir_index].bits;
-+ else
-+ redir_content = ~0ULL;
-
-- redir_content = ioapic->redirtbl[redir_index].bits;
- result = (ioapic->ioregsel & 0x1) ?
- (redir_content >> 32) & 0xffffffff :
- redir_content & 0xffffffff;
---
-1.8.1.4
-
diff --git a/0002-KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch b/0002-KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
deleted file mode 100644
index a4516e4..0000000
--- a/0002-KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c300aa64ddf57d9c5d9c898a64b36877345dd4a9 Mon Sep 17 00:00:00 2001
-From: Andy Honig
-Date: Mon, 11 Mar 2013 09:34:52 -0700
-Subject: [PATCH 2/3] KVM: x86: fix for buffer overflow in handling of
- MSR_KVM_SYSTEM_TIME (CVE-2013-1796)
-
-If the guest sets the GPA of the time_page so that the request to update the
-time straddles a page then KVM will write onto an incorrect page. The
-write is done byusing kmap atomic to get a pointer to the page for the time
-structure and then performing a memcpy to that page starting at an offset
-that the guest controls. Well behaved guests always provide a 32-byte aligned
-address, however a malicious guest could use this to corrupt host kernel
-memory.
-
-Tested: Tested against kvmclock unit test.
-
-Signed-off-by: Andrew Honig
-Signed-off-by: Marcelo Tosatti
----
- arch/x86/kvm/x86.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index f7c850b..2ade60c 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -1959,6 +1959,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
- /* ...but clean it before doing the actual write */
- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
-
-+ /* Check that the address is 32-byte aligned. */
-+ if (vcpu->arch.time_offset &
-+ (sizeof(struct pvclock_vcpu_time_info) - 1))
-+ break;
-+
- vcpu->arch.time_page =
- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
-
---
-1.8.1.4
-
diff --git a/0003-KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch b/0003-KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
deleted file mode 100644
index 7a2fe65..0000000
--- a/0003-KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
+++ /dev/null
@@ -1,163 +0,0 @@ -From 0b79459b482e85cb7426aa7da683a9f2c97aeae1 Mon Sep 17 00:00:00 2001 -From: Andy Honig -Date: Wed, 20 Feb 2013 14:48:10 -0800 -Subject: [PATCH 3/3] KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use - gfn_to_hva_cache functions (CVE-2013-1797) - -There is a potential use after free issue with the handling of -MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable -memory such as frame buffers then KVM might continue to write to that -address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins -the page in memory so it's unlikely to cause an issue, but if the user -space component re-purposes the memory previously used for the guest, then -the guest will be able to corrupt that memory. - -Tested: Tested against kvmclock unit test - -Signed-off-by: Andrew Honig -Signed-off-by: Marcelo Tosatti ---- - arch/x86/include/asm/kvm_host.h | 4 ++-- - arch/x86/kvm/x86.c | 47 ++++++++++++++++++----------------------- - 2 files changed, 22 insertions(+), 29 deletions(-) - -diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h -index 635a74d..4979778 100644 ---- a/arch/x86/include/asm/kvm_host.h -+++ b/arch/x86/include/asm/kvm_host.h -@@ -414,8 +414,8 @@ struct kvm_vcpu_arch { - gpa_t time; - struct pvclock_vcpu_time_info hv_clock; - unsigned int hw_tsc_khz; -- unsigned int time_offset; -- struct page *time_page; -+ struct gfn_to_hva_cache pv_time; -+ bool pv_time_enabled; - /* set guest stopped flag in pvclock flags field */ - bool pvclock_set_guest_stopped_request; - -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 2ade60c..f19ac0a 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1406,10 +1406,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - unsigned long flags, this_tsc_khz; - struct kvm_vcpu_arch *vcpu = &v->arch; - struct kvm_arch *ka = &v->kvm->arch; -- void *shared_kaddr; - s64 kernel_ns, max_kernel_ns; - u64 tsc_timestamp, host_tsc; -- struct 
pvclock_vcpu_time_info *guest_hv_clock; -+ struct pvclock_vcpu_time_info guest_hv_clock; - u8 pvclock_flags; - bool use_master_clock; - -@@ -1463,7 +1462,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - - local_irq_restore(flags); - -- if (!vcpu->time_page) -+ if (!vcpu->pv_time_enabled) - return 0; - - /* -@@ -1525,12 +1524,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - */ - vcpu->hv_clock.version += 2; - -- shared_kaddr = kmap_atomic(vcpu->time_page); -- -- guest_hv_clock = shared_kaddr + vcpu->time_offset; -+ if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time, -+ &guest_hv_clock, sizeof(guest_hv_clock)))) -+ return 0; - - /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */ -- pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED); -+ pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED); - - if (vcpu->pvclock_set_guest_stopped_request) { - pvclock_flags |= PVCLOCK_GUEST_STOPPED; -@@ -1543,12 +1542,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) - - vcpu->hv_clock.flags = pvclock_flags; - -- memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock, -- sizeof(vcpu->hv_clock)); -- -- kunmap_atomic(shared_kaddr); -- -- mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT); -+ kvm_write_guest_cached(v->kvm, &vcpu->pv_time, -+ &vcpu->hv_clock, -+ sizeof(vcpu->hv_clock)); - return 0; - } - -@@ -1837,10 +1833,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data) - - static void kvmclock_reset(struct kvm_vcpu *vcpu) - { -- if (vcpu->arch.time_page) { -- kvm_release_page_dirty(vcpu->arch.time_page); -- vcpu->arch.time_page = NULL; -- } -+ vcpu->arch.pv_time_enabled = false; - } - - static void accumulate_steal_time(struct kvm_vcpu *vcpu) -@@ -1947,6 +1940,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - break; - case MSR_KVM_SYSTEM_TIME_NEW: - case MSR_KVM_SYSTEM_TIME: { -+ u64 gpa_offset; - kvmclock_reset(vcpu); - - vcpu->arch.time = data; -@@ -1956,19 +1950,17 @@ 
int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) - if (!(data & 1)) - break; - -- /* ...but clean it before doing the actual write */ -- vcpu->arch.time_offset = data & ~(PAGE_MASK | 1); -+ gpa_offset = data & ~(PAGE_MASK | 1); - - /* Check that the address is 32-byte aligned. */ -- if (vcpu->arch.time_offset & -- (sizeof(struct pvclock_vcpu_time_info) - 1)) -+ if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1)) - break; - -- vcpu->arch.time_page = -- gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT); -- -- if (is_error_page(vcpu->arch.time_page)) -- vcpu->arch.time_page = NULL; -+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, -+ &vcpu->arch.pv_time, data & ~1ULL)) -+ vcpu->arch.pv_time_enabled = false; -+ else -+ vcpu->arch.pv_time_enabled = true; - - break; - } -@@ -2972,7 +2964,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu, - */ - static int kvm_set_guest_paused(struct kvm_vcpu *vcpu) - { -- if (!vcpu->arch.time_page) -+ if (!vcpu->arch.pv_time_enabled) - return -EINVAL; - vcpu->arch.pvclock_set_guest_stopped_request = true; - kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu); -@@ -6723,6 +6715,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu) - goto fail_free_wbinvd_dirty_mask; - - vcpu->arch.ia32_tsc_adjust_msr = 0x0; -+ vcpu->arch.pv_time_enabled = false; - kvm_async_pf_hash_reset(vcpu); - kvm_pmu_init(vcpu); - --- -1.8.1.4 - diff --git a/crypto-algif-suppress-sending-source-address-informa.patch b/crypto-algif-suppress-sending-source-address-informa.patch deleted file mode 100644 index 3484c25..0000000 --- a/crypto-algif-suppress-sending-source-address-informa.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 72a763d805a48ac8c0bf48fdb510e84c12de51fe Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Sun, 7 Apr 2013 14:05:39 +0200 -Subject: [PATCH] crypto: algif - suppress sending source address information - in recvmsg - -The current code does not set the msg_namelen member to 0 and therefore -makes net/socket.c leak the local sockaddr_storage variable to userland --- 128 bytes of kernel stack memory. Fix that. - -Cc: # 2.6.38 -Signed-off-by: Mathias Krause -Signed-off-by: Herbert Xu ---- - crypto/algif_hash.c | 2 ++ - crypto/algif_skcipher.c | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index ef5356c..0262210 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, - else if (len < ds) - msg->msg_flags |= MSG_TRUNC; - -+ msg->msg_namelen = 0; -+ - lock_sock(sk); - if (ctx->more) { - ctx->more = 0; -diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c -index 6a6dfc0..a1c4f0a 100644 ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, - long copied = 0; - - lock_sock(sk); -+ msg->msg_namelen = 0; - for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; - iovlen--, iov++) { - unsigned long seglen = iov->iov_len; --- -1.8.1.4 - diff --git a/kernel.spec b/kernel.spec index 23c6373..4f228b2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 102 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching 
@@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -756,15 +756,6 @@ Patch25000: amd64_edac_fix_rank_count.patch #rhbz 921500 Patch25001: i7300_edac_single_mode_fixup.patch -#CVE-2013-1798 rhbz 917017 923968 -Patch25003: 0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch - -#CVE-2013-1796 rhbz 917012 923966 -Patch25004: 0002-KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch - -#CVE-2013-1797 rhbz 917013 923967 -Patch25005: 0003-KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch - #rhbz 920218 Patch25006: mac80211-Dont-restart-sta-timer-if-not-running.patch @@ -780,9 +771,6 @@ Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch -#rhbz 947539 -Patch25013: md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch - #CVE-2013-3222 rhbz 955216 955228 Patch25014: atm-update-msg_namelen-in-vcc_recvmsg.patch @@ -798,9 +786,6 @@ Patch25017: Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch #CVE-2013-3223 rhbz 955662 955666 Patch25018: ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch -#CVE-2013-3076 956162 956168 -Patch25019: crypto-algif-suppress-sending-source-address-informa.patch - #CVE-2013-3234 956135 956139 Patch25020: rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch 
@@ -1534,15 +1519,6 @@ ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.8.patch #rhbz 859282 ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch -#CVE-2013-1798 rhbz 917017 923968 -ApplyPatch 0001-KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch - -#CVE-2013-1796 rhbz 917012 923966 -ApplyPatch 0002-KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch - -#CVE-2013-1797 rhbz 917013 923967 -ApplyPatch 0003-KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch - #rhbz 920218 ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch @@ -1557,9 +1533,6 @@ ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch -#rhbz 947539 -ApplyPatch md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch - #CVE-2013-3222 rhbz 955216 955228 ApplyPatch atm-update-msg_namelen-in-vcc_recvmsg.patch @@ -1575,9 +1548,6 @@ ApplyPatch Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch #CVE-2013-3223 rhbz 955662 955666 ApplyPatch ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch -#CVE-2013-3076 956162 956168 -ApplyPatch crypto-algif-suppress-sending-source-address-informa.patch - #CVE-2013-3234 956135 956139 ApplyPatch rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch @@ -2452,6 +2422,9 @@ fi # '-' | | # '-' %changelog +* Mon Apr 29 2013 Justin M. Forbes - 3.8.10-100 +- Linux v3.8.10 + * Wed Apr 24 2013 Josh Boyer - 3.8.8-102 - CVE-2013-3228 irda: missing msg_namelen update in irda_recvmsg_dgram (rhbz 956069 956071) - CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089) diff --git a/md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch b/md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch deleted file mode 100644 index d9d66e2..0000000 --- a/md-raid1-10-Handle-REQ_WRITE_SAME-flag-in-write-bios.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From c8dc9c654794a765ca61baed07f84ed8aaa7ca8c Mon Sep 17 00:00:00 2001 -From: Joe Lawrence -Date: Thu, 21 Feb 2013 13:28:09 +1100 -Subject: [PATCH] md: raid1,10: Handle REQ_WRITE_SAME flag in write bios - -Set mddev queue's max_write_same_sectors to its chunk_sector value (before -disk_stack_limits merges the underlying disk limits.) With that in place, -be sure to handle writes coming down from the block layer that have the -REQ_WRITE_SAME flag set. That flag needs to be copied into any newly cloned -write bio. - -Signed-off-by: Joe Lawrence -Acked-by: "Martin K. Petersen" -Signed-off-by: NeilBrown ---- - drivers/md/raid1.c | 7 ++++++- - drivers/md/raid10.c | 9 +++++++-- - 2 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index d5bddfc..6e5d5a5 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -1000,6 +1000,7 @@ static void make_request(struct mddev *mddev, struct bio * bio) - const unsigned long do_flush_fua = (bio->bi_rw & (REQ_FLUSH | REQ_FUA)); - const unsigned long do_discard = (bio->bi_rw - & (REQ_DISCARD | REQ_SECURE)); -+ const unsigned long do_same = (bio->bi_rw & REQ_WRITE_SAME); - struct md_rdev *blocked_rdev; - struct blk_plug_cb *cb; - struct raid1_plug_cb *plug = NULL; -@@ -1301,7 +1302,8 @@ read_again: - conf->mirrors[i].rdev->data_offset); - mbio->bi_bdev = conf->mirrors[i].rdev->bdev; - mbio->bi_end_io = raid1_end_write_request; -- mbio->bi_rw = WRITE | do_flush_fua | do_sync | do_discard; -+ mbio->bi_rw = -+ WRITE | do_flush_fua | do_sync | do_discard | do_same; - mbio->bi_private = r1_bio; - - atomic_inc(&r1_bio->remaining); -@@ -2818,6 +2820,9 @@ static int run(struct mddev *mddev) - if (IS_ERR(conf)) - return PTR_ERR(conf); - -+ if (mddev->queue) -+ blk_queue_max_write_same_sectors(mddev->queue, -+ mddev->chunk_sectors); - rdev_for_each(rdev, mddev) { - if (!mddev->gendisk) - continue; -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 
64d4824..1a74c12 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1105,6 +1105,7 @@ static void make_request(struct mddev *mddev, struct bio * bio) - const unsigned long do_fua = (bio->bi_rw & REQ_FUA); - const unsigned long do_discard = (bio->bi_rw - & (REQ_DISCARD | REQ_SECURE)); -+ const unsigned long do_same = (bio->bi_rw & REQ_WRITE_SAME); - unsigned long flags; - struct md_rdev *blocked_rdev; - struct blk_plug_cb *cb; -@@ -1460,7 +1461,8 @@ retry_write: - rdev)); - mbio->bi_bdev = rdev->bdev; - mbio->bi_end_io = raid10_end_write_request; -- mbio->bi_rw = WRITE | do_sync | do_fua | do_discard; -+ mbio->bi_rw = -+ WRITE | do_sync | do_fua | do_discard | do_same; - mbio->bi_private = r10_bio; - - atomic_inc(&r10_bio->remaining); -@@ -1502,7 +1504,8 @@ retry_write: - r10_bio, rdev)); - mbio->bi_bdev = rdev->bdev; - mbio->bi_end_io = raid10_end_write_request; -- mbio->bi_rw = WRITE | do_sync | do_fua | do_discard; -+ mbio->bi_rw = -+ WRITE | do_sync | do_fua | do_discard | do_same; - mbio->bi_private = r10_bio; - - atomic_inc(&r10_bio->remaining); -@@ -3569,6 +3572,8 @@ static int run(struct mddev *mddev) - if (mddev->queue) { - blk_queue_max_discard_sectors(mddev->queue, - mddev->chunk_sectors); -+ blk_queue_max_write_same_sectors(mddev->queue, -+ mddev->chunk_sectors); - blk_queue_io_min(mddev->queue, chunk_size); - if (conf->geo.raid_disks % conf->geo.near_copies) - blk_queue_io_opt(mddev->queue, chunk_size * conf->geo.raid_disks); --- -1.8.1.4 - diff --git a/sources b/sources index 7c8f0e1..9ca28ef 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -08cdcef928c2ca402adf1c444a3c43ac patch-3.8.8.xz +973bc1c68bb5f082a66d20c94193d4ee patch-3.8.10.xz