diff -Nru qemu-2.0.0+dfsg/debian/changelog qemu-2.0.0+dfsg/debian/changelog
--- qemu-2.0.0+dfsg/debian/changelog 2019-03-22 21:08:44.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/changelog 2019-05-09 07:01:32.000000000 +0000
@@ -1,3 +1,24 @@
+qemu (2.0.0+dfsg-2ubuntu1.46) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Add support for exposing md-clear functionality
+ to guests
+ - d/p/ubuntu/enable-md-clear.patch
+ - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ * SECURITY UPDATE: heap overflow when loading device tree blob
+ - d/p/ubuntu/CVE-2018-20815.patch: specify how large the buffer to
+ copy the device tree blob into is.
+ - d/p/ubuntu/CVE-2018-20815-prereq-1.patch: Add load_image_size()
+ to replace load_image()
+ - d/p/ubuntu/CVE-2018-20815-prereq-2.patch: Read as long as possible
+ in load_image_size()
+ - CVE-2018-20815
+ * SECURITY UPDATE: information leak in SLiRP
+ - d/p/ubuntu/CVE-2019-9824.patch: check sscanf result when
+ emulating ident.
+ - CVE-2019-9824
+
+ -- Steve Beattie Wed, 08 May 2019 23:59:48 -0700
+
+
 qemu (2.0.0+dfsg-2ubuntu1.45) trusty-security; urgency=medium
 * SECURITY UPDATE: race during file renaming in v9fs_wstat
diff -Nru qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815.patch qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815.patch
--- qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815.patch 2019-05-09 06:59:11.000000000 +0000
@@ -0,0 +1,35 @@
+From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
+From: Peter Maydell
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell
+Reviewed-by: Richard Henderson
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Michael S. Tsirkin
+Reviewed-by: Eric Blake
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+
+CVE-2018-20815
+
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/device_tree.c
+===================================================================
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -90,7 +90,7 @@ void *load_device_tree(const char *filen
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+
+- dt_file_load_size = load_image(filename_path, fdt);
++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ printf("Unable to open device tree file '%s'\n",
+ filename_path);
diff -Nru qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-1.patch qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-1.patch
--- qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-1.patch 2019-05-09 06:59:27.000000000 +0000
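Review bot: In CVE-2018-20815.patch the new call `dt_file_load_size = load_image_size(filename_path, fdt, dt_size);` is checked only for a negative result, so a read that returns fewer bytes than `dt_size` is accepted and the tail of the `g_malloc0(dt_size)` buffer simply stays zeroed; whether that is caught later depends on the rest of load_device_tree, which starts and ends outside the hunk. Since the fix's safety rests on `dt_size` being both the allocation size and the read bound, that invariant deserves a comment at the call site, e.g. `/* bound the read by dt_size: fdt was allocated with exactly that many bytes (CVE-2018-20815) */`. The replacement prototype only exists once CVE-2018-20815-prereq-1.patch is applied, so debian/patches/series must keep both prereq patches ahead of this one, as the series hunk at the end of this diff does.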
@@ -0,0 +1,66 @@
+From ea87616d6c44d998affef3d3b9fdfc49d14b8150 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Mon, 21 Jul 2014 13:02:03 +1000
+Subject: [PATCH] loader: Add load_image_size() to replace load_image()
+
+A subsequent patch to ppc/spapr needs to load the RTAS blob into
+qemu memory rather than target memory (so it can later be copied
+into the right spot at machine reset time).
+
+I would use load_image() but it is marked deprecated because it
+doesn't take a buffer size as argument, so let's add load_image_size()
+that does.
+
+Signed-off-by: Benjamin Herrenschmidt
+[aik: fixed errors from checkpatch.pl]
+Signed-off-by: Alexey Kardashevskiy
+Signed-off-by: Alexander Graf
+---
+ hw/core/loader.c | 21 +++++++++++++++++++++
+ include/hw/loader.h | 1 +
+ 2 files changed, 22 insertions(+)
+
+Index: b/hw/core/loader.c
+===================================================================
+--- a/hw/core/loader.c
++++ b/hw/core/loader.c
+@@ -89,6 +89,27 @@ int load_image(const char *filename, uin
+ return size;
+ }
+
++/* return the size or -1 if error */
++ssize_t load_image_size(const char *filename, void *addr, size_t size)
++{
++ int fd;
++ ssize_t actsize;
++
++ fd = open(filename, O_RDONLY | O_BINARY);
++ if (fd < 0) {
++ return -1;
++ }
++
++ actsize = read(fd, addr, size);
++ if (actsize < 0) {
++ close(fd);
++ return -1;
++ }
++ close(fd);
++
++ return actsize;
++}
++
+ /* read()-like version */
+ ssize_t read_targphys(const char *name,
+ int fd, hwaddr dst_addr, size_t nbytes)
+Index: b/include/hw/loader.h
+===================================================================
+--- a/include/hw/loader.h
++++ b/include/hw/loader.h
+@@ -13,6 +13,7 @@
+ */
+ int get_image_size(const char *filename);
+ int load_image(const char *filename, uint8_t *addr); /* deprecated */
++ssize_t load_image_size(const char *filename, void *addr, size_t size);
+ int load_image_targphys(const char *filename, hwaddr,
+ uint64_t max_sz);
+
diff -Nru
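Review bot: The one-line comment `/* return the size or -1 if error */` on the new `load_image_size()` in CVE-2018-20815-prereq-1.patch understates the contract the CVE fix relies on: at most `size` bytes are written to `addr`, and the return value is the count actually read, which is silently less than the file length when the file is larger than `size`, so callers must compare the result with the size they expect rather than only testing for -1. The matching prototype added to include/hw/loader.h carries no comment at all. I would replace the comment with `/* Read at most @size bytes of @filename into @addr. Returns the number of bytes read (fewer than @size if the file is shorter; silently truncated if it is longer), or -1 if the file cannot be opened or read. */` and put a one-line version on the header declaration. The single unchecked-for-short-read `read()` here is reworked by CVE-2018-20815-prereq-2.patch in the same upload, so it is not re-raised.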
qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-2.patch qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-2.patch
--- qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/CVE-2018-20815-prereq-2.patch 2019-05-09 06:58:22.000000000 +0000
@@ -0,0 +1,52 @@
+From 1f40547f5ce0c135faa7d14f066b97002fd8c204 Mon Sep 17 00:00:00 2001
+From: Li Zhijian
+Date: Thu, 17 Jan 2019 20:49:02 +0800
+Subject: [PATCH] hw/core/loader.c: Read as long as possible in
+ load_image_size()
+
+Don't expect read(2) can always read as many as it's told.
+
+CC: Richard Henderson
+CC: Stefano Garzarella
+Signed-off-by: Li Zhijian
+Reviewed-by: Richard Henderson
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Paolo Bonzini
+---
+ hw/core/loader.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 3a000d576b..fe5cb24122 100644
+--- a/hw/core/loader.c
++++ b/hw/core/loader.c
+@@ -77,21 +77,20 @@ int64_t get_image_size(const char *filename)
+ ssize_t load_image_size(const char *filename, void *addr, size_t size)
+ {
+ int fd;
+- ssize_t actsize;
++ ssize_t actsize, l = 0;
+
+ fd = open(filename, O_RDONLY | O_BINARY);
+ if (fd < 0) {
+ return -1;
+ }
+
+- actsize = read(fd, addr, size);
+- if (actsize < 0) {
+- close(fd);
+- return -1;
++ while ((actsize = read(fd, addr + l, size - l)) > 0) {
++ l += actsize;
+ }
++
+ close(fd);
+
+- return actsize;
++ return actsize < 0 ? -1 : l;
+ }
+
+ /* read()-like version */
+--
+2.17.1
+
diff -Nru qemu-2.0.0+dfsg/debian/patches/CVE-2019-9824.patch qemu-2.0.0+dfsg/debian/patches/CVE-2019-9824.patch
--- qemu-2.0.0+dfsg/debian/patches/CVE-2019-9824.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/CVE-2019-9824.patch 2019-05-09 06:59:42.000000000 +0000
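Review bot: The read loop `while ((actsize = read(fd, addr + l, size - l)) > 0)` in CVE-2018-20815-prereq-2.patch treats any negative return as fatal, so a `read()` that is merely interrupted by a signal (-1 with errno EINTR) makes the whole load fail even though nothing was lost; a regular file rarely hits that, but this path is not restricted to regular files, and QEMU does install signal handlers (not visible here). The loop itself is the security invariant of this series: `l` only grows by what `read()` returned, `size - l` can never go below zero, and a request of zero bytes returns 0 and ends the loop, so `addr` is never written past `size` — that deserves a comment, e.g. `/* never writes more than @size bytes into @addr: each read() is bounded by size - l */`. A retry on EINTR, assuming errno.h is already in scope in loader.c, would look like the version below; `close(fd)` and the `actsize < 0 ? -1 : l` return stay as in the hunk. Note `addr + l` is arithmetic on a `void *`, a GCC/Clang extension the rest of the file presumably already relies on.
```c
    while ((actsize = read(fd, addr + l, size - l)) != 0) {
        if (actsize < 0) {
            if (errno == EINTR) {
                continue;   /* interrupted before any byte was copied: retry */
            }
            break;          /* real error: reported by the -1 return below */
        }
        l += actsize;
    }
    /* … unchanged: close(fd); return actsize < 0 ? -1 : l; … */
```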
@@ -0,0 +1,49 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault
+Reviewed-by: Philippe Mathieu-Daudé
+
+CVE-2019-9824
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 262a42d6c8..ef9d99c154 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+ }
+ }
++ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++ so_rcv->sb_datalen,
++ "%d,%d\r\n", n1, n2);
++ so_rcv->sb_rptr = so_rcv->sb_data;
++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+- so_rcv->sb_datalen,
+- "%d,%d\r\n", n1, n2);
+- so_rcv->sb_rptr = so_rcv->sb_data;
+- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+ m_free(m);
+ return 0;
+--
+2.17.1
+
diff -Nru qemu-2.0.0+dfsg/debian/patches/enable-md-clear.patch qemu-2.0.0+dfsg/debian/patches/enable-md-clear.patch
--- qemu-2.0.0+dfsg/debian/patches/enable-md-clear.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/enable-md-clear.patch 2019-04-29 22:44:32.000000000 +0000
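Review bot: The relocated `so_rcv->sb_cc = snprintf(so_rcv->sb_data, so_rcv->sb_datalen, "%d,%d\r\n", n1, n2);` in CVE-2019-9824.patch still stores the raw `snprintf` return, which is the length the reply would have had rather than the bytes actually written, so if `sb_datalen` were ever smaller than that, `sb_cc` would exceed the buffer and `sb_wptr = sb_data + sb_cc` would point past it. With this format the reply is two `%d` values plus three characters, so this is a defensive point rather than a reachable overrun, but clamping `sb_cc` to `sb_datalen - 1` (or treating a truncated reply as an error) before computing `sb_wptr` would make the bound explicit; the types of `sb_cc` and `sb_datalen` are not visible here. The failed-`sscanf` path now leaves the receive buffer untouched while still freeing `m` and returning 0, which is the intended fix for the uninitialised `n1`/`n2`; a comment on the closing brace, e.g. `/* malformed ident request: send no reply */`, would record that this is deliberate. tcp_emu begins and ends outside the hunk.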
@@ -0,0 +1,46 @@
+>From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 1 Mar 2019 21:40:52 +0100
+Subject: [qemu PATCH] target/i386: define md-clear bit
+
+md-clear is a new CPUID bit which is set when microcode provides the
+mechanism to invoke a flush of various exploitable CPU buffers by invoking
+the VERW instruction. Add the new feature, and pass it down to
+Hypervisor.framework guests.
+
+Signed-off-by: Paolo Bonzini
+
+[Backported to qemu 2.5 -- sbeattie]
+---
+ The last hunk is only needed for OS X, but anyway this is going
+ to be the patch that will be committed upstream.
+
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 1 +
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+Index: b/target/i386/cpu.c
+===================================================================
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -505,7 +505,7 @@ static FeatureWordInfo feature_word_info
+
+ static const char *cpuid_7_0_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
++ NULL, NULL, "md-clear", NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, "spec-ctrl", NULL, NULL, NULL, NULL, "ssbd",
+ };
+Index: b/target/i386/cpu.h
+===================================================================
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATUR
+ #define CPUID_7_0_EBX_RDSEED (1U << 18)
+ #define CPUID_7_0_EBX_ADX (1U << 19)
+ #define CPUID_7_0_EBX_SMAP (1U << 20)
++#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
+ #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
+
diff -Nru qemu-2.0.0+dfsg/debian/patches/series qemu-2.0.0+dfsg/debian/patches/series
--- qemu-2.0.0+dfsg/debian/patches/series 2019-03-22
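Review bot: `CPUID_7_0_EDX_MD_CLEAR` is added to target-i386/cpu.h but nothing else in enable-md-clear.patch uses it, and the only other change is the `"md-clear"` name at index 10 of `cpuid_7_0_edx_feature_name` (which does agree with the `(1U << 10)` define); no built-in CPU model is touched, so the feature presumably reaches a guest only through host-feature passthrough or an explicit `+md-clear` on the CPU model (how this 2.0 tree fills the table from the host is not visible here). That limitation belongs in the changelog entry, which currently says only "Add support for exposing md-clear functionality to guests", or as a comment on the define, e.g. `/* not set in any built-in CPU model; exposed via host passthrough or +md-clear */`. The patch header is also inconsistent with the tree it targets: `Index: b/target/i386/cpu.c` versus `--- a/target-i386/cpu.c`, a diffstat claiming 3 files for two hunks, a `[Backported to qemu 2.5 -- sbeattie]` tag in a 2.0 package, and an mbox-escaped `>From` first line; quilt applies from the `---`/`+++` lines so it still works, but the header should be tidied to match what was actually backported.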
21:08:33.000000000 +0000
+++ qemu-2.0.0+dfsg/debian/patches/series 2019-05-09 06:59:42.000000000 +0000
@@ -277,3 +277,8 @@
 CVE-2018-19364-2.patch
 CVE-2018-19489.patch
 CVE-2019-6778.patch
+enable-md-clear.patch
+CVE-2018-20815-prereq-1.patch
+CVE-2018-20815-prereq-2.patch
+CVE-2018-20815.patch
+CVE-2019-9824.patch