main/xen: add mitigations for XSA 326, 405, 406, 409-422
Upstream only do point releases every four to six months. XSA patches do not always apply cleanly to releases but should apply to the tip of a stable branch. Only bug and security fixes are committed to the staging branch and then, after passing rigorous tests in upstream CI, go into the stable branches and thus the stable branches should be considered safe.
Fetch and apply patches from upstream gitweb.