Oracle Linux Security Advisory ELSA-2021-3447

https://linux.oracle.com/errata/ELSA-2021-3447.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-abi-stablelists-4.18.0-305.17.1.el8_4.noarch.rpm
kernel-core-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-cross-headers-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-debug-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-debug-core-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-debug-devel-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-debug-modules-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-debug-modules-extra-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-devel-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-doc-4.18.0-305.17.1.el8_4.noarch.rpm
kernel-headers-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-modules-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-modules-extra-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-tools-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-tools-libs-4.18.0-305.17.1.el8_4.x86_64.rpm
perf-4.18.0-305.17.1.el8_4.x86_64.rpm
python3-perf-4.18.0-305.17.1.el8_4.x86_64.rpm
kernel-tools-libs-devel-4.18.0-305.17.1.el8_4.x86_64.rpm

aarch64:
bpftool-4.18.0-305.17.1.el8_4.aarch64.rpm
kernel-headers-4.18.0-305.17.1.el8_4.aarch64.rpm
kernel-tools-4.18.0-305.17.1.el8_4.aarch64.rpm
kernel-tools-libs-4.18.0-305.17.1.el8_4.aarch64.rpm
perf-4.18.0-305.17.1.el8_4.aarch64.rpm
python3-perf-4.18.0-305.17.1.el8_4.aarch64.rpm
kernel-tools-libs-devel-4.18.0-305.17.1.el8_4.aarch64.rpm


SRPMS:
https://oss.oracle.com:443/ol8/SRPMS-updates/kernel-4.18.0-305.17.1.el8_4.src.rpm

Related CVEs:

CVE-2021-37576
CVE-2021-38201




Description of changes:

[4.18.0-305.17.1.el8_4.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5.el8

[4.18.0-305.17.1.el8_4]
- ucounts: Move max_time_namespace according to ucount_type (Alex Gladkov) [1998002 1982954]
- netfilter: conntrack: remove offload_pickup sysctl again (Florian Westphal) [1995555 1987101]
- netfilter: flowtable: Set offload timeouts according to proto values (Phil Sutter) [1995554 1979184]
- netfilter: conntrack: Introduce udp offload timeout configuration (Phil Sutter) [1995554 1979184]
- netfilter: conntrack: Introduce tcp offload timeout configuration (Phil Sutter) [1995554 1979184]
- powerpc/64s: Fix crashes when toggling stf barrier (Desnes A. Nunes do Rosario) [1989174 1964484]
- iavf: fix locking of critical sections (Stefan Assmann) [1997534 1975245]
- iavf: do not override the adapter state in the watchdog task (Stefan Assmann) [1997534 1975245]

[4.18.0-305.16.1.el8_4]
- kernfs: dont call d_splice_alias() under kernfs node lock (Ian Kent) [1994879 1939133]
- kernfs: use i_lock to protect concurrent inode updates (Ian Kent) [1994879 1939133]
- kernfs: switch kernfs to use an rwsem (Ian Kent) [1994879 1939133]
- kernfs: use VFS negative dentry caching (Ian Kent) [1994879 1939133]
- kernfs: add a revision to identify directory node changes (Ian Kent) [1994879 1939133]
- kernfs: move revalidate to be near lookup (Ian Kent) [1994879 1939133]
- scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (Jan Stancek) [1948608 1923762]
- net: sched: act_mirred: Reset ct info when mirror/redirect skb (C. Erastus Toe) [1992226 1980532]
- usb: ehci: Prevent missed ehci interrupts with edge-triggered MSI (Torez Smith) [1993894 1972139]
- usb: ehci: do not initialise static variables (Torez Smith) [1993894 1972139]
- usb: host: move EH SINGLE_STEP_SET_FEATURE implementation to core (Torez Smith) [1993894 1972139]
- USB: ehci: drop workaround for forced irq threading (Torez Smith) [1993894 1972139]
- usb: ehci: add spurious flag to disable overcurrent checking (Torez Smith) [1993894 1972139]
- NFS: Only change the cookie verifier if the directory page cache is empty (Benjamin Coddington) [1993895 1982825]
- NFS: Fix handling of cookie verifier in uncached_readdir() (Benjamin Coddington) [1993895 1982825]
- nfs: Subsequent READDIR calls should carry non-zero cookieverifier (Benjamin Coddington) [1993895 1982825]
- KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow (Jon Maloy) [1988225 1988226] {CVE-2021-37576}

[4.18.0-305.15.1.el8_4]
- sched: Fix data-race in wakeup (Phil Auld) [1987296 1937103]
- mm/page_alloc: bail out on fatal signal during reclaim/compaction retry attempt (Aaron Tomlin) [1984085 1919765]
- sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base() (Benjamin Coddington) [1990404 1969751]

[4.18.0-305.14.1.el8_4]
- tick/nohz: Kick only _queued_ task whose tick dependency is updated (Waiman Long) [1981336 1922901]
- tick/nohz: Change signal tick dependency to wake up CPUs of member tasks (Waiman Long) [1981336 1922901]
- tick/nohz: Only wake up a single target cpu when kicking a task (Waiman Long) [1981336 1922901]
- tick/nohz: Narrow down noise while setting current task's tick dependency (Waiman Long) [1981336 1922901]
- mlx5: net: zero-initialize tc skb extension on allocation (Jan Stancek) [1982220 1965418]
- scsi: qedf: Update the max_id value in host structure (Nilesh Javali) [1989097 1954876]
- scsi: qla2xxx: Reserve extra IRQ vectors (Nilesh Javali) [1986156 1964834]

[4.18.0-305.13.1.el8_4]
- xfrm: Fix wraparound in xfrm_policy_addr_delta() (Sabrina Dubroca) [1981840 1951965]
- VMCI: Release resource if the work is already queued (Cathy Avery) [1982042 1978518]


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata

Oracle8: ELSA-2021-3447: kernel Important Security Update

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

Summary

[4.18.0-305.17.1.el8_4.OL8] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 <= 15-11.0.5.el8 [4.18.0-305.17.1.el8_4] - ucounts: Move max_time_namespace according to ucount_type (Alex Gladkov) [1998002 1982954] - netfilter: conntrack: remove offload_pickup sysctl again (Florian Westphal) [1995555 1987101] - netfilter: flowtable: Set offload timeouts according to proto values (Phil Sutter) [1995554 1979184] - netfilter: conntrack: Introduce udp offload timeout configuration (Phil Sutter) [1995554 1979184] - netfilter: conntrack: Introduce tcp offload timeout configuration (Phil Sutter) [1995554 1979184] - powerpc/64s: Fix crashes when toggling stf barrier (Desnes A. Nunes do Rosario) [1989174 1964484] - iavf: fix locking of critical sections (Stefan Assmann) [1997534 1975245] - iavf: do not override the adapter state in the watchdog task (Stefan Assmann) [1997534 1975245] [4.18.0-305.16.1.el8_4] - kernfs: dont call d_splice_alias() under kernfs node lock (Ian Kent) [1994879 1939133] - kernfs: use i_lock to protect concurrent inode updates (Ian Kent) [1994879 1939133] - kernfs: switch kernfs to use an rwsem (Ian Kent) [1994879 1939133] - kernfs: use VFS negative dentry caching (Ian Kent) [1994879 1939133] - kernfs: add a revision to identify directory node changes (Ian Kent) [1994879 1939133] - kernfs: move revalidate to be near lookup (Ian Kent) [1994879 1939133] - scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (Jan Stancek) [1948608 1923762] - net: sched: act_mirred: Reset ct info when mirror/redirect skb (C. Erastus Toe) [1992226 1980532] - usb: ehci: Prevent missed ehci interrupts with edge-triggered MSI (Torez Smith) [1993894 1972139] - usb: ehci: do not initialise static variables (Torez Smith) [1993894 1972139] - usb: host: move EH SINGLE_STEP_SET_FEATURE implementation to core (Torez Smith) [1993894 1972139] - USB: ehci: drop workaround for forced irq threading (Torez Smith) [1993894 1972139] - usb: ehci: add spurious flag to disable overcurrent checking (Torez Smith) [1993894 1972139] - NFS: Only change the cookie verifier if the directory page cache is empty (Benjamin Coddington) [1993895 1982825] - NFS: Fix handling of cookie verifier in uncached_readdir() (Benjamin Coddington) [1993895 1982825] - nfs: Subsequent READDIR calls should carry non-zero cookieverifier (Benjamin Coddington) [1993895 1982825] - KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow (Jon Maloy) [1988225 1988226] {CVE-2021-37576} [4.18.0-305.15.1.el8_4] - sched: Fix data-race in wakeup (Phil Auld) [1987296 1937103] - mm/page_alloc: bail out on fatal signal during reclaim/compaction retry attempt (Aaron Tomlin) [1984085 1919765] - sunrpc: Avoid a KASAN slab-out-of-bounds bug in xdr_set_page_base() (Benjamin Coddington) [1990404 1969751] [4.18.0-305.14.1.el8_4] - tick/nohz: Kick only _queued_ task whose tick dependency is updated (Waiman Long) [1981336 1922901] - tick/nohz: Change signal tick dependency to wake up CPUs of member tasks (Waiman Long) [1981336 1922901] - tick/nohz: Only wake up a single target cpu when kicking a task (Waiman Long) [1981336 1922901] - tick/nohz: Narrow down noise while setting current task's tick dependency (Waiman Long) [1981336 1922901] - mlx5: net: zero-initialize tc skb extension on allocation (Jan Stancek) [1982220 1965418] - scsi: qedf: Update the max_id value in host structure (Nilesh Javali) [1989097 1954876] - scsi: qla2xxx: Reserve extra IRQ vectors (Nilesh Javali) [1986156 1964834] [4.18.0-305.13.1.el8_4] - xfrm: Fix wraparound in xfrm_policy_addr_delta() (Sabrina Dubroca) [1981840 1951965] - VMCI: Release resource if the work is already queued (Cathy Avery) [1982042 1978518]

SRPMs

https://oss.oracle.com:443/ol8/SRPMS-updates/kernel-4.18.0-305.17.1.el8_4.src.rpm

x86_64

bpftool-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-abi-stablelists-4.18.0-305.17.1.el8_4.noarch.rpm kernel-core-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-cross-headers-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-debug-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-debug-core-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-debug-devel-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-debug-modules-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-debug-modules-extra-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-devel-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-doc-4.18.0-305.17.1.el8_4.noarch.rpm kernel-headers-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-modules-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-modules-extra-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-tools-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-tools-libs-4.18.0-305.17.1.el8_4.x86_64.rpm perf-4.18.0-305.17.1.el8_4.x86_64.rpm python3-perf-4.18.0-305.17.1.el8_4.x86_64.rpm kernel-tools-libs-devel-4.18.0-305.17.1.el8_4.x86_64.rpm

aarch64

bpftool-4.18.0-305.17.1.el8_4.aarch64.rpm kernel-headers-4.18.0-305.17.1.el8_4.aarch64.rpm kernel-tools-4.18.0-305.17.1.el8_4.aarch64.rpm kernel-tools-libs-4.18.0-305.17.1.el8_4.aarch64.rpm perf-4.18.0-305.17.1.el8_4.aarch64.rpm python3-perf-4.18.0-305.17.1.el8_4.aarch64.rpm kernel-tools-libs-devel-4.18.0-305.17.1.el8_4.aarch64.rpm

i386

Severity
Related CVEs: CVE-2021-37576 CVE-2021-38201

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved