Oracle8: ELSA-2022-5316: kernel Important Security Update | LinuxSe...

Advisories

Oracle Linux Security Advisory ELSA-2022-5316

https://linux.oracle.com/errata/ELSA-2022-5316.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-abi-stablelists-4.18.0-372.13.1.0.1.el8_6.noarch.rpm
kernel-core-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-cross-headers-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-debug-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-debug-core-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-debug-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-debug-modules-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-debug-modules-extra-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-doc-4.18.0-372.13.1.0.1.el8_6.noarch.rpm
kernel-headers-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-modules-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-modules-extra-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-tools-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-tools-libs-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
perf-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
python3-perf-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm
kernel-tools-libs-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm

aarch64:
bpftool-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
kernel-cross-headers-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
kernel-headers-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
kernel-tools-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
kernel-tools-libs-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
perf-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
python3-perf-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm
kernel-tools-libs-devel-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm


SRPMS:
https://oss.oracle.com/ol8/SRPMS-updates/kernel-4.18.0-372.13.1.0.1.el8_6.src.rpm

Related CVEs:

CVE-2020-28915
CVE-2022-27666




Description of changes:

[4.18.0-372.13.1.0.1.el8_6.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5.el8
- debug: lockdown kgdb [Orabug: 34270802] {CVE-2022-21499}

[4.18.0-372.13.1.el8_6]
- openvswitch: always update flow key after nat (Aaron Conole) [2068476 2066885]
- KVM: PPC: Fix TCE handling for VFIO (Daniel Henrique Barboza) [2085572 2062687]
- rfkill: make new event layout opt-in (Jose Ignacio Tornos Martinez) [2087641 2023175]
- ASoC: Intel: soc-acpi: add entries in ADL match table (Jaroslav Kysela) [2090423 2052011]
- isert: support for unsolicited NOPIN with no response (Maurizio Lombardi) [2079433 2035915]
- iscsit: increment max_cmd_sn for isert on command release (Maurizio Lombardi) [2079433 2035915]
- net: tcp better handling of reordering then loss cases (Marcelo Ricardo Leitner) [2080972 2074566]
- tcp: tcp_mark_head_lost is only valid for sack-tcp (Marcelo Ricardo Leitner) [2080972 2074566]

[4.18.0-372.12.1.el8_6]
- sctp: use the correct skb for security_sctp_assoc_request (Xin Long) [2070959]
- net/mlx5e: Fix wrong source vport matching on tunnel rule (Amir Tzin) [2088610]
- net/mlx5: DR, Fix missing flow_source when creating multi-destination FW table (Amir Tzin) [2088611]
- net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte (Amir Tzin) [2088611]
- net/mlx5: DR, Cache STE shadow memory (Amir Tzin) [2075553]
- net/mlx5: DR, Fix the threshold that defines when pool sync is initiated (Amir Tzin) [2075553]
- drm/i915/display: Remove check for low voltage sku for max dp source rate (Jocelyn Falempe) [2066644]
- net/mlx5: DR, Ignore modify TTL on RX if device doesn't support it (Amir Tzin) [2088638]
- net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion (Amir Tzin) [2081011]
- net/mlx5e: TC, Skip redundant ct clear actions (Amir Tzin) [2079918]
- net/mlx5e: TC, fix decap fallback to uplink when int port not supported (Amir Tzin) [2088639]
- CI: Use zstream builder image (Veronika Kabatova)
- ice: Allow to pass VLAN tagged packets to VF when port VLAN is configured (Petr Oros) [2081794]
- ice: clear stale Tx queue settings before configuring (Petr Oros) [2081794]
- ice: fix crash when writing timestamp on RX rings (Petr Oros) [2081794]
- ice: Fix race during aux device (un)plugging (Petr Oros) [2081794]
- ice: fix PTP stale Tx timestamps cleanup (Petr Oros) [2081794]
- ice: ice_sched: fix an incorrect NULL check on list iterator (Petr Oros) [2081794]
- ice: fix use-after-free when deinitializing mailbox snapshot (Petr Oros) [2081794]
- ice: wait 5 s for EMP reset after firmware flash (Petr Oros) [2081794]
- ice: Protect vf_state check by cfg_lock in ice_vc_process_vf_msg() (Petr Oros) [2081794]
- ice: Fix incorrect locking in ice_vc_process_vf_msg() (Petr Oros) [2081794]
- ice: Fix memory leak in ice_get_orom_civd_data() (Petr Oros) [2081794]
- ice: fix crash in switchdev mode (Petr Oros) [2081794]
- Revert "iavf: Fix deadlock occurrence during resetting VF interface" (Petr Oros) [2081794]
- ice: arfs: fix use-after-free when freeing @rx_cpu_rmap (Petr Oros) [2081794]
- ice: clear cmd_type_offset_bsz for TX rings (Petr Oros) [2081794]
- ice: xsk: fix VSI state check in ice_xsk_wakeup() (Petr Oros) [2081794]
- ice: synchronize_rcu() when terminating rings (Petr Oros) [2081794]
- ice: Do not skip not enabled queues in ice_vc_dis_qs_msg (Petr Oros) [2081794]
- ice: Set txq_teid to ICE_INVAL_TEID on ring creation (Petr Oros) [2081794]
- ice: Fix broken IFF_ALLMULTI handling (Petr Oros) [2081794]
- ice: Fix MAC address setting (Petr Oros) [2081794]
- openvswitch: Fix setting ipv6 fields causing hw csum failure (Eelco Chaudron) [2086549]
- sched/cputime, proc/stat: Fix incorrect guest nice cpustat value (Waiman Long) [2084138]
- procfs: Use all-in-one vtime aware kcpustat accessor (Waiman Long) [2084138]
- procfs: Use vtime aware kcpustat accessor to fetch CPUTIME_SYSTEM (Waiman Long) [2084138]
- proc: read kernel cpu stat pointer once (Waiman Long) [2084138]
- proc: use "unsigned int" in /proc/stat hook (Waiman Long) [2084138]
- sched/cputime: Support other fields on kcpustat_field() (Waiman Long) [2084138]
- sched/cputime: Add vtime guest task state (Waiman Long) [2084138]
- sched/cputime: Add vtime idle task state (Waiman Long) [2084138]
- sched/cputime: Spare a seqcount lock/unlock cycle on context switch (Waiman Long) [2084138]
- sched/vtime: Move task_struct_rh->vtime_cpu back to vtime structure (Waiman Long) [2084138]
- net: openvswitch: fix leak of nested actions (Eelco Chaudron) [2086590]
- net/sched: fix initialization order when updating chain 0 head (Marcelo Ricardo Leitner) [2074221]
- PCI: hv: Propagate coherence from VMbus device to PCI device (Vitaly Kuznetsov) [2074829]
- Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device (Vitaly Kuznetsov) [2074829]

[4.18.0-372.11.1.el8_6]
- Revert "xfs: actually bump warning counts when we send warnings" (Carlos Maiolino) [2071713]
- SUNRPC: use different lock keys for INET6 and LOCAL (Guillaume Nault) [2079856]
- Revert "netfilter: conntrack: tag conntracks picked up in local out hook" (Florian Westphal) [2065266]
- Revert "netfilter: nat: force port remap to prevent shadowing well-known ports" (Florian Westphal) [2065266]
- KVM: PPC: Book3S HV: Add infrastructure to support 2nd DAWR (Laurent Vivier) [2079069]
- KVM: PPC: Book3S HV: Rename current DAWR macros and variables (Laurent Vivier) [2079069]
- esp: limit skb_page_frag_refill use to a single page (Sabrina Dubroca) [2062114] {CVE-2022-27666}
- esp: Fix possible buffer overflow in ESP transformation (Sabrina Dubroca) [2062114] {CVE-2022-27666}
- NFS: Don't loop forever in nfs_do_recoalesce() (Scott Mayhew) [2080998]

[4.18.0-372.10.1.el8_6]
- Fonts: Replace discarded const qualifier (Nico Pache) [2064762]
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts (Nico Pache) [2064762]
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h (Nico Pache) [2064762]
- CI: Drop baseline runs (Veronika Kabatova)
- redhat: drop the -sha512 suffix from default rhpkg invocation (Jarod Wilson)
- redhat: switch release to zstream (Augusto Caringi)
- ceph: fix possible NULL pointer dereference for req->r_session (Xiubo Li) [2080071]


_______________________________________________
El-errata mailing list
[email protected]
https://oss.oracle.com/mailman/listinfo/el-errata

Oracle8: ELSA-2022-5316: kernel Important Security Update

Summary

Description of changes: [4.18.0-372.13.1.0.1.el8_6.OL8] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 <= 15-11.0.5.el8 - debug: lockdown kgdb [Orabug: 34270802] {CVE-2022-21499} [4.18.0-372.13.1.el8_6] - openvswitch: always update flow key after nat (Aaron Conole) [2068476 2066885] - KVM: PPC: Fix TCE handling for VFIO (Daniel Henrique Barboza) [2085572 2062687] - rfkill: make new event layout opt-in (Jose Ignacio Tornos Martinez) [2087641 2023175] - ASoC: Intel: soc-acpi: add entries in ADL match table (Jaroslav Kysela) [2090423 2052011] - isert: support for unsolicited NOPIN with no response (Maurizio Lombardi) [2079433 2035915] - iscsit: increment max_cmd_sn for isert on command release (Maurizio Lombardi) [2079433 2035915] - net: tcp better handling of reordering then loss cases (Marcelo Ricardo Leitner) [2080972 2074566] - tcp: tcp_mark_head_lost is only valid for sack-tcp (Marcelo Ricardo Leitner) [2080972 2074566] [4.18.0-372.12.1.el8_6] - sctp: use the correct skb for security_sctp_assoc_request (Xin Long) [2070959] - net/mlx5e: Fix wrong source vport matching on tunnel rule (Amir Tzin) [2088610] - net/mlx5: DR, Fix missing flow_source when creating multi-destination FW table (Amir Tzin) [2088611] - net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte (Amir Tzin) [2088611] - net/mlx5: DR, Cache STE shadow memory (Amir Tzin) [2075553] - net/mlx5: DR, Fix the threshold that defines when pool sync is initiated (Amir Tzin) [2075553] - drm/i915/display: Remove check for low voltage sku for max dp source rate (Jocelyn Falempe) [2066644] - net/mlx5: DR, Ignore modify TTL on RX if device doesn't support it (Amir Tzin) [2088638] - net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion (Amir Tzin) [2081011] - net/mlx5e: TC, Skip redundant ct clear actions (Amir Tzin) [2079918] - net/mlx5e: TC, fix decap fallback to uplink when int port not supported (Amir Tzin) [2088639] - CI: Use zstream builder image (Veronika Kabatova) - ice: Allow to pass VLAN tagged packets to VF when port VLAN is configured (Petr Oros) [2081794] - ice: clear stale Tx queue settings before configuring (Petr Oros) [2081794] - ice: fix crash when writing timestamp on RX rings (Petr Oros) [2081794] - ice: Fix race during aux device (un)plugging (Petr Oros) [2081794] - ice: fix PTP stale Tx timestamps cleanup (Petr Oros) [2081794] - ice: ice_sched: fix an incorrect NULL check on list iterator (Petr Oros) [2081794] - ice: fix use-after-free when deinitializing mailbox snapshot (Petr Oros) [2081794] - ice: wait 5 s for EMP reset after firmware flash (Petr Oros) [2081794] - ice: Protect vf_state check by cfg_lock in ice_vc_process_vf_msg() (Petr Oros) [2081794] - ice: Fix incorrect locking in ice_vc_process_vf_msg() (Petr Oros) [2081794] - ice: Fix memory leak in ice_get_orom_civd_data() (Petr Oros) [2081794] - ice: fix crash in switchdev mode (Petr Oros) [2081794] - Revert "iavf: Fix deadlock occurrence during resetting VF interface" (Petr Oros) [2081794] - ice: arfs: fix use-after-free when freeing @rx_cpu_rmap (Petr Oros) [2081794] - ice: clear cmd_type_offset_bsz for TX rings (Petr Oros) [2081794] - ice: xsk: fix VSI state check in ice_xsk_wakeup() (Petr Oros) [2081794] - ice: synchronize_rcu() when terminating rings (Petr Oros) [2081794] - ice: Do not skip not enabled queues in ice_vc_dis_qs_msg (Petr Oros) [2081794] - ice: Set txq_teid to ICE_INVAL_TEID on ring creation (Petr Oros) [2081794] - ice: Fix broken IFF_ALLMULTI handling (Petr Oros) [2081794] - ice: Fix MAC address setting (Petr Oros) [2081794] - openvswitch: Fix setting ipv6 fields causing hw csum failure (Eelco Chaudron) [2086549] - sched/cputime, proc/stat: Fix incorrect guest nice cpustat value (Waiman Long) [2084138] - procfs: Use all-in-one vtime aware kcpustat accessor (Waiman Long) [2084138] - procfs: Use vtime aware kcpustat accessor to fetch CPUTIME_SYSTEM (Waiman Long) [2084138] - proc: read kernel cpu stat pointer once (Waiman Long) [2084138] - proc: use "unsigned int" in /proc/stat hook (Waiman Long) [2084138] - sched/cputime: Support other fields on kcpustat_field() (Waiman Long) [2084138] - sched/cputime: Add vtime guest task state (Waiman Long) [2084138] - sched/cputime: Add vtime idle task state (Waiman Long) [2084138] - sched/cputime: Spare a seqcount lock/unlock cycle on context switch (Waiman Long) [2084138] - sched/vtime: Move task_struct_rh->vtime_cpu back to vtime structure (Waiman Long) [2084138] - net: openvswitch: fix leak of nested actions (Eelco Chaudron) [2086590] - net/sched: fix initialization order when updating chain 0 head (Marcelo Ricardo Leitner) [2074221] - PCI: hv: Propagate coherence from VMbus device to PCI device (Vitaly Kuznetsov) [2074829] - Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device (Vitaly Kuznetsov) [2074829] [4.18.0-372.11.1.el8_6] - Revert "xfs: actually bump warning counts when we send warnings" (Carlos Maiolino) [2071713] - SUNRPC: use different lock keys for INET6 and LOCAL (Guillaume Nault) [2079856] - Revert "netfilter: conntrack: tag conntracks picked up in local out hook" (Florian Westphal) [2065266] - Revert "netfilter: nat: force port remap to prevent shadowing well-known ports" (Florian Westphal) [2065266] - KVM: PPC: Book3S HV: Add infrastructure to support 2nd DAWR (Laurent Vivier) [2079069] - KVM: PPC: Book3S HV: Rename current DAWR macros and variables (Laurent Vivier) [2079069] - esp: limit skb_page_frag_refill use to a single page (Sabrina Dubroca) [2062114] {CVE-2022-27666} - esp: Fix possible buffer overflow in ESP transformation (Sabrina Dubroca) [2062114] {CVE-2022-27666} - NFS: Don't loop forever in nfs_do_recoalesce() (Scott Mayhew) [2080998] [4.18.0-372.10.1.el8_6] - Fonts: Replace discarded const qualifier (Nico Pache) [2064762] - Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts (Nico Pache) [2064762] - fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h (Nico Pache) [2064762] - CI: Drop baseline runs (Veronika Kabatova) - redhat: drop the -sha512 suffix from default rhpkg invocation (Jarod Wilson) - redhat: switch release to zstream (Augusto Caringi) - ceph: fix possible NULL pointer dereference for req->r_session (Xiubo Li) [2080071]

i386

x86_64

bpftool-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-abi-stablelists-4.18.0-372.13.1.0.1.el8_6.noarch.rpm kernel-core-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-cross-headers-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-debug-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-debug-core-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-debug-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-debug-modules-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-debug-modules-extra-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-doc-4.18.0-372.13.1.0.1.el8_6.noarch.rpm kernel-headers-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-modules-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-modules-extra-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-tools-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-tools-libs-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm perf-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm python3-perf-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm kernel-tools-libs-devel-4.18.0-372.13.1.0.1.el8_6.x86_64.rpm aarch64: bpftool-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm kernel-cross-headers-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm kernel-headers-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm kernel-tools-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm kernel-tools-libs-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm perf-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm python3-perf-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm kernel-tools-libs-devel-4.18.0-372.13.1.0.1.el8_6.aarch64.rpm

SRPMS

https://oss.oracle.com/ol8/SRPMS-updates/kernel-4.18.0-372.13.1.0.1.el8_6.src.rpm

Severity
Related CVEs: CVE-2020-28915 CVE-2022-27666

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.