Oracle Linux Security Advisory ELSA-2024-3306 (kernel, severity: Moderate)

http://linux.oracle.com/errata/ELSA-2024-3306.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-7.3.0-427.18.1.el9_4.x86_64.rpm
kernel-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-abi-stablelists-5.14.0-427.18.1.el9_4.noarch.rpm
kernel-core-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-core-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-devel-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-devel-matched-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-modules-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-debug-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-devel-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-devel-matched-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-doc-5.14.0-427.18.1.el9_4.noarch.rpm
kernel-headers-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-modules-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-tools-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-tools-libs-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm
perf-5.14.0-427.18.1.el9_4.x86_64.rpm
python3-perf-5.14.0-427.18.1.el9_4.x86_64.rpm
rtla-5.14.0-427.18.1.el9_4.x86_64.rpm
rv-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-cross-headers-5.14.0-427.18.1.el9_4.x86_64.rpm
kernel-tools-libs-devel-5.14.0-427.18.1.el9_4.x86_64.rpm
libperf-5.14.0-427.18.1.el9_4.x86_64.rpm

aarch64:
bpftool-7.3.0-427.18.1.el9_4.aarch64.rpm
kernel-cross-headers-5.14.0-427.18.1.el9_4.aarch64.rpm
kernel-headers-5.14.0-427.18.1.el9_4.aarch64.rpm
kernel-tools-5.14.0-427.18.1.el9_4.aarch64.rpm
kernel-tools-libs-5.14.0-427.18.1.el9_4.aarch64.rpm
kernel-tools-libs-devel-5.14.0-427.18.1.el9_4.aarch64.rpm
perf-5.14.0-427.18.1.el9_4.aarch64.rpm
python3-perf-5.14.0-427.18.1.el9_4.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//kernel-5.14.0-427.18.1.el9_4.src.rpm

Related CVEs:

CVE-2024-26642
CVE-2024-26643
CVE-2024-26673
CVE-2024-26804

Description of changes:

[5.14.0-427.18.1.el9_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.18.1.el9_4]
- netfilter: nf_tables: disallow anonymous set with timeout flag (Phil Sutter) [RHEL-32971 RHEL-30082] {CVE-2024-26642}
- netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout (Phil Sutter) [RHEL-33070 RHEL-30078] {CVE-2024-26643}
- netfilter: nft_ct: fix l3num expectations with inet pseudo family (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- arm64: tlb: Fix TLBI RANGE operand (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- arm64/mm: Modify range-based tlbi to decrement scale (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- rh_messages.h: mark mlx5 on Bluefield-3 as unmaintained (Scott Weaver) [RHEL-35878 RHEL-33061]
- net: ip_tunnel: prevent perpetual headroom growth (Guillaume Nault) [RHEL-33934 RHEL-31816] {CVE-2024-26804}
- gitlab-ci: use zstream builder container image (Michael Hofmann)
- selftests: net: gro fwd: update vxlan GRO test expectations (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: prevent local UDP tunnel packets from being GROed (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not transition UDP GRO fraglist partial checksums to unnecessary (Antoine Tenart) [RHEL-30910 RHEL-19729]
- gro: fix ownership transfer (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not accept non-tunnel GSO skbs landing in a tunnel (Antoine Tenart) [RHEL-30910 RHEL-19729]
- bpf, tcx: Get rid of tcx_link_const (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add additional mprog query test coverage (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Make seen_tc* variable tests more robust (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test query on empty mprog and pass revision into attach (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Adapt assert_mprog_count to always expect 0 count (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test bpf_mprog query API via libbpf and raw syscall (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftest/bpf: Add various selftests for program limits (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Refuse unused attributes in bpf_prog_{attach,detach} (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Handle bpf_mprog_query with NULL entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- net: Fix skb consume leak in sch_handle_egress (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add various more tcx test cases (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add test for detachment on empty mprog entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat during dev unregister (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat in ingress_destroy upon tcx_entry_free (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx links (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx opts (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Add fd-based tcx multi-prog infra with link support (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpftool: Implement link show support for tcx (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpftool: Extend net dump with tcx progs (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpf: fix precision backtracking instruction iteration (Jay Shin) [RHEL-35230 RHEL-23643]

[5.14.0-427.17.1.el9_4]
- ceph: switch to use cap_delay_lock for the unlink delay list (Jay Shin) [RHEL-33003 RHEL-32997]
- ceph: remove useless session parameter for check_caps() (Xiubo Li) [RHEL-33003 RHEL-19813]
- ceph: flush the dirty caps immediatelly when quota is approaching (Xiubo Li) [RHEL-33003 RHEL-19813]
- vhost: Add smp_rmb() in vhost_enable_notify() (Gavin Shan) [RHEL-31839 RHEL-26104]
- vhost: Add smp_rmb() in vhost_vq_avail_empty() (Gavin Shan) [RHEL-31839 RHEL-26104]
- iommu/vt-d: Support enforce_cache_coherency only for empty domains (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Add MTL to quirk list to skip TE disabling (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Make context clearing consistent with context mapping (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Disable PCI ATS in legacy passthrough mode (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Omit devTLB invalidation requests when TES=0 (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- PCI/MSI: Prevent MSI hardware interrupt number truncation (Myron Stowe) [RHEL-33656 RHEL-21453]

_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
