ELSA-2022-5819

ELSA-2022-5819 - kernel security and bug fix update

Type:SECURITY
Severity:IMPORTANT
Release Date:2022-08-08

Description


[4.18.0-372.19.1.0.1_6.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5
- debug: lockdown kgdb [Orabug: 34270802] {CVE-2022-21499}

[4.18.0-372.19.1_6]
- net/mlx5: CT: Fix header-rewrite re-use for tupels (Amir Tzin) [2104013 2101162]
- net/mlx5e: TC, Fix ct_clear overwriting ct action metadata (Amir Tzin) [2104012 2100474]
- netfilter: flowtable: fix TCP flow teardown (Florian Westphal) [2104002 2088234]
- netfilter: conntrack: annotate data-races around ct->timeout (Florian Westphal) [2104002 2088234]
- netfilter: conntrack: initialize ct->timeout (Florian Westphal) [2104002 2088234]
- net/sched: act_police: more accurate MTU policing (Davide Caratti) [2102333 2100893]
- bpf: Fix request_sock leak in sk lookup helpers (Antoine Tenart) [2104670 2085313]

[4.18.0-372.18.1_6]
- redhat: flesh out rpminspect config file (Jarod Wilson)
- powerpc/pseries/ddw: Revert 'Extend upper limit for huge DMA window for persistent memory' (Steve Best) [2100150 2056080]
- vdpa: mlx5: synchronize driver status with CVQ (Jason Wang) [2093416 2048009]
- vdpa: mlx5: prevent cvq work from hogging CPU (Jason Wang) [2093416 2048009]
- vdpa/mlx5: Avoid processing works if workqueue was destroyed (Cindy Lu) [2093416 2048009]
- cifs: fix potential double free during failed mount (Ronnie Sahlberg) [2102251 2088799]

[4.18.0-372.17.1_6]
- tcp: drop the hash_32() part from the index calculation (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: increase source port perturb table to 2^16 (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: dynamically allocate the perturb table used by source ports (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: add small random increments to the source port (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: resalt the secret every 10 seconds (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: use different parts of the port_offset for index and offset (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- secure_seq: use the 64 bits of the siphash for port offset calculation (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: add some entropy in __inet_hash_connect() (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- tcp: change source port randomizarion at connect() time (Guillaume Nault) [2087130 2064876] {CVE-2022-1012}
- hrtimer: Unbreak hrtimer_force_reprogram() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Use raw_cpu_ptr() in clock_was_set() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Avoid more SMP function calls in clock_was_set() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Avoid unnecessary SMP function calls in clock_was_set() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Add bases argument to clock_was_set() (Fernando Pacheco) [2090484 2071776]
- time/timekeeping: Avoid invoking clock_was_set() twice (Fernando Pacheco) [2090484 2071776]
- timekeeping: Distangle resume and clock-was-set events (Fernando Pacheco) [2090484 2071776]
- timerfd: Provide timerfd_resume() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Force clock_was_set() handling for the HIGHRES=n, NOHZ=y case (Fernando Pacheco) [2090484 2071776]
- hrtimer: Ensure timerfd notification for HIGHRES=n (Fernando Pacheco) [2090484 2071776]
- hrtimer: Consolidate reprogramming code (Fernando Pacheco) [2090484 2071776]
- hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() (Fernando Pacheco) [2090484 2071776]
- hrtimer: Annotate lockless access to timer->state (Fernando Pacheco) [2090484 2071776]
- mm, compaction: fast_find_migrateblock() should return pfn in the target zone (Rafael Aquini) [2100529 2067130]
- lib/sbitmap: fix sb->map leak (Ming Lei) [2100254 2093549]
- scsi: core: Fix sbitmap depth in scsi_realloc_sdev_budget_map() (Ewan D. Milne) [2100254 2071831]
- lib/sbitmap: allocate sb->map via kvzalloc_node (Ewan D. Milne) [2100254 2071831]
- mm: move kvmalloc-related functions to slab.h (Ewan D. Milne) [2100254 2071831]
- scsi: core: Reallocate device's budget map on queue depth change (Ewan D. Milne) [2100254 2071831]
- scsi: core: Fix scsi_device_max_queue_depth() (Ewan D. Milne) [2100254 2071831]
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2092986 2092987] {CVE-2022-32250}
- audit: improve audit queue handling when 'audit=1' on cmdline (Richard Guy Briggs) [2095434 2035123]
- audit: improve robustness of the audit queue handling (Richard Guy Briggs) [2095434 2035123]


Related CVEs


CVE-2022-1012
CVE-2022-32250

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 8 (aarch64) kernel-4.18.0-372.19.1.0.1.el8_6.src.rpmd17a5358c344d36b56f3cbab12fba63c-
bpftool-4.18.0-372.19.1.0.1.el8_6.aarch64.rpmacfe756a1363e6316121b7199e7d0dbc-
kernel-cross-headers-4.18.0-372.19.1.0.1.el8_6.aarch64.rpmadb8b004bdaf85d1616143e8a99813ca-
kernel-headers-4.18.0-372.19.1.0.1.el8_6.aarch64.rpm76b458f2736cef50c48715df76458d40-
kernel-tools-4.18.0-372.19.1.0.1.el8_6.aarch64.rpma673f110d825da7728978c11af0e9a93-
kernel-tools-libs-4.18.0-372.19.1.0.1.el8_6.aarch64.rpm0f187177474dfe8abed8896bff148c29-
kernel-tools-libs-devel-4.18.0-372.19.1.0.1.el8_6.aarch64.rpma8b23895e0b93e5fd836a2d6a1058248-
perf-4.18.0-372.19.1.0.1.el8_6.aarch64.rpme0b48be35507fca6fddde2ff4d4586ef-
python3-perf-4.18.0-372.19.1.0.1.el8_6.aarch64.rpm32d4eaaa74e364f78dfc3f2fc728590b-
Oracle Linux 8 (x86_64) kernel-4.18.0-372.19.1.0.1.el8_6.src.rpmd17a5358c344d36b56f3cbab12fba63c-
bpftool-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm26147edb03fff4c97d80b6ae29cc6080-
kernel-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm9614b444a7392cfaae2c9d210186b939-
kernel-abi-stablelists-4.18.0-372.19.1.0.1.el8_6.noarch.rpm52ccfd5391f3e85fe0a41bcb948f04e4-
kernel-core-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm374abb69f5b91a4406605141b5833425-
kernel-cross-headers-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm8f6f5d9178530803d516b0036d32cc51-
kernel-debug-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm1dda922085fb062568cb823a5b4189e5-
kernel-debug-core-4.18.0-372.19.1.0.1.el8_6.x86_64.rpmf3b7f0c67a0d232aefd9244e7bb6cf5c-
kernel-debug-devel-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm285568d3cc9b295ae467a947966fada0-
kernel-debug-modules-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm01f97e31859228bf96ad82c447939dd7-
kernel-debug-modules-extra-4.18.0-372.19.1.0.1.el8_6.x86_64.rpmb7c1482f8c113968d3672c35bdd4c320-
kernel-devel-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm1a5404bffa3d9beb8bef094b3221ac4e-
kernel-doc-4.18.0-372.19.1.0.1.el8_6.noarch.rpm4b61aa722a1756f33cb7d16a79325715-
kernel-headers-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm456db1d2923892f000fa7e2bde70f982-
kernel-modules-4.18.0-372.19.1.0.1.el8_6.x86_64.rpmce3d4811e1d53bf48bea4a91c2184925-
kernel-modules-extra-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm3dc5c8db44f97a208afecfde1cf3d90c-
kernel-tools-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm45984fed9a126d63e3a4832e9dfbd815-
kernel-tools-libs-4.18.0-372.19.1.0.1.el8_6.x86_64.rpme536fb33aabdb1c8617dfea3f34868e4-
kernel-tools-libs-devel-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm54609282dca6c9ae60e76fb551037944-
perf-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm34f3822ebf34501dc4ef3ff2f9005814-
python3-perf-4.18.0-372.19.1.0.1.el8_6.x86_64.rpm4a5a00058590e350bdf857cfeb7caa66-



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete