ELSA-2023-0334

ELSA-2023-0334 - kernel security and bug fix update

Type: SECURITY
Impact: IMPORTANT
Release Date: 2023-01-25

Description


[5.14.0-162.12.1_1.OL9]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]

[5.14.0-162.12.1_1]
- x86/fpu: Drop fpregs lock before inheriting FPU permissions (Valentin Schneider) [2154407 2153181]
- hv_netvsc: Fix race between VF offering and VF association message from host (Mohammed Gamal) [2151605 2149277]
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (Emanuele Giuseppe Esposito) [2150910 2092794]

[5.14.0-162.11.1_1]
- drm/i915: fix TLB invalidation for Gen12 video and compute engines (Wander Lairson Costa) [2148152 2148153] {CVE-2022-4139}
- memcg: prohibit unconditional exceeding the limit of dying tasks (Chris von Recklinghausen) [2143976 2120352]
- mm, oom: do not trigger out_of_memory from the #PF (Waiman Long) [2143976 2139747]
- mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks (Chris von Recklinghausen) [2143976 2120352]
- pipe: Fix missing lock in pipe_resize_ring() (Ian Kent) [2141631 2141632] {CVE-2022-2959}
- net: usb: ax88179_178a: Fix packet receiving (Jose Ignacio Tornos Martinez) [2142722 2142723] {CVE-2022-2964}
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (Jose Ignacio Tornos Martinez) [2142722 2142723] {CVE-2022-2964}
- NFSD: Protect against send buffer overflow in NFSv3 READ (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READ (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv3 READDIR (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READDIR (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_encode's buflen calculation (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}

[5.14.0-162.10.1_1]
- ice: Fix crash by keep old cfg when update TCs more than queues (Petr Oros) [2132070 2131953]
- ice: Fix tunnel checksum offload with fragmented traffic (Petr Oros) [2132070 2131953]
- ice: handle E822 generic device ID in PLDM header (Petr Oros) [2132070 2131953]
- ice: ethtool: Prohibit improper channel config for DCB (Petr Oros) [2132070 2131953]
- ice: ethtool: advertise 1000M speeds properly (Petr Oros) [2132070 2131953]
- ice: Fix switchdev rules book keeping (Petr Oros) [2132070 2131953]
- ice: fix access-beyond-end in the switch code (Petr Oros) [2132070 2131953]
- eth: ice: silence the GCC 12 array-bounds warning (Petr Oros) [2132070 2131953]
- ice: Expose RSS indirection tables for queue groups via ethtool (Petr Oros) [2132070 2131953]
- Revert 'ice: Hide bus-info in ethtool for PRs in switchdev mode' (Petr Oros) [2132070 2131953]
- ice: remove period on argument description in ice_for_each_vf (Petr Oros) [2132070 2131953]
- ice: add a function comment for ice_cfg_mac_antispoof (Petr Oros) [2132070 2131953]
- ice: fix wording in comment for ice_reset_vf (Petr Oros) [2132070 2131953]
- ice: remove return value comment for ice_reset_all_vfs (Petr Oros) [2132070 2131953]
- ice: always check VF VSI pointer values (Petr Oros) [2132070 2131953]
- ice: add newline to dev_dbg in ice_vf_fdir_dump_info (Petr Oros) [2132070 2131953]
- ice: get switch id on switchdev devices (Petr Oros) [2132070 2131953]
- ice: return ENOSPC when exceeding ICE_MAX_CHAIN_WORDS (Petr Oros) [2132070 2131953]
- ice: introduce common helper for retrieving VSI by vsi_num (Petr Oros) [2132070 2131953]
- ice: use min_t() to make code cleaner in ice_gnss (Petr Oros) [2132070 2131953]
- ice, xsk: Avoid refilling single Rx descriptors (Petr Oros) [2132070 2131953]
- ice, xsk: Diversify return values from xsk_wakeup call paths (Petr Oros) [2132070 2131953]
- ice, xsk: Terminate Rx side of NAPI when XSK Rx queue gets full (Petr Oros) [2132070 2131953]
- ice, xsk: Decorate ICE_XDP_REDIR with likely() (Petr Oros) [2132070 2131953]
- ice: Add mpls+tso support (Petr Oros) [2132070 2131953]
- ice: switch: convert packet template match code to rodata (Petr Oros) [2132070 2131953]
- ice: switch: use convenience macros to declare dummy pkt templates (Petr Oros) [2132070 2131953]
- ice: switch: use a struct to pass packet template params (Petr Oros) [2132070 2131953]
- ice: switch: unobscurify bitops loop in ice_fill_adv_dummy_packet() (Petr Oros) [2132070 2131953]
- ice: switch: add and use u16[] aliases to ice_adv_lkup_elem::{h, m}_u (Petr Oros) [2132070 2131953]
- ice: Support GTP-U and GTP-C offload in switchdev (Petr Oros) [2132070 2131953]
- Documentation/admin-guide: Document nomodeset kernel parameter (Karol Herbst) [2145217 2143841]
- drm: Move nomodeset kernel parameter to the DRM subsystem (Karol Herbst) [2145217 2143841]
- selftests/bpf: Limit unroll_count for pyperf600 test (Frantisek Hrbata) [2144902 2139836]
- nvme-fc: fix the fc_appid_store return value (Ewan D. Milne) [2136914 2113035]
- ACPI: processor idle: Practically limit 'Dummy wait' workaround to old Intel systems (Wei Huang) [2142168 2130652]
- CI: Drop c9s CI parts (Veronika Kabatova)
- CI: Use GA builder container (Veronika Kabatova)

[5.14.0-162.9.1_1]
- CI: Remove deprecated variable (Veronika Kabatova)
- drm: fix duplicated code in drm_connector_register (Karol Herbst) [2134619 2132575]
- drm/mgag200: Fix PLL setup for G200_SE_A rev >=4 (Jocelyn Falempe) [2140153 1960467]
- scsi: mpi3mr: Schedule IRQ kthreads only on non-RT kernels (Tomas Henzl) [2139213 2136223]

[5.14.0-162.8.1_1]
- redhat: fix the branch we pull from the documentation tree (Herton R. Krzesinski)
- nvme-tcp: handle number of queue changes (John Meneghini) [2131359 2112025]
- nvmet: expose max queues to configfs (John Meneghini) [2131359 2112025]
- nvme-fabrics: parse nvme connect Linux error codes (John Meneghini) [2131359 2112025]
- vfio/type1: Unpin zero pages (Alex Williamson) [2128514 2121855]
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE (Oleg Nesterov) [2127881 2121271] {CVE-2022-30594}

[5.14.0-162.7.1_1]
- i2c: ismt: prevent memory corruption in ismt_access() (David Arcari) [2127532 2125582] {CVE-2022-3077}
- x86/fpu: Prevent FPU state corruption (Oleksandr Natalenko) [2134588 2131667]
- iavf: Fix reset error handling (Petr Oros) [2127884 2119712]
- iavf: Fix NULL pointer dereference in iavf_get_link_ksettings (Petr Oros) [2127884 2119712]
- iavf: Fix missing state logs (Petr Oros) [2127884 2119712]


Related CVEs


CVE-2022-4139
CVE-2022-3077
CVE-2022-2964
CVE-2022-43945
CVE-2022-2959
CVE-2022-30594

Updated Packages


Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label
Oracle Linux 9 (aarch64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (aarch64) | bpftool-5.14.0-162.12.1.el9_1.aarch64.rpm | a49434759e858d96e52aaad022948bfae4f45fbd66d0e3cada219f22d30b4ad6 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | bpftool-5.14.0-162.12.1.el9_1.aarch64.rpm | a49434759e858d96e52aaad022948bfae4f45fbd66d0e3cada219f22d30b4ad6 | - | ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (aarch64) | kernel-cross-headers-5.14.0-162.12.1.el9_1.aarch64.rpm | 12d99ecc3f11e9a4e2b0753c5fb45afc2231cf24acd6ea4dbcd97e989a38a869 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-headers-5.14.0-162.12.1.el9_1.aarch64.rpm | 966ee4617d84eb483add4ea2a5a9ab494c7e545d2fec33db5e62834559376c24 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-162.12.1.el9_1.aarch64.rpm | ac34e9e69518260ebff7dd112ea02bd37c1a92202da39b90d9b899a42a8d211c | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-162.12.1.el9_1.aarch64.rpm | ac34e9e69518260ebff7dd112ea02bd37c1a92202da39b90d9b899a42a8d211c | - | ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-162.12.1.el9_1.aarch64.rpm | 1d1b77d5678eaf1ce52770db666f35b57838ee97e2f6715a1aa50cb8c01f7403 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-162.12.1.el9_1.aarch64.rpm | 1d1b77d5678eaf1ce52770db666f35b57838ee97e2f6715a1aa50cb8c01f7403 | - | ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-devel-5.14.0-162.12.1.el9_1.aarch64.rpm | bfe8fef50d6e456ab7f060698c2b0ee4b15f0ca402a2e9fe7caf2b9c60363645 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | perf-5.14.0-162.12.1.el9_1.aarch64.rpm | 4017837d6bd73d35978ccdd8a533d700896d4687eea6f240a7cb3a7069799718 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-162.12.1.el9_1.aarch64.rpm | 323cb6f0ccc30bc5539243e4e4fbee7c5c918edcf206771cc7d4c9b36e06342e | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-162.12.1.el9_1.aarch64.rpm | 323cb6f0ccc30bc5539243e4e4fbee7c5c918edcf206771cc7d4c9b36e06342e | - | ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.src.rpm | 0ce7a3920af2c3903dfda3a195e59c4a0131137e1fb60a36e83b0068c39cf173 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | bpftool-5.14.0-162.12.1.el9_1.x86_64.rpm | 0ff9f5a06c96ac22ce02ccebfe723a776f2c55f4563fb444a2e81834ca991fc2 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | bpftool-5.14.0-162.12.1.el9_1.x86_64.rpm | 0ff9f5a06c96ac22ce02ccebfe723a776f2c55f4563fb444a2e81834ca991fc2 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.x86_64.rpm | 2a6099328147a9175a37e02987abca525595fe00437b44b9032088cef9efde7d | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-162.12.1.el9_1.x86_64.rpm | 2a6099328147a9175a37e02987abca525595fe00437b44b9032088cef9efde7d | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-162.12.1.el9_1.noarch.rpm | 591489b6a8ad7efcf95665e377ec30c39008515e6473a8befdcf4ddfc620b3f1 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-162.12.1.el9_1.noarch.rpm | 591489b6a8ad7efcf95665e377ec30c39008515e6473a8befdcf4ddfc620b3f1 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-162.12.1.el9_1.x86_64.rpm | d10b6228288c7333fa4edb68f944eac4950354c5f7d169228f992bb4a690abdd | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-162.12.1.el9_1.x86_64.rpm | d10b6228288c7333fa4edb68f944eac4950354c5f7d169228f992bb4a690abdd | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-cross-headers-5.14.0-162.12.1.el9_1.x86_64.rpm | 7c5588b629fdfde0b6abc3dd6707f9d34c83302d77d1eca3ac1cb12f75403afd | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-162.12.1.el9_1.x86_64.rpm | ce8664aa7aeeb734fe2384344e58b0638595e514d5bcc6c126da968bd2ab58b2 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-162.12.1.el9_1.x86_64.rpm | ce8664aa7aeeb734fe2384344e58b0638595e514d5bcc6c126da968bd2ab58b2 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-162.12.1.el9_1.x86_64.rpm | 1f712fbdfe2d6382072cdadaad39270e14b0ff107fc789cb4a91c65d5f447fac | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-162.12.1.el9_1.x86_64.rpm | 1f712fbdfe2d6382072cdadaad39270e14b0ff107fc789cb4a91c65d5f447fac | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-devel-5.14.0-162.12.1.el9_1.x86_64.rpm | fbdb2ca3defff9a91389fd804e1d39c9aa62e1b8d8f3ecfffef70ef047a7bd4f | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-devel-matched-5.14.0-162.12.1.el9_1.x86_64.rpm | 3a795b7a484378d922c7ac570f4f23e75a5b60842a276b9fca23d99d87d2d7bc | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-162.12.1.el9_1.x86_64.rpm | 58fd81862993b09701e56b33c1875befea15383e5a7612a3eea8692d6d707b84 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-162.12.1.el9_1.x86_64.rpm | 58fd81862993b09701e56b33c1875befea15383e5a7612a3eea8692d6d707b84 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm | e60a43fa3ea15a0d9607136aed5d905cedd2758d9c5840e93886ca8a0cf030a4 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm | e60a43fa3ea15a0d9607136aed5d905cedd2758d9c5840e93886ca8a0cf030a4 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-devel-5.14.0-162.12.1.el9_1.x86_64.rpm | 859ec181b869ac786431e31da8a94aa9f1350b65860a3c4314529914242858e6 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-devel-matched-5.14.0-162.12.1.el9_1.x86_64.rpm | 7e26550d7ad2a9da05c810c9b33cdcb503bc884b0edf352b6347dfa7bd2215af | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-doc-5.14.0-162.12.1.el9_1.noarch.rpm | fa2534ebe32f9231b4ae7fa1d2f09058a1f8c98d64361a9d1a4fb317b9227137 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-headers-5.14.0-162.12.1.el9_1.x86_64.rpm | ddb41ae020f9e3adad8981b3e324696c188b1aff37593fbac7458f5f030c7b1e | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-162.12.1.el9_1.x86_64.rpm | ba47d00a80befec89279066e8ccb962b0a3b2edff7e3640e2196ce87bc416734 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-162.12.1.el9_1.x86_64.rpm | ba47d00a80befec89279066e8ccb962b0a3b2edff7e3640e2196ce87bc416734 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm | 9f8a1b5ac151a8bd140439621f34ca92918661da93dfb8213601d718fa890656 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm | 9f8a1b5ac151a8bd140439621f34ca92918661da93dfb8213601d718fa890656 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-162.12.1.el9_1.x86_64.rpm | a8bf07ef650669c094ef50213719bdeec950c551ab2f77303112209d764f02a5 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-162.12.1.el9_1.x86_64.rpm | a8bf07ef650669c094ef50213719bdeec950c551ab2f77303112209d764f02a5 | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-162.12.1.el9_1.x86_64.rpm | a65a5626e71ded2e07e204b26c2ba30ea3fe839e9e198e881979c9bc742e1b8d | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-162.12.1.el9_1.x86_64.rpm | a65a5626e71ded2e07e204b26c2ba30ea3fe839e9e198e881979c9bc742e1b8d | - | ol9_x86_64_u1_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-devel-5.14.0-162.12.1.el9_1.x86_64.rpm | e0fab8dd29902ad5822a0c6d7a6aa1a6a488ab129b2609701437d45d539cc586 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | perf-5.14.0-162.12.1.el9_1.x86_64.rpm | e88c9b8d7ef7a018a465a6bce9470538ae712d9c66815aae7f9c0088e61cf872 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-162.12.1.el9_1.x86_64.rpm | d71a0ddc737312bfbb0042794d86a40213fccb66b468e6fd7d1dd980790735ee | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-162.12.1.el9_1.x86_64.rpm | d71a0ddc737312bfbb0042794d86a40213fccb66b468e6fd7d1dd980790735ee | - | ol9_x86_64_u1_baseos_patch



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.