ELSA-2019-4570

ELSA-2019-4570 - Unbreakable Enterprise kernel security update

Type:SECURITY
Severity:IMPORTANT
Release Date:2019-03-12

Description


[4.14.35-1844.3.2]
- uek-rpm: Remove hardcoded 'kernel_git_commit' macro from specfile (Victor Erminpour) [Orabug: 29357695]
- mm: cleancache: fix corruption on missed inode invalidation (Pavel Tikhomirov) [Orabug: 29364665] {CVE-2018-16862}
- l2tp: fix reading optional fields of L2TPv3 (Jacob Wen) [Orabug: 29368046]

[4.14.35-1844.3.1]
- x86/speculation: Add support for STIBP always-on preferred mode (Thomas Lendacky) [Orabug: 29344486]
- x86/speculation: Provide IBPB always command line options (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add seccomp Spectre v2 user space protection mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Enable prctl mode for spectre_v2_user (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add prctl() control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prevent stale SPEC_CTRL msr content (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Split out TIF update (Thomas Gleixner) [Orabug: 29344486]
- ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Remove static key ibpb_enabled_key (Anjali Kulkarni) [Orabug: 29344486]
- x86/speculation: Prepare for conditional IBPB in switch_mm() (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Avoid __switch_to_xtra() calls (Thomas Gleixner) [Orabug: 29344486]
- x86/process: Consolidate and simplify switch_to_xtra() code (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare for per task indirect branch speculation control (Tim Chen) [Orabug: 29344486]
- x86/speculation: Add command line control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Unify conditional spectre v2 print functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculataion: Mark command line parser data __initdata (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Mark string arrays const correctly (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Reorder the spec_v2 code (Thomas Gleixner) [Orabug: 29344486]
- x86/l1tf: Show actual SMT state (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Rework SMT state change (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Expose sched_smt_present static key (Thomas Gleixner) [Orabug: 29344486]
- x86/Kconfig: Select SCHED_SMT if SMP enabled (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Make sched_smt_present track topology (Peter Zijlstra (Intel)) [Orabug: 29344486]
- x86/speculation: Reorganize speculation control MSRs update (Tim Chen) [Orabug: 29344486]
- x86/speculation: Rename SSBD update functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Disable STIBP when enhanced IBRS is in use (Tim Chen) [Orabug: 29344486]
- x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Clean up spectre_v2_parse_cmdline() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Update the TIF_SSBD comment (Tim Chen) [Orabug: 29344486]
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (Peter Zijlstra) [Orabug: 29344486]
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (Jiri Kosina) [Orabug: 29344486]
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (Jiri Kosina) [Orabug: 29344486]
- netfilter: nf_tables: deactivate expressions in rule replecement routine (Taehee Yoo) [Orabug: 29355502]
- btrfs: Verify that every chunk has corresponding block group at mount time (Qu Wenruo) [Orabug: 29355254] {CVE-2018-14612}
- mlx4_ib: Distribute completion vectors when zero is supplied (Hakon Bugge) [Orabug: 29324328]
- x86/speculation: Clean up retpoline code in bugs.c (Alejandro Jimenez) [Orabug: 29211613]
- x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE (WANG Chao) [Orabug: 29211613]
- x86/build: Fix compiler support check for CONFIG_RETPOLINE (Masahiro Yamada) [Orabug: 29211613]
- x86/retpoline: Remove minimal retpoline support (Zhenzhong Duan) [Orabug: 29211613]
- uek-rpm: Enable device-mapper era driver (Dave Aldridge) [Orabug: 29283140]
- uek-rpm: use multi-threaded xz compression for rpms (Alexander Burmashev) [Orabug: 29322860]
- uek-rpm: optimize find-requires usage (Alexander Burmashev) [Orabug: 29322860]
- find-debuginfo.sh: backport parallel files procession (Alexander Burmashev) [Orabug: 29322860]

[4.14.35-1844.3.0]
- xfs: refactor short form directory structure verifier function (Darrick J. Wong) [Orabug: 29301204]
- xfs: provide a centralized method for verifying inline fork data (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for short form symlinks (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for shortform xattrs (Darrick J. Wong) [Orabug: 29301204]
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (Qu Wenruo) [Orabug: 29301101] {CVE-2018-14609}
- iommu/amd: Fix IOMMU page flush when detach device from a domain (Suravee Suthikulpanit) [Orabug: 29297191]
- x86/apic: Switch all APICs to Fixed delivery mode (Thomas Gleixner) [Orabug: 29262403]
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (Eduardo Habkost) [Orabug: 29229728]
- bnx2x: disable GSO where gso_size is too big for hardware (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- net: create skb_gso_validate_mac_len() (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- slub: make ->cpu_partial unsigned (Alexey Dobriyan) [Orabug: 28973025]


Related CVEs


CVE-2018-1000026
CVE-2018-14609
CVE-2018-14612

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 7 (aarch64) kernel-uek-4.14.35-1844.3.2.el7uek.src.rpme3cd0f7c8bfee8a802b2655f1513e679-
kernel-uek-4.14.35-1844.3.2.el7uek.aarch64.rpmbf4cac083a2502b866cf7465fabc7860-
kernel-uek-debug-4.14.35-1844.3.2.el7uek.aarch64.rpmde221504b8ed14c7b20002ff78991499-
kernel-uek-debug-devel-4.14.35-1844.3.2.el7uek.aarch64.rpmfc94fc5a3f5fc0f3b94ecd6572bbeee0-
kernel-uek-devel-4.14.35-1844.3.2.el7uek.aarch64.rpm71c8028335d8332fe3b9203790cf387f-
kernel-uek-headers-4.14.35-1844.3.2.el7uek.aarch64.rpm751c42d3222cf9b3cc846e41a7a60c14-
kernel-uek-tools-4.14.35-1844.3.2.el7uek.aarch64.rpm896ece3c9b6a652d347a41f33e958d28-
kernel-uek-tools-libs-4.14.35-1844.3.2.el7uek.aarch64.rpm4d5e80909d357ee403953a0f9044c9de-
kernel-uek-tools-libs-devel-4.14.35-1844.3.2.el7uek.aarch64.rpm68bab3a5ba6a3226ca68d50cb2e48166-
perf-4.14.35-1844.3.2.el7uek.aarch64.rpm6752e4ab3c07c36711462bc3312ec372-
python-perf-4.14.35-1844.3.2.el7uek.aarch64.rpma5bd1254451e2b26afc344ea8234af4e-
Oracle Linux 7 (x86_64) kernel-uek-4.14.35-1844.3.2.el7uek.src.rpme3cd0f7c8bfee8a802b2655f1513e679-
kernel-uek-4.14.35-1844.3.2.el7uek.x86_64.rpm926be02f837e0845565c1eac16cbcdbc-
kernel-uek-debug-4.14.35-1844.3.2.el7uek.x86_64.rpm36da3f20123a6f648a20961e70f1c285-
kernel-uek-debug-devel-4.14.35-1844.3.2.el7uek.x86_64.rpm6cb833f518e6aab641cdf2988713fee8-
kernel-uek-devel-4.14.35-1844.3.2.el7uek.x86_64.rpm5a89a927a46fcd02da1f6671a47a8419-
kernel-uek-doc-4.14.35-1844.3.2.el7uek.noarch.rpma132135f774f1bf974e5291cb5df57bc-
kernel-uek-tools-4.14.35-1844.3.2.el7uek.x86_64.rpmd18db3c28df6addd0ddd8a406d2b104c-



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete