ELSA-2020-5914

ELSA-2020-5914 - Unbreakable Enterprise kernel security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2020-11-10

Description


[5.4.17-2036.100.6.1.el8uek]
- powercap: restrict energy meter to root access (Kanth Ghatraju) [Orabug: 32040802] {CVE-2020-8694} {CVE-2020-8695}
- KVM: ioapic: break infinite recursion on lazy EOI (Vitaly Kuznetsov) [Orabug: 32066585] {CVE-2020-27152} {CVE-2020-27152}
- x86/mitigations: Restore paranoid checks for int3 handling (Boris Ostrovsky) [Orabug: 31999339]
- x86/jump_label: Patch one site at a time (Boris Ostrovsky) [Orabug: 31999339]

[5.4.17-2036.100.5.el8uek]
- uek-rpm: Fix integer test for 4k page size module signing (Dave Kleikamp) [Orabug: 32021114]
- uek-rpm/kernel-uek.spec: Sign modules for 4k kernel (Vijay Kumar) [Orabug: 32021114]
- hdlc_ppp: add range checks in ppp_cp_parse_cr() (Dan Carpenter) [Orabug: 31989185] {CVE-2020-25643}
- dm crypt: add flags to optionally bypass kcryptd workqueues (Ignat Korchagin) [Orabug: 31998688]
- uek-rpm: Create initramfs at postinstall stage also. (Somasundaram Krishnasamy) [Orabug: 32010302]
- geneve: add transport ports in route lookup for geneve (Mark Gray) [Orabug: 32013938] {CVE-2020-25645}
- nvmet: Disable keep-alive timer when kato is cleared to 0h (Amit Engel) [Orabug: 31997181]
- KVM: nVMX: stop abusing need_vmcs12_to_shadow_sync for eVMCS mapping (Vitaly Kuznetsov) [Orabug: 31986433]
- cpu/hotplug: avoid race between cpuset_hotplug_workfn and later hotplug (Daniel Jordan) [Orabug: 31985221]
- uek-rpm: Update secure boot UEK signing certificates (Brian Maly) [Orabug: 31979626]
- uek-rpm: Add old OL keys to the default .blacklist keyring (Eric Snowberg) [Orabug: 31961115]
- certs: Add ability to preload revocation certs (Eric Snowberg) [Orabug: 31961115]
- certs: Move load_system_certificate_list to a common function (Eric Snowberg) [Orabug: 31961115]
- certs: Add EFI_CERT_X509_GUID support for dbx entries (Eric Snowberg) [Orabug: 31961115] {CVE-2020-26541}
- bcache: stop setting ->queuedata (Christoph Hellwig) [Orabug: 30210051]
- bcache: pr_info() format clean up in bcache_device_init() (Coly Li) [Orabug: 30210051]
- bcache: use delayed kworker fo asynchronous devices registration (Coly Li) [Orabug: 30210051]
- bcache: check and adjust logical block size for backing devices (Mauricio Faria de Oliveira) [Orabug: 30210051]
- bcache: configure the asynchronous registertion to be experimental (Coly Li) [Orabug: 30210051]
- bcache: asynchronous devices registration (Coly Li) [Orabug: 30210051]
uses to a more typical style (Joe Perches) [Orabug: 30210051]
- bcache: remove redundant variables i and n (Colin Ian King) [Orabug: 30210051]
- bcache: remove a duplicate ->make_request_fn assignment (Christoph Hellwig) [Orabug: 30210051]
- bcache: pass the make_request methods to blk_queue_make_request (Christoph Hellwig) [Orabug: 30210051]
- bcache: remove dupplicated declaration from btree.h (Coly Li) [Orabug: 30210051]
- bcache: optimize barrier usage for atomic operations (Coly Li) [Orabug: 30210051]
- bcache: optimize barrier usage for Rmw atomic bitops (Davidlohr Bueso) [Orabug: 30210051]
- bcache: Use scnprintf() for avoiding potential buffer overflow (Takashi Iwai) [Orabug: 30210051]
- bcache: make bch_sectors_dirty_init() to be multithreaded (Coly Li) [Orabug: 30210051]
- bcache: make bch_btree_check() to be multithreaded (Coly Li) [Orabug: 30210051]
- bcache: add bcache_ prefix to btree_root() and btree() macros (Coly Li) [Orabug: 30210051]
- bcache: move macro btree() and btree_root() into btree.h (Coly Li) [Orabug: 30210051]
- bcache: remove macro nr_to_fifo_front() (Coly Li) [Orabug: 30210051]
- bcache: Revert 'bcache: shrink btree node cache after bch_btree_check()' (Coly Li) [Orabug: 30210051]
- bcache: check return value of prio_read() (Coly Li) [Orabug: 30210051]
- bcache: reap from tail of c->btree_cache in bch_mca_scan() (Coly Li) [Orabug: 30210051]
- bcache: reap c->btree_cache_freeable from the tail in bch_mca_scan() (Coly Li) [Orabug: 30210051]
- bcache: remove member accessed from struct btree (Coly Li) [Orabug: 30210051]
- bcache: add code comments for state->pool in __btree_sort() (Coly Li) [Orabug: 30210051]
- bcache: use read_cache_page_gfp to read the superblock (Christoph Hellwig) [Orabug: 30210051]
- bcache: store a pointer to the on-disk sb in the cache and cached_dev structures (Christoph Hellwig) [Orabug: 30210051]
- bcache: return a pointer to the on-disk sb from read_super (Christoph Hellwig) [Orabug: 30210051]
- bcache: transfer the sb_page reference to register_{bdev,cache} (Christoph Hellwig) [Orabug: 30210051]
- bcache: use a separate data structure for the on-disk super block (Christoph Hellwig) [Orabug: 30210051]
- bcache: don't export symbols (Christoph Hellwig) [Orabug: 30210051]
- bcache: remove the extra cflags for request.o (Christoph Hellwig) [Orabug: 30210051]
- bcache: add idle_max_writeback_rate sysfs interface (Coly Li) [Orabug: 30210051]
- bcache: add code comments in bch_btree_leaf_dirty() (Coly Li) [Orabug: 30210051]
- bcache: add code comment bch_keylist_pop() and bch_keylist_pop_front() (Coly Li) [Orabug: 30210051]
- bcache: deleted code comments for dead code in bch_data_insert_keys() (Coly Li) [Orabug: 30210051]
- bcache: add more accurate error messages in read_super() (Coly Li) [Orabug: 30210051]
- bcache: fix a lost wake-up problem caused by mca_cannibalize_lock (Guoju Fang) [Orabug: 30210051]
- mstflint_access: Update driver code to v4.15.0-1 from Github (Itay Avraham) [Orabug: 31965669]
- rds/tcp: Enhance stats maintained by rds (Rao Shoaib) [Orabug: 31933715]
- panic: move disabling iommu to after dump_stack() (John Donnelly) [Orabug: 31916337]
- nbd_genl_status: null check for nla_nest_start (Navid Emamdoost) [Orabug: 31972480] {CVE-2019-16089}
- vgacon: remove software scrollback support (Linus Torvalds) [Orabug: 31914650] {CVE-2020-14390}
- fbcon: remove soft scrollback code (Linus Torvalds) [Orabug: 31914650] {CVE-2020-14390}
- net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() (Shung-Hsi Yu) [Orabug: 31907969]
- PCI: pciehp: Reduce noisiness on hot removal (Lukas Wunner) [Orabug: 30512596]
- kdump: update Documentation about crashkernel (Chen Zhou) [Orabug: 31554906]
- arm64: kdump: add memory for devices by DT property linux, usable-memory-range (Chen Zhou) [Orabug: 31554906]
- kdump: add threshold for the required memory (Chen Zhou) [Orabug: 31554906]
- arm64: kdump: reimplement crashkernel=X (Chen Zhou) [Orabug: 31554906]
- arm64: kdump: introduce some macroes for crash kernel reservation (Chen Zhou) [Orabug: 31554906]
- x86: kdump: move reserve_crashkernel[_low]() into crash_core.c (Chen Zhou) [Orabug: 31554906]
- x86: kdump: use macro CRASH_ADDR_LOW_MAX in functions reserve_crashkernel[_low]() (Chen Zhou) [Orabug: 31554906]
- x86: kdump: make the lower bound of crash kernel reservation consistent (Chen Zhou) [Orabug: 31554906]
- x86: kdump: move CRASH_ALIGN to 2M (Chen Zhou) [Orabug: 31554906]
- block: allow 'chunk_sectors' to be non-power-of-2 (Mike Snitzer) [Orabug: 31827023]
- block: use lcm_not_zero() when stacking chunk_sectors (Mike Snitzer) [Orabug: 31827023]
- dm: fix comment in dm_process_bio() (Mike Snitzer) [Orabug: 31827023]
- dm: fix bio splitting and its bio completion order for regular IO (Mike Snitzer) [Orabug: 31827023]
- block: allow for_each_bvec to support zero len bvec (Ming Lei) [Orabug: 31955136] {CVE-2020-25641}

[5.4.17-2036.100.4.el8uek]
- xfs: force writes to delalloc regions to unwritten (Darrick J. Wong) [Orabug: 30787888]
- xfs: properly serialise fallocate against AIO+DIO (Dave Chinner) [Orabug: 31366104]
- perf/x86/rapl: Add Ice Lake RAPL support (Thomas Tai) [Orabug: 31766610]
- xfs: attach dquots and reserve quota blocks during unwritten conversion (Darrick J. Wong) [Orabug: 31785972]
- netfilter: ctnetlink: add a range check for l3/l4 protonum (Will McVicker) [Orabug: 31872853] {CVE-2020-25211}
- net/rds: Extract dest qp num for displaying in rds-info (Praveen Kumar Kannoju) [Orabug: 31880140]
- uek-rpm: streamline 4konly build (Dave Kleikamp) [Orabug: 31891770]
- bnxt: correct warning: unused variable: 'rc' (John Donnelly) [Orabug: 31907548]
- i40e: Correct warning: 'aq_ret' may be used uninitialized, (John Donnelly) [Orabug: 31907631]
- uek-rpm: Add ovmapi.ko to uek6 nano_modules (Joe Jin) [Orabug: 31908852]
- uek-rpm: config: Enable OVM API (Joe Jin) [Orabug: 31908852]
- uek-rpm: Fix kernel-ueknano depmod warnings vhost_iotlb regmap-i2c (Vijayendra Suman) [Orabug: 31916879]
- kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE (Muchun Song) [Orabug: 31920526]
- scsi: page warning: 'page' may be used uninitialized. (John Donnelly) [Orabug: 31920671]
- x86/speculation/taa: Add TAA_MITIGATION_IDLE mode (Patrick Colp) [Orabug: 31921884]
- oracleasm: Access d_bdev before dropping inode (Stephen Brennan) [Orabug: 31927355]
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (Suravee Suthikulpanit) [Orabug: 31931368]
- iommu/amd: Fix potential @entry null deref (Joao Martins) [Orabug: 31931368]
- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (Suravee Suthikulpanit) [Orabug: 31931368]


Related CVEs


CVE-2020-8694
CVE-2020-8695

Updated Packages


| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|---|---|---|---|
| Oracle Linux 7 (aarch64) | kernel-uek-5.4.17-2036.100.6.1.el7uek.src.rpm | e41225f50ef1b9f4d8becd4c315e226f | - |
| | kernel-uek-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 8b403ad83703167329165f8c78acefb8 | - |
| | kernel-uek-debug-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 890f30819e129772883a88b262ecfea2 | - |
| | kernel-uek-debug-devel-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 935141ad150f873c29078ba535bd6e1b | - |
| | kernel-uek-devel-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | c5d3d39137f5fadd4d27d51ae572cae3 | - |
| | kernel-uek-doc-5.4.17-2036.100.6.1.el7uek.noarch.rpm | e0658f8fbc9fd61b572145c3a1d029d5 | - |
| | kernel-uek-tools-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | dca6eed02c982ae37ab250988eb2989d | - |
| | kernel-uek-tools-libs-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 4c8cb9a3239ef38fcb3d5f0e712ab212 | - |
| | perf-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 881588de05822f29a4b454187521e6bc | - |
| | python-perf-5.4.17-2036.100.6.1.el7uek.aarch64.rpm | 18864879a6c2ec81a0c1d864bc6adb91 | - |
| Oracle Linux 7 (x86_64) | kernel-uek-5.4.17-2036.100.6.1.el7uek.src.rpm | e41225f50ef1b9f4d8becd4c315e226f | - |
| | kernel-uek-5.4.17-2036.100.6.1.el7uek.x86_64.rpm | edb955f4a3935abe6c6d90575e4aea92 | - |
| | kernel-uek-debug-5.4.17-2036.100.6.1.el7uek.x86_64.rpm | 9bb0bd679c5ef7c2af98fc1710658c3d | - |
| | kernel-uek-debug-devel-5.4.17-2036.100.6.1.el7uek.x86_64.rpm | 4213f42c5e38ea6d3a629092a562f79a | - |
| | kernel-uek-devel-5.4.17-2036.100.6.1.el7uek.x86_64.rpm | b4902dc88c37d3eca7265449815c3a5e | - |
| | kernel-uek-doc-5.4.17-2036.100.6.1.el7uek.noarch.rpm | e0658f8fbc9fd61b572145c3a1d029d5 | - |
| | kernel-uek-tools-5.4.17-2036.100.6.1.el7uek.x86_64.rpm | 99fa8a259f7332ea5ff83897b4cb3225 | - |
| Oracle Linux 8 (aarch64) | kernel-uek-5.4.17-2036.100.6.1.el8uek.src.rpm | 83b0beb186588b60cac926a67bc35540 | - |
| | kernel-uek-5.4.17-2036.100.6.1.el8uek.aarch64.rpm | a8c7f0029c1ab08cfc1c2ce9861e399c | - |
| | kernel-uek-debug-5.4.17-2036.100.6.1.el8uek.aarch64.rpm | 47ea91b5e032fb19ca016d8ff74aa9ec | - |
| | kernel-uek-debug-devel-5.4.17-2036.100.6.1.el8uek.aarch64.rpm | 3d57f61559ce29d0528a8fe5a9bf00c0 | - |
| | kernel-uek-devel-5.4.17-2036.100.6.1.el8uek.aarch64.rpm | 799e14c9a3f369bec3d492fe10f6d173 | - |
| | kernel-uek-doc-5.4.17-2036.100.6.1.el8uek.noarch.rpm | 8e745f8df2122f74a7bb3c18e32dd602 | - |
| Oracle Linux 8 (x86_64) | kernel-uek-5.4.17-2036.100.6.1.el8uek.src.rpm | 83b0beb186588b60cac926a67bc35540 | - |
| | kernel-uek-5.4.17-2036.100.6.1.el8uek.x86_64.rpm | c50d83f43ceab2a3e256b1bb1449fbdc | - |
| | kernel-uek-debug-5.4.17-2036.100.6.1.el8uek.x86_64.rpm | 4abc690cfdbcf6145206d9b07ba01cd3 | - |
| | kernel-uek-debug-devel-5.4.17-2036.100.6.1.el8uek.x86_64.rpm | c3b0a15b55bf44608ce8aee78fe3f15a | - |
| | kernel-uek-devel-5.4.17-2036.100.6.1.el8uek.x86_64.rpm | 2c94919e6a9b27886ec1f4279155a09d | - |
| | kernel-uek-doc-5.4.17-2036.100.6.1.el8uek.noarch.rpm | 8e745f8df2122f74a7bb3c18e32dd602 | - |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
