ELSA-2021-2570

ELSA-2021-2570 - kernel security and bug fix update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2021-07-01

Description


[4.18.0-305.7.1_4.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15-11.0.5

[4.18.0-305.7.1_4]
- net: zero-initialize tc skb extension on allocation (Ivan Vecera) [1965457 1946986]
- net/sched: cls_flower: fix only mask bit check in the validate_ct_state (Ivan Vecera) [1965457 1946986]
- net: cls_api: Fix uninitialised struct field bo->unlocked_driver_cb (Ivan Vecera) [1965457 1946986]
- net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct (Ivan Vecera) [1965457 1946986]
- net/sched: cls_flower: validate ct_state for invalid and reply flags (Ivan Vecera) [1965457 1946986]
- flow_dissector: fix TTL and TOS dissection on IPv4 fragments (Paolo Abeni) [1963952 1950288]
- Revert 'sctp: Fix SHUTDOWN CTSN Ack in the peer restart case' (Xin Long) [1965632 1953839]
- sctp: do asoc update earlier in sctp_sf_do_dupcook_b (Xin Long) [1965632 1953839]
- sctp: do asoc update earlier in sctp_sf_do_dupcook_a (Xin Long) [1965632 1953839]
- Bluetooth: verify AMP hci_chan before amp_destroy (Gopal Tiwari) [1962544 1962546] {CVE-2021-33034}
- x86/kvm: Unify kvm_pv_guest_cpu_reboot() with kvm_guest_cpu_offline() (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Disable all PV features on crash (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Disable kvmclock on all CPUs on shutdown (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Teardown PV features on boot CPU as well (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Fix pr_info() for async PF setup/teardown (Lenny Szubowicz) [1964930 1934273]
- net/sched: act_ct: Fix ct template allocation for zone 0 (Marcelo Ricardo Leitner) [1965150 1881824]

[4.18.0-305.6.1_4]
- openvswitch: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
- net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
- net/sched: act_ct: fix wild memory access when clearing fragments (Davide Caratti) [1963940 1924608]
- net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT (Ivan Vecera)
- redhat/configs: Add CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_REVOCATION_LIST (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: add 'x509_revocation_list' to gitignore (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- integrity: Load mokx variables into the blacklist keyring (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Add ability to preload revocation certs (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Move load_system_certificate_list to a common function (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Add EFI_CERT_X509_GUID support for dbx entries (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- net/sched: cls_api: increase max_reclassify_loop (Davide Caratti) [1965148 1955136]
- dm writecache: fix performance degradation in ssd mode (Mike Snitzer) [1962241 1961859]
- scsi: fnic: Use scsi_host_busy_iter() to traverse commands (Ewan D. Milne) [1961705 1949250]
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (Ewan D. Milne) [1961705 1949250]

[4.18.0-305.5.1_4]
- gfs2: report 'already frozen/thawed' errors (Bob Peterson) [1961849 1932236]
- gfs2: move freeze glock outside the make_fs_rw and _ro functions (Bob Peterson) [1961849 1932236]
- gfs2: Add common helper for holding and releasing the freeze glock (Bob Peterson) [1961849 1932236]
- gfs2: in signal_our_withdraw wait for unfreeze of _this_ fs only (Bob Peterson) [1961849 1932236]
- gfs2: Don't freeze the file system during unmount (Bob Peterson) [1961849 1932236]
- gfs2: Fix regression in freeze_go_sync (Bob Peterson) [1961849 1932236]
- gfs2: The freeze glock should never be frozen (Bob Peterson) [1961849 1932236]
- gfs2: When freezing gfs2, use GL_EXACT and not GL_NOCACHE (Bob Peterson) [1961849 1932236]
- gfs2: read-only mounts should grab the sd_freeze_gl glock (Bob Peterson) [1961849 1932236]
- gfs2: freeze should work on read-only mounts (Bob Peterson) [1961849 1932236]
- gfs2: Abort gfs2_freeze if io error is seen (Bob Peterson) [1961849 1932236]
- CI: Disable result checking for realtime check (Veronika Kabatova)
- CI: Explicitly disable result checking for private CI (Veronika Kabatova)
- CI: Rename variable (Veronika Kabatova)
- CI: Update builder containers (Veronika Kabatova)

[4.18.0-305.4.1_4]
- vmxnet3: Set the default of vxlan overlay offload to disabled (Cathy Avery) [1960702 1941714]


Related CVEs


CVE-2020-26541
CVE-2021-33034

Updated Packages


| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|---|---|---|---|
| Oracle Linux 8 (aarch64) | kernel-4.18.0-305.7.1.el8_4.src.rpm | 19f022245718eb2b864d805e4327a55b | - |
| | bpftool-4.18.0-305.7.1.el8_4.aarch64.rpm | bbcc2da77b6d052e0f0184c58885bb80 | - |
| | kernel-cross-headers-4.18.0-305.7.1.el8_4.aarch64.rpm | 80a00ec95111fda2567bcfed16d95236 | - |
| | kernel-headers-4.18.0-305.7.1.el8_4.aarch64.rpm | 6e2f0828ac25948805d630e15ff62238 | - |
| | kernel-tools-4.18.0-305.7.1.el8_4.aarch64.rpm | 180d32efc0a11bbae28233fc60ed5685 | - |
| | kernel-tools-libs-4.18.0-305.7.1.el8_4.aarch64.rpm | 3d460ad228492125f0bc068a9ccfb722 | - |
| | kernel-tools-libs-devel-4.18.0-305.7.1.el8_4.aarch64.rpm | 031fa4e65f0020840a48aa3afb8ece4a | - |
| | perf-4.18.0-305.7.1.el8_4.aarch64.rpm | d37bfa9a01ec94175ff8eae5e727fe76 | - |
| | python3-perf-4.18.0-305.7.1.el8_4.aarch64.rpm | f08af5725b9102024029a0bb7d667be0 | - |
| Oracle Linux 8 (x86_64) | kernel-4.18.0-305.7.1.el8_4.src.rpm | 19f022245718eb2b864d805e4327a55b | - |
| | bpftool-4.18.0-305.7.1.el8_4.x86_64.rpm | 26ecf0fafc6d686bb9d70591238c6bc4 | - |
| | kernel-4.18.0-305.7.1.el8_4.x86_64.rpm | d75aac97339929f643c0eef2798b6049 | - |
| | kernel-abi-stablelists-4.18.0-305.7.1.el8_4.noarch.rpm | 7754f72664d3c59f83ce75e2b7222f6a | - |
| | kernel-core-4.18.0-305.7.1.el8_4.x86_64.rpm | 94c4fa349a76d080001848a1a03130df | - |
| | kernel-cross-headers-4.18.0-305.7.1.el8_4.x86_64.rpm | d9f0e313108d1c5b83d2f305819edf00 | - |
| | kernel-debug-4.18.0-305.7.1.el8_4.x86_64.rpm | b457046bd9051736194175dcf514a1b4 | - |
| | kernel-debug-core-4.18.0-305.7.1.el8_4.x86_64.rpm | 28449c4a2653cc340f59e083d931e99b | - |
| | kernel-debug-devel-4.18.0-305.7.1.el8_4.x86_64.rpm | 0d8be1515c851c0b762592fe929930fd | - |
| | kernel-debug-modules-4.18.0-305.7.1.el8_4.x86_64.rpm | e31f21b17f99a976ded6337e99385217 | - |
| | kernel-debug-modules-extra-4.18.0-305.7.1.el8_4.x86_64.rpm | 7c0e4da867f5a71c22a5ffcdc0457246 | - |
| | kernel-devel-4.18.0-305.7.1.el8_4.x86_64.rpm | dcbe0bb8a98d0c046495d13791d573d5 | - |
| | kernel-doc-4.18.0-305.7.1.el8_4.noarch.rpm | 1f855eeac10ebb646bd6a5c71df6a3ab | - |
| | kernel-headers-4.18.0-305.7.1.el8_4.x86_64.rpm | 04049cb785e7d7a9ecb2284a2463b5f5 | - |
| | kernel-modules-4.18.0-305.7.1.el8_4.x86_64.rpm | b16c11cf6ba4a5b3e0d6bbe056c77e5e | - |
| | kernel-modules-extra-4.18.0-305.7.1.el8_4.x86_64.rpm | 556de77438bd095e88f2f6eb2ad8b323 | - |
| | kernel-tools-4.18.0-305.7.1.el8_4.x86_64.rpm | c7c8d8c43edd6f2c3f4b329a736a054f | - |
| | kernel-tools-libs-4.18.0-305.7.1.el8_4.x86_64.rpm | 698a500d7e28e701777ea3fa9522c3da | - |
| | kernel-tools-libs-devel-4.18.0-305.7.1.el8_4.x86_64.rpm | 378eccc216576bba875b99ef1cf9a19c | - |
| | perf-4.18.0-305.7.1.el8_4.x86_64.rpm | 7738d390f31847a9ec5b1a7cdd10382a | - |
| | python3-perf-4.18.0-305.7.1.el8_4.x86_64.rpm | cdc587d5865ceccced7a2de1b3436ecd | - |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.