ELSA-2022-5249

ELSA-2022-5249 - kernel security and bug fix update

Type:	SECURITY
Impact:	IMPORTANT
Release Date:	2022-06-30

Description

[5.14.0-70.17.1.0.1_0.OL9]
- lockdown: also lock down previous kgdb use (Daniel Thompson) [Orabug: 34290418] {CVE-2022-21499}

[5.14.0-70.17.1_0.OL9]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 < 15.3-1.0.4
- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944]

[5.14.0-70.17.1_0]
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2092994 2092995] {CVE-2022-1966}
- thunderx nic: mark device as unmaintained (Inigo Huguet) [2092638 2060285]
- pseries/eeh: Fix the kdump kernel crash during eeh_pseries_init (Steve Best) [2092255 2067770]
- perf: Fix sys_perf_event_open() race against self (Michael Petlan) [2087963 2087964] {CVE-2022-1729}
- spec: Fix separate tools build (Jiri Olsa) [2090852 2054579]
- mm: lru_cache_disable: replace work queue synchronization with synchronize_rcu (Marcelo Tosatti) [2086963 2033500]

[5.14.0-70.16.1_0]
- dm integrity: fix memory corruption when tag_size is less than digest size (Benjamin Marzinski) [2082187 2081778]

[5.14.0-70.15.1_0]
- CI: Use zstream builder image (Veronika Kabatova)
- tcp: drop the hash_32() part from the index calculation (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- tcp: increase source port perturb table to 2^16 (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- tcp: dynamically allocate the perturb table used by source ports (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- tcp: add small random increments to the source port (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- tcp: resalt the secret every 10 seconds (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- tcp: use different parts of the port_offset for index and offset (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- secure_seq: use the 64 bits of the siphash for port offset calculation (Guillaume Nault) [2087128 2064868] {CVE-2022-1012}
- Revert 'netfilter: conntrack: tag conntracks picked up in local out hook' (Florian Westphal) [2085480 2061850]
- Revert 'netfilter: nat: force port remap to prevent shadowing well-known ports' (Florian Westphal) [2085480 2061850]
- redhat/koji/Makefile: Decouple koji Makefile from Makefile.common (Andrea Claudi)
- redhat: fix make {distg-brew,distg-koji} (Andrea Claudi)
- esp: limit skb_page_frag_refill use to a single page (Sabrina Dubroca) [2082950 2082951] {CVE-2022-27666}
- esp: Fix possible buffer overflow in ESP transformation (Sabrina Dubroca) [2082950 2082951] {CVE-2022-27666}
- sctp: use the correct skb for security_sctp_assoc_request (Ondrej Mosnacek) [2084044 2078856]
- security: implement sctp_assoc_established hook in selinux (Ondrej Mosnacek) [2084044 2078856]
- security: add sctp_assoc_established hook (Ondrej Mosnacek) [2084044 2078856]
- security: call security_sctp_assoc_request in sctp_sf_do_5_1D_ce (Ondrej Mosnacek) [2084044 2078856]
- security: pass asoc to sctp_assoc_request and sctp_sk_clone (Ondrej Mosnacek) [2084044 2078856]

[5.14.0-70.14.1_0]
- PCI: hv: Propagate coherence from VMbus device to PCI device (Vitaly Kuznetsov) [2074830 2068432]
- Drivers: hv: vmbus: Propagate VMbus coherence to each VMbus device (Vitaly Kuznetsov) [2074830 2068432]
- redhat: rpminspect: disable 'patches' check for known empty patch files (Herton R. Krzesinski)
- redhat/configs: make SHA512_arch algos and CRYPTO_USER built-ins (Vladis Dronov) [2072643 2070624]
- CI: Drop baseline runs (Veronika Kabatova)

Related CVEs

CVE-2022-1966

CVE-2022-27666

CVE-2022-1729

CVE-2022-1012

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label
Oracle Linux 9 (aarch64)	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_aarch64_appstream
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_aarch64_baseos_latest
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_aarch64_codeready_builder
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_aarch64_u0_baseos_patch
	bpftool-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	2e3f9e0a43f1799995b318c3a942c5788998f1849189119ee24941b76b5ff404	-	ol9_aarch64_baseos_latest
	bpftool-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	2e3f9e0a43f1799995b318c3a942c5788998f1849189119ee24941b76b5ff404	-	ol9_aarch64_u0_baseos_patch
	kernel-cross-headers-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	a0b8e36397b608bcf69a239940838dc676a4c6df00da12189a30352e3e77f96f	-	ol9_aarch64_codeready_builder
	kernel-headers-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	09d1823257dd5ba9f9964bd54e36067fbedc80799b195d2c1a23abfe5b327f93	-	ol9_aarch64_appstream
	kernel-tools-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	95b3eac12232ae1c64f4f2bdb8ccbdf08f6670934cc083a875b794c21a3148cf	-	ol9_aarch64_baseos_latest
	kernel-tools-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	95b3eac12232ae1c64f4f2bdb8ccbdf08f6670934cc083a875b794c21a3148cf	-	ol9_aarch64_u0_baseos_patch
	kernel-tools-libs-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	593d7bb30ff24ecc4abc51f619556fda946a2a0264567d2329bf4bf213c03116	-	ol9_aarch64_baseos_latest
	kernel-tools-libs-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	593d7bb30ff24ecc4abc51f619556fda946a2a0264567d2329bf4bf213c03116	-	ol9_aarch64_u0_baseos_patch
	kernel-tools-libs-devel-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	f1c7ad749233efb6e5a8823aafcbaa4baf2e9a181795c3b963748ba623e2aed2	-	ol9_aarch64_codeready_builder
	perf-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	da3eeb3e26e94b3df53c694e6c7e9e849655c6aaa296a08111573161e633bcfb	-	ol9_aarch64_appstream
	python3-perf-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	c43da8c3d2577c4ea56d6bd4aa28184d8e45080db298663a121d81c4a6adef48	-	ol9_aarch64_baseos_latest
	python3-perf-5.14.0-70.17.1.0.1.el9_0.aarch64.rpm	c43da8c3d2577c4ea56d6bd4aa28184d8e45080db298663a121d81c4a6adef48	-	ol9_aarch64_u0_baseos_patch
Oracle Linux 9 (x86_64)	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_x86_64_appstream
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_x86_64_codeready_builder
	kernel-5.14.0-70.17.1.0.1.el9_0.src.rpm	2c4fb89841ebd0095fc5138d5a2eedbb3822a5d0aefa0d642ba867bac1985adc	-	ol9_x86_64_u0_baseos_patch
	bpftool-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	fb78cf58dce62109b0475775937919eaacd9c3a7c6c252fea3ccfd96ac1d0139	-	ol9_x86_64_baseos_latest
	bpftool-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	fb78cf58dce62109b0475775937919eaacd9c3a7c6c252fea3ccfd96ac1d0139	-	ol9_x86_64_u0_baseos_patch
	kernel-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	517d74952de5bd81df4ada01d6d4c28bc2b1e9bf9d74f991b1f3503b410a07e1	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	517d74952de5bd81df4ada01d6d4c28bc2b1e9bf9d74f991b1f3503b410a07e1	-	ol9_x86_64_u0_baseos_patch
	kernel-abi-stablelists-5.14.0-70.17.1.0.1.el9_0.noarch.rpm	367d6c4c94485308ab3b4da9f4e5bb6a8be68f2af93d3051c79d9f7970d564cf	-	ol9_x86_64_baseos_latest
	kernel-abi-stablelists-5.14.0-70.17.1.0.1.el9_0.noarch.rpm	367d6c4c94485308ab3b4da9f4e5bb6a8be68f2af93d3051c79d9f7970d564cf	-	ol9_x86_64_u0_baseos_patch
	kernel-core-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	f429af532e4fe92bc249d178130b35fb3e3e97c702f40e702f072401bde0843d	-	ol9_x86_64_baseos_latest
	kernel-core-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	f429af532e4fe92bc249d178130b35fb3e3e97c702f40e702f072401bde0843d	-	ol9_x86_64_u0_baseos_patch
	kernel-cross-headers-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	f7f6f9193bfdc8b0805734b47397617c55720622e2e0510ee0c641a23a18f40c	-	ol9_x86_64_codeready_builder
	kernel-debug-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	880a617a6e1d5b18d13bafcede635d988f52d3e9d6cd56f33180cc70c278aacc	-	ol9_x86_64_baseos_latest
	kernel-debug-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	880a617a6e1d5b18d13bafcede635d988f52d3e9d6cd56f33180cc70c278aacc	-	ol9_x86_64_u0_baseos_patch
	kernel-debug-core-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	8753a0493ecddcaefaf708d5f0bbd8b97d9a5764ad24365494af18b66ff03027	-	ol9_x86_64_baseos_latest
	kernel-debug-core-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	8753a0493ecddcaefaf708d5f0bbd8b97d9a5764ad24365494af18b66ff03027	-	ol9_x86_64_u0_baseos_patch
	kernel-debug-devel-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	1d1a2742c47584eb3959a77a62d49dc0732ed5c7e89b9ab10e2778eb56052da7	-	ol9_x86_64_appstream
	kernel-debug-devel-matched-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	95620954768d874bfd80eb0ceeb8a8a378824b34df25973d0f9f687fe16b0ac9	-	ol9_x86_64_appstream
	kernel-debug-modules-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	dfc7fc071086989ba95c07bcf112ebaf21fe1e39cef4d87a302b21f9578a938f	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	dfc7fc071086989ba95c07bcf112ebaf21fe1e39cef4d87a302b21f9578a938f	-	ol9_x86_64_u0_baseos_patch
	kernel-debug-modules-extra-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	c88a906ccf7c07dfdeaf783c9a79fc88e09591595561eb3dce7fa83f047b4e8d	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-extra-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	c88a906ccf7c07dfdeaf783c9a79fc88e09591595561eb3dce7fa83f047b4e8d	-	ol9_x86_64_u0_baseos_patch
	kernel-devel-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	806d74a5a4f0fd40cc64c750cc78cb7fb425f2f366e7dd2f77d2135fdbd95877	-	ol9_x86_64_appstream
	kernel-devel-matched-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	90e2bc8bac72278f335be2459b69fbfcb27b79ec34240bc204cdaf69e799dc05	-	ol9_x86_64_appstream
	kernel-doc-5.14.0-70.17.1.0.1.el9_0.noarch.rpm	5649671a8b007dfb79054bc93db2e2c831ba7dcb3a2502d02793b297f15c08c7	-	ol9_x86_64_appstream
	kernel-headers-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	aa04539682513f94cdd7514412d48c453284b1534bb0800b9d4fad4c2a2956a3	-	ol9_x86_64_appstream
	kernel-modules-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	91f1adf383040dc664ba23a82836ae0a08a4217860b8aa1eb3e848caa40ab944	-	ol9_x86_64_baseos_latest
	kernel-modules-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	91f1adf383040dc664ba23a82836ae0a08a4217860b8aa1eb3e848caa40ab944	-	ol9_x86_64_u0_baseos_patch
	kernel-modules-extra-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	e147ab5719c67600c20e4eb84fbda5120c9e5da8f858ead40b7c0b4db75fdb1a	-	ol9_x86_64_baseos_latest
	kernel-modules-extra-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	e147ab5719c67600c20e4eb84fbda5120c9e5da8f858ead40b7c0b4db75fdb1a	-	ol9_x86_64_u0_baseos_patch
	kernel-tools-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	0ed3acfb7b453641eaa12491d1923c04ddc5e75fa27a546c132b5e86707561b9	-	ol9_x86_64_baseos_latest
	kernel-tools-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	0ed3acfb7b453641eaa12491d1923c04ddc5e75fa27a546c132b5e86707561b9	-	ol9_x86_64_u0_baseos_patch
	kernel-tools-libs-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	9be4f4326c02e322328e7e76b31d50e39816f1581e4da196628db0d2f5b65be4	-	ol9_x86_64_baseos_latest
	kernel-tools-libs-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	9be4f4326c02e322328e7e76b31d50e39816f1581e4da196628db0d2f5b65be4	-	ol9_x86_64_u0_baseos_patch
	kernel-tools-libs-devel-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	e0273bf858da2b944b942b17489f9ee0a1cd64eadfa783c28d54f131dd1e36bb	-	ol9_x86_64_codeready_builder
	perf-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	72974aae1040ea03f1b2bf97190e591a7dc916e8b4c8f6c8006a5f8fcc047d1c	-	ol9_x86_64_appstream
	python3-perf-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	53a75d317ceb2dd19d03407ba9a70979c7c6db8f5e5019060acb8ca4298ec524	-	ol9_x86_64_baseos_latest
	python3-perf-5.14.0-70.17.1.0.1.el9_0.x86_64.rpm	53a75d317ceb2dd19d03407ba9a70979c7c6db8f5e5019060acb8ca4298ec524	-	ol9_x86_64_u0_baseos_patch

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team