ELSA-2023-0334

ULN >
Oracle Linux Errata repository >
ELSA-2023-0334

ELSA-2023-0334 - kernel security and bug fix update

Type:	SECURITY
Severity:	IMPORTANT
Release Date:	2023-01-25

Description

[5.14.0-162.12.1_1.OL9]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]

[5.14.0-162.12.1_1]
- x86/fpu: Drop fpregs lock before inheriting FPU permissions (Valentin Schneider) [2154407 2153181]
- hv_netvsc: Fix race between VF offering and VF association message from host (Mohammed Gamal) [2151605 2149277]
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (Emanuele Giuseppe Esposito) [2150910 2092794]

[5.14.0-162.11.1_1]
- drm/i915: fix TLB invalidation for Gen12 video and compute engines (Wander Lairson Costa) [2148152 2148153] {CVE-2022-4139}
- memcg: prohibit unconditional exceeding the limit of dying tasks (Chris von Recklinghausen) [2143976 2120352]
- mm, oom: do not trigger out_of_memory from the #PF (Waiman Long) [2143976 2139747]
- mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks (Chris von Recklinghausen) [2143976 2120352]
- pipe: Fix missing lock in pipe_resize_ring() (Ian Kent) [2141631 2141632] {CVE-2022-2959}
- net: usb: ax88179_178a: Fix packet receiving (Jose Ignacio Tornos Martinez) [2142722 2142723] {CVE-2022-2964}
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (Jose Ignacio Tornos Martinez) [2142722 2142723] {CVE-2022-2964}
- NFSD: Protect against send buffer overflow in NFSv3 READ (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READ (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv3 READDIR (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READDIR (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_encode's buflen calculation (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation (Scott Mayhew) [2141769 2141770] {CVE-2022-43945}

[5.14.0-162.10.1_1]
- ice: Fix crash by keep old cfg when update TCs more than queues (Petr Oros) [2132070 2131953]
- ice: Fix tunnel checksum offload with fragmented traffic (Petr Oros) [2132070 2131953]
- ice: handle E822 generic device ID in PLDM header (Petr Oros) [2132070 2131953]
- ice: ethtool: Prohibit improper channel config for DCB (Petr Oros) [2132070 2131953]
- ice: ethtool: advertise 1000M speeds properly (Petr Oros) [2132070 2131953]
- ice: Fix switchdev rules book keeping (Petr Oros) [2132070 2131953]
- ice: fix access-beyond-end in the switch code (Petr Oros) [2132070 2131953]
- eth: ice: silence the GCC 12 array-bounds warning (Petr Oros) [2132070 2131953]
- ice: Expose RSS indirection tables for queue groups via ethtool (Petr Oros) [2132070 2131953]
- Revert 'ice: Hide bus-info in ethtool for PRs in switchdev mode' (Petr Oros) [2132070 2131953]
- ice: remove period on argument description in ice_for_each_vf (Petr Oros) [2132070 2131953]
- ice: add a function comment for ice_cfg_mac_antispoof (Petr Oros) [2132070 2131953]
- ice: fix wording in comment for ice_reset_vf (Petr Oros) [2132070 2131953]
- ice: remove return value comment for ice_reset_all_vfs (Petr Oros) [2132070 2131953]
- ice: always check VF VSI pointer values (Petr Oros) [2132070 2131953]
- ice: add newline to dev_dbg in ice_vf_fdir_dump_info (Petr Oros) [2132070 2131953]
- ice: get switch id on switchdev devices (Petr Oros) [2132070 2131953]
- ice: return ENOSPC when exceeding ICE_MAX_CHAIN_WORDS (Petr Oros) [2132070 2131953]
- ice: introduce common helper for retrieving VSI by vsi_num (Petr Oros) [2132070 2131953]
- ice: use min_t() to make code cleaner in ice_gnss (Petr Oros) [2132070 2131953]
- ice, xsk: Avoid refilling single Rx descriptors (Petr Oros) [2132070 2131953]
- ice, xsk: Diversify return values from xsk_wakeup call paths (Petr Oros) [2132070 2131953]
- ice, xsk: Terminate Rx side of NAPI when XSK Rx queue gets full (Petr Oros) [2132070 2131953]
- ice, xsk: Decorate ICE_XDP_REDIR with likely() (Petr Oros) [2132070 2131953]
- ice: Add mpls+tso support (Petr Oros) [2132070 2131953]
- ice: switch: convert packet template match code to rodata (Petr Oros) [2132070 2131953]
- ice: switch: use convenience macros to declare dummy pkt templates (Petr Oros) [2132070 2131953]
- ice: switch: use a struct to pass packet template params (Petr Oros) [2132070 2131953]
- ice: switch: unobscurify bitops loop in ice_fill_adv_dummy_packet() (Petr Oros) [2132070 2131953]
- ice: switch: add and use u16[] aliases to ice_adv_lkup_elem::{h, m}_u (Petr Oros) [2132070 2131953]
- ice: Support GTP-U and GTP-C offload in switchdev (Petr Oros) [2132070 2131953]
- Documentation/admin-guide: Document nomodeset kernel parameter (Karol Herbst) [2145217 2143841]
- drm: Move nomodeset kernel parameter to the DRM subsystem (Karol Herbst) [2145217 2143841]
- selftests/bpf: Limit unroll_count for pyperf600 test (Frantisek Hrbata) [2144902 2139836]
- nvme-fc: fix the fc_appid_store return value (Ewan D. Milne) [2136914 2113035]
- ACPI: processor idle: Practically limit 'Dummy wait' workaround to old Intel systems (Wei Huang) [2142168 2130652]
- CI: Drop c9s CI parts (Veronika Kabatova)
- CI: Use GA builder container (Veronika Kabatova)

[5.14.0-162.9.1_1]
- CI: Remove deprecated variable (Veronika Kabatova)
- drm: fix duplicated code in drm_connector_register (Karol Herbst) [2134619 2132575]
- drm/mgag200: Fix PLL setup for G200_SE_A rev >=4 (Jocelyn Falempe) [2140153 1960467]
- scsi: mpi3mr: Schedule IRQ kthreads only on non-RT kernels (Tomas Henzl) [2139213 2136223]

[5.14.0-162.8.1_1]
- redhat: fix the branch we pull from the documentation tree (Herton R. Krzesinski)
- nvme-tcp: handle number of queue changes (John Meneghini) [2131359 2112025]
- nvmet: expose max queues to configfs (John Meneghini) [2131359 2112025]
- nvme-fabrics: parse nvme connect Linux error codes (John Meneghini) [2131359 2112025]
- vfio/type1: Unpin zero pages (Alex Williamson) [2128514 2121855]
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE (Oleg Nesterov) [2127881 2121271] {CVE-2022-30594}

[5.14.0-162.7.1_1]
- i2c: ismt: prevent memory corruption in ismt_access() (David Arcari) [2127532 2125582] {CVE-2022-3077}
- x86/fpu: Prevent FPU state corruption (Oleksandr Natalenko) [2134588 2131667]
- iavf: Fix reset error handling (Petr Oros) [2127884 2119712]
- iavf: Fix NULL pointer dereference in iavf_get_link_ksettings (Petr Oros) [2127884 2119712]
- iavf: Fix missing state logs (Petr Oros) [2127884 2119712]

Related CVEs

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory

Oracle Linux 9 (aarch64)	kernel-5.14.0-162.12.1.el9_1.src.rpm	4768059f21c67806ac66e13f89e1699f	-
	bpftool-5.14.0-162.12.1.el9_1.aarch64.rpm	efdfe3a2f2d9474141563041b37c1f97	-
	kernel-cross-headers-5.14.0-162.12.1.el9_1.aarch64.rpm	0fd15bb87c3ea6ba5e972c0e5f530668	-
	kernel-headers-5.14.0-162.12.1.el9_1.aarch64.rpm	7cd65e604cc8bc9f7565fa8f153ba6ca	-
	kernel-tools-5.14.0-162.12.1.el9_1.aarch64.rpm	52af4703c7a984535b75b7935e1f4484	-
	kernel-tools-libs-5.14.0-162.12.1.el9_1.aarch64.rpm	b4577dba50803255b304ba7b82accb15	-
	kernel-tools-libs-devel-5.14.0-162.12.1.el9_1.aarch64.rpm	a2c1eaaca41e5793cc06f226a93246b8	-
	perf-5.14.0-162.12.1.el9_1.aarch64.rpm	5873b7c08f05830917f4992a80eb2b33	-
	python3-perf-5.14.0-162.12.1.el9_1.aarch64.rpm	5193f44ffde7d15e48da132b1854eba9	-

Oracle Linux 9 (x86_64)	kernel-5.14.0-162.12.1.el9_1.src.rpm	4768059f21c67806ac66e13f89e1699f	-
	bpftool-5.14.0-162.12.1.el9_1.x86_64.rpm	fd4678a8bb414a958f6b4858ee509374	-
	kernel-5.14.0-162.12.1.el9_1.x86_64.rpm	f1c3f9db7630099ba842737200b00e1b	-
	kernel-abi-stablelists-5.14.0-162.12.1.el9_1.noarch.rpm	a3fc05ff135ef30956799ef28e004677	-
	kernel-core-5.14.0-162.12.1.el9_1.x86_64.rpm	9d9b9a478fc85547f62828784655dc6c	-
	kernel-cross-headers-5.14.0-162.12.1.el9_1.x86_64.rpm	a6609360677ac8e568a7f69cf82c2ec5	-
	kernel-debug-5.14.0-162.12.1.el9_1.x86_64.rpm	14a7413dabc4f6639d98e0e8a09e40ac	-
	kernel-debug-core-5.14.0-162.12.1.el9_1.x86_64.rpm	0c4a403fce277f1486b536385f2d0d52	-
	kernel-debug-devel-5.14.0-162.12.1.el9_1.x86_64.rpm	fdd1df5243376428c19a91c41179a840	-
	kernel-debug-devel-matched-5.14.0-162.12.1.el9_1.x86_64.rpm	bfc0cfa5032e2e61f07df591036d5bed	-
	kernel-debug-modules-5.14.0-162.12.1.el9_1.x86_64.rpm	377dd5348aaec5783ec41e22eb1ead85	-
	kernel-debug-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm	99c7ccf992b704db3ca1e90fd613f566	-
	kernel-devel-5.14.0-162.12.1.el9_1.x86_64.rpm	8a4523a020e01b0c3ed3bea22ee24728	-
	kernel-devel-matched-5.14.0-162.12.1.el9_1.x86_64.rpm	eca9c9f9933511c8979dc48e57080f83	-
	kernel-doc-5.14.0-162.12.1.el9_1.noarch.rpm	ee429b45cf21a71bafe8d9c7486e2d49	-
	kernel-headers-5.14.0-162.12.1.el9_1.x86_64.rpm	9bb9ba83b86b605712a09e8149f59402	-
	kernel-modules-5.14.0-162.12.1.el9_1.x86_64.rpm	bf1adb04110efcb34a024f31fa369837	-
	kernel-modules-extra-5.14.0-162.12.1.el9_1.x86_64.rpm	d7dc5035da204015f608790383ced889	-
	kernel-tools-5.14.0-162.12.1.el9_1.x86_64.rpm	a32dcd182a2d840ae29179d031a73e60	-
	kernel-tools-libs-5.14.0-162.12.1.el9_1.x86_64.rpm	80a2ba2f7e0332afffeb05c475a73614	-
	kernel-tools-libs-devel-5.14.0-162.12.1.el9_1.x86_64.rpm	832da340ecc8ad2d5fef474746838d2a	-
	perf-5.14.0-162.12.1.el9_1.x86_64.rpm	a01be6b2621d3f1a95791b4007938314	-
	python3-perf-5.14.0-162.12.1.el9_1.x86_64.rpm	473bfdcd3908f789735e6f7af03ff40f	-

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691