ELSA-2023-0832

ELSA-2023-0832 - kernel security and bug fix update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2023-02-22

Description


[4.18.0-425.13.1_7.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]

[4.18.0-425.13.1_7]
- mm/cgroup/reclaim: fix dirty pages throttling on cgroup v1 (Waiman Long) [2160221]
- mm: vmscan: remove deadlock due to throttling failing to make progress (Waiman Long) [2160221]
- mm: vmscan: reduce throttling due to a failure to make progress -fix (Waiman Long) [2160221]
- mm: vmscan: Reduce throttling due to a failure to make progress (Waiman Long) [2160221]
- mm/vmscan: delay waking of tasks throttled on NOPROGRESS (Waiman Long) [2160221]
- mm/vmscan: increase the timeout if page reclaim is not making progress (Waiman Long) [2160221]
- mm/vmscan: centralise timeout values for reclaim_throttle (Waiman Long) [2160221]
- mm/page_alloc: remove the throttling logic from the page allocator (Waiman Long) [2160221]
- mm/writeback: throttle based on page writeback instead of congestion (Waiman Long) [2160221]
- mm/vmscan: throttle reclaim when no progress is being made (Waiman Long) [2160221]
- mm/vmscan: throttle reclaim and compaction when too may pages are isolated (Waiman Long) [2160221]
- mm/vmscan: throttle reclaim until some writeback completes if congested (Waiman Long) [2160221]
- mm/vmscan.c: delete or fix duplicated words (Waiman Long) [2160221]
- mm,page_alloc: PF_WQ_WORKER threads must sleep at should_reclaim_retry() (Nico Pache) [2160221]
- ceph: avoid putting the realm twice when decoding snaps fails (Xiubo Li) [2155797 2139881]
- mm/mremap: hold the rmap lock in write mode when moving page table entries. (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: use pmd/pud_poplulate to update page table entries (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: don't enable optimized PUD move if page table levels is 2 (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: convert huge PUD move to separate helper (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: fix BUILD_BUG_ON() error in get_extent (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap.c: fix extent calculation (Waiman Long) [2140944] {CVE-2022-41222}
- x86: mremap speedup - Enable HAVE_MOVE_PUD (Waiman Long) [2140944] {CVE-2022-41222}
- mm: speedup mremap on 1GB or larger regions (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: start addresses are properly aligned (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: calculate extent in one place (Waiman Long) [2140944] {CVE-2022-41222}
- mm/mremap: it is sure to have enough space when extent meets requirement (Waiman Long) [2140944] {CVE-2022-41222}
- s390/boot: add secure boot trailer (Tobias Huschle) [2151530 2141967]
- i40e: Fix VF hang when reset is triggered on another VF (Ivan Vecera) [2160460 2103801]
- i2c: ismt: Fix an out-of-bounds bug in ismt_access() (Prarit Bhargava) [2154388 2119066] {CVE-2022-2873}
- iavf: schedule watchdog immediately when changing primary MAC (Michal Schmidt) [2163257 2152493]
- iavf: Move netdev_update_features() into watchdog task (Michal Schmidt) [2163257 2152493]
- iavf: fix temporary deadlock and failure to set MAC address (Michal Schmidt) [2163257 2152493]
- iavf: Fix error handling in iavf_init_module() (Michal Schmidt) [2163257 2152493]
- iommu/vt-d: Clean up si_domain in the init_dmars() error path (Jerry Snitselaar) [2149474 2118428]
- x86/pci/xen: Use msi_msg shadow structs (Jerry Snitselaar) [2149474 2118428]
- iommu/intel: Use msi_msg shadow structs (Jerry Snitselaar) [2149474 2118428]
- PCI: MSI: Fix Kconfig dependencies for PCI_MSI_ARCH_FALLBACKS (Jerry Snitselaar) [2149474 2118428]
- x86/apic/msi: Unbreak DMAR and HPET MSI (Jerry Snitselaar) [2149474 2118428]
- iommu/amd: Remove domain search for PCI/MSI (Jerry Snitselaar) [2149474 2118428]
- iommu/vt-d: Remove domain search for PCI/MSI[X] (Jerry Snitselaar) [2149474 2118428]
- x86/irq: Make most MSI ops XEN private (Jerry Snitselaar) [2149474 2118428]
- x86/irq: Cleanup the arch_*_msi_irqs() leftovers (Jerry Snitselaar) [2149474 2118428]
- PCI/MSI: Make arch_.*_msi_irq[s] fallbacks selectable (Jerry Snitselaar) [2149474 2118428]
- x86/xen: Wrap XEN MSI management into irqdomain (Jerry Snitselaar) [2149474 2118428]
- x86/xen: Consolidate XEN-MSI init (Jerry Snitselaar) [2149474 2118428]
- x86/xen: Rework MSI teardown (Jerry Snitselaar) [2149474 2118428]
- x86/xen: Make xen_msi_init() static and rename it to xen_hvm_msi_init() (Jerry Snitselaar) [2149474 2118428]
- x86/irq: Move apic_post_init() invocation to one place (Jerry Snitselaar) [2149474 2118428]
- x86/msi: Use generic MSI domain ops (Jerry Snitselaar) [2149474 2118428]
- x86/msi: Remove pointless vcpu_affinity callback (Jerry Snitselaar) [2149474 2118428]
- iommu/vt-d: Fix compile error with CONFIG_PCI_ATS not set (Myron Stowe) [2149474 2118428]
- iommu/vt-d: Cure VF irqdomain hickup (Myron Stowe) [2149474 2118428]
- x86/pci: Set default irq domain in pcibios_add_device() (Myron Stowe) [2149474 2118428]
- iommm/amd: Store irq domain in struct device (Myron Stowe) [2149474 2118428]
- iommm/vt-d: Store irq domain in struct device (Myron Stowe) [2149474 2118428]
- PCI/MSI: Provide pci_dev_has_special_msi_domain() helper (Myron Stowe) [2149474 2118428]
- x86/msi: Consolidate MSI allocation (Myron Stowe) [2149474 2118428]
- PCI/MSI: Rework pci_msi_domain_calc_hwirq() (Myron Stowe) [2149474 2118428]
- x86/irq: Consolidate UV domain allocation (Myron Stowe) [2149474 2118428]
- x86/irq: Consolidate DMAR irq allocation (Myron Stowe) [2149474 2118428]
- x86_ioapic_Consolidate_IOAPIC_allocation (Myron Stowe) [2149474 2118428]
- x86/msi: Consolidate HPET allocation (Myron Stowe) [2149474 2118428]
- iommu/irq_remapping: Consolidate irq domain lookup (Myron Stowe) [2149474 2118428]
- iommu/amd: Consolidate irq domain getter (Myron Stowe) [2149474 2118428]
- iommu/vt-d: Consolidate irq domain getter (Myron Stowe) [2149474 2118428]
- x86/irq: Add allocation type for parent domain retrieval (Myron Stowe) [2149474 2118428]
- irqdomain: Export irq_domain_update_bus_token (Myron Stowe) [2149474 2118428]
- gitlab-ci: use CI templates from production branch (Michael Hofmann)
- iavf: remove INITIAL_MAC_SET to allow gARP to work properly (Stefan Assmann) [2149745 1938635]
- Revert 'scsi: iscsi: ql4xxx: Use per-session workqueue for unbinding' (Chris Leech) [2152734 2122624]
- Revert 'scsi: iscsi: Use the session workqueue for recovery' (Chris Leech) [2152734 2122624]
- arm64/bpf: Remove 128MB limit for BPF JIT programs (Yauheni Kaliuta) [2152138 2140163]
- bpf: Define bpf_jit_alloc_exec_limit for arm64 JIT (Yauheni Kaliuta) [2152138 2140163]
- arm64: extable: add type and data fields (Yauheni Kaliuta) [2152138 2140163]
- arm64: extable: use ex for exception_table_entry (Yauheni Kaliuta) [2152138 2140163]
- arm64: extable: make fixup_exception() return bool (Yauheni Kaliuta) [2152138 2140163]
- arm64: extable: consolidate definitions (Yauheni Kaliuta) [2152138 2140163]
- arm64: kvm: use kvm_exception_table_entry (Yauheni Kaliuta) [2152138 2140163]
- be2net: Fix buffer overflow in be_get_module_eeprom (Josef Oskera) [2160182 2126917]

[4.18.0-425.12.1_7]
- x86/fpu: Prevent FPU state corruption (Oleksandr Natalenko) [2134586 2130890]
- x86/fpu: Drop fpregs lock before inheriting FPU permissions (Eder Zulian) [2154460 2153549]
- kernel-doc: fix undefined args variable (Jan Stancek) [2157905 2134954]
- mm: memcontrol: fix potential oom_lock recursion deadlock (Waiman Long) [2157922 2138886]
- memcg: prohibit unconditional exceeding the limit of dying tasks (Waiman Long) [2157922 2138886]
- mm, oom: do not trigger out_of_memory from the #PF (Waiman Long) [2157922 2138886]
- mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks (Waiman Long) [2157922 2138886]
- mm: memcontrol: don't count limit-setting reclaim as memory pressure (Waiman Long) [2157922 2138886]
- KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (Thomas Huth) [2158813 2151854]
- net: mana: Fix race on per-CQ variable napi work_done (Emanuele Giuseppe Esposito) [2155437 2151722]
- mei: me: add adler lake point S DID (Prarit Bhargava) [2141783 2141602]
- PCI: hv: Only reuse existing IRTE allocation for Multi-MSI (Emanuele Giuseppe Esposito) [2155289 2100275]
- PCI: hv: Fix the definition of vector in hv_compose_msi_msg() (Emanuele Giuseppe Esposito) [2155289 2100275]
- PCI: hv: Fix interrupt mapping for multi-MSI (Emanuele Giuseppe Esposito) [2155289 2100275]
- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Emanuele Giuseppe Esposito) [2155289 2100275]
- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Emanuele Giuseppe Esposito) [2155289 2100275]
- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Emanuele Giuseppe Esposito) [2155289 2100275]
- drm/ast: Support multiple outputs (Jarod Wilson) [2149287 2147553]

[4.18.0-425.11.1_7]
- NFSD: Protect against send buffer overflow in NFSv3 READ (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READ (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv3 READDIR (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- NFSD: Protect against send buffer overflow in NFSv2 READDIR (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_encode's buflen calculation (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation (Scott Mayhew) [2143172 2141774] {CVE-2022-43945}
- panic, kexec: make __crash_kexec() NMI safe (Valentin Schneider) [2139580 2134126]
- kexec: turn all kexec_mutex acquisitions into trylocks (Valentin Schneider) [2139580 2134126]
- kexec: move locking into do_kexec_load (Valentin Schneider) [2139580 2134126]
- vdpa/mlx5: re-create forwarding rules after mac modified (Laurent Vivier) [2152912 2145136]
- timers/nohz: Last resort update jiffies on nohz_full IRQ entry (Waiman Long) [2153653 2108387]
- irq: Call tick_irq_enter() inside HARDIRQ_OFFSET (Waiman Long) [2153653 2108387]
- irqtime: Move irqtime entry accounting after irq offset incrementation (Waiman Long) [2153653 2108387]
- sched/vtime: Consolidate IRQ time accounting (Waiman Long) [2153653 2108387]
- s390/vtime: Use the generic IRQ entry accounting (Waiman Long) [2153653 2108387]
- sched/cputime: Remove symbol exports from IRQ time accounting (Waiman Long) [2153653 2108387]
- genirq/irqdomain: Don't try to free an interrupt that has no mapping (Waiman Long) [2153653 2108387]
- genirq: Provide __irq_enter/exit_raw() (Waiman Long) [2153653 2108387]
- powerpc/time: Only set CONFIG_ARCH_HAS_SCALED_CPUTIME on PPC64 (Waiman Long) [2153653 2108387]
- powerpc/time: isolate scaled cputime accounting in dedicated functions. (Waiman Long) [2153653 2108387]
- PCI: hv: Fix synchronization between channel callback and hv_pci_bus_exit() (Mohammed Gamal) [2155280 2144708]
- PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() (Mohammed Gamal) [2155280 2144708]
- PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening (Mohammed Gamal) [2155280 2144708]
- net/mlx5e: TC, Reject forwarding from internal port to internal port (Mohammad Kabat) [2141959 2131345]
- hv_netvsc: Fix race between VF offering and VF association message from host (Mohammed Gamal) [2155272 2149279]
- x86/mce: Reduce number of machine checks taken during recovery (Prarit Bhargava) [2137592 2104388]
- cgroup/cpuset: Reduce cpuset_rwsem writer latency (Waiman Long) [2153108 2149031]
- rcu/exp: Mark current CPU as exp-QS in IPI loop second pass (Waiman Long) [2153108 2149031]
- rcu: Always inline rcu_dynticks_task*_{enter,exit}() (Waiman Long) [2153108 2149031]
- rcu: Fix existing exp request check in sync_sched_exp_online_cleanup() (Waiman Long) [2153108 2149031]
- rcu: Fix macro name CONFIG_TASKS_RCU_TRACE (Waiman Long) [2153108 2149031]
- rcu: Fix stall-warning deadlock due to non-release of rcu_node ->lock (Waiman Long) [2153108 2149031]
- rcu: Fix to include first blocked task in stall warning (Waiman Long) [2153108 2149031]
- cgroup: Use cgroup_attach_{lock,unlock}() from cgroup_attach_task_all() (Waiman Long) [2153108 2149031]
- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Waiman Long) [2153108 2149031]
cpus_read_lock() deadlock (Waiman Long) [2153108 2149031]
- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree (Waiman Long) [2153108 2149031]
- cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug (Waiman Long) [2153108 2149031]
- cgroup: reduce dependency on cgroup_mutex (Waiman Long) [2153108 2149031]
- sunrpc: Set sk_allocation to GFP_NOFS to avoid using current->task_frag. (Guillaume Nault) [2153230 2089660]


Related CVEs


CVE-2022-2873
CVE-2022-41222
CVE-2022-43945

Updated Packages


| Release/Architecture | Filename | MD5sum | Superseded By Advisory |
|---|---|---|---|
| Oracle Linux 8 (aarch64) | kernel-4.18.0-425.13.1.el8_7.src.rpm | 76e499ebe133053509d6b5d0f1b89ef9 | - |
| | bpftool-4.18.0-425.13.1.el8_7.aarch64.rpm | 37130862d9af82afa6bdeb83cae2bbe5 | - |
| | kernel-cross-headers-4.18.0-425.13.1.el8_7.aarch64.rpm | b3c9e405cbaf941a0baf108f8f4a57e2 | - |
| | kernel-headers-4.18.0-425.13.1.el8_7.aarch64.rpm | 1258cb8d8c0edbbf84bceee9d79b591f | - |
| | kernel-tools-4.18.0-425.13.1.el8_7.aarch64.rpm | e75969f0e5407355fec8706627d5a014 | - |
| | kernel-tools-libs-4.18.0-425.13.1.el8_7.aarch64.rpm | 28a955b26a293dd09181b4fa12f9d835 | - |
| | kernel-tools-libs-devel-4.18.0-425.13.1.el8_7.aarch64.rpm | e7caf543186e5a2177c4da63f47b2a49 | - |
| | perf-4.18.0-425.13.1.el8_7.aarch64.rpm | 7310a58a0c3448458439bd14785db030 | - |
| | python3-perf-4.18.0-425.13.1.el8_7.aarch64.rpm | d7ecd9a98faaae2dcf8d50935f57e1bc | - |
| Oracle Linux 8 (x86_64) | kernel-4.18.0-425.13.1.el8_7.src.rpm | 76e499ebe133053509d6b5d0f1b89ef9 | - |
| | bpftool-4.18.0-425.13.1.el8_7.x86_64.rpm | a222e18106fffbbe2bd56097e656cb08 | - |
| | kernel-4.18.0-425.13.1.el8_7.x86_64.rpm | 6a79f2db9440abda08ba224129f93660 | - |
| | kernel-abi-stablelists-4.18.0-425.13.1.el8_7.noarch.rpm | 45454bdce852387ba280e7489d964324 | - |
| | kernel-core-4.18.0-425.13.1.el8_7.x86_64.rpm | f0e55fd61ee026b6cc68d5e8dd6a03ef | - |
| | kernel-cross-headers-4.18.0-425.13.1.el8_7.x86_64.rpm | b81b1d2c4309e38e5b712783941527aa | - |
| | kernel-debug-4.18.0-425.13.1.el8_7.x86_64.rpm | c6845e9416bb7c9d0d9078f92844dc4f | - |
| | kernel-debug-core-4.18.0-425.13.1.el8_7.x86_64.rpm | 431f1a89c716734f26938d037429ab4e | - |
| | kernel-debug-devel-4.18.0-425.13.1.el8_7.x86_64.rpm | 0b87a59c7ddcb8ce32b67f720da24a10 | - |
| | kernel-debug-modules-4.18.0-425.13.1.el8_7.x86_64.rpm | f82204ed4dd7e90b7b040c8060d2c5c3 | - |
| | kernel-debug-modules-extra-4.18.0-425.13.1.el8_7.x86_64.rpm | cc1d7d659e066ae071964bf17e29b86e | - |
| | kernel-devel-4.18.0-425.13.1.el8_7.x86_64.rpm | dc814fccecceb3d6087cd3ad090bc859 | - |
| | kernel-doc-4.18.0-425.13.1.el8_7.noarch.rpm | 11b4fb90813a506e370183c17d8da015 | - |
| | kernel-headers-4.18.0-425.13.1.el8_7.x86_64.rpm | abc5aee70352dbe91c9601218dd563f4 | - |
| | kernel-modules-4.18.0-425.13.1.el8_7.x86_64.rpm | 61dc916830c498ea56caa1e112753603 | - |
| | kernel-modules-extra-4.18.0-425.13.1.el8_7.x86_64.rpm | b106045fe933e863673d39ee45830aa1 | - |
| | kernel-tools-4.18.0-425.13.1.el8_7.x86_64.rpm | cfbe05ca5225e2fabf0134d0e5f384ae | - |
| | kernel-tools-libs-4.18.0-425.13.1.el8_7.x86_64.rpm | bb85f24b2f6db446363c7fc081d98ae5 | - |
| | kernel-tools-libs-devel-4.18.0-425.13.1.el8_7.x86_64.rpm | 5dbbce0b3efd5d05d4bd0bf7d7707cdb | - |
| | perf-4.18.0-425.13.1.el8_7.x86_64.rpm | cf19b0975e896dbaf159287aebb7073c | - |
| | python3-perf-4.18.0-425.13.1.el8_7.x86_64.rpm | fabfd1aa24097225faa49065795ed30f | - |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.