ELSA-2023-1470

ELSA-2023-1470 - kernel security, bug fix, and enhancement update

Type:	SECURITY
Impact:	IMPORTANT
Release Date:	2023-03-28

Description

- [5.14.0-162.22.2_1.OL9]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove nmap references from kernel (Mridula Shastry) [Orabug: 34313944]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]

[5.14.0-162.22.2_1]
- tun: avoid double free in tun_free_netdev (Jon Maloy) [2156373] {CVE-2022-4744}

[5.14.0-162.22.1_1]
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF (Jaroslav Kysela) [2163390 2125540] {CVE-2023-0266}

[5.14.0-162.21.1_1]
- s390/boot: add secure boot trailer (Tobias Huschle) [2151528 2141966]
- s390/kexec: fix ipl report address for kdump (Tobias Huschle) [2166903 2161327]
- s390/qeth: cache link_info for ethtool (Tobias Huschle) [2166304 2110436]
- scsi: zfcp: Fix missing auto port scan and thus missing target ports (Tobias Huschle) [2127880 2121088]

[5.14.0-162.20.1_1]
- cgroup/cpuset: remove unreachable code (Waiman Long) [2161105 1946801]
- kselftest/cgroup: Add cpuset v2 partition root state test (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Update description of cpuset.cpus.partition in cgroup-v2.rst (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Make partition invalid if cpumask change violates exclusivity rule (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Relocate a code block in validate_change() (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Show invalid partition reason string (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Add a new isolated cpus.partition type (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Relax constraints to partition & cpus changes (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Allow no-task partition to have empty cpuset.cpus.effective (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Miscellaneous cleanups & add helper functions (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset (Waiman Long) [2161105 1946801]
- cpuset: convert 'allowed' in __cpuset_node_allowed() to be boolean (Waiman Long) [2161105 1946801]
- cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() (Waiman Long) [2161105 1946801]
- cgroup: cleanup comments (Waiman Long) [2161105 1946801]
- act_mirred: use the backlog for nested calls to mirred ingress (Davide Caratti) [2164655 2150278] {CVE-2022-4269}
- net/sched: act_mirred: better wording on protection against excessive stack growth (Davide Caratti) [2164655 2150278] {CVE-2022-4269}
- scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM (Emanuele Giuseppe Esposito) [2170227 2150660]

[5.14.0-162.19.1_1]
- sched/core: Use kfree_rcu() in do_set_cpus_allowed() (Waiman Long) [2160614 2143847]
- sched/core: Fix use-after-free bug in dup_user_cpus_ptr() (Waiman Long) [2160614 2143847]
- sched: Always clear user_cpus_ptr in do_set_cpus_allowed() (Waiman Long) [2143766 2107354]
- sched: Enforce user requested affinity (Waiman Long) [2143766 2107354]
- sched: Always preserve the user requested cpumask (Waiman Long) [2143766 2107354]
- sched: Introduce affinity_context (Waiman Long) [2143766 2107354]
- sched: Add __releases annotations to affine_move_task() (Waiman Long) [2143766 2107354]
- x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly (Dean Nelson) [2168382 2122851]
- x86/fpu: Exclude dynamic states from init_fpstate (Dean Nelson) [2168382 2122851]
- x86/fpu: Fix the init_fpstate size check with the actual size (Dean Nelson) [2168382 2122851]
- x86/fpu: Configure init_fpstate attributes orderly (Dean Nelson) [2168382 2122851]
- x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (Dean Nelson) [2168382 2122851]

Related CVEs

CVE-2022-4269

CVE-2022-4744

CVE-2023-0266

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label
Oracle Linux 9 (aarch64)	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_aarch64_appstream
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_aarch64_baseos_latest
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_aarch64_codeready_builder
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_aarch64_u1_baseos_patch
	bpftool-5.14.0-162.22.2.el9_1.aarch64.rpm	30f3c04a41642244108418e2b6caf35ea582459de06e350c490630ea667c714c	-	ol9_aarch64_baseos_latest
	bpftool-5.14.0-162.22.2.el9_1.aarch64.rpm	30f3c04a41642244108418e2b6caf35ea582459de06e350c490630ea667c714c	-	ol9_aarch64_u1_baseos_patch
	kernel-cross-headers-5.14.0-162.22.2.el9_1.aarch64.rpm	53511cf3ac951dd8e209d3d4f71fda5349ecd64e998ecbcf8c3c250ade169b5e	-	ol9_aarch64_codeready_builder
	kernel-headers-5.14.0-162.22.2.el9_1.aarch64.rpm	229503e17d05e251169e8d1a98a4597f5e3e5053e05bca02cc16e4a38fa5b70a	-	ol9_aarch64_appstream
	kernel-tools-5.14.0-162.22.2.el9_1.aarch64.rpm	27f3032c10a4e637ed585c2d113f66584c5183171c65ee47bc811fb800302ed6	-	ol9_aarch64_baseos_latest
	kernel-tools-5.14.0-162.22.2.el9_1.aarch64.rpm	27f3032c10a4e637ed585c2d113f66584c5183171c65ee47bc811fb800302ed6	-	ol9_aarch64_u1_baseos_patch
	kernel-tools-libs-5.14.0-162.22.2.el9_1.aarch64.rpm	2abafb7500087d15b30fdb3fb20d65174e397b53493821befe60c065ae34c1ef	-	ol9_aarch64_baseos_latest
	kernel-tools-libs-5.14.0-162.22.2.el9_1.aarch64.rpm	2abafb7500087d15b30fdb3fb20d65174e397b53493821befe60c065ae34c1ef	-	ol9_aarch64_u1_baseos_patch
	kernel-tools-libs-devel-5.14.0-162.22.2.el9_1.aarch64.rpm	c6176e7bda7a63ac3b962ae01ef27febb649ceaf1e94907e6ae2ad5f0e2231ba	-	ol9_aarch64_codeready_builder
	perf-5.14.0-162.22.2.el9_1.aarch64.rpm	f95fe7d9aa19d18ce09d27fb5d2ae82d8dd8bc192afecaebb2646c14b5399b80	-	ol9_aarch64_appstream
	python3-perf-5.14.0-162.22.2.el9_1.aarch64.rpm	da6d74d8fd20c1fac0b2e699c063dfbe9132eed6306a0e2d6ff72d693fdb8851	-	ol9_aarch64_baseos_latest
	python3-perf-5.14.0-162.22.2.el9_1.aarch64.rpm	da6d74d8fd20c1fac0b2e699c063dfbe9132eed6306a0e2d6ff72d693fdb8851	-	ol9_aarch64_u1_baseos_patch
Oracle Linux 9 (x86_64)	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_x86_64_appstream
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_x86_64_codeready_builder
	kernel-5.14.0-162.22.2.el9_1.src.rpm	d3d8c8f925c918d1acf0555b2611088e7960fb75da96136c4a7c725162370c3e	-	ol9_x86_64_u1_baseos_patch
	bpftool-5.14.0-162.22.2.el9_1.x86_64.rpm	8146892f65de64515a9e4b06ccf174e20d9b9f17cafed67aa6389d2fbca14ee7	-	ol9_x86_64_baseos_latest
	bpftool-5.14.0-162.22.2.el9_1.x86_64.rpm	8146892f65de64515a9e4b06ccf174e20d9b9f17cafed67aa6389d2fbca14ee7	-	ol9_x86_64_u1_baseos_patch
	kernel-5.14.0-162.22.2.el9_1.x86_64.rpm	71b16126e41c6d6282a3d23ae21a1a06b7dd395215bd04969f83892665931994	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-162.22.2.el9_1.x86_64.rpm	71b16126e41c6d6282a3d23ae21a1a06b7dd395215bd04969f83892665931994	-	ol9_x86_64_u1_baseos_patch
	kernel-abi-stablelists-5.14.0-162.22.2.el9_1.noarch.rpm	4694fac68d0a0ddabec90bd1305d9badfd14e7d9f5e5f80507e514caf8c4b08c	-	ol9_x86_64_baseos_latest
	kernel-abi-stablelists-5.14.0-162.22.2.el9_1.noarch.rpm	4694fac68d0a0ddabec90bd1305d9badfd14e7d9f5e5f80507e514caf8c4b08c	-	ol9_x86_64_u1_baseos_patch
	kernel-core-5.14.0-162.22.2.el9_1.x86_64.rpm	7383c74219ded559db68d768193ec9348d9e82dddc5622a094913e16efb7ab55	-	ol9_x86_64_baseos_latest
	kernel-core-5.14.0-162.22.2.el9_1.x86_64.rpm	7383c74219ded559db68d768193ec9348d9e82dddc5622a094913e16efb7ab55	-	ol9_x86_64_u1_baseos_patch
	kernel-cross-headers-5.14.0-162.22.2.el9_1.x86_64.rpm	e779e0895dc7be5032ebd4fedc4741039609d36674fe0ce338858966bc8ea0e2	-	ol9_x86_64_codeready_builder
	kernel-debug-5.14.0-162.22.2.el9_1.x86_64.rpm	bd9212789e4939ba234da6b351f82833cfa50bdab5e6c89b88438dacedd6353e	-	ol9_x86_64_baseos_latest
	kernel-debug-5.14.0-162.22.2.el9_1.x86_64.rpm	bd9212789e4939ba234da6b351f82833cfa50bdab5e6c89b88438dacedd6353e	-	ol9_x86_64_u1_baseos_patch
	kernel-debug-core-5.14.0-162.22.2.el9_1.x86_64.rpm	9cb357961617b340d8a6da0dc4327b6323f4300204c5c6ae44302a136a1e53f3	-	ol9_x86_64_baseos_latest
	kernel-debug-core-5.14.0-162.22.2.el9_1.x86_64.rpm	9cb357961617b340d8a6da0dc4327b6323f4300204c5c6ae44302a136a1e53f3	-	ol9_x86_64_u1_baseos_patch
	kernel-debug-devel-5.14.0-162.22.2.el9_1.x86_64.rpm	420ae2262a2f3f3f621d69167e36a19ee0d9db008f8b7b8ca19b041f9c9e3040	-	ol9_x86_64_appstream
	kernel-debug-devel-matched-5.14.0-162.22.2.el9_1.x86_64.rpm	f24a297171588f68f17e9203a7ca5039ecaf74a41f56c74ff3c90c6bd1f0c194	-	ol9_x86_64_appstream
	kernel-debug-modules-5.14.0-162.22.2.el9_1.x86_64.rpm	16a7374f22c7dd742ce3068a2a9cd15e34931f603fcab6a14d9a5d3fa565d9cd	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-5.14.0-162.22.2.el9_1.x86_64.rpm	16a7374f22c7dd742ce3068a2a9cd15e34931f603fcab6a14d9a5d3fa565d9cd	-	ol9_x86_64_u1_baseos_patch
	kernel-debug-modules-extra-5.14.0-162.22.2.el9_1.x86_64.rpm	7744f2b71daf5124adf53b063b9bf61c6cf9a0b49b60b2468eb25bb063cf32ab	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-extra-5.14.0-162.22.2.el9_1.x86_64.rpm	7744f2b71daf5124adf53b063b9bf61c6cf9a0b49b60b2468eb25bb063cf32ab	-	ol9_x86_64_u1_baseos_patch
	kernel-devel-5.14.0-162.22.2.el9_1.x86_64.rpm	a64f289229c0097fc527522117f1aa8eb104af985aebbdfa41d18292516dbba5	-	ol9_x86_64_appstream
	kernel-devel-matched-5.14.0-162.22.2.el9_1.x86_64.rpm	03c04203d306e12889220895f29242119258cab253bf24b5365f88a760ab9fc2	-	ol9_x86_64_appstream
	kernel-doc-5.14.0-162.22.2.el9_1.noarch.rpm	181c581e23e38e5544a936357bc8c7a078c9538fdffff4411987591b73e4cd50	-	ol9_x86_64_appstream
	kernel-headers-5.14.0-162.22.2.el9_1.x86_64.rpm	2dbd40d739327e992118bf3b824a64b02e2f936db66e301c637fb5f4999d929d	-	ol9_x86_64_appstream
	kernel-modules-5.14.0-162.22.2.el9_1.x86_64.rpm	4547976eaf4d40cf84ef46aa95d8598ab5981db42b7baa20ef80535827474102	-	ol9_x86_64_baseos_latest
	kernel-modules-5.14.0-162.22.2.el9_1.x86_64.rpm	4547976eaf4d40cf84ef46aa95d8598ab5981db42b7baa20ef80535827474102	-	ol9_x86_64_u1_baseos_patch
	kernel-modules-extra-5.14.0-162.22.2.el9_1.x86_64.rpm	10a9af419a4f2d40378b1b4ee41b05c8a322e6941bd14a90776787397032ae72	-	ol9_x86_64_baseos_latest
	kernel-modules-extra-5.14.0-162.22.2.el9_1.x86_64.rpm	10a9af419a4f2d40378b1b4ee41b05c8a322e6941bd14a90776787397032ae72	-	ol9_x86_64_u1_baseos_patch
	kernel-tools-5.14.0-162.22.2.el9_1.x86_64.rpm	b598eae2ce24fecede51496186823b742c9384d0a924fa239975eb524ba47098	-	ol9_x86_64_baseos_latest
	kernel-tools-5.14.0-162.22.2.el9_1.x86_64.rpm	b598eae2ce24fecede51496186823b742c9384d0a924fa239975eb524ba47098	-	ol9_x86_64_u1_baseos_patch
	kernel-tools-libs-5.14.0-162.22.2.el9_1.x86_64.rpm	c50087def4b16088ee7991afe5e667f32067ccb14857e48a9ab23e920a444b4b	-	ol9_x86_64_baseos_latest
	kernel-tools-libs-5.14.0-162.22.2.el9_1.x86_64.rpm	c50087def4b16088ee7991afe5e667f32067ccb14857e48a9ab23e920a444b4b	-	ol9_x86_64_u1_baseos_patch
	kernel-tools-libs-devel-5.14.0-162.22.2.el9_1.x86_64.rpm	dcc16a8090b56221862e0280838461c88931df1fd4fac03df9c25d810f80d58d	-	ol9_x86_64_codeready_builder
	perf-5.14.0-162.22.2.el9_1.x86_64.rpm	e3d576c56646cf4ad4c9ea390494330c39db9cdeeb70dc8862bbfa89f7aac50d	-	ol9_x86_64_appstream
	python3-perf-5.14.0-162.22.2.el9_1.x86_64.rpm	68514104857ed7c39c7e3eda54133e92a97674897a3f064969584e9df5622830	-	ol9_x86_64_baseos_latest
	python3-perf-5.14.0-162.22.2.el9_1.x86_64.rpm	68514104857ed7c39c7e3eda54133e92a97674897a3f064969584e9df5622830	-	ol9_x86_64_u1_baseos_patch

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team