ELSA-2024-3306

ELSA-2024-3306 - kernel security and bug fix update

Type: SECURITY
Impact: MODERATE
Release Date: 2024-05-23

Description


[5.14.0-427.18.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.18.1_4]
- netfilter: nf_tables: disallow anonymous set with timeout flag (Phil Sutter) [RHEL-32971 RHEL-30082] {CVE-2024-26642}
- netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout (Phil Sutter) [RHEL-33070 RHEL-30078] {CVE-2024-26643}
- netfilter: nft_ct: fix l3num expectations with inet pseudo family (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- arm64: tlb: Fix TLBI RANGE operand (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- arm64/mm: Modify range-based tlbi to decrement scale (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- rh_messages.h: mark mlx5 on Bluefield-3 as unmaintained (Scott Weaver) [RHEL-35878 RHEL-33061]
- net: ip_tunnel: prevent perpetual headroom growth (Guillaume Nault) [RHEL-33934 RHEL-31816] {CVE-2024-26804}
- gitlab-ci: use zstream builder container image (Michael Hofmann)
- selftests: net: gro fwd: update vxlan GRO test expectations (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: prevent local UDP tunnel packets from being GROed (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not transition UDP GRO fraglist partial checksums to unnecessary (Antoine Tenart) [RHEL-30910 RHEL-19729]
- gro: fix ownership transfer (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not accept non-tunnel GSO skbs landing in a tunnel (Antoine Tenart) [RHEL-30910 RHEL-19729]
- bpf, tcx: Get rid of tcx_link_const (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add additional mprog query test coverage (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Make seen_tc* variable tests more robust (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test query on empty mprog and pass revision into attach (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Adapt assert_mprog_count to always expect 0 count (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test bpf_mprog query API via libbpf and raw syscall (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftest/bpf: Add various selftests for program limits (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Refuse unused attributes in bpf_prog_{attach,detach} (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Handle bpf_mprog_query with NULL entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- net: Fix skb consume leak in sch_handle_egress (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add various more tcx test cases (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add test for detachment on empty mprog entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat during dev unregister (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat in ingress_destroy upon tcx_entry_free (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx links (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx opts (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Add fd-based tcx multi-prog infra with link support (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpftool: Implement link show support for tcx (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpftool: Extend net dump with tcx progs (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpf: fix precision backtracking instruction iteration (Jay Shin) [RHEL-35230 RHEL-23643]

[5.14.0-427.17.1_4]
- ceph: switch to use cap_delay_lock for the unlink delay list (Jay Shin) [RHEL-33003 RHEL-32997]
- ceph: remove useless session parameter for check_caps() (Xiubo Li) [RHEL-33003 RHEL-19813]
- ceph: flush the dirty caps immediatelly when quota is approaching (Xiubo Li) [RHEL-33003 RHEL-19813]
- vhost: Add smp_rmb() in vhost_enable_notify() (Gavin Shan) [RHEL-31839 RHEL-26104]
- vhost: Add smp_rmb() in vhost_vq_avail_empty() (Gavin Shan) [RHEL-31839 RHEL-26104]
- iommu/vt-d: Support enforce_cache_coherency only for empty domains (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Add MTL to quirk list to skip TE disabling (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Make context clearing consistent with context mapping (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Disable PCI ATS in legacy passthrough mode (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Omit devTLB invalidation requests when TES=0 (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- PCI/MSI: Prevent MSI hardware interrupt number truncation (Myron Stowe) [RHEL-33656 RHEL-21453]


Related CVEs


CVE-2024-26643
CVE-2024-26642
CVE-2024-26804
CVE-2024-26673

Updated Packages





This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team