ELSA-2024-3306

ELSA-2024-3306 - kernel security and bug fix update

Type: SECURITY
Severity: MODERATE
Release Date: 2024-05-23

Description


[5.14.0-427.18.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.18.1_4]
- netfilter: nf_tables: disallow anonymous set with timeout flag (Phil Sutter) [RHEL-32971 RHEL-30082] {CVE-2024-26642}
- netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout (Phil Sutter) [RHEL-33070 RHEL-30078] {CVE-2024-26643}
- netfilter: nft_ct: fix l3num expectations with inet pseudo family (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (Phil Sutter) [RHEL-32963 RHEL-31345] {CVE-2024-26673}
- arm64: tlb: Fix TLBI RANGE operand (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- arm64/mm: Modify range-based tlbi to decrement scale (Shaoqin Huang) [RHEL-33412 RHEL-26259]
- rh_messages.h: mark mlx5 on Bluefield-3 as unmaintained (Scott Weaver) [RHEL-35878 RHEL-33061]
- net: ip_tunnel: prevent perpetual headroom growth (Guillaume Nault) [RHEL-33934 RHEL-31816] {CVE-2024-26804}
- gitlab-ci: use zstream builder container image (Michael Hofmann)
- selftests: net: gro fwd: update vxlan GRO test expectations (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: prevent local UDP tunnel packets from being GROed (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not transition UDP GRO fraglist partial checksums to unnecessary (Antoine Tenart) [RHEL-30910 RHEL-19729]
- gro: fix ownership transfer (Antoine Tenart) [RHEL-30910 RHEL-19729]
- udp: do not accept non-tunnel GSO skbs landing in a tunnel (Antoine Tenart) [RHEL-30910 RHEL-19729]
- bpf, tcx: Get rid of tcx_link_const (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add additional mprog query test coverage (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Make seen_tc* variable tests more robust (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test query on empty mprog and pass revision into attach (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Adapt assert_mprog_count to always expect 0 count (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Test bpf_mprog query API via libbpf and raw syscall (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftest/bpf: Add various selftests for program limits (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Refuse unused attributes in bpf_prog_{attach,detach} (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Handle bpf_mprog_query with NULL entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- net: Fix skb consume leak in sch_handle_egress (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add various more tcx test cases (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add test for detachment on empty mprog entry (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat during dev unregister (Felix Maurer) [RHEL-33062 RHEL-28590]
- tcx: Fix splat in ingress_destroy upon tcx_entry_free (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx links (Felix Maurer) [RHEL-33062 RHEL-28590]
- selftests/bpf: Add mprog API tests for BPF tcx opts (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpf: Add fd-based tcx multi-prog infra with link support (Felix Maurer) [RHEL-33062 RHEL-28590]
- bpftool: Implement link show support for tcx (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpftool: Extend net dump with tcx progs (Artem Savkov) [RHEL-33062 RHEL-23643]
- bpf: fix precision backtracking instruction iteration (Jay Shin) [RHEL-35230 RHEL-23643]

[5.14.0-427.17.1_4]
- ceph: switch to use cap_delay_lock for the unlink delay list (Jay Shin) [RHEL-33003 RHEL-32997]
- ceph: remove useless session parameter for check_caps() (Xiubo Li) [RHEL-33003 RHEL-19813]
- ceph: flush the dirty caps immediatelly when quota is approaching (Xiubo Li) [RHEL-33003 RHEL-19813]
- vhost: Add smp_rmb() in vhost_enable_notify() (Gavin Shan) [RHEL-31839 RHEL-26104]
- vhost: Add smp_rmb() in vhost_vq_avail_empty() (Gavin Shan) [RHEL-31839 RHEL-26104]
- iommu/vt-d: Support enforce_cache_coherency only for empty domains (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Add MTL to quirk list to skip TE disabling (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Make context clearing consistent with context mapping (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Disable PCI ATS in legacy passthrough mode (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- iommu/vt-d: Omit devTLB invalidation requests when TES=0 (Jerry Snitselaar) [RHEL-32793 RHEL-31083]
- PCI/MSI: Prevent MSI hardware interrupt number truncation (Myron Stowe) [RHEL-33656 RHEL-21453]


Related CVEs


CVE-2024-26643
CVE-2024-26642
CVE-2024-26804
CVE-2024-26673

Updated Packages


| Release/Architecture | Filename | MD5sum | Superseded By Advisory | Channel Label |
|---|---|---|---|---|
| Oracle Linux 9 (aarch64) | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_aarch64_appstream |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_aarch64_baseos_latest |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_aarch64_codeready_builder |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_aarch64_u4_baseos_patch |
| | bpftool-7.3.0-427.18.1.el9_4.aarch64.rpm | 3c72890d30ebd4ef2e482671ddffa5ce | - | ol9_aarch64_baseos_latest |
| | bpftool-7.3.0-427.18.1.el9_4.aarch64.rpm | 3c72890d30ebd4ef2e482671ddffa5ce | - | ol9_aarch64_u4_baseos_patch |
| | kernel-cross-headers-5.14.0-427.18.1.el9_4.aarch64.rpm | aa32795f819d903ae398365d468feedf | - | ol9_aarch64_codeready_builder |
| | kernel-headers-5.14.0-427.18.1.el9_4.aarch64.rpm | 9274ed3394fc5d6a65730abe57b66706 | - | ol9_aarch64_appstream |
| | kernel-tools-5.14.0-427.18.1.el9_4.aarch64.rpm | 0021d262a6e6ad67eadd1d33e12c025b | - | ol9_aarch64_baseos_latest |
| | kernel-tools-5.14.0-427.18.1.el9_4.aarch64.rpm | 0021d262a6e6ad67eadd1d33e12c025b | - | ol9_aarch64_u4_baseos_patch |
| | kernel-tools-libs-5.14.0-427.18.1.el9_4.aarch64.rpm | a9ee3e85b98ba7aae3e029953ffc833e | - | ol9_aarch64_baseos_latest |
| | kernel-tools-libs-5.14.0-427.18.1.el9_4.aarch64.rpm | a9ee3e85b98ba7aae3e029953ffc833e | - | ol9_aarch64_u4_baseos_patch |
| | kernel-tools-libs-devel-5.14.0-427.18.1.el9_4.aarch64.rpm | ea0a01c818f5cac00e95a90e9bdde168 | - | ol9_aarch64_codeready_builder |
| | perf-5.14.0-427.18.1.el9_4.aarch64.rpm | ccbb4a7612e04dcdd0d300a8658f09c6 | - | ol9_aarch64_appstream |
| | python3-perf-5.14.0-427.18.1.el9_4.aarch64.rpm | dc188a7c306e4d95b6eb37071a1897cd | - | ol9_aarch64_baseos_latest |
| | python3-perf-5.14.0-427.18.1.el9_4.aarch64.rpm | dc188a7c306e4d95b6eb37071a1897cd | - | ol9_aarch64_u4_baseos_patch |
| Oracle Linux 9 (x86_64) | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_x86_64_appstream |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_x86_64_baseos_latest |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_x86_64_codeready_builder |
| | kernel-5.14.0-427.18.1.el9_4.src.rpm | b7c0ec0bfbb92a55d515081b48c2e83d | - | ol9_x86_64_u4_baseos_patch |
| | bpftool-7.3.0-427.18.1.el9_4.x86_64.rpm | 49d9adf15fde105a3da73cedb2d26f92 | - | ol9_x86_64_baseos_latest |
| | bpftool-7.3.0-427.18.1.el9_4.x86_64.rpm | 49d9adf15fde105a3da73cedb2d26f92 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-5.14.0-427.18.1.el9_4.x86_64.rpm | d0ddcf7fcebaf7f3a92fd8e87eeb419a | - | ol9_x86_64_baseos_latest |
| | kernel-5.14.0-427.18.1.el9_4.x86_64.rpm | d0ddcf7fcebaf7f3a92fd8e87eeb419a | - | ol9_x86_64_u4_baseos_patch |
| | kernel-abi-stablelists-5.14.0-427.18.1.el9_4.noarch.rpm | 84f90e2848f897032f17a1f163902832 | - | ol9_x86_64_baseos_latest |
| | kernel-abi-stablelists-5.14.0-427.18.1.el9_4.noarch.rpm | 84f90e2848f897032f17a1f163902832 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 1ad5b1743585e90601a5594279e7eab3 | - | ol9_x86_64_baseos_latest |
| | kernel-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 1ad5b1743585e90601a5594279e7eab3 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-cross-headers-5.14.0-427.18.1.el9_4.x86_64.rpm | 025bd66640fe72fb8b4ae821a017ed10 | - | ol9_x86_64_codeready_builder |
| | kernel-debug-5.14.0-427.18.1.el9_4.x86_64.rpm | f3f45f5aa6f37d5cdc1a4c8478322330 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-5.14.0-427.18.1.el9_4.x86_64.rpm | f3f45f5aa6f37d5cdc1a4c8478322330 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-debug-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 05edebe9e1fe54f58da61ce04ae05963 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 05edebe9e1fe54f58da61ce04ae05963 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-debug-devel-5.14.0-427.18.1.el9_4.x86_64.rpm | 8a9d17bb8b5e0bbf1387308a6daf9b6c | - | ol9_x86_64_appstream |
| | kernel-debug-devel-matched-5.14.0-427.18.1.el9_4.x86_64.rpm | 077e47f54f7dfe5c9f2b6f55dce8cd50 | - | ol9_x86_64_appstream |
| | kernel-debug-modules-5.14.0-427.18.1.el9_4.x86_64.rpm | 77897d4844e9e063bcec26131f5c6102 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-modules-5.14.0-427.18.1.el9_4.x86_64.rpm | 77897d4844e9e063bcec26131f5c6102 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-debug-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 7a75bf50758bc8c16999276a89c2e5e1 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 7a75bf50758bc8c16999276a89c2e5e1 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-debug-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm | 1f5eb2d4a5ce0056ca8e73732be48ca8 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm | 1f5eb2d4a5ce0056ca8e73732be48ca8 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-debug-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm | a6440259a2fe89021ce6aeffde22eef8 | - | ol9_x86_64_baseos_latest |
| | kernel-debug-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm | a6440259a2fe89021ce6aeffde22eef8 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-devel-5.14.0-427.18.1.el9_4.x86_64.rpm | f630065ddf833be8d713d1188eb65095 | - | ol9_x86_64_appstream |
| | kernel-devel-matched-5.14.0-427.18.1.el9_4.x86_64.rpm | 2e8502b079af18d06cac9989b05b2488 | - | ol9_x86_64_appstream |
| | kernel-doc-5.14.0-427.18.1.el9_4.noarch.rpm | dd3f4852794249c1e1cc3c9d4314f207 | - | ol9_x86_64_appstream |
| | kernel-headers-5.14.0-427.18.1.el9_4.x86_64.rpm | 218a57c2b91576af18b96e1bd4cec1d5 | - | ol9_x86_64_appstream |
| | kernel-modules-5.14.0-427.18.1.el9_4.x86_64.rpm | 13aa1bf75ce506046451512d12ef49e6 | - | ol9_x86_64_baseos_latest |
| | kernel-modules-5.14.0-427.18.1.el9_4.x86_64.rpm | 13aa1bf75ce506046451512d12ef49e6 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 9ce4b16cc084d49dc0b78c961deff84b | - | ol9_x86_64_baseos_latest |
| | kernel-modules-core-5.14.0-427.18.1.el9_4.x86_64.rpm | 9ce4b16cc084d49dc0b78c961deff84b | - | ol9_x86_64_u4_baseos_patch |
| | kernel-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm | 6514a0b2224616eebc08b0ebfd4525a0 | - | ol9_x86_64_baseos_latest |
| | kernel-modules-extra-5.14.0-427.18.1.el9_4.x86_64.rpm | 6514a0b2224616eebc08b0ebfd4525a0 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-tools-5.14.0-427.18.1.el9_4.x86_64.rpm | ba420c625e65fc46bcfd455c17882747 | - | ol9_x86_64_baseos_latest |
| | kernel-tools-5.14.0-427.18.1.el9_4.x86_64.rpm | ba420c625e65fc46bcfd455c17882747 | - | ol9_x86_64_u4_baseos_patch |
| | kernel-tools-libs-5.14.0-427.18.1.el9_4.x86_64.rpm | c391297dfe99ebd0d4a7af528eb7005c | - | ol9_x86_64_baseos_latest |
| | kernel-tools-libs-5.14.0-427.18.1.el9_4.x86_64.rpm | c391297dfe99ebd0d4a7af528eb7005c | - | ol9_x86_64_u4_baseos_patch |
| | kernel-tools-libs-devel-5.14.0-427.18.1.el9_4.x86_64.rpm | aebd5cbae76e1f85c46be93a0f4161f9 | - | ol9_x86_64_codeready_builder |
| | kernel-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm | 86e79d73f8241c2a8f7fb15ccdd190d4 | - | ol9_x86_64_baseos_latest |
| | kernel-uki-virt-5.14.0-427.18.1.el9_4.x86_64.rpm | 86e79d73f8241c2a8f7fb15ccdd190d4 | - | ol9_x86_64_u4_baseos_patch |
| | libperf-5.14.0-427.18.1.el9_4.x86_64.rpm | 9b4f812cc166ed27d6fb8e6551d3e015 | - | ol9_x86_64_codeready_builder |
| | perf-5.14.0-427.18.1.el9_4.x86_64.rpm | c389e62d6d7aedd4780971eebf2f246b | - | ol9_x86_64_appstream |
| | python3-perf-5.14.0-427.18.1.el9_4.x86_64.rpm | f00e4cd5933443a7794eab739a4879db | - | ol9_x86_64_baseos_latest |
| | python3-perf-5.14.0-427.18.1.el9_4.x86_64.rpm | f00e4cd5933443a7794eab739a4879db | - | ol9_x86_64_u4_baseos_patch |
| | rtla-5.14.0-427.18.1.el9_4.x86_64.rpm | fddfdb9adf88a666da53d387acf06efb | - | ol9_x86_64_appstream |
| | rv-5.14.0-427.18.1.el9_4.x86_64.rpm | 3fbfb39fbf1a95ac822972a50420cb8a | - | ol9_x86_64_appstream |



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections, please contact the Oracle Linux ULN team.
