ELSA-2024-4583 - kernel security update

Type: SECURITY
Severity: IMPORTANT
Release Date: 2024-07-18

Description


[5.14.0-427.26.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.26.1_4]
- net: ena: Fix incorrect descriptor free behavior (Kamal Heib) [RHEL-39217 RHEL-37430] {CVE-2024-35958}
- tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). (Guillaume Nault) [RHEL-41749 RHEL-39837] {CVE-2024-36904}
- mm/mglru: Revert 'don't sync disk for each aging cycle' (Waiman Long) [RHEL-44418]
- tipc: fix UAF in error path (Xin Long) [RHEL-34848 RHEL-34280] {CVE-2024-36886}
- selftest/cgroup: Update test_cpuset_prs.sh to match changes (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Make cpuset.cpus.exclusive independent of cpuset.cpus (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition (Waiman Long) [RHEL-45139]
- selftest/cgroup: Fix test_cpuset_prs.sh problems reported by test robot (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix remote root partition creation problem (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Optimize isolated partition only generate_sched_domains() calls (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix retval in update_cpumask() (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix a memory leak in update_exclusive_cpumask() (Waiman Long) [RHEL-45139]
- ice: implement AQ download pkg retry (Petr Oros) [RHEL-38907 RHEL-17318]
- redhat: include resolve_btfids in kernel-devel (Viktor Malik) [RHEL-43426 RHEL-40707]
- blk-cgroup: fix list corruption from resetting io stat (cki-backport-bot) [RHEL-44977] {CVE-2024-38663}
- misc: rtsx: do clear express reg every SD_INT (David Arcari) [RHEL-39985 RHEL-33706]
- misc: rtsx: Fix rts5264 driver status incorrect when card removed (David Arcari) [RHEL-39985 RHEL-33706]
- netfilter: tproxy: bail out if IP has been disabled on the device (cki-backport-bot) [RHEL-44371] {CVE-2024-36270}
- lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure (cki-backport-bot) [RHEL-44263 RHEL-44261] {CVE-2024-38543}
- r8169: Fix possible ring buffer corruption on fragmented Tx packets. (cki-backport-bot) [RHEL-44039] {CVE-2024-38586}
- net: micrel: Fix receiving the timestamp in the frame for lan8841 (cki-backport-bot) [RHEL-43996] {CVE-2024-38593}
- vt: fix memory overlapping when deleting chars in the buffer (Waiman Long) [RHEL-43379 RHEL-27780] {CVE-2022-48627}
- net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map (Kamal Heib) [RHEL-42728 RHEL-34192] {CVE-2024-26858}
- locking/atomic: Make test_and_*_bit() ordered on failure (Paolo Bonzini) [RHEL-45896]
- mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index (Rafael Aquini) [RHEL-42659 RHEL-31840] {CVE-2024-26783}
- can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock (Jose Ignacio Tornos Martinez) [RHEL-42379 RHEL-31530] {CVE-2023-52638}
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() (Ken Cox) [RHEL-42226 RHEL-38715] {CVE-2021-47548}

[5.14.0-427.25.1_4]
- nvme: fix reconnection fail due to reserved tag allocation (Maurizio Lombardi) [RHEL-42896 RHEL-36896] {CVE-2024-27435}
- net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg (cki-backport-bot) [RHEL-43625] {CVE-2021-47596}
- scsi: sg: Avoid race in error handling & drop bogus warn (Ewan D. Milne) [RHEL-36106 RHEL-35659]
- scsi: sg: Avoid sg device teardown race (Ewan D. Milne) [RHEL-36106 RHEL-35659]
- netfilter: nf_tables: use timestamp to check for set element timeout (Florian Westphal) [RHEL-38032 RHEL-33985] {CVE-2024-27397}
- netfilter: nft_set_rbtree: Remove unused variable nft_net (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nft_set_rbtree: prefer sync gc to async worker (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nft_set_rbtree: rename gc deactivate+erase function (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nf_tables: de-constify set commit ops function argument (Florian Westphal) [RHEL-38032 RHEL-33985]
- octeontx2-af: avoid off-by-one read from userspace (Kamal Heib) [RHEL-40486 RHEL-39873] {CVE-2024-36957}


Related CVEs


CVE-2021-47548
CVE-2023-52638
CVE-2024-27397
CVE-2024-35958
CVE-2024-36270
CVE-2024-38586
CVE-2024-38593
CVE-2024-38663
CVE-2021-47596
CVE-2024-36957
CVE-2024-36904
CVE-2024-36886
CVE-2022-48627
CVE-2024-26783
CVE-2024-27435
CVE-2024-26858
CVE-2024-38543

Updated Packages


Release/Architecture | Filename | MD5sum | Superseded By Advisory | Channel Label
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.26.1.el9_4.aarch64.rpm | 80658e45d8e587aa810dcba3b7619410 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.26.1.el9_4.aarch64.rpm | 80658e45d8e587aa810dcba3b7619410 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-cross-headers-5.14.0-427.26.1.el9_4.aarch64.rpm | 6b2180eb4570ebe9cdccb75665348728 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-headers-5.14.0-427.26.1.el9_4.aarch64.rpm | 572f8b0beb9623c42c68a65fd370ef00 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.26.1.el9_4.aarch64.rpm | 47153ae6757f4c85fd5fb6bf48abd8c9 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.26.1.el9_4.aarch64.rpm | 47153ae6757f4c85fd5fb6bf48abd8c9 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.26.1.el9_4.aarch64.rpm | 9e303b3a42f29d40a30123f7cb8f443a | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.26.1.el9_4.aarch64.rpm | 9e303b3a42f29d40a30123f7cb8f443a | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-devel-5.14.0-427.26.1.el9_4.aarch64.rpm | 48717be9be847d0b5e8e33161b330f0a | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | perf-5.14.0-427.26.1.el9_4.aarch64.rpm | 67737a3cf2da033db4417e2dd3e366d6 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.26.1.el9_4.aarch64.rpm | a1502909caa6865af3d6ee7125a98c88 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.26.1.el9_4.aarch64.rpm | a1502909caa6865af3d6ee7125a98c88 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.src.rpm | 8a5d9881a5a84c18ea931a399b087bf9 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.26.1.el9_4.x86_64.rpm | 507d392d9891764d324d78acd10c6b1b | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.26.1.el9_4.x86_64.rpm | 507d392d9891764d324d78acd10c6b1b | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.x86_64.rpm | 6dd7d4e332d613c35f8bf1c811ac6099 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.26.1.el9_4.x86_64.rpm | 6dd7d4e332d613c35f8bf1c811ac6099 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.26.1.el9_4.noarch.rpm | fcc131494cb9194ffffa4420df8caaec | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.26.1.el9_4.noarch.rpm | fcc131494cb9194ffffa4420df8caaec | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 5430dccb531fda6657ac4f7d459b60bb | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 5430dccb531fda6657ac4f7d459b60bb | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-cross-headers-5.14.0-427.26.1.el9_4.x86_64.rpm | 78c2977b6a9952a477a35e3da7f2e71d | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.26.1.el9_4.x86_64.rpm | 7b3c5c282afa9154575453c6251e3113 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.26.1.el9_4.x86_64.rpm | 7b3c5c282afa9154575453c6251e3113 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 002d58da651bb2fcc997c68cc1847f23 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 002d58da651bb2fcc997c68cc1847f23 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-devel-5.14.0-427.26.1.el9_4.x86_64.rpm | dbbadfebedb7e2d8aefc9767d6476fc2 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-devel-matched-5.14.0-427.26.1.el9_4.x86_64.rpm | c8945b9a0351e44cb5bfaf763adf4ce5 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.26.1.el9_4.x86_64.rpm | c27520df8ad33394e14145f2aad9a44b | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.26.1.el9_4.x86_64.rpm | c27520df8ad33394e14145f2aad9a44b | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 225822c67890d71f627e16cf6b758d0a | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm | 225822c67890d71f627e16cf6b758d0a | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm | a03d730b984ee1c124c110b4d4ec5010 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm | a03d730b984ee1c124c110b4d4ec5010 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm | d7cc2a22ce157f700c659e9cbaa97d93 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm | d7cc2a22ce157f700c659e9cbaa97d93 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-devel-5.14.0-427.26.1.el9_4.x86_64.rpm | c3533ab7de36dcb4584418dc021a8e70 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-devel-matched-5.14.0-427.26.1.el9_4.x86_64.rpm | c9ade80bd3b0f340e125c90e91e47393 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-doc-5.14.0-427.26.1.el9_4.noarch.rpm | 0d9836f21883311a9ff694a506514db9 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-headers-5.14.0-427.26.1.el9_4.x86_64.rpm | 1cf930ee0f887702b8d01b91ac321bc3 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.26.1.el9_4.x86_64.rpm | 0cf8ea1e224b0ed2c839154758001650 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.26.1.el9_4.x86_64.rpm | 0cf8ea1e224b0ed2c839154758001650 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm | e7691d7f77106201f28a6e871b5b61d5 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm | e7691d7f77106201f28a6e871b5b61d5 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm | f098b63554ee79144400a0caea04722b | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm | f098b63554ee79144400a0caea04722b | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.26.1.el9_4.x86_64.rpm | 89b2cb2f99f6c5a025b05d663b202dd8 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.26.1.el9_4.x86_64.rpm | 89b2cb2f99f6c5a025b05d663b202dd8 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.26.1.el9_4.x86_64.rpm | fc5b0d7dc9f2501e1aec5be524fcd2cd | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.26.1.el9_4.x86_64.rpm | fc5b0d7dc9f2501e1aec5be524fcd2cd | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-devel-5.14.0-427.26.1.el9_4.x86_64.rpm | 952c5467b7bad8a01854fb1aa6026a94 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm | 1cadf4adb2a2135fe4e813fef8fc6b87 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm | 1cadf4adb2a2135fe4e813fef8fc6b87 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | libperf-5.14.0-427.26.1.el9_4.x86_64.rpm | 229e89efcb5d76ce1da913493cbd9157 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | perf-5.14.0-427.26.1.el9_4.x86_64.rpm | 5e0a11e5dc74917790031dee03254286 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.26.1.el9_4.x86_64.rpm | cf86d2f6e91e6e31d6defa2e6bfd39ab | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.26.1.el9_4.x86_64.rpm | cf86d2f6e91e6e31d6defa2e6bfd39ab | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | rtla-5.14.0-427.26.1.el9_4.x86_64.rpm | 69113cdf6387fd685993112171f69acc | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | rv-5.14.0-427.26.1.el9_4.x86_64.rpm | aaf6db0b98b01ae88d07b1957221f04f | - | ol9_x86_64_appstream


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
