ELSA-2024-4583

ELSA-2024-4583 - kernel security update

Type:	SECURITY
Severity:	IMPORTANT
Release Date:	2024-07-18

Description

- [5.14.0-427.26.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.26.1_4]
- net: ena: Fix incorrect descriptor free behavior (Kamal Heib) [RHEL-39217 RHEL-37430] {CVE-2024-35958}
- tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). (Guillaume Nault) [RHEL-41749 RHEL-39837] {CVE-2024-36904}
- mm/mglru: Revert 'don't sync disk for each aging cycle' (Waiman Long) [RHEL-44418]
- tipc: fix UAF in error path (Xin Long) [RHEL-34848 RHEL-34280] {CVE-2024-36886}
- selftest/cgroup: Update test_cpuset_prs.sh to match changes (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Make cpuset.cpus.exclusive independent of cpuset.cpus (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition (Waiman Long) [RHEL-45139]
- selftest/cgroup: Fix test_cpuset_prs.sh problems reported by test robot (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix remote root partition creation problem (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Optimize isolated partition only generate_sched_domains() calls (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix retval in update_cpumask() (Waiman Long) [RHEL-45139]
- cgroup/cpuset: Fix a memory leak in update_exclusive_cpumask() (Waiman Long) [RHEL-45139]
- ice: implement AQ download pkg retry (Petr Oros) [RHEL-38907 RHEL-17318]
- redhat: include resolve_btfids in kernel-devel (Viktor Malik) [RHEL-43426 RHEL-40707]
- blk-cgroup: fix list corruption from resetting io stat (cki-backport-bot) [RHEL-44977] {CVE-2024-38663}
- misc: rtsx: do clear express reg every SD_INT (David Arcari) [RHEL-39985 RHEL-33706]
- misc: rtsx: Fix rts5264 driver status incorrect when card removed (David Arcari) [RHEL-39985 RHEL-33706]
- netfilter: tproxy: bail out if IP has been disabled on the device (cki-backport-bot) [RHEL-44371] {CVE-2024-36270}
- lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure (cki-backport-bot) [RHEL-44263 RHEL-44261] {CVE-2024-38543}
- r8169: Fix possible ring buffer corruption on fragmented Tx packets. (cki-backport-bot) [RHEL-44039] {CVE-2024-38586}
- net: micrel: Fix receiving the timestamp in the frame for lan8841 (cki-backport-bot) [RHEL-43996] {CVE-2024-38593}
- vt: fix memory overlapping when deleting chars in the buffer (Waiman Long) [RHEL-43379 RHEL-27780] {CVE-2022-48627}
- net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map (Kamal Heib) [RHEL-42728 RHEL-34192] {CVE-2024-26858}
- locking/atomic: Make test_and_*_bit() ordered on failure (Paolo Bonzini) [RHEL-45896]
- mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index (Rafael Aquini) [RHEL-42659 RHEL-31840] {CVE-2024-26783}
- can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock (Jose Ignacio Tornos Martinez) [RHEL-42379 RHEL-31530] {CVE-2023-52638}
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() (Ken Cox) [RHEL-42226 RHEL-38715] {CVE-2021-47548}

[5.14.0-427.25.1_4]
- nvme: fix reconnection fail due to reserved tag allocation (Maurizio Lombardi) [RHEL-42896 RHEL-36896] {CVE-2024-27435}
- net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg (cki-backport-bot) [RHEL-43625] {CVE-2021-47596}
- scsi: sg: Avoid race in error handling & drop bogus warn (Ewan D. Milne) [RHEL-36106 RHEL-35659]
- scsi: sg: Avoid sg device teardown race (Ewan D. Milne) [RHEL-36106 RHEL-35659]
- netfilter: nf_tables: use timestamp to check for set element timeout (Florian Westphal) [RHEL-38032 RHEL-33985] {CVE-2024-27397}
- netfilter: nft_set_rbtree: Remove unused variable nft_net (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nft_set_rbtree: prefer sync gc to async worker (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nft_set_rbtree: rename gc deactivate+erase function (Florian Westphal) [RHEL-38032 RHEL-33985]
- netfilter: nf_tables: de-constify set commit ops function argument (Florian Westphal) [RHEL-38032 RHEL-33985]
- octeontx2-af: avoid off-by-one read from userspace (Kamal Heib) [RHEL-40486 RHEL-39873] {CVE-2024-36957}

Related CVEs

CVE-2021-47548

CVE-2023-52638

CVE-2024-27397

CVE-2024-35958

CVE-2024-36270

CVE-2024-38586

CVE-2024-38593

CVE-2024-38663

CVE-2021-47596

CVE-2024-36957

CVE-2024-36904

CVE-2024-36886

CVE-2022-48627

CVE-2024-26783

CVE-2024-27435

CVE-2024-26858

CVE-2024-38543

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory	Channel Label
Oracle Linux 9 (aarch64)	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_aarch64_appstream
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_aarch64_baseos_latest
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_aarch64_codeready_builder
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_aarch64_u4_baseos_patch
	bpftool-7.3.0-427.26.1.el9_4.aarch64.rpm	80658e45d8e587aa810dcba3b7619410	-	ol9_aarch64_baseos_latest
	bpftool-7.3.0-427.26.1.el9_4.aarch64.rpm	80658e45d8e587aa810dcba3b7619410	-	ol9_aarch64_u4_baseos_patch
	kernel-cross-headers-5.14.0-427.26.1.el9_4.aarch64.rpm	6b2180eb4570ebe9cdccb75665348728	-	ol9_aarch64_codeready_builder
	kernel-headers-5.14.0-427.26.1.el9_4.aarch64.rpm	572f8b0beb9623c42c68a65fd370ef00	-	ol9_aarch64_appstream
	kernel-tools-5.14.0-427.26.1.el9_4.aarch64.rpm	47153ae6757f4c85fd5fb6bf48abd8c9	-	ol9_aarch64_baseos_latest
	kernel-tools-5.14.0-427.26.1.el9_4.aarch64.rpm	47153ae6757f4c85fd5fb6bf48abd8c9	-	ol9_aarch64_u4_baseos_patch
	kernel-tools-libs-5.14.0-427.26.1.el9_4.aarch64.rpm	9e303b3a42f29d40a30123f7cb8f443a	-	ol9_aarch64_baseos_latest
	kernel-tools-libs-5.14.0-427.26.1.el9_4.aarch64.rpm	9e303b3a42f29d40a30123f7cb8f443a	-	ol9_aarch64_u4_baseos_patch
	kernel-tools-libs-devel-5.14.0-427.26.1.el9_4.aarch64.rpm	48717be9be847d0b5e8e33161b330f0a	-	ol9_aarch64_codeready_builder
	perf-5.14.0-427.26.1.el9_4.aarch64.rpm	67737a3cf2da033db4417e2dd3e366d6	-	ol9_aarch64_appstream
	python3-perf-5.14.0-427.26.1.el9_4.aarch64.rpm	a1502909caa6865af3d6ee7125a98c88	-	ol9_aarch64_baseos_latest
	python3-perf-5.14.0-427.26.1.el9_4.aarch64.rpm	a1502909caa6865af3d6ee7125a98c88	-	ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (x86_64)	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_x86_64_appstream
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_x86_64_codeready_builder
	kernel-5.14.0-427.26.1.el9_4.src.rpm	8a5d9881a5a84c18ea931a399b087bf9	-	ol9_x86_64_u4_baseos_patch
	bpftool-7.3.0-427.26.1.el9_4.x86_64.rpm	507d392d9891764d324d78acd10c6b1b	-	ol9_x86_64_baseos_latest
	bpftool-7.3.0-427.26.1.el9_4.x86_64.rpm	507d392d9891764d324d78acd10c6b1b	-	ol9_x86_64_u4_baseos_patch
	kernel-5.14.0-427.26.1.el9_4.x86_64.rpm	6dd7d4e332d613c35f8bf1c811ac6099	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-427.26.1.el9_4.x86_64.rpm	6dd7d4e332d613c35f8bf1c811ac6099	-	ol9_x86_64_u4_baseos_patch
	kernel-abi-stablelists-5.14.0-427.26.1.el9_4.noarch.rpm	fcc131494cb9194ffffa4420df8caaec	-	ol9_x86_64_baseos_latest
	kernel-abi-stablelists-5.14.0-427.26.1.el9_4.noarch.rpm	fcc131494cb9194ffffa4420df8caaec	-	ol9_x86_64_u4_baseos_patch
	kernel-core-5.14.0-427.26.1.el9_4.x86_64.rpm	5430dccb531fda6657ac4f7d459b60bb	-	ol9_x86_64_baseos_latest
	kernel-core-5.14.0-427.26.1.el9_4.x86_64.rpm	5430dccb531fda6657ac4f7d459b60bb	-	ol9_x86_64_u4_baseos_patch
	kernel-cross-headers-5.14.0-427.26.1.el9_4.x86_64.rpm	78c2977b6a9952a477a35e3da7f2e71d	-	ol9_x86_64_codeready_builder
	kernel-debug-5.14.0-427.26.1.el9_4.x86_64.rpm	7b3c5c282afa9154575453c6251e3113	-	ol9_x86_64_baseos_latest
	kernel-debug-5.14.0-427.26.1.el9_4.x86_64.rpm	7b3c5c282afa9154575453c6251e3113	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-core-5.14.0-427.26.1.el9_4.x86_64.rpm	002d58da651bb2fcc997c68cc1847f23	-	ol9_x86_64_baseos_latest
	kernel-debug-core-5.14.0-427.26.1.el9_4.x86_64.rpm	002d58da651bb2fcc997c68cc1847f23	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-devel-5.14.0-427.26.1.el9_4.x86_64.rpm	dbbadfebedb7e2d8aefc9767d6476fc2	-	ol9_x86_64_appstream
	kernel-debug-devel-matched-5.14.0-427.26.1.el9_4.x86_64.rpm	c8945b9a0351e44cb5bfaf763adf4ce5	-	ol9_x86_64_appstream
	kernel-debug-modules-5.14.0-427.26.1.el9_4.x86_64.rpm	c27520df8ad33394e14145f2aad9a44b	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-5.14.0-427.26.1.el9_4.x86_64.rpm	c27520df8ad33394e14145f2aad9a44b	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm	225822c67890d71f627e16cf6b758d0a	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm	225822c67890d71f627e16cf6b758d0a	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm	a03d730b984ee1c124c110b4d4ec5010	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm	a03d730b984ee1c124c110b4d4ec5010	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm	d7cc2a22ce157f700c659e9cbaa97d93	-	ol9_x86_64_baseos_latest
	kernel-debug-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm	d7cc2a22ce157f700c659e9cbaa97d93	-	ol9_x86_64_u4_baseos_patch
	kernel-devel-5.14.0-427.26.1.el9_4.x86_64.rpm	c3533ab7de36dcb4584418dc021a8e70	-	ol9_x86_64_appstream
	kernel-devel-matched-5.14.0-427.26.1.el9_4.x86_64.rpm	c9ade80bd3b0f340e125c90e91e47393	-	ol9_x86_64_appstream
	kernel-doc-5.14.0-427.26.1.el9_4.noarch.rpm	0d9836f21883311a9ff694a506514db9	-	ol9_x86_64_appstream
	kernel-headers-5.14.0-427.26.1.el9_4.x86_64.rpm	1cf930ee0f887702b8d01b91ac321bc3	-	ol9_x86_64_appstream
	kernel-modules-5.14.0-427.26.1.el9_4.x86_64.rpm	0cf8ea1e224b0ed2c839154758001650	-	ol9_x86_64_baseos_latest
	kernel-modules-5.14.0-427.26.1.el9_4.x86_64.rpm	0cf8ea1e224b0ed2c839154758001650	-	ol9_x86_64_u4_baseos_patch
	kernel-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm	e7691d7f77106201f28a6e871b5b61d5	-	ol9_x86_64_baseos_latest
	kernel-modules-core-5.14.0-427.26.1.el9_4.x86_64.rpm	e7691d7f77106201f28a6e871b5b61d5	-	ol9_x86_64_u4_baseos_patch
	kernel-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm	f098b63554ee79144400a0caea04722b	-	ol9_x86_64_baseos_latest
	kernel-modules-extra-5.14.0-427.26.1.el9_4.x86_64.rpm	f098b63554ee79144400a0caea04722b	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-5.14.0-427.26.1.el9_4.x86_64.rpm	89b2cb2f99f6c5a025b05d663b202dd8	-	ol9_x86_64_baseos_latest
	kernel-tools-5.14.0-427.26.1.el9_4.x86_64.rpm	89b2cb2f99f6c5a025b05d663b202dd8	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-libs-5.14.0-427.26.1.el9_4.x86_64.rpm	fc5b0d7dc9f2501e1aec5be524fcd2cd	-	ol9_x86_64_baseos_latest
	kernel-tools-libs-5.14.0-427.26.1.el9_4.x86_64.rpm	fc5b0d7dc9f2501e1aec5be524fcd2cd	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-libs-devel-5.14.0-427.26.1.el9_4.x86_64.rpm	952c5467b7bad8a01854fb1aa6026a94	-	ol9_x86_64_codeready_builder
	kernel-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm	1cadf4adb2a2135fe4e813fef8fc6b87	-	ol9_x86_64_baseos_latest
	kernel-uki-virt-5.14.0-427.26.1.el9_4.x86_64.rpm	1cadf4adb2a2135fe4e813fef8fc6b87	-	ol9_x86_64_u4_baseos_patch
	libperf-5.14.0-427.26.1.el9_4.x86_64.rpm	229e89efcb5d76ce1da913493cbd9157	-	ol9_x86_64_codeready_builder
	perf-5.14.0-427.26.1.el9_4.x86_64.rpm	5e0a11e5dc74917790031dee03254286	-	ol9_x86_64_appstream
	python3-perf-5.14.0-427.26.1.el9_4.x86_64.rpm	cf86d2f6e91e6e31d6defa2e6bfd39ab	-	ol9_x86_64_baseos_latest
	python3-perf-5.14.0-427.26.1.el9_4.x86_64.rpm	cf86d2f6e91e6e31d6defa2e6bfd39ab	-	ol9_x86_64_u4_baseos_patch
	rtla-5.14.0-427.26.1.el9_4.x86_64.rpm	69113cdf6387fd685993112171f69acc	-	ol9_x86_64_appstream
	rv-5.14.0-427.26.1.el9_4.x86_64.rpm	aaf6db0b98b01ae88d07b1957221f04f	-	ol9_x86_64_appstream