ELSA-2024-8162 - kernel security update

Type: SECURITY
Impact: MODERATE
Release Date: 2024-10-16

Description


[5.14.0-427.40.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.40.1_4]
- gfs2: Fix NULL pointer dereference in gfs2_log_flush (CKI Backport Bot) [RHEL-51561 RHEL-51559] {CVE-2024-42079}
- net: stmmac: Separate C22 and C45 transactions for xgmac (CKI Backport Bot) [RHEL-60274 RHEL-6297]
- dmaengine: idxd: Check for driver name match before sva user feature (Jerry Snitselaar) [RHEL-47239 RHEL-44836 RHEL-46619]
- ceph: switch to corrected encoding of max_xattr_size in mdsmap (Xiubo Li) [RHEL-57609 RHEL-26722]
- KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked (CKI Backport Bot) [RHEL-46428] {CVE-2024-39483}
- vfs: don't mod negative dentry count when on shrinker list (Brian Foster) [RHEL-60567 RHEL-46609]
- fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading (Brian Foster) [RHEL-60567 RHEL-46609]
- x86/bugs: Reverse instruction order of CLEAR_CPU_BUFFERS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- Revert 'x86/bugs: Use fixed addressing for VERW operand' (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- redhat/configs: Enable x86 CONFIG_MITIGATION_RFDS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/rfds: Mitigate Register File Data Sampling (RFDS) (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- Documentation/hw-vuln: Add documentation for RFDS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/bugs: Use fixed addressing for VERW operand (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/VMX: Move VERW closer to VMentry for MDS mitigation (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry_32: Add VERW just before userspace transition (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry_64: Add VERW just before userspace transition (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry: Harden return-to-user (Prarit Bhargava) [RHEL-48713 RHEL-25415]
- x86/entry: Optimize common_interrupt_return() (Prarit Bhargava) [RHEL-48713 RHEL-25415]
- x86/bugs: Add asm helpers for executing VERW (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- sched: act_ct: take care of padding in struct zones_ht_key (Xin Long) [RHEL-55112 RHEL-50682] {CVE-2024-42272}
- sched: act_ct: add netns into the key of tcf_ct_flow_table (Xin Long) [RHEL-55112 RHEL-28816]
- dmaengine: idxd: Fix oops during rmmod on single-CPU platforms (CKI Backport Bot) [RHEL-41361] {CVE-2024-35989}
- hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (Steve Best) [RHEL-42115 RHEL-37721] {CVE-2021-47385}

[5.14.0-427.39.1_4]
- mptcp: ensure snd_nxt is properly initialized on connect (cki-backport-bot) [RHEL-52474 RHEL-39867] {CVE-2024-36889}
- ping: fix address binding wrt vrf (Antoine Tenart) [RHEL-57563 RHEL-50920]
- net/mlx5: Add a timeout to acquire the command queue semaphore (Benjamin Poirier) [RHEL-44227 RHEL-44225] {CVE-2024-38556}
- xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CKI Backport Bot) [RHEL-48142 RHEL-48140] {CVE-2024-40959}
- ionic: fix use after netif_napi_del() (Michal Schmidt) [RHEL-47636 RHEL-47634] {CVE-2024-39502}
- ionic: clean interrupt before enabling queue to avoid credit race (Michal Schmidt) [RHEL-47636 RHEL-36065]
- Revert 'net/mlx5: Block entering switchdev mode with ns inconsistency' (Benjamin Poirier) [RHEL-42391 RHEL-24466] {CVE-2023-52658}
- tipc: Return non-zero value from tipc_udp_addr2str() on error (Xin Long) [RHEL-55075 RHEL-55074] {CVE-2024-42284}
- x86: set FSRS automatically on AMD CPUs that have FSRM (Prarit Bhargava) [RHEL-56970 RHEL-25415]

[5.14.0-427.38.1_4]
- module: avoid allocation if module is already present and ready (Donald Dutile) [RHEL-52417]
- module: move early sanity checks into a helper (Donald Dutile) [RHEL-52417]
- module: extract patient module check into helper (Donald Dutile) [RHEL-52417]
- null_blk: Fix return value of nullb_device_power_store() (Ming Lei) [RHEL-58636 RHEL-39662]
- null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' (Ming Lei) [RHEL-58636 RHEL-39662]
- net: sched: sch_multiq: fix possible OOB write in multiq_tune() (cki-backport-bot) [RHEL-43472] {CVE-2024-36978}
- netfilter: nft_flow_offload: release dst in case direct xmit path is used (Florian Westphal) [RHEL-38520 RHEL-33469]
- netfilter: nft_flow_offload: reset dst in route object after setting up flow (Florian Westphal) [RHEL-38520 RHEL-33469] {CVE-2024-27403}
- netfilter: flowtable: simplify route logic (Florian Westphal) [RHEL-38520 RHEL-33469]
- net: psample: fix uninitialized metadata. (Adrian Moreno) [RHEL-56909]


Related CVEs


CVE-2024-42079
CVE-2024-36978
CVE-2021-47385
CVE-2023-28746
CVE-2024-39502
CVE-2024-38556
CVE-2024-39483
CVE-2024-35989
CVE-2024-27403
CVE-2024-40959
CVE-2024-42284
CVE-2023-52658
CVE-2024-36889
CVE-2024-42272

Updated Packages


Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.40.1.el9_4.aarch64.rpm | 2504d571fe707521ad38da8fdce0e608e9c1f2d4ca3955e06719b0cf6377929b | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.40.1.el9_4.aarch64.rpm | 2504d571fe707521ad38da8fdce0e608e9c1f2d4ca3955e06719b0cf6377929b | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-cross-headers-5.14.0-427.40.1.el9_4.aarch64.rpm | ce20ebcec0cf21cd95f4df9e5eae944d873bbdf9b5d1fa28345bcad6326a4289 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | kernel-headers-5.14.0-427.40.1.el9_4.aarch64.rpm | a98bce76b208a4ce0f5f75ef644b8931377babe7d17bd66eb5fe5ff76c984508 | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.40.1.el9_4.aarch64.rpm | 8000965ad32d554c425a7745db5158ca1f49895674f605175c25a28fd92c5ca7 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.40.1.el9_4.aarch64.rpm | 8000965ad32d554c425a7745db5158ca1f49895674f605175c25a28fd92c5ca7 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.40.1.el9_4.aarch64.rpm | 97b7b4595f38ddbc22737f0e61c9a7505a2f7552d4a957ef83658eaa25388942 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.40.1.el9_4.aarch64.rpm | 97b7b4595f38ddbc22737f0e61c9a7505a2f7552d4a957ef83658eaa25388942 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (aarch64) | kernel-tools-libs-devel-5.14.0-427.40.1.el9_4.aarch64.rpm | 887d6f48ae44c64fbad1e6bd1c6ce07954aa4c79e940b1c27d025d0b69360467 | - | ol9_aarch64_codeready_builder
Oracle Linux 9 (aarch64) | perf-5.14.0-427.40.1.el9_4.aarch64.rpm | bca0ae3cadce03faa7264f9b210ceeb944d1d33c3395365b60fe1eeb7e46701b | - | ol9_aarch64_appstream
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.40.1.el9_4.aarch64.rpm | dfe622ce3669241b6cfbcd4d5155174b9a340868fef86fa1e267de59277daf22 | - | ol9_aarch64_baseos_latest
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.40.1.el9_4.aarch64.rpm | dfe622ce3669241b6cfbcd4d5155174b9a340868fef86fa1e267de59277daf22 | - | ol9_aarch64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.src.rpm | 2adf0bb79cded91c193e8ed36422d1f1720e7bafdc69a1db05f1b558e88e9d97 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.40.1.el9_4.x86_64.rpm | 1eb9b6f22d1a83dead07b25853477cac591519552a4f18508eb748af9433c3c4 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.40.1.el9_4.x86_64.rpm | 1eb9b6f22d1a83dead07b25853477cac591519552a4f18508eb748af9433c3c4 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.x86_64.rpm | eed9b01ea56bad46d354d52f11758067fc20d3f6f21ece61bd69394f348bed32 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.40.1.el9_4.x86_64.rpm | eed9b01ea56bad46d354d52f11758067fc20d3f6f21ece61bd69394f348bed32 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.40.1.el9_4.noarch.rpm | 10100159b635860fb49d3092dadfe635fe88d3eaa218e3266589dc55a9ff132b | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.40.1.el9_4.noarch.rpm | 10100159b635860fb49d3092dadfe635fe88d3eaa218e3266589dc55a9ff132b | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 866f620ceef4a72be5d26dcb2969f49ef7dd06f979fd10f19e4aa92ed3416535 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 866f620ceef4a72be5d26dcb2969f49ef7dd06f979fd10f19e4aa92ed3416535 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-cross-headers-5.14.0-427.40.1.el9_4.x86_64.rpm | ba3c69168490181401fab1bf5c0c3e9157260b8de49d954893c848170fb2f66c | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.40.1.el9_4.x86_64.rpm | 14ab81be1576ceac18f156516efdbc5192285a48e8fc87c70b542eeba247b7ca | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.40.1.el9_4.x86_64.rpm | 14ab81be1576ceac18f156516efdbc5192285a48e8fc87c70b542eeba247b7ca | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 7c5e0551f3fbaace2db0abc5ce26cf4b0bc645857470b1eb54e082c7b09045ac | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 7c5e0551f3fbaace2db0abc5ce26cf4b0bc645857470b1eb54e082c7b09045ac | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-devel-5.14.0-427.40.1.el9_4.x86_64.rpm | 1a34252bf2bf2b24333de038abf8eb7f71e374e9f4fdf405e608fa4fdec28835 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-devel-matched-5.14.0-427.40.1.el9_4.x86_64.rpm | c18656f8ea3d7c0fbb23ea6e694c03e5e3b336a402e7852f92afe4966e64789f | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.40.1.el9_4.x86_64.rpm | cb729c120afe51772b9360f566d421c85deeea4b7d94aadb802f350ef918cd69 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.40.1.el9_4.x86_64.rpm | cb729c120afe51772b9360f566d421c85deeea4b7d94aadb802f350ef918cd69 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 240aa9a99cdfbcecab94390d1cb98579aab3de2f8ad54b54696225a3a94a89bf | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 240aa9a99cdfbcecab94390d1cb98579aab3de2f8ad54b54696225a3a94a89bf | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm | 91dce1522360527c8990b7b3bd32425431a3bf37edd11c767ccce605c6cec185 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm | 91dce1522360527c8990b7b3bd32425431a3bf37edd11c767ccce605c6cec185 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm | 00baa2b093ba1276cc7d973054a4c2454fe370e8d7e198d924859f32110ea2dc | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm | 00baa2b093ba1276cc7d973054a4c2454fe370e8d7e198d924859f32110ea2dc | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-devel-5.14.0-427.40.1.el9_4.x86_64.rpm | c5d79ced5357fcdf795ed6d7569bbf2e97e94d22890466e8ba13b40493085a62 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-devel-matched-5.14.0-427.40.1.el9_4.x86_64.rpm | 929a7ec1fd9d86da33d32097f2ac05aa5a63cd006efbde114133435f4d897a86 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-doc-5.14.0-427.40.1.el9_4.noarch.rpm | 303dd6c82923ad416b222d078505f4f7f09c54e9128600fee69f7f5e75cd6cd0 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-headers-5.14.0-427.40.1.el9_4.x86_64.rpm | de87a7029a2311a3ef7ea7d941bb0c7aab7590f1058a69c4295bc4e31de7f592 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.40.1.el9_4.x86_64.rpm | 70507506542e269b358c20464b2b68c3229d1985acf841eccb469e63c420c4f7 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.40.1.el9_4.x86_64.rpm | 70507506542e269b358c20464b2b68c3229d1985acf841eccb469e63c420c4f7 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 0363a5cd94ec9ec8857d48b47def256f2cc61b69dff0502514c4c42fd5f0d936 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm | 0363a5cd94ec9ec8857d48b47def256f2cc61b69dff0502514c4c42fd5f0d936 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm | 15f6bad8b0d6a94276fa3cd003f2a8d3223190aac961bdc25999f24e29977414 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm | 15f6bad8b0d6a94276fa3cd003f2a8d3223190aac961bdc25999f24e29977414 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.40.1.el9_4.x86_64.rpm | 3c04bf07873280247017b98c5c33d1933339c07e3aa8ee3202ad51c508e61fb7 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.40.1.el9_4.x86_64.rpm | 3c04bf07873280247017b98c5c33d1933339c07e3aa8ee3202ad51c508e61fb7 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.40.1.el9_4.x86_64.rpm | eb31502ffba0bd399028cc6ac704b07007a64038c8e1a40af65d3edcbb89e0a2 | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.40.1.el9_4.x86_64.rpm | eb31502ffba0bd399028cc6ac704b07007a64038c8e1a40af65d3edcbb89e0a2 | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | kernel-tools-libs-devel-5.14.0-427.40.1.el9_4.x86_64.rpm | 5e9ccbc9c4f137397d9b71acc3ab9282730ac21e603045653159dd7656fddc5a | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm | 826840b53d83d35212d31a08328e517391fe2c6538eb6df9c63a3742f31583af | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm | 826840b53d83d35212d31a08328e517391fe2c6538eb6df9c63a3742f31583af | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | libperf-5.14.0-427.40.1.el9_4.x86_64.rpm | 00e2c25c29fd35c662729eb92c7485fa3389e58b46746122b97152d42ff730db | - | ol9_x86_64_codeready_builder
Oracle Linux 9 (x86_64) | perf-5.14.0-427.40.1.el9_4.x86_64.rpm | 03127cf444f3757a38f6d017aab86b32496f96b3d4a6d2c1b3653f9b75f55622 | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.40.1.el9_4.x86_64.rpm | 2fb47d17005f675c901d7b247e74912485e65c886ca443eb7c631af4771c8a1a | - | ol9_x86_64_baseos_latest
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.40.1.el9_4.x86_64.rpm | 2fb47d17005f675c901d7b247e74912485e65c886ca443eb7c631af4771c8a1a | - | ol9_x86_64_u4_baseos_patch
Oracle Linux 9 (x86_64) | rtla-5.14.0-427.40.1.el9_4.x86_64.rpm | 491563a6a0bdfd10f70d4c81f94bb8a9024ac94d294a8bb1d27eee6063da991c | - | ol9_x86_64_appstream
Oracle Linux 9 (x86_64) | rv-5.14.0-427.40.1.el9_4.x86_64.rpm | 570a2963359f6f2705f67d68ad9f32d90680c6764316abb557dfa6c9ae1bc79a | - | ol9_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team