ELSA-2024-8162

ULN >
Oracle Linux Errata repository >
ELSA-2024-8162

ELSA-2024-8162 - kernel security update

Type:	SECURITY
Severity:	MODERATE
Release Date:	2024-10-16

Description

[5.14.0-427.40.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.40.1_4]
- gfs2: Fix NULL pointer dereference in gfs2_log_flush (CKI Backport Bot) [RHEL-51561 RHEL-51559] {CVE-2024-42079}
- net: stmmac: Separate C22 and C45 transactions for xgmac (CKI Backport Bot) [RHEL-60274 RHEL-6297]
- dmaengine: idxd: Check for driver name match before sva user feature (Jerry Snitselaar) [RHEL-47239 RHEL-44836 RHEL-46619]
- ceph: switch to corrected encoding of max_xattr_size in mdsmap (Xiubo Li) [RHEL-57609 RHEL-26722]
- KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked (CKI Backport Bot) [RHEL-46428] {CVE-2024-39483}
- vfs: don't mod negative dentry count when on shrinker list (Brian Foster) [RHEL-60567 RHEL-46609]
- fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading (Brian Foster) [RHEL-60567 RHEL-46609]
- x86/bugs: Reverse instruction order of CLEAR_CPU_BUFFERS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- Revert 'x86/bugs: Use fixed addressing for VERW operand' (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- redhat/configs: Enable x86 CONFIG_MITIGATION_RFDS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/rfds: Mitigate Register File Data Sampling (RFDS) (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- Documentation/hw-vuln: Add documentation for RFDS (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/bugs: Use fixed addressing for VERW operand (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/VMX: Move VERW closer to VMentry for MDS mitigation (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- KVM/VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry_32: Add VERW just before userspace transition (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry_64: Add VERW just before userspace transition (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- x86/entry: Harden return-to-user (Prarit Bhargava) [RHEL-48713 RHEL-25415]
- x86/entry: Optimize common_interrupt_return() (Prarit Bhargava) [RHEL-48713 RHEL-25415]
- x86/bugs: Add asm helpers for executing VERW (Waiman Long) [RHEL-48713 RHEL-31226] {CVE-2023-28746}
- sched: act_ct: take care of padding in struct zones_ht_key (Xin Long) [RHEL-55112 RHEL-50682] {CVE-2024-42272}
- sched: act_ct: add netns into the key of tcf_ct_flow_table (Xin Long) [RHEL-55112 RHEL-28816]
- dmaengine: idxd: Fix oops during rmmod on single-CPU platforms (CKI Backport Bot) [RHEL-41361] {CVE-2024-35989}
- hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field (Steve Best) [RHEL-42115 RHEL-37721] {CVE-2021-47385}

[5.14.0-427.39.1_4]
- mptcp: ensure snd_nxt is properly initialized on connect (cki-backport-bot) [RHEL-52474 RHEL-39867] {CVE-2024-36889}
- ping: fix address binding wrt vrf (Antoine Tenart) [RHEL-57563 RHEL-50920]
- net/mlx5: Add a timeout to acquire the command queue semaphore (Benjamin Poirier) [RHEL-44227 RHEL-44225] {CVE-2024-38556}
- xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() (CKI Backport Bot) [RHEL-48142 RHEL-48140] {CVE-2024-40959}
- ionic: fix use after netif_napi_del() (Michal Schmidt) [RHEL-47636 RHEL-47634] {CVE-2024-39502}
- ionic: clean interrupt before enabling queue to avoid credit race (Michal Schmidt) [RHEL-47636 RHEL-36065]
- Revert 'net/mlx5: Block entering switchdev mode with ns inconsistency' (Benjamin Poirier) [RHEL-42391 RHEL-24466] {CVE-2023-52658}
- tipc: Return non-zero value from tipc_udp_addr2str() on error (Xin Long) [RHEL-55075 RHEL-55074] {CVE-2024-42284}
- x86: set FSRS automatically on AMD CPUs that have FSRM (Prarit Bhargava) [RHEL-56970 RHEL-25415]

[5.14.0-427.38.1_4]
- module: avoid allocation if module is already present and ready (Donald Dutile) [RHEL-52417]
- module: move early sanity checks into a helper (Donald Dutile) [RHEL-52417]
- module: extract patient module check into helper (Donald Dutile) [RHEL-52417]
- null_blk: Fix return value of nullb_device_power_store() (Ming Lei) [RHEL-58636 RHEL-39662]
- null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' (Ming Lei) [RHEL-58636 RHEL-39662]
- net: sched: sch_multiq: fix possible OOB write in multiq_tune() (cki-backport-bot) [RHEL-43472] {CVE-2024-36978}
- netfilter: nft_flow_offload: release dst in case direct xmit path is used (Florian Westphal) [RHEL-38520 RHEL-33469]
- netfilter: nft_flow_offload: reset dst in route object after setting up flow (Florian Westphal) [RHEL-38520 RHEL-33469] {CVE-2024-27403}
- netfilter: flowtable: simplify route logic (Florian Westphal) [RHEL-38520 RHEL-33469]
- net: psample: fix uninitialized metadata. (Adrian Moreno) [RHEL-56909]

Related CVEs

Updated Packages

Release/Architecture	Filename	MD5sum	Superseded By Advisory	Channel Label

Oracle Linux 9 (aarch64)	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_aarch64_appstream
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_aarch64_baseos_latest
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_aarch64_codeready_builder
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_aarch64_u4_baseos_patch
	bpftool-7.3.0-427.40.1.el9_4.aarch64.rpm	65078cc18f7bfc3e149c0f791f3434b3	-	ol9_aarch64_baseos_latest
	bpftool-7.3.0-427.40.1.el9_4.aarch64.rpm	65078cc18f7bfc3e149c0f791f3434b3	-	ol9_aarch64_u4_baseos_patch
	kernel-cross-headers-5.14.0-427.40.1.el9_4.aarch64.rpm	9ae5917f16f68b59f48d32888f206477	-	ol9_aarch64_codeready_builder
	kernel-headers-5.14.0-427.40.1.el9_4.aarch64.rpm	09a08d3d099ff9109f28b0975759ae0b	-	ol9_aarch64_appstream
	kernel-tools-5.14.0-427.40.1.el9_4.aarch64.rpm	f7377cf64230a71b8244942d7100f7c6	-	ol9_aarch64_baseos_latest
	kernel-tools-5.14.0-427.40.1.el9_4.aarch64.rpm	f7377cf64230a71b8244942d7100f7c6	-	ol9_aarch64_u4_baseos_patch
	kernel-tools-libs-5.14.0-427.40.1.el9_4.aarch64.rpm	e97029af5a5d56596c4880b46ffd049d	-	ol9_aarch64_baseos_latest
	kernel-tools-libs-5.14.0-427.40.1.el9_4.aarch64.rpm	e97029af5a5d56596c4880b46ffd049d	-	ol9_aarch64_u4_baseos_patch
	kernel-tools-libs-devel-5.14.0-427.40.1.el9_4.aarch64.rpm	d4abe959211a1dea3d28ffeb3f622734	-	ol9_aarch64_codeready_builder
	perf-5.14.0-427.40.1.el9_4.aarch64.rpm	c97d0adc6765020cbf80d19d3e7adec3	-	ol9_aarch64_appstream
	python3-perf-5.14.0-427.40.1.el9_4.aarch64.rpm	f65addb00ac2db3e6dcb40f8d356cbe9	-	ol9_aarch64_baseos_latest
	python3-perf-5.14.0-427.40.1.el9_4.aarch64.rpm	f65addb00ac2db3e6dcb40f8d356cbe9	-	ol9_aarch64_u4_baseos_patch

Oracle Linux 9 (x86_64)	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_x86_64_appstream
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_x86_64_codeready_builder
	kernel-5.14.0-427.40.1.el9_4.src.rpm	3123405e3f9972d6fa8e72d88d2610cd	-	ol9_x86_64_u4_baseos_patch
	bpftool-7.3.0-427.40.1.el9_4.x86_64.rpm	dacd408616cc2889f31d8130a615ec69	-	ol9_x86_64_baseos_latest
	bpftool-7.3.0-427.40.1.el9_4.x86_64.rpm	dacd408616cc2889f31d8130a615ec69	-	ol9_x86_64_u4_baseos_patch
	kernel-5.14.0-427.40.1.el9_4.x86_64.rpm	9093e8a54d20bc31a833f22887871bc8	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-427.40.1.el9_4.x86_64.rpm	9093e8a54d20bc31a833f22887871bc8	-	ol9_x86_64_u4_baseos_patch
	kernel-abi-stablelists-5.14.0-427.40.1.el9_4.noarch.rpm	425f63293bbad22e7d305a1fe49c2f04	-	ol9_x86_64_baseos_latest
	kernel-abi-stablelists-5.14.0-427.40.1.el9_4.noarch.rpm	425f63293bbad22e7d305a1fe49c2f04	-	ol9_x86_64_u4_baseos_patch
	kernel-core-5.14.0-427.40.1.el9_4.x86_64.rpm	57591d07186f9b7e20cfa2f46ed4f655	-	ol9_x86_64_baseos_latest
	kernel-core-5.14.0-427.40.1.el9_4.x86_64.rpm	57591d07186f9b7e20cfa2f46ed4f655	-	ol9_x86_64_u4_baseos_patch
	kernel-cross-headers-5.14.0-427.40.1.el9_4.x86_64.rpm	731c166b543cd1558a466fe9adb9600f	-	ol9_x86_64_codeready_builder
	kernel-debug-5.14.0-427.40.1.el9_4.x86_64.rpm	444cd4ab678d5581110d54984366012f	-	ol9_x86_64_baseos_latest
	kernel-debug-5.14.0-427.40.1.el9_4.x86_64.rpm	444cd4ab678d5581110d54984366012f	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-core-5.14.0-427.40.1.el9_4.x86_64.rpm	ce8ca4fa330fce7e3148d927dfb40bcc	-	ol9_x86_64_baseos_latest
	kernel-debug-core-5.14.0-427.40.1.el9_4.x86_64.rpm	ce8ca4fa330fce7e3148d927dfb40bcc	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-devel-5.14.0-427.40.1.el9_4.x86_64.rpm	f2df0daea1836fdd4e9e8e3a82629e10	-	ol9_x86_64_appstream
	kernel-debug-devel-matched-5.14.0-427.40.1.el9_4.x86_64.rpm	56d07feb0b07df14fd05ba927cba4b20	-	ol9_x86_64_appstream
	kernel-debug-modules-5.14.0-427.40.1.el9_4.x86_64.rpm	63d5557c0ec9ba57519780a37eb3bcc2	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-5.14.0-427.40.1.el9_4.x86_64.rpm	63d5557c0ec9ba57519780a37eb3bcc2	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm	5c0bdee5edd6b150bb6ce7feeeac3a0d	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm	5c0bdee5edd6b150bb6ce7feeeac3a0d	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm	ec826790f4f77410127282f5c2c48997	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm	ec826790f4f77410127282f5c2c48997	-	ol9_x86_64_u4_baseos_patch
	kernel-debug-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm	2227714bc53adf0eebcc2a4424b336f5	-	ol9_x86_64_baseos_latest
	kernel-debug-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm	2227714bc53adf0eebcc2a4424b336f5	-	ol9_x86_64_u4_baseos_patch
	kernel-devel-5.14.0-427.40.1.el9_4.x86_64.rpm	5c5056127e12d49a64963e22a4c8b65a	-	ol9_x86_64_appstream
	kernel-devel-matched-5.14.0-427.40.1.el9_4.x86_64.rpm	233a7ad104f037a48e645b2a35fdfe7e	-	ol9_x86_64_appstream
	kernel-doc-5.14.0-427.40.1.el9_4.noarch.rpm	04b8f9f708d82f23639aa39c838449f9	-	ol9_x86_64_appstream
	kernel-headers-5.14.0-427.40.1.el9_4.x86_64.rpm	5824ebfac487e830b5b1ae3d8e0f5c42	-	ol9_x86_64_appstream
	kernel-modules-5.14.0-427.40.1.el9_4.x86_64.rpm	656f67e1a75293b337a1f030c0704e10	-	ol9_x86_64_baseos_latest
	kernel-modules-5.14.0-427.40.1.el9_4.x86_64.rpm	656f67e1a75293b337a1f030c0704e10	-	ol9_x86_64_u4_baseos_patch
	kernel-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm	e9afc7761133a878a3185f32b194705d	-	ol9_x86_64_baseos_latest
	kernel-modules-core-5.14.0-427.40.1.el9_4.x86_64.rpm	e9afc7761133a878a3185f32b194705d	-	ol9_x86_64_u4_baseos_patch
	kernel-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm	0b7fe73a5a5f0ad1f5f7cad1fb6c1f8f	-	ol9_x86_64_baseos_latest
	kernel-modules-extra-5.14.0-427.40.1.el9_4.x86_64.rpm	0b7fe73a5a5f0ad1f5f7cad1fb6c1f8f	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-5.14.0-427.40.1.el9_4.x86_64.rpm	767cb6075d50114b26ae7a658591957c	-	ol9_x86_64_baseos_latest
	kernel-tools-5.14.0-427.40.1.el9_4.x86_64.rpm	767cb6075d50114b26ae7a658591957c	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-libs-5.14.0-427.40.1.el9_4.x86_64.rpm	f945a514abd533a2c22a462bba1c0aaa	-	ol9_x86_64_baseos_latest
	kernel-tools-libs-5.14.0-427.40.1.el9_4.x86_64.rpm	f945a514abd533a2c22a462bba1c0aaa	-	ol9_x86_64_u4_baseos_patch
	kernel-tools-libs-devel-5.14.0-427.40.1.el9_4.x86_64.rpm	0ade248495355123c908fbc8bbbabee4	-	ol9_x86_64_codeready_builder
	kernel-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm	c4d7f9a9cb54d44070994f7b1e06e8e1	-	ol9_x86_64_baseos_latest
	kernel-uki-virt-5.14.0-427.40.1.el9_4.x86_64.rpm	c4d7f9a9cb54d44070994f7b1e06e8e1	-	ol9_x86_64_u4_baseos_patch
	libperf-5.14.0-427.40.1.el9_4.x86_64.rpm	051f7553b59c73474faa1707a233cc15	-	ol9_x86_64_codeready_builder
	perf-5.14.0-427.40.1.el9_4.x86_64.rpm	51f917a8b462ce87f2ec6862db7077fc	-	ol9_x86_64_appstream
	python3-perf-5.14.0-427.40.1.el9_4.x86_64.rpm	869dae7bff9f8bc9d8347fc121af0a88	-	ol9_x86_64_baseos_latest
	python3-perf-5.14.0-427.40.1.el9_4.x86_64.rpm	869dae7bff9f8bc9d8347fc121af0a88	-	ol9_x86_64_u4_baseos_patch
	rtla-5.14.0-427.40.1.el9_4.x86_64.rpm	0c646628fc683ce9382bf7b5b2f74f3c	-	ol9_x86_64_appstream
	rv-5.14.0-427.40.1.el9_4.x86_64.rpm	baadc83068db5843a994c6effedc767e	-	ol9_x86_64_appstream

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

Oracle customers - enter a support request
Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691