Type: SECURITY
Severity: MODERATE
Release Date: 2024-10-30
[5.14.0-427.42.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
[5.14.0-427.42.1_4]
- redhat/configs: Add CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI retpoline check (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Clarify that syscall hardening isn't a BHI mitigation (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI handling of RRSBA (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr' (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI documentation (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix return type of spectre_bhi_state() (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Make CONFIG_SPECTRE_BHI_ON the default (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- KVM: x86: Add BHI_NO (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Mitigate KVM by default (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Add BHI mitigation knob (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Enumerate Branch History Injection (BHI) bug (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Define SPEC_CTRL_BHI_DIS_S (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Add support for clearing branch history at syscall entry (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- perf/x86/amd/lbr: Use freeze based on availability (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- Documentation/kernel-parameters: Add spec_rstack_overflow to mitigations=off (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- KVM: x86: Use a switch statement and macros in __feature_translate() (Maxim Levitsky) [RHEL-45492 RHEL-32430]
- KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace (Maxim Levitsky) [RHEL-45492 RHEL-32430]
- x86/entry/32: Convert do_fast_syscall_32() to bool return type (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- x86/entry: Add do_SYSENTER_32() prototype (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- x86/bugs: Reset speculation control settings on init (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- mpls: Reduce skb re-allocations due to skb_cow() (Guillaume Nault) [RHEL-61696 RHEL-55145]
- scsi: core: Fix unremoved procfs host directory regression (Ewan D. Milne) [RHEL-39539 RHEL-39601 RHEL-33543 RHEL-35000] {CVE-2024-26935}
- tty: Fix out-of-bound vmalloc access in imageblit (Andrew Halaney) [RHEL-42095 RHEL-24205] {CVE-2021-47383}
- block: initialize integrity buffer to zero before writing it to media (Ming Lei) [RHEL-54769 RHEL-54768] {CVE-2024-43854}
- block: cleanup bio_integrity_prep (Ming Lei) [RHEL-54769 RHEL-25988]
- block: refactor to use helper (Ming Lei) [RHEL-54769 RHEL-25988]
- ceph: fix cap ref leak via netfs init_request (Patrick Donnelly) [RHEL-62666 RHEL-61459]
- redhat/configs: Enable CONFIG_OCTEON_EP_VF (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add ethtool support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add Tx/Rx processing and interrupt support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add support for ndo ops (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add Tx/Rx ring resource setup and cleanup (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add VF-PF mailbox communication. (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add hardware configuration APIs (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: Add driver framework and device initialization (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: support firmware notifications for VFs (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: control net framework to support VF offloads (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: PF-VF mailbox version support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: add PF-VF mailbox communication (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- x86/mm/ident_map: Use gbpages only where full GB page should be mapped. (Chris von Recklinghausen) [RHEL-62209 RHEL-26268]
- netfilter: nfnetlink_queue: un-break NF_REPEAT (Phil Sutter) [RHEL-62299]
[5.14.0-427.41.1_4]
- iommu/amd: Fix panic accessing amd_iommu_enable_faulting (Jerry Snitselaar) [RHEL-55507 RHEL-37320 RHEL-40344]
- iommu/vt-d: Allocate DMAR fault interrupts locally (Jerry Snitselaar) [RHEL-55507 RHEL-28780]
- netfilter: nft_inner: validate mandatory meta and payload (Phil Sutter) [RHEL-47488 RHEL-47486] {CVE-2024-39504}
- netfilter: flowtable: initialise extack before use (CKI Backport Bot) [RHEL-58546 RHEL-58544] {CVE-2024-45018}
- ext4: do not create EA inode under buffer lock (Carlos Maiolino) [RHEL-48285 RHEL-48282] {CVE-2024-40972}
- ext4: fold quota accounting into ext4_xattr_inode_lookup_create() (Carlos Maiolino) [RHEL-48285 RHEL-48282] {CVE-2024-40972}
- ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (Carlos Maiolino) [RHEL-48519 RHEL-48517] {CVE-2024-40998}
- ext4: turn quotas off if mount failed after enabling quotas (Carlos Maiolino) [RHEL-48519 RHEL-48517] {CVE-2024-40998}
- mptcp: fix data re-injection from stale subflow (Davide Caratti) [RHEL-59920 RHEL-32669] {CVE-2024-26826}
- xfs: add bounds checking to xlog_recover_process_data (CKI Backport Bot) [RHEL-50864 RHEL-50862] {CVE-2024-41014}
- af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). (Davide Caratti) [RHEL-42771 RHEL-33410]
- af_unix: Fix garbage collector racing against connect() (Davide Caratti) [RHEL-42771 RHEL-33410] {CVE-2024-26923}
- af_unix: fix lockdep positive in sk_diag_dump_icons() (Davide Caratti) [RHEL-42771 RHEL-33410]
- xfs: don't walk off the end of a directory data block (CKI Backport Bot) [RHEL-50887 RHEL-50885] {CVE-2024-41013}
- ipv6: prevent possible NULL dereference in rt6_probe() (Hangbin Liu) [RHEL-48161 RHEL-45826] {CVE-2024-40960}
- mac802154: fix llsec key resources release in mac802154_llsec_key_del (Steve Best) [RHEL-42795 RHEL-34969] {CVE-2024-26961}
- mptcp: ensure snd_una is properly initialized on connect (Florian Westphal) [RHEL-47945 RHEL-47943] {CVE-2024-40931}
- USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CKI Backport Bot) [RHEL-47560 RHEL-47558] {CVE-2024-40904}
- nvme-multipath: fix io accounting on failover (John Meneghini) [RHEL-59646 RHEL-56635]
- nvme: fix multipath batched completion accounting (John Meneghini) [RHEL-59646 RHEL-56635]
- xfs: fix log recovery buffer allocation for the legacy h_size fixup (Bill O'Donnell) [RHEL-46481 RHEL-46479] {CVE-2024-39472}
- tcp: add sanity checks to rx zerocopy (Paolo Abeni) [RHEL-58403 RHEL-29496] {CVE-2024-26640}
- netpoll: Fix race condition in netpoll_owner_active (CKI Backport Bot) [RHEL-49373 RHEL-49371] {CVE-2024-41005}
- wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (CKI Backport Bot) [RHEL-48321 RHEL-48319] {CVE-2024-40977}
- smb: client: fix hang in wait_for_response() for negproto (Jay Shin) [RHEL-61606 RHEL-57983]
- NFSv4.1/pnfs: fix NFS with TLS in pnfs (Benjamin Coddington) [RHEL-61467 RHEL-34576]
- ceph: remove the incorrect Fw reference check when dirtying pages (Xiubo Li) [RHEL-61415 RHEL-60255]
- net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (Davide Caratti) [RHEL-48483 RHEL-44375] {CVE-2024-40995}
- net/sched: taprio: extend minimum interval restriction to entire cycle too (Davide Caratti) [RHEL-44377 RHEL-44375] {CVE-2024-36244}
- net/sched: taprio: make q->picos_per_byte available to fill_sched_entry() (Davide Caratti) [RHEL-44377 RHEL-44375] {CVE-2024-36244}
Release/Architecture | Filename | MD5sum | Superseded By Advisory | Channel Label |
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_aarch64_appstream |
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_aarch64_baseos_latest |
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_aarch64_codeready_builder |
Oracle Linux 9 (aarch64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_aarch64_u4_baseos_patch |
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.42.1.el9_4.aarch64.rpm | 4e24e9321eb9ca897f20b6624435f238 | - | ol9_aarch64_baseos_latest |
Oracle Linux 9 (aarch64) | bpftool-7.3.0-427.42.1.el9_4.aarch64.rpm | 4e24e9321eb9ca897f20b6624435f238 | - | ol9_aarch64_u4_baseos_patch |
Oracle Linux 9 (aarch64) | kernel-cross-headers-5.14.0-427.42.1.el9_4.aarch64.rpm | ace1e7b0905da5cc80561e1f4e86461c | - | ol9_aarch64_codeready_builder |
Oracle Linux 9 (aarch64) | kernel-headers-5.14.0-427.42.1.el9_4.aarch64.rpm | 9b8128369155380323ffda86ca76f9aa | - | ol9_aarch64_appstream |
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.42.1.el9_4.aarch64.rpm | 0c2b0208dc32f89f78f2c7b2df3e48ec | - | ol9_aarch64_baseos_latest |
Oracle Linux 9 (aarch64) | kernel-tools-5.14.0-427.42.1.el9_4.aarch64.rpm | 0c2b0208dc32f89f78f2c7b2df3e48ec | - | ol9_aarch64_u4_baseos_patch |
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.42.1.el9_4.aarch64.rpm | c9ca4a547e3449d5261fc9feac209d48 | - | ol9_aarch64_baseos_latest |
Oracle Linux 9 (aarch64) | kernel-tools-libs-5.14.0-427.42.1.el9_4.aarch64.rpm | c9ca4a547e3449d5261fc9feac209d48 | - | ol9_aarch64_u4_baseos_patch |
Oracle Linux 9 (aarch64) | kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.aarch64.rpm | 45ee7ce95526ba1a94d93102b03a5fe4 | - | ol9_aarch64_codeready_builder |
Oracle Linux 9 (aarch64) | perf-5.14.0-427.42.1.el9_4.aarch64.rpm | 8c503d8e682f726fddd4549db69f2225 | - | ol9_aarch64_appstream |
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.42.1.el9_4.aarch64.rpm | 17613060a29d125e4c93bd2b3071390d | - | ol9_aarch64_baseos_latest |
Oracle Linux 9 (aarch64) | python3-perf-5.14.0-427.42.1.el9_4.aarch64.rpm | 17613060a29d125e4c93bd2b3071390d | - | ol9_aarch64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_x86_64_codeready_builder |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.src.rpm | 3494260b7dcf27d700dabcc0edbd56a3 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.42.1.el9_4.x86_64.rpm | 5c56c3170844a2d83c4407135f655e45 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | bpftool-7.3.0-427.42.1.el9_4.x86_64.rpm | 5c56c3170844a2d83c4407135f655e45 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.x86_64.rpm | 2db995df5ae735e689c6091cde9a53a4 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-5.14.0-427.42.1.el9_4.x86_64.rpm | 2db995df5ae735e689c6091cde9a53a4 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.42.1.el9_4.noarch.rpm | a835877373a05d4c3cb179e137273617 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-abi-stablelists-5.14.0-427.42.1.el9_4.noarch.rpm | a835877373a05d4c3cb179e137273617 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 68812178cf63fc9fb9e271b0d3be6c90 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 68812178cf63fc9fb9e271b0d3be6c90 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-cross-headers-5.14.0-427.42.1.el9_4.x86_64.rpm | 1705bc465f2fbe0ef75ad0cabf864e66 | - | ol9_x86_64_codeready_builder |
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.42.1.el9_4.x86_64.rpm | 95afd5f28c822680513c320c1904fc55 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-5.14.0-427.42.1.el9_4.x86_64.rpm | 95afd5f28c822680513c320c1904fc55 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 9a04fdb4ac17865a64683e88cf3f7e33 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 9a04fdb4ac17865a64683e88cf3f7e33 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-debug-devel-5.14.0-427.42.1.el9_4.x86_64.rpm | f658176794d5897bdcb192aa15a4863b | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-debug-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm | cac60bb7745ab5554e6923b5ca54db1d | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.42.1.el9_4.x86_64.rpm | 69634e869b35b185e55c32fd90f8b1d8 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-modules-5.14.0-427.42.1.el9_4.x86_64.rpm | 69634e869b35b185e55c32fd90f8b1d8 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 08b978c08b59d8b3cac8bbb38ec3b5e1 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm | 08b978c08b59d8b3cac8bbb38ec3b5e1 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm | 2bfbd0549807211bdb63f77dc62b278e | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm | 2bfbd0549807211bdb63f77dc62b278e | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm | da6f0d22470c77f252ffe8cc9796484a | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-debug-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm | da6f0d22470c77f252ffe8cc9796484a | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-devel-5.14.0-427.42.1.el9_4.x86_64.rpm | 699bc2f103fb98b974c7eccd411140ce | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm | 9c9f6a0815c89ea3581d8feebb2f5117 | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-doc-5.14.0-427.42.1.el9_4.noarch.rpm | 0970cca0a911ce85a2b56ed6cd7518fe | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-headers-5.14.0-427.42.1.el9_4.x86_64.rpm | f4384ab00279f8a47d4ca99640f2e9dd | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.42.1.el9_4.x86_64.rpm | 3c353df806b741c3eed9e7f11e59e2f7 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-modules-5.14.0-427.42.1.el9_4.x86_64.rpm | 3c353df806b741c3eed9e7f11e59e2f7 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm | abdaa61ca120ace2b8fbc6f2f9462586 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm | abdaa61ca120ace2b8fbc6f2f9462586 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm | 338e0e571c9de784e2c0240f69781ede | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm | 338e0e571c9de784e2c0240f69781ede | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.42.1.el9_4.x86_64.rpm | 64c6c79aa1def4aa5153cd6f10bb2baa | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-tools-5.14.0-427.42.1.el9_4.x86_64.rpm | 64c6c79aa1def4aa5153cd6f10bb2baa | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.42.1.el9_4.x86_64.rpm | 22453a3f1303ab49d5b5f3b18e37f30a | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-tools-libs-5.14.0-427.42.1.el9_4.x86_64.rpm | 22453a3f1303ab49d5b5f3b18e37f30a | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.x86_64.rpm | 3728c562bf0c2177354f7b553a60df50 | - | ol9_x86_64_codeready_builder |
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm | d216e64b5214508bcdc702ce05a845b8 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | kernel-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm | d216e64b5214508bcdc702ce05a845b8 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | libperf-5.14.0-427.42.1.el9_4.x86_64.rpm | b269b18e7e98245e878871b7c96a228a | - | ol9_x86_64_codeready_builder |
Oracle Linux 9 (x86_64) | perf-5.14.0-427.42.1.el9_4.x86_64.rpm | 87fb7f3d53486c16fec273eefc8e65ef | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.42.1.el9_4.x86_64.rpm | 38d3e164f594172ab2bbbfdff6f3a113 | - | ol9_x86_64_baseos_latest |
Oracle Linux 9 (x86_64) | python3-perf-5.14.0-427.42.1.el9_4.x86_64.rpm | 38d3e164f594172ab2bbbfdff6f3a113 | - | ol9_x86_64_u4_baseos_patch |
Oracle Linux 9 (x86_64) | rtla-5.14.0-427.42.1.el9_4.x86_64.rpm | 318334196845869ea632ae807f730ff1 | - | ol9_x86_64_appstream |
Oracle Linux 9 (x86_64) | rv-5.14.0-427.42.1.el9_4.x86_64.rpm | 887d53d4f29ddfb696184233ff3adb9d | - | ol9_x86_64_appstream |