Oracle Errata System Oracle Linux 5.3 2015-12-10T00:00:00 Oracle Linux 7 [1.1.1-29.0.1.el7_0.4] - Replace docs/et.png in tarball with blank image [1.1.1-29.el7_0.4] - qemu: blockcopy: Don't remove existing disk mirror info (rhbz#1149078) - qemu: copy: Accept 'format' parameter when copying to a non-existing img (rhbz#1149078) - qemu: reject rather than hang on blockcommit of active layer (rhbz#1150379) - CVE-2014-7823: dumpxml: security hole with migratable flag (CVE-2014-7823) - Fix crash when saving a domain with type none dac label (rhbz#1171124) LOW Copyright 2015 Oracle, Inc. CVE-2014-7823 Oracle Linux 6 [2.12-1.149.4] - Fix recursive dlopen() (#1173469). [2.12-1.149.3] - Fix typo in res_send and res_query (#rh1172023). [2.12-1.149.2] - Fix crashes on invalid input in IBM gconv modules (CVE-2014-6040, #1139571). [2.12-1.149.1] - Fix wordexp() to honour WRDE_NOCMD (CVE-2014-7817, #1170121). MODERATE Copyright 2015 Oracle, Inc. CVE-2014-7817 CVE-2014-6040 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.4.0-1.0.1] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [31.4.0-1] - Update to 31.4.0 ESR [31.3.0-9] - Fixed problems with dictionaries (mozbz#1097550) - Fixed rhbz#1164855 - firefox.desktop is missing x-scheme-handler MimeType entries [31.3.0-7] - Added Python 2.7 to build Firefox [31.3.0-6] - ia64 fix (mozbz#1093278) CRITICAL Copyright 2015 Oracle, Inc. CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 CVE-2014-8641 Oracle Linux 5 Oracle Linux 6 [31.4.0-1.0.1.el6_6] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [31.4.0-1] - Update to 31.4.0 [31.3.0-3] - Fixed problems with dictionaries (mozbz#1097550) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8634 CVE-2014-8638 CVE-2014-8639 Oracle Linux 6 Oracle Linux 7 [1.0.1e-34.7] - fix CVE-2014-3570 - incorrect computation in BN_sqr() - fix CVE-2014-3571 - possible crash in dtls1_get_record() - fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state - fix CVE-2014-8275 - various certificate fingerprint issues - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export ciphersuites and on server - fix CVE-2015-0205 - do not allow unauthenticated client DH certificate - fix CVE-2015-0206 - possible memory leak when buffering DTLS records MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 Oracle Linux 6 Oracle Linux 7 [1:1.7.0.75-2.5.4.0.0.1.el6_6] - Update DISTRO_NAME in specfile [1:1.7.0.75-2.5.4.0] - Fix abrt_friendly_hs_log_jdk7.patch to apply again. [1:1.7.0.75-2.5.4.0] - Bump to 2.5.4 using OpenJDK 7u75 b13. - Remove earlier temporary patch for RH1146622 (included upstream) - Fix elliptic curve list as part of fsg.sh - Resolves: rhbz#1180295 - Resolves: rhbz#1173706 CRITICAL Copyright 2015 Oracle, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 Oracle Linux 5 [1:1.7.0.75-2.5.4.0.0.1.el5_11] - Add oracle-enterprise.patch - Fix DISTRO_NAME to 'Oracle Linux' [1:1.7.0.75-2.5.4.0] - Bump to 2.5.4 using OpenJDK 7u75 b13. - Fix elliptic curve list as part of fsg.sh - Resolves: rhbz#1180294 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 Oracle Linux 6 [1:1.8.0.31-1.b13] - Update to January CPU patch update. - Resolves: RHBZ#1180299 [1:1.8.0.25-4.b17] - updated aarch64 sources - epoch synced to 1 - all ppcs excluded from classes dump(1156151) - Resolves: rhbz#1173706 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 CVE-2014-6549 CVE-2015-0437 Oracle Linux 6 Oracle Linux 7 [1.900.1-16.3] - CVE-2014-8157 - dec->numtiles off-by-one check in jpc_dec_process_sot() (#1183671) - CVE-2014-8158 - unrestricted stack memory use in jpc_qmfb.c (#1183679) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8157 CVE-2014-8158 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [1:1.6.0.33-1.13.6.1.0.1.el5_11] - Add oracle-enterprise.patch [1:1.6.0.34-1.13.6.1] - Update to latest 1.13.6 release candidate tarball - Fixes a number of issues found with b34: - * OJ51, PR2187: Sync patch for 4873188 with 7 version - * OJ52, PR2185: Application of 6786276 introduces compatibility issue - * OJ53, PR2181: strict-aliasing warnings issued on PPC32 - * OJ54, PR2182: 6911104 reintroduces test fragment removed in existing 6964018 backport - * S6730740, PR2186: Fix for 6729881 has apparently broken several 64 bit tests: 'Bad address' - * S7031830, PR2183: bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine - Also includes PR2180, so patch dropped from RPM. - Resolves: rhbz#1180289 [1:1.6.0.34-1.13.6.0] - Apply pr2180.patch to work around issue with older autotools. - Resolves: rhbz#1180289 [1:1.6.0.34-1.13.6.0] - Update to IcedTea 1.13.6 - Apply pr2125.patch in generate_rhel_zip.sh to remove unwanted elliptic curves. - Add no_pr2125.patch to avoid repeating the procedure during the IcedTea build. - Avoid duplicating the OpenJDK build version by making more use of %{openjdkver}. - Add US_export_policy.jar and local_policy.jar to packages. - Resolves: rhbz#1180289 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412 Oracle Linux 6 [2.6.32-504.8.1] - [crypto] crc32c: Kill pointless CRYPTO_CRC32C_X86_64 option (Jarod Wilson) [1175509 1036212] - [crypto] testmgr: add larger crc32c test vector to test FPU path in crc32c_intel (Jarod Wilson) [1175509 1036212] - [crypto] tcrypt: Added speed test in tcrypt for crc32c (Jarod Wilson) [1175509 1036212] - [crypto] crc32c: Optimize CRC32C calculation with PCLMULQDQ instruction (Jarod Wilson) [1175509 1036212] - [crypto] crc32c: Rename crc32c-intel.c to crc32c-intel_glue.c (Jarod Wilson) [1175509 1036212] [2.6.32-504.7.1] - [kernel] ipc/sem: Fully initialize sem_array before making it visible (Rik van Riel) [1172029 1165277] - [kernel] ipc/sem: synchronize semop and semctl with IPC_RMID (Rik van Riel) [1172029 1165277] - [kernel] ipc/sem: update sem_otime for all operations (Larry Woodman) [1172025 1168588] - [fs] fuse: prevent null nd panic on dentry revalidate (Brian Foster) [1172022 1162782] - [net] netfilter: ipset: timeout values corrupted on set resize (Marcelo Leitner) [1172764 1152754] - [net] netfilter: fix xt_TCPOPTSTRIP in forwarding path (Marcelo Leitner) [1172027 1135650] - [usb] ehci: Fix panic on hotplug race condition (Don Zickus) [1172024 1107010] - [usb] usb_wwan: replace release and disconnect with a port_remove hook (Stanislaw Gruszka) [1172030 1148615] - [x86] traps: stop using IST for #SS (Petr Matousek) [1172810 1172811] {CVE-2014-9322} [2.6.32-504.6.1] - [fs] ext4: don't count external journal blocks as overhead (Eric Sandeen) [1168504 1163811] - [net] sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [1163090 1153980] {CVE-2014-7841} - [netdrv] e100: fix typo in MDI/MDI-X eeprom check in e100_phy_init (John Greene) [1165985 1156417] - [powerpc] Add smp_mb()s to arch_spin_unlock_wait() (Gustavo Duarte) [1165986 1136224] - [powerpc] Add smp_mb() to arch_spin_is_locked() (Gustavo Duarte) [1165986 1136224] - [kernel] cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags (Aaron Tomlin) [1165002 1045310] - [documentation] cpuset: Update the cpuset flag file (Aaron Tomlin) [1165002 1045310] - [alsa] control: Make sure that id->index does not overflow (Jacob Tanenbaum) [1149140 1117312] {CVE-2014-4656} - [alsa] control: Handle numid overflow (Jacob Tanenbaum) [1149140 1117312] {CVE-2014-4656} - [s390] mm: fix SIGBUS handling (Hendrik Brueckner) [1169433 1145070] - [fs] gfs2: fix bad inode i_goal values during block allocation (Abhijith Das) [1165001 1130684] - [md] dm-thin: fix pool_io_hints to avoid looking at max_hw_sectors (Mike Snitzer) [1161420 1161421 1142773 1145230] [2.6.32-504.5.1] - [fs] nfsd: don't halt scanning the DRC LRU list when there's an RC_INPROG entry (J. Bruce Fields) [1168129 1150675] [2.6.32-504.4.1] - [fs] nfs: Make sure pre_change_attr is initialized correctly (Scott Mayhew) [1163214 1160042] - [usb] ehci: Fix a regression in the ISO scheduler (Gustavo Duarte) [1162072 1145805] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-4656 CVE-2014-7841 Oracle Linux 5 [2.5-123.0.1.el5_11.1] - Switch to use malloc when the input line is too long [Orabug 19951108] - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) [2.5-123.1] - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0235 Oracle Linux 6 Oracle Linux 7 Oracle Linux 7: [2.17-55.0.4.el7_0.5] - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. (Jose E. Marchesi) [2.17-55.5] - Rebuild and run regression testing. [2.17-55.4] - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183535). [2.17-55.3] - Fix wordexp() to honour WRDE_NOCMD (CVE-2014-7817, #1170118) [2.17-55.2] - ftell: seek to end only when there are unflushed bytes (#1170187). [2.17-55.1] - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, Oracle Linux 6 : [2.12-1.149.5] - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533). CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0235 Oracle Linux 6 Oracle Linux 7 [0.1.3-4] - Add patch for CVE-2014-9130 (RHBZ#1169369) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9130 Oracle Linux 7 [3.10.0-123.20.1] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-123.20.1] - [fs] seq_file: don't include mm.h in genksyms calculation (Ian Kent) [1184152 1183280] [3.10.0-123.19.1] - [mm] shmem: fix splicing from a hole while it's punched (Denys Vlasenko) [1118244 1118245] {CVE-2014-4171} - [mm] shmem: fix faulting into a hole, not taking i_mutex (Denys Vlasenko) [1118244 1118245] {CVE-2014-4171} - [mm] shmem: fix faulting into a hole while it's punched (Denys Vlasenko) [118244 1118245] {CVE-2014-4171} - [x86] traps: stop using IST for #SS (Petr Matousek) [1172812 1172813] {CVE-2014-9322} - [net] vxlan: fix incorrect initializer in union vxlan_addr (Daniel Borkmann) [1156611 1130643] - [net] vxlan: fix crash when interface is created with no group (Daniel Borkmann) [1156611 1130643] - [net] vxlan: fix nonfunctional neigh_reduce() (Daniel Borkmann) [1156611 1130643] - [net] vxlan: fix potential NULL dereference in arp_reduce() (Daniel Borkmann) [1156611 1130643] - [net] vxlan: remove unused port variable in vxlan_udp_encap_recv() (Daniel Borkmann) [1156611 1130643] - [net] vxlan: remove extra newline after function definition (Daniel Borkmann) [1156611 1130643] - [net] etherdevice: Use ether_addr_copy to copy an Ethernet address (Stefan Assmann) [1156611 1091126] - [fs] splice: perform generic write checks (Eric Sandeen) [1163799 1155907] {CVE-2014-7822} - [fs] eliminate BUG() call when there's an unexpected lock on file close (Frank Sorenson) [1172266 1148130] - [net] sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [1163094 1154002] {CVE-2014-7841} - [fs] lockd: Try to reconnect if statd has moved (Benjamin Coddington) [1150889 1120850] - [fs] sunrpc: Don't wake tasks during connection abort (Benjamin Coddington) [1150889 1120850] - [fs] cifs: NULL pointer dereference in SMB2_tcon (Jacob Tanenbaum) [1147528 1147529] {CVE-2014-7145} - [net] ipv6: addrconf: implement address generation modes (Jiri Pirko) [1144876 1107369] - [net] gre: add link local route when local addr is any (Jiri Pirko) [1144876 1107369] - [net] gre6: don't try to add the same route two times (Jiri Pirko) [1144876 1107369] - [fs] isofs: unbound recursion when processing relocated directories (Jacob Tanenbaum) [1142270 1142271] {CVE-2014-5471 CVE-2014-5472} - [fs] fs: seq_file: fallback to vmalloc allocation (Ian Kent) [1140302 1095623] - [fs] fs: /proc/stat: convert to single_open_size() (Ian Kent) [1140302 1095623] - [fs] fs: seq_file: always clear m->count when we free m->buf (Ian Kent) [1140302 1095623] [3.10.0-123.18.1] - [net] ipv6: fib: fix fib dump restart (Panu Matilainen) [1172795 1163605] - [net] ipv6: drop unused fib6_clean_all_ro() function and rt6_proc_arg struct (Panu Matilainen) [1172795 1163605] - [net] ipv6: avoid high order memory allocations for /proc/net/ipv6_route (Panu Matilainen) [1172795 1163605] - [mm] numa: Remove BUG_ON() in __handle_mm_fault() (Rik van Riel) [1170662 1119439] - [fs] aio: fix race between aio event completion and reaping (Jeff Moyer) [1154172 1131312] [3.10.0-123.17.1] - [ethernet] mlx4: Protect port type setting by mutex (Amir Vadai) [1162733 1095345] [3.10.0-123.16.1] - [fs] aio: block exit_aio() until all context requests are completed (Jeff Moyer) [1163992 1122092] - [fs] aio: add missing smp_rmb() in read_events_ring (Jeff Moyer) [1154172 1131312] - [fs] aio: fix reqs_available handling (Jeff Moyer) [1163992 1122092] - [fs] aio: report error from io_destroy() when threads race in io_destroy() (Jeff Moyer) [1163992 1122092] - [fs] aio: block io_destroy() until all context requests are completed (Jeff Moyer) [1163992 1122092] - [fs] aio: v4 ensure access to ctx->ring_pages is correctly serialised for migration (Jeff Moyer) [1163992 1122092] - [fs] aio/migratepages: make aio migrate pages sane (Jeff Moyer) [1163992 1122092] - [fs] aio: clean up and fix aio_setup_ring page mapping (Jeff Moyer) [1163992 1122092] [3.10.0-123.15.1] - [scsi] ipr: wait for aborted command responses (Gustavo Duarte) [1162734 1156530] - [scsi] reintroduce scsi_driver.init_command (Ewan Milne) [1146983 1105204] - [block] implement an unprep function corresponding directly to prep (Ewan Milne) [1146983 1105204] - [scsi] Revert: reintroduce scsi_driver.init_command (Ewan Milne) [1146983 1105204] [3.10.0-123.14.1] - [fs] nfs: Fix another nfs4_sequence corruptor (Steve Dickson) [1162073 1111170] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-4171 CVE-2014-5471 CVE-2014-5472 CVE-2014-7841 CVE-2014-7145 CVE-2014-7822 Oracle Linux 7 [1:5.5.41-2] - Include new certificate for tests Resolves: #1186109 [1:5.5.41-1] - Rebase to 5.5.41 Also fix: CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0411 CVE-2015-0432 Resolves: #1186109 [1:5.5.40-2] - Fix header to let dependencies to build fine Resolves: #1177836 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0411 CVE-2015-0432 Oracle Linux 5 kernel [2.6.18-402.0.0.0.1] - [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078] - ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772] - i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649] - [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030] - [oprofile] export __get_user_pages_fast() function [orabug 14277030] - [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030] - [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030] - [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030] - [kernel] Initialize the local uninitialized variable stats. [orabug 14051367] - [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763] - [x86 ] fix fpu context corrupt when preempt in signal context [orabug 14038272] - [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075] - fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan) - [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan) - [x86] Fix lvt0 reset when hvm boot up with noapic param - [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason) [orabug 12342275] - [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346] - [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566] - [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042] - [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646] - fix filp_close() race (Joe Jin) [orabug 10335998] - make xenkbd.abs_pointer=1 by default [orabug 67188919] - [xen] check to see if hypervisor supports memory reservation change (Chuck Anderson) [orabug 7556514] - [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki) [orabug 10315433] - [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258] - [mm] Patch shrink_zone to yield during severe mempressure events, avoiding hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839] - [mm] Enhance shrink_zone patch allow full swap utilization, and also be NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919] - fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042] - [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson) [orabug 9107465] - [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson) [orabug 9764220] - Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615] - fix overcommit memory to use percpu_counter for (KOSAKI Motohiro, Guru Anbalagane) [orabug 6124033] - [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208] - [ib] fix memory corruption (Andy Grover) [orabug 9972346] - [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203] - [usb] usbcore: fix refcount bug in endpoint removal (Junxiao Bi) [orabug 14795203] MODERATE Copyright 2015 Oracle, Inc. CVE-2014-7822 Oracle Linux 5 kernel [2.6.18-402] - [block] virtio: Reset device after blk_cleanup_queue() (Stefan Hajnoczi) [1006536] - [block] virtio: Call del_gendisk() before disable guest kick (Stefan Hajnoczi) [1006536] - [block] virtio: Drop unused request tracking list (Stefan Hajnoczi) [1006536] - [fs] cifs: setfacl removes part of ACL when setting POSIX ACLs (Sachin Prabhu) [1105625] - [fs] splice: perform generic write checks (Eric Sandeen) [1155908] {CVE-2014-7822} - [fs] ext4: verify block bitmap (Lukas Czerner) [1034403] - [fs] ext4: fix type declaration of ext4_validate_block_bitmap (Lukas Czerner) [1034403] - [fs] ext4: error out if verifying the block bitmap fails (Lukas Czerner) [1034403] - [x86] traps: stop using IST for #SS (Petr Matousek) [1172809] {CVE-2014-9322} [2.6.18-401] - [net] rds: fix possible double free on sock tear down (Herton R. Krzesinski) [1116880] MODERATE Copyright 2015 Oracle, Inc. CVE-2014-7822 Oracle Linux 6 [1.6.11-12] - mod_dav_svn fix for CVE-2014-3580 backport [1.6.11-11] - add security fixes for CVE-2014-3528, CVE_2014-3580 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3528 CVE-2014-3580 Oracle Linux 7 [1.7.14-7] - add security fixes for CVE-2014-3528, CVE-2014-3580, CVE-2014-8108 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3528 CVE-2014-3580 CVE-2014-8108 Oracle Linux 5 [3.6.23-9] - related: #1191608 - Update patchset for CVE-2015-0240. [3.6.23-8] - resolves: #1191608 - CVE-2015-0240: RCE in netlogon. CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0240 Oracle Linux 6 [4.0.0-66.rc4] - related: #1191387 - Update patchset for CVE-2015-0240. [4.0.0-65.rc4] - resolves: #1191387 - CVE-2015-0240: RCE in netlogon. CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0240 Oracle Linux 6 [3.6.23-14.0.1] - Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 18253258] [3.6.23-14] - related: #1191338 - Update patchset for CVE-2015-0240. [3.6.23-13] - resolves: #1191338 - CVE-2015-0240: RCE in netlogon. CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0240 Oracle Linux 7 [4.1.1-38] - resolves: #1194132 - CVE-2015-0240: RCE in netlogon server. IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0240 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 firefox [31.5.0-2.0.1.el7_0] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [31.5.0-2] - Update to 31.5.0 ESR Build 2 xulrunner [31.5.0-1.0.1-el7_0] - Replaced xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js - Removed XULRUNNER_VERSION from SOURCE21 [31.5.0-1] - Update to 31.5.0 ESR [31.4.0-2] - Added -std=gnu++0x to libxul library build flags (rhbz#1170226) CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836 Oracle Linux 5 Oracle Linux 6 [31.5.0-1.0.1.el6_6] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [31.5.0-1] - Update to 31.5.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836 Oracle Linux 7 [3.10.0-229] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229] - [net] rtnetlink: allow to register ops without ops->setup set (Jiri Benc) [1186492] [3.10.0-228] - [fs] NFSv4.1: Fix an Oops in nfs41_walk_client_list (Steve Dickson) [1185784] - [misc] redhat: dont suppress Revert patches from changelog (Jarod Wilson) [1187353] - [infiniband] Revert: ipoib: Consolidate rtnl_lock tasks in workqueue (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: Make the carrier_on_task race aware (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: fix MCAST_FLAG_BUSY usage (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: fix mcast_dev_flush/mcast_restart_task race (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: change init sequence ordering (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: Use dedicated workqueues per interface (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: Make ipoib_mcast_stop_thread flush the workqueue (Doug Ledford) [1179740] - [infiniband] Revert: ipoib: No longer use flush as a parameter (Doug Ledford) [1179740] - [fs] fix deadlock in cifs_ioctl_clone() (Sachin Prabhu) [1183980] - [md] dm-cache: fix missing ERR_PTR returns and handling (Mike Snitzer) [1182665] - [fs] cifs: fix regression in cifs_create_mf_symlink() (Sachin Prabhu) [1186324] - [net] ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [1181819] - [fs] coredump: add new P variable in core_pattern (Jiri Olsa) [1186360] - [drm] fix fb-helper vs MST dangling connector ptrs (Rob Clark) [1184968] - [net] bridge: Program port vlan filters only if filtering is enabled in bridge (Vlad Yasevich) [1183958] - [fs] cifs: Complete oplock break jobs before closing file handle (Sachin Prabhu) [1177215] - [fs] LOCKD: Fix a race when initialising nlmsvc_timeout (Benjamin Coddington) [1144982] - [scsi] hpsa: add in P840ar controller model name (Joseph Szczypek) [1185467] - [scsi] hpsa: add in gen9 controller model names (Joseph Szczypek) [1185467] [3.10.0-227] - [fs] ext4: fix overwrite race condition (Jacob Tanenbaum) [1152607] {CVE-2014-8086} - [media] ttusb-dec: buffer overflow in ioctl (Alexander Gordeev) [1167116] {CVE-2014-8884} - [drm] i915: demote opregion excessive timeout WARN_ONCE to DRM_INFO_ONCE (Rob Clark) [1145627] - [md] Revert: raid56: Dont perform reads to support writes until stripe is ready (Jes Sorensen) [1153796] - [md] Revert: raid5: avoid livelock caused by non-aligned writes (Jes Sorensen) [1153796] - [drm] i915: further quiet i915 (Rob Clark) [1163074] - [scsi] megaraid_sas: endianness related bug fixes and code optimization (Tomas Henzl) [1179748] - [s390] crypto: kernel oops at insmod of the z90crypt device driver (Hendrik Brueckner) [1172136] - [drm] mgag200: Add command line option to specify preferred depth (Dave Airlie) [1044555] - [drm] mgag200: Consolidate depth/bpp handling (Dave Airlie) [1044555] - [fs] Revert: ext4: revert Disable punch hole on non-extent mapped files (Lukas Czerner) [1176840] [3.10.0-226] - [md] dm-cache: fix problematic dual use of a single migration count variable (Mike Snitzer) [1182665] - [md] dm-cache: share cache-metadata object across inactive and active DM tables (Mike Snitzer) [1182665] - [net] tun/macvtap: use consume_skb() instead of kfree_skb() when needed (Jiri Pirko) [1182805] - [virt] Revert: hyperv: Add handler for RNDIS_STATUS_NETWORK_CHANGE event (Jason Wang) [1164163] - [virt] kvm/vmx: invalid host cr4 handling across vm entries (Jacob Tanenbaum) [1153329] {CVE-2014-3690} - [virt] virtio-scsi: Fix the race condition in virtscsi_handle_event (Fam Zheng) [1152140] - [virt] kvm: workaround SuSEs 2.6.16 pvclock vs masterclock issue (Marcelo Tosatti) [1177718] - [fs] bdi: avoid oops on device removal (Fam Zheng) [1087179] - [mm] backing_dev: fix hung task on sync (Fam Zheng) [1087179] - [mm] Revert: vmstat: create separate function to fold per cpu diffs into local counters (Larry Woodman) [1179654] - [mm] Revert: vmstat: create fold_diff (Larry Woodman) [1179654] - [mm] Revert: vmstat: use this_cpu() to avoid irqon/off sequence in refresh_cpu_vm_stats (Larry Woodman) [1179654] - [mm] Revert: vmstat: on-demand vmstat workers V8 (Larry Woodman) [1179654] [3.10.0-225] - [net] team: avoid possible underflow of count_pending value for notify_peers and mcast_rejoin (Jiri Pirko) [1176697] - [fs] seq_file: dont include mm.h in genksyms calculation (Ian Kent) [1183280] - [scsi] Avoid crashing if device uses DIX but adapter does not support it (Ewan Milne) [1093012] [3.10.0-224] - [fs] xfs: catch invalid negative blknos in _xfs_buf_find() (Eric Sandeen) [1164128] - [fs] proc: make proc_fd_permission() thread-friendly (Carlos Maiolino) [1171242] - [fs] rpc: fix xdr_truncate_encode to handle buffer ending on page boundary ('J. Bruce Fields') [1176641] - [fs] nfs: nfs4_fl_prepare_ds, fix bugs when the connect attempt fails (Steve Dickson) [1113248] - [fs] gfs2: fix bad inode i_goal values during block allocation (Abhijith Das) [1144209] - [fs] nfsd: allow turning off nfsv3 readdir_plus (Steve Dickson) [1178949] - [fs] nfsd4: fix xdr4 count of server in fs_location4 (Benjamin Coddington) [1164055] - [fs] nfsd4: fix xdr4 inclusion of escaped char (Benjamin Coddington) [1164055] - [fs] xfs: replace global xfslogd wq with per-mount wq (Brian Foster) [1155929] - [fs] xfs: mark all internal workqueues as freezable (Brian Foster) [1155929] - [fs] overlayfs: Add call to mark_tech_preview (BZ 1180613) (David Howells) [1180613] - [fs] aio: fix uncorrent dirty pages accouting when truncating AIO ring buffer (Jeff Moyer) [1159346] - [infiniband] ocrdma: fix hardcoded max cqe and max send wr (Doug Ledford) [1158148] - [crypto] aesni-intel: Add support for 192 & 256 bit keys to AESNI RFC4106 (Jarod Wilson) [1176266] - [block] blk-mq: Fix a use-after-free (Fam Zheng) [1152159] - [crypto] drbg: panic on continuous self test error (Jarod Wilson) [1179496] - [ethernet] mlx4: Cache line CQE/EQE stride fixes (Doug Ledford) [1088499 1173483] - [ethernet] mlx4: Add mlx4_en_get_cqe helper (Doug Ledford) [1088499 1173483] - [ethernet] mlx4: Cache line EQE size support (Doug Ledford) [1088499 1173483] - [infiniband] ocrdma: Fix ocrdma_query_qp() to report q_key value for UD QPs (Doug Ledford) [1167256] - [infiniband] ocrdma: Always resolve destination mac from GRH for UD QPs (Doug Ledford) [1167256] - [net] gre: fix the inner mac header in nbma tunnel xmit path (Alexander Duyck) [1168608] [3.10.0-223] - [md] dm-thin: fix crash by initializing thin devices refcount and completion earlier (Mike Snitzer) [1175282] - [scsi] storvsc: Fix a bug in storvsc limits (Vitaly Kuznetsov) [1174162] - [iser-target] Ignore non TEXT + LOGOUT opcodes for discovery (Andy Grover) [1058736] - [iser-target] Add support for ISCSI_OP_TEXT opcode + payload handling (Andy Grover) [1058736] - [iser-target] Rename sense_buf_dma/len to pdu_dma/len (Andy Grover) [1058736] - [iscsi-target] Add IFC_SENDTARGETS_SINGLE support (Andy Grover) [1058736] - [iscsi-target] Move sendtargets parsing into iscsit_process_text_cmd (Andy Grover) [1058736] - [iscsi-target] Allow ->MaxXmitDataSegmentLength assignment for iser discovery (Andy Grover) [1058736] - [iscsi-target] Refactor ISCSI_OP_TEXT_RSP TX handling (Andy Grover) [1058736] - [iscsi-target] Refactor ISCSI_OP_TEXT RX handling (Andy Grover) [1058736] - [iscsi] isert-target: Refactor ISCSI_OP_NOOP RX handling (Andy Grover) [1058736] - [net] description of dma_cookie cause make xmldocs warning (Jiri Benc) [1173444] - [net] tcp: make tcp_cleanup_rbuf private (Jiri Benc) [1173444] - [net] net_dma: revert 'copied_early' (Jiri Benc) [1173444] - [net] net_dma: mark broken (Jiri Benc) [1173444] - [net] unix: allow set_peek_off to fail (Jiri Benc) [1123777] - [net] ppp: ppp-ioctl.h: pull in ppp_defs.h (Jiri Benc) [1159802] - [net] bridge: Add filtering support for default_pvid (Vlad Yasevich) [1164653] - [net] bridge: Simplify pvid checks (Vlad Yasevich) [1164653] - [net] bridge: Add a default_pvid sysfs attribute (Vlad Yasevich) [1164653] - [net] bridge: Prepare for 802.1ad vlan filtering support (Vlad Yasevich) [1164653] - [net] bridge: Fix the way to check if a local fdb entry can be deleted (Vlad Yasevich) [1164653] - [net] bridge: Fix the way to insert new local fdb entries in br_fdb_changeaddr (Vlad Yasevich) [1164653] - [net] Remove extern from function prototypes (Vlad Yasevich) [1164653] - [ethernet] mlx5: Add more supported devices (Amir Vadai) [1169277] - [infiniband] mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach (Amir Vadai) [1151331] - [ethernet] mlx4: mlx4_en_set_settings() always fails when autoneg is set (Amir Vadai) [1170129] [3.10.0-222] - [scsi] qla2xxx: Update version number to 8.07.00.08.07.1-k2 (Chad Dupuis) [1085239] - [scsi] qla2xxx: Move mailbox failure messages to a default debug level (Chad Dupuis) [1085239] - [security] commoncap: dont alloc the credential unless needed in cap_task_prctl (Paul Moore) [1056347] - [iommu] vt-d: Fix dmar_domain leak in iommu_attach_device (Myron Stowe) [1109829] - [iommu] vt-d: Only remove domain when device is removed (Myron Stowe) [1109829] - [base] core: Add BUS_NOTIFY_REMOVED_DEVICE event (Myron Stowe) [1109829] - [powerpc] kdump: Ignore failure in enabling big endian exception during crash (Steve Best) [1170362] - [infiniband] srpt: convert printks to pr_* functions (Doug Ledford) [1174910] - [infiniband] srpt: Handle GID change events (Doug Ledford) [1174910] - [input] alps: fix v4 button press recognition (Benjamin Tissoires) [1107819] - [input] alps: v7 - document the v7 touchpad packet protocol (Benjamin Tissoires) [1107819] - [input] alps: v7 - fix finger counting for > 2 fingers on clickpads (Benjamin Tissoires) [1107819] - [input] alps: v7 - sometimes a single touch is reported in mt[1] (Benjamin Tissoires) [1107819] - [input] alps: v7 - ignore new packets (Benjamin Tissoires) [1107819] - [powerpc] perf/hv-24x7: Use kmem_cache_free() instead of kfree (Gustavo Duarte) [1171795] - [powerpc] perf/hv-24x7: Use per-cpu page buffer (Gustavo Duarte) [1171795] - [powerpc] perf/hv-24x7: use kmem_cache instead of aligned stack allocations (Gustavo Duarte) [1171795] - [powerpc] perf/hv-24x7: Use kmem_cache_free (Gustavo Duarte) [1171795] - [powerpc] Fill in si_addr_lsb siginfo field (Gustavo Duarte) [1173267] - [powerpc] Add VM_FAULT_HWPOISON handling to powerpc page fault handler (Gustavo Duarte) [1173267] - [fs] dlm: fix missing endian conversion of rcom_status flags (Andrew Price) [1175900] - [scsi] add Intel Multi-Flex to scsi scan blacklist (Hannes Frederic Sowa) [1175862] - [scsi] do not issue SCSI RSOC command to Promise Vtrak E610f (Hannes Frederic Sowa) [1175862] - [scsi] scsi_lib: rate-limit the error message from failing commands (Tomas Henzl) [1175785] - [scsi] iscsi_ibft: Fix finding Broadcom specific ibft sign (Chris Leech) [1095169] [3.10.0-221] - [ethernet] enic: fix rx skb checksum (Stefan Assmann) [1154182] - [x86] uv: make kdump default action for 'power nmi' (George Beshers) [1175560] - [virt] powerpc/kvm: book3s_hv - Fix KSM memory corruption (David Gibson) [1170394] - [pci] Revert: Remove from bus_list and release resources in pci_release_dev() (Prarit Bhargava) [1172946] - [powercap] rapl: add support for CPU model 0x3f (Rui Wang) [1177579] - [kernel] audit: dont attempt to lookup PIDs when changing PID filtering audit rules (Paul Moore) [1172624] - [ethernet] ixgbe: avoid possible read_reg panic caused by late method binding (John Greene) [1145772] - [ethernet] ixgbe: bump version number (John Greene) [1145772] - [ethernet] ixgbe: Add X550 support function pointers (John Greene) [1145772] - [ethernet] ixgbe: Add new support for X550 MACs (John Greene) [1145772] - [ethernet] ixgbe: Add x550 SW/FW semaphore support (John Greene) [1145772] - [ethernet] ixgbe: add methods for combined read and write operations (John Greene) [1145772] - [ethernet] ixgbe: cleanup checksum to allow error results (John Greene) [1145772] - [ethernet] ixgbe: Add timeout parameter to ixgbe_host_interface_command (John Greene) [1145772] - [ethernet] ixgbe: Fix spurious release of semaphore in EEPROM access (John Greene) [1145772] - [drm] i915: remove the IRQs enabled WARN from intel_disable_gt_powersave (Rob Clark) [1173317] - [drm] i915: tame the chattermouth (Rob Clark) [1173317] - [drm] ttm: Avoid memory allocation from shrinker functions (Rob Clark) [1173317] - [drm] ttm: Fix possible stack overflow by recursive shrinker calls (Rob Clark) [1173317] - [drm] ttm: Use mutex_trylock() to avoid deadlock inside shrinker functions (Rob Clark) [1173317] - [drm] video/fb: Propagate error code from failing to unregister conflicting fb (Rob Clark) [1173317] - [drm] i915: save/restore GMBUS freq across suspend/resume on gen4 (Rob Clark) [1173317] - [drm] i915: resume MST after reading back hw state (Rob Clark) [1173317] - [drm] dp-mst: Remove branches before dropping the reference (Rob Clark) [1173317] - [drm] fb_helper: move deferred fb checking into restore mode (Rob Clark) [1173317] - [drm] dp: retry AUX transactions 32 times (v1.1) (Rob Clark) [1173317] - [drm] i915: Ignore long hpds on eDP ports (Rob Clark) [1173317] - [drm] i915/dp: only use training pattern 3 on platforms that support it (Rob Clark) [1173317] - [drm] radeon: sync all BOs involved in a CS (Rob Clark) [1173317] - [drm] radeon: kernel panic in drm_calc_vbltimestamp_from_scanoutpos with 3.18.0-rc6 (Rob Clark) [1173317] - [drm] i915: Unlock panel even when LVDS is disabled (Rob Clark) [1173317] - [drm] i915: More cautious with pch fifo underruns (Rob Clark) [1173317] - [drm] i915: Ignore SURFLIVE and flip counter when the GPU gets reset (Rob Clark) [1173317] - [drm] i915: Kick fbdev before vgacon (Rob Clark) [1173317] - [drm] i915: Handle failure to kick out a conflicting fb driver (Rob Clark) [1173317] - [drm] i915: drop WaSetupGtModeTdRowDispatch:snb (Rob Clark) [1173317] - [drm] radeon: add locking around atombios scratch space usage (Rob Clark) [1173317] - [drm] radeon: add missing crtc unlock when setting up the MC (Rob Clark) [1173317] - [drm] i915: Disable caches for Global GTT (Rob Clark) [1173317] - [drm] i915: Do not leak pages when freeing userptr objects (Rob Clark) [1173317] - [drm] ast: Fix HW cursor image (Rob Clark) [1173317] - [drm] radeon: Use drm_malloc_ab instead of kmalloc_array (Rob Clark) [1173317] - [drm] radeon/dpm: disable ulv support on SI (Rob Clark) [1173317] - [drm] i915: Do a dummy DPCD read before the actual read (Rob Clark) [1173317] - [drm] nouveau/bios: memset dcb struct to zero before parsing (Rob Clark) [1173317] - [drm] nv50/disp: fix dpms regression on certain boards (Rob Clark) [1173317] - [drm] nouveau/ltc: fix cbc issues on certain boards (Rob Clark) [1173317] - [drm] nouveau/ltc: fix tag base address getting truncated if above 4GiB (Rob Clark) [1173317] - [drm] nvc0-/fb/ram: fix use of non-existant ram if partitions arent uniform (Rob Clark) [1173317] - [drm] nouveau/bar: behave better if ioremap failed (Rob Clark) [1173317] - [drm] nouveau: make sure display hardware is reinitialised on runtime resume (Rob Clark) [1173317] - [drm] nouveau: punt fbcon resume out to a workqueue (Rob Clark) [1173317] - [drm] nouveau/kms: restore acceleration before fb_set_suspend() resumes (Rob Clark) [1173317] - [drm] nouveau/kms: take more care when pulling down accelerated fbcon (Rob Clark) [1173317] - [drm] i915: Flush the PTEs after updating them before suspend (Rob Clark) [1153301] - [drm] radeon/cik: use a separate counter for CP init timeout (Rob Clark) [1173317] - [drm] radeon/dpm: fix resume on mullins (Rob Clark) [1173317] - [drm] radeon: dont reset dma on r6xx-evergreen init (Rob Clark) [1173317] - [drm] radeon: dont reset sdma on CIK init (Rob Clark) [1173317] - [drm] radeon: dont reset dma on NI/SI init (Rob Clark) [1173317] - [drm] radeon: add connector quirk for fujitsu board (Rob Clark) [1173317] - [drm] radeon/dpm: set the thermal type properly for special configs (Rob Clark) [1173317] - [drm] radeon: fix semaphore value init (Rob Clark) [1173317] - [drm] radeon: handle broken disabled rb mask gracefully (6xx/7xx) (Rob Clark) [1173317] - [drm] radeon: fix active_cu mask on SI and CIK after re-init (v3) (Rob Clark) [1173317] - [drm] radeon: fix active cu count for SI and CIK (Rob Clark) [1173317] - [drm] radeon: fix pm handling in radeon_gpu_reset (Rob Clark) [1173317] - [drm] radeon: properly document reloc priority mask (Rob Clark) [1173317] - [drm] radeon/dpm: select the appropriate vce power state for KV/KB/ML (Rob Clark) [1173317] - [drm] radeon: Add missing lines to ci_set_thermal_temperature_range (Rob Clark) [1173317] - [drm] radeon: Add ability to get and change dpm state when radeon PX card is turned off (Rob Clark) [1173317] - [drm] vmwgfx: Fix a potential infinite spin waiting for fifo idle (Rob Clark) [1173317] - [drm] ast: AST2000 cannot be detected correctly (Rob Clark) [1173317] - [drm] ast: open key before detect chips (Rob Clark) [1173317] - [drm] i915: Dont leak command parser tables on suspend/resume (Rob Clark) [1153301] - [drm] i915/hdmi: fix hdmi audio state readout (Rob Clark) [1153301] - [drm] i915: Wait for vblank before enabling the TV encoder (Rob Clark) [1153301] - [drm] i915: Fix EIO/wedged handling in gem fault handler (Rob Clark) [1153301] - [drm] i915: Fix lock dropping in intel_tv_detect() (Rob Clark) [1153301] - [drm] i915: Remove bogus __init annotation from DMI callbacks (Rob Clark) [1153301] - [drm] i915: Ignore VBT backlight presence check on Acer C720 (4005U) (Rob Clark) [1153301] - [drm] i915: fix plane/cursor handling when runtime suspended (Rob Clark) [1153301] - [drm] i915: dont try to retrain a DP link on an inactive CRTC (Rob Clark) [1153301] - [drm] i915: Fix locking for intel_enable_pipe_a() (Rob Clark) [1153301] - [drm] i915: Skip load detect when intel_crtc->new_enable==true (Rob Clark) [1153301] - [drm] i915: Disable RCS flips on Ivybridge (Rob Clark) [1153301] - [drm] i915: read HEAD register back in init_ring_common() to enforce ordering (Rob Clark) [1153301] - [drm] i915: Fix crash when failing to parse MIPI VBT (Rob Clark) [1153301] - [drm] radeon: tweak ACCEL_WORKING2 query for hawaii (Rob Clark) [1173317] - [drm] radeon/atom: add new voltage fetch function for hawaii (Rob Clark) [1173317] - [drm] radeon: set VM base addr using the PFP (Rob Clark) [1173317] - [drm] radeon: load the lm63 driver for an lm64 thermal chip (Rob Clark) [1173317] - [drm] radeon: re-enable dpm by default on BTC (Rob Clark) [1173317] - [drm] radeon: re-enable dpm by default on cayman (Rob Clark) [1173317] - [drm] radeon/dpm: handle voltage info fetching on hawaii (Rob Clark) [1173317] - [drm] ttm: Choose a pool to shrink correctly in ttm_dma_pool_shrink_scan() (Rob Clark) [1173317] - [drm] ttm: Fix possible division by 0 in ttm_dma_pool_shrink_scan() (Rob Clark) [1173317] - [drm] ttm: fix handling of TTM_PL_FLAG_TOPDOWN (Rob Clark) [1173317] - [drm] nouveau: Bump version from 1.1.1 to 1.1.2 (Rob Clark) [1173317] - [drm] nouveau: Dis/Enable vblank irqs during suspend/resume (Rob Clark) [1173317] - [drm] radeon: add additional SI pci ids (Rob Clark) [1173317] - [drm] radeon: add new bonaire pci ids (Rob Clark) [1173317] - [drm] radeon: add new KV pci id (Rob Clark) [1173317] - [powerpc] add little endian flag to syscall_get_arch() (Richard Guy Briggs) [1169461] - [powerpc] simplify syscall_get_arch() (Richard Guy Briggs) [1169461] [3.10.0-220] - [scsi] libcxgbi: fix freeing skb prematurely (Sai Vemuri) [1174982] - [scsi] cxgb4i: use set_wr_txq() to set tx queues (Sai Vemuri) [1174982] - [scsi] cxgb4i: handle non-pdu-aligned rx data (Sai Vemuri) [1174982] - [scsi] cxgb4i: additional types of negative advice (Sai Vemuri) [1174982] - [scsi] cxgb4i: set the max. pdu length in firmware (Sai Vemuri) [1174982] - [scsi] cxgb4i: fix credit check for tx_data_wr (Sai Vemuri) [1174982] - [scsi] cxgb4i: fix tx immediate data credit check (Sai Vemuri) [1174982] - [net] ipv6: update Destination Cache entries when gateway turn into host (Jiri Pirko) [1114781] - [net] ipsec: Dont update the pmtu on ICMPV6_DEST_UNREACH (Herbert Xu) [1158771] - [s390] zfcp: remove access control tables interface (port leftovers) (Hendrik Brueckner) [1173553] - [x86] perf: Use extended offcore mask on Haswell (Don Zickus) [1170795] - [fs] ovl: ovl_dir_fsync() cleanup (David Howells) [985875] - [fs] ovl: pass dentry into ovl_dir_read_merged() (David Howells) [985875] - [fs] ovl: use lockless_dereference() for upperdentry (David Howells) [985875] - [fs] ovl: allow filenames with comma (David Howells) [985875] - [fs] ovl: fix race in private xattr checks (David Howells) [985875] - [fs] ovl: fix remove/copy-up race (David Howells) [985875] - [fs] ovl: rename filesystem type to 'overlay' (David Howells) [985875] - [fs] Dont warn if both ->rename() and ->rename2() iops are defined (David Howells) [985875] - [fs] overlayfs: Fix the kABI for overlayfs (David Howells) [985875] - [fs] overlayfs: dont poison cursor (David Howells) [985875] - [fs] overlayfs: initialize ->is_cursor (David Howells) [985875] - [fs] overlayfs: fix lockdep misannotation (David Howells) [985875] - [fs] overlayfs: fix check for cursor (David Howells) [985875] - [fs] overlayfs: barriers for opening upper-layer directory (David Howells) [985875] - [kernel] rcu: Provide counterpart to rcu_dereference() for non-RCU situations (David Howells) [985875] - [fs] overlayfs: embed middle into overlay_readdir_data (David Howells) [985875] - [fs] overlayfs: embed root into overlay_readdir_data (David Howells) [985875] - [fs] overlayfs: make ovl_cache_entry->name an array instead of pointer (David Howells) [985875] - [fs] overlayfs: dont hold ->i_mutex over opening the real directory (David Howells) [985875] - [fs] overlayfs: limit filesystem stacking depth (David Howells) [985875] - [fs] overlayfs: overlay filesystem documentation (David Howells) [985875] - [fs] overlayfs: implement show_options (David Howells) [985875] - [fs] overlayfs: add statfs support (David Howells) [985875] - [fs] overlayfs: filesystem (David Howells) [985875] - [mm] shmem: support RENAME_WHITEOUT (David Howells) [985875] - [fs] ext4: support RENAME_WHITEOUT (David Howells) [985875] - [fs] vfs: add RENAME_WHITEOUT (David Howells) [985875] - [fs] vfs: add whiteout support (David Howells) [985875] - [fs] vfs: export check_sticky() (David Howells) [985875] - [fs] vfs: introduce clone_private_mount() (David Howells) [985875] - [fs] vfs: export __inode_permission() to modules (David Howells) [985875] - [fs] vfs: export do_splice_direct() to modules (David Howells) [985875] - [fs] vfs: add i_op->dentry_open() (David Howells) [985875] - [fs] namei: trivial fix to vfs_rename_dir comment (David Howells) [985875] - [fs] cifs: support RENAME_NOREPLACE (David Howells) [985875] - [fs] hostfs: support rename flags (David Howells) [985875] - [mm] shmem: support RENAME_EXCHANGE (David Howells) [985875] - [mm] shmem: support RENAME_NOREPLACE (David Howells) [985875] - [fs] btrfs: add RENAME_NOREPLACE (David Howells) [985875] - [fs] bad_inode: add ->rename2() (David Howells) [985875] - [fs] call rename2 if exists (David Howells) [985875] - [fs] fuse: restructure ->rename2() (David Howells) [985875] - [fs] fuse: add renameat2 support (David Howells) [985875] - [fs] dcache: fix races between __d_instantiate() and checks of dentry flags (David Howells) [985875] - [fs] ext4: add cross rename support (David Howells) [985875] - [fs] vfs: add cross-rename (David Howells) [985875] - [fs] vfs: lock_two_nondirectories - allow directory args (David Howells) [985875] - [security] add flags to rename hooks (David Howells) [985875] - [fs] vfs: add RENAME_NOREPLACE flag (David Howells) [985875] - [fs] vfs: add renameat2 syscall (David Howells) [985875] - [fs] namei: use common code for dir and non-dir (David Howells) [985875] - [fs] namei: move d_move() up (David Howells) [985875] - [fs] vfs: add d_is_dir() (David Howells) [985875] - [fs] vfs: Put a small type field into struct dentry::d_flags (David Howells) [985875] [3.10.0-219] - [mm] vmstat: on-demand vmstat workers V8 (Larry Woodman) [1157802] - [mm] vmstat: use this_cpu() to avoid irqon/off sequence in refresh_cpu_vm_stats (Larry Woodman) [1157802] - [mm] vmstat: create fold_diff (Larry Woodman) [1157802] - [mm] vmstat: create separate function to fold per cpu diffs into local counters (Larry Woodman) [1157802] - [block] blk-mq: Fix uninitialized kobject at CPU hotplugging (Jeff Moyer) [1169232] - [kernel] audit: AUDIT_FEATURE_CHANGE message format missing delimiting space (Richard Guy Briggs) [1165469] - [fs] NFSv4.1: nfs41_clear_delegation_stateid shouldnt trust NFS_DELEGATED_STATE (Steve Dickson) [1166845] - [fs] NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return (Steve Dickson) [1166845] - [fs] NFS: Dont try to reclaim delegation open state if recovery failed (Steve Dickson) [1166845] - [fs] NFSv4: Ensure that we call FREE_STATEID when NFSv4.x stateids are revoked (Steve Dickson) [1166845] - [fs] NFSv4: Ensure that we remove NFSv4.0 delegations when state has expired (Steve Dickson) [1166845] [3.10.0-218] - [scsi] cxgb4i: Dont block unload/cxgb4 unload when remote closes TCP connection (Sai Vemuri) [1169941] - [kernel] kthread: partial revert of 81c98869faa5 ('kthread: ensure locality of task_struct allocations') (Gustavo Duarte) [953583] - [mm] slub: fall back to node_to_mem_node() node if allocating on memoryless node (Gustavo Duarte) [953583] - [mm] topology: add support for node_to_mem_node() to determine the fallback node (Gustavo Duarte) [953583] - [mm] slub: search partial list on numa_mem_id(), instead of numa_node_id() (Gustavo Duarte) [953583] - [kernel] kthread: ensure locality of task_struct allocations (Gustavo Duarte) [953583] - [md] dm-thin: fix missing out-of-data-space to write mode transition if blocks are released (Mike Snitzer) [1173181] - [md] dm-thin: fix inability to discard blocks when in out-of-data-space mode (Mike Snitzer) [1173181] - [wireless] iwlwifi/mvm: update values for Smart Fifo (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/dvm: fix flush support for old firmware (Stanislaw Gruszka) [1155538] - [wireless] ath5k: fix hardware queue index assignment (Stanislaw Gruszka) [1155538] - [wireless] ath9k: fix BE/BK queue order (Stanislaw Gruszka) [1155538] - [wireless] ath9k_hw: fix hardware queue allocation (Stanislaw Gruszka) [1155538] - [wireless] ath9k: Fix RTC_DERIVED_CLK usage (Stanislaw Gruszka) [1155538] - [wireless] rt2x00: do not align payload on modern H/W (Stanislaw Gruszka) [1155538] - [wireless] mac80211: Fix regression that triggers a kernel BUG with CCMP (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi: fix RFkill while calibrating (Stanislaw Gruszka) [1155538] - [wireless] mac80211: fix use-after-free in defragmentation (Stanislaw Gruszka) [1155538] - [wireless] mac80211: properly flush delayed scan work on interface removal (Stanislaw Gruszka) [1155538] - [wireless] mac80211: schedule the actual switch of the station before CSA count 0 (Stanislaw Gruszka) [1155538] - [wireless] mac80211: use secondary channel offset IE also beacons during CSA (Stanislaw Gruszka) [1155538] - [wireless] rt2x00: add new rt2800usb device (Stanislaw Gruszka) [1155538] - [wireless] Revert: iwlwifi/mvm: treat EAPOLs like mgmt frames wrt rate (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/dvm: drop non VO frames when flushing (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi: configure the LTR (Stanislaw Gruszka) [1155538] - [wireless] mac80211: fix typo in starting baserate for rts_cts_rate_idx (Stanislaw Gruszka) [1155538] - [wireless] rt2x00: add new rt2800usb devices (Stanislaw Gruszka) [1155538] - [wireless] rt2x00: support Ralink 5362 (Stanislaw Gruszka) [1155538] - [wireless] Revert: ath9k: reduce ANI firstep range for older chips (Stanislaw Gruszka) [1155538] - [wireless] rt2800: correct BBP1_TX_POWER_CTRL mask (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi: Add missing PCI IDs for the 7260 series (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/mvm: disable BT Co-running by default (Stanislaw Gruszka) [1155538] - [wireless] nl80211: clear skb cb before passing to netlink (Stanislaw Gruszka) [1155538] - [wireless] ath9k/htc: fix random decryption failure (Stanislaw Gruszka) [1155538] - [wireless] brcmfmac: handle IF event for P2P_DEVICE interface (Stanislaw Gruszka) [1155538] - [wireless] Revert: mac80211: disable uAPSD if all ACs are under ACM (Stanislaw Gruszka) [1155538] - [wireless] rtlwifi/rtl8192cu: Add new ID (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/mvm: set MAC_FILTER_IN_BEACON correctly for STA/P2P client (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/mvm: treat EAPOLs like mgmt frames wrt rate (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi: increase DEFAULT_MAX_TX_POWER (Stanislaw Gruszka) [1155538] - [wireless] iwlwifi/mvm: fix endianity issues with Smart Fifo commands (Stanislaw Gruszka) [1155538] - [wireless] Revert: iwlwifi/dvm: dont enable CTS to self (Stanislaw Gruszka) [1155538] - [wireless] carl9170: fix sending URBs with wrong type when using full-speed (Stanislaw Gruszka) [1155538] [3.10.0-217] - [net] ipv6: yet another new IPV6_MTU_DISCOVER option IPV6_PMTUDISC_OMIT (Hannes Frederic Sowa) [1170116] - [net] ipv4: yet another new IP_MTU_DISCOVER option IP_PMTUDISC_OMIT (Hannes Frederic Sowa) [1170116] - [net] ipv4: use ip_skb_dst_mtu to determine mtu in ip_fragment (Hannes Frederic Sowa) [1170116] - [net] ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing (Hannes Frederic Sowa) [1170116] - [net] ipv6: move ip6_sk_accept_pmtu from generic pmtu update path to ipv6 one (Hannes Frederic Sowa) [1170116] - [net] ipv6: support IPV6_PMTU_INTERFACE on sockets (Hannes Frederic Sowa) [1170116] - [net] udp: do not report ICMP redirects to user space (Hannes Frederic Sowa) [1170116] - [net] ipv4: new ip_no_pmtu_disc mode to always discard incoming frag needed msgs (Hannes Frederic Sowa) [1170116] - [net] inet: make no_pmtu_disc per namespace and kill ipv4_config (Hannes Frederic Sowa) [1170116] - [net] ipv4: improve documentation of ip_no_pmtu_disc (Hannes Frederic Sowa) [1170116] - [net] ipv4: introduce new IP_MTU_DISCOVER mode IP_PMTUDISC_INTERFACE (Hannes Frederic Sowa) [1170116] - [net] xfrm: revert ipv4 mtu determination to dst_mtu (Hannes Frederic Sowa) [1170116] - [net] xfrm: introduce helper for safe determination of mtu (Hannes Frederic Sowa) [1170116] - [net] netfilter: conntrack: disable generic tracking for known protocols (Daniel Borkmann) [1170520] - [net] gre: Fix use-after-free panic in ipgre_rcv() (Panu Matilainen) [1117543] - [net] netfilter: nf_conntrack_h323: lookup route from proper net namespace (Florian Westphal) [1163847] - [net] netfilter: xt_tcpmss: lookup route from proper net namespace (Florian Westphal) [1163847] - [net] netfilter: xt_tcpmss: Get mtu only if clamp-mss-to-pmtu is specified (Florian Westphal) [1163847] - [wireless] cfg80211: dont WARN about two consecutive Country IE hint (Stanislaw Gruszka) [1164282] - [fs] aio: fix race between aio event completion and reaping (Jeff Moyer) [1131312] - [fs] proc/task_mmu: fix missing check during hugepage migration (Jacob Tanenbaum) [1105040] {CVE-2014-3940} - [kernel] trace: insufficient syscall number validation in perf and ftrace subsystems (Jacob Tanenbaum) [1161570] {CVE-2014-7825 CVE-2014-7826} - [ethernet] i40e: get pf_id from HW rather than PCI function (Stefan Assmann) [1078740] - [ethernet] i40e: increase ARQ size (Stefan Assmann) [1078740] - [x86] uv: Update the UV3 TLB shootdown logic (Frank Ramsay) [1170253] - [tools] peeksiginfo: add PAGE_SIZE definition (Steve Best) [1172250] - [base] bus: Fix unbalanced device reference in drivers_probe (Alex Williamson) [1158862] - [char] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma (Gustavo Duarte) [1154818] - [powerpc] kvm: book3s_hv - Reserve cma region only in hypervisor mode (Gustavo Duarte) [1147740] - [x86] traps: stop using IST for #SS (Petr Matousek) [1172813] {CVE-2014-9322} [3.10.0-216] - [acpi] Revert: hotplug/pci: Simplify disable_slot() (Prarit Bhargava) [1158720] - [infiniband] iser: Adjust data_length to include protection information (Amir Vadai) [1107622] - [infiniband] iser: Bump version to 1.4.1 (Amir Vadai) [1107622] - [infiniband] iser: Allow bind only when connection state is UP (Amir Vadai) [1107622] - [infiniband] iser: Fix RX/TX CQ resource leak on error flow (Amir Vadai) [1107622] - [infiniband] iser: Clarify a duplicate counters check (Amir Vadai) [1107622] - [infiniband] iser: Replace connection waitqueue with completion object (Amir Vadai) [1107622] - [infiniband] iser: Protect iser state machine with a mutex (Amir Vadai) [1107622] - [infiniband] iser: Remove redundant return code in iser_free_ib_conn_res() (Amir Vadai) [1107622] - [infiniband] iser: Seperate iser_conn and iscsi_endpoint storage space (Amir Vadai) [1107622] - [infiniband] iser: Fix responder resources advertisement (Amir Vadai) [1107622] - [infiniband] iser: Add TIMEWAIT_EXIT event handling (Amir Vadai) [1107622] - [infiniband] iser: Support IPv6 address family (Amir Vadai) [1107622] - [infiniband] iser: Bump version to 1.4 (Amir Vadai) [1107622] - [infiniband] iser: Add missing newlines to logging messages (Amir Vadai) [1107622] - [infiniband] iser: Fix a possible race in iser connection states transition (Amir Vadai) [1107622] - [infiniband] iser: Simplify connection management (Amir Vadai) [1107622] - [infiniband] iser: Bump driver version to 1.3 (Amir Vadai) [1107622] - [infiniband] iser: Update Mellanox copyright note (Amir Vadai) [1107622] - [infiniband] iser: Print QP information once connection is established (Amir Vadai) [1107622] - [infiniband] iser: Remove struct iscsi_iser_conn (Amir Vadai) [1107622] - [infiniband] iser: Drain the tx cq once before looping on the rx cq (Amir Vadai) [1107622] - [infiniband] iser: Fix sector_t format warning (Amir Vadai) [1107622] - [infiniband] iser: Publish T10-PI support to SCSI midlayer (Amir Vadai) [1107622] - [infiniband] iser: Implement check_protection (Amir Vadai) [1107622] - [infiniband] iser: Support T10-PI operations (Amir Vadai) [1107622] - [infiniband] iser: Initialize T10-PI resources (Amir Vadai) [1107622] - [infiniband] iser: Introduce pi_enable, pi_guard module parameters (Amir Vadai) [1107622] - [infiniband] iser: Generalize fall_to_bounce_buf routine (Amir Vadai) [1107622] - [infiniband] iser: Generalize iser_unmap_task_data and finalize_rdma_unaligned_sg (Amir Vadai) [1107622] - [infiniband] iser: Replace fastreg descriptor valid bool with indicators container (Amir Vadai) [1107622] - [infiniband] iser: Keep IB device attributes under iser_device (Amir Vadai) [1107622] - [infiniband] iser: Move fast_reg_descriptor initialization to a function (Amir Vadai) [1107622] - [infiniband] iser: Push the decision what memory key to use into fast_reg_mr routine (Amir Vadai) [1107622] - [infiniband] iser: Avoid FRWR notation, use fastreg instead (Amir Vadai) [1107622] - [infiniband] iser: Suppress completions for fast registration work requests (Amir Vadai) [1107622] - [infiniband] iser: Fix use after free in iser_snd_completion() (Amir Vadai) [1107622] - [scsi] libiscsi: Add check_protection callback for transports (Amir Vadai) [1107622] - [mm] mem-hotplug: reset node present pages when hot-adding a new pgdat (Motohiro Kosaki) [1156396] - [mm] mem-hotplug: reset node managed pages when hot-adding a new pgdat (Motohiro Kosaki) [1156396] - [mm] make __free_pages_bootmem() only available at boot time (Motohiro Kosaki) [1156396] - [mm] use a dedicated lock to protect totalram_pages and zone->managed_pages (Motohiro Kosaki) [1156396] - [mm] accurately calculate zone->managed_pages for highmem zones (Motohiro Kosaki) [1156396] - [md] dm-cache: fix spurious cell_defer when dealing with partial block at end of device (Mike Snitzer) [1165050] - [md] dm-cache: dirty flag was mistakenly being cleared when promoting via overwrite (Mike Snitzer) [1165050] - [md] dm-cache: only use overwrite optimisation for promotion when in writeback mode (Mike Snitzer) [1165050] - [md] dm-cache: discard block size must be a multiple of cache block size (Mike Snitzer) [1165050] - [md] dm-cache: fix a harmless race when working out if a block is discarded (Mike Snitzer) [1165050] - [md] dm-cache: when reloading a discard bitset allow for a different discard block size (Mike Snitzer) [1165050] - [md] dm-cache: fix some issues with the new discard range support (Mike Snitzer) [1165050] - [md] dm-array: if resizing the array is a noop set the new root to the old one (Mike Snitzer) [1165050] - [md] dm-bufio: fix memleak when using a dm_buffers inline bio (Mike Snitzer) [1165050] - [md] dm: use rcu_dereference_protected instead of rcu_dereference (Mike Snitzer) [1165246] - [md] dm-thin: suspend/resume active thin devices when reloading thin-pool (Mike Snitzer) [1165246] - [md] dm-thin: do not allow thin device activation while pool is suspended (Mike Snitzer) [1165246] - [md] dm-thin: fix a race in thin_dtr (Mike Snitzer) [1165246] - [md] dm-thin: remove stale 'trim' message in block comment above pool_message (Mike Snitzer) [1165246] - [md] dm: update wait_on_bit calls for RHEL (Mike Snitzer) [1165246] - [md] dm: enhance internal suspend and resume interface (Mike Snitzer) [1165246] - [md] dm: add presuspend_undo hook to target_type (Mike Snitzer) [1165246] - [md] dm: return earlier from dm_blk_ioctl if target doesnt implement .ioctl (Mike Snitzer) [1165246] - [md] dm: do not call dm_sync_table() when creating new devices (Mike Snitzer) [1165246] - [md] dm: sparse - Annotate field with __rcu for checking (Mike Snitzer) [1165246] - [md] dm: Use rcu_dereference() for accessing rcu pointer (Mike Snitzer) [1165246] - [md] dm: allow active and inactive tables to share dm_devs (Mike Snitzer) [1165246] - [md] dm-mpath: stop queueing IO when no valid paths exist (Mike Snitzer) [1165246] [3.10.0-215] - [net] vxlan: Do not reuse sockets for a different address family (Marcelo Leitner) [1146107] - [net] vti: Fix kernel panic due to tunnel not being removed on link deletion (Panu Matilainen) [1167725] - [net] sctp: test if association is dead in sctp_wake_up_waiters (Daniel Borkmann) [1166467] - [net] sctp: wake up all assocs if sndbuf policy is per socket (Daniel Borkmann) [1166467] - [net] ip: better estimate tunnel header cut for correct ufo handling (Alexander Duyck) [1159577] - [net] ipv6: gso: remove redundant locking (Alexander Duyck) [1159577] - [net] ipv6: Do not treat a GSO_TCPV4 request from UDP tunnel over IPv6 as invalid (Alexander Duyck) [1159577] - [net] ipv6: fib: fix fib dump restart (Panu Matilainen) [1163605] - [net] ipv6: drop unused fib6_clean_all_ro() function and rt6_proc_arg struct (Panu Matilainen) [1163605] - [net] ipv6: avoid high order memory allocations for /proc/net/ipv6_route (Panu Matilainen) [1163605] - [net] ipv4: Fix incorrect error code when adding an unreachable route (Panu Matilainen) [1165552] - [net] sctp: replace seq_printf with seq_puts (Daniel Borkmann) [1164214] - [net] sctp: add transport state in /proc/net/sctp/remaddr (Daniel Borkmann) [1164214] - [IB] isert: Adjust CQ size to HW limits (Andy Grover) [1166314] - [ib_isert] Add max_send_sge=2 minimum for control PDU responses (Andy Grover) [1166314] - [scsi] megaraid_sas: do not process IOCTLs and SCSI commands during driver removal (Tomas Henzl) [1162645] - [scsi] megaraid_sas: dndinaness related bug fixes (Tomas Henzl) [1162645] - [scsi] megaraid_sas: corrected return of wait_event from abort frame path (Tomas Henzl) [1162645] - [scsi] megaraid_sas: make HBA operational after LD_MAP_SYNC DCMD in OCR path (Tomas Henzl) [1162645] - [scsi] megaraid_sas: online Firmware upgrade support for Extended VD feature (Tomas Henzl) [1162645] - [scsi] megaraid_sas: update MAINTAINERS and copyright information for megaraid drivers (Tomas Henzl) [1162645] - [scsi] megaraid_sas: driver version upgrade and remove some meta data of driver (06.805.06.01-rc1) (Tomas Henzl) [1162645] [3.10.0-214] - [powerpc] Drop useless warning in eeh_init() (Gustavo Duarte) [1156651] - [powerpc] pseries: Decrease message level on EEH initialization (Gustavo Duarte) [1156651] - [net] ceph: fixup includes in pagelist.h (Ilya Dryomov) [1165232] - [net] ceph: change from BUG to WARN for __remove_osd() asserts (Ilya Dryomov) [1165232] - [net] ceph: clear r_req_lru_item in __unregister_linger_request() (Ilya Dryomov) [1165232] - [net] ceph: unlink from o_linger_requests when clearing r_osd (Ilya Dryomov) [1165232] - [net] ceph: do not crash on large auth tickets (Ilya Dryomov) [1165232] - [fs] ceph: fix flush tid comparision (Ilya Dryomov) [1165232] - [net] ceph: eliminate unnecessary allocation in process_one_ticket() (Ilya Dryomov) [1165232] - [block] rbd: Fix error recovery in rbd_obj_read_sync() (Ilya Dryomov) [1165232] - [net] ceph: use memalloc flags for net IO (Ilya Dryomov) [1165232] - [block] rbd: use a single workqueue for all devices (Ilya Dryomov) [1165232] - [fs] ceph: fix divide-by-zero in __validate_layout() (Ilya Dryomov) [1165232] - [block] rbd: rbd workqueues need a resque worker (Ilya Dryomov) [1165232] - [net] ceph: ceph-msgr workqueue needs a resque worker (Ilya Dryomov) [1165232] - [fs] ceph: fix bool assignments (Ilya Dryomov) [1165232] - [net] ceph: separate multiple ops with commas in debugfs output (Ilya Dryomov) [1165232] - [net] ceph: sync osd op definitions in rados.h (Ilya Dryomov) [1165232] - [net] ceph: remove redundant declaration (Ilya Dryomov) [1165232] - [fs] ceph: additional debugfs output (Ilya Dryomov) [1165232] - [fs] ceph: export ceph_session_state_name function (Ilya Dryomov) [1165232] - [fs] ceph: use pagelist to present MDS request data (Ilya Dryomov) [1165232] - [net] ceph: reference counting pagelist (Ilya Dryomov) [1165232] - [fs] ceph: fix llistxattr on symlink (Ilya Dryomov) [1165232] - [fs] ceph: send client metadata to MDS (Ilya Dryomov) [1165232] - [fs] ceph: remove redundant code for max file size verification (Ilya Dryomov) [1165232] - [fs] ceph: move ceph_find_inode() outside the s_mutex (Ilya Dryomov) [1165232] - [fs] ceph: request xattrs if xattr_version is zero (Ilya Dryomov) [1165232] - [block] rbd: set the remaining discard properties to enable support (Ilya Dryomov) [1165232] - [block] rbd: use helpers to handle discard for layered images correctly (Ilya Dryomov) [1165232] - [block] rbd: extract a method for adding object operations (Ilya Dryomov) [1165232] - [block] rbd: make discard trigger copy-on-write (Ilya Dryomov) [1165232] - [block] rbd: tolerate -ENOENT for discard operations (Ilya Dryomov) [1165232] - [block] rbd: fix snapshot context reference count for discards (Ilya Dryomov) [1165232] - [block] rbd: read image size for discard check safely (Ilya Dryomov) [1165232] - [block] rbd: initial discard bits (Ilya Dryomov) [1165232] - [block] rbd: extend the operation type (Ilya Dryomov) [1165232] - [block] rbd: skip the copyup when an entire object writing (Ilya Dryomov) [1165232] - [block] rbd: add img_obj_request_simple() helper (Ilya Dryomov) [1165232] - [block] rbd: access snapshot context and mapping size safely (Ilya Dryomov) [1165232] - [block] rbd: do not return -ERANGE on auth failures (Ilya Dryomov) [1165232] - [net] ceph: dont try checking queue_work() return value (Ilya Dryomov) [1165232] - [fs] ceph: make sure request isnt in any waiting list when kicking request (Ilya Dryomov) [1165232] - [fs] ceph: protect kick_requests() with mdsc->mutex (Ilya Dryomov) [1165232] - [net] ceph: Convert pr_warning to pr_warn (Ilya Dryomov) [1165232] - [fs] ceph: trim unused inodes before reconnecting to recovering MDS (Ilya Dryomov) [1165232] - [net] ceph: fix a use after free issue in osdmap_set_max_osd (Ilya Dryomov) [1165232] - [net] ceph: select CRYPTO_CBC in addition to CRYPTO_AES (Ilya Dryomov) [1165232] - [net] ceph: resend lingering requests with a new tid (Ilya Dryomov) [1165232] - [net] ceph: abstract out ceph_osd_request enqueue logic (Ilya Dryomov) [1165232] - [block] rbd: fix error return code in rbd_dev_device_setup() (Ilya Dryomov) [1165232] - [block] rbd: avoid format-security warning inside alloc_workqueue() (Ilya Dryomov) [1165232] - [kernel] printk/register_console: prevent adding the same console twice (Artem Savkov) [1169766] - [mm] hugetlb: add cond_resched_lock() in, return_unused_surplus_pages() (Motohiro Kosaki) [1142698] - [mm] hugetlb: fix softlockup when a large number of, hugepages are freed (Motohiro Kosaki) [1142698] - [kernel] sched: Use new KABI macros (Don Zickus) [1164383] - [net] Use new KABI macros (Don Zickus) [1164383] - [scsi] Use new KABI macros (Don Zickus) [1164383] - [kernel] Use new KABI macros (Don Zickus) [1164383] - [block] Use new KABI macros (Don Zickus) [1164383] - [block] include: Use new KABI macros (Don Zickus) [1164383] - [misc] Use new KABI macros (Don Zickus) [1164383] - [x86] Use new KABI macros (Don Zickus) [1164383] - [powerpc] Use new KABI macros (Don Zickus) [1164383] [3.10.0-213] - [scsi] ipr: dont log error messages when applications issues illegal requests (Gustavo Duarte) [1163019] - [net] macvlan: Allow setting multicast filter on all macvlan types (Vlad Yasevich) [848197] - [block] genhd: fix leftover might_sleep() in blk_free_devt() (Jeff Moyer) [1167728] - [ethernet] mlx4: Add VXLAN ndo calls to the PF net device ops too (Florian Westphal) [1168212] - [powerpc] xmon: le - Fix endiannes issue in RTAS call from xmon (Steve Best) [1160650] - [mm] thp: close race between split and zap huge pages (Seth Jennings) [1165268] - [mm] thp: close race between mremap() and split_huge_page() (Seth Jennings) [1165268] - [mmc] rtsx: Change default tx phase (Don Zickus) [1106204] - [mfd] rtsx: Copyright modifications (Don Zickus) [1106204] - [mfd] rtsx: Configure to enter a deeper power-saving mode in S3 (Don Zickus) [1106204] - [mfd] rtsx: Move some actions from rtsx_pci_init_hw to individual extra_init_hw (Don Zickus) [1106204] - [mfd] rtsx: Add shutdown callback in rtsx_pci_driver (Don Zickus) [1106204] - [mfd] rtsx: Read vendor setting from config space (Don Zickus) [1106204] - [mfd] rtsx: Add support for RTL8411B (Don Zickus) [1106204] [3.10.0-212] - [fs] fsnotify: next_i is freed during fsnotify_unmount_inodes (Eric Sandeen) [1124997] - [fs] btrfs: fix regression of btrfs device replace (Eric Sandeen) [1162983] - [fs] ext4: dont count external journal blocks as overhead (Eric Sandeen) [1164366] - [fs] Fix oops when creating symlinks on smb3 (Sachin Prabhu) [1161429] [3.10.0-211] - [net] sctp: fix memory leak in auth key management (Daniel Borkmann) [1160928] - [net] sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [1154002] {CVE-2014-7841} - [net] tcp: zero retrans_stamp if all retrans were acked (Marcelo Leitner) [1162193] - [net] netfilter: log: protect nf_log_register against double registering (Marcelo Leitner) [1148041 1155088] - [net] netfilter: ulog: compat with new structure (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: nat expression must select CONFIG_NF_NAT (Marcelo Leitner) [1148041 1155088] - [net] netfilter: add explicit Kconfig for NETFILTER_XT_NAT (Marcelo Leitner) [1148041 1155088] - [net] netfilter: masquerading needs to be independent of x_tables in Kconfig (Marcelo Leitner) [1148041 1155088] - [net] netfilter: NFT_CHAIN_NAT_IPV* is independent of NFT_NAT (Marcelo Leitner) [1148041 1155088] - [net] netfilter: move NAT Kconfig switches out of the iptables scope (Marcelo Leitner) [1148041 1155088] - [net] netfilter: NETFILTER_XT_TARGET_LOG selects NF_LOG_* (Marcelo Leitner) [1148041 1155088] - [net] netfilter: fix several Kconfig problems in NF_LOG_* (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_masq: register/unregister notifiers on module init/exit (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: allow to filter from prerouting and postrouting (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_compat: remove incomplete 32/64 bits arch compat code (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: wait for call_rcu completion on module removal (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_reject: introduce icmp code abstraction for inet and bridge (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: store and dump set policy (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: export rule-set generation ID (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add NFTA_MASQ_UNSPEC to nft_masq_attributes (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add new nft_masq expression (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_nat: include a flag attribute (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: extend NFT_MSG_DELTABLE to support flushing the ruleset (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add helpers to schedule objects deletion (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add devgroup support in meta expresion (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: rename nf_table_delrule_by_chain() (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add helper to unregister chain hooks (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: refactor rule deletion helper (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_chain_nat_ipv6: use generic IPv6 NAT code from core (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nat: move specific NAT IPv6 to core (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_rbtree: no need for spinlock from set destroy path (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_hash: no need for rcu in the hash set destroy path (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_chain_nat_ipv4: use generic IPv4 NAT code from core (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nat: move specific NAT IPv4 to core (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_meta: Add cpu attribute support (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_meta: add pkttype support (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix error return code (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: dont update chain with unset counters (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: uninitialize element key/data from the commit path (Marcelo Leitner) [1148041 1155088] - [net] nftables: Convert nft_hash to use generic rhashtable (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: Avoid duplicate call to nft_data_uninit() for same key (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: check for unset NFTA_SET_ELEM_LIST_ELEMENTS attribute (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: simplify set dump through netlink (Marcelo Leitner) [1148041 1155088] - [net] netfilter: bridge: add reject support (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: 64bit stats need some extra synchronization (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: set NLM_F_DUMP_INTR if netlink dumping is stale (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: safe RCU iteration on list when dumping (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: skip transaction if no update flags in tables (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_log: fix coccinelle warnings (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_log: complete logging support (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_log: request explicit logger when loading rules (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_nat: dont dump port information if unset (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: indicate family when dumping set elements (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_compat: call {target, match}->destroy() to cleanup entry (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix wrong type in transaction when replacing rules (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: decrement chain use counter when replacing rules (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use u32 for chain use counter (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use RCU-safe list insertion when replacing rules (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: atomic allocation in set notifications from rcu callback (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: allow to delete several objects from a batch (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_rbtree: introduce locking (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: release objects in reverse order in the abort path (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix wrong transaction ordering in set elements (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: defer all object release via rcu (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: remove skb and nlh from context structure (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: simplify nf_tables_*_notify (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use new transaction infrastructure to handle elements (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use new transaction infrastructure to handle table (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: pass context to nf_tables_updtable() (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: disabling table hooks always succeeds (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use new transaction infrastructure to handle chain (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: refactor chain statistic routines (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: use new transaction infrastructure to handle sets (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add message type to transactions (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: relocate commit and abort routines in the source file (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: generalise transaction infrastructure (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: deconstify table and chain in context structure (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix trace of matching non-terminal rule (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix missing return trace at the end of non-base chain (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix bogus rulenum after goto action (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix tracing of the goto action (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix goto action (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: reset rule number counter after jump and goto (Marcelo Leitner) [1148041 1155088] - [net] netfilter: add helper for adding nat extension (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: relax string validation of NFTA_CHAIN_TYPE (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: Add meta expression key for bridge interface name (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: Make meta expression core functions public (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: Stack expression type depending on their family (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix nft_cmp_fast failure on big endian for size < 4 (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: handle more than 8 * PAGE_SIZE set name allocations (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: fix wrong format in request_module() (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: set names cannot be larger than 15 bytes (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add set_elem notifications (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_hash: use set global element counter instead of private one (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: implement proper set selection (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_ct: split nft_ct_init() into two functions for get/set (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_meta: split nft_meta_init() into two functions for get/set (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_ct: add missing ifdef for NFT_MARK setting (Marcelo Leitner) [1148041 1155088] - [net] netfilter: Add missing vmalloc.h include to nft_hash.c (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_nat: fix family validation (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_ct: remove family from struct nft_ct (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: restore notifications for anonymous set destruction (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: restore context for expression destructors (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: clean up nf_tables_trans_add() argument order (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_hash: bug fixes and resizing (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add optional user data area to rules (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: accept QUEUE/DROP verdict parameters (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_tables: add nft_dereference() macro (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nft_ct: labels get support (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_nat: add full port randomization support (Marcelo Leitner) [1148041 1155088] - [net] nf_tables: Include appropriate header file in netfilter/nft_lookup.c (Marcelo Leitner) [1148041 1155088] - [net] netfilter: xt_log: add missing string format in nf_log_packet() (Marcelo Leitner) [1148041 1155088] - [net] netfilter: log: nf_log_packet() as real unified interface (Marcelo Leitner) [1148041 1155088] - [net] netfilter: log: split family specific code to nf_log_{ip, ip6, common}.c files (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_log: move log buffering to core logging (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nf_log: use an array of loggers instead of list (Marcelo Leitner) [1148041 1155088] - [net] introduce netdev_alloc_pcpu_stats() for drivers (Marcelo Leitner) [1148041 1155088] - [net] netfilter: nfnetlink: add rcu_dereference_protected() helpers (Marcelo Leitner) [1148041 1155088] - [net] netfilter: ip_set: rename nfnl_dereference()/nfnl_set() (Marcelo Leitner) [1148041 1155088] - [net] netfilter: ipset: remove unused code (Marcelo Leitner) [1148041 1155088] - [net] netfilter: Remove extern from function prototypes (Marcelo Leitner) [1148041 1155088] - [net] netfilter: Remove extern from function prototypes (Marcelo Leitner) [1148041 1155088] - [net] openvswitch: remove dup comment in vport.h (Jiri Benc) [1110384] - [net] openvswitch: restore OVS_FLOW_CMD_NEW notifications (Jiri Benc) [1110384] - [net] openvswitch: Add recirc and hash action (Jiri Benc) [1110384] - [net] openvswitch: simplify sample action implementation (Jiri Benc) [1110384] - [net] openvswitch: Use tun_key only for egress tunnel path (Jiri Benc) [1110384] - [net] openvswitch: refactor ovs flow extract API (Jiri Benc) [1110384] - [net] openvswitch: Remove pkt_key from OVS_CB (Jiri Benc) [1110384] - [net] openvswitch: change the data type of error status to atomic_long_t (Jiri Benc) [1110384] - [net] genetlink: add function genl_has_listeners() (Jiri Benc) [1110384] - [net] vxlan: Call udp_flow_src_port (Jiri Benc) [1110384] - [net] udp: Add function to make source port for UDP tunnels (Jiri Benc) [1110384] - [net] openvswitch: distinguish between the dropped and consumed skb (Jiri Benc) [1110384] - [net] openvswitch: fix a memory leak (Jiri Benc) [1110384] - [net] openvswitch: Fix memory leak in ovs_vport_alloc() error path (Jiri Benc) [1110384] - [net] openvswitch: fix duplicate #include headers (Jiri Benc) [1110384] - [net] openvswitch: Remove unlikely() for WARN_ON() conditions (Jiri Benc) [1110384] - [net] openvswitch: Use IS_ERR_OR_NULL (Jiri Benc) [1110384] - [net] openvswitch: Add skb_clone NULL check for the sampling action (Jiri Benc) [1110384] - [net] openvswitch: Sample action without side effects (Jiri Benc) [1110384] - [net] openvswitch: Avoid memory corruption in queue_userspace_packet() (Jiri Benc) [1110384] - [net] openvswitch: Enable tunnel GSO for OVS bridge (Jiri Benc) [1110384] - [net] openvswitch: Allow each vport to have an array of 'port_id's (Jiri Benc) [1110384] - [net] openvswitch: make generic netlink group const (Jiri Benc) [1110384] - [net] openvswitch: introduce rtnl ops stub (Jiri Benc) [1110384] - [net] openvswitch: Use exact lookup for flow_get and flow_del (Jiri Benc) [1110384] - [net] openvswitch: Fix tracking of flags seen in TCP flows (Jiri Benc) [1110384] - [net] openvswitch: supply a dummy err_handler of gre_cisco_protocol to prevent kernel crash (Jiri Benc) [1110384] - [net] openvswitch: Fix a double free bug for the sample action (Jiri Benc) [1110384] - [net] openvswitch: Simplify genetlink code (Jiri Benc) [1110384] - [net] openvswitch: Minimize ovs_flow_cmd_new (Jiri Benc) [1110384] - [net] openvswitch: Split ovs_flow_cmd_new_or_set() (Jiri Benc) [1110384] - [net] openvswitch: Minimize ovs_flow_cmd_del critical section (Jiri Benc) [1110384] - [net] openvswitch: Reduce locking requirements (Jiri Benc) [1110384] - [net] openvswitch: Fix ovs_flow_stats_get/clear RCU dereference (Jiri Benc) [1110384] - [net] openvswitch: Fix typo (Jiri Benc) [1110384] - [net] openvswitch: Minimize dp and vport critical sections (Jiri Benc) [1110384] - [net] openvswitch: Make flow mask removal symmetric (Jiri Benc) [1110384] - [net] openvswitch: Build flow cmd netlink reply only if needed (Jiri Benc) [1110384] - [net] openvswitch: Clarify locking (Jiri Benc) [1110384] - [net] openvswitch: Avoid assigning a NULL pointer to flow actions (Jiri Benc) [1110384] - [net] openvswitch: Compact sw_flow_key (Jiri Benc) [1110384] - [net] net/openvswitch: Use with RCU_INIT_POINTER(x, NULL) in vport-gre.c (Jiri Benc) [1110384] - [net] openvswitch: Use TCP flags in the flow key for stats (Jiri Benc) [1110384] - [net] openvswitch: Fix output of SCTP mask (Jiri Benc) [1110384] - [net] openvswitch: Per NUMA node flow stats (Jiri Benc) [1110384] - [net] openvswitch: Remove 5-tuple optimization (Jiri Benc) [1110384] - [net] openvswitch: Use ether_addr_copy (Jiri Benc) [1110384] - [net] openvswitch: flow_netlink: Use pr_fmt to OVS_NLERR output (Jiri Benc) [1110384] - [net] openvswitch: Use net_ratelimit in OVS_NLERR (Jiri Benc) [1110384] - [net] openvswitch: Added (unsigned long long) cast in printf (Jiri Benc) [1110384] - [net] openvswitch: avoid cast-qual warning in vport_priv (Jiri Benc) [1110384] - [net] openvswitch: avoid warnings in vport_from_priv (Jiri Benc) [1110384] - [net] openvswitch: use const in some local vars and casts (Jiri Benc) [1110384] - [net] openvswitch: get rid of SET_ETHTOOL_OPS (Jiri Benc) [1110384] - [net] openvswitch: Correctly report flow used times for first 5 minutes after boot (Jiri Benc) [1110384] - [net] openvswitch: Fix race (Jiri Benc) [1110384] - [net] openvswitch: Read tcp flags only then the tranport header is present (Jiri Benc) [1110384] - [net] openvswitch: rename ->sync to ->syncp (Jiri Benc) [1110384] - [net] openvswitch: make functions local (Jiri Benc) [1110384] - [net] Add utility function to copy skb hash (Jiri Benc) [1110384] - [net] Change skb_get_rxhash to skb_get_hash (Jiri Benc) [1110384] - [net] netlink: Re-add locking to netlink_lookup() and seq walker (Jiri Benc) [1140661] - [lib] rhashtable: remove second linux/log2.h inclusion (Jiri Benc) [1140661] - [lib] rhashtable: allow user to set the minimum shifts of shrinking (Jiri Benc) [1140661] - [lib] rhashtable: fix lockdep splat in rhashtable_destroy() (Jiri Benc) [1140661] - [lib] rhashtable: Spelling s/compuate/compute/ (Jiri Benc) [1140661] - [net] netlink: Annotate RCU locking for seq_file walker (Jiri Benc) [1140661] - [net] netlink: hold nl_sock_hash_lock during diag dump (Jiri Benc) [1140661] - [net] netlink: fix lockdep splats (Jiri Benc) [1140661] - [net] netlink: Convert netlink_lookup() to use RCU protected hash table (Jiri Benc) [1140661] - [net] netlink: make compare exist all the time (Jiri Benc) [1140661] - [net] netlink: Add compare function for netlink_table (Jiri Benc) [1140661] - [lib] rhashtable: fix annotations for rht_for_each_entry_rcu() (Jiri Benc) [1140661] - [lib] rhashtable: unexport and make rht_obj() static (Jiri Benc) [1140661] - [lib] rhashtable: RCU annotations for next pointers (Jiri Benc) [1140661] - [lib] rhashtable: Resizable, Scalable, Concurrent Hash Table (Jiri Benc) [1140661] - [mm] add kvfree() (Jiri Benc) [1140661] - [net] netlink: Fix handling of error from netlink_dump() (Jiri Benc) [1140661] - [net] netlink: autosize skb lengthes (Jiri Benc) [1140661] - [net] netlink: Eliminate kmalloc in netlink dump operation (Jiri Benc) [1140661] [3.10.0-210] - [misc] kabi: revert two kabi additions that need updated ppc64 sums (Jarod Wilson) [3.10.0-209] - [fs] xfs: write failure beyond EOF truncates too much data (Brian Foster) [1032968] - [fs] xfs: xfs_vm_write_end truncates too much on failure (Brian Foster) [1032968] - [fs] xfs: use ->invalidatepage() length argument (Brian Foster) [1032968] - [fs] xfs: change invalidatepage prototype to accept length (Brian Foster) [1032968] - [fs] xfs: restore buffer_head unwritten bit on ioend cancel (Brian Foster) [1162953] - [fs] xfs: allow inode allocations in post-growfs disk space (Eric Sandeen) [1115201] - [scsi] pm8001: Update nvmd response data to request buffer (Rich Bono) [1110943] - [scsi] pm8001: fix pm8001_store_update_fw (Rich Bono) [1110943] - [scsi] pm8001: Fix erratic calculation in update_flash (Rich Bono) [1110943] - [scsi] pm8001: Fix invalid return when request_irq() failed (Rich Bono) [1110943] - [scsi] pm8001: fix a memory leak in nvmd_resp (Rich Bono) [1110943] - [scsi] pm8001: fix update_flash (Rich Bono) [1110943] - [scsi] pm8001: fix a memory leak in flash_update (Rich Bono) [1110943] - [scsi] pm8001: Cleaning up uninitialized variables (Rich Bono) [1110943] - [scsi] pm8001: Fix to remove null pointer checks that could never happen (Rich Bono) [1110943] - [scsi] pm8001: more fixes to honor return value (Rich Bono) [1110943] - [scsi] pm8001: add a new spinlock to protect the CCB (Rich Bono) [1110943] - [scsi] pm8001: honor return value (Rich Bono) [1110943] - [scsi] pm8001: clean bitmap management functions (Rich Bono) [1110943] - [scsi] pm8001: Fix hibernation issue (Rich Bono) [1110943] - [scsi] pm8001: Fix potential null pointer dereference and memory leak (Rich Bono) [1110943] - [scsi] pm80xx: Fix missing NULL pointer checks and memory leaks (Rich Bono) [1110943] - [scsi] drivers/scsi/pm8001/pm8001_ctl.c: avoid world-writable sysfs files (Rich Bono) [1110943] - [scsi] pm80xx: fix problem of pm8001_work_fn reseting incorrect phy device (Rich Bono) [1110943] - [scsi] pm80xx: Fix missing NULL pointer checks and memory leaks (Rich Bono) [1110943] - [scsi] pm80xx: Enable BAR shift to avoid BIOS conflict with MPI space for ATTO pm8001 based HBAs (Rich Bono) [1110943] - [scsi] pm80xx: Read saved WWN from NVMD for ATTO pm8001 based HBAs (Rich Bono) [1110943] - [scsi] pm80xx: Fixed return value issue (Rich Bono) [1110943] - [md] dm-thin: fix pool_io_hints to avoid looking at max_hw_sectors (Mike Snitzer) [1156164] - [kernel] audit: keep inode pinned (Paul Moore) [1162261] - [block] nvme: cleanup nvme_split_flush_data() (David Milburn) [1161766] - [scsi] ibmvfc: fix little endian issues (Steve Best) [1159781] - [scsi] ibmvfc: Fix for offlining devices during error recovery (Steve Best) [1159781] [3.10.0-208] - [scsi] cxgb4i: send abort_rpl correctly (Sai Vemuri) [1163467] - [Documentation] cxgbi: add maintainer for cxgb3i/cxgb4i (Sai Vemuri) [1163467] - [ethernet] cxgb4vf: FL Starvation Threshold needs to be larger than the SGEs Egress Congestion Threshold (Sai Vemuri) [1163467] - [ethernet] cxgb4: For T5 use Packing and Padding Boundaries for SGE DMA transfers (Sai Vemuri) [1163467] - [ethernet] cxgb4vf: Move fl_starv_thres into adapter->sge data structure (Sai Vemuri) [1163467] - [ethernet] cxgb4vf: Replace repetitive pci device IDs with right ones (Sai Vemuri) [1163467] - [infinband] cxgb4: Make c4iw_wr_log_size_order static (Sai Vemuri) [1163467] - [infinband] cxgb4: Add missing neigh_release in find_route (Sai Vemuri) [1163467] - [infinband] cxgb4: Fix ntuple calculation for ipv6 and remove duplicate line (Sai Vemuri) [1163467] - [ethernet] cxgb4: Fix FW flash logic using ethtool (Sai Vemuri) [1163467] - [infiniband] cxgb4: Take IPv6 into account for best_mtu and set_emss (Sai Vemuri) [1163467] - [ethernet] cxgb4: Wait for device to get ready before reading any register (Sai Vemuri) [1163467] - [ethernet] cxgb4vf: Add 40G support for cxgb4vf driver (Sai Vemuri) [1163467] - [ethernet] cxgb4: Updated the LSO transfer length in CPL_TX_PKT_LSO for T5 (Sai Vemuri) [1163467] - [ethernet] cxgb4: Add support for adaptive rx (Sai Vemuri) [1163467] - [ethernet] cxgb4: Change default Interrupt Holdoff Packet Count Threshold (Sai Vemuri) [1163467] - [ethernet] cxgb4: Add Devicde ID for two more adapter (Sai Vemuri) [1163467] - [ethernet] cxgb4vf: Remove superfluous 'idx' parameter of CH_DEVICE() macro (Sai Vemuri) [1163467] - [ethernet] cxgb4: Use BAR2 Going To Sleep (GTS) for T5 and later (Sai Vemuri) [1163467] - [scsi] cxgbi: support ipv6 address host_param (Sai Vemuri) [1153834] - [scsi] cxgb4i: Fix -Wmaybe-uninitialized warning (Sai Vemuri) [1153834] - [scsi] cxgb4i: Remove duplicate call to dst_neigh_lookup() (Sai Vemuri) [1153834] - [scsi] cxgb4i: Fix -Wunused-function warning (Sai Vemuri) [1153834] - [ethernet] cxgb4: Fix build failure in cxgb4 when ipv6 is disabled/not in-built (Sai Vemuri) [1153834] - [scsi] cxgb4i: Remove duplicated CLIP handling code (Sai Vemuri) [1153834] - [ethernet] be2net: fix alignment on line wrap (Ivan Vecera) [1165755] - [ethernet] be2net: remove multiple assignments on a single line (Ivan Vecera) [1165755] - [ethernet] be2net: remove space after typecasts (Ivan Vecera) [1165755] - [ethernet] be2net: remove unnecessary blank lines after an open brace (Ivan Vecera) [1165755] - [ethernet] be2net: insert a blank line after function/struct//enum definitions (Ivan Vecera) [1165755] - [ethernet] be2net: remove multiple blank lines (Ivan Vecera) [1165755] - [ethernet] be2net: add blank line after declarations (Ivan Vecera) [1165755] - [ethernet] be2net: remove return statements for void functions (Ivan Vecera) [1165755] - [ethernet] be2net: add speed reporting for 20G-KR interface (Ivan Vecera) [1165755] - [ethernet] be2net: add speed reporting for 40G/KR interface (Ivan Vecera) [1165755] - [ethernet] be2net: fix sparse warnings in be_cmd_req_port_type{} (Ivan Vecera) [1165755] - [ethernet] be2net: fix a sparse warning in be_cmd_modify_eqd() (Ivan Vecera) [1165755] - [ethernet] be2net: enable PCIe error reporting on VFs too (Ivan Vecera) [1165755] - [ethernet] be2net: send a max of 8 EQs to be_cmd_modify_eqd() on Lancer (Ivan Vecera) [1165755] - [ethernet] be2net: fix port-type reporting in get_settings (Ivan Vecera) [1165755] - [ethernet] be2net: add ethtool '-m' option support (Ivan Vecera) [1165755] - [ethernet] be2net: fix RX fragment posting for jumbo frames (Ivan Vecera) [1165755] - [ethernet] be2net: replace strcpy with strlcpy (Ivan Vecera) [1165755] - [ethernet] be2net: fix some log messages (Ivan Vecera) [1165755] - [ethernet] bna: fix skb->truesize underestimation (Ivan Vecera) [1165759] - [ethernet] bna: allow transmit tagged frames (Ivan Vecera) [1165759] - [ethernet] bna: use container_of to resolve bufdesc_ex from bufdesc (Ivan Vecera) [1165759] - [ethernet] r8169: add support for RTL8168EP (Ivan Vecera) [1165764] - [ethernet] r8169: add support for Byte Queue Limits (Ivan Vecera) [1165764] - [ethernet] r8169: call 'rtl8168_driver_start' 'rtl8168_driver_stop' only when hardware dash function is enabled (Ivan Vecera) [1165764] - [ethernet] r8169: modify the behavior of function 'rtl8168_oob_notify' (Ivan Vecera) [1165764] - [ethernet] r8169: change the name of function 'r8168dp_check_dash' to 'r8168_check_dash' (Ivan Vecera) [1165764] - [ethernet] r8169: change the name of function'rtl_w1w0_eri' (Ivan Vecera) [1165764] - [ethernet] r8169: for function 'rtl_w1w0_phy' change its name and behavior (Ivan Vecera) [1165764] - [ethernet] r8169: add more chips to support magic packet v2 (Ivan Vecera) [1165764] - [ethernet] r8169: add support more chips to get mac address from backup mac address register (Ivan Vecera) [1165764] - [ethernet] r8169: add disable/enable RTL8411B pll function (Ivan Vecera) [1165764] - [ethernet] r8169: add disable/enable RTL8168G pll function (Ivan Vecera) [1165764] - [ethernet] r8169: change uppercase number to lowercase number (Ivan Vecera) [1165764] - [ethernet] r8169: fix an if condition (Ivan Vecera) [1165764] - [ethernet] r8169: adjust __rtl8169_set_features (Ivan Vecera) [1165764] - [ethernet] r8169: fix setting rx vlan (Ivan Vecera) [1165764] - [ethernet] r8169: fix the default setting of rx vlan (Ivan Vecera) [1165764] [3.10.0-207] - [powerpc] use device_online/offline() instead of cpu_up/down() (Gustavo Duarte) [1157737] - [ethernet] i40e: disable FCoE (Stefan Assmann) [1165175] - [cpufreq] intel_pstate: Add CPUID for BDW-H CPU (Steve Best) [1164379] - [mm] do not overwrite reserved pages counter at show_mem() (Rafael Aquini) [1125433] - [alsa] Revert: Kconfig: rename HAS_IOPORT to HAS_IOPORT_MAP (Jarod Wilson) [1112200] - [ethernet] enic: Do not call napi_disable when preemption is disabled (Stefan Assmann) [1145019] - [ethernet] enic: fix possible deadlock in enic_stop/ enic_rfs_flw_tbl_free (Stefan Assmann) [1145019] - [x86] uv_bau: Avoid NULL pointer reference in ptc_seq_show (Frank Ramsay) [1161183] - [x86] uv_bau: Increase maximum CPUs per socket/hub (Frank Ramsay) [1161183] - [mm] vmscan: do not throttle based on pfmemalloc reserves if node has no ZONE_NORMAL (Gustavo Duarte) [1148925] - [char] hwrng/pseries: port to new read API and fix stack corruption (Gustavo Duarte) [1163659] - [md] Revert: dm-cache: add call to mark_tech_preview (Mike Snitzer) [1159001] - [md] dm-cache: emit a warning message if there are a lot of cache blocks (Mike Snitzer) [1159001] - [md] dm-cache: improve discard support (Mike Snitzer) [1159001] - [md] dm-cache: revert 'prevent corruption caused by discard_block_size > cache_block_size' (Mike Snitzer) [1159001] - [md] dm-cache: revert 'remove remainder of distinct discard block size' (Mike Snitzer) [1159001] - [md] dm-bio-prison: introduce support for locking ranges of blocks (Mike Snitzer) [1159001] - [md] dm-btree: fix a recursion depth bug in btree walking code (Mike Snitzer) [1080894] - [md] dm-cache-policy-mq: simplify ability to promote sequential IO to the cache (Mike Snitzer) [1159001] - [md] dm-cache-policy-mq: tweak algorithm that decides when to promote a block (Mike Snitzer) [1159001] - [security] selinux: fix inode security list corruption (Paul Moore) [1152274] [3.10.0-206] - [x86] quirks: Print the Intel graphics stolen memory range (Rob Clark) [1154053] - [x86] quirks: Add Intel graphics stolen memory quirk for gen2 platforms (Rob Clark) [1154053] - [x86] quirks: Add vfunc for Intel graphics stolen memory base address (Rob Clark) [1154053] - [x86] quirks: use gen6 stolen detection for VLV (Rob Clark) [1154053] - [x86] quirks: support GMS and GGMS changes on i915/bdw (Rob Clark) [1154053] - [x86] quirks: add early quirk for reserving Intel graphics stolen memory v5 (Rob Clark) [1154053] - [net] vmxnet3: fix netpoll race condition (Neil Horman) [1158001] - [virt] virtio_balloon: update_balloon_size() - update correct field (Luiz Capitulino) [1163567] - [firmware] memmap: dont create memmap sysfs of same firmware_map_entry (Takahiro MUNEDA) [1160173] - [mm] memory-hotplug: clear pgdat which is allocated by bootmem in try_offline_node() (Larry Woodman) [1156393] - [kernel] add panic_on_warn (Prarit Bhargava) [1163852] - [virt] hyperv: Fix the total_data_buflen in send path (Jason Wang) [1156305] - [virt] hyperv: Add handling of IP header with option field in netvsc_set_hash() (Jason Wang) [1156305] - [virt] hyperv: Fix a bug in netvsc_start_xmit() (Jason Wang) [1156305] - [virt] hyperv: Fix a bug in netvsc_send() (Jason Wang) [1156305] - [powerpc] kexec: adjust crashkernel reservation for 2GB-4GB systems (Gustavo Duarte) [1074924] - [virt] kvm/ioapic: conditionally delay irq delivery duringeoi broadcast (John Snow) [921526] - [fs] file_table: get rid of s_files and files_lock (Gustavo Duarte) [1112805] - [fs] super: uninline destroy_super(), consolidate alloc_super() (Gustavo Duarte) [1112805] - [ethernet] mlx4: Advertize encapsulation offloads features only when VXLAN tunnel is set (Florian Westphal) [1097478] - [ethernet] mlx4: Avoid leaking steering rules on flow creation error flow (Florian Westphal) [1097478] - [ethernet] mlx4: Dont attempt to TX offload the outer UDP checksum for VXLAN (Florian Westphal) [1097478] - [scsi] bnx2fc: fix tgt spinlock locking (Maurizio Lombardi) [1165169] - [scsi] TUR path is down after adapter gets reset with multipath (Ewan Milne) [1153738] - [scsi] call device handler for failed TUR command (Ewan Milne) [1153738] [3.10.0-205] - [mm] shmem: fix splicing from a hole while its punched (Denys Vlasenko) [1118245] {CVE-2014-4171} - [mm] shmem: fix faulting into a hole, not taking i_mutex (Denys Vlasenko) [1118245] {CVE-2014-4171} - [mm] shmem: fix faulting into a hole while its punched (Denys Vlasenko) [1118245] {CVE-2014-4171} - [virt] kvm: detect LVTT changes under APICv (Radim Krcmar) [1151174] - [virt] kvm: detect SPIV changes under APICv (Radim Krcmar) [1151174] - [virt] kvm: recalculate_apic_map after enabling apic (Radim Krcmar) [1151174] - [virt] kvm: trace kvm_ple_window grow/shrink (Radim Krcmar) [1163296] - [virt] kvm/vmx: dynamise PLE window (Radim Krcmar) [1163296] - [virt] kvm/vmx: make PLE window per-VCPU (Radim Krcmar) [1163296] - [virt] kvm: introduce sched_in to kvm_x86_ops (Radim Krcmar) [1163296] - [virt] kvm: add kvm_arch_sched_in (Radim Krcmar) [1163296] - [kernel] uprobes: Dont assume that arch_uprobe->insn/ixol is u8[MAX_UINSN_BYTES] (Steve Best) [1159365] - [drm] qxl: dont create too large primary surface (Dave Airlie) [1158233] - [powerpc] pseries: Quieten ibm, pcie-link-speed-stats warning (Steve Best) [1162287] - [md] dm-thin: fix potential for infinite loop in pool_io_hints (Mike Snitzer) [1156164] - [virt] hyperv/vmbus: Increase the limit on the number of pfns we can handle (Jason Wang) [1160130] - [virt] kvm: update masterclock values on TSC writes (Marcelo Tosatti) [1158039] - [virt] kvm: emulate MOVNTDQ (Paolo Bonzini) [1117542] - [crypto] af_alg: properly label AF_ALG socket (Ondrej Kozina) [1161148] - [powerpc] vphn: NUMA node code expects big-endian (Steve Best) [1154673] [3.10.0-204] - [net] ip6_gre: Return an error when adding an existing tunnel (Alexander Duyck) [1151886 1152368] - [net] ip6_tunnel: Return an error when adding an existing tunnel (Alexander Duyck) [1151886 1152368] - [net] ip_tunnel: Dont allow to add the same tunnel multiple times (Alexander Duyck) [1151886 1152368] - [net] gre: Use inner mac length when computing tunnel length (Alexander Duyck) [1151886 1152368] - [net] gre: enable offloads for GRE (Alexander Duyck) [1151886 1152368] - [net] ipv4: fix a potential use after free in gre_offload.c (Alexander Duyck) [1151886 1152368] - [net] ipv4: fix a potential use after free in ip_tunnel_core.c (Alexander Duyck) [1151886 1152368] - [net] gro: fix aggregation for skb using frag_list (Alexander Duyck) [1154239] - [net] gro: make sure skb->cb[] initial content has not to be zero (Alexander Duyck) [1154239] - [net] bridge: notify user space after fdb update (Alexander Duyck) [1109605] - [net] bridge: Fix the way to find old local fdb entries in br_fdb_changeaddr (Alexander Duyck) [1109605] - [net] handle encapsulation offloads when computing segment lengths (Jiri Benc) [1144571] - [net] gso: make skb_gso_segment error handling more robust (Jiri Benc) [1144571] - [net] gso: use feature flag argument in all protocol gso handlers (Jiri Benc) [1144571] - [net] udp_offload: Use IS_ERR_OR_NULL (Jiri Benc) [1144571] - [net] ipv4: Use IS_ERR_OR_NULL (Jiri Benc) [1144571] [3.10.0-203] - [fs] GFS2: If we use up our block reservation, request more next time (Robert S Peterson) [1142238] - [fs] GFS2: Only increase rs_sizehint (Robert S Peterson) [1142238] - [fs] GFS2: Set of distributed preferences for rgrps (Robert S Peterson) [1142238] - [fs] autofs: fix symlinks arent checked for expiry (Ian Kent) [1116182] - [fs] GFS2: fix regression in dir_double_exhash (Robert S Peterson) [1160229] - [fs] gfs2_atomic_open(): skip lookups on hashed dentry (Robert S Peterson) [1158150] - [fs] splice: perform generic write checks (Eric Sandeen) [1155907] - [fs] fs: seq_file: fallback to vmalloc allocation (Ian Kent) [1095623] - [fs] fs: /proc/stat: convert to single_open_size() (Ian Kent) [1095623] - [fs] fs: seq_file: always clear m->count when we free m->buf (Ian Kent) [1095623] [3.10.0-202] - [ethernet] mlx4: Use PTYS register to set ethtool settings (Speed) (Amir Vadai) [1060221] - [ethernet] mlx4: Use PTYS register to query ethtool settings (Amir Vadai) [1060221] - [ethernet] mlx4: use SPEED_UNKNOWN and DUPLEX_UNKNOWN when appropriate (Amir Vadai) [1060221] - [ethernet] mlx4: Add 100M, 20G, 56G speeds ethtool reporting support (Amir Vadai) [1060221] - [ethernet] mlx4: Add ethernet backplane autoneg device capability (Amir Vadai) [1060221] - [ethernet] mlx4: Introduce ACCESS_REG CMD and eth_prot_ctrl dev cap (Amir Vadai) [1060221] - [ethernet] mlx4: Cable info, get_module_info/eeprom ethtool support (Amir Vadai) [1060221] - [ethernet] mlx4: Introduce mlx4_get_module_info for cable module info reading (Amir Vadai) [1060221] - [ethernet] mlx4: Enable CQE/EQE stride support (Amir Vadai) [1060221] - [virt] kvm/vmx: defer load of APIC access page address during reset (Paolo Bonzini) [1140974] - [virt] kvm: do not handle APIC access page if in-kernel irqchip is not in use (Paolo Bonzini) [1140974] - [virt] kvm: Unpin and remove kvm_arch->apic_access_page (Paolo Bonzini) [1140974] - [virt] kvm/vmx: Implement set_apic_access_page_addr (Paolo Bonzini) [1140974] - [virt] kvm: Add request bit to reload APIC access page address (Paolo Bonzini) [1140974] - [virt] kvm: Add arch specific mmu notifier for page invalidation (Paolo Bonzini) [1140974] - [virt] kvm: Rename make_all_cpus_request() to kvm_make_all_cpus_request() and make it non-static (Paolo Bonzini) [1140974] - [virt] kvm: Remove ept_identity_pagetable from struct kvm_arch (Paolo Bonzini) [1140974] - [virt] kvm: Use APIC_DEFAULT_PHYS_BASE macro as the apic access page address (Paolo Bonzini) [1140974] - [drm] vmwgfx: respect 'nomodeset' (Rob Clark) [1101381] - [s390] qeth: dont query for info if hardware not ready (Hendrik Brueckner) [1147573] - [block] Fix dev_t minor allocation lifetime (Jeff Moyer) [1139898] - [md] dm-crypt: fix access beyond the end of allocated space (Mike Snitzer) [1135066] - [fs] isofs: unbound recursion when processing relocated directories (Jacob Tanenbaum) [1142271] {CVE-2014-5471 CVE-2014-5472} - [ethernet] be2net: use v1 of SET_FLOW_CONTROL command (Ivan Vecera) [1087128] - [acpi] return 1 after successfully install cmos_rtc space handler (Amos Kong) [1159465] - [x86] hyperv: Bypass the timer_irq_works() check (Jason Wang) [1058105] - [mm] hugetlb: initialize PG_reserved for tail pages of gigantic compound pages (Luiz Capitulino) [1158506] - [kernel] cpuset: PF_SPREAD_PAGE and PF_SPREAD_SLAB should be atomic flags (Aaron Tomlin) [1160360] - [infiniband] qib: Correct reference counting in debugfs qp_stats (Rui Wang) [1150001] - [x86] uv: Check for alloc_cpumask_var() failures properly in uv_nmi_setup() (George Beshers) [1155754] - [powerpc] fadump: Fix endianess issues in firmware assisted dump handling (Steve Best) [1159773] [3.10.0-201] - [scsi] ipr: wait for aborted command responses (Gustavo Duarte) [1156530] - [ethernet] mlx4: Protect port type setting by mutex (Amir Vadai) [1095345] - [acpi] pm: Only set power states of devices that are power manageable (Amos Kong) [1142683] - [x86] setup: Mark Intel Haswell ULT as supported (Prarit Bhargava) [1159006] - [kernel] sched: Fix unreleased llc_shared_mask bit during CPU hotplug (Takahiro MUNEDA) [1116294] - [mm] do not walk all of system memory during show_mem (Johannes Weiner) [1125433] - [mm] remove noisy remainder of the scan_unevictable interface (Johannes Weiner) [1111215] - [pci] Rename sysfs 'enabled' file back to 'enable' (Myron Stowe) [1159655] - [kernel] sched/fair: Care divide error in update_task_scan_period() (Motohiro Kosaki) [1140979] - [powerpc] numa: ensure per-cpu NUMA mappings are correct on topology update (Gustavo Duarte) [1150097] - [powerpc] numa: use cached value of update->cpu in update_cpu_topology (Gustavo Duarte) [1150097] - [powerpc] numa: Add ability to disable and debug topology updates (Gustavo Duarte) [1150097] - [powerpc] numa: check error return from proc_create (Gustavo Duarte) [1150097] - [powerpc] some changes in numa_setup_cpu() (Gustavo Duarte) [1150097] - [powerpc] Only set numa node information for present cpus at boottime (Gustavo Duarte) [1150097] - [powerpc] Fix warning reported by verify_cpu_node_mapping() (Gustavo Duarte) [1150097] - [powerpc] reorder per-cpu NUMA informations initialization (Gustavo Duarte) [1150097] - [powerpc] pseries: Make CPU hotplug path endian safe (Steve Best) [1159579] - [powerpc] pseries: Fix endian issues in cpu hot-removal (Steve Best) [1159579] - [powerpc] pseries: Fix endian issues in onlining cpu threads (Steve Best) [1159579] - [x86] smpboot: Fix up typo in topology detection (Prarit Bhargava) [1156655] - [x86] smpboot: Add new topology for multi-NUMA-node CPUs (Prarit Bhargava) [1158269] - [kernel] sched: Rework sched_domain topology definition (Prarit Bhargava) [1158269] - [usb] hub: take hub->hdev reference when processing from eventlist (Don Zickus) [1151508] - [usb] ehci: unlink QHs even after the controller has stopped (Don Zickus) [1151491] - [tools] testing/selftests/powerpc: Correct DSCR during TM context switch (Gustavo Duarte) [1134511] - [tools] testing/selftests: Add infrastructure for powerpc selftests (Gustavo Duarte) [1134511] - [scsi] ibmvscsi: Abort init sequence during error recovery (Gustavo Duarte) [1105496] - [scsi] ibmvscsi: Add memory barriers for send / receive (Gustavo Duarte) [1105496] - [x86] fpu: __restore_xstate_sig()->math_state_restore() needs preempt_disable() (Oleg Nesterov) [1121784] - [x86] fpu: shift drop_init_fpu() from save_xstate_sig() to handle_signal() (Oleg Nesterov) [1121784] [3.10.0-200] - [fs] ext4: fix wrong assert in ext4_mb_normalize_request() (Lukas Czerner) [1146046] - [mm] Remove false WARN_ON from pagecache_isize_extended() (Lukas Czerner) [1156096] - [fs] ext4: check s_chksum_driver when looking for bg csum presence (Lukas Czerner) [1156096] - [fs] ext4: move error report out of atomic context in ext4_init_block_bitmap() (Lukas Czerner) [1156096] - [fs] ext4: Replace open coded mdata csum feature to helper function (Lukas Czerner) [1156096] - [fs] ext4: fix reservation overflow in ext4_da_write_begin (Lukas Czerner) [1156096] - [fs] ext4: add ext4_iget_normal() which is to be used for dir tree lookups (Lukas Czerner) [1156096] - [fs] ext4: dont orphan or truncate the boot loader inode (Lukas Czerner) [1156096] - [fs] ext4: grab missed write_count for EXT4_IOC_SWAP_BOOT (Lukas Czerner) [1156096] - [fs] ext4: get rid of code duplication (Lukas Czerner) [1156096] - [fs] ext4: fix over-defensive complaint after journal abort (Lukas Czerner) [1156096] - [fs] ext4: fix return value of ext4_do_update_inode (Lukas Czerner) [1156096] - [fs] ext4: fix mmap data corruption when blocksize < pagesize (Lukas Czerner) [1156096] - [fs] vfs: fix data corruption when blocksize < pagesize for mmaped data (Lukas Czerner) [1156096] - [fs] ext4: dont check quota format when there are no quota files (Lukas Czerner) [1156096] - [fs] jbd2: avoid pointless scanning of checkpoint lists (Lukas Czerner) [1156096] - [fs] ext4: explicitly inform user about orphan list cleanup (Lukas Czerner) [1156096] - [fs] jbd2: jbd2_log_wait_for_space improve error detetcion (Lukas Czerner) [1156096] - [fs] jbd2: free bh when descriptor block checksum fails (Lukas Czerner) [1156096] - [fs] ext4: check EA value offset when loading (Lukas Czerner) [1156096] - [fs] ext4: dont keep using page if inline conversion fails (Lukas Czerner) [1156096] - [fs] ext4: validate external journal superblock checksum (Lukas Czerner) [1156096] - [fs] jbd2: fix journal checksum feature flag handling (Lukas Czerner) [1156096] - [fs] ext4: provide separate operations for sysfs feature files (Lukas Czerner) [1156096] - [fs] ext4: add sysfs entry showing whether the fs contains errors (Lukas Czerner) [1156096] - [fs] ext4: renumber EXT4_EX_* flags to avoid flag aliasing problems (Lukas Czerner) [1156096] - [fs] ext4: fix comments about get_blocks (Lukas Czerner) [1156096] - [fs] ext4: fix accidental flag aliasing in ext4_map_blocks flags (Lukas Czerner) [1156096] - [fs] ext4: fix ZERO_RANGE bug hidden by flag aliasing (Lukas Czerner) [1156096] - [fs] ext4: use ext4_update_i_disksize instead of opencoded ones (Lukas Czerner) [1156096] - [fs] ext4: remove a duplicate call in ext4_init_new_dir() (Lukas Czerner) [1156096] - [fs] ext4: add missing BUFFER_TRACE before ext4_journal_get_write_access (Lukas Czerner) [1156096] - [fs] ext4: check inline directory before converting (Lukas Czerner) [1156096] - [fs] ext4: fix incorrect locking in move_extent_per_page (Lukas Czerner) [1156096] - [fs] ext4: use correct depth value (Lukas Czerner) [1156096] - [fs] ext4: add i_data_sem sanity check (Lukas Czerner) [1156096] - [fs] ext4: fix wrong size computation in ext4_mb_normalize_request() (Lukas Czerner) [1156096] - [fs] ext4: make ext4_has_inline_data() as a inline function (Lukas Czerner) [1156096] - [fs] ext4: remove readpage() check in ext4_mmap_file() (Lukas Czerner) [1156096] - [fs] ext4: remove metadata reservation checks (Lukas Czerner) [1156096] - [fs] ext4: rearrange initialization to fix EXT4FS_DEBUG (Lukas Czerner) [1156096] - [fs] ext4: fix potential null pointer dereference in ext4_free_inode (Lukas Czerner) [1156096] - [fs] ext4: decrement free clusters/inodes counters when block group declared bad (Lukas Czerner) [1156096] - [fs] ext4: handle symlink properly with inline_data (Lukas Czerner) [1156096] - [fs] ext4: reduce contention on s_orphan_lock (Lukas Czerner) [1156096] - [fs] ext4: use sbi in ext4_orphan_[add|del]() (Lukas Czerner) [1156096] - [fs] ext4: remove unnecessary double parentheses (Lukas Czerner) [1156096] - [fs] ext4: do not destroy ext4_groupinfo_caches if ext4_mb_init() fails (Lukas Czerner) [1156096] - [fs] ext4: make local functions static (Lukas Czerner) [1156096] - [fs] ext4: fix block bitmap validation when bigalloc, ^flex_bg (Lukas Czerner) [1156096] - [fs] ext4: fix block bitmap initialization under sparse_super2 (Lukas Czerner) [1156096] - [fs] ext4: find the group descriptors on a 1k-block bigalloc, meta_bg filesystem (Lukas Czerner) [1156096] - [fs] ext4: avoid unneeded lookup when xattr name is invalid (Lukas Czerner) [1156096] - [fs] ext4: remove obsoleted check (Lukas Czerner) [1156096] - [fs] ext4: add a new spinlock i_raw_lock to protect the ext4s raw inode (Lukas Czerner) [1156096] - [fs] ext4: revert Disable punch hole on non-extent mapped files (Lukas Czerner) [1150178] - [fs] ext4: fix transaction issues for ext4_fallocate and ext_zero_range (Lukas Czerner) [1150171] - [fs] ext4: move i_size, i_disksize update routines to helper function (Lukas Czerner) [1150171] - [fs] ext4: fix incorect journal credits reservation in ext4_zero_range (Lukas Czerner) [1150171] - [fs] ext4: fix COLLAPSE RANGE test for bigalloc file systems (Lukas Czerner) [1150171] - [fs] ext4: fix punch hole on files with indirect mapping (Lukas Czerner) [1150171] - [fs] ext4: Fix block zeroing when punching holes in indirect block files (Lukas Czerner) [1150171] - [fs] ext4: fix ZERO_RANGE test failure in data journalling (Lukas Czerner) [1150171] - [fs] ext4: use EXT_MAX_BLOCKS in ext4_es_can_be_merged() (Lukas Czerner) [1150171] - [fs] ext4: rename uninitialized extents to unwritten (Lukas Czerner) [1150171] - [fs] ext4: disable COLLAPSE_RANGE for bigalloc (Lukas Czerner) [1150171] - [fs] ext4: fix COLLAPSE_RANGE failure with 1KB block size (Lukas Czerner) [1150171] - [fs] ext4: use EINVAL if not a regular file in ext4_collapse_range() (Lukas Czerner) [1150171] - [fs] ext4: enforce we are operating on a regular file in ext4_zero_range() (Lukas Czerner) [1150171] - [fs] ext4: fix extent merging in ext4_ext_shift_path_extents() (Lukas Czerner) [1150171] - [fs] ext4: discard preallocations after removing space (Lukas Czerner) [1150171] - [fs] ext4: no need to truncate pagecache twice in collapse range (Lukas Czerner) [1150171] - [fs] ext4: fix removing status extents in ext4_collapse_range() (Lukas Czerner) [1150171] - [fs] ext4: use filemap_write_and_wait_range() correctly in collapse range (Lukas Czerner) [1150171] - [fs] ext4: use truncate_pagecache() in collapse range (Lukas Czerner) [1150171] - [fs] ext4: always check ext4_ext_find_extent result (Lukas Czerner) [1150171] - [fs] ext4: COLLAPSE_RANGE only works on extent-based files (Lukas Czerner) [1150171] - [fs] ext4: fix byte order problems introduced by the COLLAPSE_RANGE patches (Lukas Czerner) [1150171] - [fs] ext4: disallow all fallocate operation on active swapfile (Lukas Czerner) [1150171] - [fs] ext4: move falloc collapse range check into the filesystem methods (Lukas Czerner) [1150171] - [fs] ext4: fix COLLAPSE_RANGE test failure in data journalling mode (Lukas Czerner) [1150171] - [fs] ext4: remove unneeded test of ret variable (Lukas Czerner) [1150171] - [fs] ext4: Introduce FALLOC_FL_ZERO_RANGE flag for fallocate (Lukas Czerner) [1150171] - [fs] ext4: Introduce FALLOC_FL_ZERO_RANGE flag for fallocate (Lukas Czerner) [1150171] - [fs] ext4: refactor ext4_fallocate code (Lukas Czerner) [1150171] - [fs] ext4: Update inode i_size after the preallocation (Lukas Czerner) [1150171] - [fs] ext4: Add new flag(FALLOC_FL_COLLAPSE_RANGE) for fallocate (Lukas Czerner) [1150171] - [fs] ext4: Add support FALLOC_FL_COLLAPSE_RANGE for fallocate (Lukas Czerner) [1150171] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3690 CVE-2014-3940 CVE-2014-7825 CVE-2014-7826 CVE-2014-8086 CVE-2014-8160 CVE-2014-8172 CVE-2014-8173 CVE-2014-8709 CVE-2014-8884 CVE-2015-0274 Oracle Linux 7 [1.3.10-5.7] - Fix: 'Argument list too long' when using virt-v2v on Windows guest with French copy of Citrix installed related: rhbz#1145056 [1.3.10-5.6] - Fix: typo in man page resolves: rhbz#1099286 [1.3.10-5.4] - Fix: hivex missing checks for small/truncated files resolves: rhbz#1158992 [1.3.10-5.3] - Fix: hivexml generates 'Argument list too long' error. resolves: rhbz#1145056 [1.3.10-5.2] - Resolves: rhbz#1125544 [1.3.10-5.1] - Rebase to hivex 1.3.10. resolves: rhbz#1023978 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9273 Oracle Linux 7 [1.2.8-16.0.1] - Replace docs/et.png in tarball with blank image [1.2.8-16] - qemu: don't setup cpuset.mems if memory mode in numatune is not 'strict' (rhbz#1186094) - lxc: don't setup cpuset.mems if memory mode in numatune is not 'strict' (rhbz#1186094) [1.2.8-15] - qemu: Add missing goto error in qemuRestoreCgroupState (rhbz#1161540) [1.2.8-14] - virNetworkDefUpdateIPDHCPHost: Don't crash when updating network (rhbz#1182486) - Format CPU features even for host-model (rhbz#1182448) - util: Add function virCgroupHasEmptyTasks (rhbz#1161540) - util: Add virNumaGetHostNodeset (rhbz#1161540) - qemu: Remove unnecessary qemuSetupCgroupPostInit function (rhbz#1161540) - qemu: Save numad advice into qemuDomainObjPrivate (rhbz#1161540) - qemu: Leave cpuset.mems in parent cgroup alone (rhbz#1161540) - qemu: Fix hotplugging cpus with strict memory pinning (rhbz#1161540) - util: Fix possible NULL dereference (rhbz#1161540) - qemu_driver: fix setting vcpus for offline domain (rhbz#1161540) - qemu: migration: Unlock vm on failed ACL check in protocol v2 APIs (CVE-2014-8136) - CVE-2015-0236: qemu: Check ACLs when dumping security info from save image (CVE-2015-0236) - CVE-2015-0236: qemu: Check ACLs when dumping security info from snapshots (CVE-2015-0236) - Check for domain liveness in qemuDomainObjExitMonitor (rhbz#1161024) - Mark the domain as active in qemuhotplugtest (rhbz#1161024) - Fix vmdef usage while in monitor in qemuDomainHotplugVcpus (rhbz#1161024) - Fix vmdef usage while in monitor in BlockStat* APIs (rhbz#1161024) - Fix vmdef usage while in monitor in qemu process (rhbz#1161024) - Fix vmdef usage after domain crash in monitor on device detach (rhbz#1161024) - Fix vmdef usage after domain crash in monitor on device attach (rhbz#1161024) [1.2.8-13] - conf: Fix memory leak when parsing invalid network XML (rhbz#1180136) - qxl: change the default value for vgamem_mb to 16 MiB (rhbz#1181052) - qemuxml2argvtest: Fix test after change of qxl vgamem_mb default (rhbz#1181052) - conf: fix crash when hotplug a channel chr device with no target (rhbz#1181408) - qemu: forbid second blockcommit during active commit (rhbz#1135339) - qemu_monitor: introduce new function to get QOM path (rhbz#1180574) - qemu_process: detect updated video ram size values from QEMU (rhbz#1180574) [1.2.8-12] - Fix hotplugging of block device-backed usb disks (rhbz#1175668) - qemu: Create memory-backend-{ram, file} iff needed (rhbz#1175397) - conf: Don't format actual network definition in migratable XML (rhbz#1177194) [1.2.8-11] - virsh: vol-upload disallow negative offset (rhbz#1087104) - storage: fix crash caused by no check return before set close (rhbz#1087104) - qemu: Fix virsh freeze when blockcopy storage file is removed (rhbz#1139567) - security: Manage SELinux labels on shared/readonly hostdev's (rhbz#1082521) - nwfilter: fix crash when adding non-existing nwfilter (rhbz#1169409) - conf: Fix libvirtd crash matching hostdev XML (rhbz#1174053) - qemu: Resolve Coverity REVERSE_INULL (rhbz#1172570) - CVE-2014-8131: Fix possible deadlock and segfault in qemuConnectGetAllDomainStats() (CVE-2014-8131) - qemu: bulk stats: Fix logic in monitor handling (rhbz#1172570) - qemu: avoid rare race when undefining domain (rhbz#1150505) - Do not format CPU features without a model (rhbz#1151885) - Ignore CPU features without a model for host-passthrough (rhbz#1151885) - Silently ignore MAC in NetworkLoadConfig (rhbz#1156367) - Generate a MAC when loading a config instead of package update (rhbz#1156367) - qemu: move setting emulatorpin ahead of monitor showing up (rhbz#1170484) - util: Introduce flags field for macvtap creation (rhbz#1081461) - network: Bring netdevs online later (rhbz#1081461) - qemu: always call qemuInterfaceStartDevices() when starting CPUs (rhbz#1081461) - qemu: add a qemuInterfaceStopDevices(), called when guest CPUs stop (rhbz#1081461) - conf: replace call to virNetworkFree() with virObjectUnref() (rhbz#1099210) - util: new functions for setting bridge and bridge port attributes (rhbz#1099210) - util: functions to manage bridge fdb (forwarding database) (rhbz#1099210) - conf: new network bridge device attribute macTableManager (rhbz#1099210) - network: save bridge name in ActualNetDef when actualType==network too (rhbz#1099210) - network: store network macTableManager setting in NetDef actual object (rhbz#1099210) - network: setup bridge devices for macTableManager='libvirt' (rhbz#1099210) - qemu: setup tap devices for macTableManager='libvirt' (rhbz#1099210) - qemu: add/remove bridge fdb entries as guest CPUs are started/stopped (rhbz#1099210) - virsh: document block.n.allocation stat (rhbz#1041569) - getstats: avoid memory leak on OOM (rhbz#1041569) - getstats: improve documentation (rhbz#1041569) - getstats: start giving offline block stats (rhbz#1041569) - getstats: add block.n.path stat (rhbz#1041569) - qemuMonitorJSONBlockStatsUpdateCapacity: Don't skip disks (rhbz#1041569) - getstats: prepare monitor collection for recursion (rhbz#1041569) - getstats: perform recursion in monitor collection (rhbz#1041569) - getstats: prepare for dynamic block.count stat (rhbz#1041569) - getstats: add new flag for block backing chain (rhbz#1041569) - getstats: split block stats reporting for easier recursion (rhbz#1041569) - getstats: crawl backing chain for qemu (rhbz#1041569) - logical: Add '--type snapshot' to lvcreate command (rhbz#1166592) [1.2.8-10] - qemu: add the missing jobinfo type in qemuDomainGetJobInfo (rhbz#1167883) - network: Fix upgrade from libvirt older than 1.2.4 (rhbz#1167145) - qemu: fix domain startup failing with 'strict' mode in numatune (rhbz#1168866) - qemu: Don't track quiesced state of FSs (rhbz#1160084) - qemu: fix block{commit,copy} abort handling (rhbz#1135169) [1.2.8-9] - doc: fix mismatched ACL attribute name (rhbz#1161358) - qemu: monitor: Rename and improve qemuMonitorGetPtyPaths (rhbz#1146944) - conf: Add channel state for virtio channels to the XML (rhbz#1146944) - qemu: Add handling for VSERPORT_CHANGE event (rhbz#1146944) - qemu: chardev: Extract more information about character devices (rhbz#1146944) - qemu: process: Refresh virtio channel guest state when connecting to mon (rhbz#1146944) - event: Add guest agent lifecycle event (rhbz#1146944) - examples: Add support for the guest agent lifecycle event (rhbz#1146944) - qemu: Emit the guest agent lifecycle event (rhbz#1146944) - internal: add macro to round value to the next closest power of 2 (rhbz#1076098) - video: cleanup usage of vram attribute and update documentation (rhbz#1076098) - QXL: fix setting ram and vram values for QEMU QXL device (rhbz#1076098) - caps: introduce new QEMU capability for vgamem_mb device property (rhbz#1076098) - qemu-command: use vram attribute for all video devices (rhbz#1076098) - qemu-command: introduce new vgamem attribute for QXL video device (rhbz#1076098) [1.2.8-8] - qemu: Fix crash in tunnelled migration (rhbz#1147331) - qemu: Really fix crash in tunnelled migration (rhbz#1147331) - qemu: Update fsfreeze status on domain state transitions (rhbz#1160084) - qemuPrepareNVRAM: Save domain conf only if domain's persistent (rhbz#1026772) - docs: Document NVRAM behavior on transient domains (rhbz#1026772) - Fix build in qemu_capabilities (rhbz#1165782) - qemu: Support OVMF on armv7l aarch64 guests (rhbz#1165782) - qemu: Drop OVMF whitelist (rhbz#1165782) - storage: Fix issue finding LU's when block doesn't exist (rhbz#1152382) - storage: Add thread to refresh for createVport (rhbz#1152382) - storage: qemu: Fix security labelling of new image chain elements (rhbz#1151718) - virsh: sync domdisplay help and manual (rhbz#997802) - docs: domain: Move docs for storage hosts under the <source> element (rhbz#1164528) - test: virstoragetest: Add testing of network disk details (rhbz#1164528) - util: storage: Copy hosts of a storage file only if they exist (rhbz#1164528) - qemu: Refactor qemuBuildNetworkDriveURI to take a virStorageSourcePtr (rhbz#1164528) - tests: Reflow the expected output from RBD disk test (rhbz#1164528) - util: split out qemuParseRBDString into a common helper (rhbz#1164528) - util: storagefile: Split out parsing of NBD string into a separate func (rhbz#1164528) - storage: Allow parsing of RBD backing strings when building backing chain (rhbz#1164528) - storage: rbd: qemu: Add support for specifying internal RBD snapshots (rhbz#1164528) - storage: rbd: Implement support for passing config file option (rhbz#1164528) [1.2.8-7] - qemu: avoid rare race when undefining domain (rhbz#1150505) - qemu: stop NBD server after successful migration (rhbz#1160212) - Require at least one console for LXC domain (rhbz#1155410) - remote: Fix memory leak in remoteConnectGetAllDomainStats (rhbz#1158715) - CVE-2014-7823: dumpxml: security hole with migratable flag (CVE-2014-7823) - Free job statistics from the migration cookie (rhbz#1161124) - Fix virDomainChrEquals for spicevmc (rhbz#1162097) - network: fix call virNetworkEventLifecycleNew when networkStartNetwork fail (rhbz#1162915) - Do not crash on gluster snapshots with no host name (rhbz#1162974) - nwfilter: fix deadlock caused updating network device and nwfilter (rhbz#1143780) - util: eliminate 'use after free' in callers of virNetDevLinkDump (rhbz#1163463) - storage: Check for valid fc_host parent at startup (rhbz#1160565) - storage: Ensure fc_host parent matches wwnn/wwpn (rhbz#1160565) - storage: Don't use a stack copy of the adapter (rhbz#1160926) - storage: Introduce virStoragePoolSaveConfig (rhbz#1160926) - storage: Introduce 'managed' for the fchost parent (rhbz#1160926) - qemu: Always set migration capabilities (rhbz#1163953) [1.2.8-6] - qemu: support nospace reason in io error event (rhbz#1119784) - RHEL: Add support for QMP I/O error reason (rhbz#1119784) - nodeinfo: fix nodeGetFreePages when max node is zero (rhbz#1145048) - nodeGetFreePages: Push forgotten change (rhbz#1145048) - conf: tests: fix virDomainNetDefFormat for vhost-user in client mode (rhbz#1155458) - util: string: Add helper to check whether string is empty (rhbz#1142693) - qemu: restore: Fix restoring of VM when the restore hook returns empty XML (rhbz#1142693) - security_selinux: Don't relabel /dev/net/tun (rhbz#1095636) - qemu: Fix updating bandwidth limits in live XML (rhbz#1146511) - qemu: save domain status after set the blkio parameters (rhbz#1146511) - qemu: call qemuDomainObjBeginJob/qemuDomainObjEndJob in qemuDomainSetInterfaceParameters (rhbz#1146511) - qemu: save domain status after set domain's numa parameters (rhbz#1146511) - qemu: forbid snapshot-delete --children-only on external snapshot (rhbz#956506) - qemu: better error message when block job can't succeed (rhbz#1140981) - Reject live update of offloading options (rhbz#1155441) - virutil: Introduce virGetSCSIHostNumber (rhbz#1146837) - virutil: Introduce virGetSCSIHostNameByParentaddr (rhbz#1146837) - storage_conf: Resolve libvirtd crash matching scsi_host (rhbz#1146837) - Match scsi_host pools by parent address first (rhbz#1146837) - Relax duplicate SCSI host pool checking (rhbz#1146837) - qemu: Remove possible NULL deref in debug output (rhbz#1141621) - virsh: Adjust the text in man page regarding qemu-attach (rhbz#1141621) - hotplug: Check for alias in controller detach (rhbz#1141621) - hotplug: Check for alias in disk detach (rhbz#1141621) - hotplug: Check for alias in hostdev detach (rhbz#1141621) - hotplug: Check for alias in chrdev detach (rhbz#1141621) - hotplug: Check for alias in net detach (rhbz#1141621) - qemu-attach: Assign device aliases (rhbz#1141621) - hotplug: fix char device detach (rhbz#1141621) - storage: Fix crash when parsing backing store URI with schema (rhbz#1156288) - remote: fix jump depends on uninitialised value (rhbz#1158715) - qemu: Release nbd port from migrationPorts instead of remotePorts (rhbz#1159245) - conf: add trustGuestRxFilters attribute to network and domain interface (rhbz#848199) - network: set interface actual trustGuestRxFilters from network/portgroup (rhbz#848199) - util: define virNetDevRxFilter and basic utility functions (rhbz#848199) - qemu: qemuMonitorQueryRxFilter - retrieve guest netdev rx-filter (rhbz#848199) - qemu: add short document on qemu event handlers (rhbz#848199) - qemu: setup infrastructure to handle NIC_RX_FILTER_CHANGED event (rhbz#848199) - qemu: change macvtap device MAC address in response to NIC_RX_FILTER_CHANGED (rhbz#848199) - util: Functions to update host network device's multicast filter (rhbz#848199) - qemu: change macvtap multicast list in response to NIC_RX_FILTER_CHANGED (rhbz#848199) - virnetdev: Resolve Coverity DEADCODE (rhbz#848199) - virnetdev: Resolve Coverity FORWARD_NULL (rhbz#848199) - virnetdev: Resolve Coverity RESOURCE_LEAK (rhbz#848199) - lxc: improve error message for invalid blkiotune settings (rhbz#1131306) - qemu: improve error message for invalid blkiotune settings (rhbz#1131306) - Do not probe for power mgmt capabilities in lxc emulator (rhbz#1159227) - qemu: make advice from numad available when building commandline (rhbz#1138545) [1.2.8-5] - qemuPrepareNVRAM: Save domain after NVRAM path generation (rhbz#1026772) - Fix crash cpu_shares change event crash on domain startup (rhbz#1147494) - Don't verify CPU features with host-passthrough (rhbz#1147584) - Also filter out non-migratable features out of host-passthrough (rhbz#1147584) - selinux: Avoid label reservations for type = none (rhbz#1138487) - qemu: bulk stats: extend internal collection API (rhbz#1113116) - qemu: bulk stats: implement CPU stats group (rhbz#1113116) - qemu: bulk stats: implement balloon group (rhbz#1113116) - qemu: bulk stats: implement VCPU group (rhbz#1113116) - qemu: bulk stats: implement interface group (rhbz#1113116) - qemu: bulk stats: implement block group (rhbz#1113116) - virsh: add options to query bulk stats group (rhbz#1113116) - lib: De-duplicate stats group documentation for all stats functions (rhbz#1113116) - lib: Document that virConnectGetAllDomainStats may omit some stats fields (rhbz#1113116) - man: virsh: Add docs for supported stats groups (rhbz#1113116) - qemu: monitor: return block stats data as a hash to avoid disk mixup (rhbz#1113116) - qemu: monitor: Avoid shadowing variable 'devname' on FreeBSD (rhbz#1113116) - qemu: monitor: Add helper function to fill physical/virtual image size (rhbz#1113116) - qemu: bulk stats: add block allocation information (rhbz#1113116) - qemu: json: Fix missing break in error reporting function (rhbz#1113116) - qemu: monitor: Avoid shadowing variable 'devname' on FreeBSD. Again. (rhbz#1113116) - docs, conf, schema: add support for shmem device (rhbz#1126991) - qemu: add capability probing for ivshmem device (rhbz#1126991) - qemu: Build command line for ivshmem device (rhbz#1126991) - minor shmem clean-ups (rhbz#1126991) - virSecuritySELinuxSetTapFDLabel: Temporarily revert to old behavior (rhbz#1095636) - domain_conf: fix domain deadlock (CVE-2014-3657) - qemu: support relative backing for RHEL 7.0.z qemu (rhbz#1150322) - qemu: Fix hot unplug of SCSI_HOST device (rhbz#1141732) - qemu: Remove need for virConnectPtr in hotunplug detach host, net (rhbz#1141732) [1.2.8-4] - Fix libvirtd crash when removing metadata (rhbz#1143955) - Fix leak in x86UpdateHostModel (rhbz#1144303) - Move the FIPS detection from capabilities (rhbz#1135431) - qemu: raise an error when trying to use readonly sata disks (rhbz#1112939) - virsh-host: fix pagesize unit of freepages (rhbz#1145048) - nodeinfo: report error when given node is out of range (rhbz#1145050) - Fix typo of virNodeGetFreePages comment (rhbz#1145050) - nodeinfo: Prefer MIN in nodeGetFreePages (rhbz#1145050) - Fix bug with loading bridge name for active domain during libvirtd start (rhbz#1140085) - qemu: save image: Split out user provided XML checker (rhbz#1142693) - qemu: save image: Add possibility to return XML stored in the image (rhbz#1142693) - qemu: save image: Split out new definition check/update (rhbz#1142693) - qemu: save image: Split out checks done only when editing the save img (rhbz#1142693) - qemu: hook: Provide hook when restoring a domain save image (rhbz#1142693) - qemu: Expose additional migration statistics (rhbz#1013055) - qemu: Fix old tcp:host URIs more cleanly (rhbz#1013055) - qemu: Prepare support for arbitrary migration protocol (rhbz#1013055) - qemu: Add RDMA migration capabilities (rhbz#1013055) - qemu: RDMA migration support (rhbz#1013055) - qemu: Memory pre-pinning support for RDMA migration (rhbz#1013055) - qemu: Fix memory leak in RDMA migration code (rhbz#1013055) - schemas: finish virTristate{Bool, Switch} transition (rhbz#1139364) - conf: split out virtio net driver formatting (rhbz#1139364) - conf: remove redundant local variable (rhbz#1139364) - conf: add options for disabling segment offloading (rhbz#1139364) - qemu: wire up virtio-net segment offloading options (rhbz#1139364) - spec: Enable qemu driver for RHEL-7 on aarch64 (rhbz#1142448) - blkdeviotune: fix bug with saving values into live XML (rhbz#1146511) - security: Fix labelling host devices (rhbz#1146550) - qemu: Add missing goto on rawio (rhbz#1103739) - hostdev: Add 'rawio' attribute to _virDomainHostdevSubsysSCSI (rhbz#1103739) - qemu: Process the hostdev 'rawio' setting (rhbz#1103739) - util: Add function to check if a virStorageSource is 'empty' (rhbz#1138231) - util: storage: Allow metadata crawler to report useful errors (rhbz#1138231) - qemu: Sanitize argument names and empty disk check in qemuDomainDetermineDiskChain (rhbz#1138231) - qemu: Report better errors from broken backing chains (rhbz#1138231) - storage: Improve error message when traversing backing chains (rhbz#1138231) - qemu: Always re-detect backing chain (rhbz#1144922) - event: introduce new event for tunable values (rhbz#1115898) - tunable_event: extend debug message and tweak limit for remote message (rhbz#1115898) - add an example how to use tunable event (rhbz#1115898) - Fix MinGW build (rhbz#1115898) - event_example: cleanup example code for tunable event (rhbz#1115898) - cputune_event: queue the event for cputune updates (rhbz#1115898) - blkdeviotune: trigger tunable event for blkdeviotune updates (rhbz#1115898) - Rename tunable event constants (rhbz#1115898) - Fix typo s/EMULATORIN/EMULATORPIN/ (rhbz#1115898) - Check for NULL in qemu monitor event filter (rhbz#1144920) [1.2.8-3] - virsh: Move --completed from resume to domjobinfo (rhbz#1063724) - qemu_driver: Resolve Coverity COPY_PASTE_ERROR (rhbz#1141209) - virfile: Resolve Coverity DEADCODE (rhbz#1141209) - lxc: Resolve Coverity FORWARD_NULL (rhbz#1141209) - qemu: Resolve Coverity FORWARD_NULL (rhbz#1141209) - qemu: Resolve Coverity FORWARD_NULL (rhbz#1141209) - xen: Resolve Coverity NEGATIVE_RETURNS (rhbz#1141209) - qemu: Resolve Coverity NEGATIVE_RETURNS (rhbz#1141209) - qemu: Resolve Coverity NEGATIVE_RETURNS (rhbz#1141209) - virsh: Resolve Coverity NEGATIVE_RETURNS (rhbz#1141209) - daemon: Resolve Coverity RESOURCE_LEAK (rhbz#1141209) - domain_conf: Resolve Coverity COPY_PASTE_ERROR (rhbz#1141209) - storage_conf: Fix libvirtd crash when defining scsi storage pool (rhbz#1141943) - qemu: time: Report errors if agent command fails (rhbz#1142294) - util: storage: Copy driver type when initializing chain element (rhbz#1140984) - docs, conf, schema: add support for shared memory mapping (rhbz#1133144) - qemu: add support for shared memory mapping (rhbz#1133144) - rpc: reformat the flow to make a bit more sense (rhbz#927369) - remove redundant pidfile path constructions (rhbz#927369) - util: fix potential leak in error codepath (rhbz#927369) - util: get rid of unnecessary umask() call (rhbz#927369) - rpc: make daemon spawning a bit more intelligent (rhbz#927369) - conf: add backend element to interfaces (rhbz#1139362) - Wire up the interface backend options (rhbz#1139362) - CVE-2014-3633: qemu: blkiotune: Use correct definition when looking up disk (CVE-2014-3633) - qemu: fix crash with shared disks (rhbz#1142722) - nvram: Fix permissions (rhbz#1026772) - libvirt.spec: Fix permission even for libvirt-driver-qemu (rhbz#1026772) - virDomainUndefineFlags: Allow NVRAM unlinking (rhbz#1026772) - formatdomain: Update <loader/> example to match the rest (rhbz#1026772) - domaincaps: Expose UEFI capability (rhbz#1026772) - qemu_capabilities: Change virQEMUCapsFillDomainCaps signature (rhbz#1026772) - domaincaps: Expose UEFI binary path, if it exists (rhbz#1026772) - domaincapstest: Run cleanly on systems missing OVMF firmware (rhbz#1026772) - conf: Disallow nonexistent NUMA nodes for hugepages (rhbz#1135396) - qemu: Honor hugepages for UMA domains (rhbz#1135396) - RHEL: Fix maxvcpus output (rhbz#1092363) - virsh: Add iothread to 'attach-disk' (rhbz#1101574) - qemu: Issue query-iothreads and to get list of active IOThreads (rhbz#1101574) - vircgroup: Introduce virCgroupNewIOThread (rhbz#1101574) - qemu_domain: Add niothreadpids and iothreadpids (rhbz#1101574) - qemu_cgroup: Introduce cgroup functions for IOThreads (rhbz#1101574) - qemu: Allow pinning specific IOThreads to a CPU (rhbz#1101574) - domain_conf: Add iothreadpin to cputune (rhbz#1101574) - vircgroup: Fix broken builds without cgroups (rhbz#1101574) - cputune: allow interleaved xml (rhbz#1101574) - qemu: Fix iothreads issue (rhbz#1101574) - qemu_cgroup: Adjust spacing around incrementor (rhbz#1101574) - qemu: Fix call in qemuDomainSetNumaParamsLive for virCgroupNewIOThread (rhbz#1101574) - qemu: Need to check for capability before query (rhbz#1101574) - qemu: Don't fail startup/attach for IOThreads if no JSON (rhbz#1101574) - Fixes for domains with no iothreads (rhbz#1101574) [1.2.8-2] - remote: Fix memory leak on error path when deserializing bulk stats (rhbz#1136350) - spec: Fix preun script for daemon (rhbz#1136736) - security: fix DH key generation when FIPS mode is on (rhbz#1128497) - tests: force FIPS testing mode with new enough GNU TLS versions (rhbz#1128497) - Don't include non-migratable features in host-model (rhbz#1138221) - qemu: Rename DEFAULT_JOB_MASK to QEMU_DEFAULT_JOB_MASK (rhbz#1134154) - qemu: snapshot: Fix job handling when creating snapshots (rhbz#1134154) - qemu: snapshot: Acquire job earlier on snapshot revert/delete (rhbz#1134154) - qemu: snapshot: Fix snapshot function header formatting and spacing (rhbz#1134154) - qemu: snapshot: Simplify error paths (rhbz#1134154) - qemu: Propagate QEMU errors during incoming migrations (rhbz#1090093) - Refactor job statistics (rhbz#1063724) - qemu: Avoid incrementing jobs_queued if virTimeMillisNow fails (rhbz#1063724) - Add support for fetching statistics of completed jobs (rhbz#1063724) - qemu: Silence coverity on optional migration stats (rhbz#1063724) - virsh: Add support for completed job stats (rhbz#1063724) - qemu: Transfer migration statistics to destination (rhbz#1063724) - qemu: Recompute downtime and total time when migration completes (rhbz#1063724) - qemu: Transfer recomputed stats back to source (rhbz#1063724) - conf: Extend <loader/> and introduce <nvram/> (rhbz#1112257) - qemu: Implement extended loader and nvram (rhbz#1112257) - qemu: Automatically create NVRAM store (rhbz#1112257) [1.2.8-1] - Rebased to libvirt-1.2.8 (rhbz#1035158) - The rebase also fixes the following bugs: rhbz#927369, rhbz#957293, rhbz#999926, rhbz#1021703, rhbz#1043735 rhbz#1047818, rhbz#1062142, rhbz#1064770, rhbz#1072653, rhbz#1078126 rhbz#1095636, rhbz#1103245, rhbz#1119215, rhbz#1121837, rhbz#1121955 rhbz#1122455, rhbz#1126329, rhbz#1126721, rhbz#1126909, rhbz#1128097 rhbz#1128751, rhbz#1129207, rhbz#1129372, rhbz#1129998, rhbz#1130089 rhbz#1130379, rhbz#1131306, rhbz#1131445, rhbz#1131788, rhbz#1131811 rhbz#1131819, rhbz#1131876, rhbz#1132301, rhbz#1132305, rhbz#1132347 [1.2.7-1] - Rebased to libvirt-1.2.7 (rhbz#1035158) - The rebase also fixes the following bugs: rhbz#823535, rhbz#872628, rhbz#874418, rhbz#878394, rhbz#880483 rhbz#921094, rhbz#963817, rhbz#964177, rhbz#967493, rhbz#967494 rhbz#972964, rhbz#983350, rhbz#985782, rhbz#985980, rhbz#990319 rhbz#990418, rhbz#991290, rhbz#992980, rhbz#994731, rhbz#995377 rhbz#997627, rhbz#997802, rhbz#1006700, rhbz#1007698, rhbz#1007759 rhbz#1010885, rhbz#1022874, rhbz#1023366, rhbz#1025407, rhbz#1027076 rhbz#1029266, rhbz#1029732, rhbz#1032363, rhbz#1033020, rhbz#1033398 rhbz#1033704, rhbz#1035128, rhbz#1046192, rhbz#1049038, rhbz#1052114 rhbz#1056902, rhbz#1062142, rhbz#1063837, rhbz#1066280, rhbz#1066894 rhbz#1067338, rhbz#1069552, rhbz#1069784, rhbz#1070680, rhbz#1072141 rhbz#1072677, rhbz#1073368, rhbz#1073506, rhbz#1074086, rhbz#1075290 rhbz#1075299, rhbz#1076957, rhbz#1076959, rhbz#1076960, rhbz#1076962 rhbz#1077009, rhbz#1077572, rhbz#1078590, rhbz#1079162, rhbz#1079173 rhbz#1080859, rhbz#1081881, rhbz#1081932, rhbz#1082124, rhbz#1083345 rhbz#1084360, rhbz#1085706, rhbz#1085769, rhbz#1086121, rhbz#1086331 rhbz#1086704, rhbz#1087104, rhbz#1087671, rhbz#1088293, rhbz#1088667 rhbz#1088787, rhbz#1088864, rhbz#1089179, rhbz#1089378, rhbz#1091132 rhbz#1091866, rhbz#1092038, rhbz#1092253, rhbz#1093127, rhbz#1095035 rhbz#1097028, rhbz#1097503, rhbz#1097677, rhbz#1097968, rhbz#1098659 rhbz#1099978, rhbz#1100086, rhbz#1100769, rhbz#1101059, rhbz#1101510 rhbz#1101987, rhbz#1101999, rhbz#1102426, rhbz#1102457, rhbz#1102611 rhbz#1104992, rhbz#1104993, rhbz#1105939, rhbz#1108593, rhbz#1110198 rhbz#1110212, rhbz#1110673, rhbz#1111044, rhbz#1112939, rhbz#1113332 rhbz#1113668, rhbz#1113751, rhbz#1113868, rhbz#1118710, rhbz#1119206 rhbz#1119387, rhbz#1119592, rhbz#1120474, rhbz#1122255, rhbz#1122973 - spec: Enable qemu driver for RHEL-7 on ppc64 (rhbz#1120474) [1.2.6-1] - Rebased to libvirt-1.2.6 (rhbz#1035158) LOW Copyright 2015 Oracle, Inc. CVE-2014-8136 CVE-2015-0236 Oracle Linux 7 [2.4.6-31.0.1] - replace index.html with Oracle's index page oracle_index.html [2.4.6-31] - mod_proxy_fcgi: determine if FCGI_CONN_CLOSE should be enabled instead of hardcoding it (#1168050) - mod_proxy: support Unix Domain Sockets (#1168081) [2.4.6-30] - core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704) - mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581) [2.4.6-29] - rebuild against proper version of OpenSSL (#1080125) [2.4.6-28] - set vstring based on /etc/os-release (#1114123) [2.4.6-27] - fix the dependency on openssl-libs to match the fix for #1080125 [2.4.6-26] - allow <Auth*ProviderAlias>'es to be seen under virtual hosts (#1131847) [2.4.6-25] - do not use hardcoded curve for ECDHE suites (#1080125) [2.4.6-24] - allow reverse-proxy to be set via SetHandler (#1136290) [2.4.6-23] - fix possible crash in SIGINT handling (#1131006) [2.4.6-22] - ab: fix integer overflow when printing stats with lot of requests (#1092420) [2.4.6-21] - add pre_htaccess so mpm-itk can be build as separate module (#1059143) [2.4.6-20] - mod_ssl: prefer larger keys and support up to 8192-bit keys (#1073078) LOW Copyright 2015 Oracle, Inc. CVE-2013-5704 CVE-2014-3581 Oracle Linux 7 [2.17-78.0.1] - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. [2.17-78] - Fix ppc64le builds (#1077389). [2.17-77] - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183545). [2.17-76] - Fix application crashes during calls to gettimeofday on ppc64 when kernel exports gettimeofday via VDSO (#1077389). - Prevent NSS-based file backend from entering infinite loop when different APIs request the same service (CVE-2014-8121, #1182272). [2.17-75] - Fix permission of debuginfo source files to allow multiarch debuginfo packages to be installed and upgraded (#1170110). [2.17-74] - Fix wordexp() to honour WRDE_NOCMD (CVE-2014-7817, #1170487). [2.17-73] - ftell: seek to end only when there are unflushed bytes (#1156331). [2.17-72] - [s390] Fix up _dl_argv after adjusting arguments in _dl_start_user (#1161666). [2.17-71] - Fix incorrect handling of relocations in 64-bit LE mode for Power (#1162847). [2.17-70] - [s390] Retain stack alignment when skipping over loader argv (#1161666). [2.17-69] - Use __int128_t in link.h to support older compiler (#1120490). [2.17-68] - Revert to defining __extern_inline only for gcc-4.3+ (#1120490). [2.17-67] - Correct a defect in the generated math error table in the manual (#786638). [2.17-66] - Include preliminary thread, signal and cancellation safety documentation in manual (#786638). [2.17-65] - PowerPC 32-bit and 64-bit optimized function support using STT_GNU_IFUNC (#731837). - Support running Intel MPX-enabled applications (#1132518). - Support running Intel AVX-512-enabled applications (#1140272). [2.17-64] - Fix crashes on invalid input in IBM gconv modules (#1140474, CVE-2014-6040). [2.17-63] - Build build-locale-archive statically (#1070611). - Return failure in getnetgrent only when all netgroups have been searched (#1085313). [2.17-62] - Don't use alloca in addgetnetgrentX (#1138520). - Adjust pointers to triplets in netgroup query data (#1138520). [2.17-61] - Set CS_PATH to just /use/bin (#1124453). - Add systemtap probe in lll_futex_wake for ppc and s390 (#1084089). [2.17-60] - Add mmap usage to malloc_info output (#1103856). - Fix nscd lookup for innetgr when netgroup has wildcards (#1080766). - Fix memory order when reading libgcc handle (#1103874). - Fix typo in nscd/selinux.c (#1125306). - Do not fail if one of the two responses to AF_UNSPEC fails (#1098047). [2.17-59] - Provide correct buffer length to netgroup queries in nscd (#1083647). - Return NULL for wildcard values in getnetgrent from nscd (#1085290). - Avoid overlapping addresses to stpcpy calls in nscd (#1083644). - Initialize all of datahead structure in nscd (#1083646). [2.17-58] - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, [2.17-57] - Merge 64-bit ARM (AArch64) support (#1027179). - Fix build failure for rtkaio/tst-aiod2.c and rtkaio/tst-aiod3.c. [2.17-56] - Merge LE 64-bit POWER support (#1125513). [2.17-55.4] - Fix tst-cancel4, tst-cancelx4, tst-cancel5, and tst-cancelx5 for all targets. - Fix tst-ildoubl, and tst-ldouble for POWER. - Allow LE 64-bit POWER to build with VSX if enabled (#1124048). [2.17-55.3] - Fix ppc64le ABI issue with pthread_atfork being present in libpthread.so.0. [2.17-55.2] - Add ABI baseline for 64-bit POWER LE. [2.17-55.1] - Add 64-bit POWER LE support. MODERATE Copyright 2015 Oracle, Inc. CVE-2014-6040 CVE-2014-8121 Oracle Linux 7 [8.32-14] - Fix CVE-2014-8964 (unused memory usage on zero-repeat assertion condition) (bug #1169797) [8.32-13] - Disable unsupported JIT mode on little-endian 64-bit PowerPC platform (bug #1125642) - Raise optimization level to 3 on little-endian 64-bit PowerPC (bug #1123498) LOW Copyright 2015 Oracle, Inc. CVE-2014-8964 Oracle Linux 7 [1.5.3-86.el7] - kvm-vfio-pci-Fix-interrupt-disabling.patch [bz#1180942] - kvm-cirrus-fix-blit-region-check.patch [bz#1169456] - kvm-cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf.patch [bz#1169456] - Resolves: bz#1169456 (CVE-2014-8106 qemu-kvm: qemu: cirrus: insufficient blit region checks [rhel-7.1]) - Resolves: bz#1180942 (qemu core dumped when unhotplug gpu card assigned to guest) [1.5.3-85.el7] - kvm-block-delete-cow-block-driver.patch [bz#1175325] - Resolves: bz#1175325 (Delete cow block driver) [1.5.3-84.el7] - kvm-qemu-iotests-Test-case-for-backing-file-deletion.patch [bz#1002493] - kvm-qemu-iotests-Add-sample-image-and-test-for-VMDK-vers.patch [bz#1134237] - kvm-vmdk-Check-VMFS-extent-line-field-number.patch [bz#1134237] - kvm-qemu-iotests-Introduce-_unsupported_imgopts.patch [bz#1002493] - kvm-qemu-iotests-Add-_unsupported_imgopts-for-vmdk-subfo.patch [bz#1002493] - kvm-vmdk-Fix-big-flat-extent-IO.patch [bz#1134241] - kvm-vmdk-Check-for-overhead-when-opening.patch [bz#1134251] - kvm-block-vmdk-add-basic-.bdrv_check-support.patch [bz#1134251] - kvm-qemu-iotest-Make-077-raw-only.patch [bz#1134237] - kvm-qemu-iotests-Don-t-run-005-on-vmdk-split-formats.patch [bz#1002493] - kvm-vmdk-extract-vmdk_read_desc.patch [bz#1134251] - kvm-vmdk-push-vmdk_read_desc-up-to-caller.patch [bz#1134251] - kvm-vmdk-do-not-try-opening-a-file-as-both-image-and-des.patch [bz#1134251] - kvm-vmdk-correctly-propagate-errors.patch [bz#1134251] - kvm-block-vmdk-do-not-report-file-offset-for-compressed-.patch [bz#1134251] - kvm-vmdk-Fix-d-and-lld-to-PRI-in-format-strings.patch [bz#1134251] - kvm-vmdk-Fix-x-to-PRIx32-in-format-strings-for-cid.patch [bz#1134251] - kvm-qemu-img-Convert-by-cluster-size-if-target-is-compre.patch [bz#1134283] - kvm-vmdk-Implement-.bdrv_write_compressed.patch [bz#1134283] - kvm-vmdk-Implement-.bdrv_get_info.patch [bz#1134283] - kvm-qemu-iotests-Test-converting-to-streamOptimized-from.patch [bz#1134283] - kvm-vmdk-Fix-local_err-in-vmdk_create.patch [bz#1134283] - kvm-fpu-softfloat-drop-INLINE-macro.patch [bz#1002493] - kvm-block-New-bdrv_nb_sectors.patch [bz#1002493] - kvm-vmdk-Optimize-cluster-allocation.patch [bz#1002493] - kvm-vmdk-Handle-failure-for-potentially-large-allocation.patch [bz#1002493] - kvm-vmdk-Use-bdrv_nb_sectors-where-sectors-not-bytes-are.patch [bz#1002493] - kvm-vmdk-fix-vmdk_parse_extents-extent_file-leaks.patch [bz#1002493] - kvm-vmdk-fix-buf-leak-in-vmdk_parse_extents.patch [bz#1002493] - kvm-vmdk-Fix-integer-overflow-in-offset-calculation.patch [bz#1002493] - kvm-migration-fix-parameter-validation-on-ram-load-CVE-2.patch [bz#1163078] - Resolves: bz#1002493 (qemu-img convert rate about 100k/second from qcow2/raw to vmdk format on nfs system file) - Resolves: bz#1134237 (Opening malformed VMDK description file should fail) - Resolves: bz#1134241 (QEMU fails to correctly read/write on VMDK with big flat extent) - Resolves: bz#1134251 (Opening an obviously truncated VMDK image should fail) - Resolves: bz#1134283 (qemu-img convert from ISO to streamOptimized fails) - Resolves: bz#1163078 (CVE-2014-7840 qemu-kvm: qemu: insufficient parameter validation during ram load [rhel-7.1]) [1.5.3-83.el7] - kvm-xhci-add-sanity-checks-to-xhci_lookup_uport.patch [bz#1074219] - kvm-Revert-Build-ceph-rbd-only-for-rhev.patch [bz#1140742] - kvm-Revert-rbd-Only-look-for-qemu-specific-copy-of-librb.patch [bz#1140742] - kvm-Revert-rbd-link-and-load-librbd-dynamically.patch [bz#1140742] - kvm-spec-Enable-rbd-driver-add-dependency.patch [bz#1140742] - Resolves: bz#1074219 (qemu core dump when install a RHEL.7 guest(xhci) with migration) - Resolves: bz#1140742 (Enable native support for Ceph) [1.5.3-82.el7] - kvm-hw-pci-fixed-error-flow-in-pci_qdev_init.patch [bz#1046007] - kvm-hw-pci-fixed-hotplug-crash-when-using-rombar-0-with-.patch [bz#1046007] - Resolves: bz#1046007 (qemu-kvm aborted when hot plug PCI device to guest with romfile and rombar=0) [1.5.3-81.el7] - kvm-migration-static-variables-will-not-be-reset-at-seco.patch [bz#1071776] - kvm-vfio-pci-Add-debug-config-options-to-disable-MSI-X-K.patch [bz#1098976] - kvm-vfio-correct-debug-macro-typo.patch [bz#1098976] - kvm-vfio-pci-Fix-MSI-X-debug-code.patch [bz#1098976] - kvm-vfio-pci-Fix-MSI-X-masking-performance.patch [bz#1098976] - kvm-vfio-Fix-MSI-X-vector-expansion.patch [bz#1098976] - kvm-vfio-Don-t-cache-MSIMessage.patch [bz#1098976] - Resolves: bz#1071776 (Migration 'expected downtime' does not refresh after reset to a new value) - Resolves: bz#1098976 (2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput) [1.5.3-80.el7] - kvm-dump-RHEL-specific-fix-for-CPUState-bug-introduced-b.patch [bz#1161563] - kvm-dump-guest-memory-Check-for-the-correct-return-value.patch [bz#1157798] - kvm-dump-const-qualify-the-buf-of-WriteCoreDumpFunction.patch [bz#1157798] - kvm-dump-add-argument-to-write_elfxx_notes.patch [bz#1157798] - kvm-dump-add-API-to-write-header-of-flatten-format.patch [bz#1157798] - kvm-dump-add-API-to-write-vmcore.patch [bz#1157798] - kvm-dump-add-API-to-write-elf-notes-to-buffer.patch [bz#1157798] - kvm-dump-add-support-for-lzo-snappy.patch [bz#1157798] - kvm-RPM-spec-build-qemu-kvm-with-lzo-and-snappy-enabled-.patch [bz#1157798] - kvm-dump-add-members-to-DumpState-and-init-some-of-them.patch [bz#1157798] - kvm-dump-add-API-to-write-dump-header.patch [bz#1157798] - kvm-dump-add-API-to-write-dump_bitmap.patch [bz#1157798] - kvm-dump-add-APIs-to-operate-DataCache.patch [bz#1157798] - kvm-dump-add-API-to-write-dump-pages.patch [bz#1157798] - kvm-dump-Drop-qmp_dump_guest_memory-stub-and-build-for-a.patch [bz#1157798] - kvm-dump-make-kdump-compressed-format-available-for-dump.patch [bz#1157798] - kvm-Define-the-architecture-for-compressed-dump-format.patch [bz#1157798] - kvm-dump-add-query-dump-guest-memory-capability-command.patch [bz#1157798] - kvm-dump-Drop-pointless-error_is_set-DumpState-member-er.patch [bz#1157798] - kvm-dump-fill-in-the-flat-header-signature-more-pleasing.patch [bz#1157798] - kvm-dump-simplify-write_start_flat_header.patch [bz#1157798] - kvm-dump-eliminate-DumpState.page_shift-guest-s-page-shi.patch [bz#1157798] - kvm-dump-eliminate-DumpState.page_size-guest-s-page-size.patch [bz#1157798] - kvm-dump-select-header-bitness-based-on-ELF-class-not-EL.patch [bz#1157798] - kvm-dump-hoist-lzo_init-from-get_len_buf_out-to-dump_ini.patch [bz#1157798] - kvm-dump-simplify-get_len_buf_out.patch [bz#1157798] - kvm-rename-parse_enum_option-to-qapi_enum_parse-and-make.patch [bz#1087724] - kvm-qapi-introduce-PreallocMode-and-new-PreallocModes-fu.patch [bz#1087724] - kvm-raw-posix-Add-falloc-and-full-preallocation-option.patch [bz#1087724] - kvm-qcow2-Add-falloc-and-full-preallocation-option.patch [bz#1087724] - kvm-vga-fix-invalid-read-after-free.patch [bz#1161890] - kvm-Use-qemu-kvm-in-documentation-instead-of-qemu-system.patch [bz#1140618] - kvm-vnc-sanitize-bits_per_pixel-from-the-client.patch [bz#1157645] - kvm-spice-call-qemu_spice_set_passwd-during-init.patch [bz#1138639] - kvm-block-raw-posix-Try-both-FIEMAP-and-SEEK_HOLE.patch [bz#1160237] - kvm-block-raw-posix-Fix-disk-corruption-in-try_fiemap.patch [bz#1160237] - kvm-block-raw-posix-use-seek_hole-ahead-of-fiemap.patch [bz#1160237] - kvm-raw-posix-Fix-raw_co_get_block_status-after-EOF.patch [bz#1160237] - kvm-raw-posix-raw_co_get_block_status-return-value.patch [bz#1160237] - kvm-raw-posix-SEEK_HOLE-suffices-get-rid-of-FIEMAP.patch [bz#1160237] - kvm-raw-posix-The-SEEK_HOLE-code-is-flawed-rewrite-it.patch [bz#1160237] - Resolves: bz#1087724 ([Fujitsu 7.1 FEAT]: qemu-img should use fallocate() system call for 'preallocation=full' option) - Resolves: bz#1138639 (fail to login spice session with password + expire time) - Resolves: bz#1140618 (Should replace 'qemu-system-i386' by '/usr/libexec/qemu-kvm' in manpage of qemu-kvm for our official qemu-kvm build) - Resolves: bz#1157645 (CVE-2014-7815 qemu-kvm: qemu: vnc: insufficient bits_per_pixel from the client sanitization [rhel-7.1]) - Resolves: bz#1157798 ([FEAT RHEL7.1]: qemu: Support compression for dump-guest-memory command) - Resolves: bz#1160237 (qemu-img convert intermittently corrupts output images) - Resolves: bz#1161563 (invalid QEMU NOTEs in vmcore that is dumped for multi-VCPU guests) - Resolves: bz#1161890 ([abrt] qemu-kvm: pixman_image_get_data(): qemu-kvm killed by SIGSEGV) [1.5.3-79.el7] - kvm-libcacard-link-against-qemu-error.o-for-error_report.patch [bz#1088176] - kvm-error-Add-error_abort.patch [bz#1088176] - kvm-blockdev-Fail-blockdev-add-with-encrypted-images.patch [bz#1088176] - kvm-blockdev-Fix-NULL-pointer-dereference-in-blockdev-ad.patch [bz#1088176] - kvm-qemu-iotests-Test-a-few-blockdev-add-error-cases.patch [bz#1088176] - kvm-block-Add-errp-to-bdrv_new.patch [bz#1088176] - kvm-qemu-img-Avoid-duplicate-block-device-IDs.patch [bz#1088176] - kvm-block-Catch-duplicate-IDs-in-bdrv_new.patch [bz#1088176] - kvm-qemu-img-Allow-source-cache-mode-specification.patch [bz#1138691] - kvm-qemu-img-Allow-cache-mode-specification-for-amend.patch [bz#1138691] - kvm-qemu-img-clarify-src_cache-option-documentation.patch [bz#1138691] - kvm-qemu-img-fix-rebase-src_cache-option-documentation.patch [bz#1138691] - kvm-qemu-img-fix-img_compare-flags-error-path.patch [bz#1138691] - kvm-ac97-register-reset-via-qom.patch [bz#1141667] - kvm-virtio-blk-Factor-common-checks-out-of-virtio_blk_ha.patch [bz#1085232] - kvm-virtio-blk-Bypass-error-action-and-I-O-accounting-on.patch [bz#1085232] - kvm-virtio-blk-Treat-read-write-beyond-end-as-invalid.patch [bz#1085232] - kvm-ide-Treat-read-write-beyond-end-as-invalid.patch [bz#1085232] - kvm-ide-only-constrain-read-write-requests-to-drive-size.patch [bz#1085232] - Resolves: bz#1085232 (Ilegal guest requests on block devices pause the VM) - Resolves: bz#1088176 (QEMU fail to check whether duplicate ID for block device drive using 'blockdev-add' to hotplug) - Resolves: bz#1138691 (Allow qemu-img to bypass the host cache (check, compare, convert, rebase, amend)) - Resolves: bz#1141667 (Qemu crashed if reboot guest after hot remove AC97 sound device) [1.5.3-78.el7] - kvm-slirp-udp-fix-NULL-pointer-dereference-because-of-un.patch [bz#1144820] - kvm-hw-pci-fix-error-flow-in-pci-multifunction-init.patch [bz#1049734] - kvm-rhel-Drop-machine-type-pc-q35-rhel7.0.0.patch [bz#1111107] - kvm-virtio-scsi-Plug-memory-leak-on-virtio_scsi_push_eve.patch [bz#1088822] - kvm-virtio-scsi-Report-error-if-num_queues-is-0-or-too-l.patch [bz#1089606] - kvm-virtio-scsi-Fix-memory-leak-when-realize-failed.patch [bz#1089606] - kvm-virtio-scsi-Fix-num_queue-input-validation.patch [bz#1089606] - kvm-Revert-linux-aio-use-event-notifiers.patch [bz#1104748] - kvm-specfile-Require-glusterfs-api-3.6.patch [bz#1155518] - Resolves: bz#1049734 (PCI: QEMU crash on illegal operation: attaching a function to a non multi-function device) - Resolves: bz#1088822 (hot-plug a virtio-scsi disk via 'blockdev-add' always cause QEMU quit) - Resolves: bz#1089606 (QEMU will not reject invalid number of queues (num_queues = 0) specified for virtio-scsi) - Resolves: bz#1104748 (48% reduction in IO performance for KVM guest, io=native) - Resolves: bz#1111107 (Remove Q35 machine type from qemu-kvm) - Resolves: bz#1144820 (CVE-2014-3640 qemu-kvm: qemu: slirp: NULL pointer deref in sosendto() [rhel-7.1]) - Resolves: bz#1155518 (qemu-kvm: undefined symbol: glfs_discard_async) [1.5.3-77.el7] - kvm-seccomp-add-semctl-to-the-syscall-whitelist.patch [bz#1026314] - kvm-Revert-kvmclock-Ensure-proper-env-tsc-value-for-kvmc.patch [bz#1098602 bz#1130428] - kvm-Revert-kvmclock-Ensure-time-in-migration-never-goes-.patch [bz#1098602 bz#1130428] - kvm-Introduce-cpu_clean_all_dirty.patch [bz#1098602 bz#1130428] - kvm-kvmclock-Ensure-proper-env-tsc-value-for-kvmclock.v2.patch [bz#1098602 bz#1130428] - kvm-kvmclock-Ensure-time-in-migration-never-goes-back.v2.patch [bz#1098602 bz#1130428] - Resolves: bz#1026314 (BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda') - Resolves: bz#1098602 (kvmclock: Ensure time in migration never goes backward (backport)) - Resolves: bz#1130428 (After migration of RHEL7.1 guest with '-vga qxl', GUI console is hang) [1.5.3-76.el7] - kvm-usb-hcd-xhci-QOM-Upcast-Sweep.patch [bz#980747] - kvm-usb-hcd-xhci-QOM-parent-field-cleanup.patch [bz#980747] - kvm-uhci-egsm-fix.patch [bz#1046873] - kvm-usb-redir-fix-use-after-free.patch [bz#1046574 bz#1088116] - kvm-xhci-remove-leftover-debug-printf.patch [bz#980833] - kvm-xhci-add-tracepoint-for-endpoint-state-changes.patch [bz#980833] - kvm-xhci-add-port-to-slot_address-tracepoint.patch [bz#980833] - kvm-usb-parallelize-usb3-streams.patch [bz#1075846] - kvm-xhci-Init-a-transfers-xhci-slotid-and-epid-member-on.patch [bz#1075846] - kvm-xhci-Add-xhci_epid_to_usbep-helper-function.patch [bz#980833] - kvm-xhci-Fix-memory-leak-on-xhci_disable_ep.patch [bz#980833] - kvm-usb-Also-reset-max_packet_size-on-ep_reset.patch [bz#1075846] - kvm-usb-Fix-iovec-memleak-on-combined-packet-free.patch [bz#1075846] - kvm-usb-hcd-xhci-Remove-unused-sstreamsm-member-from-XHC.patch [bz#980747] - kvm-usb-hcd-xhci-Remove-unused-cancelled-member-from-XHC.patch [bz#980747] - kvm-usb-hcd-xhci-Report-completion-of-active-transfer-wi.patch [bz#980747] - kvm-usb-hcd-xhci-Update-endpoint-context-dequeue-pointer.patch [bz#980747] - kvm-xhci-Add-a-few-missing-checks-for-disconnected-devic.patch [bz#980833] - kvm-usb-Add-max_streams-attribute-to-endpoint-info.patch [bz#1111450] - kvm-usb-Add-usb_device_alloc-free_streams.patch [bz#1111450] - kvm-xhci-Call-usb_device_alloc-free_streams.patch [bz#980833] - kvm-uhci-invalidate-queue-on-device-address-changes.patch [bz#1111450] - kvm-xhci-iso-fix-time-calculation.patch [bz#949385] - kvm-xhci-iso-allow-for-some-latency.patch [bz#949385] - kvm-xhci-switch-debug-printf-to-tracepoint.patch [bz#980747] - kvm-xhci-use-DPRINTF-instead-of-fprintf-stderr.patch [bz#980833] - kvm-xhci-child-detach-fix.patch [bz#980833] - kvm-usb-add-usb_pick_speed.patch [bz#1075846] - kvm-xhci-make-port-reset-trace-point-more-verbose.patch [bz#980833] - kvm-usb-initialize-libusb_device-to-avoid-crash.patch [bz#1111450] - kvm-target-i386-get-CPL-from-SS.DPL.patch [bz#1097363] - kvm-trace-use-unique-Red-Hat-version-number-in-simpletra.patch [bz#1088112] - kvm-trace-add-pid-field-to-simpletrace-record.patch [bz#1088112] - kvm-simpletrace-add-support-for-trace-record-pid-field.patch [bz#1088112] - kvm-simpletrace-add-simpletrace.py-no-header-option.patch [bz#1088112] - kvm-trace-extract-stap_escape-function-for-reuse.patch [bz#1088112] - kvm-trace-add-tracetool-simpletrace_stap-format.patch [bz#1088112] - kvm-trace-install-simpletrace-SystemTap-tapset.patch [bz#1088112] - kvm-trace-install-trace-events-file.patch [bz#1088112] - kvm-trace-add-SystemTap-init-scripts-for-simpletrace-bri.patch [bz#1088112] - kvm-simpletrace-install-simpletrace.py.patch [bz#1088112] - kvm-trace-add-systemtap-initscript-README-file-to-RPM.patch [bz#1088112] - kvm-rdma-Fix-block-during-rdma-migration.patch [bz#1152969] - Resolves: bz#1046574 (fail to passthrough the USB speaker redirected from usb-redir with xhci controller) - Resolves: bz#1046873 (fail to be recognized the hotpluging usb-storage device with xhci controller in win2012R2 guest) - Resolves: bz#1075846 (qemu-kvm core dumped when hotplug/unhotplug USB3.0 device multi times) - Resolves: bz#1088112 ([Fujitsu 7.1 FEAT]:QEMU: capturing trace data all the time using ftrace-based tracing) - Resolves: bz#1088116 (qemu crash when device_del usb-redir) - Resolves: bz#1097363 (qemu ' KVM internal error. Suberror: 1' when query cpu frequently during pxe boot in Intel 'Q95xx' host) - Resolves: bz#1111450 (Guest crash when hotplug usb while disable virt_use_usb) - Resolves: bz#1152969 (Qemu-kvm got stuck when migrate to wrong RDMA ip) - Resolves: bz#949385 (passthrough USB speaker to win2012 guest fail to work well) - Resolves: bz#980747 (flood with 'xhci: wrote doorbell while xHC stopped or paused' when redirected USB Webcam from usb-host with xHCI controller) - Resolves: bz#980833 (xhci: FIXME: endpoint stopped w/ xfers running, data might be lost) [1.5.3-75.el7] - kvm-target-i386-Broadwell-CPU-model.patch [bz#1116117] - kvm-pc-Add-Broadwell-CPUID-compatibility-bits.patch [bz#1116117] - kvm-virtio-balloon-fix-integer-overflow-in-memory-stats-.patch [bz#1142290] - Resolves: bz#1116117 ([Intel 7.1 FEAT] Broadwell new instructions support for KVM - qemu-kvm) - Resolves: bz#1142290 (guest is stuck when setting balloon memory with large guest-stats-polling-interval) [1.5.3-74.el7] - kvm-ide-Add-wwn-support-to-IDE-ATAPI-drive.patch [bz#1131316] - kvm-vmdk-Allow-vmdk_create-to-work-with-protocol.patch [bz#1098086] - kvm-block-make-vdi-bounds-check-match-upstream.patch [bz#1098086] - kvm-vdi-say-why-an-image-is-bad.patch [bz#1098086] - kvm-block-do-not-abuse-EMEDIUMTYPE.patch [bz#1098086] - kvm-cow-correctly-propagate-errors.patch [bz#1098086] - kvm-block-Use-correct-width-in-format-strings.patch [bz#1098086] - kvm-vdi-remove-double-conversion.patch [bz#1098086] - kvm-block-vdi-Error-out-immediately-in-vdi_create.patch [bz#1098086] - kvm-vpc-Implement-.bdrv_has_zero_init.patch [bz#1098086] - kvm-block-vpc-use-QEMU_PACKED-for-on-disk-structures.patch [bz#1098086] - kvm-block-allow-bdrv_unref-to-be-passed-NULL-pointers.patch [bz#1098086] - kvm-block-vdi-use-block-layer-ops-in-vdi_create-instead-.patch [bz#1098086] - kvm-block-use-the-standard-ret-instead-of-result.patch [bz#1098086] - kvm-block-vpc-use-block-layer-ops-in-vpc_create-instead-.patch [bz#1098086] - kvm-block-iotest-update-084-to-test-static-VDI-image-cre.patch [bz#1098086] - kvm-block-add-helper-function-to-determine-if-a-BDS-is-i.patch [bz#1122925] - kvm-block-extend-block-commit-to-accept-a-string-for-the.patch [bz#1122925] - kvm-block-add-backing-file-option-to-block-stream.patch [bz#1122925] - kvm-block-add-__com.redhat_change-backing-file-qmp-comma.patch [bz#1122925] - Resolves: bz#1098086 (RFE: Supporting creating vmdk/vdi/vpc format disk with protocols (glusterfs)) - Resolves: bz#1122925 (Maintain relative path to backing file image during live merge (block-commit)) - Resolves: bz#1131316 (fail to specify wwn for virtual IDE CD-ROM) [1.5.3-73.el7] - kvm-scsi-disk-fix-bug-in-scsi_block_new_request-introduc.patch [bz#1105880] - Resolves: bz#1105880 (bug in scsi_block_new_request() function introduced by upstream commit 137745c5c60f083ec982fe9e861e8c16ebca1ba8) [1.5.3-72.el7] - kvm-vbe-make-bochs-dispi-interface-return-the-correct-me.patch [bz#1139118] - kvm-vbe-rework-sanity-checks.patch [bz#1139118] - kvm-spice-display-add-display-channel-id-to-the-debug-me.patch [bz#1139118] - kvm-spice-make-sure-we-don-t-overflow-ssd-buf.patch [bz#1139118] - Resolves: bz#1139118 (CVE-2014-3615 qemu-kvm: Qemu: crash when guest sets high resolution [rhel-7.1]) [1.5.3-71.el7] - kvm-spice-move-qemu_spice_display_-from-spice-graphics-t.patch [bz#1054077] - kvm-spice-move-spice_server_vm_-start-stop-calls-into-qe.patch [bz#1054077] - kvm-spice-stop-server-for-qxl-hard-reset.patch [bz#1054077] - kvm-qemu-Adjust-qemu-wakeup.patch [bz#1064156] - kvm-vmstate_xhci_event-fix-unterminated-field-list.patch [bz#1122147] - kvm-vmstate_xhci_event-bug-compat-with-RHEL-7.0-RHEL-onl.patch [bz#1122147] - kvm-pflash_cfi01-write-flash-contents-to-bdrv-on-incomin.patch [bz#1139702] - kvm-ide-test-Add-enum-value-for-DEV.patch [bz#1123372] - kvm-ide-test-Add-FLUSH-CACHE-test-case.patch [bz#1123372] - kvm-ide-Fix-segfault-when-flushing-a-device-that-doesn-t.patch [bz#1123372] - kvm-IDE-Fill-the-IDENTIFY-request-consistently.patch [bz#852348] - kvm-ide-Add-resize-callback-to-ide-core.patch [bz#852348] - Resolves: bz#1054077 (qemu crash when reboot win7 guest with spice display) - Resolves: bz#1064156 ([qxl] The guest show black screen while resumed guest which managedsaved in pmsuspended status.) - Resolves: bz#1122147 (CVE-2014-5263 vmstate_xhci_event: fix unterminated field list) - Resolves: bz#1123372 (qemu-kvm crashed when doing iofuzz testing) - Resolves: bz#1139702 (pflash (UEFI varstore) migration shortcut for libvirt [RHEL]) - Resolves: bz#852348 (fail to block_resize local data disk with IDE/AHCI disk_interface) [1.5.3-70.el7] - kvm-Enforce-stack-protector-usage.patch [bz#1064260] - kvm-pc-increase-maximal-VCPU-count-to-240.patch [bz#1134408] - kvm-gluster-Add-discard-support-for-GlusterFS-block-driv.patch [bz#1136534] - kvm-gluster-default-scheme-to-gluster-and-host-to-localh.patch [bz#1088150] - kvm-qdev-properties-system.c-Allow-vlan-or-netdev-for-de.patch [bz#996011] - kvm-vl-process-object-after-other-backend-options.patch [bz#1128095] - Resolves: bz#1064260 (Handle properly --enable-fstack-protector option) - Resolves: bz#1088150 (qemu-img coredumpd when try to create a gluster format image) - Resolves: bz#1128095 (chardev 'chr0' isn't initialized when we try to open rng backend) - Resolves: bz#1134408 ([HP 7.1 FEAT] Increase qemu-kvm's VCPU limit to 240) - Resolves: bz#1136534 (glusterfs backend does not support discard) - Resolves: bz#996011 (vlan and queues options cause core dumped when qemu-kvm process quit(or ctrl+c)) [1.5.3-69.el7] - kvm-rdma-bug-fixes.patch [bz#1107821] - kvm-virtio-serial-report-frontend-connection-state-via-m.patch [bz#1122151] - kvm-char-report-frontend-open-closed-state-in-query-char.patch [bz#1122151] - kvm-acpi-fix-tables-for-no-hpet-configuration.patch [bz#1129552] - kvm-mirror-Fix-resource-leak-when-bdrv_getlength-fails.patch [bz#1130603] - kvm-blockjob-Add-block_job_yield.patch [bz#1130603] - kvm-mirror-Go-through-ready-complete-process-for-0-len-i.patch [bz#1130603] - kvm-qemu-iotests-Test-BLOCK_JOB_READY-event-for-0Kb-imag.patch [bz#1130603] - kvm-block-make-top-argument-to-block-commit-optional.patch [bz#1130603] - kvm-qemu-iotests-Test-0-length-image-for-mirror.patch [bz#1130603] - kvm-mirror-Fix-qiov-size-for-short-requests.patch [bz#1130603] - Resolves: bz#1107821 (rdma migration: seg if destination isn't listening) - Resolves: bz#1122151 (Pass close from qemu-ga) - Resolves: bz#1129552 (backport 'acpi: fix tables for no-hpet configuration') - Resolves: bz#1130603 (advertise active commit to libvirt) [1.5.3-68.el7] - kvm-virtio-net-Do-not-filter-VLANs-without-F_CTRL_VLAN.patch [bz#1065724] - kvm-virtio-net-add-vlan-receive-state-to-RxFilterInfo.patch [bz#1065724] - kvm-virtio-rng-check-return-value-of-virtio_load.patch [bz#1116941] - kvm-qapi-treat-all-negative-return-of-strtosz_suffix-as-.patch [bz#1074403] - Resolves: bz#1065724 (rx filter incorrect when guest disables VLAN filtering) - Resolves: bz#1074403 (qemu-kvm can not give any warning hint when set sndbuf with negative value) - Resolves: bz#1116941 (Return value of virtio_load not checked in virtio_rng_load) [1.5.3-67.el7] - kvm-vl.c-Output-error-on-invalid-machine-type.patch [bz#990724] - kvm-migration-dump-vmstate-info-as-a-json-file-for-stati.patch [bz#1118707] - kvm-vmstate-static-checker-script-to-validate-vmstate-ch.patch [bz#1118707] - kvm-tests-vmstate-static-checker-add-dump1-and-dump2-fil.patch [bz#1118707] - kvm-tests-vmstate-static-checker-incompat-machine-types.patch [bz#1118707] - kvm-tests-vmstate-static-checker-add-version-error-in-ma.patch [bz#1118707] - kvm-tests-vmstate-static-checker-version-mismatch-inside.patch [bz#1118707] - kvm-tests-vmstate-static-checker-minimum_version_id-chec.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-a-section.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-a-field.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-last-field-in-a-.patch [bz#1118707] - kvm-tests-vmstate-static-checker-change-description-name.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-Fields.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-Description.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-Description-insi.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-a-subsection.patch [bz#1118707] - kvm-tests-vmstate-static-checker-remove-Subsections.patch [bz#1118707] - kvm-tests-vmstate-static-checker-add-substructure-for-us.patch [bz#1118707] - kvm-tests-vmstate-static-checker-add-size-mismatch-insid.patch [bz#1118707] - kvm-aio-fix-qemu_bh_schedule-bh-ctx-race-condition.patch [bz#1116728] - kvm-block-Improve-driver-whitelist-checks.patch [bz#999789] - kvm-vmdk-Fix-format-specific-information-create-type-for.patch [bz#1029271] - kvm-virtio-pci-Report-an-error-when-msix-vectors-init-fa.patch [bz#1095645] - kvm-scsi-Report-error-when-lun-number-is-in-use.patch [bz#1096576] - kvm-util-Split-out-exec_dir-from-os_find_datadir.patch [bz#1017685] - kvm-rules.mak-fix-obj-to-a-real-relative-path.patch [bz#1017685] - kvm-rules.mak-allow-per-object-cflags-and-libs.patch [bz#1017685] - kvm-block-use-per-object-cflags-and-libs.patch [bz#1017685] - kvm-vmdk-Fix-creating-big-description-file.patch [bz#1039791] - Resolves: bz#1017685 (Gluster etc. should not be a dependency of vscclient and libcacard) - Resolves: bz#1029271 (Format specific information (create type) was wrong when create it specified subformat='streamOptimized') - Resolves: bz#1039791 (qemu-img creates truncated VMDK image with subformat=twoGbMaxExtentFlat) - Resolves: bz#1095645 (vectors of virtio-scsi-pci will be 0 when set vectors>=129) - Resolves: bz#1096576 (QEMU core dumped when boot up two scsi-hd disk on the same virtio-scsi-pci controller in Intel host) - Resolves: bz#1116728 (Backport qemu_bh_schedule() race condition fix) - Resolves: bz#1118707 (VMstate static checker: backport -dump-vmstate feature to export json-encoded vmstate info) - Resolves: bz#990724 (qemu-kvm failing when invalid machine type is provided) - Resolves: bz#999789 (qemu should give a more friendly prompt when didn't specify read-only for VMDK format disk) [1.5.3-66.el7] - kvm-xhci-fix-overflow-in-usb_xhci_post_load.patch [bz#1074219] - kvm-migration-qmp_migrate-keep-working-after-syntax-erro.patch [bz#1086598] - kvm-seccomp-add-shmctl-mlock-and-munlock-to-the-syscall-.patch [bz#1026314] - kvm-exit-when-no-kvm-and-vcpu-count-160.patch [bz#1076326] - kvm-Disallow-outward-migration-while-awaiting-incoming-m.patch [bz#1086987] - kvm-block-Ignore-duplicate-or-NULL-format_name-in-bdrv_i.patch [bz#1088695 bz#1093983] - kvm-block-vhdx-account-for-identical-header-sections.patch [bz#1097020] - kvm-aio-Fix-use-after-free-in-cancellation-path.patch [bz#1095877] - kvm-scsi-disk-Improve-error-messager-if-can-t-get-versio.patch [bz#1021788] - kvm-scsi-Improve-error-messages-more.patch [bz#1021788] - kvm-memory-Don-t-call-memory_region_update_coalesced_ran.patch [bz#1096645] - kvm-kvmclock-Ensure-time-in-migration-never-goes-backwar.patch [bz#1098602] - kvm-kvmclock-Ensure-proper-env-tsc-value-for-kvmclock_cu.patch [bz#1098602] - Resolves: bz#1021788 (the error message 'scsi generic interface too old' is wrong more often than not) - Resolves: bz#1026314 (qemu-kvm hang when use '-sandbox on'+'vnc'+'hda') - Resolves: bz#1074219 (qemu core dump when install a RHEL.7 guest(xhci) with migration) - Resolves: bz#1076326 (qemu-kvm does not quit when booting guest w/ 161 vcpus and '-no-kvm') - Resolves: bz#1086598 (migrate_cancel wont take effect on previouly wrong migrate -d cmd) - Resolves: bz#1086987 (src qemu crashed when starting migration in inmigrate mode) - Resolves: bz#1088695 (there are four 'gluster' in qemu-img supported format list) - Resolves: bz#1093983 (there are three 'nbd' in qemu-img supported format list) - Resolves: bz#1095877 (segmentation fault in qemu-kvm due to use-after-free of a SCSIGenericReq (host device pass-through)) - Resolves: bz#1096645 ([FJ7.0 Bug] RHEL7.0 guest attaching 150 or more virtio-blk disks fails to start up) - Resolves: bz#1097020 ([RFE] qemu-img: Add/improve Disk2VHD tools creating VHDX images) - Resolves: bz#1098602 (kvmclock: Ensure time in migration never goes backward (backport)) [1.5.3-65.el7] - kvm-Allow-mismatched-virtio-config-len.patch [bz#1113009] - Resolves: bz#1113009 (Migration failed with virtio-blk from RHEL6.5.0 host to RHEL7.0 host) [1.5.3-64.el7] - kvm-zero-initialize-KVM_SET_GSI_ROUTING-input.patch [bz#1098976] - kvm-skip-system-call-when-msi-route-is-unchanged.patch [bz#1098976] - Resolves: bz#1098976 (2x RHEL 5.10 VM running on RHEL 7 KVM have low TCP_STREAM throughput) [1.5.3-63.el7] - kvm-char-restore-read-callback-on-a-reattached-hotplug-c.patch [bz#1038914] - kvm-qcow2-Free-preallocated-zero-clusters.patch [bz#1052093] - kvm-qemu-iotests-Discard-preallocated-zero-clusters.patch [bz#1052093] - kvm-XBZRLE-Fix-qemu-crash-when-resize-the-xbzrle-cache.patch [bz#1066338] - kvm-Provide-init-function-for-ram-migration.patch [bz#1066338] - kvm-Init-the-XBZRLE.lock-in-ram_mig_init.patch [bz#1066338] - kvm-XBZRLE-Fix-one-XBZRLE-corruption-issues.patch [bz#1066338] - kvm-Count-used-RAMBlock-pages-for-migration_dirty_pages.patch [bz#1074913] - kvm-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch [bz#1095678] - kvm-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch [bz#1095690] - kvm-virtio-net-out-of-bounds-buffer-write-on-load.patch [bz#1095685] - kvm-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch [bz#1095695] - kvm-virtio-avoid-buffer-overrun-on-incoming-migration.patch [bz#1095738] - kvm-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095742] - kvm-virtio-validate-config_len-on-load.patch [bz#1095783] - kvm-virtio-validate-num_sg-when-mapping.patch [bz#1095766] - kvm-virtio-allow-mapping-up-to-max-queue-size.patch [bz#1095766] - kvm-usb-sanity-check-setup_index-setup_len-in-post_load.patch [bz#1095747] - kvm-usb-sanity-check-setup_index-setup_len-in-post_l2.patch [bz#1095747] - kvm-vmstate-reduce-code-duplication.patch [bz#1095716] - kvm-vmstate-add-VMS_MUST_EXIST.patch [bz#1095716] - kvm-vmstate-add-VMSTATE_VALIDATE.patch [bz#1095716] - kvm-hpet-fix-buffer-overrun-on-invalid-state-load.patch [bz#1095707] - kvm-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch [bz#1095716] - kvm-usb-fix-up-post-load-checks.patch [bz#1096829] - kvm-qcow-correctly-propagate-errors.patch [bz#1097230] - kvm-qcow1-Make-padding-in-the-header-explicit.patch [bz#1097230] - kvm-qcow1-Check-maximum-cluster-size.patch [bz#1097230] - kvm-qcow1-Validate-L2-table-size-CVE-2014-0222.patch [bz#1097230] - kvm-qcow1-Validate-image-size-CVE-2014-0223.patch [bz#1097237] - kvm-qcow1-Stricter-backing-file-length-check.patch [bz#1097237] - Resolves: bz#1038914 (Guest can't receive any character transmitted from host after hot unplugging virtserialport then hot plugging again) - Resolves: bz#1052093 (qcow2 corruptions (leaked clusters after installing a rhel7 guest using virtio_scsi)) - Resolves: bz#1066338 (Reduce the migrate cache size during migration causes qemu segment fault) - Resolves: bz#1074913 (migration can not finish with 1024k 'remaining ram' left after hotunplug 4 nics) - Resolves: bz#1095678 (CVE-2013-4148 qemu-kvm: qemu: virtio-net: buffer overflow on invalid state load [rhel-7.1]) - Resolves: bz#1095685 (CVE-2013-4149 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on load [rhel-7.1]) - Resolves: bz#1095690 (CVE-2013-4150 qemu-kvm: qemu: virtio-net: out-of-bounds buffer write on invalid state load [rhel-7.1]) - Resolves: bz#1095695 (CVE-2013-4151 qemu-kvm: qemu: virtio: out-of-bounds buffer write on invalid state load [rhel-7.1]) - Resolves: bz#1095707 (CVE-2013-4527 qemu-kvm: qemu: hpet: buffer overrun on invalid state load [rhel-7.1]) - Resolves: bz#1095716 (CVE-2013-4529 qemu-kvm: qemu: hw/pci/pcie_aer.c: buffer overrun on invalid state load [rhel-7.1]) - Resolves: bz#1095738 (CVE-2013-6399 qemu-kvm: qemu: virtio: buffer overrun on incoming migration [rhel-7.1]) - Resolves: bz#1095742 (CVE-2013-4542 qemu-kvm: qemu: virtio-scsi: buffer overrun on invalid state load [rhel-7.1]) - Resolves: bz#1095747 (CVE-2013-4541 qemu-kvm: qemu: usb: insufficient sanity checking of setup_index+setup_len in post_load [rhel-7.1]) - Resolves: bz#1095766 (CVE-2013-4535 CVE-2013-4536 qemu-kvm: qemu: virtio: insufficient validation of num_sg when mapping [rhel-7.1]) - Resolves: bz#1095783 (CVE-2014-0182 qemu-kvm: qemu: virtio: out-of-bounds buffer write on state load with invalid config_len [rhel-7.1]) - Resolves: bz#1096829 (CVE-2014-3461 qemu-kvm: Qemu: usb: fix up post load checks [rhel-7.1]) - Resolves: bz#1097230 (CVE-2014-0222 qemu-kvm: Qemu: qcow1: validate L2 table size to avoid integer overflows [rhel-7.1]) - Resolves: bz#1097237 (CVE-2014-0223 qemu-kvm: Qemu: qcow1: validate image size to avoid out-of-bounds memory access [rhel-7.1]) [1.5.3-62.el7] - kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch [bz#1094285] - Resolves: bz#1094285 (Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.) [1.5.3-61.el7] - kvm-iscsi-fix-indentation.patch [bz#1083413] - kvm-iscsi-correctly-propagate-errors-in-iscsi_open.patch [bz#1083413] - kvm-block-iscsi-query-for-supported-VPD-pages.patch [bz#1083413] - kvm-block-iscsi-fix-segfault-if-writesame-fails.patch [bz#1083413] - kvm-iscsi-recognize-invalid-field-ASCQ-from-WRITE-SAME-c.patch [bz#1083413] - kvm-iscsi-ignore-flushes-on-scsi-generic-devices.patch [bz#1083413] - kvm-iscsi-always-query-max-WRITE-SAME-length.patch [bz#1083413] - kvm-iscsi-Don-t-set-error-if-already-set-in-iscsi_do_inq.patch [bz#1083413] - kvm-iscsi-Remember-to-set-ret-for-iscsi_open-in-error-ca.patch [bz#1083413] - kvm-qemu_loadvm_state-shadow-SeaBIOS-for-VM-incoming-fro.patch [bz#1027565] - kvm-uhci-UNfix-irq-routing-for-RHEL-6-machtypes-RHEL-onl.patch [bz#1085701] - kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch [bz#1087980] - Resolves: bz#1027565 (fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host) - Resolves: bz#1083413 (qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400)) - Resolves: bz#1085701 (Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device) - Resolves: bz#1087980 (CVE-2014-2894 qemu-kvm: QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART [rhel-7.1]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3640 CVE-2014-7815 CVE-2014-7840 CVE-2014-8106 Oracle Linux 7 libabw [0.0.2-1] - new upstream release 0.0.2 - generate man pages for the tools [0.0.1-1] - new upstream release libcmis [0.4.1-5] - Related: rhbz#1132065 coverity: fix mismatching exceptions [0.4.1-4] - a few use-after-free fixes for the C wrapper [0.4.1-3] - Resolves: rhbz#1132065 rebase to 0.4.1 libetonyek [0.0.4-2] - Related: rhbz#1130553 fix coverity issue [0.0.4-1] - new upstream release [0.0.3-2] - generate man pages [0.0.3-1] - new release [0.0.2-1] - new release [0.0.1-1] - new release libfreehand [0.0.0-3] - fix memory leak [0.0.0-2] - add gperf to BuildRequires [0.0.0-1] - initial import liblangtag [0.5.4-8] - Related: rhbz#1132077 really resolve multilib conflict in -devel [0.5.4-7] - Related: rhbz#1132077 resolve multilib conflict in -devel [0.5.4-6] - Related: rhbz#1132077 add explicit dep on -gobject to -devel [0.5.4-5] - split GObject introspection files out of main package [0.5.3-1] - Resolves: rhbz#1132077 rebase to 0.5.4 libmwaw [0.2.0-4] - Resolves: rhbz#1132070 rebase to 0.2.0 libodfgen [0.0.4-1] - Resolves: rhbz#1132072 rebase to 0.0.4 libreoffice [1:4.2.6.3-5] - Resolves: rhbz#1098973 crash on exit [1:4.2.6.3-4] - Resolves: rhbz#1111216 LibreOffice Calc: PDF export of an empty document fails with Write Error [1:4.2.6.3-3] - CVE-2014-3693: Disable sdremote by default and improve flow control [1:4.2.6.3-2] - Related: rhbz#1119709 port LibreOffice to aarch64 [1:4.2.6.3-1] - Resolves: rhbz#1119709 rebase to 4.2.6 [1:4.1.4.2-4] - Resolves: rhbz#1125588 port LibreOffice to ppc64le mdds [0.10.3-1] - Resolves: rhbz#1132069 rebase to 0.10.3 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-0247 CVE-2014-3575 CVE-2014-3693 Oracle Linux 7 [1.3.3.1-13] - release 1.3.3.1-13 - Resolves: bug 1183655 - Fixed Covscan FORWARD_NULL defects (DS 47988) [1.3.3.1-12] - release 1.3.3.1-12 - Resolves: bug 1182477 - Windows Sync accidentally cleared raw_entry (DS 47989) - Resolves: bug 1180325 - upgrade script fails if /etc and /var are on different file systems (DS 47991 ) - Resolves: bug 1183655 - Schema learning mechanism, in replication, unable to extend an existing definition (DS 47988) [1.3.3.1-11] - release 1.3.3.1-11 - Resolves: bug 1080186 - During delete operation do not refresh cache entry if it is a tombstone (DS 47750) [1.3.3.1-10] - release 1.3.3.1-10 - Resolves: bug 1172731 - CVE-2014-8112 password hashing bypassed when 'nsslapd-unhashed-pw-switch' is set to off - Resolves: bug 1166265 - DS hangs during online total update (DS 47942) - Resolves: bug 1168151 - CVE-2014-8105 information disclosure through 'cn=changelog' subtree - Resolves: bug 1044170 - Allow memberOf suffixes to be configurable (DS 47526) - Resolves: bug 1171356 - Bind DN tracking unable to write to internalModifiersName without special permissions (DS 47950) - Resolves: bug 1153737 - logconv.pl -- support parsing/showing/reporting different protocol versions (DS 47949) - Resolves: bug 1171355 - start dirsrv after chrony on RHEL7 and Fedora (DS 47947) - Resolves: bug 1170707 - cos_cache_build_definition_list does not stop during server shutdown (DS 47967) - Resolves: bug 1170708 - COS memory leak when rebuilding the cache (DS - Ticket 47969) - Resolves: bug 1170709 - Account lockout attributes incorrectly updated after failed SASL Bind (DS 47970) - Resolves: bug 1166260 - cookie_change_info returns random negative number if there was no change in a tree (DS 47960) - Resolves: bug 1012991 - Error log levels not displayed correctly (DS 47636) - Resolves: bug 1108881 - rsearch filter error on any search filter (DS 47722) - Resolves: bug 994690 - Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart (DS 47451) - Resolves: bug 1162997 - Running a plugin task can crash the server (DS 47451) - Resolves: bug 1166252 - RHEL7.1 ns-slapd segfault when ipa-replica-install restarts (DS 47451) - Resolves: bug 1172597 - Crash if setting invalid plugin config area for MemberOf Plugin (DS 47525) - Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47965) [1.3.3.1-9] - release 1.3.3.1-9 - Resolves: bug 1153737 - Disable SSL v3, by default. (DS 47928) - Resolves: bug 1163461 - Should not check aci syntax when deleting an aci (DS 47953) [1.3.3.1-8] - release 1.3.3.1-8 - Resolves: bug 1156607 - Crash in entry_add_present_values_wsi_multi_valued (DS 47937) - Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928, DS 47945, DS 47948) - Resolves: bug 1158804 - Malformed cookie for LDAP Sync makes DS crash (DS 47939) [1.3.3.1-7] - release 1.3.3.1-7 - Resolves: bug 1153737 - Disable SSL v3, by default (DS 47928) [1.3.3.1-6] - release 1.3.3.1-6 - Resolves: bug 1151287 - dynamically added macro aci is not evaluated on the fly (DS 47922) - Resolves: bug 1080186 - Need to move slapi_pblock_set(pb, SLAPI_MODRDN_EXISTING_ENTRY, original_entry->ep_entry) prior to original_entry overwritten (DS 47897) - Resolves: bug 1150694 - Encoding of SearchResultEntry is missing tag (DS 47920) - Resolves: bug 1150695 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails. (DS 47919) - Resolves: bug 1139882 - Fix remaining compiler warnings (DS 47892) - Resolves: bug 1150206 - result of dna_dn_is_shared_config is incorrectly used (DS 47918) [1.3.3.1-5] - release 1.3.3.1-5 - Resolves: bug 1139882 - coverity defects found in 1.3.3.x (DS 47892) [1.3.3.1-4] - release 1.3.3.1-4 - Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47750) - Resolves: bug 1145846 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server (DS 47908) - Resolves: bug 1117979 - harden the list of ciphers available by default (phase 2) (DS 47838) - provide enabled ciphers as search result (DS 47880) [1.3.3.1-3] - release 1.3.3.1-3 - Resolves: bug 1139882 - coverity defects found in 1.3.3.1 [1.3.3.1-2] - release 1.3.3.1-2 - Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check (DS 47748) - Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47834) - Resolves: bug 1139882 - coverity defects found in 1.3.3.1 (DS 47890) - Resolves: bug 1112702 - Broken dereference control with the FreeIPA 4.0 ACIs (DS 47885 - deref plugin should not return references with noc access rights) - Resolves: bug 1117979 - harden the list of ciphers available by default (DS 47838, DS 47895) - Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing (DS 47889 - DS crashed during ipa-server-install on test_ava_filter) [1.3.3.1-1] - release 1.3.3.1-1 - Resolves: bug 746646 - RFE: easy way to configure which users and groups to sync with winsync - Resolves: bug 881372 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts. - Resolves: bug 920597 - Possible to add invalid ACI value - Resolves: bug 921162 - Possible to add nonexistent target to ACI - Resolves: bug 923799 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message. - Resolves: bug 924937 - Attribute 'dsOnlyMemberUid' not allowed when syncing nested posix groups from AD with posixWinsync - Resolves: bug 951754 - Self entry access ACI not working properly - Resolves: bug 952517 - Dirsrv instance failed to start with Segmentation fault (core dump) after modifying 7-bit check plugin - Resolves: bug 952682 - nsslapd-db-transaction-batch-val turns to -1 - Resolves: bug 966443 - Plugin library path validation - Resolves: bug 975176 - Non-directory manager can change the individual userPassword's storage scheme - Resolves: bug 979465 - IPA replica's - 'SASL encrypted packet length exceeds maximum allowed limit' - Resolves: bug 982597 - Some attributes in cn=config should not be multivalued - Resolves: bug 987009 - 389-ds-base - shebang with /usr/bin/env - Resolves: bug 994690 - RFE: Allow dynamically adding/enabling/disabling/removing plugins without requiring a server restart - Resolves: bug 1012991 - errorlog-level 16384 is listed as 0 in cn=config - Resolves: bug 1013736 - Enabling/Disabling DNA plug-in throws 'ldap_modify: Server Unwilling to Perform (53)' error - Resolves: bug 1014380 - setup-ds.pl doesn't lookup the 'root' group correctly - Resolves: bug 1020459 - rsa_null_sha should not be enabled by default - Resolves: bug 1024541 - start dirsrv after ntpd - Resolves: bug 1029959 - Managed Entries betxnpreoperation - transaction not aborted upon failure to create managed entry - Resolves: bug 1031216 - add dbmon.sh - Resolves: bug 1044133 - Indexed search with filter containing '&' and '!' with attribute subtypes gives wrong result - Resolves: bug 1044134 - should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default - Resolves: bug 1044135 - make connection buffer size adjustable - Resolves: bug 1044137 - posix winsync should support ADD user/group entries from DS to AD - Resolves: bug 1044138 - mep_pre_op: Unable to fetch origin entry - Resolves: bug 1044139 - [RFE] Support RFC 4527 Read Entry Controls - Resolves: bug 1044140 - Allow search to look up 'in memory RUV' - Resolves: bug 1044141 - MMR stress test with dna enabled causes a deadlock - Resolves: bug 1044142 - winsync doesn't sync DN valued attributes if DS DN value doesn't exist - Resolves: bug 1044143 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change - Resolves: bug 1044144 - resurrected entry is not correctly indexed - Resolves: bug 1044146 - Add a warning message when a connection hits the max number of threads - Resolves: bug 1044147 - 7-bit check plugin does not work for userpassword attribute - Resolves: bug 1044148 - The backend name provided to bak2db is not validated - Resolves: bug 1044149 - Winsync should support range retrieval - Resolves: bug 1044150 - 7-bit checking is not necessary for userPassword - Resolves: bug 1044151 - With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports - Resolves: bug 1044152 - ChainOnUpdate: 'cn=directory manager' can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised. - Resolves: bug 1044153 - mods optimizer - Resolves: bug 1044154 - multi master replication allows schema violation - Resolves: bug 1044156 - DS crashes with some 7-bit check plugin configurations - Resolves: bug 1044157 - Some updates of 'passwordgraceusertime' are useless when updating 'userpassword' - Resolves: bug 1044159 - [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533 - Resolves: bug 1044160 - remove-ds.pl should remove /var/lock/dirsrv - Resolves: bug 1044162 - enhance retro changelog - Resolves: bug 1044163 - updates to ruv entry are written to retro changelog - Resolves: bug 1044164 - Password administrators should be able to violate password policy - Resolves: bug 1044168 - Schema replication between DS versions may overwrite newer base schema - Resolves: bug 1044169 - ACIs do not allow attribute subtypes in targetattr keyword - Resolves: bug 1044170 - Allow memberOf suffixes to be configurable - Resolves: bug 1044171 - Allow referential integrity suffixes to be configurable - Resolves: bug 1044172 - Plugin library path validation prevents intentional loading of out-of-tree modules - Resolves: bug 1044173 - make referential integrity configuration more flexible - Resolves: bug 1044177 - allow configuring changelog trim interval - Resolves: bug 1044179 - objectclass may, must lists skip rest of objectclass once first is found in sup - Resolves: bug 1044180 - memberOf on a user is converted to lowercase - Resolves: bug 1044181 - report unindexed internal searches - Resolves: bug 1044183 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added - Resolves: bug 1044185 - dbscan on entryrdn should show all matching values - Resolves: bug 1044187 - logconv.pl - RFE - add on option for a minimum etime for unindexed search stats - Resolves: bug 1044188 - Recognize compressed log files - Resolves: bug 1044191 - support TLSv1.1 and TLSv1.2, if supported by NSS - Resolves: bug 1044193 - default nsslapd-sasl-max-buffer-size should be 2MB - Resolves: bug 1044194 - Complex filter in a search request doen't work as expected. - Resolves: bug 1044196 - Automember plug-in should treat MODRDN operations as ADD operations - Resolves: bug 1044198 - Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset - Resolves: bug 1044202 - db2bak.pl issue when specifying non-default directory - Resolves: bug 1044203 - Allow referint plugin to use an alternate config area - Resolves: bug 1044205 - Allow memberOf to use an alternate config area - Resolves: bug 1044210 - idl switch does not work - Resolves: bug 1044211 - make old-idl tunable - Resolves: bug 1044212 - IDL-style can become mismatched during partial restoration - Resolves: bug 1044213 - backend performance - introduce optimization levels - Resolves: bug 1044215 - using transaction batchval violates durability - Resolves: bug 1044216 - examine replication code to reduce amount of stored state information - Resolves: bug 1048980 - 7-bit check plugin not checking MODRDN operation - Resolves: bug 1049030 - Windows Sync group issues - Resolves: bug 1052751 - Page control does not work if effective rights control is specified - Resolves: bug 1052754 - Allow nsDS5ReplicaBindDN to be a group DN - Resolves: bug 1057803 - logconv errors when search has invalid bind dn - Resolves: bug 1060032 - [RFE] Update lastLoginTime also in Account Policy plugin if account lockout is based on passwordExpirationTime. - Resolves: bug 1061060 - betxn: retro changelog broken after cancelled transaction - Resolves: bug 1061572 - improve dbgen rdn generation, output and man page. - Resolves: bug 1063990 - single valued attribute replicated ADD does not work - Resolves: bug 1064006 - Size returned by slapi_entry_size is not accurate - Resolves: bug 1064986 - Replication retry time attributes cannot be added - Resolves: bug 1067090 - Missing warning for invalid replica backoff configuration - Resolves: bug 1072032 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53 - Resolves: bug 1074306 - Under heavy stress, failure of turning a tombstone into glue makes the server hung - Resolves: bug 1074447 - Part of DNA shared configuration is deleted after server restart - Resolves: bug 1076729 - Continuous add/delete of an entry in MMR setup causes entryrdn-index conflict - Resolves: bug 1077884 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf - Resolves: bug 1077897 - Memory leak with proxy auth control - Resolves: bug 1079099 - Simultaneous adding a user and binding as the user could fail in the password policy check - Resolves: bug 1080186 - Creating a glue fails if one above level is a conflict or missing - Resolves: bug 1082967 - attribute uniqueness plugin fails when set as a chaining component - Resolves: bug 1085011 - Directory Server crash reported from reliab15 execution - Resolves: bug 1086890 - empty modify returns LDAP_INVALID_DN_SYNTAX - Resolves: bug 1086902 - mem leak in do_bind when there is an error - Resolves: bug 1086904 - mem leak in do_search - rawbase not freed upon certain errors - Resolves: bug 1086908 - Performing deletes during tombstone purging results in operation errors - Resolves: bug 1090178 - #481 breaks possibility to reassemble memberuid list - Resolves: bug 1092099 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone - Resolves: bug 1092342 - nsslapd-ndn-cache-max-size accepts any invalid value. - Resolves: bug 1092648 - Negative value of nsSaslMapPriority is not reset to lowest priority - Resolves: bug 1097004 - Problem with deletion while replicated - Resolves: bug 1098654 - db2bak.pl error with changelogdb - Resolves: bug 1099654 - Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator. - Resolves: bug 1108405 - find a way to remove replication plugin errors messages 'changelog iteration code returned a dummy entry with csn %s, skipping ...' - Resolves: bug 1108407 - managed entry plugin fails to update managed entry pointer on modrdn operation - Resolves: bug 1108865 - memory leak in ldapsearch filter objectclass=* - Resolves: bug 1108870 - ACI warnings in error log - Resolves: bug 1108872 - Logconv.pl with an empty access log gives lots of errors - Resolves: bug 1108874 - logconv.pl memory continually grows - Resolves: bug 1108881 - rsearch filter error on any search filter - Resolves: bug 1108895 - [RFE - RHDS9] CLI report to monitor replication - Resolves: bug 1108902 - rhds91 389-ds-base-1.2.11.15-31.el6_5.x86_64 crash in db4 __dbc_get_pp env = 0x0 ? - Resolves: bug 1108909 - single valued attribute replicated ADD does not work - Resolves: bug 1109334 - 389 Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled. - Resolves: bug 1109336 - Parent numsubordinate count can be incorrectly updated if an error occurs - Resolves: bug 1109339 - Nested tombstones become orphaned after purge - Resolves: bug 1109354 - Tombstone purging can crash the server if the backend is stopped/disabled - Resolves: bug 1109357 - Coverity issue in 1.3.3 - Resolves: bug 1109364 - valgrind - value mem leaks, uninit mem usage - Resolves: bug 1109375 - provide default syntax plugin - Resolves: bug 1109378 - Environment variables are not passed when DS is started via service - Resolves: bug 1111364 - Updating winsync one-way sync does not affect the behaviour dynamically - Resolves: bug 1112824 - Broken dereference control with the FreeIPA 4.0 ACIs - Resolves: bug 1113605 - server restart wipes out index config if there is a default index - Resolves: bug 1115177 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro - Resolves: bug 1117021 - Server deadlock if online import started while server is under load - Resolves: bug 1117975 - paged results control is not working in some cases when we have a subsuffix. - Resolves: bug 1117979 - harden the list of ciphers available by default - Resolves: bug 1117981 - Fix various typos in manpages & code - Resolves: bug 1117982 - Fix hyphens used as minus signed and other manpage mistakes - Resolves: bug 1118002 - server crashes deleting a replication agreement - Resolves: bug 1118006 - RFE - forcing passwordmustchange attribute by non-cn=directory manager - Resolves: bug 1118007 - [RFE] Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords - Resolves: bug 1118014 - Enhance ACIs to have more control over MODRDN operations - Resolves: bug 1118021 - Return all attributes in rootdse without explicit request - Resolves: bug 1118025 - Slow ldapmodify operation time for large quantities of multi-valued attribute values - Resolves: bug 1118032 - Schema Replication Issue - Resolves: bug 1118034 - 389 DS Server crashes and dies while handles paged searches from clients - Resolves: bug 1118043 - Failed deletion of aci: no such attribute - Resolves: bug 1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed. - Resolves: bug 1118051 - Add switch to disable pre-hashed password checking - Resolves: bug 1118054 - Make ldbm_back_seq independently support transactions - Resolves: bug 1118055 - Add operations rejected by betxn plugins remain in cache - Resolves: bug 1118057 - online import crashes server if using verbose error logging - Resolves: bug 1118059 - add fixup-memberuid.pl script - Resolves: bug 1118060 - winsync plugin modify is broken - Resolves: bug 1118066 - memberof scope: allow to exclude subtrees - Resolves: bug 1118069 - 389-ds production segfault: __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:144 - Resolves: bug 1118074_DELETE_FN - plugin returned error' messages - Resolves: bug 1118076 - ds logs many 'Operation error fetching Null DN' messages - Resolves: bug 1118077 - Improve import logging and abort handling - Resolves: bug 1118079 - Multi master replication initialization incomplete after restore of one master - Resolves: bug 1118080 - Don't add unhashed password mod if we don't have an unhashed value - Resolves: bug 1118081 - Investigate betxn plugins to ensure they return the correct error code - Resolves: bug 1118082 - The error result text message should be obtained just prior to sending result - Resolves: bug 1123865 - CVE-2014-3562 389-ds-base: 389-ds: unauthenticated information disclosure [rhel-7.1] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8105 CVE-2014-8112 Oracle Linux 7 [6.6.1p1-11 + 0.9.3-9] - fix direction in CRYPTO_SESSION audit message (#1171248) [6.6.1p1-10 + 0.9.3-9] - add new option GSSAPIEnablek5users and disable using ~/.k5users by default CVE-2014-9278 (#1169843) [6.6.1p1-9 + 0.9.3-9] - log via monitor in chroots without /dev/log (#1083482) [6.6.1p1-8 + 0.9.3-9] - increase size of AUDIT_LOG_SIZE to 256 (#1171163) - record pfs= field in CRYPTO_SESSION audit event (#1171248) [6.6.1p1-7 + 0.9.3-9] - fix gsskex patch to correctly handle MONITOR_REQ_GSSSIGN request (#1118005) [6.6.1p1-6 + 0.9.3-9] - correct the calculation of bytes for authctxt->krb5_ccname <ams@corefiling.com> (#1161073) [6.6.1p1-5 + 0.9.3-9] - change audit trail for unknown users (#1158521) [6.6.1p1-4 + 0.9.3-9] - revert the default of KerberosUseKuserok back to yes - fix kuserok patch which checked for the existence of .k5login unconditionally and hence prevented other mechanisms to be used properly [6.6.1p1-3 + 0.9.3-9] - fix parsing empty options in sshd_conf - ignore SIGXFSZ in postauth monitor [6.6.1p1-2 + 0.9.3-9] - slightly change systemd units logic - use sshd-keygen.service (#1066615) - log when a client requests an interactive session and only sftp is allowed (#1130198) - sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode (#1143867) [6.6.1p1-1 + 0.9.3-9] - new upstream release (#1059667) - prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338) - make /etc/ssh/moduli file public (#1134448) - test existence of /etc/ssh/ssh_host_ecdsa_key in sshd-keygen.service - don't clean up gssapi credentials by default (#1134447) - ssh-agent - try CLOCK_BOOTTIME with fallback (#1134449) - disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6 - add support for ED25519 keys to sshd-keygen and sshd.sysconfig - standardise on NI_MAXHOST for gethostname() string lengths (#1097665) - set a client's address right after a connection is set (mindrot#2257) (#912792) - apply RFC3454 stringprep to banners when possible (mindrot#2058) (#1104662) - don't consider a partial success as a failure (mindrot#2270) (#1112972) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-2653 CVE-2014-9278 Oracle Linux 7 [1.12.2-14] - fix for kinit -C loops (#1184629, MIT/krb5 issue 243, 'Do not loop on principal unknown errors'). [1.12.2-13] - fix for CVE-2014-5352 (#1179856) 'gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)' - fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)' - fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)' - fix for CVE-2014-9423 (#1179863) 'libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)' [1.12.2-12] - fix for CVE-2014-5354 (#1174546) 'krb5: NULL pointer dereference when using keyless entries' [1.12.2-11] - fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy name crash' [1.12.2-10] - In ksu, without the -e flag, also check .k5users (#1105489) When ksu was explicitly told to spawn a shell, a line in .k5users which listed '*' as the allowed command would cause the principal named on the line to be considered as a candidate for authentication. When ksu was not passed a command to run, which implicitly meant that the invoking user wanted to run the target user's login shell, knowledge that the principal was a valid candidate was ignored, which could cause a less optimal choice of the default target principal. This doesn't impact the authorization checks which we perform later. Patch by Nalin Dahyabhai <nalin@redhat.com> [1.12.2-9] - Undo libkadmclnt SONAME change (from 8 to 9) which originally happened in the krb5 1.12 rebase (#1166012) but broke rubygem-rkerberos (sort of ruby language bindings for libkadmclnt&co.) dependicies, as side effect of rubygem-rkerberos using private interfaces in libkadmclnt. [1.12.2-8] - fix the problem where the %license file has been a dangling symlink - ksu: pull in fix from pull #206 to avoid breakage when the default_ccache_name doesn't include a cache type as a prefix - ksu: pull in a proposed fix for pull #207 to avoid breakage when the invoking user doesn't already have a ccache [1.12.2-7] - pull in patch from master to load plugins with RTLD_NODELETE, when defined (RT#7947) [1.12.2-6] - backport patch to make the client skip checking the server's reply address when processing responses to password-change requests, which between NAT and upcoming HTTPS support, can cause us to erroneously report an error to the user when the server actually reported success (RT#7886) - backport support for accessing KDCs and kpasswd services via HTTPS proxies (marked by being specified as https URIs instead as hostnames or hostname-and-port), such as the one implemented in python-kdcproxy (RT#7929, #109919), and pick up a subsequent patch to build HTTPS as a plugin [1.12.2-5] - backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1078888) - define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that it's declared (#1059730,#1084068,#1109102) [1.12.2-4] - kpropd hasn't bothered with -S since 1.11; stop trying to use that flag in the systemd unit file [1.12.2-3] - pull in upstream fix for an incorrect check on the value returned by a strdup() call (#1132062) [1.12.1-15] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild [1.12.2-2] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild [1.12.2-1] - update to 1.12.2 - drop patch for RT#7820, fixed in 1.12.2 - drop patch for #231147, fixed as RT#3277 in 1.12.2 - drop patch for RT#7818, fixed in 1.12.2 - drop patch for RT#7836, fixed in 1.12.2 - drop patch for RT#7858, fixed in 1.12.2 - drop patch for RT#7924, fixed in 1.12.2 - drop patch for RT#7926, fixed in 1.12.2 - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2 - drop patch for CVE-2014-4343, included in 1.12.2 - drop patch for CVE-2014-4344, included in 1.12.2 - drop patch for CVE-2014-4345, included in 1.12.2 - replace older proposed changes for ksu with backports of the changes after review and merging upstream (#1015559, #1026099, #1118347) [1.12.1-14] - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) [1.12.1-13] - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344) [1.12.1-12] - gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1117963) [1.12.1-11] - fix license handling [1.12.1-10] - pull in fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1116181) [1.12.1-9] - pull in changes from upstream which add processing of the contents of /etc/gss/mech.d/*.conf when loading GSS modules (#1102839) [1.12.1-8] - pull in fix for building against tcl 8.6 (#1107061) [1.12.1-7] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild [1.12.1-6] - Backport fix for change password requests when using FAST (RT#7868) [1.12.1-5] - spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator doesn't get confused (#1066000, RT#7858) [1.12.1-4] - pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more of #1040056 as #1063905) - add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time - own /var/run/krb5kdc [1.12.1-3] - refresh nss_wrapper and add socket_wrapper to the %check environment * Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - add currently-proposed changes to teach ksu about credential cache collections and the default_ccache_name setting (#1015559,#1026099) [1.12.1-2] - pull in multiple changes to allow replay caches to be added to a GSS credential store as 'rcache'-type credentials (RT#7818/#7819/#7836, [1.12.1-1] - update to 1.12.1 - drop patch for RT#7794, included now - drop patch for RT#7797, included now - drop patch for RT#7803, included now - drop patch for RT#7805, included now - drop patch for RT#7807, included now - drop patch for RT#7045, included now - drop patches for RT#7813 and RT#7815, included now - add patch to always retrieve the KDC time offsets from keyring caches, so that we don't mistakenly interpret creds as expired before their time when our clock is ahead of the KDC's (RT#7820, #1030607) [1.12-11] - update the PIC patch for iaesx86.s to not use ELF relocations to the version that landed upstream (RT#7815, #1045699) * Thu Jan 09 2014 Nalin Dahyabhai <nalin@redhat.com> - pass -Wl,--warn-shared-textrel to the compiler when we're creating shared libraries [1.12-10] - amend the PIC patch for iaesx86.s to also save/restore ebx in the functions where we modify it, because the ELF spec says we need to [1.12-9] - grab a more-commented version of the most recent patch from upstream master - make a guess at making the 32-bit AES-NI implementation sufficiently position-independent to not require execmod permissions for libk5crypto (more of #1045699) [1.12-8] - add patch from Dhiru Kholia for the AES-NI implementations to allow libk5crypto to be properly marked as not needing an executable stack on arches where they're used (#1045699, and so many others) [1.12-7] - revert that last change for a bit while sorting out execstack when we use AES-NI (#1045699) [1.12-6] - add yasm as a build requirement for AES-NI support, on arches that have yasm and AES-NI [1.12-5] - pull in fix from master to make reporting of errors encountered by the SPNEGO mechanism work better (RT#7045, part of #1043962) * Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com> - update a test wrapper to properly handle things that the new libkrad does, and add python-pyrad as a build requirement so that we can run its tests [1.12-4] - revise previous patch to initialize one more element [1.12-3] - backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739) [1.12-2] - pull in fix from master to return a NULL pointer rather than allocating zero bytes of memory if we read a zero-length input token (RT#7794, part of - pull in fix from master to ignore an empty token from an acceptor if we've already finished authenticating (RT#7797, part of #1043962) - pull in fix from master to avoid a memory leak when a mechanism's init_sec_context function fails (RT#7803, part of #1043962) - pull in fix from master to avoid a memory leak in a couple of error cases which could occur while obtaining acceptor credentials (RT#7805, part of #1043962) [1.12-1] - update to 1.12 final [1.12-beta2.0] - update to beta2 - drop obsolete backports for storing KDC time offsets and expiration times in keyring credential caches [1.12-beta1.0] - rebase to master - update to beta1 - drop obsolete backport of fix for RT#7706 [1.11.4-2] - pull in fix to store KDC time offsets in keyring credential caches (RT#7768, - pull in fix to set expiration times on credentials stored in keyring credential caches (RT#7769, #1031724) [1.11.4-1] - update to 1.11.4 - drop patch for RT#7650, obsoleted - drop patch for RT#7706, obsoleted as RT#7723 - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-4341 CVE-2014-4344 CVE-2014-4345 CVE-2014-4342 CVE-2014-4343 CVE-2014-5352 CVE-2014-5353 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423 Oracle Linux 7 [4.1.0-18.0.1] - Replace login-screen-logo.png [20362818] - Drop subscription-manager requires for OL7 - Drop redhat-access-plugin-ipa requires for OL7 - Blank out header-logo.png product-name.png [4.1.0-18] - Fix ipa-pwd-extop global configuration caching (#1187342) - group-detach does not add correct objectclasses (#1187540) [4.1.0-17] - Wrong directories created on full restore (#1186398) - ipa-restore crashes if replica is unreachable (#1186396) - idoverrideuser-add option --sshpubkey does not work (#1185410) [4.1.0-16] - PassSync does not sync passwords due to missing ACIs (#1181093) - ipa-replica-manage list does not list synced domain (#1181010) - Do not assume certmonger is running in httpinstance (#1181767) - ipa-replica-manage disconnect fails without password (#1183279) - Put LDIF files to their original location in ipa-restore (#1175277) - DUA profile not available anonymously (#1184149) - IPA replica missing data after master upgraded (#1176995) [4.1.0-15] - Re-add accidentally removed patches for #1170695 and #1164896 [4.1.0-14] - IPA Replicate creation fails with error 'Update failed! Status: [10 Total update abortedLDAP error: Referral]' (#1166265) - running ipa-server-install --setup-dns results in a crash (#1072502) - DNS zones are not migrated into forward zones if 4.0+ replica is added (#1175384) - gid is overridden by uid in default trust view (#1168904) - When migrating warn user if compat is enabled (#1177133) - Clean up debug log for trust-add (#1168376) - No error message thrown on restore(full kind) on replica from full backup taken on master (#1175287) - ipa-restore proceed even IPA not configured (#1175326) - Data replication not working as expected after data restore from full backup (#1175277) - IPA externally signed CA cert expiration warning missing from log (#1178128) - ipa-upgradeconfig fails in CA-less installs (#1181767) - IPA certs fail to autorenew simultaneouly (#1173207) - More validation required on ipa-restore's options (#1176034) [4.1.0-13] - Expand the token auth/sync windows (#919228) - Access is not rejected for disabled domain (#1172598) - krb5kdc crash in ldap_pvt_search (#1170695) - RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) [4.1.0-12] - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible (#1169591) - CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) (#1172578) [4.1.0-11] - Throw zonemgr error message before installation proceeds (#1163849) - Winsync: Setup is broken due to incorrect import of certificate (#1169867) - Enable last token deletion when password auth type is configured (#919228) - ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) - add --hosts and --hostgroup options to allow/retrieve keytab methods (#1007367) - Extend host-show to add the view attribute in set of default attributes (#1168916) - Prefer TCP connections to UDP in krb5 clients (#919228) - [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) - webui: increase notification duration (#1171089) - RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) - RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert (#1170003) - Improve validation of --instance and --backend options in ipa-restore (#951581) - RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) - Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) [4.1.0-10] - Use NSS protocol range API to set available TLS protocols (#1156466) [4.1.0-9] - schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 build fails (#1167196) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - 'ipa trust-add ... ' cmd says : (Trust status: Established and verified) while in the logs we see 'WERR_ACCESS_DENIED' during verification step. (#1144121) - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server (#1156466) - Add support/hooks for a one-time password system like SecureID in IPA (#919228) - Tracebacks with latest build for --zonemgr cli option (#1167270) - ID Views: Support migration from the sync solution to the trust solution (#891984) [4.1.0-8] - Improve otptoken help messages (#919228) - Ensure users exist when assigning tokens to them (#919228) - Enable QR code display by default in otptoken-add (#919228) - Show warning instead of error if CA did not start (#1158410) - CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) - Traceback when adding zone with long name (#1164859) - Backup & Restore mechanism (#951581) - ignoring user attributes in migrate-ds does not work if uppercase characters are returned by ldap (#1159816) - Allow ipa-getkeytab to optionally fetch existing keys (#1007367) - Failure when installing on dual stacked system with external ca (#1128380) - ipa-server should keep backup of CS.cfg (#1059135) - Tracebacks with latest build for --zonemgr cli option (#1167270) - webui: use domain name instead of domain SID in idrange adder dialog (#891984) - webui: normalize idview tab labels (#891984) [4.1.0-7] - ipa-csreplica-manage connect fails (#1157735) - error message which is not understandable when IDNA2003 characters are present in --zonemgr (#1163849) - Fix warning message should not contain CLI commands (#1114013) - Renewing the CA signing certificate does not extend its validity period end (#1163498) - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd (#1159330) [4.1.0-6] - Fix: DNS installer adds invalid zonemgr email (#1056202) - ipaplatform: Use the dirsrv service, not target (#951581) - Fix: DNS policy upgrade raises asertion error (#1161128) - Fix upgrade referint plugin (#1161128) - Upgrade: fix trusts objectclass violationi (#1161128) - group-add doesn't accept gid parameter (#1149124) [4.1.0-5] - Update slapi-nis dependency to pull 0.54-2 (#891984) - ipa-restore: Don't crash if AD trust is not installed (#951581) - Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) - Trust setting not restored for CA cert with ipa-restore command (#1159011) - ipa-server-install fails when restarting named (#1162340) [4.1.0-4] - Update Requires on pki-ca to 10.1.2-4 (#1129558) - build: increase java stack size for all arches - Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) - Fix dns zonemgr validation regression (#1056202) - Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) - Do not wait for new CA certificate to appear in LDAP in ipa-certupdate (#886645) - Add bind-dyndb-ldap working dir to IPA specfile - Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage (#886645) - Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) - Deadlock in schema compat plugin (#1161131) - ipactl stop should stop dirsrv last (#1161129) - Upgrade 3.3.5 to 4.1 failed (#1161128) - CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) [4.1.0-3] - Do not check if port 8443 is available in step 2 of external CA install (#1129481) [4.1.0-2] - Update Requires on selinux-policy to 3.13.1-4 [4.1.0-1] - Update to upstream 4.1.0 (#1109726) [4.1.0-0.1.alpha1] - Update to upstream 4.1.0 Alpha 1 (#1109726) [4.0.3-3] - Add redhat-access-plugin-ipa dependency [4.0.3-2] - Re-enable otptoken_yubikey plugin [4.0.3-1] - Update to upstream 4.0.3 (#1109726) [3.3.3-29] - Server installation fails using external signed certificates with 'IndexError: list index out of range' (#1111320) - Add rhino to BuildRequires to fix Web UI build error MODERATE Copyright 2015 Oracle, Inc. CVE-2010-5312 CVE-2012-6662 Oracle Linux 7 clutter [1.14.4-12] - Include upstream patch to prevent a crash when hitting hardware limits Resolves: rhbz#1115162 [1.14.4-11] - Fix a typo in the Requires [1.14.4-10] - Add patch for quadbuffer stereo suppport Resolves: rhbz#1108891 cogl [1.14.1-6] - Add patches for quadbuffer stereo suppport Resolves: rhbz#1108890 [1.14.0-5.2] - Ensure the glBlitFramebuffer case is not hit for swrast, since that's still broken. gnome-shell [3.8.4-45] - Don't inform GDM about session changes that came from GDM Resolves: #1163474 [3.8.4-44] - If password authentication is disabled and smartcard authentication is enabled and smartcard isn't plugged in at start up, prompt user for smartcard Resolves: #1159385 [3.8.4-43] - Support long login banner messages more effectively Resolves: #1110036 [3.8.4-42] - Respect disk-writes lockdown setting Resolves: rhbz#1154122 [3.8.4-41] - Disallow consecutive screenshot requests to avoid an OOM situation Resolves: rhbz#1154107 [3.8.4-41] - Add option to limit app switcher to current workspace Resolves: rhbz#1101568 [3.8.4-40] - Try harder to use the default calendar application Resolves: rhbz#1052201 [3.8.4-40] - Update workspace switcher fix Resolves: rhbz#1092102 [3.8.4-39] - Validate screenshot parameters Resolves: rhbz#1104694 [3.8.4-38] - Fix shrinking workspace switcher Resolves: rhbz#1092102 [3.8.4-38] - Update fix for vertical monitor layouts to upstream fix Resolves: rhbz#1075240 [3.8.4-38] - Fix traceback introduced in 3.8.4-36 when unlocking via user switcher Related: #1101333 [3.8.4-37] - Fix problems with LDAP and disable-user-list=TRUE Resolves: rhbz#1137041 [3.8.4-36] - Fix login screen focus issue following idle Resolves: rhbz#1101333 [3.8.4-35] - Disallow cancel from login screen before login attempt has been initiated. Resolves: rhbz#1109530 [3.8.4-34] - Disallow cancel from login screen after login is already commencing. Resolves: rhbz#1079294 [3.8.4-33] - Add a patch for quadbuffer stereo suppport Resolves: rhbz#1108893 mutter [3.8.4.16] - Fix window placement regression Resolves: rhbz#1153641 [3.8.4-15] - Fix delayed mouse mode Resolves: rhbz#1149585 [3.8.4-14] - Preserve window placement on monitor changes Resolves: rhbz#1126754 [3.8.4-13] - Improve handling of vertical monitor layouts Resolves: rhbz#1108322 [3.8.4-13] - Add patches for quadbuffer stereo suppport Fix a bad performance problem drawing window thumbnails Resolves: rhbz#861507 LOW Copyright 2015 Oracle, Inc. CVE-2014-7300 Oracle Linux 6 [1.2.11.15-50] - Release 1.2.11.15-50 - Resolves: #1179099 - Problem with single value attribute MMR replication (DS 47915, DS 569) [1.2.11.15-49] - Release 1.2.11.15-49 - Resolves: #1180629 - CVE-2014-8105: information disclosure through 'cn=changelog' subtree - Resolves: #1179099 - Problem with single value attribute MMR replication (DS 47915) - Resolves: #1179595 - default nsslapd-sasl-max-buffer-size should be 2MB (DS 47457) - Resolves: #1179100 - ACI's are replaced by 'ACI_ALL' after editing goup of ACI's including invalid one (DS 47953) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8105 Oracle Linux 7 [31.5.0-2] - Update to 31.5.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0822 CVE-2015-0827 CVE-2015-0831 CVE-2015-0836 Oracle Linux 6 Oracle Linux 7 [32:9.9.4-18.1] - Fix CVE-2015-1349 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1349 Oracle Linux 6 [2.6.32-504.12.2] - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181173 1179327] {CVE-2014-8159} [2.6.32-504.12.1] - [fs] splice: perform generic write checks (Eric Sandeen) [1163798 1155900] {CVE-2014-7822} [2.6.32-504.11.1] - [virt] kvm: excessive pages un-pinning in kvm_iommu_map error path (Jacob Tanenbaum) [1156520 1156521] {CVE-2014-8369} - [x86] crypto: Add support for 192 & 256 bit keys to AESNI RFC4106 (Jarod Wilson) [1184332 1176211] - [block] nvme: Clear QUEUE_FLAG_STACKABLE (David Milburn) [1180555 1155715] - [net] netfilter: conntrack: disable generic tracking for known protocols (Daniel Borkmann) [1182071 1114697] {CVE-2014-8160} - [xen] pvhvm: Fix vcpu hotplugging hanging (Vitaly Kuznetsov) [1179343 1164278] - [xen] pvhvm: Don't point per_cpu(xen_vpcu, 33 and larger) to shared_info (Vitaly Kuznetsov) [1179343 1164278] - [xen] enable PVHVM VCPU placement when using more than 32 CPUs (Vitaly Kuznetsov) [1179343 1164278] - [xen] support large numbers of CPUs with vcpu info placement (Vitaly Kuznetsov) [1179343 1164278] [2.6.32-504.10.1] - [netdrv] tg3: Change nvram command timeout value to 50ms (Ivan Vecera) [1182903 1176230] [2.6.32-504.9.1] - [net] ipv6: increase ip6_rt_max_size to 16384 (Hannes Frederic Sowa) [1177581 1112946] - [net] ipv6: don't set DST_NOCOUNT for remotely added routes (Hannes Frederic Sowa) [1177581 1112946] - [net] ipv6: don't count addrconf generated routes against gc limit (Hannes Frederic Sowa) [1177581 1112946] - [net] ipv6: Don't put artificial limit on routing table size (Hannes Frederic Sowa) [1177581 1112946] - [scsi] bnx2fc: fix tgt spinlock locking (Maurizio Lombardi) [1179098 1079656] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7822 CVE-2014-8160 CVE-2014-8159 CVE-2014-8369 Oracle Linux 6 Oracle Linux 7 [2.3.11-15.el6_6.1] - Fixes CVE-2014-9657 - Check minimum size of record_size. - Fixes CVE-2014-9658 - Use correct value for minimum table length test. - Fixes CVE-2014-9675 - New macro that checks one character more than strncmp. - Fixes CVE-2014-9660 - Check _BDF_GLYPH_BITS. - Fixes CVE-2014-9661 - Initialize face->ttf_size. - Always set face->ttf_size directly. - Exclusively use the truetype font driver for loading the font contained in the sfnts array. - Fixes CVE-2014-9663 - Fix order of validity tests. - Fixes CVE-2014-9664 - Add another boundary testing. - Fix boundary testing. - Fixes CVE-2014-9667 - Protect against addition overflow. - Fixes CVE-2014-9669 - Protect against overflow in additions and multiplications. - Fixes CVE-2014-9670 - Add sanity checks for row and column values. - Fixes CVE-2014-9671 - Check size and offset values. - Fixes CVE-2014-9673 - Fix integer overflow by a broken POST table in resource-fork. - Fixes CVE-2014-9674 - Fix integer overflow by a broken POST table in resource-fork. - Additional overflow check in the summation of POST fragment lengths. - Work around behaviour of X11s pcfWriteFont and pcfReadFont functions - Resolves: #1197737 [2.3.11-15] - Fix CVE-2012-5669 (Use correct array size for checking glyph_enc) - Resolves: #903543 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9657 CVE-2014-9658 CVE-2014-9660 CVE-2014-9661 CVE-2014-9663 CVE-2014-9664 CVE-2014-9667 CVE-2014-9669 CVE-2014-9670 CVE-2014-9671 CVE-2014-9673 CVE-2014-9674 CVE-2014-9675 Oracle Linux 6 Oracle Linux 7 [6.0-2] - Fix CVE-2014-9636 CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 Resolves: #1196132 #1196120 #1196124 #1196128 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8139 CVE-2014-8140 CVE-2014-8141 CVE-2014-9636 Oracle Linux 6 [1.0.1e-30.7] - update fix for CVE-2015-0287 to what was released upstream [1.0.1e-30.6] - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0292 - integer underflow in base64 decoder - fix CVE-2015-0293 - triggerable assert in SSLv2 server MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 Oracle Linux 7 [1.0.1e-42.4] - update fix for CVE-2015-0287 to what was released upstream [1.0.1e-42.3] - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0292 - integer underflow in base64 decoder - fix CVE-2015-0293 - triggerable assert in SSLv2 server [1.0.1e-42.2] - fix broken error detection when unwrapping unpadded key [1.0.1e-42.1] - fix the RFC 5649 for key material that does not need padding MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.5.3-1.0.1.el5_11] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [31.5.3-1] - Update to 31.5.3 ESR [31.5.2-1] - Update to 31.5.2 ESR [31.5.1-1] - Update to 31.5.1 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0817 CVE-2015-0818 Oracle Linux 7 [3.10.0-229.1.2] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.1.2] - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181177 1179347] {CVE-2014-8159} [3.10.0-229.1.1] - [crypto] testmgr: mark rfc4106(gcm(aes)) as fips_allowed (Jarod Wilson) [1197751 1185400] - [virt] storvsc: ring buffer failures may result in I/O freeze (Vitaly Kuznetsov) [1197749 1171409] - [md] dm-thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode (Mike Snitzer) [1197745 1184592] - [kernel] workqueue: fix subtle pool management issue which can stall whole worker_pool (Eric Sandeen) [1197744 1165535] - [platform] thinkpad_acpi: support new BIOS version string pattern (Benjamin Tissoires) [1197743 1194830] - [x86] ioapic: kcrash: Prevent crash_kexec() from deadlocking on ioapic_lock (Baoquan He) [1197742 1182424] - [net] sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [1196588 1183959] {CVE-2015-1421} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8159 CVE-2015-1421 Oracle Linux 7 ipa [4.1.0-18.0.1.el7_1.3] - Replace login-screen-logo.png [20362818] - Drop subscription-manager requires for OL7 - Drop redhat-access-plugin-ipa requires for OL7 - Blank out header-logo.png product-name.png [4.1.0-18.3] - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) [4.1.0-18.2] - IPA extdom plugin fails when encountering large groups (#1193759) - CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1202997) [4.1.0-18.1] - 'an internal error has occurred' during ipa host-del --updatedns (#1198431) - Renamed patch 1013 to 0114, as it was merged upstream - Fax number not displayed for user-show when kinit'ed as normal user. (#1198430) - Replication agreement with replica not disabled when ipa-restore done without IPA installed (#1199060) - Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) slapi-nis [0.54-3] - Fix CVE-2015-0283 - Resolves: #1202995 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0283 CVE-2015-1827 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [3.2.17-4.1.0.1] - Add setroubleshoot-oracle-enterprise.patch to change bug reporting URL to linux.oracle.com [3.2.17-4.1] - Fix get_rpm_nvr_*_temporary functions Resolves:#1203352 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1815 Oracle Linux 7 [2.9.1-5.0.1.el7_1.2] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2.9.1-5.2] - Fix missing entities after CVE-2014-3660 fix - CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195649) - Fix regressions introduced by CVE-2014-0191 patch MODERATE Copyright 2015 Oracle, Inc. CVE-2014-0191 Oracle Linux 6 Oracle Linux 7 [8.4.20-2] - fix for CVE-2015-0241 CVE-2015-0243 CVE-2015-0244 CVE-2014-8161 (rhbz#1198651 & rhbz#1198652) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.6.0-2.0.1.el5_11] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [31.6.0-1] - Update to 31.6.0 ESR Build 2 [31.6.0-1] - Update to 31.6.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0801 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816 Oracle Linux 6 Oracle Linux 7 [1.3.0-5] - fix buffer overflow when processing ID3v2 metadata (CVE-2014-8962) - fix buffer overflow with invalid blocksize (CVE-2014-9028) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8962 CVE-2014-9028 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.6.0-1.0.1] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [31.6.0-1] - Update to 31.6.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0801 CVE-2015-0807 CVE-2015-0813 CVE-2015-0815 CVE-2015-0816 Oracle Linux 5 kernel [2.6.18-404.0.0.0.1] - [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078] - ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772] - i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649] - [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030] - [oprofile] export __get_user_pages_fast() function [orabug 14277030] - [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030] - [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030] - [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030] - [kernel] Initialize the local uninitialized variable stats. [orabug 14051367] - [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763] - [x86 ] fix fpu context corrupt when preempt in signal context [orabug 14038272] - [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075] - fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan) - [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan) - [x86] Fix lvt0 reset when hvm boot up with noapic param - [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason) [orabug 12342275] - [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346] - [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566] - [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042] - [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646] - fix filp_close() race (Joe Jin) [orabug 10335998] - make xenkbd.abs_pointer=1 by default [orabug 67188919] - [xen] check to see if hypervisor supports memory reservation change (Chuck Anderson) [orabug 7556514] - [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki) [orabug 10315433] - [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258] - [mm] Patch shrink_zone to yield during severe mempressure events, avoiding hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839] - [mm] Enhance shrink_zone patch allow full swap utilization, and also be NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919] - fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042] - [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson) [orabug 9107465] - [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson) [orabug 9764220] - Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615] - fix overcommit memory to use percpu_counter for (KOSAKI Motohiro, Guru Anbalagane) [orabug 6124033] - [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208] - [ib] fix memory corruption (Andy Grover) [orabug 9972346] - [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203] - [usb] usbcore: fix refcount bug in endpoint removal (Junxiao Bi) [orabug 14795203] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8867 CVE-2014-8159 Oracle Linux 5 kernel [2.6.18-404] - [infiniband] core: Prevent integer overflow in ib_umem_get (Doug Ledford) [1179353] {CVE-2014-8159} [2.6.18-403] - [s390] zcrypt: Toleration of new crypto hardware (Hendrik Brueckner) [1182522] - [fs] cifs: Use pid from cifsFileInfo in wrt pages/set_file_size (Sachin Prabhu) [1169304] - [xen] x86: confine internally handled MMIO to solitary regions (Denys Vlasenko) [1164256] {CVE-2014-8867} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8867 CVE-2014-8159 Oracle Linux 6 [1.10.3-37] - fix for CVE-2014-5355 (#1193939) 'krb5: unauthenticated denial of service in recvauth_common() and others' [1.10.3-36] - fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy name crash' [1.10.3-35] - Changelog fixes to make errata subsystem happy. [1.10.3-34] - fix for CVE-2014-5352 (#1179856) 'gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)' - fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)' - fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)' MODERATE Copyright 2015 Oracle, Inc. CVE-2014-5352 CVE-2014-5353 CVE-2014-9421 CVE-2014-9422 CVE-2014-5355 Oracle Linux 6 Oracle Linux 7 [1.15.0-26] - CVE fixes for: CVE-2015-0255 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0255 Oracle Linux 5 [0.9.8e-33] - fix CVE-2014-8275 (without introduction of CVE-2015-0286) - various certificate fingerprint issues - fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export ciphersuites and on server - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0292 - integer underflow in base64 decoder - fix CVE-2015-0293 - triggerable assert in SSLv2 server MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8275 CVE-2015-0204 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 Oracle Linux 6 Oracle Linux 7 [1:1.7.0.75-2.5.5.1.0.1.el7_1] - Update DISTRO_NAME in specfile [1:1.7.0.75-2.5.5.1] - repacked sources - Resolves: rhbz#1209072 [1:1.7.0.75-2.5.5.0] - Bump to 2.5.5 using OpenJDK 7u79 b14. - Update OpenJDK tarball creation comments - Remove test case for RH1191652 now fix has been verified. - Drop AArch64 version of RH1191652 HotSpot patch as included upstream. - Resolves: rhbz#1209072 CRITICAL Copyright 2015 Oracle, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 Oracle Linux 5 [1:1.7.0.75-2.5.5.1.0.1.el5_11] - Add oracle-enterprise.patch - Fix DISTRO_NAME to 'Oracle Linux' [1:1.7.0.75-2.5.5.1] - Repacked sources - Resolves: rhbz#1209069 [1:1.7.0.79-2.5.5.0] - Bump to 2.5.5 using OpenJDK 7u79 b14. - Resolves: rhbz#1209069 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [1:1.6.0.35-1.13.7.1] - Repackaged source files - Resolves: rhbz#1209067 [1:1.6.0.35-1.13.7.0] - Update to IcedTea 1.13.7 - Regenerate add-final-location-rpaths patch so as to be less disruptive. - Resolves: rhbz#1209067 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 Oracle Linux 6 Oracle Linux 7 [1:1.8.0.45-30.b13] - repacked sources - Resolves: RHBZ#1209076 [1:1.8.0.45-7.b13] - Re-add %{name} prefix to patches to avoid conflicts with OpenJDK 7 versions. - Remove ppc64le test case now fix has been verified. - Resolves: rhbz#1194378 [1:1.8.0.45-27.b13] - updated to security u45 - minor sync with 7.2 - generate_source_tarball.sh - adapted java-1.8.0-openjdk-s390-java-opts.patch and java-1.8.0-openjdk-size_t.patch - reworked (synced) zero patches (removed 103,11 added 204, 400-403) - family of 5XX patches renamed to 6XX - added upstreamed patch 501 and 505 - included removeSunEcProvider-RH1154143.patch - returned java (jre only) provides - repacked policies (source20) - removed duplicated NVR provides - added automated test for priority (length7) - Resolves: RHBZ#1209076 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2015-0470 Oracle Linux 6 [2.12-1.149.7] - Fix invalid file descriptor reuse while sending DNS query (#1207995, CVE-2013-7423). - Fix buffer overflow in gethostbyname_r with misaligned buffer (#1209375, CVE-2015-1781). [2.12-1.149.6] - Enhance nscd to detect any configuration file changes (#1194149). MODERATE Copyright 2015 Oracle, Inc. CVE-2013-7423 CVE-2015-1781 Oracle Linux 6 [2.6.32-504.16.2] - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181173 1179327] {CVE-2014-8159} [2.6.32-504.16.1] - [fs] gfs2: Move gfs2_file_splice_write outside of #ifdef (Robert S Peterson) [1198329 1193559] - [security] keys: close race between key lookup and freeing (Radomir Vrbovsky) [1179849 1179850] {CVE-2014-9529} - [net] sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [1196587 1135425] {CVE-2015-1421} - [fs] gfs2: Allocate reservation during splice_write (Robert S Peterson) [1198329 1193559] - [fs] nfs: Be less aggressive about returning delegations for open files (Steve Dickson) [1196314 1145334] - [fs] nfs: Avoid PUTROOTFH when managing leases (Benjamin Coddington) [1196313 1143013] - [crypto] testmgr: mark rfc4106(gcm(aes)) as fips_allowed (Jarod Wilson) [1194983 1185395] - [crypto] Extending the RFC4106 AES-GCM test vectors (Jarod Wilson) [1194983 1185395] - [char] raw: Return short read or 0 at end of a raw device, not EIO (Jeff Moyer) [1195747 1142314] - [scsi] hpsa: Use local workqueues instead of system workqueues - part1 (Tomas Henzl) [1193639 1134115] - [x86] kvm: vmx: invalid host cr4 handling across vm entries (Jacob Tanenbaum) [1153326 1153327] {CVE-2014-3690} - [fs] isofs: Fix unchecked printing of ER records (Radomir Vrbovsky) [1180481 1180492] {CVE-2014-9584} - [fs] bio: fix argument of __bio_add_page() for max_sectors > 0xffff (Fam Zheng) [1198428 1166763] - [media] ttusb-dec: buffer overflow in ioctl (Alexander Gordeev) [1170971 1167115] {CVE-2014-8884} - [kernel] trace: insufficient syscall number validation in perf and ftrace subsystems (Jacob Tanenbaum) [1161567 1161568] {CVE-2014-7826 CVE-2014-7825} - [fs] nfs: Fix a delegation callback race (Dave Wysochanski) [1187639 1149831] - [fs] nfs: Don't use the delegation->inode in nfs_mark_return_delegation() (Dave Wysochanski) [1187639 1149831] - [infiniband] ipoib: don't queue a work struct up twice (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: make sure we reap all our ah on shutdown (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: cleanup a couple debug messages (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: flush the ipoib_workqueue on unregister (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: fix ipoib_mcast_restart_task (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: fix race between mcast_dev_flush and mcast_join (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: remove unneeded locks (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: don't restart our thread on ENETRESET (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: Handle -ENETRESET properly in our callback (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: make delayed tasks not hold up everything (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: Add a helper to restart the multicast task (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: fix IPOIB_MCAST_RUN flag usage (Doug Ledford) [1187664 1187666 1184072 1159925] - [infiniband] ipoib: Remove unnecessary port query (Doug Ledford) [1187664 1187666 1184072 1159925] - [x86] kvm: Avoid pagefault in kvm_lapic_sync_to_vapic (Paolo Bonzini) [1192055 1116398] - [s390] kernel: fix cpu target address of directed yield (Hendrik Brueckner) [1188339 1180061] - [mm] memcg: do not allow task about to OOM kill to bypass the limit (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] memcg: do not declare OOM from __GFP_NOFAIL allocations (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [fs] buffer: move allocation failure loop into the allocator (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] memcg: handle non-error OOM situations more gracefully (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] memcg: do not trap chargers with full callstack on OOM (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] memcg: rework and document OOM waiting and wakeup (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] memcg: enable memcg OOM killer only for user faults (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [x86] mm: finish user fault error path with fatal signal (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [mm] pass userspace fault flag to generic fault handler (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [s390] mm: do not invoke OOM killer on kernel fault OOM (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [powerpc] mm: remove obsolete init OOM protection (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [powerpc] mm: invoke oom-killer from remaining unconverted page fault handlers (Johannes Weiner) [1198110 1088334] {CVE-2014-8171} - [security] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID (Denys Vlasenko) [1104567 1104568] {CVE-2014-3215} - [security] Add PR_<GET, SET>_NO_NEW_PRIVS to prevent execve from granting privs (Denys Vlasenko) [1104567 1104568] {CVE-2014-3215} [2.6.32-504.15.1] - [netdrv] ixgbe: remove CIAA/D register reads from bad VF check (John Greene) [1196312 1156061] - [pci] Make FLR and AF FLR reset warning messages different (Myron Stowe) [1192365 1184540] - [pci] Fix unaligned access in AF transaction pending test (Myron Stowe) [1192365 1184540] - [pci] Merge multi-line quoted strings (Myron Stowe) [1192365 1184540] - [pci] Wrong register used to check pending traffic (Myron Stowe) [1192365 1184540] - [pci] Add pci_wait_for_pending() -- refactor pci_wait_for_pending_transaction() (Myron Stowe) [1192365 1184540] - [pci] Use pci_wait_for_pending_transaction() instead of for loop (Myron Stowe) [1192365 1184540] - [pci] Add pci_wait_for_pending_transaction() (Myron Stowe) [1192365 1184540] - [pci] Wait for pending transactions to complete before 82599 FLR (Myron Stowe) [1192365 1184540] - [scsi] storvsc: fix a bug in storvsc limits (Vitaly Kuznetsov) [1196532 1174168] [2.6.32-504.14.1] - [s390] crypto: kernel oops at insmod of the z90crypt device driver (Hendrik Brueckner) [1191916 1172137] - [sound] alsa: usb-audio: Fix crash at re-preparing the PCM stream (Jerry Snitselaar) [1192105 1167059] - [usb] ehci: bugfix: urb->hcpriv should not be NULL (Jerry Snitselaar) [1192105 1167059] - [mm] mmap: uncached vma support with writenotify (Jerry Snitselaar) [1192105 1167059] - [kernel] futex: Mention key referencing differences between shared and private futexes (Larry Woodman) [1192107 1167405] - [kernel] futex: Ensure get_futex_key_refs() always implies a barrier (Larry Woodman) [1192107 1167405] [2.6.32-504.13.1] - [netdrv] enic: fix rx skb checksum (Stefan Assmann) [1189068 1115505] - [scsi] Revert 'fix our current target reap infrastructure' (David Milburn) [1188941 1168072] - [scsi] Revert 'dual scan thread bug fix' (David Milburn) [1188941 1168072] - [net] tcp: do not copy headers in tcp_collapse() (Alexander Duyck) [1188838 1156289] - [net] tcp: use tcp_flags in tcp_data_queue() (Alexander Duyck) [1188838 1156289] - [net] tcp: use TCP_SKB_CB(skb)->tcp_flags in input path (Alexander Duyck) [1188838 1156289] - [net] tcp: remove unused tcp_fin() parameters (Alexander Duyck) [1188838 1156289] - [net] tcp: rename tcp_skb_cb flags (Alexander Duyck) [1188838 1156289] - [net] tcp: unify tcp flag macros (Alexander Duyck) [1188838 1156289] - [net] tcp: unalias tcp_skb_cb flags and ip_dsfield (Alexander Duyck) [1188838 1156289] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3690 CVE-2014-7825 CVE-2014-7826 CVE-2014-8884 CVE-2015-1421 CVE-2014-3215 CVE-2014-8171 CVE-2014-9529 CVE-2014-9584 Oracle Linux 6 [0.12.1.2-2.448.el6_6.2] - kvm-cirrus-fix-blit-region-check.patch [bz#1170571] - kvm-cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf.patch [bz#1170571] - Resolves: bz#1170571 (CVE-2014-8106 qemu-kvm: qemu: cirrus: insufficient blit region checks [rhel-6.6.z]) [0.12.1.2-2.448.el6_6.1] - kvm-net-Forbid-dealing-with-packets-when-VM-is-not-run_2.patch [bz#970103] - kvm-virtio-net-drop-assert-on-vm-stop.patch [bz#970103] - kvm-migration-set-speed-to-maximum-during-last-stage_2.patch [bz#970103] - kvm-migration-only-call-append-when-there-is-something_2.patch [bz#970103] - kvm-migration-Only-call-memmove-when-there-is-anything-t.patch [bz#970103] - kvm-migration-remove-not-needed-ram_save_remaining-fun_2.patch [bz#970103] - kvm-migration-move-bandwidth-calculation-to-inside-sta_2.patch [bz#970103] - kvm-migration-Don-t-calculate-bandwidth-when-last-cycl_2.patch [bz#970103] - kvm-buffered_flush-return-errors.patch [bz#970103] - kvm-bandwidth_limit-standarize-in-size_t.patch [bz#970103] - kvm-fix-bz-1196970.patch [bz#1196970] - Resolves: bz#1196970 (Migrate status is failed after migrate_cancel.) - Resolves: bz#970103 (Downtime during live migration of busy VM is much higher than migration_downtime in vdsm.conf) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8106 Oracle Linux 5 [kvm-83-270.0.1.el5_11] - Added kvm-add-oracle-workaround-for-libvirt-bug.patch - Added kvm-Introduce-oel-machine-type.patch [kvm-83-270.el5] - KVM: x86: Check non canonical addresses upon WRMSR - Resolves: bz#1152982 (CVE-2014-3610 kernel: kvm: noncanonical MSR writes [rhel-5.11.z]) [kvm-83-269.el5] - KVM: x86: Improve thread safety in pit - Resolves: bz#1152985 (CVE-2014-3611 kernel: kvm: PIT timer race condition) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3611 CVE-2014-3610 Oracle Linux 7 [1.3.3.1-16] - release 1.3.3.1-16 - Resolves: bug 1212894 - CVE-2015-1854 389ds-base: access control bypass with modrdn IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1854 Oracle Linux 7 [0:7.0.54-2] - Resovles: CVE-2014-0227 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-0227 Oracle Linux 7 [2.0.7-19.0.1.el7_1.2] - kdumpctl: exclude default_hugepagesz setting from kdump kernel cmdline (Sriharsha Yadagudde) [Orabug: 19134999] - kdumpctl: verify if kernel support securelevel interface (Sriharsha Yadagudde) [Orabug: 18905671] [2.0.7-19.2] - dracut-module-setup: Enhance kdump to support the bind mounted feature in Atomic - Fix the warning if the target path is bind mount in Atomic - Get the mount point correctly, if the device has several mount point - kdump-lib: Add new function to judge the system is Atomic or not - kdump-lib: Add the new function to enhance bind mounted judgement - Remove duplicate slash in save path - dracut-module-setup.sh: change the insecure use of /tmp/*9947* filenames [2.0.7-19.1] - sadump: Support more than 16TB physical memory space. MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0267 Oracle Linux 7 [3.10.0-229.4.2] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.4.2] - [x86] crypto: aesni - fix memory usage in GCM decryption (Kurt Stutsman) [1213331 1212178] {CVE-2015-3331} [3.10.0-229.4.1] - [crypto] x86: sha256_ssse3 - also test for BMI2 (Herbert Xu) [1211484 1201563] - [crypto] testmgr: fix RNG return code enforcement (Herbert Xu) [1211487 1198978] - [crypto] rng: RNGs must return 0 in success case (Herbert Xu) [1211487 1198978] - [crypto] x86: sha1 - reduce size of the AVX2 asm implementation (Herbert Xu) [1211291 1177968] - [crypto] x86: sha1 - fix stack alignment of AVX2 variant (Herbert Xu) [1211291 1177968] - [crypto] x86: sha1 - re-enable the AVX variant (Herbert Xu) [1211291 1177968] - [crypto] sha: SHA1 transform x86_64 AVX2 (Herbert Xu) [1211291 1177968] - [crypto] sha-mb: sha1_mb_alg_state can be static (Herbert Xu) [1211290 1173756] - [crypto] mcryptd: mcryptd_flist can be static (Herbert Xu) [1211290 1173756] - [crypto] sha-mb: SHA1 multibuffer job manager and glue code (Herbert Xu) [1211290 1173756] - [crypto] sha-mb: SHA1 multibuffer crypto computation (x8 AVX2) (Herbert Xu) [1211290 1173756] - [crypto] sha-mb: SHA1 multibuffer submit and flush routines for AVX2 (Herbert Xu) [1211290 1173756] - [crypto] sha-mb: SHA1 multibuffer algorithm data structures (Herbert Xu) [1211290 1173756] - [crypto] sha-mb: multibuffer crypto infrastructure (Herbert Xu) [1211290 1173756] - [kernel] sched: Add function single_task_running to let a task check if it is the only task running on a cpu (Herbert Xu) [1211290 1173756] - [crypto] ahash: initialize entry len for null input in crypto hash sg list walk (Herbert Xu) [1211290 1173756] - [crypto] ahash: Add real ahash walk interface (Herbert Xu) [1211290 1173756] - [char] random: account for entropy loss due to overwrites (Herbert Xu) [1211288 1110044] - [char] random: allow fractional bits to be tracked (Herbert Xu) [1211288 1110044] - [char] random: statically compute poolbitshift, poolbytes, poolbits (Herbert Xu) [1211288 1110044] [3.10.0-229.3.1] - [netdrv] mlx4_en: tx_info->ts_requested was not cleared (Doug Ledford) [1209240 1178070] [3.10.0-229.2.1] - [char] tpm: Added Little Endian support to vtpm module (Steve Best) [1207051 1189017] - [powerpc] pseries: Fix endian problems with LE migration (Steve Best) [1207050 1183198] - [iommu] vt-d: Work around broken RMRR firmware entries (Myron Stowe) [1205303 1195802] - [iommu] vt-d: Store bus information in RMRR PCI device path (Myron Stowe) [1205303 1195802] - [s390] zcrypt: enable s390 hwrng to seed kernel entropy (Hendrik Brueckner) [1205300 1196398] - [s390] zcrypt: improve device probing for zcrypt adapter cards (Hendrik Brueckner) [1205300 1196398] - [net] team: fix possible null pointer dereference in team_handle_frame (Jiri Pirko) [1202359 1188496] - [fs] fsnotify: fix handling of renames in audit (Paul Moore) [1202358 1191562] - [net] openvswitch: Fix net exit (Jiri Benc) [1202357 1200859] - [fs] gfs2: Move gfs2_file_splice_write outside of #ifdef (Robert S Peterson) [1201256 1193910] - [fs] gfs2: Allocate reservation during splice_write (Robert S Peterson) [1201256 1193910] - [crypto] aesni: fix 'by8' variant for 128 bit keys (Herbert Xu) [1201254 1174971] - [crypto] aesni: remove unused defines in 'by8' variant (Herbert Xu) [1201254 1174971] - [crypto] aesni: fix counter overflow handling in 'by8' variant (Herbert Xu) [1201254 1174971] - [crypto] aes: AES CTR x86_64 'by8' AVX optimization (Herbert Xu) [1201254 1174971] - [kernel] audit: restore AUDIT_LOGINUID unset ABI (Richard Guy Briggs) [1197748 1120491] - [kernel] audit: replace getname()/putname() hacks with reference counters (Paul Moore) [1197746 1155208] - [kernel] audit: fix filename matching in __audit_inode() and __audit_inode_child() (Paul Moore) [1197746 1155208] - [kernel] audit: enable filename recording via getname_kernel() (Paul Moore) [1197746 1155208] - [fs] namei: simpler calling conventions for filename_mountpoint() (Paul Moore) [1197746 1155208] - [fs] namei: create proper filename objects using getname_kernel() (Paul Moore) [1197746 1155208] - [fs] namei: rework getname_kernel to handle up to PATH_MAX sized filenames (Paul Moore) [1197746 1155208] - [fs] namei: cut down the number of do_path_lookup() callers (Paul Moore) [1197746 1155208] - [fs] execve: use 'struct filename *' for executable name passing (Paul Moore) [1197746 1155208] - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181177 1179347] {CVE-2014-8159} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3331 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.0-4.0.1.el5_11] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.0-4] - Obsolete Firefox 31 [38.0-3] - Removed unused patches [38.0-2] - Update to 38.0 ESR [38.0b8-0.13] - New gcc version, should fix s390x build failures [38.0b8-0.12] - Update to 38 Beta 8 [38.0b6-0.11] - No longer supported ppc ia64 arches (rhbz#1214863, rhbz#1214865) - s390x build fix [38.0b6-0.10] - Update to 38 Beta 6 - Added patch for mozbz#1152515 [38.0b5-0.9] - Update to 38 Beta 5 - More build fixes - Removed preference security.tls.version.fallback-limit [38.0b3-0.8] - Update to 38 Beta 3 - Added Yasm assembler [38.0b2-0.7] - Set default preference security.tls.version.fallback-limit to 1 [38.0b2-0.6] - Enabled debug build [38.0b2-1] - Update to 38.0b2 [38.0b1-1] - Update to 38.0b1 CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-0797 CVE-2015-2708 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716 Oracle Linux 6 [0:6.0.24-83] - Related: rhbz#1207048 tomcat initscript didn't assign - RETVAL after killing tomcat process [0:6.0.24-82] - Resolves: rhbz#1207048 Tomcat init script needs to be adjusted - to kill tomcat if stop is unsuccessful [0:6.0.24-81] - Resolves: CVE-2014-0227 Limited DoS in chunked transfer encoding - input filter MODERATE Copyright 2015 Oracle, Inc. CVE-2014-0227 Oracle Linux 6 [0.12.1.2-2.448.el6_6.3] - kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219267] - Resolves: bz#1219267 (EMBARGOED CVE-2015-3456 qemu-kvm: qemu: floppy disk controller flaw [rhel-6.6.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3456 Oracle Linux 7 [1.5.3-86.el7_1.2] - kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219269] - Resolves: bz#1219269 (EMBARGOED CVE-2015-3456 qemu-kvm: qemu: floppy disk controller flaw [rhel-7.1.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3456 Oracle Linux 5 [3.0.3-146.el5] - xen-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch - xen-FDC-Fix-buffer-overflow-Herv-Poussineau.patch - Resolves: bz#1219333 (xen: qemu: floppy disk controller flaw [rhel-5.11.z]) [3.0.3-144.el5] - xm: Fix vcpu-pin complain for CPU number out of range (rhbz 955656) - libxc: Support set affinity for more than 64 CPUS (rhbz 955656) - libxc: Fixes for 'support affinity for more than 64 CPUS' (rhbz 955656) - xend: Fix bug of a cpu affinity vcpu-pin under ia32pa (rhbz 955656) - libxc: Fix cpu number overflow for vcpu-pin (rhbz 955656) [3.0.3-143.el5] - libxc: move error checking next to the function which returned the error (rhbz 870413) - libxc: builder: limit maximum size of kernel/ramdisk (rhbz 870413) - e1000: discard packets that are too long if !SBP and !LPE (rhbz 910844) - e1000: discard oversized packets based on SBP|LPE (rhbz 910844) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3456 Oracle Linux 5 [kvm-83-272.0.1.el5] - Added kvm-add-oracle-workaround-for-libvirt-bug.patch - Added kvm-Introduce-oel-machine-type.patch [kvm-83.272.el5] - kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219266] - Resolves: bz#1219266 (kvm: qemu: floppy disk controller flaw [rhel-5.11.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3456 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.7.0-1.0.1.el5_11] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [31.7.0-1] - Update to 31.7.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-2708 CVE-2015-2710 CVE-2015-2713 CVE-2015-2716 Oracle Linux 5 kernel [2.6.18-406.0.0.0.1] - [netfront] fix ring buffer index go back led vif stop [orabug 18272251] - [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078] - ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772] - i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649] - [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030] - [oprofile] export __get_user_pages_fast() function [orabug 14277030] - [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030] - [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030] - [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030] - [kernel] Initialize the local uninitialized variable stats. [orabug 14051367] - [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763] - [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075] - fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan) - [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan) - [x86] Fix lvt0 reset when hvm boot up with noapic param - [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason) [orabug 12342275] - [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346] - [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566] - [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042] - [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646] - fix filp_close() race (Joe Jin) [orabug 10335998] - make xenkbd.abs_pointer=1 by default [orabug 67188919] - [xen] check to see if hypervisor supports memory reservation change (Chuck Anderson) [orabug 7556514] - [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki) [orabug 10315433] - [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258] - [mm] Patch shrink_zone to yield during severe mempressure events, avoiding hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839] - [mm] Enhance shrink_zone patch allow full swap utilization, and also be NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919] - fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042] - [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson) [orabug 9107465] - [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson) [orabug 9764220] - Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615] - fix overcommit memory to use percpu_counter for (KOSAKI Motohiro, Guru Anbalagane) [orabug 6124033] - [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208] - [ib] fix memory corruption (Andy Grover) [orabug 9972346] - [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1805 Oracle Linux 5 kernel [2.6.18-406] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Mateusz Guzik) [1203787] {CVE-2015-1805} [2.6.18-405] - [net] tcp: zero retrans_stamp if all retrans were acked (Marcelo Leitner) [1205521] - [net] tcp: fix retrans_stamp advancing in error cases (Marcelo Leitner) [1205521] - [net] tcp: Fix inconsistency source (Marcelo Leitner) [1205521] - [ipc] sem: fix the potential use-after-free in freeary() (Oleg Nesterov) [1124574] - [scsi] lpfc: Fix crash in device reset handler (Rob Evers) [1070964] - [mm] fix broken max_reclaims_in_progress memory reclaim throttle (Lachlan McIlroy) [1164105] - [x86_64] fpu: save_i387() must clr TS_USEDFPU along with stts() (Oleg Nesterov) [1193505] - [block] virtio: Call revalidate_disk() upon online disk resize (Stefan Hajnoczi) [1200855] - [block] virtio: fix config handler race (Stefan Hajnoczi) [1200855] - [block] virtio: allow re-reading config space at runtime (Stefan Hajnoczi) [1200855] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1805 Oracle Linux 6 Oracle Linux 7 [1.0.1e-30.9] - fix CVE-2015-4000 - prevent the logjam attack on client - restrict the DH key size to at least 768 bits (limit will be increased in future) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-4000 Oracle Linux 6 [2.6.32-504.23.4] - [crypto] drbg: fix maximum value checks on 32 bit systems (Herbert Xu) [1225950 1219907] - [crypto] drbg: remove configuration of fixed values (Herbert Xu) [1225950 1219907] [2.6.32-504.23.3] - [netdrv] bonding: fix locking in enslave failure path (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: primary_slave & curr_active_slave are not cleaned on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: vlans don't get deleted on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: mc addresses don't get deleted on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: IFF_BONDING is not stripped on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: fix error handling if slave is busy v2 (Nikolay Aleksandrov) [1222483 1221856] [2.6.32-504.23.2] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1202860 1185166] {CVE-2015-1805} [2.6.32-504.23.1] - [x86] crypto: sha256_ssse3 - fix stack corruption with SSSE3 and AVX implementations (Herbert Xu) [1218681 1201490] - [scsi] storvsc: ring buffer failures may result in I/O freeze (Vitaly Kuznetsov) [1215754 1171676] - [scsi] storvsc: get rid of overly verbose warning messages (Vitaly Kuznetsov) [1215753 1167967] - [scsi] storvsc: NULL pointer dereference fix (Vitaly Kuznetsov) [1215753 1167967] - [netdrv] ixgbe: fix detection of SFP+ capable interfaces (John Greene) [1213664 1150343] - [x86] crypto: aesni - fix memory usage in GCM decryption (Kurt Stutsman) [1213329 1213330] {CVE-2015-3331} [2.6.32-504.22.1] - [kernel] hrtimer: Prevent hrtimer_enqueue_reprogram race (Prarit Bhargava) [1211940 1136958] - [kernel] hrtimer: Preserve timer state in remove_hrtimer() (Prarit Bhargava) [1211940 1136958] - [crypto] testmgr: fix RNG return code enforcement (Herbert Xu) [1212695 1208804] - [net] netfilter: xtables: make use of caller family rather than target family (Florian Westphal) [1212057 1210697] - [net] dynticks: avoid flow_cache_flush() interrupting every core (Marcelo Leitner) [1210595 1191559] - [tools] perf: Fix race in build_id_cache__add_s() (Milos Vyletel) [1210593 1204102] - [infiniband] ipath+qib: fix dma settings (Doug Ledford) [1208621 1171803] - [fs] dcache: return -ESTALE not -EBUSY on distributed fs race (J. Bruce Fields) [1207815 1061994] - [net] neigh: Keep neighbour cache entries if number of them is small enough (Jiri Pirko) [1207352 1199856] - [x86] crypto: sha256_ssse3 - also test for BMI2 (Herbert Xu) [1204736 1201560] - [scsi] qla2xxx: fix race in handling rport deletion during recovery causes panic (Chad Dupuis) [1203544 1102902] - [redhat] configs: Enable SSSE3 acceleration by default (Herbert Xu) [1201668 1036216] - [crypto] sha512: Create module providing optimized SHA512 routines using SSSE3, AVX or AVX2 instructions (Herbert Xu) [1201668 1036216] - [crypto] sha512: Optimized SHA512 x86_64 assembly routine using AVX2 RORX instruction (Herbert Xu) [1201668 1036216] - [crypto] sha512: Optimized SHA512 x86_64 assembly routine using AVX instructions (Herbert Xu) [1201668 1036216] - [crypto] sha512: Optimized SHA512 x86_64 assembly routine using Supplemental SSE3 instructions (Herbert Xu) [1201668 1036216] - [crypto] sha512: Expose generic sha512 routine to be callable from other modules (Herbert Xu) [1201668 1036216] - [crypto] sha256: Create module providing optimized SHA256 routines using SSSE3, AVX or AVX2 instructions (Herbert Xu) [1201668 1036216] - [crypto] sha256: Optimized sha256 x86_64 routine using AVX2's RORX instructions (Herbert Xu) [1201668 1036216] - [crypto] sha256: Optimized sha256 x86_64 assembly routine with AVX instructions (Herbert Xu) [1201668 1036216] - [crypto] sha256: Optimized sha256 x86_64 assembly routine using Supplemental SSE3 instructions (Herbert Xu) [1201668 1036216] - [crypto] sha256: Expose SHA256 generic routine to be callable externally (Herbert Xu) [1201668 1036216] - [crypto] rng: RNGs must return 0 in success case (Herbert Xu) [1201669 1199230] - [fs] isofs: infinite loop in CE record entries (Jacob Tanenbaum) [1175243 1175245] {CVE-2014-9420} - [x86] vdso: ASLR bruteforce possible for vdso library (Jacob Tanenbaum) [1184896 1184897] {CVE-2014-9585} - [kernel] time: ntp: Correct TAI offset during leap second (Prarit Bhargava) [1201674 1199134] - [scsi] lpfc: correct device removal deadlock after link bounce (Rob Evers) [1211910 1194793] - [scsi] lpfc: Linux lpfc driver doesn't re-establish the link after a cable pull on LPe12002 (Rob Evers) [1211910 1194793] - [x86] switch_to(): Load TLS descriptors before switching DS and ES (Denys Vlasenko) [1177353 1177354] {CVE-2014-9419} - [net] vlan: Don't propagate flag changes on down interfaces (Jiri Pirko) [1173501 1135347] - [net] bridge: register vlan group for br ports (Jiri Pirko) [1173501 1135347] - [netdrv] tg3: Use new VLAN code (Jiri Pirko) [1173501 1135347] - [netdrv] be2net: move to new vlan model (Jiri Pirko) [1173501 1135347] - [net] vlan: mask vlan prio bits (Jiri Pirko) [1173501 1135347] - [net] vlan: don't deliver frames for unknown vlans to protocols (Jiri Pirko) [1173501 1135347] - [net] vlan: allow nested vlan_do_receive() (Jiri Pirko) [1173501 1135347] - [net] allow vlan traffic to be received under bond (Jiri Pirko) [1173501 1135347] - [net] vlan: goto another_round instead of calling __netif_receive_skb (Jiri Pirko) [1173501 1135347] - [net] bonding: fix bond_arp_rcv setting and arp validate desync state (Jiri Pirko) [1173501 1135347] - [net] bonding: remove packet cloning in recv_probe() (Jiri Pirko) [1173501 1135347] - [net] bonding: Fix LACPDU rx_dropped commit (Jiri Pirko) [1173501 1135347] - [net] bonding: don't increase rx_dropped after processing LACPDUs (Jiri Pirko) [1173501 1135347] - [net] bonding: use local function pointer of bond->recv_probe in bond_handle_frame (Jiri Pirko) [1173501 1135347] - [net] bonding: move processing of recv handlers into handle_frame() (Jiri Pirko) [1173501 1135347] - [netdrv] revert 'bonding: fix bond_arp_rcv setting and arp validate desync state' (Jiri Pirko) [1173501 1135347] - [netdrv] revert 'bonding: check for vlan device in bond_3ad_lacpdu_recv()' (Jiri Pirko) [1173501 1135347] - [net] vlan: Always untag vlan-tagged traffic on input (Jiri Pirko) [1173501 1135347] - [net] Make skb->skb_iif always track skb->dev (Jiri Pirko) [1173501 1135347] - [net] vlan: fix a potential memory leak (Jiri Pirko) [1173501 1135347] - [net] vlan: fix mac_len recomputation in vlan_untag() (Jiri Pirko) [1173501 1135347] - [net] vlan: reset headers on accel emulation path (Jiri Pirko) [1173501 1135347] - [net] vlan: Fix the ingress VLAN_FLAG_REORDER_HDR check (Jiri Pirko) [1173501 1135347] - [net] vlan: make non-hw-accel rx path similar to hw-accel (Jiri Pirko) [1173501 1135347] - [net] allow handlers to be processed for orig_dev (Jiri Pirko) [1173501 1135347] - [net] bonding: get netdev_rx_handler_unregister out of locks (Jiri Pirko) [1173501 1135347] - [net] bonding: fix rx_handler locking (Jiri Pirko) [1173501 1135347] - [net] introduce rx_handler results and logic around that (Jiri Pirko) [1173501 1135347] - [net] bonding: register slave pointer for rx_handler (Jiri Pirko) [1173501 1135347] - [net] bonding: COW before overwriting the destination MAC address (Jiri Pirko) [1173501 1135347] - [net] bonding: convert bonding to use rx_handler (Jiri Pirko) [1173501 1135347] - [net] openvswitch: use rx_handler_data pointer to store vport pointer (Jiri Pirko) [1173501 1135347] - [net] add a synchronize_net() in netdev_rx_handler_unregister() (Jiri Pirko) [1173501 1135347] - [net] add rx_handler data pointer (Jiri Pirko) [1173501 1135347] - [net] replace hooks in __netif_receive_skb (Jiri Pirko) [1173501 1135347] - [net] fix conflict between null_or_orig and null_or_bond (Jiri Pirko) [1173501 1135347] - [net] remove the unnecessary dance around skb_bond_should_drop (Jiri Pirko) [1173501 1135347] - [net] revert 'bonding: fix receiving of dups due vlan hwaccel' (Jiri Pirko) [1173501 1135347] - [net] uninline skb_bond_should_drop() (Jiri Pirko) [1173501 1135347] - [net] bridge: Set vlan_features to allow offloads on vlans (Jiri Pirko) [1173501 1135347] - [net] bridge: convert br_features_recompute() to ndo_fix_features (Jiri Pirko) [1173501 1135347] - [net] revert 'bridge: explictly tag vlan-accelerated frames destined to the host' (Jiri Pirko) [1173501 1135347] - [net] revert 'fix vlan gro path' (Jiri Pirko) [1173501 1135347] - [net] revert 'bridge: do not learn from exact matches' (Jiri Pirko) [1173501 1135347] - [net] revert 'bridge gets duplicate packets when using vlan over bonding' (Jiri Pirko) [1173501 1135347] - [net] llc: remove noisy WARN from llc_mac_hdr_init (Jiri Pirko) [1173501 1135347] - [net] bridge: stp: ensure mac header is set (Jiri Pirko) [1173501 1135347] - [net] vlan: remove reduntant check in ndo_fix_features callback (Jiri Pirko) [1173501 1135347] - [net] vlan: enable soft features regardless of underlying device (Jiri Pirko) [1173501 1135347] - [net] vlan: don't call ndo_vlan_rx_register on hardware that doesn't have vlan support (Jiri Pirko) [1173501 1135347] - [net] vlan: Fix vlan_features propagation (Jiri Pirko) [1173501 1135347] - [net] vlan: convert VLAN devices to use ndo_fix_features() (Jiri Pirko) [1173501 1135347] - [net] revert 'vlan: Avoid broken offload configuration when reorder_hdr is disabled' (Jiri Pirko) [1173501 1135347] - [net] vlan: vlan device is lockless do not transfer real_num_<tx|rx>_queues (Jiri Pirko) [1173501 1135347] - [net] vlan: consolidate 8021q tagging (Jiri Pirko) [1173501 1135347] - [net] propagate NETIF_F_HIGHDMA to vlans (Jiri Pirko) [1173501 1135347] - [net] Fix a memmove bug in dev_gro_receive() (Jiri Pirko) [1173501 1135347] - [net] vlan: remove check for headroom in vlan_dev_create (Jiri Pirko) [1173501 1135347] - [net] vlan: set hard_header_len when VLAN offload features are toggled (Jiri Pirko) [1173501 1135347] - [net] vlan: Calling vlan_hwaccel_do_receive() is always valid (Jiri Pirko) [1173501 1135347] - [net] vlan: Centralize handling of hardware acceleration (Jiri Pirko) [1173501 1135347] - [net] vlan: finish removing vlan_find_dev from public header (Jiri Pirko) [1173501 1135347] - [net] vlan: make vlan_find_dev private (Jiri Pirko) [1173501 1135347] - [net] vlan: Avoid hash table lookup to find group (Jiri Pirko) [1173501 1135347] - [net] revert 'vlan: Add helper functions to manage vlans on bonds and slaves' (Jiri Pirko) [1173501 1135347] - [net] revert 'bonding: assign slaves their own vlan_groups' (Jiri Pirko) [1173501 1135347] - [net] revert 'bonding: fix regression on vlan module removal' (Jiri Pirko) [1173501 1135347] - [net] revert 'bonding: Always add vid to new slave group' (Jiri Pirko) [1173501 1135347] - [net] revert 'bonding: Fix up refcounting issues with bond/vlan config' (Jiri Pirko) [1173501 1135347] - [net] revert '8021q/vlan: filter device events on bonds' (Jiri Pirko) [1173501 1135347] - [net] vlan: Use vlan_dev_real_dev in vlan_hwaccel_do_receive (Jiri Pirko) [1173501 1135347] - [net] gro: __napi_gro_receive() optimizations (Jiri Pirko) [1173501 1135347] - [net] vlan: Rename VLAN_GROUP_ARRAY_LEN to VLAN_N_VID (Jiri Pirko) [1173501 1135347] - [net] vlan: make vlan_hwaccel_do_receive() return void (Jiri Pirko) [1173501 1135347] - [net] vlan: init_vlan should not copy slave or master flags (Jiri Pirko) [1173501 1135347] - [net] vlan: updates vlan real_num_tx_queues (Jiri Pirko) [1173501 1135347] - [net] vlan: adds vlan_dev_select_queue (Jiri Pirko) [1173501 1135347] - [net] llc: use dev_hard_header (Jiri Pirko) [1173501 1135347] - [net] vlan: support 'loose binding' to the underlying network device (Jiri Pirko) [1173501 1135347] - [net] revert 'net: don't set VLAN_TAG_PRESENT for VLAN 0 frames' (Jiri Pirko) [1173501 1135347] - [net] bridge: Add support for TX vlan offload (Jiri Pirko) [1173562 1146391] - [net] revert 'bridge: Set vlan_features to allow offloads on vlans' (Vlad Yasevich) [1144442 1121991] [2.6.32-504.21.1] - [netdrv] ixgbe: Fix memory leak in ixgbe_free_q_vector, missing rcu (John Greene) [1210901 1150343] - [netdrv] ixgbe: Fix tx_packets and tx_bytes stats not updating (John Greene) [1210901 1150343] - [netdrv] qlcnic: Fix update of ethtool stats (Chad Dupuis) [1210902 1148019] [2.6.32-504.20.1] - [fs] exec: do not abuse ->cred_guard_mutex in threadgroup_lock() (Petr Oros) [1208620 1169225] - [kernel] cgroup: always lock threadgroup during migration (Petr Oros) [1208620 1169225] - [kernel] threadgroup: extend threadgroup_lock() to cover exit and exec (Petr Oros) [1208620 1169225] - [kernel] threadgroup: rename signal->threadgroup_fork_lock to ->group_rwsem (Petr Oros) [1208620 1169225] [2.6.32-504.19.1] - [mm] memcg: fix crash in re-entrant cgroup_clear_css_refs() (Johannes Weiner) [1204626 1168185] [2.6.32-504.18.1] - [fs] cifs: Use key_invalidate instead of the rh_key_invalidate() (Sachin Prabhu) [1203366 885899] - [fs] KEYS: Add invalidation support (Sachin Prabhu) [1203366 885899] - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181173 1179327] {CVE-2014-8159} [2.6.32-504.17.1] - [x86] fpu: shift clear_used_math() from save_i387_xstate() to handle_signal() (Oleg Nesterov) [1199900 1196262] - [x86] fpu: change save_i387_xstate() to rely on unlazy_fpu() (Oleg Nesterov) [1199900 1196262] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8159 CVE-2015-3331 CVE-2015-1805 CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 Oracle Linux 7 abrt [2.1.11-22.0.1] - Drop libreport-rhel and libreport-plugin-rhtsupport requires [2.1.11-22] - do not open the build_ids file as the user abrt - do not unlink failed and big user core files - Related: #1212819, #1216973 [2.1.11-21] - validate all D-Bus method arguments - Related: #1214610 [2.1.11-20] - remove the old dump directories during upgrade - abrt-action-install-debuginfo-to-abrt-cache: sanitize arguments and umask - fix race conditions and directory traversal issues in abrt-dbus - use /var/spool/abrt instead of /var/tmp/abrt - make the problem directories owned by root and the group abrt - validate uploaded problem directories in abrt-handle-upload - don't override files with user core dump files - fix symbolic link and race condition flaws - Resolves: #1211969, #1212819, #1212863, #1212869 - Resolves: #1214453, #1214610, #1216973, #1218583 libreport [2.1.11-23.0.1] - Update workflow xml for Oracle [18945470] - Add oracle-enterprise.patch and oracle-enterprise-po.patch - Remove libreport-plugin-rhtsupport and libreport-rhel - Added orabug20390725.patch to remove redhat reference [bug 20390725] - Added Bug20357383.patch to remove redhat reference [bug 20357383] [2.1.11-23] - do not open files outside a dump directory - Related: #1217484 [2.1.11-22] - switch the default dump dir mode to 0750 - harden against directory traversal, crafted symbolic links - avoid race-conditions in dump dir opening - Resolves: #1212096, #1217499, #1218610, #1217484 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1869 CVE-2015-1870 CVE-2015-3142 CVE-2015-3147 CVE-2015-3150 CVE-2015-3151 CVE-2015-3159 CVE-2015-3315 Oracle Linux 6 [0.12.1.2-2.448.el6_6.4] - kvm-pcnet-fix-Negative-array-index-read.patch [bz#1225886] - kvm-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch [bz#1225886] - Resolves: bz#1225886 (EMBARGOED CVE-2015-3209 qemu-kvm: qemu: pcnet: multi-tmd buffer overflow in the tx path [rhel-6.6.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3209 Oracle Linux 7 [1:2.0-17] - AP WMM: Fix integer underflow in WMM Action frame parser (rh #1221178) (rh #1222015) [1:2.0-16] - P2P: Validate SSID element length before copying it (CVE-2015-1863) [1:2.0-15] - Add domain_match config option from upstream (rh #1178263) - Include peer certificate in EAP events for use by clients [1:2.0-14] - Use os_exec() for action script execution (CVE-2014-3686) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1863 CVE-2015-4142 Oracle Linux 6 Oracle Linux 7 [1.0.1e-30.11] - improved fix for CVE-2015-1791 - add missing parts of CVE-2015-0209 fix for corectness although unexploitable [1.0.1e-30.10] - fix CVE-2014-8176 - invalid free in DTLS buffering code - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent - fix CVE-2015-1791 - race condition handling NewSessionTicket - fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function - fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on read in multithreaded applications MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8176 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-3216 Oracle Linux 6 Oracle Linux 7 [1:1.4.2-67.1] - CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982). IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9679 CVE-2015-1158 CVE-2015-1159 Oracle Linux 7 [5.4.16-36] - fix more functions accept paths with NUL character #1213407 [5.4.16-35] - core: fix multipart/form-data request can use excessive amount of CPU usage CVE-2015-4024 - fix various functions accept paths with NUL character CVE-2015-4025, CVE-2015-4026, #1213407 - fileinfo: fix denial of service when processing a crafted file #1213442 - ftp: fix integer overflow leading to heap overflow when reading FTP file listing CVE-2015-4022 - phar: fix buffer over-read in metadata parsing CVE-2015-2783 - phar: invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 - phar: fix memory corruption in phar_parse_tarfile caused by empty entry file name CVE-2015-4021 - soap: fix type confusion through unserialize #1222538 - apache2handler: fix pipelined request executed in deinitialized interpreter under httpd 2.4 CVE-2015-3330 [5.4.16-34] - fix memory corruption in fileinfo module on big endian machines #1082624 - fix segfault in pdo_odbc on x86_64 #1159892 - fix segfault in gmp allocator #1154760 [5.4.16-33] - core: use after free vulnerability in unserialize() CVE-2014-8142 and CVE-2015-0231 - core: fix use-after-free in unserialize CVE-2015-2787 - core: fix NUL byte injection in file name argument of move_uploaded_file() CVE-2015-2348 - date: use after free vulnerability in unserialize CVE-2015-0273 - enchant: fix heap buffer overflow in enchant_broker_request_dict CVE-2014-9705 - exif: free called on unitialized pointer CVE-2015-0232 - fileinfo: fix out of bounds read in mconvert CVE-2014-9652 - gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709 - phar: use after free in phar_object.c CVE-2015-2301 - soap: fix type confusion through unserialize [5.4.16-31] - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710 [5.4.16-29] - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668 - core: fix integer overflow in unserialize() CVE-2014-3669 - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670 [5.4.16-27] - gd: fix NULL pointer dereference in gdImageCreateFromXpm(). CVE-2014-2497 - gd: fix NUL byte injection in file names. CVE-2014-5120 - fileinfo: fix extensive backtracking in regular expression (incomplete fix for CVE-2013-7345). CVE-2014-3538 - fileinfo: fix mconvert incorrect handling of truncated pascal string size. CVE-2014-3478 - fileinfo: fix cdf_read_property_info (incomplete fix for CVE-2012-1571). CVE-2014-3587 - spl: fix use-after-free in ArrayIterator due to object change during sorting. CVE-2014-4698 - spl: fix use-after-free in SPL Iterators. CVE-2014-4670 - network: fix segfault in dns_get_record (incomplete fix for CVE-2014-4049). CVE-2014-3597 [5.4.16-25] - fix segfault after startup on aarch64 (#1107567) - compile php with -O3 on ppc64le (#1123499) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8142 CVE-2014-9652 CVE-2014-9705 CVE-2014-9709 CVE-2015-0231 CVE-2015-0232 CVE-2015-0273 CVE-2015-2301 CVE-2015-2348 CVE-2015-2783 CVE-2015-2787 CVE-2015-3307 CVE-2015-3329 CVE-2015-3330 CVE-2015-3411 CVE-2015-3412 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2015-4026 CVE-2015-4147 CVE-2015-4148 CVE-2015-4598 CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 CVE-2015-4602 CVE-2015-4603 CVE-2015-4604 CVE-2015-4605 Oracle Linux 7 [3.10.0-229.7.2] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.7.2] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1202861 1198843] {CVE-2015-1805} [3.10.0-229.7.1] - [scsi] storvsc: get rid of overly verbose warning messages (Vitaly Kuznetsov) [1215770 1206437] - [scsi] storvsc: force discovery of LUNs that may have been removed (Vitaly Kuznetsov) [1215770 1206437] - [scsi] storvsc: in responce to a scan event, scan the host (Vitaly Kuznetsov) [1215770 1206437] - [scsi] storvsc: NULL pointer dereference fix (Vitaly Kuznetsov) [1215770 1206437] - [virtio] defer config changed notifications (David Gibson) [1220278 1196009] - [virtio] unify config_changed handling (David Gibson) [1220278 1196009] - [x86] kernel: Remove a bogus 'ret_from_fork' optimization (Mateusz Guzik) [1209234 1209235] {CVE-2015-2830} - [kernel] futex: Mention key referencing differences between shared and private futexes (Larry Woodman) [1219169 1205862] - [kernel] futex: Ensure get_futex_key_refs() always implies a barrier (Larry Woodman) [1219169 1205862] - [scsi] megaraid_sas: revert: Add release date and update driver version (Tomas Henzl) [1216213 1207175] - [kernel] module: set nx before marking module MODULE_STATE_COMING (Hendrik Brueckner) [1214788 1196977] - [kernel] module: Clean up ro/nx after early module load failures (Pratyush Anand) [1214403 1202866] - [drm] radeon: fix kernel segfault in hwmonitor (Jerome Glisse) [1213467 1187817] - [fs] btrfs: make xattr replace operations atomic (Eric Sandeen) [1205086 1205873] - [x86] mm: Linux stack ASLR implementation (Jacob Tanenbaum) [1195684 1195685] {CVE-2015-1593} - [net] netfilter: nf_tables: fix flush ruleset chain dependencies (Jiri Pirko) [1192880 1192881] {CVE-2015-1573} - [fs] isofs: Fix unchecked printing of ER records (Mateusz Guzik) [1180482 1180483] {CVE-2014-9584} - [security] keys: memory corruption or panic during key garbage collection (Jacob Tanenbaum) [1179851 1179852] {CVE-2014-9529} - [fs] isofs: infinite loop in CE record entries (Jacob Tanenbaum) [1175246 1175248] {CVE-2014-9420} [3.10.0-229.6.1] - [net] tcp: abort orphan sockets stalling on zero window probes (Florian Westphal) [1215924 1151756] - [x86] crypto: aesni - fix memory usage in GCM decryption (Kurt Stutsman) [1213331 1212178] {CVE-2015-3331} [3.10.0-229.5.1] - [powerpc] mm: thp: Add tracepoints to track hugepage invalidate (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: Use read barrier when creating real_pte (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Use ACCESS_ONCE when loading pmdp (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Invalidate with vpn in loop (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Handle combo pages in invalidate (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Invalidate old 64K based hash page mapping before insert of 4k pte (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Don't recompute vsid and ssize in loop on invalidate (Gustavo Duarte) [1212977 1199016] - [powerpc] mm: thp: Add write barrier after updating the valid bit (Gustavo Duarte) [1212977 1199016] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9529 CVE-2014-9584 CVE-2015-1805 CVE-2014-9420 CVE-2015-1573 CVE-2015-1593 CVE-2015-2830 Oracle Linux 7 [3:2.1.15-21] - fix CVE-2015-2775 - directory traversal in MTA transports [3:2.1.15-20] - fix #1107652 - do not install patch backup files in documentation [3:2.1.15-19] - fix #1188043 - set 2775 permission only for /etc/mailman [3:2.1.15-18] - fix #1107652 - add support for DMARC - fix #1180981 - install tmpfiles.d into /usr/lib instead of /etc - fix #1188043 - set 2775 permission for /etc/mailman MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2775 Oracle Linux 7 [3.12-10.1.0.1] - add libreswan-oracle.patch to detect Oracle Linux distro [3.12-10.1] - Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart [3.12-10] - Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix] [3.12-9] - Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()] - Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster] - Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling] [3.12-8] - Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions [3.12-7] - Resolves: rhbz#1208022 libreswan ignores module blacklist rules - Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot - Resolves: rhbz#1211146 pluto crashes in fips mode [3.12-6] - Resolves: rhbz#1198650 SELinux context string size limit - Resolves: rhbz#1198649 Add new option for BSI random requirement MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3204 Oracle Linux 6 Oracle Linux 7 nss [3.19.1-3.0.1] - Added nss-vendor.patch to change vendor [3.19.1-3] - Additional NULL initialization. [3.19.1-2] - Updated the patch to keep old cipher suite order - Resolves: Bug 1224449 [3.19.1-1] - Rebase to nss-3.19.1 - Resolves: Bug 1224449 nss-util [3.19.0-1] - Rebase to nss-3.19.1 - Resolves: Bug 1224449 [3.18.0-1] - Resolves: - Bug 1205064 - [RHEL6.6] nss-util 3.18 rebase required for firefox 38 ESR MODERATE Copyright 2015 Oracle, Inc. CVE-2015-4000 Oracle Linux 5 [kvm-83-273.0.1.el5] - Added kvm-add-oracle-workaround-for-libvirt-bug.patch - Added kvm-Introduce-oel-machine-type.patch [kvm-83.273.el5] - kvm-pcnet-Properly-handle-TX-requests-during-Link-Fail.patch [bz#1225896] - kvm-pcnet-fix-Negative-array-index-read.patch [bz#1225896] - kvm-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch [bz#1225896] - Resolves: bz#1225896 (EMBARGOED CVE-2015-3209 kvm: qemu: pcnet: multi-tmd buffer overflow in the tx path [rhel-5.11.z) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3209 Oracle Linux 7 [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0252 Oracle Linux 6 Oracle Linux 7 [8.4.20-3] - CVE-2015-3165, CVE-2015-3166, CVE-2015-3167 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3165 CVE-2015-3166 CVE-2015-3167 Oracle Linux 5 [0.9.8e-36.0.1] - Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893] - fix CVE-2014-3570 - Bignum squaring may produce incorrect results - fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] [0.9.8e-36] - also change the default DH parameters in s_server to 1024 bits [0.9.8e-35] - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent - fix CVE-2015-4000 - prevent the logjam attack on client - restrict the DH key size to at least 768 bits (limit will be increased in future) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-4000 CVE-2015-1789 CVE-2015-1790 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.1.0-1.0.1] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.1.0-1] - Update to 38.1.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2727 CVE-2015-2728 CVE-2015-2729 CVE-2015-2731 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 CVE-2015-2743 Oracle Linux 6 abrt [2.0.8-26.0.1.el6_6.1] - Add abrt-oracle-enterprise.patch to be product neutral - Remove abrt-plugin-rhtsupport dependency for cli and desktop - Make abrt Obsoletes/Provides abrt-plugin-rhtsupprot [2.0.8-26.el6_6.1] - remove old dump directories in upgrade - remove outdated rmp scriptlets - daemon: allow only root to submit CCpp, Koops, VMCore and Xorg problems - abrt-action-install-debuginfo-to-abrt-cache: sanitize arguments and umask - make the problem directories owned by abrt and the group root - validate uploaded problem directories in abrt-handle-upload - don't override nor remove files with user core dump files - fix symbolic link and race condition flaws - Resolves: #1211966 libreport [2.0.9-21.0.1.el6_6.1] - Add oracle-enterprise.patch and oracle-enterprise-po.patch - Remove libreport-plugin-rhtsupport pkg [2.0.9-21.el6_6.1] - switch dump directory owner from 'abrt:user' to 'user:abrt' (rhbz#1212093) - harden against directory traversal, crafted symbolic links (rhbz#1212093) - avoid race-conditions in dump dir opening (rhbz#1212093) - Resolves: #1211966 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1869 CVE-2015-1870 CVE-2015-3142 CVE-2015-3147 CVE-2015-3159 CVE-2015-3315 Oracle Linux 6 [5.3.3-46] - fix gzfile accept paths with NUL character #1213407 - fix patch for CVE-2015-4024 [5.3.3-45] - fix more functions accept paths with NUL character #1213407 [5.3.3-44] - soap: missing fix for #1222538 and #1204868 [5.3.3-43] - core: fix multipart/form-data request can use excessive amount of CPU usage CVE-2015-4024 - fix various functions accept paths with NUL character CVE-2015-4026, #1213407 - ftp: fix integer overflow leading to heap overflow when reading FTP file listing CVE-2015-4022 - phar: fix buffer over-read in metadata parsing CVE-2015-2783 - phar: invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 - phar: fix buffer overflow in phar_set_inode() CVE-2015-3329 - phar: fix memory corruption in phar_parse_tarfile caused by empty entry file name CVE-2015-4021 - soap: more fix type confusion through unserialize #1222538 [5.3.3-42] - soap: more fix type confusion through unserialize #1204868 [5.3.3-41] - core: fix double in zend_ts_hash_graceful_destroy CVE-2014-9425 - core: fix use-after-free in unserialize CVE-2015-2787 - exif: fix free on unitialized pointer CVE-2015-0232 - gd: fix buffer read overflow in gd_gif.c CVE-2014-9709 - date: fix use after free vulnerability in unserialize CVE-2015-0273 - enchant: fix heap buffer overflow in enchant_broker_request_dict CVE-2014-9705 - phar: use after free in phar_object.c CVE-2015-2301 - soap: fix type confusion through unserialize MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9705 CVE-2014-9709 CVE-2015-0232 CVE-2015-0273 CVE-2015-2301 CVE-2015-2783 CVE-2015-2787 CVE-2015-3307 CVE-2015-3329 CVE-2015-3411 CVE-2015-3412 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4026 CVE-2015-4147 CVE-2015-4148 CVE-2015-4598 CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 CVE-2015-4602 CVE-2015-4603 CVE-2014-9425 Oracle Linux 6 [2.6.32-504.30.3] - [redhat] spec: Update dracut dependency to pull in drbg module (Frantisek Hrbata) [1241517 1241338] [2.6.32-504.30.2] - [crypto] rng: Remove krng (Herbert Xu) [1233512 1226418] - [crypto] drbg: Add stdrng alias and increase priority (Herbert Xu) [1233512 1226418] - [crypto] seqiv: Move IV seeding into init function (Herbert Xu) [1233512 1226418] - [crypto] eseqiv: Move IV seeding into init function (Herbert Xu) [1233512 1226418] - [crypto] chainiv: Move IV seeding into init function (Herbert Xu) [1233512 1226418] [2.6.32-504.30.1] - [net] Fix checksum features handling in netif_skb_features() (Vlad Yasevich) [1231690 1220247] [2.6.32-504.29.1] - [net] gso: fix skb_segment for non-offset skb pointers (Jiri Benc) [1229586 1200533] [2.6.32-504.28.1] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1202860 1185166] {CVE-2015-1805} - [net] ipv4: Missing sk_nulls_node_init in ping_unhash (Denys Vlasenko) [1218102 1218103] {CVE-2015-3636} - [net] conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition (Jesper Brouer) [1227467 1227468 1212801 1200541] - [net] tcp: Restore RFC5961-compliant behavior for SYN packets (Jesper Brouer) [1227467 1227468 1212801 1200541] - [x86] kernel: ignore NMI IOCK when in kdump kernel (Jerry Snitselaar) [1225054 1196263] - [x86] asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Mateusz Guzik) [1209232 1209233] {CVE-2015-2830} - [fs] gfs2: try harder to obtain journal lock during recovery (Abhijith Das) [1222588 1110846] for core_pmu (Jiri Olsa) [1219149 1188336] - [x86] mm: Linux stack ASLR implementation (Jacob Tanenbaum) [1195682 1195683] {CVE-2015-1593} - [fs] xfs: DIO write completion size updates race (Brian Foster) [1218499 1198440] - [net] ipv6: Don't reduce hop limit for an interface (Denys Vlasenko) [1208492 1208493] - [net] vlan: more careful checksum features handling (Vlad Yasevich) [1221844 1212384] - [kernel] tracing: Export tracing clock functions (Jerry Snitselaar) [1217986 1212502] - [edac] sb_edac: fix corruption/crash on imbalanced Haswell home agents (Seth Jennings) [1213468 1210148] - [netdrv] tun: Fix csum_start with VLAN acceleration (Jason Wang) [1217189 1036482] - [netdrv] tun: unbreak truncated packet signalling (Jason Wang) [1217189 1036482] - [netdrv] tuntap: hardware vlan tx support (Jason Wang) [1217189 1036482] - [vhost] vhost-net: fix handle_rx buffer size (Jason Wang) [1217189 1036482] - [netdrv] ixgbe: fix X540 Completion timeout (John Greene) [1215855 1150343] - [char] tty: drop driver reference in tty_open fail path (Mateusz Guzik) [1201893 1201894] - [netdrv] macvtap: Fix csum_start when VLAN tags are present (Vlad Yasevich) [1215914 1123697] - [netdrv] macvtap: signal truncated packets (Vlad Yasevich) [1215914 1123697] - [netdrv] macvtap: restore vlan header on user read (Vlad Yasevich) [1215914 1123697] - [netdrv] macvlan: Initialize vlan_features to turn on offload support (Vlad Yasevich) [1215914 1123697] - [netdrv] macvlan: Add support for 'always_on' offload features (Vlad Yasevich) [1215914 1123697] - [netdrv] mactap: Fix checksum errors for non-gso packets in bridge mode (Vlad Yasevich) [1215914 1123697] - [netdrv] revert 'macvlan: fix checksums error when we are in bridge mode' (Vlad Yasevich) [1215914 1123697] - [net] core: Correctly set segment mac_len in skb_segment() (Vlad Yasevich) [1215914 1123697] - [net] core: generalize skb_segment() (Vlad Yasevich) [1215914 1123697] - [net] core: Add skb_headers_offset_update helper function (Vlad Yasevich) [1215914 1123697] - [netdrv] ixgbe: Correctly disable VLAN filter in promiscuous mode (Vlad Yasevich) [1215914 1123697] - [netdrv] ixgbe: remove vlan_filter_disable and enable functions (Vlad Yasevich) [1215914 1123697] - [netdrv] qlge: Fix TSO for non-accelerated vlan traffic (Vlad Yasevich) [1215914 1123697] - [netdrv] i40evf: Fix TSO and hw checksums for non-accelerated vlan packets (Vlad Yasevich) [1215914 1123697] - [netdrv] i40e: Fix TSO and hw checksums for non-accelerated vlan packets (Vlad Yasevich) [1215914 1123697] - [netdrv] ehea: Fix TSO and hw checksums with non-accelerated vlan packets (Vlad Yasevich) [1215914 1123697] - [netdrv] e1000: Fix TSO for non-accelerated vlan traffic (Vlad Yasevich) [1215914 1123697] - [kernel] ipc: sysv shared memory limited to 8TiB (George Beshers) [1224301 1171218] - [mm] hugetlb: improve page-fault scalability (Larry Woodman) [1212300 1120365] - [netdrv] hyperv: Fix the total_data_buflen in send path (Jason Wang) [1222556 1132918] - [crypto] drbg: fix maximum value checks on 32 bit systems (Herbert Xu) [1225950 1219907] - [crypto] drbg: remove configuration of fixed values (Herbert Xu) [1225950 1219907] [2.6.32-504.27.1] - [netdrv] mlx4_en: current_mac isn't updated in port up (Amir Vadai) [1224383 1081667] - [netdrv] mlx4_en: Fix mac_hash database inconsistency (Amir Vadai) [1224383 1081667] - [netdrv] mlx4_en: Protect MAC address modification with the state_lock mutex (Amir Vadai) [1224383 1081667] - [netdrv] mlx4_en: Fix errors in MAC address changing when port is down (Amir Vadai) [1224383 1081667] - [netdrv] mlx4: Verify port number in __mlx4_unregister_mac (Amir Vadai) [1224383 1081667] - [netdrv] mlx4_en: Adding missing initialization of perm_addr (Amir Vadai) [1225489 1120930] [2.6.32-504.26.1] - [kernel] sched: Fix clock_gettime(CLOCK_[PROCESS/THREAD]_CPUTIME_ID) monotonicity (Seth Jennings) [1219501 1140024] - [kernel] sched: Replace use of entity_key() (Larry Woodman) [1219123 1124603] [2.6.32-504.25.1] - [net] ipvs: allow rescheduling of new connections when port reuse is detected (Marcelo Leitner) [1222771 1108514] - [net] ipvs: Fix reuse connection if real server is dead (Marcelo Leitner) [1222771 1108514] - [netdrv] bonding: fix locking in enslave failure path (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: primary_slave & curr_active_slave are not cleaned on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: vlans don't get deleted on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: mc addresses don't get deleted on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: IFF_BONDING is not stripped on enslave failure (Nikolay Aleksandrov) [1222483 1221856] - [netdrv] bonding: fix error handling if slave is busy v2 (Nikolay Aleksandrov) [1222483 1221856] [2.6.32-504.24.1] - [mm] readahead: get back a sensible upper limit (Rafael Aquini) [1215755 1187940] MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1593 CVE-2015-2830 CVE-2011-5321 CVE-2015-2922 CVE-2015-3636 Oracle Linux 6 Oracle Linux 7 [1:1.8.0.51-0.b16] - July 2015 security update to u51b16. - Add script for generating OpenJDK tarballs from a local Mercurial tree. - Add %{name} prefix to patches to avoid conflicts with OpenJDK 7 versions. - Add patches for RH issues fixed in IcedTea 2.x and/or the upcoming u60. - Use 'openjdk' as directory prefix to allow patch interchange with IcedTea. - Re-generate EC disablement patch following CPU DH changes. - Resolves: rhbz#1235160 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4000 CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2659 CVE-2015-2808 CVE-2015-3149 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 Oracle Linux 6 Oracle Linux 7 [1:1.7.0.85-2.6.1.3.0.1] - Update DISTRO_NAME in specfile [1:1.7.0.85-2.6.1.3] - libsctp is not available on all versions of RHEL 6. - Resolves: rhbz#1235156 [1:1.7.0.85-2.6.1.2] - Bump upstream tarball to u25b01 to fix issue with 8075374 backport. - Resolves: rhbz#1235156 [1:1.7.0.85-2.6.1.1] - Update OpenJDK tarball so correct version is used. - Resolves: rhbz#1235156 [1:1.7.0.85-2.6.1.0] - Bump to 2.6.1 and u85b00. - Resolves: rhbz#1235156 [1:1.7.0.80-2.6.0.0] - Revert addition of LCMS removal as RHEL < 7 does not have LCMS 2. - Resolves: rhbz#1235156 [1:1.7.0.80-2.6.0.0] - Bump to 2.6.0 and u80b32. - Drop upstreamed patches and separate AArch64 HotSpot. - Add dependencies on pcsc-lite-devel (PR2496) and lksctp-tools-devel (PR2446) - Only run -Xshare:dump on JIT archs other than power64 as port lacks support - Update remove-intree-libraries script to cover LCMS and PCSC headers and SunEC. - Resolves: rhbz#1235156 CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4000 CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 Oracle Linux 5 [1:1.7.0.85-2.6.1.3.0.1] - Add oracle-enterprise.patch - Fix DISTRO_NAME to 'Oracle Linux' [1:1.7.0.85-2.6.1.3] - Check return value of gio_init in gsettings_init and return false if necessary. - Re-enable the use of system GConf. - Only ifdef g_type_init&g_free if USE_SYSTEM_GIO and USE_SYSTEM_GCONF are undefined. - Resolves: rhbz#1242587 [1:1.7.0.85-2.6.1.2] - Turn off system GConf as library seems buggy on RHEL 5.11 - Resolves: rhbz#1235155 [1:1.7.0.85-2.6.1.1] - Bump upstream tarball to u25b01 to fix issue with 8075374 backport. - Resolves: rhbz#1235155 [1:1.7.0.85-2.6.1.0] - Remove upstream PR2503 fix. - Resolves: rhbz#1235155 [1:1.7.0.85-2.6.1.0] - Update OpenJDK tarball so correct version is used. - Resolves: rhbz#1235155 [1:1.7.0.85-2.6.1.0] - Bump to 2.6.1 and u85b00. - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - The RHEL 5 version of libsctp is too old for the OpenJDK SCTP implementation. - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - Backport PR2503 to allow build to proceed without GIO being present. - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - Revert move to redhat-lsb-core as unavailable on RHEL 5.11. - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - Remove libxslt and mercurial dependencies pulled in from IcedTea builds. - Reduce redhat-lsb dependency to redhat-lsb-core (lsb_release) - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - Revert addition of LCMS removal as RHEL < 7 does not have LCMS 2. - Resolves: rhbz#1235155 [1:1.7.0.80-2.6.0.0] - Bump to 2.6.0 and u80b32. - Drop upstreamed patches and separate AArch64 HotSpot. - Add dependencies on pcsc-lite-devel (PR2496) and lksctp-tools-devel (PR2446) - Add dependency on GConf2-devel (PR2320) - Only run -Xshare:dump on JIT archs other than power64 as port lacks support - Update remove-intree-libraries script to cover LCMS and PCSC headers and SunEC. - Resolves: rhbz#1235155 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4000 CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 Oracle Linux 6 [2.2.15-45.0.1] - replace index.html with Oracle's index page oracle_index.html - update vstring in specfile [2.2.15-45] - mod_proxy_balancer: add support for 'drain mode' (N) (#767130) [2.2.15-44] - set SSLCipherSuite to DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES (#1086771) [2.2.15-43] - revert DirectoryMatch patch from 2.2.15-40 (#1016963) [2.2.15-42] - core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704) [2.2.15-41] - fix compilation with older OpenSSL caused by misspelling in patch (#1162268) [2.2.15-40] - mod_proxy: do not mix workers shared memory during graceful restart (#1149906) - mod_ssl: Fix SSL_CLIENT_VERIFY value when optional_no_ca and SSLSessionCache are used and SSL session is resumed (#1149703) - mod_ssl: log revoked certificates at the INFO level (#1161328) - mod_ssl: use -extensions v3_req for certificate generation (#906476) - core: check the config file before restarting the server (#1146194) - core: do not match files when using DirectoryMatch (#1016963) - core: improve error message for inaccessible DocumentRoot (#987590) - rotatelogs: improve support for localtime (#922844) - mod_deflate: fix decompression of files larger than 4GB (#1057695) - ab: fix integer overflow when printing stats with lot of requests (#1092419) - ab: try all addresses instead of failing on first one when not available (#1125269) - ab: fix read failure when targeting SSL server (#1045477) - apachectl: support HTTPD_LANG variable from /etc/sysconfig/httpd (#963146) - do not display 'bomb' icon for files ending with 'core' (#1069625) LOW Copyright 2015 Oracle, Inc. CVE-2013-5704 Oracle Linux 6 [7.19.7-46] - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) [7.19.7-45] - reject CRLFs in URLs passed to proxy (CVE-2014-8150) [7.19.7-44] - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) [7.19.7-43] - fix manpage typos found using aspell (#1011101) - fix comments about loading CA certs with NSS in man pages (#1011083) - fix handling of DNS cache timeout while a transfer is in progress (#835898) - eliminate unnecessary inotify events on upload via file protocol (#883002) - use correct socket type in the examples (#997185) - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178) - fix SIGSEGV of curl --retry when network is down (#1009455) - allow to use TLS 1.1 and TLS 1.2 (#1012136) - docs: update the links to cipher-suites supported by NSS (#1104160) - allow to use ECC ciphers if NSS implements them (#1058767) - make curl --trace-time print correct time (#1120196) - let tool call PR_Cleanup() on exit if NSPR is used (#1146528) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747) - allow to enable/disable new AES cipher-suites (#1156422) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163) - disable libcurl-level downgrade to SSLv3 (#1154059) [7.19.7-42] - do not force connection close after failed HEAD request (#1168137) - fix occasional SIGSEGV during SSL handshake (#1168668) [7.19.7-41] - fix a connection failure when FTPS handle is reused (#1154663) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 Oracle Linux 6 [2.6.32-573] - [security] selinux: dont waste ebitmap space when importing NetLabel categories (Paul Moore) [1130197] - [x86] Revert Add driver auto probing for x86 features v4 (Prarit Bhargava) [1231280] - [net] bridge: netfilter: dont call iptables on vlan packets if sysctl is off (Florian Westphal) [1236551] - [net] ebtables: Allow filtering of hardware accelerated vlan frames (Florian Westphal) [1236551] [2.6.32-572] - [fs] Revert fuse: use clear_highpage and KM_USER0 instead of KM_USER1 (Brian Foster) [1229562] [2.6.32-571] - [netdrv] bnx2x: Move statistics implementation into semaphores (Michal Schmidt) [1231348] - [scsi] storvsc: Set the SRB flags correctly when no data transfer is needed (Vitaly Kuznetsov) [1221404] [2.6.32-570] - [block] fix ext_dev_lock lockdep report (Jeff Moyer) [1230927] - [md] Revert md dm: run queue on re-queue (Mike Snitzer) [1232007] - [firmware] another cxgb4 firmware load fixup (Sai Vemuri) [1189255] - [char] tty: Dont protect atomic operation with mutex (Aristeu Rozanski) [1184182] - [edac] i5100 add 6 ranks per channel (Aristeu Rozanski) [1171333] - [edac] i5100 clean controller to channel terms (Aristeu Rozanski) [1171333] - [crypto] rng - Remove krng (Herbert Xu) [1226418] - [crypto] drbg - Add stdrng alias and increase priority (Herbert Xu) [1226418] - [crypto] seqiv - Move IV seeding into init function (Herbert Xu) [1226418] - [crypto] eseqiv - Move IV seeding into init function (Herbert Xu) [1226418] - [crypto] chainiv - Move IV seeding into init function (Herbert Xu) [1226418] [2.6.32-569] - [gpu] drm/radeon: fix freeze for laptop with Turks/Thames GPU (Jerome Glisse) [1213297] - [md] dm: fix casting bug in dm_merge_bvec (Mike Snitzer) [1226453] - [fs] nfs: Send the size attribute on open(O_TRUNC) (Benjamin Coddington) [1208065] - [net] inet: fix processing of ICMP frag_needed messages (Sabrina Dubroca) [1210321] - [net] tcp: double default TSQ output bytes limit (Hannes Frederic Sowa) [1140590] - [hv] hv_balloon: correctly handle num_pages>INT_MAX case (Vitaly Kuznetsov) [1006234] - [hv] hv_balloon: correctly handle val.freeram<num_pages case (Vitaly Kuznetsov) [1006234] - [hv] hv_balloon: survive ballooning request with num_pages=0 (Vitaly Kuznetsov) [1006234] - [hv] hv_balloon: eliminate jumps in piecewiese linear floor function (Vitaly Kuznetsov) [1006234] - [hv] hv_balloon: do not online pages in offline blocks (Vitaly Kuznetsov) [1006234] - [hv] hv_balloon: dont lose memory when onlining order is not natural (Vitaly Kuznetsov) [1006234] [2.6.32-568] - [base] reduce boot delay on large memory systems (Seth Jennings) [1221389] - [md] dm: run queue on re-queue (Mike Snitzer) [1225158] - [fs] take i_mutex during prepare_binprm for set<u,g>id executables (Mateusz Guzik) [1216269] {CVE-2015-3339} - [netdrv] i40e: Make sure to be in VEB mode if SRIOV is enabled at probe (Stefan Assmann) [1206000] - [netdrv] i40e: start up in VEPA mode by default (Stefan Assmann) [1206000] - [netdrv] e1000e: Bump the version to 3.2.5 (John Greene) [1211531] - [netdrv] e1000e: fix unit hang during loopback test (John Greene) [1211531] - [netdrv] e1000e: fix systim issues (John Greene) [1211531] - [netdrv] e1000e: fix legacy interrupt handling in i219 (John Greene) [1211531] - [netdrv] e1000e: fix flush_desc_ring implementation (John Greene) [1211531] - [netdrv] e1000e: fix logical error in flush_desc_rings (John Greene) [1211531] - [netdrv] e1000e: remove call to do_div and sign mismatch warning (John Greene) [1211531] - [netdrv] e1000e: i219 execute unit hang fix on every reset or power state transition (John Greene) [1211531] - [netdrv] e1000e: i219 fix unit hang on reset and runtime D3 (John Greene) [1211531] - [netdrv] e1000e: fix call to do_div to use u64 arg (John Greene) [1211531] - [netdrv] e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size (John Greene) [1211531] - [netdrv] e1000e: Correctly include VLAN_HLEN when changing interface MTU (John Greene) [1211531] - [netdrv] e1000e: call netif_carrier_off early on down (John Greene) [1211531] [2.6.32-567] - [serial] add ability to set IRQ via module parameter (Prarit Bhargava) [1210848] - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1185166] {CVE-2015-1805} - [netdrv] macvlan: add VLAN filters to lowerdev (Ivan Vecera) [1213846] - [x86] Mark Intel Broadwell-DE processor as unsupported (Steve Best) [1226904] - [net] ipv6: reallocate addrconf router for ipv6 address when lo device up (Hannes Frederic Sowa) [1223610] - [mm] memory-failure: move refcount only in !MF_COUNT_INCREASED (Rafael Aquini) [1222832] - [mm] memory-failure: shift page lock from head page to tail page after thp split (Rafael Aquini) [1222832] - [mm] memory-failure: transfer page count from head page to tail page after split thp (Rafael Aquini) [1222832] - [scsi] lpfc: Correct loss of target discovery after cable swap (Rob Evers) [1226779] [2.6.32-566] - [netdrv] iwlwifi: use custom workqueue (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: remove not used *bt-coex* files (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: avoid use-after-free on iwl_mvm_d0i3_enable_tx() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: clean net-detect info if device was reset during suspend (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: take the UCODE_DOWN reference when resuming (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: BT Coex - duplicate the command if sent ASYNC (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: nvm: force mac from otp in case nvm mac is reserved (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Free fw_status after use to avoid memory leak (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix MLME trigger (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: dont disable the busmaster DMA clock for family 8000 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: 7000: modify the firmware name for 3165 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: forbid MIMO on devices that dont support it (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: force quota update update after FW restart (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix typo in CONFIG option (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont power off the device between INIT and OPER firmwares (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: prevent using unmapped memory in fw monitor (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Avoid signal based decisions if ave beacon RSSI is 0 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix scan iteration complete notification handling (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont stop the FW monitor too early (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix Tx Power firmware API (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: capture connection loss as part of MLME trigger (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for time events (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: do string formatting in debug triggers (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: fix spelling errors (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont return uninitialized value in get_survey() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove unused arguments (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Fix wrongfully flushing frames in the roc/off channel queue (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add debugfs entry with the number of net-detect scans (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: refactor rs_update_rate_tbl (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: check the size of the trigger struct from the firmware file (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon MLME failures (Stanislaw Gruszka) [1134606] - [net] mac80211: Fix mac80211.h docbook comments (Stanislaw Gruszka) [1134606] - [net] mac80211: notify the driver about deauth (Stanislaw Gruszka) [1134606] - [net] mac80211: notify the driver about association status (Stanislaw Gruszka) [1134606] - [net] mac80211: notify the driver about authentication status (Stanislaw Gruszka) [1134606] - [netdrv] mac80211: convert rssi_callback() to event_callback() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: fix comment indentation (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Clean up UMAC scan UIDs in the reset and drv_stop flows (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: 8000: change PNVM in case it doesnt match to the HW step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix debug print in the RSA ownership workaround (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: allow to configure the timeout for the Tx queues (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: drop support for early versions of 8000 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: use debugfs_create_bool() for enable_scan_iteration_notif (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: initialize trans_pcie->ref_count on configure() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: inform mac80211 about umac scans that was aborted by restart (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove d0i3 ref correctly during AP start (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: Fix memory leak in iwl_req_fw_callback() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove WARN_ON for invalid BA notification (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: take IWL_MVM_REF_UCODE_DOWN before restarting hw (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont wait for firmware verification (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: add new 3165 series PCI IDs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove time-event start/end failure warning (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add iccm data to 8000 b-step data dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: add rx packet sequence number to dbg print (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: properly flush the queues for buffering transport (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: assign new TLV bit for multi-source LAR (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: continue (with error) CSA on GO time event failure (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: simplify iwl_mvm_get_wakeup_status() return (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont double unlock the mutex in __iwl_mvm_resume() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: clarify time event end handling (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Always enable the smart FIFO (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: update copyright to include 2015 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: add more new 8260 series PCI IDs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: BT Coex - update the new API (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix force NMI for 8000 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: freeze the non-shared queues when a station goes to sleep (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: allow the op_mode to freeze the stuck queue timer (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: update Tx statistics when using fixed rate (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont init MCC during CT-kill (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove warning on station exhaustion (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: trans: Take ownership on secure machine before FW load (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: add new 8260 series PCI IDs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: improve ss_params debug print (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: dont allow the FW to return invalid ch indices (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: reflect TDLS pm state in mvmvif->pm_enabled (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix identation (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove unneeded include iwl-fw-error-dump.h (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: use correct NVM offset for LAR enable for new NVMs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: fix smatch warning: warn: inconsistent indenting (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: include more registers in the prph dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: speed up the Tx DMA stop flow (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support family 8000 B2/C steps (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: always update the quota after association (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: BT Coex - disable RRC by default (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove IWL_UCODE_TLV_API_SF_NO_DUMMY_NOTIF (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove IWL_UCODE_TLV_API_DISABLE_STA_TX (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: bump API to 13 for devices that use iwlmvm (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: set LAR MCC on D3/D0 transitions (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support LAR updates from BIOS (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: take the MAC address from HW registers (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: allow disabling LAR via module param (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support new PHY_SKU nvm section for family 8000 B0 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: disable 11ac if 11n is disabled (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: iwlmvm: LAR: disable LAR support due to NVM vs TLV conflict (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: change last 5ghz channel to 165 & add support for 8000 family (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: use IWL_DEFAULT_MAX_TX_POWER for max_eirp (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: nvm: init correct nvm channel list for 8000 devices (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: LAR: Add chub mcc change notify command (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: dont declare support for 5ghz if not supported (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: ignore IBSS flag as regulatory NO-IR indication (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: consider LAR support during NVM parse (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: create regdomain from mcc_update_cmd response (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: init country code on init/recovery (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add MCC update FW API (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: disconnect if CSA time event fails scheduling (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: dvm: drop VO packets when mac80211 tells us to (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix compilation with IWLWIFI_DEBUGFS not set (Stanislaw Gruszka) [1134606] - [netdrv] wireless: Use eth_<foo>_addr instead of memset (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont override passive dwell in case of fragmented scan (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon low RSSI (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon statistics (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: restart firmware recording when no configuration is set (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon command response (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon channel switch (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add trigger for firmware dump upon missed beacons (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add the cause of the firmware dump in the dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add framework for triggers for fw dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: use only 40 ms for fragmented scan (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: allow to force the Rx chains from debugfs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: add new TLV capability flag for BT PLCR (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont iterate interfaces to disconnect in net-detect (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: new Alive / error table API (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support beacon statistics for BSS client (Stanislaw Gruszka) [1134606] - [net] cfg80211: add nl80211 beacon-only statistics (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont write to DBGC_OUT_CTRL when stopping the recording (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove deprecated scan API code (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: deprecate -9.ucode for 3160 / 7260 / 7265 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support radio statistics as global survey (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add statistics API version 10 (Stanislaw Gruszka) [1134606] - [net] cfg80211: add scan time to survey data (Stanislaw Gruszka) [1134606] - [netdrv] cfg80211: remove channel from survey names (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: apply destination before releasing reset (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove unused function in BT coex (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix BT coex shared antenna activity check (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: print single stream params via debugfs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: avoid ss_force from being reset after tx idle (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: increase the number of PAPD channel groups to 9 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: consider TDLS queues as used during drain (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: disable MIMO for low latency P2P (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: adapt rate matching to new STBC/BFER (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: disable beamformer unless FW supports it (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont try to stop scans that are not running anymore (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: better match tx response rate to the LQ table (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: call ieee80211_scan_completed() even if scan abort fails (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: reduce quota threshold (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont send a command the firmware doesnt know (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Fix building channels in scan_config_cmd (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Enable EBS also in single scan on umac interface (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Fix a few EBS error handling bugs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: allow to define the stuck queue timer per queue (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: enable watchdog on Tx queues for mvm (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: ignore stale TDLS ch-switch responses (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: improve TDLS ch-sw state machine (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: prepare the enablement of 31 TFD queues (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: enable forcing single stream Tx decision (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: remove space padding after sysassert description (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add beamformer support (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: dont dump useless data when a TFD queue hangs (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont reprobe if we fail during reconfig and fw_restart is false (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: check IWL_UCODE_TLV_API_SCD_CFG in API and not in capa (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: fix rx chains configuration in phy ctxt cmd (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: support secured boot flow for family 8000 B step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: use a new API for enabling STBC (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: refactor ht/vht init (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: remove stats argument from functions (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: really disable TDLS queues (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: BT Coex - set all the co-running values to 0 (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Do not consider invalid HW queues in queue mask (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support family 8000 C step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: init ref_lock (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: document switch case fall-through in iwl_mvm_send_sta_key (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: use STBC regardless of power save mode (Stanislaw Gruszka) [1134606] - [netdrv] Revert iwlwifi: mvm: drop non VO frames when flushing (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add support for new LTR command (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: BT Coex - fine tune the MPLUT register (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: move U-APSD decision to authentication (Stanislaw Gruszka) [1134606] - [netdrv] mac80211: move U-APSD enablement to vif flags (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: ignore temperature updates in the RX statistics notification (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: cleanup unuseful and overflowing traces (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: generate statistics debugfs code (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: move statistics API to new header file (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: sync statistics firmware API (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: correctly set the NMI register (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add rxf and txf to dump data (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add support for dumping a secondary SRAM (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add debugfs file for misbehaving U-APSD AP (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: let the firmware configure the scheduler (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: remove unused TLV capability flags (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add print of he nvm version (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: set max_out_time equal to frag_passive_dwell in fragmented scan (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: allow to disable MIMO for P2P only (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: allow to collect debug data from non-sleepable context (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: make sure state isnt in d0i3 when stopping fw monitor (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Add debugfs entry to enable scan offload notification (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: add new config and PCI IDs for 4165 series (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: make sure state isnt in d0i3 when collecting fw dbg (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: repeat initial legacy rates in LQ table (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: dont indicate no BA if STA was in powersave (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: organize and cleanup consts (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Alter passive scan fragmentation parameters in case of multi-MAC (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: call to pcie_apply_destination also on family 8000 B step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: ask the fw to wakeup (from d0i3) on sysassert (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: tlv: add support for IWL_UCODE_TLV_SDIO_ADMA_ADDR TLV (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: use iwl_mvm_sta_from_mac80211() consistently (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: use iwl_mvm_vif_from_mac80211() consistently (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: remove useless extern definition of iwl4265_2ac_sdio_cfg (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: clean refs before stop_device() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: dvm: main: Use setup_timer (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: dvm: tt: Use setup_timer (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support 2 different channels (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: wait for d0i3 exit on hw restart (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: consider d0i3_disable in iwl_mvm_is_d0i3_supported() (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: support multiple d0i3 modes (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support IWL_D0I3_MODE_ON_SUSPEND d0i3 mode (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: allow both d0i3 and d3 wowlan configuration modes (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: add basic reference accounting (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: convert the SRAM dump to the generic memory dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: change SMEM dump to general purpose memory dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add smem content to dump data (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support additional nvm_file in family 8000 B step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: rs: fix max rate allowed if no rate is allowed (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: clear tt values when entering CT-kill (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: Set the HW step in the core dump (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: allow RSSI compensation (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add debugfs to trigger fw debug logs collection (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: pcie: let the Manageability Engine know when we leave (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: support LnP 1x1 antenna configuration (Stanislaw Gruszka) [1134606] - [netdrv] Revert iwlwifi: use correct fw file in 8000 b-step (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: mvm: add fw runtime stack to dump data (Stanislaw Gruszka) [1134606] - [netdrv] iwlwifi: remove MODULE_VERSION (Stanislaw Gruszka) [1134606] [2.6.32-565] - [x86] perf/intel: Add INST_RETIRED.ALL workarounds (Jiri Olsa) [1189949] - [x86] perf/intel: Add Broadwell core support (Jiri Olsa) [1189949] - [x86] perf/intel: Add new cache events table for Haswell (Jiri Olsa) [1189949] MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8133 CVE-2014-3184 CVE-2014-4652 CVE-2014-9683 CVE-2015-0239 CVE-2015-3339 CVE-2014-3940 CVE-2014-8709 Oracle Linux 6 [2.2.6-4] - Move OpenSSL init out of version check Resolves: Bug#1189394 radiusd segfaults after update - Comment-out ippool-dhcp.conf inclusion Resolves: Bug#1189386 radiusd fails to start after 'clean' installation [2.2.6-3] - Disable OpenSSL version check Resolves: Bug#1189011 [2.2.6-2] - Fix a number of new Coverity errors and compiler warnings. Resolves: Bug#1188598 [2.2.6-1] - Upgrade to the latest upstream release v2.2.6 Resolves: Bug#921563 raddebug not working correctly Resolves: Bug#921567 raddebug -t 0 exists immediately Resolves: Bug#1060319 MSCHAP Authentication is not working using automatic windows user credentials Resolves: Bug#1078736 Rebase FreeRADIUS to 2.2.4 Resolves: Bug#1135439 Default message digest defaults to sha1 Resolves: Bug#1142669 EAP-TLS and OCSP validation causing segmentation fault Resolves: Bug#1173388 dictionary.mikrotik missing Attributes - Remove radutmp rotation Resolves: Bug#904578 radutmp should not rotate - Check for start_servers not exceeding max_servers Resolves: Bug#1146828 radiusd silently fails when start_servers is higher than max_servers MODERATE Copyright 2015 Oracle, Inc. CVE-2014-2015 Oracle Linux 6 [2.6.6-64.0.1] - Add Oracle Linux distribution in platform.py [orabug 21288328] (Keshav Sharma) [2.6.6-64] - Enable use of deepcopy() with instance methods Resolves: rhbz#1223037 [2.6.6-63] - Since -libs now provide python-ordered dict, added ordereddict dist-info to site-packages Resolves: rhbz#1199997 [2.6.6-62] - Fix CVE-2014-7185/4650/1912 CVE-2013-1752 Resolves: rhbz#1206572 [2.6.6-61] - Fix logging module error when multiprocessing module is not initialized Resolves: rhbz#1204966 [2.6.6-60] - Add provides for python-ordereddict Resolves: rhbz#1199997 [2.6.6-59] - Let ConfigParse handle options without values - Add check phase to specfile, fix and skip relevant failing tests Resolves: rhbz#1031709 [2.6.6-58] - Make Popen.communicate catch EINTR error Resolves: rhbz#1073165 [2.6.6-57] - Add choices for sort option of cProfile for better output Resolves: rhbz#1160640 [2.6.6-56] - Make multiprocessing ignore EINTR Resolves: rhbz#1180864 [2.6.6-55] - Fix iteration over files with very long lines Resolves: rhbz#794632 [2.6.6-54] - Fix subprocess.Popen.communicate() being broken by SIGCHLD handler. Resolves: rhbz#1065537 - Rebuild against latest valgrind-devel. Resolves: rhbz#1142170 [2.6.6-53] - Bump release up to ensure proper upgrade path. Related: rhbz#958256 MODERATE Copyright 2015 Oracle, Inc. CVE-2013-1752 CVE-2014-1912 CVE-2014-4650 CVE-2014-7185 Oracle Linux 6 [5.0.5-113.0.1] - add autofs-5.0.5-lookup-mounts.patch [Orabug:12658280] (Bert Barbe) use tcp instead of udp [5.0.5-113] - bz1201195 - autofs: MAPFMT_DEFAULT is not macro in lookup_program.c - fix macro usage in lookup_program.c. - Resolves: rhbz#1201195 [5.0.5-112] - bz1124083 - Autofs stopped mounting /net/hostname/mounts after seeing duplicate exports in the NFS server - fix use after free in patch to handle duplicate in multi mounts. - change log messages to try and make them more sensible. - fix log entry for rev 5.0.5-111 below. - Related: rhbz#1124083 [5.0.5-111] - bz1153130 - autofs-5.0.5-109 with upgrade to RHEL 6.6 no longer recognizes +yp: in auto.master - fix fix master map type check. - bz1156387 - autofs /net maps do not refresh list of shares exported on the NFS server - fix typo in update_hosts_mounts(). - fix hosts map update on reload. - bz1160446 - priv escalation via interpreter load path for program based automount maps - add a prefix to program map stdvars. - add config option to force use of program map stdvars. - bz1175671 - automount segment fault in parse_sun.so for negative parser tests - fix incorrect check in parse_mount(). - bz1124083 - Autofs stopped mounting /net/hostname/mounts after seeing duplicate exports in the NFS server - fix fix map entry duplicate offset detection (dependednt patch). - handle duplicates in multi mounts. - Resolves: rhbz#1153130 rhbz#1156387 rhbz#1160446 rhbz#1175671 rhbz#1124083 [5.0.5-110] - bz1163957 - Autofs unable to mount indirect after attempt to mount wildcard - make negative cache update consistent for all lookup modules. - ensure negative cache isn't updated on remount. - dont add wildcard to negative cache. - Resolves: rhbz#1163957 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8169 Oracle Linux 6 [9.0.3-43] - Resolves #1225589 - unable to create rhel 7.1 replica from rhel 6 replica CA because subsystem user does not exist [9.0.3-42] - Resolves #1221900 - pki-core: cross-site scripting flaw in the dogtag administration page (port 9180, port 9444) [rhel-6.7] [9.0.3-41] - Resolves #1212557 - ipa-server-install fails when configuring CA [9.0.3-40] - Resolves #1171848 - IPA - port 9443 (pki-core) is vulnerable to SSLv3 POODLE (based upon upstream changes provided by cfu and alee) MODERATE Copyright 2015 Oracle, Inc. CVE-2012-2662 Oracle Linux 6 [1.3.3-4.3] - Add missing checks for small/truncated files resolves: rhbz#1158993 - Fix typo in man page Win::Hivex.3.pm resolves: rhbz#1164693 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9273 Oracle Linux 6 [1:5.5-54.0.1] - Add Oracle ACFS to hrStorage (John Haxby) [orabug 18510373] [1:5.5-54] - Quicker loading of IP-MIB::ipAddrTable (#1191393) [1:5.5-53] - Quicker loading of IP-MIB::ipAddressTable (#1191393) [1:5.5-52] - Fixed snmptrapd crash when '-OQ' parameter is used and invalid trap is received (#CVE-2014-3565) [1:5.5-51] - added faster caching into IP-MIB::ipNetToMediaTable (#789500) - fixed compilation with '-Werror=format-security' (#1181994) - added clear error message when port specified in 'clientaddrr' config option cannot be bound (#886468) - fixed error check in IP-MIB::ipAddressTable (#1012430) - fixed agentx client crash on failed response (#1023570) - fixed dashes in net-snmp-config.h (#1034441) - fixed crash on monitor trigger (#1050970) - fixed 'netsnmp_assert 1 == new_val->high failed' message in system log (#1065210) - fixed parsing of 64bit counters from SMUX subagents (#1069046) - Fixed HOST-RESOURCES-MIB::hrProcessorTable on machines with >100 CPUs (#1070075) - fixed net-snmp-create-v3-user to have the same content on 32 and 64bit installations (#1073544) - fixed IPADDRESS value length in Python bindings (#1100099) - fixed hrStorageTable to contain 31 bits integers (#1104293) - fixed links to developer man pages (#1119567) - fixed storageUseNFS functionality in hrStorageTable (#1125793) - fixed netsnmp_set Python bindings call truncating at the first '\000' character (#1126914) - fixed log level of SMUX messages (#1140234) - use python/README to net-snmp-python subpackage (#1157373) - fixed forwarding of traps with RequestID=0 in snmptrapd (#1146948) - fixed typos in NET-SNMP-PASS-MIB and SMUX-MIB (#1162040) - fixed close() overhead of extend commands (#1188295) - fixed lmSensorsTable not reporting sensors with duplicate names (#967871) - fixed hrDeviceTable with interfaces with large ifIndex (#1195547) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3565 Oracle Linux 6 [1.8.6p3-19] - RHEL-6.7 erratum - modified the authlogicfix patch to fix #1144448 - fixed a bug in the ldapusermatchfix patch Resolves: rhbz#1144448 Resolves: rhbz#1142122 [1.8.6p3-18] - RHEL-6.7 erratum - fixed the mantypos-ldap.patch Resolves: rhbz#1138267 [1.8.6p3-17] - RHEL-6.7 erratum - added patch for CVE-2014-9680 - added BuildRequires for tzdata Resolves: rhbz#1200253 [1.8.6p3-16] - RHEL-6.7 erratum - added zlib-devel build required to enable zlib compression support - fixed two typos in the sudoers.ldap man page - fixed a hang when duplicate nss entries are specified in nsswitch.conf - SSSD: implemented sorting of the result entries according to the sudoOrder attribute - LDAP: fixed logic handling the computation of the 'user matched' flag - fixed restoring of the SIGPIPE signal in the tgetpass function - fixed listpw, verifypw + authenticate option logic in LDAP/SSSD Resolves: rhbz#1106433 Resolves: rhbz#1138267 Resolves: rhbz#1147498 Resolves: rhbz#1138581 Resolves: rhbz#1142122 Resolves: rhbz#1094548 Resolves: rhbz#1144448 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9680 Oracle Linux 6 [3:2.1.12-25] - fix CVE-2002-0389 - local users able to read private mailing list archives [3:2.1.12-24] - fix CVE-2015-2775 - directory traversal in MTA transports [3:2.1.12-23] - fix #1095359 - handle update when some mailing lists have been created by newer Mailman than this one [3:2.1.12-22] - fix #1095359 - add support for DMARC [3:2.1.12-21] - fix #1056366 - fix bad subject of the welcome email when creating list using newlist command [3:2.1.12-20] - fix #745409 - do not set Indexes in httpd configuration for public archive - fix #1008139 - fix traceback when list_data_dir is not a child of var_prefix [3:2.1.12-19] - fix #765807 - fix traceback when message is received to moderated list MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2775 CVE-2002-0389 Oracle Linux 6 [2.7.6-20.0.1.el6] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [libxml2-2.7.6-20.el6] - CVE-2015-1819 Enforce the reader to run in constant memory(rhbz#1214163) [libxml2-2.7.6-19.el6] - Stop parsing on entities boundaries errors - Fix missing entities after CVE-2014-3660 fix (rhbz#1149086) [libxml2-2.7.6-18.el6] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149086) - Fix html serialization error and htmlSetMetaEncoding (rhbz#1004513) [libxml2-2.7.6-17.el6] - Fix a set of regressions introduced in CVE-2014-0191 (rhbz#1105011) [libxml2-2.7.6-16.el6] - Improve handling of xmlStopParser(CVE-2013-2877) [libxml2-2.7.6-15.el6] - Do not fetch external parameter entities (CVE-2014-0191) [libxml2-2.7.6-14.el6] - Fix a regression in 2.9.0 breaking validation while streaming (rhbz#863166) [2.7.6-13.el6] - detect and stop excessive entities expansion upon replacement (rhbz#912575) [2.7.6-12.el6] - fix out of range heap access (CVE-2012-5134) [2.7.6-11.el6] - Change the XPath code to percolate allocation error (CVE-2011-1944) [2.7.6-10.el6] - Fix an off by one pointer access (CVE-2011-3102) [2.7.6-9.el6] - Fix a failure to report xmlreader parsing failures - Fix parser local buffers size problems (rhbz#843742) - Fix entities local buffers size problems (rhbz#843742) - Fix an error in previous commit (rhbz#843742) - Do not fetch external parsed entities - Impose a reasonable limit on attribute size (rhbz#843742) - Impose a reasonable limit on comment size (rhbz#843742) - Impose a reasonable limit on PI size (rhbz#843742) - Cleanups and new limit APIs for dictionaries (rhbz#843742) - Introduce some default parser limits (rhbz#843742) - Implement some default limits in the XPath module - Fixup limits parser (rhbz#843742) - Enforce XML_PARSER_EOF state handling through the parser - Avoid quadratic behaviour in some push parsing cases (rhbz#843742) - More avoid quadratic behaviour (rhbz#843742) - Strengthen behaviour of the push parser in problematic situations (rhbz#843742) - More fixups on the push parser behaviour (rhbz#843742) - Fix a segfault on XSD validation on pattern error - Fix an unimplemented part in RNG value validation [2.7.6-8.el6] - remove chunk in patch related to configure.in as it breaks rebuild - Resolves: rhbz#788846 [2.7.6-7.el6] - fix previous build to force compilation of randomization code - Resolves: rhbz#788846 [2.7.6-6.el6] - adds randomization to hash and dict structures CVE-2012-0841 - Resolves: rhbz#788846 [2.7.6-5.el6] - Make sure the parser returns when getting a Stop order CVE-2011-3905 - Fix an allocation error when copying entities CVE-2011-3919 - Resolves: rhbz#771910 [2.7.6-4] - Fixes another XPath problem CVE-2011-2834 - Resolves: rhbz#732335 [2.7.6-3] - Fixes various other issues in 2.7.6 XPath evaluation - Resolves: rhbz#732335 [2.7.6-2] - Fix a potential crasher in XPath or XSLT, CVE-2011-1944 - Resolves: rhbz#710397 [2.7.6-1] - Upstream release of 2.7.6 - restore thread support off by default in 2.7.5 [2.7.5-1] - Upstream release of 2.7.5 - fix a couple of Relax-NG validation problems - couple more fixes [2.7.4-2] - fix a problem with little data at startup affecting inkscape #523002 [2.7.4-1] - upstream release 2.7.4 - symbol versioning of libxml2 shared libs - very large number of bug fixes [2.7.3-4] - two patches for parsing problems CVE-2009-2414 and CVE-2009-2416 [2.7.3-3] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild [2.7.3-2] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild [2.7.3-1] - new release 2.7.3 - limit default max size of text nodes - special parser mode for PHP - bug fixes and more compiler checks [2.7.2-7] - Pull back into Python 2.6 [2.7.2-6] - AutoProvides requires BuildRequires pkgconfig [2.7.2-5] - rebuild to get provides(libxml-2.0) into HEAD rawhide [2.7.2-4] - Rebuild for pkgconfig logic [2.7.2-3] - Rebuild for Python 2.6 [2.7.2-2.fc11] - two patches for size overflows problems CVE-2008-4225 and CVE-2008-4226 [2.7.2-1.fc10] - new release 2.7.2 - Fixes the known problems in 2.7.1 - increase the set of options when saving documents [2.7.1-2.fc10] - fix a nasty bug in 2.7.x, http://bugzilla.gnome.org/show_bug.cgi?id=554660 [2.7.1-1.fc10] - fix python serialization which was broken in 2.7.0 - Resolve: rhbz#460774 [2.7.0-1.fc10] - upstream release of 2.7.0 - switch to XML 1.0 5th edition - switch to RFC 3986 for URI parsing - better entity handling - option to remove hardcoded limitations in the parser - more testing - a new API to allocate entity nodes - and lot of fixes and clanups [2.6.32-4.fc10] - fix for entities recursion problem - Resolve: rhbz#459714 [2.6.32-3.fc10] - cleanup based on Fedora packaging guidelines, should fix #226079 - separate a -static package [2.6.32-2.fc10] - try to fix multiarch problems like #440206 [2.6.32-1.fc9] - upstream release 2.6.32 see http://xmlsoft.org/news.html - many bug fixed upstream [2.6.31-2] - Autorebuild for GCC 4.3 [2.6.31-1.fc9] - upstream release 2.6.31 see http://xmlsoft.org/news.html - many bug fixed upstream [2.6.30-1] - upstream release 2.6.30 see http://xmlsoft.org/news.html - many bug fixed upstream [2.6.29-1] - upstream release 2.6.29 see http://xmlsoft.org/news.html - many bug fixed upstream [2.6.28-2] - Bump revision to fix N-V-R problem [2.6.28-1] - upstream release 2.6.28 see http://xmlsoft.org/news.html - many bug fixed upstream [2.6.27-2] - rebuild against python 2.5 [2.6.27-1] - upstream release 2.6.27 see http://xmlsoft.org/news.html - very large amount of bug fixes reported upstream [2.6.26-2.1.1] - rebuild [2.6.26-2.1] - rebuild [2.6.26-2] - fix bug #192873 [2.6.26-1] - upstream release 2.6.26 see http://xmlsoft.org/news.html * Tue Jun 06 2006 Daniel Veillard <veillard@redhat.com> - upstream release 2.6.25 broken, do not ship ! LOW Copyright 2015 Oracle, Inc. CVE-2015-1819 Oracle Linux 6 [1:0.7.3-6] - AP WMM: Fix integer underflow in WMM Action frame parser (rh #1221178) (rh #1226396) [1:0.7.3-5] - Add domain_match config option from upstream (rh #1186806) (rh #1178263) - Include peer certificate in EAP events for use by clients - Add dbus signal for information about server certification - eapol_test: Add option for writing server certificate chain to a file LOW Copyright 2015 Oracle, Inc. CVE-2015-4142 Oracle Linux 7 [32:9.9.4-18.2] - Fix CVE-2015-4620 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4620 Oracle Linux 6 [2.20-3] - Updated pcre buildrequires to require pcre-devel >= 7.8-7 Related: rhbz#1193030 [2.20-2] - Fixed invalid UTF-8 byte sequence error in PCRE mode (by pcre-backported-fixes patch) Resolves: rhbz#1193030 - Fixed buffer overrun for grep -F Resolves: CVE-2015-1345 - Fixed bogus date in the changelog [2.20-1] - New version Resolves: rhbz#1064668 Resolves: rhbz#982215 Resolves: rhbz#1126757 Resolves: rhbz#1167766 Resolves: rhbz#1171806 - Fixed \w and \W behaviour in multibyte locales Resolves: rhbz#799863 - Documented --fixed-regexp option Resolves: rhbz#1103270 LOW Copyright 2015 Oracle, Inc. CVE-2012-5667 CVE-2015-1345 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [31.8.0-1.0.1.el5_11] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [31.8.0-1] - Update to 31.8.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-2724 CVE-2015-2725 CVE-2015-2731 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2741 Oracle Linux 6 [2.8.5-18] - fix CVE-2015-0282 (#1198159) - fix CVE-2015-0294 (#1198159) [2.8.5-17] - Corrected value initialization in mpi printing (#1129241) [2.8.5-16] - Check for expiry information in the CA certificates (#1159778) [2.8.5-15] - fix issue with integer padding in certificates and keys (#1036385) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8155 CVE-2015-0282 CVE-2015-0294 Oracle Linux 6 [1:4.2.8.2-11.0.1] - Replaced RedHat colors with Oracle colors, and the filename redhat.soc with oracle.soc in specfile (jingdong.lu@oracle.com) - Build with --with-vendor='Oracle America, Inc.' (jingdong.lu@oracle.com) [1:4.2.8.2-11] - Resolves: rhbz#1223696 some labels in print dialog are not translated, even though the translations exist [1:4.2.8.2-10] - Resolves: rhbz#1217466 CVE-2015-1774 HWP filter fix [1:4.2.8.2-9] - Resolves: rhbz#1209852 enable accidentally disabled GIO UCP [1:4.2.8.2-8] - Related: rhbz#1150048 rpmdiff: avoid multilib conflict [1:4.2.8.2-7] - Related: rhbz#1150048 packaging fix [1:4.2.8.2-6] - Related: rhbz#1150048 rpmdiff fixes [1:4.2.8.2-5] - Related: rhbz#1150048 fix some indic shortcuts [1:4.2.8.2-4] - Resolves: rhbz#1150048 rebase to latest stable 4.2.8.2 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1774 Oracle Linux 6 [4.2.6p5-5] - reject packets without MAC when authentication is enabled (CVE-2015-1798) - protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799) - fix generation of MD5 keys with ntp-keygen on big-endian systems (CVE-2015-3405) - log when stepping clock for leap second or ignoring it with -x (#1204625) [4.2.6p5-4] - fix typos in ntpd man page (#1194463) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9297 CVE-2014-9298 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405 Oracle Linux 6 [1.8.10-17.0.2] - Fix ocfs2 dissector (John Haxby) [orabug 21505640] [1.8.10-17.0.1.el6] - Add oracle-ocfs2-network.patch to allow disassembly of OCFS2 interconnect [1.8.10-17] - security patches - Resolves: CVE-2015-2189 CVE-2015-2191 [1.8.10-16] - security patches - Resolves: CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0564 [1.8.10-15] - fix AES-GCM decoding - Related: rhbz#1095065 [1.8.10-14] - fix requires: shadow-utils - Resolves: rhbz#1121275 [1.8.10-13] - add elliptic curves decoding in DTLS HELLO - Resolves: rhbz#1131203 [1.8.10-12] - add AES-GCM decryption - Resolves: rhbz#1095065 [1.8.10-11] - fix reading from pipes - Resolves: rhbz#1104210 [1.8.10-10] - introduced nanosecond time precision - Resolves: rhbz#1146578 [1.8.10-9] - fix gtk2 required version - Resolves: rhbz#1160388 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0564 CVE-2015-2189 CVE-2015-2191 Oracle Linux 6 [3.0.0-47.el6] - Resolves: #1220788 - Some IPA schema files are not RFC 4512 compliant [3.0.0-46.el6] - Use tls version range in NSSHTTPS initialization - Resolves: #1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server - Resolves: #1012224 - host certificate not issued to client during ipa-client-install [3.0.0-45.el6] - Resolves: #1205660 - ipa-client rpm should require keyutils [3.0.0-44.el6] - Release 3.0.0-44 - Resolves: #1201454 - ipa breaks sshd config [3.0.0-43.el6] - Release 3.0.0-43 - Resolves: #1191040 - ipa-client-automount: failing with error LDAP server returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. - Resolves: #1185207 - ipa-client dont end new line character in /etc/nsswitch.conf - Resolves: #1166241 - CVE-2010-5312 CVE-2012-6662 ipa: various flaws - Resolves: #1161722 - IDM client registration failure in a high load environment - Resolves: #1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server - Resolves: #1146870 - ipa-client-install fails with 'KerbTransport instance has no attribute '__conn'' traceback - Resolves: #1132261 - ipa-client-install failing produces a traceback instead of useful error message - Resolves: #1131571 - Do not allow IdM server/replica/client installation in a FIPS-140 mode - Resolves: #1198160 - /usr/sbin/ipa-server-install --uninstall does not clean /var/lib/ipa/pki-ca - Resolves: #1198339 - ipa-client-install adds extra sss to sudoers in nsswitch.conf - Require: 389-ds-base >= 1.2.11.15-51 - Require: mod_nss >= 1.0.10 - Require: pki-ca >= 9.0.3-40 - Require: python-nss >= 0.16 MODERATE Copyright 2015 Oracle, Inc. CVE-2010-5312 CVE-2012-6662 Oracle Linux 6 [32:9.8.2-0.37.rc1.1] - Fix CVE-2015-4620 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4620 Oracle Linux 6 [0.56.13-8] - Update CVE-2015-3246 patch based on review comments Resolves: #1235518 [0.56.13-7] - Dont use 512-bit RSA private keys in tests Related: #1235518 - Fix testsuite failures if more than one architecture is building concurrently Related: #1235518 [0.56.13-6] - Fix CVE-2015-3246 Resolves: #1235518 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3245 CVE-2015-3246 Oracle Linux 7 [0.60-7] - Update CVE-2015-3246 patch based on review comments Resolves: #1235519 [0.60-6] - Fix CVE-2015-3246 Resolves: #1235519 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3245 CVE-2015-3246 Oracle Linux 7 [1.5.3-86.el7_1.5] - kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch [bz#1243726] - Resolves: bz#1243726 (CVE-2015-3214 qemu-kvm: qemu: i8254: out-of-bounds memory access in pit_ioport_read function [rhel-7.1.z]) [1.5.3-86.el7_1.4] - kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch [bz#1243689] - kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch [bz#1243689] - kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch [bz#1243689] - Resolves: bz#1243689 (EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z]) [1.5.3-86.el7_1.3] - kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch [bz#1233643] - Resolves: bz#1233643 ([abrt] qemu-kvm: bdrv_error_action(): qemu-kvm killed by SIGABRT) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3214 CVE-2015-5154 Oracle Linux 7 [1.14.4-12.1] - Fix crash when doing gestures at unlock screen Resolves: rhbz#1227103 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3213 Oracle Linux 6 Oracle Linux 7 [32:9.8.2-0.37.rc1.2] - Fix CVE-2015-5477 [32:9.8.2-0.37.rc1.1] - Fix CVE-2015-4620 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5477 Oracle Linux 5 [30:9.3.6-25.P1.3] - Fix CVE-2015-5477 [30:9.3.6-25.P1.2] - Remove files backup after patching (Related: #1171971) [30:9.3.6-25.P1.1] - Fix CVE-2014-8500 (#1171971) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5477 Oracle Linux 5 [32:9.7.0-21.P2.2] - Fix CVE-2015-5477 [32:9.7.0-21.P2.1] - Fix CVE-2014-8500 (#1171972) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5477 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [1:1.6.0.35-1.13.8.1.0.1.el5_11] - Add oracle-enterprise.patch [1:1.6.0.36-1.13.8.1] - Update to new tarball, containing fix for TCK regression (PR2565) - Resolves: rhbz#1235149 [1:1.6.0.36-1.13.8.0] - Update to IcedTea 1.13.8 - Update no_pr2125.patch to work against new version. - Resolves: rhbz#1235149 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4000 CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 Oracle Linux 7 [3.10.0-229.11.1] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.11.1] - [fs] Fixing lease renewal (Steve Dickson) [1226328 1205048] - [fs] revert 'nfs: Fixing lease renewal' (Carlos Maiolino) [1226328 1205048] - [redhat] spec: Update dracut dependency to 033-241.|ael7b]_1.5 (Phillip Lougher) [1241571 1241344] [3.10.0-229.10.1] - [redhat] spec: Update dracut dependency to pull in drbg module (Phillip Lougher) [1241571 1241344] [3.10.0-229.9.1] - [crypto] krng: Remove krng (Herbert Xu) [1238210 1229738] - [crypto] drbg: Add stdrng alias and increase priority (Herbert Xu) [1238210 1229738] - [crypto] seqiv: Move IV seeding into init function (Herbert Xu) [1238210 1229738] - [crypto] eseqiv: Move IV seeding into init function (Herbert Xu) [1238210 1229738] - [crypto] chainiv: Move IV seeding into init function (Herbert Xu) [1238210 1229738] - [s390] crypto: ghash - Fix incorrect ghash icv buffer handling (Herbert Xu) [1238211 1207598] - [kernel] module: Call module notifier on failure after complete_formation() (Bandan Das) [1238937 1236273] - [net] ipv4: kABI fix for 0bbf87d backport (Aristeu Rozanski) [1238208 1184764] - [net] ipv4: Convert ipv4.ip_local_port_range to be per netns (Aristeu Rozanski) [1238208 1184764] - [of] Eliminate of_allnodes list (Gustavo Duarte) [1236983 1210533] - [scsi] ipr: Increase default adapter init stage change timeout (Steve Best) [1236139 1229217] - [fs] libceph: fix double __remove_osd() problem (Sage Weil) [1236462 1229488] - [fs] ext4: fix data corruption caused by unwritten and delayed extents (Lukas Czerner) [1235563 1213487] - [kernel] watchdog: update watchdog_thresh properly (Ulrich Obergfell) [1223924 1216074] - [kernel] watchdog: update watchdog attributes atomically (Ulrich Obergfell) [1223924 1216074] - [virt] kvm: ensure hard lockup detection is disabled by default (Andrew Jones) [1236461 1111262] - [watchdog] control hard lockup detection default (Andrew Jones) [1236461 1111262] - [watchdog] Fix print-once on enable (Andrew Jones) [1236461 1111262] [3.10.0-229.8.1] - [fs] fs-cache: The retrieval remaining-pages counter needs to be atomic_t (David Howells) [1231809 1130457] - [net] libceph: tcp_nodelay support (Sage Weil) [1231803 1197952] - [powerpc] pseries: Simplify check for suspendability during suspend/migration (Gustavo Duarte) [1231638 1207295] - [powerpc] pseries: Introduce api_version to migration sysfs interface (Gustavo Duarte) [1231638 1207295] - [powerpc] pseries: Little endian fixes for post mobility device tree update (Gustavo Duarte) [1231638 1207295] - [fs] sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT (Steve Dickson) [1227825 1111712] - [fs] nfs: Fixing lease renewal (Benjamin Coddington) [1226328 1205048] - [powerpc] iommu: ddw: Fix endianness (Steve Best) [1224406 1189040] - [usb] fix use-after-free bug in usb_hcd_unlink_urb() (Don Zickus) [1223239 1187256] - [net] ipv4: Missing sk_nulls_node_init() in ping_unhash() (Denys Vlasenko) [1218104 1218105] {CVE-2015-3636} - [net] nf_conntrack: reserve two bytes for nf_ct_ext->len (Marcelo Leitner) [1211096 1206164] {CVE-2014-9715} - [net] ipv6: Don't reduce hop limit for an interface (Denys Vlasenko) [1208494 1208496] {CVE-2015-2922} - [x86] kernel: execution in the early microcode loader (Jacob Tanenbaum) [1206829 1206830] {CVE-2015-2666} - [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Seth Jennings) [1202861 1198843] {CVE-2015-1805} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2922 CVE-2015-3636 CVE-2014-9715 CVE-2015-2666 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.1.1-1.0.1] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.1.1-1] - Update to 38.1.1 ESR IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4495 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.2.0-4.0.1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one - Force requirement of newer gdk-pixbuf2 to ensure a proper update (Todd Vierling) [orabug 19847484] [38.2.0-4] - Update to 38.2.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4473 CVE-2015-4475 CVE-2015-4478 CVE-2015-4479 CVE-2015-4480 CVE-2015-4484 CVE-2015-4485 CVE-2015-4486 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4493 Oracle Linux 6 [2.6.32-573.3.1] - [md] Revert 'dm: don't schedule delayed run of the queue if nothing to do' (Mike Snitzer) [1246095 1240767] - [md] Revert 'dm: only run the queue on completion if congested or no requests pending' (Mike Snitzer) [1246095 1240767] [2.6.32-573.2.1] - [net] udp: fix behavior of wrong checksums (Denys Vlasenko) [1240758 1240759] {CVE-2015-5364 CVE-2015-5366} - [fs] vfs: Unhash and evict unused children dentries after rmdir (Lukas Czerner) [1243400 1241030] - [fs] vfs: Prevent syncing frozen file system (Lukas Czerner) [1243404 1241791] - [fs] vfs: Prevent freeing unlinked file to be indefinitely delayed (Lukas Czerner) [1243406 1236736] - [fs] vmcore: continue vmcore initialization if PT_NOTE is found empty (Baoquan He) [1245195 1236437] - [fs] vmcore: prevent PT_NOTE p_memsz overflow during header update (Baoquan He) [1245195 1236437] - [kernel] audit/fix non-modular users of module_init in core code (Baoquan He) [1245195 1236437] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5364 CVE-2015-5366 Oracle Linux 5 [2.5-123.0.1.el5_11.3] - Switch to use malloc when the input line is too long [Orabug 19951108] (Jason Luan) - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) [2.5-123.3] - Fix invalid-free when using getaddrinfo() and AI_IDN (CVE-2013-7424, [2.5-123.1] - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). MODERATE Copyright 2015 Oracle, Inc. CVE-2013-7424 Oracle Linux 5 [5.5.45-1] - Rebase to 5.5.45 Includes fixes for: CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0411 CVE-2015-0432 CVE-2015-0501 CVE-2015-2568 CVE-2015-0499 CVE-2015-2571 CVE-2015-0433 CVE-2015-0441 CVE-2015-0505 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 Resolves: #1247020 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 CVE-2014-6568 CVE-2015-0374 CVE-2015-0381 CVE-2015-0382 CVE-2015-0391 CVE-2015-0411 CVE-2015-0432 Oracle Linux 6 [1.6.11-15] - add security fixes for CVE-2015-0248, CVE-2015-0251, CVE-2015-3187 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0248 CVE-2015-0251 CVE-2015-3187 Oracle Linux 6 [3.6.20-1.2] - Add patch for compiler warnings highlighted by rpmdiff. Related: rhbz#1244727 [3.6.20-1.el6_7.1] - fix for CVE-2015-3416 Resolves: #1244727 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3416 Oracle Linux 7 [3.7.17-6.1] - Fixes for CVE-2015-3415 CVE-2015-3414 CVE-2015-3416 Resolves: rhbz#1244731 [3.7.17-6] - Release bump for ppc64le [3.7.17-5] - Release bump [3.7.17-4.1] - Backport 64k page fix from latest upstream (#1118151) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3414 CVE-2015-3415 CVE-2015-3416 Oracle Linux 6 Oracle Linux 7 [1:5.5-54.0.1.el6_7.1] - Add Oracle ACFS to hrStorage (John Haxby) [orabug 18510373] [1:5.5-54.el6_7.1] - Fixed parsing of invalid variables in incoming packets (#1248410) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5621 Oracle Linux 6 Oracle Linux 7 [1.1.1-20.1] - fix CVE-2015-3238 - DoS due to blocking pipe with very long password MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3238 Oracle Linux 5 [3.19.1-1] - Rebase nss to 3.19.1 - Pick up upstream fix for client auth. regression caused by 3.19.1 - Revert upstream change to minimum key sizes - Remove patches that rendered obsolote by the rebase - Update existing patches on account of the rebase [3.18.0-7] - Pick up upstream patch from nss-3.19.1 - Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64) - Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2721 CVE-2015-2730 Oracle Linux 7 [1:5.5.44-1] - Rebase to 5.5.44 Resolves: #1247021 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4752 CVE-2015-4757 CVE-2015-3152 Oracle Linux 7 [2.4.6-31.0.1.el7_1.1] - replace index.html with Oracle's index page oracle_index.html [2.4.6-31.1] - core: fix chunk header parsing defect (CVE-2015-3183) - core: replace of ap_some_auth_required with ap_some_authn_required and ap_force_authn hook (CVE-2015-3185) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3183 CVE-2015-3185 Oracle Linux 6 [2.2.15-47.0.1] - replace index.html with Oracle's index page oracle_index.html - update vstring in specfile [2.2.15-47] - fix regressions caused by fix for CVE-2015-3183 [2.2.15-46] - core: fix chunk header parsing defect (CVE-2015-3183) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3183 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.2.0-4.0.1.el6_7] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [38.2.0-4] - Update to 38.2.0 [38.1.0-4] - Update to 38.1.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4473 CVE-2015-4487 CVE-2015-4488 CVE-2015-4489 CVE-2015-4491 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.2.1-1.0.1] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.2.1-1] - Update to 38.2.1 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4497 CVE-2015-4498 Oracle Linux 6 Oracle Linux 7 [2.24.1-6] - Fix CVE 2015-4491 - Resolves #1253210 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-4491 Oracle Linux 6 Oracle Linux 7 [0:1.1.1-11.7] - Gracefully handle parsers without FSP support (e.g. Java 5 GCJ) - Resolves: CVE-2015-0254 [0:1.1.1-11.6] - Prevent XXE and RCE in JSTL XML tags - Apply correction for previous CVE-2015-0254 patch (prevent XXE in <x:transform>) - Resolves: CVE-2015-0254 [0:1.1.1-11.5] - Prevent XXE and RCE in JSTL XML tags - Resolves: CVE-2015-0254 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0254 Oracle Linux 6 Oracle Linux 7 [3.14.3-23] - Pick up upstream freebl patch for CVE-2015-2730 - Check for P == Q or P ==-Q before adding P and Q MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2730 Oracle Linux 6 Oracle Linux 7 [32:9.8.2-0.37.rc1.4] - Apply previously not applied patch for CVE-2015-5722 [32:9.8.2-0.37.rc1.3] - Fix CVE-2015-5722 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5722 Oracle Linux 5 [30:9.3.6-25.P1.4] - Fix CVE-2015-5722 [30:9.3.6-25.P1.3] - Fix CVE-2015-5477 [30:9.3.6-25.P1.2] - Remove files backup after patching (Related: #1171971) [30:9.3.6-25.P1.1] - Fix CVE-2014-8500 (#1171971) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5722 Oracle Linux 5 [32:9.7.0-21.P2.3] - Fix CVE-2015-5722 [32:9.7.0-21.P2.2] - Fix CVE-2015-5477 [32:9.7.0-21.P2.1] - Fix CVE-2014-8500 (#1171972) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5722 Oracle Linux 6 Oracle Linux 7 [1.4.5-5] - CVE-2015-1802: missing range check in bdfReadProperties (bug 1258892) - CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258892) - CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258892) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1802 CVE-2015-1803 CVE-2015-1804 Oracle Linux 7 [0.12.4-9.1] - Avoid race conditions reading monitor configs from guest. This race could trigger memory corruption host-side Resolves: rhbz#1239127 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3247 Oracle Linux 6 [0.12.4-12.1] - Avoid race conditions reading monitor configs from guest. This race could trigger memory corruption host-side Resolves: rhbz#1239124 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3247 Oracle Linux 7 [1.5.4-4.1] - Fix buffer_slow_realign() function to respect output data (CVE-2015-3281, #1241537) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3281 Oracle Linux 7 [1.7.14-7.1] - add security fixes for CVE-2015-0248, CVE-2015-0251, CVE-2015-3184, CVE-2015-3187 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0248 CVE-2015-0251 CVE-2015-3187 CVE-2015-3184 Oracle Linux 7 [3.10.0-229.14.1.OL7] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.14.1] - [s390] zcrypt: Fixed reset and interrupt handling of AP queues (Hendrik Brueckner) [1248381 1238230] [3.10.0-229.13.1] - [dma] ioat: fix tasklet tear down (Herton R. Krzesinski) [1251523 1210093] - [drm] radeon: Fix VGA switcheroo problem related to hotplug (missing hunk) (Rob Clark) [1207879 1223472] - [security] keys: Ensure we free the assoc array edit if edit is valid (David Howells) [1246039 1244171] {CVE-2015-1333} - [net] tcp: properly handle stretch acks in slow start (Florian Westphal) [1243903 1151756] - [net] tcp: fix no cwnd growth after timeout (Florian Westphal) [1243903 1151756] - [net] tcp: increase throughput when reordering is high (Florian Westphal) [1243903 1151756] - [of] Fix sysfs_dirent cache integrity issue (Gustavo Duarte) [1249120 1225539] - [tty] vt: don't set font mappings on vc not supporting this (Jarod Wilson) [1248384 1213538] - [scsi] fix regression in scsi_send_eh_cmnd() (Ewan Milne) [1243412 1167454] - [net] udp: fix behavior of wrong checksums (Denys Vlasenko) [1240760 1240761] {CVE-2015-5364 CVE-2015-5366} - [fs] Convert MessageID in smb2_hdr to LE (Sachin Prabhu) [1238693 1161441] - [x86] bpf_jit: fix compilation of large bpf programs (Denys Vlasenko) [1236938 1236939] {CVE-2015-4700} - [net] sctp: fix ASCONF list handling (Marcelo Leitner) [1227960 1206474] {CVE-2015-3212} - [fs] ext4: allocate entire range in zero range (Lukas Czerner) [1193909 1187071] {CVE-2015-0275} - [x86] ASLR bruteforce possible for vdso library (Jacob Tanenbaum) [1184898 1184899] {CVE-2014-9585} [3.10.0-229.12.1] - [ethernet] ixgbe: remove CIAA/D register reads from bad VF check (John Greene) [1245597 1205903] - [kernel] sched: Avoid throttle_cfs_rq() racing with period_timer stopping (Rik van Riel) [1241078 1236413] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9585 CVE-2015-5364 CVE-2015-5366 CVE-2015-0275 CVE-2015-1333 CVE-2015-3212 CVE-2015-4700 Oracle Linux 7 [1.5.3-86.el7_1.6] - kvm-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch [bz#1248764] - kvm-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch [bz#1248764] - kvm-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch [bz#1248764] - kvm-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch [bz#1248764] - kvm-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch [bz#1248764] - kvm-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch [bz#1248764] - kvm-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch [bz#1248764] - Resolves: bz#1248764 (CVE-2015-5165 qemu-kvm: Qemu: rtl8139 uninitialized heap memory information leakage to guest [rhel-7.1.z]) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5165 Oracle Linux 6 [0.12.1.2-2.479.el6_7.1] - kvm-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch [bz#1248761] - kvm-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch [bz#1248761] - kvm-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch [bz#1248761] - kvm-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch [bz#1248761] - kvm-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch [bz#1248761] - kvm-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch [bz#1248761] - kvm-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch [bz#1248761] - Resolves: bz#1248761 (CVE-2015-5165 qemu-kvm: Qemu: rtl8139 uninitialized heap memory information leakage to guest [rhel-6.7.z]) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5165 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.3.0-2.0.1.el6_7] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one - Force requirement of newer gdk-pixbuf2 to ensure a proper update (Todd Vierling) [orabug 19847484] [38.3.0-2] - Update to 38.3.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4500 CVE-2015-4509 CVE-2015-4510 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [2.3.43-29] - CVE-2015-6908 openldap: ber_get_next denial of service vulnerability (#1263170) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-6908 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.3.0-1.0.1.el6_7] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [38.3.0-1] - Update to 38.3.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4500 CVE-2015-4509 CVE-2015-4517 CVE-2015-4519 CVE-2015-4520 CVE-2015-4521 CVE-2015-4522 CVE-2015-7174 CVE-2015-7175 CVE-2015-7176 CVE-2015-7177 CVE-2015-7180 Oracle Linux 6 [0.12.4-12.3] - CVE-2015-5260 CVE-2015-5261 fixed various security flaws Resolves: rhbz#1262769 [0.12.4-12.2] - Validate surface_id Resolves: rhbz#1262769 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5260 CVE-2015-5261 Oracle Linux 7 [0.12.4-9.3] - CVE-2015-5260 CVE-2015-5261 fixed various security flaws Resolves: rhbz#1262771 [0.12.4-9.2] - Validate surface_id Resolves: rhbz#1262771 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5260 CVE-2015-5261 Oracle Linux 6 Oracle Linux 7 [0.2.8.4-25] - Resolves: rhbz#1227428 - CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 [0.2.8.4-24] - Resolves: rhbz#1227429 CVE-2015-0848 libwmf: heap overflow when decoding BMP images IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 Oracle Linux 6 Oracle Linux 7 [1:1.8.0.65-0.b17] - October 2015 security update to u65b17. - Add script for generating OpenJDK tarballs from a local Mercurial tree. - Update RH1191652 patch to build against current AArch64 tree. - Use appropriate source ID to avoid unpacking both tarballs on AArch64. - Fix library removal script so jpeg, giflib and png sources are removed. - Update system-lcms.patch to regenerated upstream (8042159) version. - Drop LCMS update from rhel6-built.patch - Resolves: rhbz#1257654 [1:1.8.0.51-4.b16] - bumped release to do an build, so test whether 1251560 was really fixed - Resolves: rhbz#1254197 [1:1.8.0.60-4.b27] - updated to u60 (1255352) - Resolves: rhbz#1257654 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4868 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 Oracle Linux 6 Oracle Linux 7 CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 Oracle Linux 5 [1:1.7.0.91-2.6.2.1.0.1] - Add oracle-enterprise.patch - Fix DISTRO_NAME to 'Oracle Linux' [1:1.7.0.91-2.6.2.1] - added and applied patch500 8072932or8074489.patch to fix tck failure - Resolves: rhbz#1271918 [1:1.7.0.91-2.6.2.0] - Drop patch for PR2521/RH1242587 now resolved upstream. - Resolves: rhbz#1271918 [1:1.7.0.91-2.6.2.0] - Bump to 2.6.2 and u91b00. - Resolves: rhbz#1271918 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 Oracle Linux 6 [0.12.1.2-2.479.el6_7.2] - kvm-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch [bz#1263274] - Resolves: bz#1263274 (CVE-2015-5279 qemu-kvm: qemu: Heap overflow vulnerability in ne2000_receive() function [rhel-6.7.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5279 Oracle Linux 5 [kvm-83-274.0.1.el5] - Added kvm-add-oracle-workaround-for-libvirt-bug.patch - Added kvm-Introduce-oel-machine-type.patch [kvm-83.274.el5] - net-add-checks-to-validate-ring-buffer-pointers.patch [bz#1263272] - Resolves: bz#1263272 (CVE-2015-5279 kvm: qemu: Heap overflow vulnerability in ne2000_receive() function [rhel-5.11.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5279 Oracle Linux 6 Oracle Linux 7 [4.2.6p5-5.el6_7.2] - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5300 CVE-2015-7704 Oracle Linux 7 [1.5.3-86.el7_1.8] - kvm-qtest-ide-test-disable-flush-test.patch [bz#1273098] - Resolves: bz#1273098 (qemu-kvm build failure race condition in tests/ide-test) [1.5.3-86.el7_1.7] - kvm-CVE-2015-1779-incrementally-decode-websocket-frames.patch [bz#1205050] - kvm-CVE-2015-1779-limit-size-of-HTTP-headers-from-websoc.patch [bz#1205050] - Resolves: bz#1205050 (CVE-2015-1779 qemu-kvm: qemu: vnc: insufficient resource limiting in VNC websockets decoder [rhel-7.1.z]) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1779 Oracle Linux 7 [3.10.0-229.20.1.OL7] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-229.20.1] - Revert: [crypto] nx - Check for bogus firmware properties (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving NX-AES-CBC to be processed logic (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving NX-AES-CCM to be processed logic and sg_list bounds (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving limit and bound logic in CTR and fix IV vector (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving NX-AES-ECB to be processed logic (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving NX-AES-GCM to be processed logic (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Moving NX-AES-XCBC to be processed logic (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Fix SHA concurrence issue and sg limit bounds (Phillip Lougher) [1247127 1190103] - Revert: [crypto] nx - Fixing the limit number of bytes to be processed (Phillip Lougher) [1247127 1190103] [3.10.0-229.19.1] - Revert: [fs] xfs: DIO write completion size updates race (Phillip Lougher) [1258942 1213370] - Revert: [fs] xfs: direct IO EOF zeroing needs to drain AIO (Phillip Lougher) [1258942 1213370] [3.10.0-229.18.1] - [scsi] sd: split sd_init_command (Ewan Milne) [1264141 1109348] - [scsi] sd: retry discard commands (Ewan Milne) [1264141 1109348] - [scsi] sd: retry write same commands (Ewan Milne) [1264141 1109348] - [scsi] sd: don't use scsi_setup_blk_pc_cmnd for discard requests (Ewan Milne) [1264141 1109348] - [scsi] sd: don't use scsi_setup_blk_pc_cmnd for write same requests (Ewan Milne) [1264141 1109348] - [scsi] sd: don't use scsi_setup_blk_pc_cmnd for flush requests (Ewan Milne) [1264141 1109348] - [scsi] set sc_data_direction in common code (Ewan Milne) [1264141 1109348] - [scsi] restructure command initialization for TYPE_FS requests (Ewan Milne) [1264141 1109348] - [scsi] move the nr_phys_segments assert into scsi_init_io (Ewan Milne) [1264141 1109348] - [fs] xfs: remove bitfield based superblock updates (Brian Foster) [1261781 1225075] - [netdrv] ixgbe: fix X540 Completion timeout (John Greene) [1257633 1173786] - [lib] radix-tree: handle allocation failure in radix_tree_insert() (Seth Jennings) [1264142 1260613] - [crypto] nx - Fixing the limit number of bytes to be processed (Herbert Xu) [1247127 1190103] - [crypto] nx - Fix SHA concurrence issue and sg limit bounds (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving NX-AES-XCBC to be processed logic (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving NX-AES-GCM to be processed logic (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving NX-AES-ECB to be processed logic (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving limit and bound logic in CTR and fix IV vector (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving NX-AES-CCM to be processed logic and sg_list bounds (Herbert Xu) [1247127 1190103] - [crypto] nx - Moving NX-AES-CBC to be processed logic (Herbert Xu) [1247127 1190103] - [crypto] nx - Check for bogus firmware properties (Herbert Xu) [1247127 1190103] - [md] raid1: extend spinlock to protect raid1_end_read_request against inconsistencies (Jes Sorensen) [1263416 1255758] - [md] raid1: fix test for 'was read error from last working device' (Jes Sorensen) [1263416 1255758] - [fs] xfs: direct IO EOF zeroing needs to drain AIO (Brian Foster) [1258942 1213370] - [fs] xfs: DIO write completion size updates race (Brian Foster) [1258942 1213370] - [fs] pnfs: Fix a memory leak when attempted pnfs fails (Steve Dickson) [1256640 1234986] [3.10.0-229.17.1] - [hv] vmbus: Cleanup vmbus_establish_gpadl() (Vitaly Kuznetsov) [1262096 1211914] - [scsi] iscsi: let session recovery_tmo sysfs writes persist across recovery (Chris Leech) [1261879 1139038] - [scsi] ipr: Fix invalid array indexing for HRRQ (Gustavo Duarte) [1260625 1251184] - [scsi] ipr: Fix incorrect trace indexing (Gustavo Duarte) [1260625 1251184] - [net] netfilter: synproxy: fix sending window update to client (Phil Sutter) [1257289 1257290 1251031 1242094] - [net] netfilter: ip6t_synproxy: fix NULL pointer dereference (Phil Sutter) [1257289 1257290 1251031 1242094] - [fs] nfsv4: Always drain the slot table before re-establishing the lease (Benjamin Coddington) [1256649 1240790] - [fs] Recover from stateid-type error on SETATTR (Benjamin Coddington) [1256639 1214410] - [netdrv] virtio-net: drop NETIF_F_FRAGLIST (Jason Wang) [1247839 1247840] {CVE-2015-5156} - [x86] mm: add memory tracking to native_pmdp_get_and_clear (David Bulkow) [1263525 1227357] - [fs] dcache: d_walk() might skip too much (Denys Vlasenko) [1173812 1173813] {CVE-2014-8559} - [fs] dcache: deal with deadlock in d_walk() (Denys Vlasenko) [1173812 1173813] {CVE-2014-8559} - [fs] dcache: move d_rcu from overlapping d_child to overlapping d_alias (Denys Vlasenko) [1173812 1173813] {CVE-2014-8559} - [fs] dcache: fold try_to_ascend() into the sole remaining caller (Denys Vlasenko) [1173812 1173813] {CVE-2014-8559} [3.10.0-229.16.1] - [virt] kvm: x86: reset RVI upon system reset (Marcelo Tosatti) [1225087 1209995] [3.10.0-229.15.1] - [cpufreq] intel_pstate: Fix overflow in busy_scaled due to long delay (Prarit Bhargava) [1255496 1228346] - [netdrv] be2net: avoid vxlan offloading on multichannel configs (Ivan Vecera) [1256609 1232327] MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8559 CVE-2015-5156 Oracle Linux 7 [3.15-5.0.1] - add libreswan-oracle.patch to detect Oracle Linux distro [3.15-5] - Resolves: rhbz#1273719 libreswan FIPS test mistakenly looks for non-existent file hashes [3.15-4] - Resolves: rhbz#1268775 libreswan should support strictcrlpolicy alias - Resolves: rhbz#1268776 Pluto crashes after stop when I use floating ip address - Resolves: rhbz#1268773 Pluto crashes on INITIATOR site during 'service ipsec stop' - Resolves: rhbz#1208022 libreswan ignores module blacklist rules - Resolves: rhbz#1270673 ipsec does not work properly on loopback [3.15-2] - Resolves: rhbz#1259208 CVE-2015-3240 - Merge rhel6 and rhel7 spec into one - Be lenient for racoon padding behaviour - Fix seedev option to /dev/random - Some IKEv1 PAM methods always gave 'Permission denied' - Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7 - Parser fix to allow specifying time without unit (openswan compat) - Fix Labeled IPsec on rekeyed IPsec SA's - Workaround for wrong padding by racoon2 - Disable NSS HW GCM to workaround rhel6 xen builers bug MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3240 Oracle Linux 5 nspr [4.10.8-2] - Resolves: Bug 1269359 - CVE-2015-7183 - nspr: heap-buffer overflow in PL_ARENA_ALLOCATE can lead to crash (under ASAN), potential memory corruption [rhel-5.11.z] nss [3.19.1-2] - Resolves: Bug 1269354 - CVE-2015-7182 CVE-2015-7181 CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 Oracle Linux 6 Oracle Linux 7 nspr [4.10.8-2] - Resolves: Bug 1269360 - CVE-2015-7183 - nspr: heap-buffer overflow in PL_ARENA_ALLOCATE can lead to crash (under ASAN), potential memory corruption nss [3.19.1-5.0.1] - Added nss-vendor.patch to change vendor [3.19.1-5] - Rebuild against updated NSPR [3.19.1-4] - Sync up with the rhel-6.6 branch - Resolves: Bug 1224450 nss-util [3.19.1-2] - Resolves: Bug 1269355 - CVE-2015-7182 CVE-2015-7181 CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.4.0-1.0.1.el5_11] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.4.0-1] - Update to 38.4.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-4513 CVE-2015-7188 CVE-2015-7189 CVE-2015-7193 CVE-2015-7194 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 Oracle Linux 6 [1.12.4-47.4] - Resolves: rhbz#1268783 - Memory leak / possible DoS with krb auth. [1.12.4-47.3] - Resolves: rhbz#1268784 - SSSD POSIX attribute check is too strict [1.12.4-47.2] - Resolves: rhbz#1264098 - cleanup_groups should sanitize dn of groups [1.12.4-47.1] - Resolves: rhbz#1258398 - sysdb sudo search doesn't escape special characters LOW Copyright 2015 Oracle, Inc. CVE-2015-5292 Oracle Linux 5 [3.0.3-147.el5] - net: add checks to validate ring buffer pointers - Resolves: bz#1263273 (xen: qemu: Heap overflow vulnerability in ne2000_receive() function) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5279 Oracle Linux 7 [9.2.14-1] - update to 9.2.14 per release notes http://www.postgresql.org/docs/9.2/static/release-9-2-14.html [9.2.13-1] - update to 9.2.13 per release notes http://www.postgresql.org/docs/9.2/static/release-9-2-13.html [9.2.12-1] - update to 9.2.12 per release notes http://www.postgresql.org/docs/9.2/static/release-9-2-12.html [9.2.11-1] - update to 9.2.11 per release notes http://www.postgresql.org/docs/9.2/static/release-9-2-11.html MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5288 CVE-2015-5289 Oracle Linux 7 [2.23.52.0.1-55] - Add missing delta to patch that fixes parsing corrupted archives. (#1162666) [2.23.52.0.1-54] - Import patch for PR 18270: Create AArch64 GOT entries for local symbols. (#1238783) [2.23.52.0.1-51] - Fix incorrectly generated binaries and DSOs on PPC platforms. (#1247126) [2.23.52.0.1-50] - Fix memory corruption parsing corrupt archives. (#1162666) [2.23.52.0.1-49] - Fix directory traversal vulnerability. (#1162655) [2.23.52.0.1-48] - Fix stack overflow in SREC parser. (#1162621) [2.23.52.0.1-47] - Fix stack overflow whilst parsing a corrupt iHex file. (#1162607) [2.23.52.0.1-46] - Fix out of bounds memory accesses when parsing corrupt PE binaries. (#1162594, #1162570) [2.23.52.0.1-45] - Change strings program to default to -a. Fix problems parsing files containg corrupt ELF group sections. (#1157276) [2.23.52.0.1-44] - Avoid reading beyond function boundary when disassembling. (#1060282) - For binary ouput, we don't have an ELF bfd output so can't access elf_elfheader. (#1226864) [2.23.52.0.1-43] - Don't discard stap probe note sections on aarch64 (#1225091) [2.23.52.0.1-42] - Clamp maxpagesize at 1 (rather than 0) to avoid segfaults in the linker when passed a bogus max-page-size argument. (#1203449) [2.23.52.0.1-41] - Fixup bfd elf_link_add_object_symbols for ppc64 to prevent subsequent uninitialized accesses elsewhere. (#1172766) [2.23.52.0.1-40] - Minor testsuite adjustments for PPC changes in -38/-39. (#1183838) Fix md_assemble for PPC to handle arithmetic involving the TOC better. (#1183838) [2.23.52.0.1-39] - Fix ppc64: segv in libbfd (#1172766). [2.23.52.0.1-38] - Unconditionally apply ppc64le patches (#1183838). [2.23.52.0.1-37] - Andreas's backport of z13 and dependent fixes for s390, including tesetcase fix from Apr 27, 2015. (#1182153) [2.23.52.0.1-35] - Fixup testsuite for AArch64 (#1182111) - Add support for @localentry for LE PPC64 (#1194164) [2.23.52.0.1-34] - Do not install windmc(1) man page (#850832) [2.23.52.0.1-33] - Don't replace R_390_TLS_LE{32,64} with R_390_TLS_TPOFF for PIE (#872148) - Enable relro by default for arm and aarch64 (#1203449) - Backport 3 RELRO improvements for ppc64/ppc64le from upstream (#1175624) [2.23.52.0.1-31] - Backport upstream RELRO fixes. (#1200138) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8503 CVE-2014-8504 CVE-2014-8737 CVE-2014-8738 CVE-2014-8484 CVE-2014-8485 CVE-2014-8501 CVE-2014-8502 Oracle Linux 6 [8.4.20-4] - fix for CVE-2015-5288 (rhbz#1273446) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5288 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [1:1.6.0.35-1.13.9.4.0.1.el5_11] - Add oracle-enterprise.patch [1:1.6.0.37-1.13.9.4] - Update with new IcedTea & b37 tarballs, including fix for appletviewer regression. - Resolves: rhbz#1271926 [1:1.6.0.37-1.13.9.3] - Update with new IcedTea & b37 tarballs, including more Kerberos fixes for TCK regression. - Resolves: rhbz#1271926 [1:1.6.0.37-1.13.9.2] - Update with new IcedTea & b37 tarballs, including Kerberos fixes for TCK regression. - Resolves: rhbz#1271926 [1:1.6.0.37-1.13.9.1] - Update with newer tarball, including 6763122 fix for TCK regression. - Resolves: rhbz#1271926 [1:1.6.0.37-1.13.9.1] - Drop java-1.6.0-openjdk-pstack.patch. 6310967, the upstream version, is applied in OpenJDK 6. - Resolves: rhbz#1271926 [1:1.6.0.37-1.13.9.0] - Update to IcedTea 1.13.9 - Resolves: rhbz#1271926 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4835 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4903 CVE-2015-4911 Oracle Linux 7 [6.6.1p1-22] - Use the correct constant for glob limits (#1160377) [6.6.1p1-21] - Extend memory limit for remote glob in sftp acc. to stat limit (#1160377) [6.6.1p1-20] - Fix vulnerabilities published with openssh-7.0 (#1265807) - Privilege separation weakness related to PAM support - Use-after-free bug related to PAM support [6.6.1p1-19] - Increase limit of files for glob match in sftp to 8192 (#1160377) [6.6.1p1-18] - Add GSSAPIKexAlgorithms option for server and client application (#1253062) [6.6.1p1-17] - Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864) - XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231) - weakness of agent locking (ssh-add -x) to password guessing (#1238238) [6.6.1p1-16] - only query each keyboard-interactive device once (CVE-2015-5600) (#1245971) [6.6.1p1-15] - One more typo in manual page documenting TERM variable (#1162683) - Fix race condition with auditing messages answers (#1240613) [6.6.1p1-14] - Fix ldif schema to have correct spacing on newlines (#1184938) - Add missing values for sshd test mode (#1187597) - ssh-copy-id: tcsh doesnt work with multiline strings (#1201758) - Fix memory problems with newkeys and array transfers (#1223218) - Enhance AllowGroups documentation in man page (#1150007) [6.6.1p1-13] - Increase limit of files for glob match in sftp (#1160377) - Add pam_reauthorize.so to /etc/pam.d/sshd (#1204233) - Show all config values in sshd test mode (#1187597) - Document required selinux boolean for working ssh-ldap-helper (#1178116) - Consistent usage of pam_namespace in sshd (#1125110) - Fix auditing when using combination of ForcedCommand and PTY (#1199112) - Add sftp option to force mode of created files (#1197989) - Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper (#1201753) - Provide documentation line for systemd service and socket (#1181591) - Provide LDIF version of LPK schema (#1184938) - Document TERM environment variable (#1162683) - Fix ssh-copy-id on non-sh remote shells (#1201758) - Do not read RSA1 hostkeys for HostBased authentication in FIPS (#1197666) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5600 CVE-2015-6563 CVE-2015-6564 Oracle Linux 7 [2.7.5-34.0.1] - Add Oracle Linux distribution in platform.py [orabug 20812544] [2.7.5-34] - Revert fix for rhbz#1117751 as it leads to regressions Resolves: rhbz#1117751 [2.7.5-33] - Only restore SIG_PIPE when Popen called with restore_sigpipe Resolves: rhbz#1117751 [2.7.5-32] - Backport SSLSocket.version function - Temporary disable test_gdb on ppc64le rhbz#1260558 Resolves: rhbz#1259421 [2.7.5-31] - Update load_cert_chain function to accept None keyfile Resolves: rhbz#1250611 [2.7.5-30] - Change Patch224 according to latest update in PEP493 Resolves:rhbz#1219108 [2.7.5-29] - Popen shouldn't ignore SIG_PIPE Resolves: rhbz#1117751 [2.7.5-28] - Exclude python subprocess temp files from cleaning Resolves: rhbz#1058482 [2.7.5-27] - Add list for cprofile sort option Resolves:rhbz#1237107 [2.7.5-26] - Add switch to toggle cert verification on or off globally Resolves:rhbz#1219108 [2.7.5-25] - PEP476 enable cert verifications by default Resolves:rhbz#1219110 [2.7.5-24] - Massive backport of ssl module from python3 aka PEP466 Resolves: rhbz#1111461 [2.7.5-23] - Fixed CVE-2013-1753, CVE-2013-1752, CVE-2014-4616, CVE-2014-4650, CVE-2014-7185 Resolves: rhbz#1206574 [2.7.5-22] - Fix importing readline producing erroneous output Resolves: rhbz#1189301 [2.7.5-21] - Add missing import in bdist_rpm Resolves: rhbz#1177613 [2.7.5-20] - Avoid double close of subprocess pipes Resolves: rhbz#1103452 [2.7.5-19] - make multiprocessing ignore EINTR Resolves: rhbz#1181624 MODERATE Copyright 2015 Oracle, Inc. CVE-2013-1753 CVE-2014-4616 CVE-2013-1752 CVE-2014-4650 CVE-2014-7185 Oracle Linux 7 [2.11-24] - fix for CVE-2014-9112 [2.11-23] - better check for read() error (rhbz#1138148) - fix ru translation (rhbz#1075513) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9112 Oracle Linux 7 [2.20-2] - Fixed invalid UTF-8 byte sequence error in PCRE mode (by pcre-backported-fixes patch) Resolves: rhbz#1217080 - Fixed buffer overrun for grep -F Resolves: CVE-2015-1345 - Fixed \w and \W behaviour in multibyte locales Resolves: rhbz#1159012 - Documented --fixed-regexp option Resolves: rhbz#1103259 - Updated pcre buildrequires to require pcre-devel >= 7.8-7 Related: rhbz#1217080 LOW Copyright 2015 Oracle, Inc. CVE-2015-1345 Oracle Linux 7 [2.4.40-8] - NSS does not support string ordering (#1231522) - implement and correct order of parsing attributes (#1231522) - add multi_mask and multi_strength to correctly handle sets of attributes (#1231522) - add new cipher suites and correct AES-GCM attributes (#1245279) - correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279) [2.4.40-7] - Merge two MozNSS cipher suite definition patches into one. (#1245279) - Use what NSS considers default for DEFAULT cipher string. (#1245279) - Remove unnecesary defaults from ciphers' definitions (#1245279) [2.4.40-6] - fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977) [2.4.40-5] - enhancement: support TLS 1.1 and later (#1231522,#1160467) - fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522) - fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228) [2.4.40-4] - fix: rpm -V complains (#1230263) -- make the previous fix do what was intended [2.4.40-3] - fix: rpm -V complains (#1230263) [2.4.40-2] - fix: missing frontend database indexing (#1226600) [2.4.40-1] - new upstream release (#1147982) - fix: PIE and RELRO check (#1092562) - fix: slaptest doesn't convert perlModuleConfig lines (#1184585) - fix: OpenLDAP crash in NSS shutdown handling (#1158005) - fix: slapd.service may fail to start if binding to NIC ip (#1198781) - fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152) - improve check_password (#1174723, #1196243) - provide an unversioned symlink to check_password.so.1.1 (#1174634) - add findutils to requires (#1209229) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3276 Oracle Linux 7 [1.4.3-10] - check length of data extracted from the SSH_MSG_KEXINIT packet (CVE-2015-1782) [1.4.3-9] - curl consumes too much memory during scp download (#1080459) - prevent a not-connected agent from closing STDIN (#1147717) LOW Copyright 2015 Oracle, Inc. CVE-2015-1782 Oracle Linux 7 [3.2.2-2] - Fix xfs_metadump disclosure flaw, CVE-2012-2150 (#1251118) [3.2.2-1] - Update to upstream v3.2.2, plus fixes from v3.2.3 (#1223991) - repair: fix unnecessary secondary scan if only last sb is corrupt (#1201238) - repair: check ino alignment value to avoid mod by zero (#1223444) LOW Copyright 2015 Oracle, Inc. CVE-2012-2150 Oracle Linux 7 [3.10.0-327.OL7] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-327] - [mm] free compound page with correct order (Andrea Arcangeli) [1274867] - [netdrv] revert 'ixgbe: Refactor busy poll socket code to address multiple issues' (John Greene) [1261275] - [powerpc] dma: dma_set_coherent_mask() should not be GPL only (Gustavo Duarte) [1275976] [3.10.0-326] - [md] dm-cache: the CLEAN_SHUTDOWN flag was not being set (Mike Snitzer) [1274450] - [md] dm-btree: fix leak of bufio-backed block in btree_split_beneath error path (Mike Snitzer) [1274393] - [md] dm-btree-remove: fix a bug when rebalancing nodes after removal (Mike Snitzer) [1274396] - [fs] nfsd: fix duplicated destroy_delegation code introduced by backport ('J. Bruce Fields') [1273228] - [fs] xfs: validate transaction header length on log recovery (Brian Foster) [1164135] - [net] ipv6: don't use CHECKSUM_PARTIAL on MSG_MORE/UDP_CORK sockets (Hannes Frederic Sowa) [1271759] - [net] add length argument to skb_copy_and_csum_datagram_iovec (Sabrina Dubroca) [1269228] - [x86] kvm: fix edge EOI and IOAPIC reconfig race (Radim Krcmar) [1271333] - [x86] kvm: set KVM_REQ_EVENT when updating IRR (Radim Krcmar) [1271333] - [kernel] Initialize msg/shm IPC objects before doing ipc_addid() (Lennert Buytenhek) [1271507] {CVE-2015-7613} [3.10.0-325] - [fs] nfsd: ensure that delegation stateid hash references are only put once ('J. Bruce Fields') [1233284] - [fs] nfsd: ensure that the ol stateid hash reference is only put once ('J. Bruce Fields') [1233284] - [fs] nfsv4: Fix a nograce recovery hang (Benjamin Coddington) [1264478] - [fs] vfs: Test for and handle paths that are unreachable from their mnt_root ('Eric W. Biederman') [1209371] {CVE-2015-2925} - [fs] dcache: Handle escaped paths in prepend_path ('Eric W. Biederman') [1209371] {CVE-2015-2925} - [fs] xfs: add an xfs_zero_eof() tracepoint (Brian Foster) [1260383] - [fs] xfs: always drain dio before extending aio write submission (Brian Foster) [1260383] - [md] dm-cache: fix NULL pointer when switching from cleaner policy (Mike Snitzer) [1269959] - [mm] Temporary fix for BUG_ON() triggered by THP vs. gup() race (David Gibson) [1268999] - [hid] usbhid: improve handling of Clear-Halt and reset (Don Zickus) [1260123] - [drm] qxl: fix framebuffer dirty rectangle tracking (Gerd Hoffmann) [1268293] - [s390] hmcdrv: fix interrupt registration (Hendrik Brueckner) [1262735] - [block] blk-mq: fix deadlock when reading cpu_list (Jeff Moyer) [1260615] - [block] blk-mq: avoid inserting requests before establishing new mapping (Jeff Moyer) [1260615] - [block] blk-mq: fix q->mq_usage_counter access race (Jeff Moyer) [1260615] - [block] blk-mq: Fix use after of free q->mq_map (Jeff Moyer) [1260615] - [block] blk-mq: fix sysfs registration/unregistration race (Jeff Moyer) [1260615] - [block] blk-mq: avoid setting hctx->tags->cpumask before allocation (Jeff Moyer) [1260615] - [netdrv] cxgb4: Enhance driver to update FW, when FW is too old (Sai Vemuri) [1077966] - [netdrv] cxgb4: Force uninitialized state if FW in adapter is unsupported (Sai Vemuri) [1077966] - [powerpc] revert 'Use the POWER8 Micro Partition Prefetch Engine in KVM HV on POWER8' (Thomas Huth) [1269653] [3.10.0-324] - [netdrv] i40e/i40evf: set AQ count after memory allocation (Neil Horman) [1267663] - [netdrv] i40e: fix offload of GRE tunnels (Neil Horman) [1267663] - [netdrv] i40evf: don't blow away MAC address (Neil Horman) [1267663] - [netdrv] i40e/i40evf: grab the AQ spinlocks before clearing registers (Neil Horman) [1267663] - [netdrv] i40e: Fix a memory leak in X722 rss config path (Neil Horman) [1267663] - [netdrv] i40evf: Use numa_mem_id() to better support memoryless node (Neil Horman) [1267663] - [netdrv] i40e: Use numa_mem_id() to better support memoryless node (Neil Horman) [1267663] - [netdrv] i40e: fix 32 bit build warnings (Neil Horman) [1267663] - [netdrv] i40e: fix kbuild warnings (Neil Horman) [1267663] - [netdrv] i40evf: tweak init timing (Neil Horman) [1267663] - [netdrv] i40e: warn on double free (Neil Horman) [1267663] - [netdrv] i40e: refactor interrupt enable (Neil Horman) [1267663] - [netdrv] i40e: Strip VEB stats if they are disabled in HW (Neil Horman) [1267663] - [netdrv] i40e/i40evf: add new device id 1588 (Neil Horman) [1267663] - [netdrv] i40e: Remove useless message (Neil Horman) [1267663] - [netdrv] i40e: limit debugfs io ops (Neil Horman) [1267663] - [netdrv] i40e: use QOS field consistently (Neil Horman) [1267663] - [netdrv] i40e: count drops in netstat interface (Neil Horman) [1267663] - [netdrv] i40e/i40evf: fix Tx hang workaround code (Neil Horman) [1267663] - [netdrv] i40e: fixup padding issue in get_cee_dcb_cfg_v1_resp (Neil Horman) [1267663] - [netdrv] i40e: Fix a port VLAN configuration bug (Neil Horman) [1267663] - [netdrv] i40e/i40evf: fix up type clash in i40e_aq_rc_to_posix conversion (Neil Horman) [1267663] - [netdrv] i40e: rtnl_lock called twice in i40e_pci_error_resume() (Neil Horman) [1267663] - [netdrv] i40evf: missing rtnl_unlock in i40evf_resume() (Neil Horman) [1267663] [3.10.0-323] - [scsi] report 'INQUIRY result too short' once (Vitaly Kuznetsov) [1254049] - [scsi] scsi_scan: don't dump trace when scsi_prep_async_scan() is called twice (Vitaly Kuznetsov) [1254049] - [fs] userfaultfd: add missing mmput() in error path (Andrea Arcangeli) [1263480] - [mm] check if section present during memory block registering (Jan Stancek) [1256723] - [mm] avoid setting up anonymous pages into file mapping (Larry Woodman) [1261582] - [mm] add p[te|md] revert 'protnone helpers for use by NUMA balancing' (Thomas Huth) [1256718] - [powerpc] revert 'mm: convert p[te|md]_numa users to p[te|md]_protnone_numa' (Thomas Huth) [1256718] - [powerpc] revert 'mm: add paranoid warnings for unexpected DSISR_PROTFAULT' (Thomas Huth) [1256718] - [mm] revert 'convert p[te|md]_mknonnuma and remaining page table manipulations' (Thomas Huth) [1256718] - [mm] revert 'numa: Do not mark PTEs pte_numa when splitting huge pages' (Thomas Huth) [1256718] - [mm] revert 'remove remaining references to NUMA hinting bits and helpers' (Thomas Huth) [1256718] - [mm] revert 'numa: do not trap faults on the huge zero page' (Thomas Huth) [1256718] - [mm] revert 'numa: add paranoid check around pte_protnone_numa' (Thomas Huth) [1256718] - [mm] revert 'numa: avoid unnecessary TLB flushes when setting NUMA hinting entries' (Thomas Huth) [1256718] - [powerpc] mm: Change the swap encoding in pte (Thomas Huth) [1256718] - [x86] perf: Fix multi-segment problem of perf_event_intel_uncore (Jiri Olsa) [1257825] - [lib] partially revert '[lib] vsprintf: implement bitmap printing through '*pb[l]'' (Maurizio Lombardi) [1260118] - [drm] radeon: update no_64bit_msi flag for certain ASICs (Oded Gabbay) [1262429] - [drm] nouveau: fbcon: take runpm reference when userspace has an open fd (Ben Skeggs) [1176163] - [drm] qxl: validate monitors config modes (Dave Airlie) [1242847] - [drm] radeon: don't attempt WC mappings on powerpc (Dave Airlie) [1262429] - [drm] drm/qxl: recreate the primary surface when the bo is not primary (Dave Airlie) [1258301] - [drm] qxl: only report first monitor as connected if we have no state (Dave Airlie) [1258301] - [drm] dp_mst: drop cancel work sync in the mstb destroy path (Dave Airlie) [1251331] - [drm] dp_mst: split connector registration into two parts (Dave Airlie) [1251331] - [drm] dp_mst: update the link_address_sent before sending the link address (Dave Airlie) [1251331] - [drm] dp_mst: fixup handling hotplug on port removal (Dave Airlie) [1251331] - [drm] dp_mst: don't pass port into the path builder function (Dave Airlie) [1251331] - [drm] dp_mst: make functions that always return 0 return void (Dave Airlie) [1251331] - [kernel] uprobes: fix kABI broken by the exported return_instance (Oleg Nesterov) [1207373] - [kernel] uprobes: Make arch_uretprobe_is_alive(RP_CHECK_CALL) more clever (Oleg Nesterov) [1207373] - [kernel] uprobes: Add the 'enum rp_check ctx' arg to arch_uretprobe_is_alive() (Oleg Nesterov) [1207373] - [kernel] uprobes: Change prepare_uretprobe() to (try to) flush the dead frames (Oleg Nesterov) [1207373] - [kernel] uprobes: Change handle_trampoline() to flush the frames invalidated by longjmp() (Oleg Nesterov) [1207373] - [kernel] uprobes: Reimplement arch_uretprobe_is_alive() (Oleg Nesterov) [1207373] - [kernel] uprobes: Export 'struct return_instance', introduce arch_uretprobe_is_alive() (Oleg Nesterov) [1207373] - [kernel] uprobes: Change handle_trampoline() to find the next chain beforehand (Oleg Nesterov) [1207373] - [kernel] uprobes: Change prepare_uretprobe() to use uprobe_warn() (Oleg Nesterov) [1207373] - [kernel] uprobes: Send SIGILL if handle_trampoline() fails (Oleg Nesterov) [1207373] - [kernel] uprobes: Introduce free_ret_instance() (Oleg Nesterov) [1207373] - [kernel] uprobes: Introduce get_uprobe() (Oleg Nesterov) [1207373] - [kernel] lockdep: Fix a race between /proc/lock_stat and module unload (Jerome Marchand) [1183891] - [kernel] lockdep: Fix the module unload key range freeing logic (Jerome Marchand) [1183891] - [kernel] module: Free lock-classes if parse_args failed (Jerome Marchand) [1183891] - [cpufreq] revert 'intel_pstate: honor user space min_perf_pct override on resume' (Prarit Bhargava) [1269518] [3.10.0-322] - [fs] nfs: fix v4.2 SEEK on files over 2 gigs ('J. Bruce Fields') [1262181] - [fs] nfs: verify open flags before allowing open (Benjamin Coddington) [1164431] - [fs] nfsv4.1: Fix pnfs_put_lseg races (Benjamin Coddington) [1263155] - [fs] nfsv4.1: pnfs_send_layoutreturn should use GFP_NOFS (Benjamin Coddington) [1263155] - [fs] nfsv4.1: Pin the inode and super block in asynchronous layoutreturns (Benjamin Coddington) [1263155] - [fs] nfsv4.1: Pin the inode and super block in asynchronous layoutcommit (Benjamin Coddington) [1263155] - [md] raid0: apply base queue limits *before* disk_stack_limits (Jes Sorensen) [1265182] - [net] revert 'ipv6: Don't reduce hop limit for an interface' (Sabrina Dubroca) [1258324] - [x86] kvmclock: abolish PVCLOCK_COUNTS_FROM_ZERO (Radim Krcmar) [1263030] - [x86] revert 'kvm: x86: zero kvmclock_offset when vcpu0 initializes kvmclock system MSR' (Radim Krcmar) [1263030] - [x86] kvm: svm: reset mmu on VCPU reset (Igor Mammedov) [1255217] - [edac] sb_edac: correctly fetch DIMM width on Ivy Bridge and Haswell (Aristeu Rozanski) [1112413] - [edac] sb_edac: look harder for DDRIO on Haswell systems (Aristeu Rozanski) [1112413] - [tools] perf-trace: Fix race condition at the end of started workloads (Jiri Olsa) [1250068] - [netdrv] cxgb4: Fix tx flit calculation (Sai Vemuri) [1266248] - [netdrv] igb: assume MSI-X interrupts during initialization (Stefan Assmann) [1263625] - [cpufreq] intel_pstate: disable Skylake processors (Prarit Bhargava) [1267343] - [infiniband] mlx4: Report checksum offload cap for RAW QP when query device (Doug Ledford) [1265795] - [infiniband] core: Add support of checksum capability reporting for RC and RAW (Doug Ledford) [1265795] [3.10.0-321] - [netdrv] i40e/i40evf: check for stopped admin queue (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: refactor tx timeout logic (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Bump i40e to 1.3.21 and i40evf to 1.3.13 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add get AQ result command to nvmupdate utility (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add exec_aq command to nvmupdate utility (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add wait states to NVM state machine (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add GetStatus command for nvmupdate (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add handling of writeback descriptor (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: save aq writeback for future inspection (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Bump i40e to 1.3.9 and i40evf to 1.3.5 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Cache the CEE TLV status returned from firmware (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add VIRTCHNL_VF_OFFLOAD flag (Stefan Assmann) [1267255] - [netdrv] i40evf: Remove PF specific register definitions from the VF (Stefan Assmann) [1267255] - [netdrv] i40evf: Use the correct defines to match the VF registers (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add capability to gather VEB per TC stats (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add TX/RX outer UDP checksum support for X722 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add support for writeback on ITR feature for X722 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: RSS changes for X722 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Update register.h file for X722 (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Update FW API with X722 support (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add flags for X722 capabilities (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add device ids for X722 (Stefan Assmann) [1267255] - [netdrv] i40e: use BIT and BIT_ULL macros (Stefan Assmann) [1267255] - [netdrv] i40e: clean up error status messages (Stefan Assmann) [1267255] - [netdrv] i40evf: support virtual channel API version 1.1 (Stefan Assmann) [1267255] - [netdrv] i40evf: handle big resets (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: add macros for virtual channel API version and device capability (Stefan Assmann) [1267255] - [netdrv] i40e: add VF capabilities to virtual channel interface (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Fix and refactor dynamic ITR code (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Bump version to 1.3.6 for i40e and 1.3.2 for i40evf (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add support for pre-allocated pages for PD (Stefan Assmann) [1267255] - [netdrv] i40evf: add MAC address filter in open, not init (Stefan Assmann) [1267255] - [netdrv] i40evf: don't delete all the filters (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Update the admin queue command header (Stefan Assmann) [1267255] - [netdrv] i40evf: Allow for an abundance of vectors (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: improve Tx performance with a small tweak (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Update Flex-10 related device/function capabilities (Stefan Assmann) [1267255] - [netdrv] i40e/i40evf: Add stats to track FD ATR and SB dynamic enable state (Stefan Assmann) [1267255] - [netdrv] i40e: Fix for recursive RTNL lock during PROMISC change (Stefan Assmann) [1267254] - [netdrv] i40e: Fix RS bit update in Tx path and disable force WB workaround (Stefan Assmann) [1267254] - [netdrv] i40e: add GRE tunnel type to csum encoding (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: refactor tx timeout logic (Stefan Assmann) [1267254] - [netdrv] i40e: Move i40e_get_head into header file (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: check for stopped admin queue (Stefan Assmann) [1267254] - [netdrv] i40e: fix VLAN inside VXLAN (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Bump i40e to 1.3.21 and i40evf to 1.3.13 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add get AQ result command to nvmupdate utility (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add exec_aq command to nvmupdate utility (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add wait states to NVM state machine (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add GetStatus command for nvmupdate (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add handling of writeback descriptor (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: save aq writeback for future inspection (Stefan Assmann) [1267254] - [netdrv] i40e: rename variable to prevent clash of understanding (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Bump i40e to 1.3.9 and i40evf to 1.3.5 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Cache the CEE TLV status returned from firmware (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add VIRTCHNL_VF_OFFLOAD flag (Stefan Assmann) [1267254] - [netdrv] i40e: Remove redundant and unneeded messages (Stefan Assmann) [1267254] - [netdrv] i40e: correct spelling error (Stefan Assmann) [1267254] - [netdrv] i40e: Fix comment for ethtool diagnostic link test (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add capability to gather VEB per TC stats (Stefan Assmann) [1267254] - [netdrv] i40e: Fix ethtool offline diagnostic with netqueues (Stefan Assmann) [1267254] - [netdrv] i40e: Fix legacy interrupt mode in the driver (Stefan Assmann) [1267254] - [netdrv] i40e: Move function calls to i40e_shutdown instead of i40e_suspend (Stefan Assmann) [1267254] - [netdrv] i40e: add RX to port CRC errors label (Stefan Assmann) [1267254] - [netdrv] i40e: don't degrade __le16 (Stefan Assmann) [1267254] - [netdrv] i40e: Add AQ commands for NVM Update for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add ATR HW eviction support for X722 (Stefan Assmann) [1267254] - [netdrv] i40e: Add IWARP support for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add TX/RX outer UDP checksum support for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add support for writeback on ITR feature for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: RSS changes for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Update register.h file for X722 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Update FW API with X722 support (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add flags for X722 capabilities (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add device ids for X722 (Stefan Assmann) [1267254] - [netdrv] i40e: use BIT and BIT_ULL macros (Stefan Assmann) [1267254] - [netdrv] i40e: provide correct API version to older VF drivers (Stefan Assmann) [1267254] - [netdrv] i40e: support virtual channel API 1.1 (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: add macros for virtual channel API version and device capability (Stefan Assmann) [1267254] - [netdrv] i40e: add VF capabilities to virtual channel interface (Stefan Assmann) [1267254] - [netdrv] i40e: clean up unneeded gotos (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Fix and refactor dynamic ITR code (Stefan Assmann) [1267254] - [netdrv] i40e: only report generic filters in get_ts_info (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Bump version to 1.3.6 for i40e and 1.3.2 for i40evf (Stefan Assmann) [1267254] - [netdrv] i40e: Refine an error message to avoid confusion (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add support for pre-allocated pages for PD (Stefan Assmann) [1267254] - [netdrv] i40e: un-disable VF after reset (Stefan Assmann) [1267254] - [netdrv] i40e: do a proper reset when disabling a VF (Stefan Assmann) [1267254] - [netdrv] i40e: correctly program filters for VFs (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Update the admin queue command header (Stefan Assmann) [1267254] - [netdrv] i40e: Remove incorrect #ifdef's (Stefan Assmann) [1267254] - [netdrv] i40e: ignore duplicate port VLAN requests (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: improve Tx performance with a small tweak (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Update Flex-10 related device/function capabilities (Stefan Assmann) [1267254] - [netdrv] i40e/i40evf: Add stats to track FD ATR and SB dynamic enable state (Stefan Assmann) [1267254] - [netdrv] i40e: Implement ndo_features_check() (Stefan Assmann) [1267254] [3.10.0-320] - [md] raid1: Avoid raid1 resync getting stuck (Jes Sorensen) [1256954] - [fs] gfs2: fallocate: do not rely on file_update_time to mark the inode dirty (Andrew Price) [1264521] - [fs] gfs2: Update timestamps on fallocate (Andrew Price) [1264521] - [fs] gfs2: Update i_size properly on fallocate (Andrew Price) [1264521] - [fs] gfs2: Use inode_newsize_ok and get_write_access in fallocate (Andrew Price) [1264521] - [fs] revert 'nfs: Make close(2) asynchronous when closing NFS O_DIRECT files' (Benjamin Coddington) [1263385] - [fs] gfs2: Average in only non-zero round-trip times for congestion stats (Robert S Peterson) [1162821] - [fs] lockd: fix rpcbind crash on lockd startup failure ('J. Bruce Fields') [1253782] - [fs] Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount (Benjamin Coddington) [1263376] - [fs] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags() (Lukas Czerner) [1247436] - [net] sctp: fix race on protocol/netns initialization (Marcelo Leitner) [1251807] {CVE-2015-5283} - [x86] Mark Broadwell-DE SoC Supported (Prarit Bhargava) [1131685] - [kernel] sched,numa: limit amount of virtual memory scanned in task_numa_work (Rik van Riel) [1261722] - [drivers] base: show nohz_full cpus in sysfs (Rik van Riel) [1212618] - [drivers] base: show isolated cpus in sysfs (Rik van Riel) [1212618] - [cpufreq] intel_pstate: add quirk to disable HWP on Skylake-S processors (Jerry Snitselaar) [1263069] - [drivers] core: Add symlink to device-tree from devices with an OF node (Gustavo Duarte) [1258828] - [powerpc] device: Add dev_of_node() accessor (Gustavo Duarte) [1258828] - [powerpc] iommu: Support 'hybrid' iommu/direct DMA ops for coherent_mask < dma_mask (Gustavo Duarte) [1246880] - [powerpc] iommu: Cleanup setting of DMA base/offset (Gustavo Duarte) [1246880] - [powerpc] iommu: Remove dma_data union (Gustavo Duarte) [1246880] - [powerpc] kvm: book3s-hv: Fix handling of interrupted VCPUs (Thomas Huth) [1263568] - [powerpc] kvm: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store() (Thomas Huth) [1263577] [3.10.0-319] - [netdrv] cxgb4: Make necessary changes after reverting FCoE (Sai Vemuri) [1258657] - [netdrv] revert 'cxgb4: add cxgb4_fcoe.c for FCoE' (Sai Vemuri) [1258657] - [infiniband] iw_cxgb4: Cleanup register defines/MACROS (Sai Vemuri) [1251611] - [infiniband] iw_cxgb4: 32b platform fixes (Sai Vemuri) [1251611] - [infiniband] iw_cxgb4: use BAR2 GTS register for T5 kernel mode CQs (Sai Vemuri) [1251611] - [infiniband] iw_cxgb4: enforce qp/cq id requirements (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix incorrect sequence numbers shown in devlog (Sai Vemuri) [1251611] - [netdrv] cxgb4: remove unused fn to enable/disable db coalescing (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf: function and argument name cleanup (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add debugfs facility to inject FL starvation (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add PHY firmware support for T420-BT cards (Sai Vemuri) [1251611] - [netdrv] cxgb4: Update T4/T5 adapter register ranges (Sai Vemuri) [1251611] - [netdrv] cxgb4: Optimize and cleanup setup memory window code (Sai Vemuri) [1251611] - [netdrv] cxgb4: replace ntoh{s, l} and hton{s, l} calls with the generic byteorder (Sai Vemuri) [1251611] - [netdrv] cxgb4: Remove dead function t4_read_edc and t4_read_mc (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf: Cleanup macros, add comments and add new MACROS (Sai Vemuri) [1251611] - [netdrv] cxgb3/4/4vf: Update drivers to use dma_rmb/wmb where appropriate (Sai Vemuri) [1251611] - [netdrv] cxgb4: add cxgb4_fcoe.c for FCoE (Sai Vemuri) [1251611] - [infiniband] iw_cxgb4: Remove negative advice dmesg warnings (Sai Vemuri) [1251611] - [netdrv] cxgb4: Initialize RSS mode for all Ports (Sai Vemuri) [1251611] - [netdrv] cxgb4: Discard the packet if the length is greater than mtu (Sai Vemuri) [1251611] - [netdrv] cxgb4: Move SGE Ingress DMA state monitor code to a new routine (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add device node to ULD info (Sai Vemuri) [1251611] - [netdrv] cxgb4: Pass in a Congestion Channel Map to t4_sge_alloc_rxq() (Sai Vemuri) [1251611] - [netdrv] cxgb4: Enable congestion notification from SGE for IQs and FLs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Make sure that Freelist size is larger than Egress Congestion Threshold (Sai Vemuri) [1251611] - [netdrv] cxgb4: drop __GFP_NOFAIL allocation (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix MC1 memory offset calculation (Sai Vemuri) [1251611] - [netdrv] cxgb4: Don't call t4_slow_intr_handler when we're not the Master PF (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add comment for calculate tx flits and sge length code (Sai Vemuri) [1251611] - [netdrv] cxgb4: Use device node in page allocation (Sai Vemuri) [1251611] - [netdrv] cxgb4: Freelist starving threshold varies from adapter to adapter (Sai Vemuri) [1251611] - [netdrv] cxgb4: Increased the value of MAX_IMM_TX_PKT_LEN from 128 to 256 bytes (Sai Vemuri) [1251611] - [netdrv] cxgb4: Move ethtool related code to a separate file (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix to dump devlog, even if FW is crashed (Sai Vemuri) [1251611] - [netdrv] cxgb4: Firmware macro changes for fw verison 1.13.32.0 (Sai Vemuri) [1251611] - [infiniband] cxgb4: Serialize CQ event upcalls with CQ destruction (Sai Vemuri) [1251611] - [infiniband] cxgb4: Don't hang threads forever waiting on WR replies (Sai Vemuri) [1251611] - [netdrv] cxgb4vf: Fix sparse warnings (Sai Vemuri) [1251611] - [netdrv] cxgb4: Disable interrupts and napi before unregistering netdev (Sai Vemuri) [1251611] - [netdrv] cxgb4: Allocate dynamic mem. for egress and ingress queue maps (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix frame size warning for 32 bit arch (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf/csiostor: Make PCI Device ID Tables be 'const' (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add device ID for new adapter (Sai Vemuri) [1251611] - [netdrv] cxgb4: fix coccinelle warnings (Sai Vemuri) [1251611] - [netdrv] cxgb4: Try and provide an RDMA CIQ per cpu (Sai Vemuri) [1251611] - [netdrv] cxgb4: Use pci_enable_msix_range() instead of pci_enable_msix() (Sai Vemuri) [1251611] - [netdrv] cxgb4: Move offload Rx queue allocation to separate function (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix PCI-E Memory window interface for big-endian systems (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support in cxgb4 to get expansion rom version via ethtool (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix trace observed while dumping clip_tbl (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support in debugfs to dump the congestion control table (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support to dump mailbox content in debugfs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for ULP RX logic analyzer output in debugfs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Added support in debugfs to display TP logic analyzer output (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support in debugfs to display sensor information (Sai Vemuri) [1251611] - [netdrv] chelsio: cxgb4: fix sparse warning (Sai Vemuri) [1251611] - [netdrv] cxgb4: Delete an unnecessary check before the function call 'release_firmware' (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add low latency socket busy_poll support (Sai Vemuri) [1251611] - [netdrv] cxgb4: Improve IEEE DCBx support, other minor open-lldp fixes (Sai Vemuri) [1251611] - [netdrv] cxgb4: Remove preprocessor check for CONFIG_CXGB4_DCB (Sai Vemuri) [1251611] - [netdrv] cxgb4: Move firmware version MACRO to t4fw_version.h (Sai Vemuri) [1251611] - [netdrv] cxgb4: Added support in debugfs to dump different timer and clock values of the adapter (Sai Vemuri) [1251611] - [netdrv] cxgb4: Added support in debugfs to dump PM module stats (Sai Vemuri) [1251611] - [netdrv] cxgb4: Addded support in debugfs to dump CIM outbound queue content (Sai Vemuri) [1251611] - [netdrv] cxgb4: Added support in debugfs to dump cim ingress bound queue contents (Sai Vemuri) [1251611] - [netdrv] cxgb4: Added support in debugfs to dump sge_qinfo (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fixes cxgb4_inet6addr_notifier unregister call (Sai Vemuri) [1251611] - [netdrv] mode_t whack-a-mole: chelsio (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add debugfs options to dump the rss key, config for PF, VF, etc (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add debugfs entry to dump the contents of the flash (Sai Vemuri) [1251611] - [netdrv] cxgb4: Update ipv6 address handling api (Sai Vemuri) [1251611] - [netdrv] cxgb4: Ripping out old hard-wired initialization code in driver (Sai Vemuri) [1251611] - [netdrv] iw_cxgb4/cxgb4/cxgb4vf/cxgb4i/csiostor: Cleanup register defines/macros related to all other cpl messages (Sai Vemuri) [1251611] - [netdrv] iw_cxgb4/cxgb4/cxgb4i: Cleanup register defines/MACROS related to CM CPL messages (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for mps_tcam debugfs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for cim_qcfg entry in debugfs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for cim_la entry in debugfs (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for devlog (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add PCI device ID for new T5 adapter (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf/csiostor: Cleanup PL, XGMAC, SF and MC related register defines (Sai Vemuri) [1251611] - [netdrv] cxgb4/csiostor: Cleanup TP, MPS and TCAM related register defines (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxg4vf/csiostor: Cleanup MC, MA and CIM related register defines (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf/csiostor: Cleanup SGE and PCI related register defines (Sai Vemuri) [1251611] - [infiniband] cxgb4/cxgb4vf/csiostor: Cleanup SGE register defines (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fix decoding QSA module for ethtool get settings (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add support for QSA modules (Sai Vemuri) [1251611] - [netdrv] cxgb4/csiostor: Don't use MASTER_MUST for fw_hello call (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf: global named must be unique (Sai Vemuri) [1251611] - [netdrv] cxgb4: Update firmware version after flashing it via ethtool (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf: Use new interfaces to calculate BAR2 SGE Queue Register addresses (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf: Add code to calculate T5 BAR2 Offsets for SGE Queue Registers (Sai Vemuri) [1251611] - [netdrv] cxgb4vf: Add and initialize some sge params for VF driver (Sai Vemuri) [1251611] - [netdrv] cxgb4: Update FW version string to match FW binary version 1.12.25.0 (Sai Vemuri) [1251611] - [netdrv] cxgb4: Add a check for flashing FW using ethtool (Sai Vemuri) [1251611] - [netdrv] cxgb4: Fill in supported link mode for SFP modules (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf/csiostor: Add T4/T5 PCI ID Table (Sai Vemuri) [1251611] - [infiniband] cxgb4/cxgb4vf/csiostor: Cleanup macros/register defines related to PCIE, RSS and FW (Sai Vemuri) [1251611] - [netdrv] cxgb4/cxgb4vf/csiostor: Cleanup macros/register defines related to port and VI (Sai Vemuri) [1251611] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2013-7421 CVE-2014-9644 CVE-2014-8171 CVE-2010-5313 CVE-2014-3647 CVE-2014-7842 CVE-2015-2925 CVE-2015-4170 CVE-2015-5283 CVE-2015-6526 CVE-2015-7613 CVE-2015-7837 CVE-2014-9419 CVE-2015-0239 CVE-2015-3339 Oracle Linux 7 [1.13.2-9] - Add patch and test case for 'KDC does not return proper client principal for client referrals' - Resolves: #1259846 [1.13.2-9] - Ammend patch for RedHat bug #1252454 ('testsuite complains 'Lifetime has increased by 32436 sec while 0 sec passed!', while rhel5-libkrb5 passes') to handle the newly introduced valgrind hits. [1.13.2-8] - Add a patch to fix RH Bug #1250154 ('[s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL') The code 'accidently' works on x86/AMD64 because declaring a variable |char| results in an |unsigned char| by default while most other platforms (e.g. { s390x, ppc64, ppc64le, ...}) default to |signed char| (still have to use lint(1) to clean up 38 more instances of this kind of bug). [1.13.2-7] - Obsolete multilib versions of server packages to fix RH bug #1251913 ('krb5 should obsolete the multilib versions of krb5-server and krb5-server-ldap'). The following packages are declared obsolete: - krb5-server-1.11.3-49.el7.i686 - krb5-server-1.11.3-49.el7.ppc - krb5-server-1.11.3-49.el7.s390 - krb5-server-ldap-1.11.3-49.el7.i686 - krb5-server-ldap-1.11.3-49.el7.ppc - krb5-server-ldap-1.11.3-49.el7.s390 [1.13.2-6] - Add a patch to fix RedHat bug #1252454 ('testsuite complains 'Lifetime has increased by 32436 sec while 0 sec passed!', while rhel5-libkrb5 passes') so that krb5 resolves GSS creds if |time_rec| is requested. [1.13.2-5] - Add a patch to fix RedHat bug #1251586 ('KDC sends multiple requests to ipa-otpd for the same authentication') which causes the KDC to send multiple retries to ipa-otpd for TCP transports while it should only be done for UDP. [1.13.2-4] - the rebase to krb5 1.13.2 in vers 1.13.2-0 also fixed: - Redhat Bug #1247761 ('RFE: Minor krb5 spec file cleanup and sync with recent Fedora 22/23 changes') - Redhat Bug #1247751 ('krb5-config returns wrong -specs path') - Redhat Bug #1247608 ('Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ('A Generalized Framework for Kerberos Pre-Authentication')') - Removed 'krb5-1.10-kprop-mktemp.patch' and 'krb5-1.3.4-send-pr-tempfile.patch', both are no longer used since the rebase to krb5 1.13.1 [1.13.2-3] - Add patch to fix Redhat Bug #1222903 ('[SELinux] AVC denials may appear when kadmind starts'). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the 'random' port usage. [1.13.2-2] - Add fix for RedHat Bug #1164304 ('Upstream unit tests loads the installed shared libraries instead the ones from the build') [1.13.2-1] - the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed: - Bug 1144498 ('Fix the race condition in the libkrb5 replay cache') - Bug 1163402 ('kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64') - Bug 1185770 ('Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c') - Bug 1204211 ('CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other') [1.13.2-0] - Update to krb5-1.13.2 - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 [1.13.1-2] - the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed RH bug #1156144 ('krb5 upstream test t_kdb.py failure') [1.13.1-1] - fix for CVE-2015-2694 (#1218020) 'requires_preauth bypass in PKINIT-enabled KDC'. In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. [1.13.1-0] - Update to krb5-1.13.1 - patch krb5-1.12-selinux-label was updated and renamed to krb5-1.13-selinux-label - patch krb5-1.11-dirsrv-accountlock was updated and renamed to krb5-1.13-dirsrv-accountlock - drop patch for krb5-1.12-pwdch-fast, fixed in krb5-1.13 - drop patch for krb5-1.12ish-kpasswd_tcp, fixed in krb5-1.13 - drop patch for krb5-master-rcache-internal-const, no longer needed - drop patch for krb5-master-rcache-acquirecred-cleanup, no longer needed - drop patch for krb5-master-rcache-acquirecred-source, no longer needed - drop patch for krb5-master-rcache-acquirecred-test, no longer needed - drop patch for krb5-master-move-otp-sockets, no longer needed - drop patch for krb5-master-mechd, no longer needed - drop patch for krb5-master-strdupcheck, no longer needed - drop patch for krb5-master-compatible-keys, no longer needed - drop patch for krb5-1.12-system-exts, fixed in krb5-1.13 - drop patch for 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted, no longer needed - drop patch for 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals, no longer needed - drop patch for 0003-Use-an-intermediate-memory-cache-in-ksu, no longer needed - drop patch for 0004-Make-ksu-respect-the-default_ccache_name-setting, no longer needed - drop patch for 0005-Copy-config-entries-to-the-ksu-target-ccache, no longer needed - drop patch for 0006-Use-more-randomness-for-ksu-secondary-cache-names, no longer needed - drop patch for 0007-Make-krb5_cc_new_unique-create-DIR-directories, no longer needed - drop patch for krb5-1.12-kpasswd-skip-address-check, fixed in krb5-1.13 - drop patch for 0000-Refactor-cm-functions-in-sendto_kdc.c, no longer needed - drop patch for 0001-Simplify-sendto_kdc.c, no longer needed - drop patch for 0002-Add-helper-to-determine-if-a-KDC-is-the-master, no longer needed - drop patch for 0003-Use-k5_transport-_strategy-enums-for-k5_sendto, no longer needed - drop patch for 0004-Build-support-for-TLS-used-by-HTTPS-proxy-support, no longer needed - drop patch for 0005-Add-ASN.1-codec-for-KKDCP-s-KDC-PROXY-MESSAGE, no longer needed - drop patch for 0006-Dispatch-style-protocol-switching-for-transport, no longer needed - drop patch for 0007-HTTPS-transport-Microsoft-KKDCPP-implementation, no longer needed - drop patch for 0008-Load-custom-anchors-when-using-KKDCP, no longer needed - drop patch for 0009-Check-names-in-the-server-s-cert-when-using-KKDCP, no longer needed - drop patch for 0010-Add-some-longer-form-docs-for-HTTPS, no longer needed - drop patch for 0011-Have-k5test.py-provide-runenv-to-python-tests, no longer needed - drop patch for 0012-Add-a-simple-KDC-proxy-test-server, no longer needed - drop patch for 0013-Add-tests-for-MS-KKDCP-client-support, no longer needed - drop patch for krb5-1.12ish-tls-plugins, fixed in krb5-1.13.1 - drop patch for krb5-1.12-nodelete-plugins, fixed in krb5-1.13.1 - drop patch for krb5-1.12-ksu-untyped-default-ccache-name, fixed in krb5-1.13.1 - drop patch for krb5-1.12-ksu-no-ccache, fixed in krb5-1.13.1 - drop patch for krb5-ksu_not_working_with_default_principal, fixed in krb5-1.13.1 - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 - drop patch for CVE_2014_5354_support_keyless_principals_in_ldap, fixed in krb5-1.13.1 - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 - added patch krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED - added patch krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling - Minor spec cleanup MODERATE Copyright 2015 Oracle, Inc. CVE-2014-5355 CVE-2015-2694 Oracle Linux 7 [5.11-31] - fix #1255396 - Make the build ID output consistent with other tools [5.11-30] - fix CVE-2014-8116 - bump the acceptable ELF program headers count to 2048 [5.11-29] - fix #839229 - fix detection of version of XML files [5.11-28] - fix #839229 - fix detection of version of XML files [5.11-27] - fix CVE-2014-0207 - cdf_read_short_sector insufficient boundary check - fix CVE-2014-0237 - cdf_unpack_summary_info() excessive looping DoS - fix CVE-2014-0238 - CDF property info parsing nelements infinite loop - fix CVE-2014-3478 - mconvert incorrect handling of truncated pascal string - fix CVE-2014-3479 - fix extensive backtracking in regular expression - fix CVE-2014-3480 - cdf_count_chain insufficient boundary check - fix CVE-2014-3487 - cdf_read_property_info insufficient boundary check - fix CVE-2014-3538 - unrestricted regular expression matching - fix CVE-2014-3587 - fix cdf_read_property_info - fix CVE-2014-3710 - out-of-bounds read in elf note headers - fix CVE-2014-8116 - multiple denial of service issues (resource consumption) - fix CVE-2014-8117 - denial of service issue (resource consumption) - fix CVE-2014-9652 - out of bounds read in mconvert() - fix CVE-2014-9653 - malformed elf file causes access to uninitialized memory [5.11-26] - fix #1080452 - remove .orig files from magic directory [5.11-25] - fix #1224667, #1224668 - show additional info for Linux swap files [5.11-24] - fix #1064268 - fix stray return -1 [5.11-23] - fix #1094648 - improve Minix detection pattern to fix false positives - fix #1161912 - trim white-spaces during ISO9660 detection - fix #1157850 - fix detection of ppc64le ELF binaries - fix #1161911 - display 'from' field on 32bit ppc core - fix #1064167 - revert MAXMIME patch - fix #1064268 - detect Dwarf debuginfo as 'not stripped' - fix #1082689 - fix invalid read when matched pattern is the last one tried - fix #1080362 - remove deadcode and OFFSET_OOB redefinition [5.11-22] - fix #1067688 - add support for aarch64 ELF binaries MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3478 CVE-2014-3538 CVE-2014-3587 CVE-2014-0207 CVE-2014-0237 CVE-2014-0238 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3710 CVE-2014-8116 CVE-2014-8117 CVE-2014-9653 CVE-2014-9652 Oracle Linux 7 [7.29.0-25.0.1] - disable check to make build pass [7.29.0-25] - fix spurious failure of test 1500 on ppc64le (#1218272) [7.29.0-24] - use the default min/max TLS version provided by NSS (#1170339) - improve handling of timeouts and blocking direction to speed up FTP (#1218272) [7.29.0-23] - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) [7.29.0-22] - reject CRLFs in URLs passed to proxy (CVE-2014-8150) [7.29.0-21] - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) [7.29.0-20] - eliminate unnecessary delay when resolving host from /etc/hosts (#1130239) - allow to enable/disable new AES cipher-suites (#1066065) - call PR_Cleanup() on curl tool exit if NSPR is used (#1071254) - implement non-blocking TLS handshake (#1091429) - fix limited connection re-use for unencrypted HTTP (#1101092) - disable libcurl-level downgrade to SSLv3 (#1154060) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161182) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1166264) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3613 CVE-2014-3707 CVE-2014-8150 CVE-2015-3143 CVE-2015-3148 Oracle Linux 7 [2.17-106.0.1.1] - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. [2.17-106.1] - Rebuild with corrected release. [2.17-106] - Add fix for CVE-2015-5277 (#1275920). IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5277 Oracle Linux 7 rubygem-bundler [1.7.8-3] - Enforce higher Thor version, which is required by Bundler. Related: rhbz#1194243 [1.7.8-2] - Update to Bundler 1.7.8. Resolves: rhbz#1194243 - Use symlinks for vendored libraries. Resolves: rhbz#1163076 [1.3.1-3] - Mass rebuild 2013-12-27 [1.3.1-2] - Always include Patch100 in SRPM. [1.3.1-1] rubygem-thor [0.19.1-1] - Update to thor 1.19.1. Resolves: rhbz#1209921 MODERATE Copyright 2015 Oracle, Inc. CVE-2013-0334 Oracle Linux 7 [0.16.1-5] - Revert 0.16.1-4 - Use samba by default - Resolves: rhbz#1271618 [0.16.1-4] - Fix regressions in 0.16.x releases - Resolves: rhbz#1258745 - Resolves: rhbz#1258488 [0.16.1-3] - Fix regression accepting DNS domain names - Resolves: rhbz#1243771 [0.16.1-2] - Fix discarded patch: ipa-packages.patch [0.16.1-1] - Updated to upstream 0.16.1 - Resolves: rhbz#1241832 - Resolves: rhbz#1230941 [0.16.0-1] - Updated to upstream 0.16.0 - Resolves: rhbz#1174911 - Resolves: rhbz#1142191 - Resolves: rhbz#1142148 [0.14.6-5] - Don't crash when full_name_format is not in sssd.conf [#1051033] This is a regression from a prior update. [0.14.6-4] - Fix full_name_format printf(3) related failure [#1048087] [0.14.6-3] - Mass rebuild 2013-12-27 [0.14.6-2] - Start oddjob after joining a domain [#967023] [0.14.6-1] - Update to upstream 0.14.6 point release - Set 'kerberos method = system keytab' in smb.conf properly [#997580] - Limit Netbios name to 15 chars when joining AD domain [#1001667] [0.14.5-1] - Update to upstream 0.14.5 point release - Fix regression conflicting --unattended and -U as in --user args [#996223] - Pass discovered server address to adcli tool [#996995] [0.14.4-1] - Update to upstream 0.14.4 point release - Fix up the [sssd] section in sssd.conf if it's screwed up [#987491] - Add an --unattended argument to realm command line client [#976593] - Clearer 'realm permit' manual page example [#985800] [0.14.3-1] - Update to upstream 0.14.3 point release - Populate LoginFormats correctly [#967011] - Documentation clarifications [#985773] [#967565] - Set sssd.conf default_shell per domain [#967569] - Notify in terminal output when installing packages [#984960] - If joined via adcli, delete computer with adcli too [#967008] - If input is not a tty, then read from stdin without getpass() - Configure pam_winbind.conf appropriately [#985819] - Refer to FreeIPA as IPA [#967019] - Support use of kerberos ccache to join when winbind [#985817] [0.14.2-3] - Run test suite when building the package - Fix rpmlint errors [0.14.2-2] - Install oddjobd and oddjob-mkhomedir when joining domains [#969441] [0.14.2-1] - Update to upstream 0.14.2 version - Discover FreeIPA 3.0 with AD trust correctly [#966148] - Only allow joining one realm by default [#966650] - Enable the oddjobd service after joining a domain [#964971] - Remove sssd.conf allow lists when permitting all [#965760] - Add dependency on authconfig [#964675] - Remove glib-networking dependency now that we no longer use SSL. [0.14.1-1] - Update to upstream 0.14.1 version - Fix crasher/regression using passwords with joins [#961435] - Make second Ctrl-C just quit realm tool [#961325] - Fix critical warning when leaving IPA realm [#961320] - Don't print out journalctl command in obvious situations [#961230] - Document the --all option to 'realm discover' [#961279] - No need to require sssd-tools package [#961254] - Enable services even in install mode [#960887] - Use the AD domain name in sssd.conf directly [#960270] - Fix critical warning when service Release() method [#961385] [0.14.0-1] - Work around broken krb5 with empty passwords [#960001] - Add manual page for realmd.conf [#959357] - Update to upstream 0.14.0 version [0.13.91-1] - Fix regression when using one time password [#958667] - Support for permitting logins by group [#887675] [0.13.90-1] - Add option to disable package-kit installs [#953852] - Add option to use unqualified names [#953825] - Better discovery of domains [#953153] - Concept of managing parts of the system [#914892] - Fix problems with cache directory [#913457] - Clearly explain when realm cannot be joined [#878018] - Many other upstream enhancements and fixes [0.13.3-2] - Add missing glib-networking dependency, currently used for FreeIPA discovery [#953151] [0.13.3-1] - Update for upstream 0.13.3 version - Add dependency on systemd for installing service file [0.13.2-2] - Fix problem with sssd not starting after joining [0.13.2-1] - Update to upstream 0.13.2 version [0.13.1-1] - Update to upstream 0.13.1 version for bug fixes [0.12-2] - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild [0.12-1] - Update to upstream 0.12 version for bug fixes [0.11-1] - Update to upstream 0.11 version [0.10-1] - Update to upstream 0.10 version [0.9-1] - Update to upstream 0.9 version [0.8-2] - Add openldap-devel build requirement [0.8-1] - Update to upstream 0.8 version - Add support for translations [0.7-2] - Build requires gtk-doc [0.7-1] - Update to upstream 0.7 version - Remove files no longer present in upstream version - Put documentation in its own realmd-devel-docs subpackage - Update upstream URLs [0.6-1] - Update to upstream 0.6 version [0.5-2] - Remove missing SssdIpa.service file from the files list. This file will return upstream in 0.6 [0.5-1] - Update to upstream 0.5 version [0.4-1] - Update to upstream 0.4 version - Cleanup various rpmlint warnings [0.3-2] - Add doc files - Own directories - Remove obsolete parts of spec file - Remove explicit dependencies - Updated License line to LGPLv2+ [0.3] - Build fixes [0.2] - Initial RPM MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2704 Oracle Linux 7 [2.17-105.0.1] - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. [2.17-105] - Fix up test case for initial-exec fix (#1248208). [2.17-104] - Mark all TLS variables in libc.so as initial-exec (#1248208). [2.17-103] - Apply correct fix for #1195672. [2.17-102] - Remove workaround for kernel netlink bug (#1089836). - Use only 32-bit instructions in optimized 32-bit POWER functions (#1240796). [2.17-101] - Correct the AArch64 ABI baseline for libpthread (#1234622). [2.17-100] - Prevent tst-rec-dlopen from intermittently failing in parallel builds due to a missing makefile dependency (#1225959). [2.17-99] - Increase AArch64 TLS descriptor performance (#1202952). [2.17-98] - Move arch-specific header files from glibc-headers to glibc-devel (#1230328). [2.17-97] - Rebase high-precision timing support for microbenchmark (#1214326). [2.17-96] - Rebase microbenchmarks from upstream for performance testing (#1214326) - Fix running microbenchmark script bench.pl from source (#1084395) [2.17-95] - Enable systemtap support for all architectures (#1225490). [2.17-94] - Fix ruserok API scalability issues (#1216246). [2.17-93] - Backport fixes and enhancements for ppc64 and ppc64le (#1162895). - Correct DT_PPC64_NUM in elf/elf.h. - Correct IBM long double frexpl. - Correct IBM long double nextafterl. [2.17-92] - Backport fixes for various security flaws (#1209107): - Prevent heap buffer overflow in swscanf (CVE-2015-1472, CVE-2015-1473, - Prevent integer overflow in _IO_wstr_overflow (#1195762). - Prevent potential denial of service in internal_fnmatch (#1197730). - Prevent buffer overflow in gethostbyname_r and related functions with misaligned buffer (CVE-2015-1781, #1199525). [2.17-91] - Allow more shared libraries with static TLS to be loaded (#1227699). [2.17-90] - Work around kernel netlink bug on some specialized hardware setup (#1089836). - Fix invalid file descriptor reuse when sending DNS query (CVE-2013-7423, #1194143). - Sync netinet/tcp.h with the kernel (#1219891). [2.17-89] - Avoid deadlock in malloc on backtrace (#1207032). - Actually test iconv modules (#1176906). - Use calloc to allocate xports (#1159169). - Return EAI_AGAIN for AF_UNSPEC when herrno is TRY_AGAIN (#1098042). [2.17-88] - Add librtkaio.abilist generated by make update-abi (#1173238). [2.18-87] - Enhance nscd inotify support (#1193797). [2.17-86] - Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (#1173537). [2.17-85] - Skip logging for DNSSEC responses (#1186620). - Also apply the RHEL6.7 Makerules patch (#1189278). [2.17-84] - Initialize nscd stats data (#1183456). [2.17-83] - Resize DTV if the current DTV isn't big enough (#1189278). [2.17-82] - Backport an alternate implementation of strstr and strcasestr for x86 that doesn't use the stack for temporaries requiring 16-byte alignment (#1150282). [2.17-81] - Fix recursive dlopen() (#1165212). - Correctly size profiling reloc table (#1144133). [2.17-80] - Work around a suspected gcc 4.8 bug (#1064066). [2.17-79] - Restructure spec file to unconditionally apply ppc64le support (#1182355). - Fix test failure in test-ildoubl on ppc64 (#1186491). MODERATE Copyright 2015 Oracle, Inc. CVE-2013-7423 CVE-2015-1781 CVE-2015-1472 CVE-2015-1473 Oracle Linux 7 [4.2.6p5-22] - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300) [4.2.6p5-20] - validate lengths of values in extension fields (CVE-2014-9297) - drop packets with spoofed source address ::1 (CVE-2014-9298) - reject packets without MAC when authentication is enabled (CVE-2015-1798) - protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799) - fix generation of MD5 keys with ntp-keygen on big-endian systems (CVE-2015-3405) - add option to set Differentiated Services Code Point (DSCP) (#1202828) - add nanosecond support to SHM refclock (#1117702) - allow creating all SHM segments with owner-only access (#1122012) - allow different thresholds for forward and backward step (#1193154) - allow symmetric keys up to 32 bytes again (#1191111) - don't step clock for leap second with -x option (#1191122) - don't drop packets with source port below 123 (#1171640) - retry joining multicast groups (#1207014) - increase memlock limit again (#1053569) - warn when monitor can't be disabled due to limited restrict (#1191108) - use larger RSA exponent in ntp-keygen (#1191116) - fix crash in ntpq mreadvar command (#1180721) - move sntp kod database to allow SELinux labeling (#1082934) - fix typos in ntpd man page (#1195211) - improve documentation of restrict command (#1213953) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9750 CVE-2014-9751 CVE-2014-9297 CVE-2014-9298 CVE-2015-1798 CVE-2015-1799 CVE-2015-3405 Oracle Linux 7 [1.3.1-3] - Do not mention that display number is required in the file name Resolves: bz#1195266 [1.3.1-2] - Resolves: bz#1248422 CVE-2014-8240 CVE-2014-8241 tigervnc: various flaws [1.3.1-1] - Drop unecessary patches - Re-base to 1.3.1 (bug #1199453) - Re-build against re-based xserver (bug #1194898) - Check the return value from XShmAttach (bug #1072733) - Add missing part of xserver114.patch (bug #1140603) - Keep pointer in sync (bug #1100661) - Make input device class global (bug #1119640) - Add IPv6 support (bug #1162722) - Set initial mode as prefered (bug #1181287) - Do not mention that display number is required in the file name (bug #1195266) - Enable Xinerama extension (bug #1199437) - Specify full path for runuser command (bug #1208817) [1.2.80-0.31.20130314svn5065] - Rebuilt against xorg-x11-server to pick up ppc64le fix (bug #1140424). MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8240 CVE-2014-8241 Oracle Linux 7 [0.7.92-3] - Fix tests/proxy-continuous Resolves: #1250935 [0.7.92-2] - Fix memory error due to implicit declaration of rest_proxy_call_get_url Resolves: #1183982 LOW Copyright 2015 Oracle, Inc. CVE-2015-2675 Oracle Linux 7 [2.1.1-1] - update to 2.1.1 (#1117882) - add -n option to gzip command to not save timestamp [2.1-1] - update to 2.1 (#1117882 #1169353 #1206504 #1209568 CVE-2015-1821 CVE-2015-1822 CVE-2015-1853) - extend chrony-helper to allow using servers from DNS SRV records (#1211600) - add servers from DHCP with iburst option by default (#1219492) - execute test suite [1.29.1-1] - update to 1.29.1 (#1053022, CVE-2014-0021) - fix selecting of sources with prefer option (#1061048) - fix potential bug in writing of drift files (#1061106) - replace hardening build flags with _hardened_build (#1061036) [1.29-4] - Mass rebuild 2014-01-24 [1.29-3] - Mass rebuild 2013-12-27 [1.29-2] - add ordering dependency to not start chronyd before ntpd stopped (#1011968) [1.29-1] - update to 1.29 (#995373, CVE-2012-4502, CVE-2012-4503) [1.28-1] - update to 1.28 - change default makestep limit to 10 seconds [1.28-0.2.pre1] - buildrequire systemd-units [1.28-0.1.pre1] - update to 1.28-pre1 - listen for commands only on localhost by default [1.27-3] - disable chrony-wait service by default (#961047) - drop old systemd scriptlets - don't own ntp-units.d directory - move files from /lib - remove unncessary dependency on syslog target [1.27-2] - suppress error messages from tr when generating key (#907914) - fix delta calculation with extreme frequency offsets [1.27-1] - update to 1.27 - start chrony-wait service with chronyd - start chronyd service after sntp - remove obsolete macros [1.27-0.5.pre1.git1ca844] - update to git snapshot 1ca844 - update systemd integration (#846303) - use systemd macros if available (#850151) - use correct vendor pool.ntp.org zone on RHEL (#845981) - don't log output of chrony-wait service [1.27-0.4.pre1] - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild [1.27-0.3.pre1] - update service file for systemd-timedated-ntp target (#816493) [1.27-0.2.pre1] use systemctl is-active instead of status in chrony-helper (#794771) [1.27-0.1.pre1] - update to 1.27-pre1 - generate SHA1 command key instead of MD5 [1.26-6.20110831gitb088b7] - remove old servers on DHCP update (#787042) [1.26-5.20110831gitb088b7] - improve chrony-helper to keep track of servers added from DHCP (#787042) - fix dhclient script to always return with zero exit code (#767859) [1.26-4.20110831gitb088b7] - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild [1.26-3.20110831gitb088b7] - update to git snapshot 20110831gitb088b7 - on first start generate password with 16 chars - change systemd service type to forking - add forced-command to chrony-helper (#735821) [1.26-2] - fix iburst with very high jitters and long delays - use timepps header from pps-tools-devel [1.26-1] - update to 1.26 - read options from sysconfig file if it exists [1.26-0.1.pre1] - update to 1.26-pre1 - fix service name in %triggerun - drop SysV init script - add chrony-wait service [1.25-2] - fix systemd scriptlets for the upgrade case [1.25-1] - update to 1.25 [1.25-0.3.pre2] - update to 1.25-pre2 - link with -Wl,-z,relro,-z,now options [1.25-0.2.pre1] - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild [1.25-0.1.pre1] - update to 1.25-pre1 - use iburst, four pool servers, rtcsync, stratumweight in default config - add systemd support - drop sysconfig file - suppress install-info errors [1.24-4.20100428git73d775] - update to 20100428git73d775 - replace initstepslew directive with makestep in default config - add NetworkManager dispatcher script - add dhclient script - retry server/peer name resolution at least once to workaround NetworkManager race condition on boot - don't verify chrony.keys [1.24-3.20100302git5fb555] - update to snapshot 20100302git5fb555 - compile with PPS API support [1.24-1] - update to 1.24 (#555367, CVE-2010-0292 CVE-2010-0293 CVE-2010-0294) - modify default config - step clock on start if it is off by more than 100 seconds - disable client log - build with -fPIE on sparc [1.24-0.1.pre1] - update to 1.24-pre1 [1.23-7.20081106gitbe42b4] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild [1.23-6.20081106gitbe42b4] - switch to editline - support arbitrary chronyc commands in init script [1.23-5.20081106gitbe42b4] - add patch with support for s390/s390x [1.23-4.20081106gitbe42b4] - fix building with broken libcap header (#483548) [1.23-3.20081106gitbe42b4] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild [1.23-2.20081106gitbe42b4] - fix info uninstall - generate random command key in init script - support cyclelogs, online, offline commands in init script - add logrotate script [1.23-1.20081106gitbe42b4] - initial release MODERATE Copyright 2015 Oracle, Inc. CVE-2015-1821 CVE-2015-1822 CVE-2015-1853 Oracle Linux 7 [0.2.8-1] - Rebase to netcf-0.2.8 - resolve rhbz#1165965 - CVE-2014-8119 - resolve rhbz#1159000 - support multiple IPv4 addresses in interface config (redhat driver) - resolve rhbz#1113983 - allow static IPv4 config simultaneous with DHCPv4 (redhat driver) - resolve rhbz#1170941 - remove extra quotes from IPV6ADDR_SECONDARIES (redhat+suse drivers) - resolve rhbz#1090011 - limit names of new interfaces to IFNAMSIZ characters - resolve rhbz#761246 - properly parse ifcfg files with comments past column 1 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8119 Oracle Linux 7 ModemManager [1.1.0-8.git20130913] - rfcomm: don't open the ttys until NetworkManager connects them (rh #1251954) [1.1.0-7.git20130913] - iface-modem: fix MODEM_STATE_IS_INTERMEDIATE macro (rh #1200958) NetworkManager [1.0.6-27.0.1] - fix build error on i386 [1:1.0.6-27] * build: update vala-tools build requirement (rh #1274000) [1:1.0.6-26] - wifi: emit NEW_BSS on ScanDone to update APs in Wi-Fi device (rh #1267327) [1:1.0.6-25] - vpn: cancel the secrets request on agent timeout (rh #1272023) - vpn: cancel the connect timer when vpn reconnects (rh #1272023) [1:1.0.6-24] - device: fix problem in not managing software devices (rh #1273879) [1:1.0.6-23] - wake-on-lan: ignore by default existing settings (rh #1270194) [1:1.0.6-22] - platform: fix detection of s390 CTC device (rh #1272974) - core: fix queuing activation while waiting for carrier (rh #1079353) [1:1.0.6-21] - core: fix invalid assertion in nm_clear_g_signal_handler() (rh #1183444) [1:1.0.6-20] - rebuild package [1:1.0.6-19] - device: fix race wrongly managing external-down device (2) (rh #1269199) [1:1.0.6-18] - device/vlan: update VLAN MAC address when parent's one changes [1:1.0.6-17] - dhcp6: destroy the lease when destroying a client (rh #1260727) - device: fix race wrongly managing external-down device (rh #1269199) [1:1.0.6-16] - device: silence spurious errors about activation schedule (rh #1269520) [1:1.0.6-15] - core: really fix enslaving team device to bridge (rh #1183444) [1:1.0.6-14] - platform: updating link cache when moving link to other netns (rh #1264361) - nmtui: fix possible crash during secret request (rh #1267672) - vpn: increase the plugin inactivity quit timer (rh #1268030) - core: fix enslaving team device to bridge (rh #1183444) [1:1.0.6-13] - vpn-connection: set the MTU for the VPN IP interface (rh #1267004) - modem-broadband: update modem's supported-ip-families (rh #1263959) - wifi: fix a crash in on_bss_proxy_acquired() (rh #1267462) [1:1.0.6-12] - core: increase IPv6LL DAD timeout to 15 seconds (rh #1101809) [1:1.0.6-11] - platform: better handle devices without permanent address (rh #1264024) [1:1.0.6-10] - dhcp: fix crash in internal DHCP client (rh #1260727) [1:1.0.6-9] - build: fix installing language files (rh #1265117) [1:1.0.6-8] - nmcli: allow creating ADSL connections with 'nmcli connection add' (rh #1264089) [1:1.0.6-7] - ifcfg-rh: ignore GATEWAY from network file for DHCP connections (rh #1262972) [1:1.0.6-6] - device: retry DHCP after timeout/expiration for assumed connections (rh #1246496) - device: retry creation of default connection after link is initialized (rh #1254089) [1:1.0.6-5] - config: add code comments to NetworkManager.conf file - iface-helper: enabled slaac/dhcp4 based on connection setting only (rh #1260243) - utils: avoid generation of duplicated assumed connection for veth devices (rh #1256430) - nmcli: improve handling of wake-on-lan property (rh #1260584) [1:1.0.6-4] - config: fix config-changed signal for s390x and ppc64 archs (rh #1062301) - device: fix handling ignore-auto-dns for IPv6 nameservers (rh #1261428) [1:1.0.6-3] - vpn: fix the tunelled VPN setup (rh #1238840) [1:1.0.6-2] - nmcli: fix argument parsing for config subcommand [1:1.0.6-1] - Align with the upstream 1.0.6 release: - device: add support for configuring Wake-On-Lan (rh #1141417) - device: don't disconnect after DHCP failure when there's static addresses (rh #1168388) - device: provide information about metered connections (rh #1200452) - device: fix an assert fail when cleaning up a slave connection (rh #1243371) - team: add support for setting MTU (rh #1255927) - config: avoid premature exit with configure-and-quit option (rh #1256772) [1:1.0.4-10] - supplicant: fix passing freq_list option to wpa_supplicant (rh #1254461) [1:1.0.4-9] - udev: fix call to ethtool in udev rules (rh #1247156) [1:1.0.4-8] - device: accept multiple addresses in a DHCPv6 lease (rh #1244293) [1:1.0.4-7] - device: fix a crash when unconfiguring a device (rh #1253744) [1:1.0.4-6] - ifcfg-rh: respect DEVTIMEOUT if link is not announced by udev yet (rh #1192633) [1:1.0.4-5] - core: avoid ethtool to autoload kernel module (rh #1247156) [1:1.0.4-4] - device: fix setting of a MTU (rh #1250019) [1:1.0.4-3] - daemon,libnm: fix handling of default routes for assumed connections (rh #1245648) [1:1.0.4-2] - cli: fix verifying flag-based properties (rh #1244048) [1:1.0.4-1] - Align with the upstream 1.0.4 release - Fix the libreswan plugin (rh #1238840) [1:1.0.4-0.2.git20150713.38bf2cb0] - vpn: send firewall zone to firewalld also for VPN connections (rh #1238124) [1:1.0.4-0.1.git20150713.38bf2cb0] - Update to a bit newer 1.0.4 git snapshot, to fix test failures - device: restart ping process when it exits with an error (rh #1128581) [1:1.0.3-2.git20150624.f245b49a] - config: allow rewriting resolv.conf on SIGUSR1 (rh #1062301) [1:1.0.3-1.git20150624.f245b49a] - Update to a bit newer 1.0.4 git snapshot, to fix test failures [1:1.0.3-1.git20150622.9c83d18d] - Update to a 1.0.4 git snapshot: - bond: add support for setting a MTU (rh #1177860) - core: delay initialization of the connection for devices without carrier at startup (rh #1079353) - route-manager: ensure the routes are set up properly with multiple interface in the same subnet (rh #1164441) - config: add support for reloading configuration (rh #1062301) - device: disallow ipv6.method=shared connections early during activation (rh #1183015) - device: don't save the newly added connection for a device until activation succeeds (rh #1174164) - rdisc: prevent solicitation loop for expiring DNS information (rh #1207730) - wifi: Indicate support of wireless radio bands (rh #1200451) - nmcli: Fix client hang upon multiple deletion attempts of the same connection (rh #1168657) - nmcli: Fix documentation for specifying a certificate path (rh #1182575) - device: add support for auto-connecting slave connection when activating a master (rh #1158529) - nmtui: Fix a crash when attempting an activation with no connection present (rh #1197203) - nmcli: Add auto-completion and hints for valid values in enumeration properties (rh #1034126) - core: load the the libnl library from the correct location (rh #1211859) - config: avoid duplicate connection UUIDs (rh #1171751) - device: enable IPv6 privacy extensions by default (rh #1187525) - device: fix handling if DHCP hostname for configure-and-quit (rh #1201497) - manager: reuse the device connection is active on when reactivating it (rh #1182085) - device: reject incorrect MTU settings from an IPv6 RA (rh #1194007) - default-route: allow preventing the connection to override externally configured default route (rh #1205405) - manager: reduce logging for interface activation (rh #1212196) - device: don't assume a connection for interfaces that only have an IPv6 link-local address (rh #1138426) - device: reject hop limits that are too low (CVE-2015-2924) (rh #1217090) [1:1.0.0-17.git20150121.b4ea599c] - dhclient: use fqdn.fqdn for server DDNS updates (rh #1212597) NetworkManager-libreswan [1.0.6-3] - Fix the pty hangup patch (rh #1271973) [1.0.6-2] - Fix recovery after failures (rh #1271973) [1.0.6-1] - Update to a newer upstream release (rh #1243057) network-manager-applet [1.0.6-2] - libnm-gtk: fix a possible crash on widgets destroy (rh #1267326) - libnm-gtk: use symbolic icons for password store menu (rh #1267330) [1.0.6-1] - Align with the 1.0.6 upstream release: - editor: add support for setting MTU on team connections (rh #1255927) - editor: offer bond connections in vlan slave picker (rh #1255735) [1.0.4-1] - Align with the upstream release [1.0.3-2.git20150617.a0b0166] - New snapshot: - editor: let users edit connection.interface-name property (rh #1139536) [1.0.3-1.git20160615.28a0e28] - New snapshot: - applet: make new auto connections only available for current user (rh #1176042) - editor: allow forcing always-on-top windows for installer (rh #1097883) - editor: allow changing bond MTU (rh #1177582) - editor: use ifname instead of UUID in slaves' master property (rh #1083186) - editor: allow adding Bluetooth connections (rh #1229471) [1.0.0-3.git20150122.76569a46] - Drop gnome-bluetooth BR because it does not work with newer versions (rh #1174547) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0272 CVE-2015-2924 Oracle Linux 7 [1:5.7.2-24] - Fixed lmSensorsTable not reporting sensors with duplicate names (#1252053) - Fixed close() overhead of extend commands (#1252048) - Fixed out-of-bounds write in python code (#1252034) [1:5.7.2-23] - Fixed parsing of invalid variables in incoming packets (#1248414) - Fixed HOST-RESOURCES-MIB::hrFSAccess flag when read-only filesystem becomes writable (#1241897) [1:5.7.2-22] - Fixed IP-MIB::ipSystemStatsInOctets and similar counters for IPv4 (#1235697) [1:5.7.2-21] - Fixed crash on reloading 'exec' configuration options (#1228893) - Fixed CVE-2014-3565, snmptrapd died when parsing certain traps (#1209361) - Fixed storageUseNFS functionality in hrStorageTable (#1193006) - Fixed forwarding of traps with RequestID=0 in snmptrapd (#1192511) - Fixed hrStorageTable to contain 31 bits integers (#1192221) - Fixed 'clientaddr' option for UDPv6 client messages (#1190679) - Fixed log level of SMUX messages (#1189393) - Fixed UDP-MIB::udpTable index on big-endian platforms (#1184433) - Fixed client utilities reporting 'read_config_store open failure on /var/lib/net-snmp/snmpapp.conf' (#1151310) - Fixed snmpd crash when failed to parse SMUX message headers (#1140236) - Added 'diskio' option to snmpd.conf, it's possible to monitor only selected devices in diskIOTable (#1092308) MODERATE Copyright 2015 Oracle, Inc. CVE-2014-3565 Oracle Linux 7 [1.13.0-40] - Resolves: rhbz#1270827 - local overrides: don't contact server with overridden name/id [1.13.0-39] - Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step [1.13.0-38] - Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth. [1.13.0-37] - Resolves: rhbz#1267836 - PAM responder crashed if user was not set [1.13.0-36] - Resolves: rhbz#1266107 - AD: Conditional jump or move depends on uninitialised value [1.13.0-35] - Resolves: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code [1.13.0-34] - Fix a Coverity warning in dyndns code - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands [1.13.0-33] - Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead of processing other commands [1.13.0-32] - Resolves: rhbz#1263735 - Could not resolve AD user from root domain [1.13.0-31] - Remove -d from sss_override manpage - Related: rhbz#1259512 - sss_override : The local override user is not found [1.13.0-30] - Patches required for better handling of failover with one-way trusts - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code [1.13.0-29] - Resolves: rhbz#1263587 - sss_override --name doesn't work with RFC2307 and ghost users [1.13.0-28] - Resolves: rhbz#1259512 - sss_override : The local override user is not found [1.13.0-27] - Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code [1.13.0-26] - Resolves: rhbz#1256398 - sssd cannot resolve user names containing backslash with ldap provider [1.13.0-25] - Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug but is not listed in the man page or in the arguments help [1.13.0-24] - Resolves: rhbz#1254518 - Fix crash in nss responder [1.13.0-23] - Support import/export for local overrides - Support FQDNs for local overrides - Resolves: rhbz#1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True' [1.13.0-22] - Resolves: rhbz#1244950 - Add index for 'objectSIDString' and maybe to other cache attributes [1.13.0-21] - Resolves: rhbz#1250415 - sssd: p11_child hardening [1.13.0-20] - Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain code [1.13.0-19] - Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC identity certificates [1.13.0-18] - Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected [1.13.0-17] - Fix wildcard_limit=0 - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface [1.13.0-16] - Fix race condition in invalidating the memory cache - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups [1.13.0-15] - Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled [1.13.0-14] - Bump release number - Related: rhbz#1246489 - sss_obfuscate fails with 'ImportError: No module named pysss' [1.13.0-13] - Fix missing dependency of sssd-tools - Resolves: rhbz#1246489 - sss_obfuscate fails with 'ImportError: No module named pysss' [1.13.0-12] - More memory cache related fixes - Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups [1.13.0-11] - Remove binary blob from SC patches as patch(1) can't handle those - Related: rhbz#854396 - [RFE] Support for smart cards [1.13.0-10] - Resolves: rhbz#1244949 - getgrgid for user's UID on a trust client prevents getpw* [1.13.0-9] - Fix memory cache integration tests - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups - Resolves: rhbz#854396 - [RFE] Support for smart cards [1.13.0-8] - Remove OTP from PAM stack correctly - Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Handle sssd-owned keytabs when sssd runs as root - Related: rhbz#1205144 - RFE: Support one-way trusts for IPA [1.13.0-7] - Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients [1.13.0-6] - Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support - Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant v6 in ipa domain [1.13.0-5] - Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes [1.13.0-4] - Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2 [1.13.0-3] - Add support for InfoPipe wildcard requests - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface [1.13.0-2] - Also package the initgr memcache - Related: rhbz#1205554 - Rebase SSSD to 1.13.x [1.13.0-1] - Rebase to 1.13.0 upstream - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD - Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups [1.13.0.3alpha] - Don't default to SSSD user - Related: rhbz#1205554 - Rebase SSSD to 1.13.x [1.13.0.2alpha] - Related: rhbz#1205554 - Rebase SSSD to 1.13.x - GPO default should be permissve [1.13.0.1alpha] - Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x - Relax the libldb requirement - Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in libtevent.so.0.9.21 - Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to binary SIDs - Resolves: rhbz#1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust - Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers - Resolves: rhbz#1217350 - ignore_group_members doesn't work for subdomains - Resolves: rhbz#1217127 - Override for IPA users with login does not list user all groups - Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix and use_fully_qualified_names set - Resolves: rhbz#1214719 - Group resolution is inconsistent with group overrides - Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers group membership resolution - Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name does not work - Resolves: rhbz#1214337 - Overrides with --login work in second attempt - Resolves: rhbz#1212489 - Disable the cleanup task by default - Resolves: rhbz#1211830 - external users do not resolve with 'default_domain_suffix' set in IPA server sssd.conf - Resolves: rhbz#1210854 - Only set the selinux context if the context differs from the local one - Resolves: rhbz#1209483 - When using id_provider=proxy with auth_provider=ldap, it does not work as expected - Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management Editor naming for some policies but not for all - Resolves: rhbz#1208507 - sysdb sudo search doesn't escape special characters - Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface - Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if the IPA domain differs from machine hostname's domain - Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix when checking for host keys - Resolves: rhbz#1204203 - sssd crashes intermittently - Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because sss is written in nsswitch.conf as default - Resolves: rhbz#1203642 - GPO access control looks for computer object in user's domain only - Resolves: rhbz#1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries - Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by UPN and doesn't find anything - Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA - Resolves: rhbz#1199541 - Read and use the TTL value when resolving a SRV query - Resolves: rhbz#1199533 - [RFE] Implement background refresh for users, groups or other cache objects - Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute for group name? - Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error - Resolves: rhbz#1187103 - [RFE] User's home directories are not taken from AD when there is an IPA trust with AD - Resolves: rhbz#1185536 - In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA user are not able to log unless use_fully_qualified_names is set - Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when account naturally expires - Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option: kerberos discovery is not using this option - Resolves: rhbz#1205160 - Complain loudly if backend doesn't start due to missing or invalid keytab [1.12.2-61] - Resolves: rhbz#1226119 - Properly handle AD's binary objectGUID [1.12.2-60] - Filter out domain-local groups during AD initgroups operation - Related: rhbz#1201840 - SSSD downloads too much information when fetching information about groups [1.12.2-59] - Resolves: rhbz#1201840 - SSSD downloads too much information when fetching information about groups LOW Copyright 2015 Oracle, Inc. CVE-2015-5292 Oracle Linux 7 [1.0.35-21] - Fix heap-based buffer overflow in texttopdf filter (bug #1241242, CVE-2015-3258, CVE-2015-3279). [1.0.35-20] - Improvements to cups-browsed efficiency patch (bug #1191691). [1.0.35-18] - Fix segfault in texttopdf filter (bug #1194263). - Improve cups-browsed efficiency (bug #1191691). - Fetch printer descriptions with cups-browsed (bug #1223719). - Fix cups-browsed '_' handling for printer names (bug #1167408). [1.0.35-17] - Build against newer poppler (bug #1217552). [1.0.35-16] - Applied upstream patch to fix BrowseAllow parsing issue (CVE-2014-4338, bug #1091568). - Applied upstream patch for cups-browsed DoS via process_browse_data() out-of-bounds read (CVE-2014-4337, bug #1111510). MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3258 CVE-2015-3279 Oracle Linux 7 [3.4.0-2] - fix /var/lib/openhpi permissions - Resolves: rhbz#1063367 [3.4.0-1] - update to 3.4.0 (#1127908) - Resolves: rhbz#1127908,rhbz#948461,rhbz#1208127,rhbz#1201827 LOW Copyright 2015 Oracle, Inc. CVE-2015-3248 Oracle Linux 7 [7:3.3.8-26] - Related: #1186768 - removing patch, because of missing tests and incorrent patch [7:3.3.8-25] - Related: #1102842 - squid rpm package misses /var/run/squid needed for smp mode. Squid needs write access to /var/run/squid. [7:3.3.8-24] - Related: #1102842 - squid rpm package misses /var/run/squid needed for smp mode. Creation of /var/run/squid was also needed to be in SPEC file. [7:3.3.8-23] - Related: #1102842 - squid rpm package misses /var/run/squid needed for smp mode. Creation of this directory was moved to tmpfiles.d conf file. [7:3.3.8-22] - Related: #1102842 - squid rpm package misses /var/run/squid needed for smp mode. Creation of this directory was moved to service file. [7:3.3.8-21] - Resolves: #1263338 - squid with digest auth on big endian systems start looping [7:3.3.8-20] - Resolves: #1186768 - security issue: Nonce replay vulnerability in Digest authentication [7:3.3.8-19] - Resolves: #1225640 - squid crashes by segfault when it reboots [7:3.3.8-18] - Resolves: #1102842 - squid rpm package misses /var/run/squid needed for smp mode [7:3.3.8-17] - Resolves: #1233265 - CVE-2015-3455 squid: incorrect X509 server certificate validation [7:3.3.8-16] - Resolves: #1080042 - Supply a firewalld service file with squid [7:3.3.8-15] - Resolves: #1161600 - Squid does not serve cached responses with Vary headers [7:3.3.8-14] - Resolves: #1198778 - Filedescriptor leaks on snmp [7:3.3.8-13] - Resolves: #1204375 - squid sends incorrect ssl chain breaking newer gnutls using applications MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3455 Oracle Linux 7 [1.10.14-7.0.1] - Add oracle-ocfs2-network.patch to allow disassembly of OCFS2 interconnect [1.10.14-7] - Rebase some tvbuff API from upstream to 1.10.14 - Fixes crash when tvb_length_remaining() is used - Related: CVE-2015-6244 [1.10.14-6] - Security patch - Resolves: CVE-2015-3182 [1.10.14-5] - Fix crash caused by -DGDK_PIXBUF_DEPRECATED on startup - Resolves: rhbz#1267959 [1.10.14-4] - Security patches - Resolves: CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6248 [1.10.14-3] - Security patches - Resolves: CVE-2015-3810 CVE-2015-3813 [1.10.14-2] - Add certificate verify message decoding in TLS extension - Resolves: #1239150 [1.10.14-1] - Upgrade to 1.10.14 - Resolves: #1238676 [1.10.3-20] - add master secret extension decoding in TLS extension - add encrypt-then-mac extension decoding in TLS extension - Resolves: #1222901 [1.10.3-19] - create pcap file if -F pcap specified - Resolves: #1227199 [1.10.3-18] - add key exchange algorithms decoding in TLS extension - Resolves: #1222600 [1.10.3-17] - add signature algorithms decoding in TLS extension - Resolves: #1221701 [1.10.3-16] - add relro check - Resolves: #1092532 [1.10.3-15] - add elliptic curves decoding in DTLS HELLO - Resolves: #1131202 [1.10.3-14] - introduced nanosecond time precision - Resolves: #1213339 [1.10.3-13] - security patches - Resolves: #1148267 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0563 CVE-2015-2188 CVE-2015-3182 CVE-2015-3810 CVE-2015-3811 CVE-2015-3812 CVE-2015-3813 CVE-2015-6243 CVE-2015-6244 CVE-2015-6245 CVE-2015-6246 CVE-2015-6248 CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 CVE-2015-0562 CVE-2015-0564 CVE-2015-2189 CVE-2015-2191 Oracle Linux 7 [2.02-0.29.0.1] - Fix comparison in patch for 18504756 - Remove symlink to grub environment file during uninstall on EFI platforms [bug 19231481] - update Oracle Linux certificates (Alexey Petrenko) - Put 'with' in menuentry instead of 'using' [bug 18504756] - Use different titles for UEK and RHCK kernels [bug 18504756] [2.02-0.29] - Fix DHCP6 timeouts due to failed network stack once more. Resolves: rhbz#1267139 [2.02-0.28] - Once again, rebuild for the right build target. Resolves: CVE-2015-5281 [2.02-0.27] - Remove multiboot and multiboot2 modules from the .efi builds; they should never have been there. Resolves: CVE-2015-5281 [2.02-0.26] - Be more aggressive about trying to make sure we use the configured SNP device in UEFI. Resolves: rhbz#1257475 [2.02-0.25] - Force file sync to disk on ppc64le machines. Resolves: rhbz#1212114 [2.02-0.24] - Undo 0.23 and fix it a different way. Resolves: rhbz#1124074 [2.02-0.23] - Reverse kernel sort order so they're displayed correctly. Resolves: rhbz#1124074 [2.02-0.22] - Make upgrades work reasonably well with grub2-setpassword . Related: rhbz#985962 [2.02-0.21] - Add a simpler grub2 password config tool Related: rhbz#985962 - Some more coverity nits. [2.02-0.20] - Deal with some coverity nits. Related: rhbz#1215839 Related: rhbz#1124074 [2.02-0.19] - Rebuild for Aarch64 - Deal with some coverity nits. Related: rhbz#1215839 Related: rhbz#1124074 [2.02-0.18] - Update for an rpmdiff problem with one of the man pages. Related: rhbz#1124074 LOW Copyright 2015 Oracle, Inc. CVE-2015-5281 Oracle Linux 7 [5.0.7-54.0.1] - add autofs-5.0.5-lookup-mounts.patch [Orabug:12658280] (Bert Barbe) [1:5.0.7-54] - bz1263508 - Heavy program map usage can lead to a hang - fix out of order call in program map lookup. - Resolves: rhbz#1263508 [1:5.0.7-53] - bz1238573 - RFE: autofs MAP_HASH_TABLE_SIZE description - update map_hash_table_size description. - Resolves: rhbz#1238573 [1:5.0.7-52] - bz1233069 - Direct map does not expire if map is initially empty - update patch to fix expiry problem. - Related: rhbz#1233069 [1:5.0.7-51] - bz1233065 - 'service autofs reload' does not reloads new mounts only when 'sss' or 'ldap' is used in '/etc/nsswitch.conf' file - init qdn before use in get_query_dn(). - fix left mount count return from umount_multi_triggers(). - fix return handling in sss lookup module. - move query dn calculation from do_bind() to do_connect(). - make do_connect() return a status. - make connect_to_server() return a status. - make find_dc_server() return a status. - make find_server() return a status. - fix return handling of do_reconnect() in ldap module. - bz1233067 - autofs is performing excessive direct mount map re-reads - fix direct mount stale instance flag reset. - bz1233069 - Direct map does not expire if map is initially empty - fix direct map expire not set for initial empty map. - Resolves: rhbz#1233065 rhbz#1233067 rhbz#1233069 [1:5.0.7-50] - bz1218045 - Similar but unrelated NFS exports block proper mounting of 'parent' mount point - remove unused offset handling code. - fix mount as you go offset selection. - Resolves: rhbz#1218045 [1:5.0.7-49] - bz1166457 - Autofs unable to mount indirect after attempt to mount wildcard - make negative cache update consistent for all lookup modules. - ensure negative cache isn't updated on remount. - dont add wildcard to negative cache. - bz1162041 - priv escalation via interpreter load path for program based automount maps - add a prefix to program map stdvars. - add config option to force use of program map stdvars. - bz1161474 - automount segment fault in parse_sun.so for negative parser tests - fix incorrect check in parse_mount(). - bz1205600 - Autofs stopped mounting /net/hostname/mounts after seeing duplicate exports in the NFS server - handle duplicates in multi mounts. - bz1201582 - autofs: MAPFMT_DEFAULT is not macro in lookup_program.c - fix macro usage in lookup_program.c. - Resolves: rhbz#1166457 rhbz#1162041 rhbz#1161474 rhbz#1205600 rhbz#1201582 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8169 Oracle Linux 7 [1.4.20-26] - Added Conficts on redhat-release packages without unbound-anchor.timer in presets (Related #1215645) [1.4.20-25] - Resolve ordering loop with nss-lookup.target and ntpdate (#1259806) [1.4.20-24] - Fix CVE-2014-8602 (#1253961) [1.4.20-23] - Removed usage of DLV from the default configuration (#1223339) [1.4.20-22] - unbound.service now Wants unbound-anchor.timer (Related: #1180267) [1.4.20-21] - Fix dependencies and minor scriptlet issues due to systemd timer unit (Related: #1180267) [1.4.20-20] - Install tmpfiles configuration into /usr/lib/tmpfiles.d (#1180995) - Fix root key management to comply to RFC5011 (#1180267) LOW Copyright 2015 Oracle, Inc. CVE-2014-8602 Oracle Linux 6 [2.0.9-25.0.1] - Add Fix-for-bug-21110293.patch [bug 21110293] - Add oracle-enterprise.patch and oracle-enterprise-po.patch - Remove libreport-plugin-rhtsupport pkg [2.0.9-25] - save all files changed by the reporter in the reporting GUI - Fixes CVE-2015-5302 - Resolves: #1282143 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5302 Oracle Linux 7 abrt [2.1.11-35.0.1] - Drop libreport-rhel and libreport-plugin-rhtsupport requires [2.1.11-35] - make /var/spool/abrt owned by root - remove 'r' from /var/spool/abrt for other users - abrt-action-install-debug-info: use secure temporary directory - stop saving abrt's core files to /var/spool/abrt if DebugLevel < 1 - Fixes for: CVE-2015-5273 and CVE-2015-5287 - Resolves: #1266853 libreport [2.1.11-31.0.1] - Update workflow xml for Oracle [18945470] - Add oracle-enterprise.patch and oracle-enterprise-po.patch - Remove libreport-plugin-rhtsupport and libreport-rhel - Added orabug20390725.patch to remove redhat reference [bug 20390725] - Added Bug20357383.patch to remove redhat reference [bug 20357383] [2.1.11-31] - save all files changed by the reporter in the reporting GUI - Fixes CVE-2015-5302 - Related: #1266853 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5273 CVE-2015-5287 CVE-2015-5302 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.4.0-1.0.1.el6_7] - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js [38.4.0-1] - Update to 38.4.0 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-7199 CVE-2015-7200 CVE-2015-4513 CVE-2015-7189 CVE-2015-7193 CVE-2015-7197 CVE-2015-7198 Oracle Linux 6 [0:3.2.1-3.5] - Fix Java object de-serialization vulnerability - Resolves: CVE-2015-7501 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-7501 Oracle Linux 7 [3.2.1-22] - Fix Java object de-serialization vulnerability - Resolves: CVE-2015-7501 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-7501 Oracle Linux 6 [2.7.6-20.0.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2.7.6-20.1] - Fix a series of CVEs (rhbz#1286495) - CVE-2015-7941 Cleanup conditional section error handling - CVE-2015-8317 Fail parsing early on if encoding conversion failed - CVE-2015-7942 Another variation of overflow in Conditional sections - CVE-2015-7942 Fix an error in previous Conditional section patch - Fix parsing short unclosed comment uninitialized access - CVE-2015-7498 Avoid processing entities after encoding conversion failures - CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey - CVE-2015-5312 Another entity expansion issue - CVE-2015-7499 Add xmlHaltParser() to stop the parser - CVE-2015-7499 Detect incoherency on GROW - CVE-2015-7500 Fix memory access error due to incorrect entities boundaries - CVE-2015-8242 Buffer overead with HTML parser in push mode - Libxml violates the zlib interface and crashes MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 Oracle Linux 7 [2.9.1-6.0.1.el7_1.2] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2.9.1-6.2] - Fix a series of CVEs (rhbz#1286496) - CVE-2015-7941 Stop parsing on entities boundaries errors - CVE-2015-7941 Cleanup conditional section error handling - CVE-2015-8317 Fail parsing early on if encoding conversion failed - CVE-2015-7942 Another variation of overflow in Conditional sections - CVE-2015-7942 Fix an error in previous Conditional section patch - Fix parsing short unclosed comment uninitialized access - CVE-2015-7498 Avoid processing entities after encoding conversion failures - CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey - CVE-2015-5312 Another entity expansion issue - CVE-2015-7499 Add xmlHaltParser() to stop the parser - CVE-2015-7499 Detect incoherency on GROW - CVE-2015-7500 Fix memory access error due to incorrect entities boundaries - CVE-2015-8242 Buffer overead with HTML parser in push mode - CVE-2015-1819 Enforce the reader to run in constant memory [2.9.1-6] - Fix missing entities after CVE-2014-3660 fix - CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650) - Fix regressions introduced by CVE-2014-0191 patch [2.9.1-5.1] - CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087) MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5312 CVE-2015-7497 CVE-2015-7498 CVE-2015-7499 CVE-2015-7500 CVE-2015-7941 CVE-2015-7942 CVE-2015-8241 CVE-2015-8242 CVE-2015-8317 CVE-2015-1819 Oracle Linux 7 [3.10.0-327.3.1.OL7] - Oracle Linux certificates (Alexey Petrenko) [3.10.0-327.3.1] - rebuild [3.10.0-327.2.1] - [netdrv] macvtap: unbreak receiving of gro skb with frag list (Jason Wang) [1279794 1273737] - [net] ipv6: drop frames with attached skb->sk in forwarding (Hannes Frederic Sowa) [1281701 1243966] - [net] ipv6: ip6_forward: perform skb->pkt_type check at the beginning (Hannes Frederic Sowa) [1281701 1243966] - [net] sctp: Fix race between OOTB responce and route removal (Jamie Bainbridge) [1281426 1277309] - [x86] mm: fix VM_FAULT_RETRY handling (Andrea Arcangeli) [1281427 1277226] - [x86] mm: consolidate VM_FAULT_RETRY handling (Andrea Arcangeli) [1281427 1277226] - [x86] mm: move mmap_sem unlock from mm_fault_error() to caller (Andrea Arcangeli) [1281427 1277226] - [mm] let mm_find_pmd fix buggy race with THP fault (Larry Woodman) [1281424 1273993] - [mm] ksm: unstable_tree_search_insert error checking cleanup (Andrea Arcangeli) [1281422 1274871] - [mm] ksm: use find_mergeable_vma in try_to_merge_with_ksm_page (Andrea Arcangeli) [1281422 1274871] - [mm] ksm: use the helper method to do the hlist_empty check (Andrea Arcangeli) [1281422 1274871] - [mm] ksm: don't fail stable tree lookups if walking over stale stable_nodes (Andrea Arcangeli) [1281422 1274871] - [mm] ksm: add cond_resched() to the rmap_walks (Andrea Arcangeli) [1281422 1274871] - [powerpc] kvm: book3s_hv: Synthesize segment fault if SLB lookup fails (Thomas Huth) [1281423 1269467] - [powerpc] kvm: book3s_hv: Create debugfs file for each guest's HPT (David Gibson) [1281420 1273692] - [powerpc] kvm: book3s_hv: Add helpers for lock/unlock hpte (David Gibson) [1281420 1273692] - [powerpc] pci: initialize hybrid_dma_data before use (Laurent Vivier) [1279793 1270717] - [md] raid10: don't clear bitmap bit when bad-block-list write fails (Jes Sorensen) [1279796 1267652] - [md] raid1: don't clear bitmap bit when bad-block-list write fails (Jes Sorensen) [1279796 1267652] - [md] raid10: submit_bio_wait() returns 0 on success (Jes Sorensen) [1279796 1267652] - [md] raid1: submit_bio_wait() returns 0 on success (Jes Sorensen) [1279796 1267652] - [md] crash in md-raid1 and md-raid10 due to incorrect list manipulation (Jes Sorensen) [1279796 1267652] - [md] raid10: ensure device failure recorded before write request returns (Jes Sorensen) [1279796 1267652] - [md] raid1: ensure device failure recorded before write request returns (Jes Sorensen) [1279796 1267652] - [block] nvme: Fix memory leak on retried commands (David Milburn) [1279792 1271860] - [cpufreq] intel_pstate: fix rounding error in max_freq_pct (Prarit Bhargava) [1281491 1263866] - [cpufreq] intel_pstate: fix PCT_TO_HWP macro (Prarit Bhargava) [1273926 1264990] - [cpufreq] revert 'intel_pstate: add quirk to disable HWP on Skylake-S processors' (Prarit Bhargava) [1273926 1264990] - [cpufreq] revert 'intel_pstate: disable Skylake processors' (Prarit Bhargava) [1273926 1264990] - [x86] kvm: svm: unconditionally intercept #DB (Paolo Bonzini) [1279469 1279470] {CVE-2015-8104} - [x86] virt: guest to host DoS by triggering an infinite loop in microcode (Paolo Bonzini) [1277560 1277561] {CVE-2015-5307} [3.10.0-327.1.1] - [x86] kvm: mmu: fix validation of mmio page fault (Bandan Das) [1275150 1267128] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5307 CVE-2015-8104 Oracle Linux 7 [1.8.3.1-6] - fix arbitrary code execution via crafted URLs Resolves: #1274737 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-7545 Oracle Linux 6 [2:1.2.49-2] - Security fix for CVE-2015-7981 and CVE-2015-8126 - Resolves: #1283572 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-7981 CVE-2015-8126 CVE-2015-8472 Oracle Linux 7 [1.2.50-7] - Security fix for CVE-2015-7981 and CVE-2015-8126 - Resolves: #1283576 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-7981 CVE-2015-8126 CVE-2015-8472 Oracle Linux 7 [2:1.5.13-7] - Security fix for CVE-2015-8126 - Changing png_ptr to info_ptf based on upstream - Related: #1283576 [2:1.5.13-6] - Security fix for CVE-2015-8126 - Resolves: #1283576 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-8126 CVE-2015-8472 Oracle Linux 5 [0.9.8e-37.0.1] - To disable SSLv2 client connections create the file /etc/sysconfig/openssl-ssl-client-kill-sslv2 (John Haxby) [orabug 21673934] - Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893] - fix CVE-2014-3570 - Bignum squaring may produce incorrect results - fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] [0.9.8e-37] - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3195 Oracle Linux 6 Oracle Linux 7 [1.0.1e-51.1] - fix CVE-2015-3194 - certificate verify crash with missing PSS parameter - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak - fix CVE-2015-3196 - race condition when handling PSK identity hint [1.0.1e-51] - fix the CVE-2015-1791 fix (broken server side renegotiation) [1.0.1e-50] - improved fix for CVE-2015-1791 - add missing parts of CVE-2015-0209 fix for corectness although unexploitable [1.0.1e-49] - fix CVE-2014-8176 - invalid free in DTLS buffering code - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent - fix CVE-2015-1791 - race condition handling NewSessionTicket - fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function [1.0.1e-48] - fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on read in multithreaded applications [1.0.1e-47] - fix CVE-2015-4000 - prevent the logjam attack on client - restrict the DH key size to at least 768 bits (limit will be increased in future) [1.0.1e-46] - drop the AES-GCM restriction of 2^32 operations because the IV is always 96 bits (32 bit fixed field + 64 bit invocation field) [1.0.1e-45] - update fix for CVE-2015-0287 to what was released upstream [1.0.1e-44] - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey() - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption - fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference - fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data - fix CVE-2015-0292 - integer underflow in base64 decoder - fix CVE-2015-0293 - triggerable assert in SSLv2 server [1.0.1e-43] - fix broken error detection when unwrapping unpadded key [1.0.1e-42.1] - fix the RFC 5649 for key material that does not need padding MODERATE Copyright 2015 Oracle, Inc. CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 Oracle Linux 6 Oracle Linux 7 [4.2.8.2-11.0.1.1] - Replaced RedHat colors with Oracle colors, and the filename redhat.soc with oracle.soc in specfile (jingdong.lu@oracle.com) - Build with --with-vendor='Oracle America, Inc.' (jingdong.lu@oracle.com) [1:4.2.8.2-11.1] - Resolves: rhbz#1285818 various flaws - CVE-2015-4551 Arbitrary file disclosure in Calc and Writer - CVE-2015-5212 Integer underflow in PrinterSetup length - CVE-2015-5213 Integer overflow in DOC files - CVE-2015-5214 Bookmarks in DOC documents are insufficiently checked causing memory corruption MODERATE Copyright 2015 Oracle, Inc. CVE-2015-4551 CVE-2015-5212 CVE-2015-5213 CVE-2015-5214 Oracle Linux 7 [2.02-0.33.0.1] - Fix comparison in patch for 18504756 - Remove symlink to grub environment file during uninstall on EFI platforms [bug 19231481] - update Oracle Linux certificates (Alexey Petrenko) - Put 'with' in menuentry instead of 'using' [bug 18504756] - Use different titles for UEK and RHCK kernels [bug 18504756] [2.02-0.33] - Don't remove 01_users, it's the wrong thing to do. Related:rhbz1290089 [2.02-0.32] - Rebuild for .z so the release number is different. Related: rhbz#1290089 [2.02-0.31] - More work on handling of GRUB2_PASSWORD Resolves: rhbz#1290089 [2.02-0.30] - Fix security issue when reading username and password Resolves: CVE-2015-8370 - Do a better job of handling GRUB_PASSWORD Resolves: rhbz#1290089 MODERATE Copyright 2015 Oracle, Inc. CVE-2015-8370 Oracle Linux 6 [2.6.32-573.12.1] - Revert: [netdrv] igb: add support for 1512 PHY (Stefan Assmann) [1278275 1238551] [2.6.32-573.11.1] - [kvm] svm: unconditionally intercept DB (Paolo Bonzini) [1279467 1279468] {CVE-2015-8104} - [x86] virt: guest to host DoS by triggering an infinite loop in microcode (Paolo Bonzini) [1277557 1277559] {CVE-2015-5307} [2.6.32-573.10.1] - [sound] Fix USB audio issues (wrong URB_ISO_ASAP semantics) (Jaroslav Kysela) [1273916 1255071] - [security] keys: Don't permit request_key() to construct a new keyring (David Howells) [1275927 1273463] {CVE-2015-7872} - [security] keys: Fix crash when attempt to garbage collect an uninstantiated keyring (David Howells) [1275927 1273463] {CVE-2015-7872} - [security] keys: Fix race between key destruction and finding a keyring by name (David Howells) [1275927 1273463] {CVE-2015-7872} - [ipc] Initialize msg/shm IPC objects before doing ipc_addid() (Stanislav Kozina) [1271504 1271505] {CVE-2015-7613} - [fs] vfs: Test for and handle paths that are unreachable from their mnt_root (Eric W. Biederman) [1209368 1209369] {CVE-2015-2925} - [fs] dcache: Handle escaped paths in prepend_path (Eric W. Biederman) [1209368 1209369] {CVE-2015-2925} - [netdrv] igb: add support for 1512 PHY (Stefan Assmann) [1278275 1238551] - [hid] fix unused rsize usage (Don Zickus) [1268203 1256568] - [hid] fix data access in implement() (Don Zickus) [1268203 1256568] - [fs] NFS: Hold i_lock in nfs_wb_page_cancel() while locking a request (Benjamin Coddington) [1273721 1135601] [2.6.32-573.9.1] - [mm] hugetlb: fix race in region tracking (Herton R. Krzesinski) [1274599 1260755] - [mm] hugetlb: improve, cleanup resv_map parameters (Herton R. Krzesinski) [1274599 1260755] - [mm] hugetlb: unify region structure handling (Herton R. Krzesinski) [1274599 1260755] - [mm] hugetlb: change variable name reservations to resv (Herton R. Krzesinski) [1274599 1260755] - [fs] dcache: Log ELOOP rather than creating a loop (Benjamin Coddington) [1272858 1254020] - [fs] dcache: Fix loop checks in d_materialise_unique (Benjamin Coddington) [1272858 1254020] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-2925 CVE-2015-7613 CVE-2015-5307 CVE-2015-8104 CVE-2015-7872 Oracle Linux 6 Oracle Linux 7 [32:9.8.2-0.44.rc1.5] - Fix CVE-2015-8000 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-8000 Oracle Linux 5 [30:9.3.6-25.P1.5] - Fix CVE-2015-8000 [30:9.3.6-25.P1.4] - Fix CVE-2015-5722 [30:9.3.6-25.P1.3] - Fix CVE-2015-5477 [30:9.3.6-25.P1.2] - Remove files backup after patching (Related: #1171971) [30:9.3.6-25.P1.1] - Fix CVE-2014-8500 (#1171971) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-8000 Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 [38.5.0-2.0.1] - Add firefox-oracle-default-prefs.js and firefox-oracle-default-bookmarks.html and remove the corresponding Red Hat files [38.5.0-2] - Update to 38.5.0 ESR CRITICAL Copyright 2015 Oracle, Inc. CVE-2015-7201 CVE-2015-7205 CVE-2015-7210 CVE-2015-7212 CVE-2015-7213 CVE-2015-7214 CVE-2015-7222 Oracle Linux 5 [32:9.7.0-21.P2.4] - Fix CVE-2015-8000 [32:9.7.0-21.P2.3] - Fix CVE-2015-5722 [32:9.7.0-21.P2.2] - Fix CVE-2015-5477 [32:9.7.0-21.P2.1] - Fix CVE-2014-8500 (#1171972) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-8000 Oracle Linux 5 [0:3.2-2jpp.4] - Fix Java object de-serialization vulnerability - Resolves: CVE-2015-7501 IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-7501 Oracle Linux 6 [0.12.1.2-2.479.el6_7.3] - kvm-net-pcnet-add-check-to-validate-receive-data-size-CV.patch [bz#1287950] - kvm-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch [bz#1287950] - Resolves: bz#1287950 (CVE-2015-7504 CVE-2015-7512 qemu-kvm: various flaws [rhel-6.7.z]) IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-7504 CVE-2015-7512 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-55.1.5] - [CIFS] Possible null ptr deref in SMB2_tcon (Steve French) [Orabug: 20433140] {CVE-2014-7145} [3.8.13-55.1.4] - net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [Orabug: 20425332] {CVE-2014-7841} [3.8.13-55.1.3] - ACPI: x2apic entry ignored (Cathy Avery) [Orabug: 19475776] - i40e: relax the firmware API version check (Shannon Nelson) [Orabug: 20216831] - x86, fpu: remove the logic of non-eager fpu mem allocation at the first usage (Annie Li) [Orabug: 20232585] - iommu/{vt-d,amd}: Remove multifunction assumption around grouping (Alex Williamson) [Orabug: 20192796] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7841 CVE-2014-7145 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.246.2] - net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [Orabug: 20425333] {CVE-2014-7841} [2.6.39-400.246.1] - sched: Fix possible divide by zero in avg_atom() calculation (Mateusz Guzik) [Orabug: 20148169] - include/linux/math64.h: add div64_ul() (Alex Shi) - deadlock when two nodes are converting same lock from PR to EX and idletimeout closes conn (Tariq Saeed) [Orabug: 18639535] - bonding: Bond master should reflect slave's features. (Ashish Samant) [Orabug: 20231825] - x86, fpu: remove the logic of non-eager fpu mem allocation at the first usage (Annie Li) [Orabug: 20239143] - x86, fpu: remove cpu_has_xmm check in the fx_finit() (Suresh Siddha) [Orabug: 20239143] - x86, fpu: make eagerfpu= boot param tri-state (Suresh Siddha) [Orabug: 20239143] - x86, fpu: enable eagerfpu by default for xsaveopt (Suresh Siddha) [Orabug: 20239143] - x86, fpu: decouple non-lazy/eager fpu restore from xsave (Suresh Siddha) [Orabug: 20239143] - x86, fpu: use non-lazy fpu restore for processors supporting xsave (Suresh Siddha) [Orabug: 20239143] - lguest, x86: handle guest TS bit for lazy/non-lazy fpu host models (Suresh Siddha) [Orabug: 20239143] - x86, fpu: always use kernel_fpu_begin/end() for in-kernel FPU usage (Suresh Siddha) [Orabug: 20239143] - x86, kvm: use kernel_fpu_begin/end() in kvm_load/put_guest_fpu() (Suresh Siddha) [Orabug: 20239143] - x86, fpu: remove unnecessary user_fpu_end() in save_xstate_sig() (Suresh Siddha) [Orabug: 20239143] - raid5: add AVX optimized RAID5 checksumming (Jim Kukunas) [Orabug: 20239143] - x86, fpu: drop the fpu state during thread exit (Suresh Siddha) [Orabug: 20239143] - x32: Add a thread flag for x32 processes (H. Peter Anvin) [Orabug: 20239143] - x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels (Suresh Siddha) [Orabug: 20239143] - x86, fpu: Consolidate inline asm routines for saving/restoring fpu state (Suresh Siddha) [Orabug: 20239143] - x86, signal: Cleanup ifdefs and is_ia32, is_x32 (Suresh Siddha) [Orabug: 20239143] into exported and internal interfaces (Linus Torvalds) [Orabug: 20239143] - i387: Uninline the generic FP helpers that we expose to kernel modules (Linus Torvalds) [Orabug: 20239143] - i387: use 'restore_fpu_checking()' directly in task switching code (Linus Torvalds) [Orabug: 20239143] - i387: fix up some fpu_counter confusion (Linus Torvalds) [Orabug: 20239143] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7841 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.36.14uek] - net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet (Daniel Borkmann) [Orabug: 20425334] {CVE-2014-7841} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7841 Oracle Linux 5 [0.9.8e-32.0.1] - Backport openssl 08-Jan-2015 security fixes (John Haxby) [orabug 20409893] - fix CVE-2014-3570 - Bignum squaring may produce incorrect results - fix CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record - fix CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] - fix CVE-2014-8275 - Certificate fingerprints can be modified - fix CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68] - ttusb-dec: buffer overflow in ioctl (Dan Carpenter) [Orabug: 20673373] {CVE-2014-8884} - mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support (Kirill A. Shutemov) [Orabug: 20673279] {CVE-2014-8173} - netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal) [Orabug: 20673235] {CVE-2014-8160} [3.8.13-67] - sparc64: Remove deprecated __GFP_NOFAIL from mdesc_kmalloc (Eric Snowberg) [Orabug: 20055909] - x86/xen: allow privcmd hypercalls to be preempted (David Vrabel) [Orabug: 20618880] - sched: Expose preempt_schedule_irq() (Thomas Gleixner) [Orabug: 20618880] - xen-netfront: Fix handling packets on compound pages with skb_linearize (Zoltan Kiss) [Orabug: 19546077] - qla2xxx: Add adapter checks for FAWWN functionality. (Saurav Kashyap) [Orabug: 20474227] - config: enable CONFIG_MODULE_SIG_SHA512 (Guangyu Sun) [Orabug: 20611400] - net: rds: use correct size for max unacked packets and bytes (Sasha Levin) [Orabug: 20585918] - watchdog: w83697hf_wdt: return ENODEV if no device was found (Stanislav Kholmanskikh) [Orabug: 18122938] - NVMe: Disable pci before clearing queue (Keith Busch) [Orabug: 20564650] [3.8.13-66] - bnx2fc: upgrade to 2.8.2 (Dan Duval) [Orabug: 20523502] - bnx2i: upgrade to 2.11.0.0 (Dan Duval) [Orabug: 20523502] - bnx2x: upgrade to 1.712.10 (Dan Duval) [Orabug: 20523502] - cnic: upgrade to 2.721.01 (Dan Duval) [Orabug: 20523502] - bnx2: upgrade to 2.712.01 (Dan Duval) [Orabug: 20523502] - Update lpfc version for 10.6.61 (rkennedy) [Orabug: 20539686] - Remove consolidated merge lines from previous patch, they require a 3.19 kernel to build with. (rkennedy) [Orabug: 20539686] - Implement support for wire-only DIF devices (rkennedy) [Orabug: 20539686] - lpfc: Update copyright to 2015 (rkennedy) [Orabug: 20539686] - lpfc: Update Copyright on changed files (James Smart) [Orabug: 20539686] - lpfc: Fix for lun discovery issue with 8Gig adapter. (rkennedy) [Orabug: 20539686] - lpfc: Fix crash in device reset handler. (rkennedy) [Orabug: 20539686] - lpfc: application causes OS crash when running diagnostics (rkennedy) [Orabug: 20539686] - lpfc: Fix internal loopback failure (rkennedy) [Orabug: 20539686] - lpfc: Fix premature release of rpi bit in bitmask (rkennedy) [Orabug: 20539686] - lpfc: Initiator sends wrong BBCredit value for either FLOGI or FLOGI_ACC (rkennedy) [Orabug: 20539686] - lpfc: Fix null ndlp derefernce in target_reset_handler (rkennedy) [Orabug: 20539686] - lpfc: Fix FDMI Fabric support (rkennedy) [Orabug: 20539686] - lpfc: Fix provide host name and OS name in RSNN-NN FC-GS command (rkennedy) [Orabug: 20539686] - lpfc: Parse the new 20G, 25G and 40G link speeds in the lpfc driver (rkennedy) [Orabug: 20539686] - lpfc: lpfc does not support option_rom_version sysfs attribute on newer adapters (rkennedy) [Orabug: 20539686] - lpfc: Fix setting of EQ delay Multiplier (rkennedy) [Orabug: 20539686] - lpfc: Fix host reset escalation killing all IOs. (rkennedy) [Orabug: 20539686] - lpfc: Linux lpfc driver doesnt re-establish the link after a cable pull on LPe12002 (rkennedy) [Orabug: 20539686] - lpfc: Fix to handle PLOGI when already logged in (rkennedy) [Orabug: 20539686] - lpfc: EnableBootCode from hbacmd fails on Lancer (rkennedy) [Orabug: 20539686] - lpfc: Add Lancer Temperature Event support to the lpfc driver (rkennedy) [Orabug: 20539686] - lpfc: Fix the iteration count to match the 30 sec comment (rkennedy) [Orabug: 20539686] - lpfc: fix low priority issues from fortify source code scan (James Smart) [Orabug: 20539686] - lpfc: fix high priority issues from fortify source code scan (James Smart) [Orabug: 20539686] - lpfc: fix for handling unmapped ndlp in target reset handler (James Smart) [Orabug: 20539686] - lpfc: fix crash from page fault caused by use after rport delete (James Smart) [Orabug: 20539686] - lpfc: fix locking issues with abort data paths (James Smart) [Orabug: 20539686] - lpfc: fix race between LOGO/PLOGI handling causing NULL pointer (James Smart) [Orabug: 20539686] - lpfc: fix quarantined XRI recovery qualifier state in link bounce (James Smart) [Orabug: 20539686] - lpfc: fix discovery timeout during nameserver login (James Smart) [Orabug: 20539686] - lpfc: fix IP Reset processing - wait for RDY before proceeding (James Smart) [Orabug: 20539686] - lpfc: Update lpfc version to driver version 10.2.8000.0 (James Smart) [Orabug: 20539686] - net: Check for presence of IFLA_AF_SPEC (Thomas Graf) [Orabug: 20382857] - net: Validate IFLA_BRIDGE_MODE attribute length (Thomas Graf) [Orabug: 20382857] - be2net: fix alignment on line wrap (Kalesh AP) [Orabug: 20382857] - be2net: remove multiple assignments on a single line (Kalesh AP) [Orabug: 20382857] - be2net: remove space after typecasts (Kalesh AP) [Orabug: 20382857] - be2net: remove unnecessary blank lines after an open brace (Kalesh AP) [Orabug: 20382857] - be2net: insert a blank line after function/struct//enum definitions (Kalesh AP) [Orabug: 20382857] - be2net: remove multiple blank lines (Kalesh AP) [Orabug: 20382857] - be2net: add blank line after declarations (Kalesh AP) [Orabug: 20382857] - be2net: remove return statements for void functions (Kalesh AP) [Orabug: 20382857] - be2net: add speed reporting for 20G-KR interface (Vasundhara Volam) [Orabug: 20382857] - be2net: add speed reporting for 40G/KR interface (Kalesh AP) [Orabug: 20382857] - be2net: fix sparse warnings in be_cmd_req_port_type{} (Suresh Reddy) [Orabug: 20382857] - be2net: fix a sparse warning in be_cmd_modify_eqd() (Kalesh AP) [Orabug: 20382857] - enic: fix rx napi poll return value (Govindarajulu Varadarajan) [Orabug: 20342354] - net: rename vlan_tx_* helpers since 'tx' is misleading there (Jiri Pirko) [Orabug: 20342354] - enic: free all rq buffs when allocation fails (Govindarajulu Varadarajan) [Orabug: 20342354] - net: ethernet: cisco: enic: enic_dev: Remove some unused functions (Rickard Strandqvist) [Orabug: 20342354] - enic: add stats for dma mapping error (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: check dma_mapping_error (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: make vnic_wq_buf doubly linked (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix rx skb checksum (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix work done in tx napi_poll (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: update desc properly in rx_copybreak (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: handle error condition properly in enic_rq_indicate_buf (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: Do not call napi_disable when preemption is disabled. (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix possible deadlock in enic_stop/ enic_rfs_flw_tbl_free (Govindarajulu Varadarajan) [Orabug: 20342354] - drivers/net: Convert remaining uses of pr_warning to pr_warn (Joe Perches) [Orabug: 20342354] - enic: implement rx_copybreak (Govindarajulu Varadarajan) [Orabug: 20342354] - PCI: Remove DEFINE_PCI_DEVICE_TABLE macro use (Benoit Taine) [Orabug: 20342354] - enic: add pci_zalloc_consistent to kcompat.h (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: use pci_zalloc_consistent (Joe Perches) [Orabug: 20342354] - enic: Add ethtool support to show classifier filters added by the driver (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: remove #ifdef CONFIG_RFS_ACCEL around filter structures (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix return values in enic_set_coalesce (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix compile issue when CONFIG_NET_RX_BUSY_POLL is N (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: add kcompat file (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: Make dummy rfs functions inline to fix !CONFIG_RFS_ACCEL build (Geert Uytterhoeven) [Orabug: 20342354] - enic: do tx cleanup in napi poll (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: add low latency socket busy_poll support (Govindarajulu Varadarajan) [Orabug: 20342354] - net: vlan: add protocol argument to packet tagging functions (Patrick McHardy) [Orabug: 20342354] - net: vlan: prepare for 802.1ad VLAN filtering offload (Patrick McHardy) [Orabug: 20342354] - net: vlan: rename NETIF_F_HW_VLAN_* feature flags to NETIF_F_HW_VLAN_CTAG_* (Patrick McHardy) [Orabug: 20342354] - enic: fix lockdep around devcmd_lock (Tony Camuso) [Orabug: 20342354] - enic: Add Accelerated RFS support (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: alloc/free rx_cpu_rmap (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: devcmd for adding IP 5 tuple hardware filters (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: fix return value in _vnic_dev_cmd (Govindarajulu Varadarajan) [Orabug: 20342354] - net: use SPEED_UNKNOWN and DUPLEX_UNKNOWN when appropriate (Jiri Pirko) [Orabug: 20342354] - enic: Fix 64 bit divide on 32bit system (Govindarajulu Varadarajan) [Orabug: 20342354] - enic: Add support for adaptive interrupt coalescing (Sujith Sankar) [Orabug: 20342354] - net: get rid of SET_ETHTOOL_OPS (Wilfried Klaebe) [Orabug: 20342354] - enic: Use pci_enable_msix_range() instead of pci_enable_msix() (Alexander Gordeev) [Orabug: 20342354] - bnx2x: Not use probe_defer (Vaughan Cao) [Orabug: 20405577] - Revert 'nfsd4: fix leak of inode reference on delegation failure' (Dan Duval) [Orabug: 20280060] - ipoib/ib core: set module_unload_allowed = 0 as default (Qing Huang) [Orabug: 20048920] - xfs: fix directory hash ordering bug (Mark Tinguely) [Orabug: 19695297] - xfs: fix node forward in xfs_node_toosmall (Mark Tinguely) [Orabug: 19695297] - XFS: Assertion failed: first <= last && last < BBTOB(bp->b_length), file: fs/xfs/xfs_trans_buf.c, line: 568 (Dave Chinner) [Orabug: 19695297] - mlx4_vnic: Skip fip discover restart if pkey index not changed (Yuval Shaia) [Orabug: 19153757] [3.8.13-65] - uek-rpm: ol7: update update-el to 7.1 (Guangyu Sun) [Orabug: 20524699] [3.8.13-64] - storvsc: ring buffer failures may result in I/O freeze (Long Li) [Orabug: 20328185] - crypto: add missing crypto module aliases (Mathias Krause) [Orabug: 20429934] {CVE-2013-7421} - crypto: include crypto- module prefix in template (Kees Cook) [Orabug: 20429934] {CVE-2014-9644} - crypto: prefix module autoloading with 'crypto-' (Kees Cook) [Orabug: 20429934] {CVE-2013-7421} - be2iscsi : Bump the driver version (John Soni Jose) [Orabug: 20426078] - be2iscsi : Fix memory leak in the unload path (John Soni Jose) [Orabug: 20426078] - be2iscsi : Fix the PCI request region reserving. (John Soni Jose) [Orabug: 20426078] - be2iscsi : Fix the retry count for boot targets (John Soni Jose) [Orabug: 20426078] - fuse: Ensure request structure is not modified after being reused. (Ashish Samant) [Orabug: 20396380] - x86, apic, kexec: Add disable_cpu_apicid kernel parameter (HATAYAMA Daisuke) [Orabug: 20344754] - nfsd4: zero op arguments beyond the 8th compound op (J. Bruce Fields) [Orabug: 20070817] - ocfs2: implement delayed dropping of last dquot reference (Jan Kara) [Orabug: 19559063] - ib/sdp: fix null dereference of sk->sk_wq in sdp_rx_irq() (Chuck Anderson) [Orabug: 20482741] [3.8.13-63] - ext4: protect write with sb_start/end_write in ext4_file_dio_write (Guangyu Sun) [Orabug: 20427284] - fs/pipe.c: skip file_update_time on frozen fs (Dmitry Monakhov) [Orabug: 20427126] - hpsa: remove 'action required' phrasing (Stephen M. Cameron) [Orabug: 20363086] - hpsa: remove spin lock around command allocation (Stephen M. Cameron) [Orabug: 20363086] - hpsa: always call pci_set_master after pci_enable_device (Robert Elliott) [Orabug: 20363086] - hpsa: Convert SCSI LLD ->queuecommand() for host_lock less operation (Nicholas Bellinger) [Orabug: 20363086] - hpsa: do not be so noisy about check conditions (Stephen M. Cameron) [Orabug: 20363086] - hpsa: use atomics for commands_outstanding (Stephen M. Cameron) [Orabug: 20363086] - hpsa: get rid of type/attribute/direction bit field where possible (Stephen M. Cameron) [Orabug: 20363086] - hpsa: fix endianness issue with scatter gather elements (Stephen M. Cameron) [Orabug: 20363086] - hpsa: fix allocation sizes for CISS_REPORT_LUNs commands (Stephen M. Cameron) [Orabug: 20363086] - hpsa: correct off-by-one sizing of chained SG block (Webb Scales) [Orabug: 20363086] - hpsa: fix a couple pci id table mistakes (Stephen M. Cameron) [Orabug: 20363086] - hpsa: remove dev_warn prints from RAID-1ADM (Robert Elliott) [Orabug: 20363086] - hpsa: Clean up warnings from sparse. (Don Brace) [Orabug: 20363086] - hpsa: add missing pci_set_master in kdump path (Tomas Henzl) [Orabug: 20363086] - hpsa: refine the pci enable/disable handling (Tomas Henzl) [Orabug: 20363086] - hpsa: Fallback to MSI rather than to INTx if MSI-X failed (Alexander Gordeev) [Orabug: 20363086] - libata: prevent HSM state change race between ISR and PIO (David Jeffery) [Orabug: 20019302] [3.8.13-62] - i40e: Bump i40e version to 1.2.2 and i40evf version to 1.0.6 (Catherine Sullivan) [Orabug: 20199714] - i40e: get pf_id from HW rather than PCI function (Shannon Nelson) [Orabug: 20199714] - i40e: increase ARQ size (Mitch Williams) [Orabug: 20199714] - i40e: Increase reset delay (Kevin Scott) [Orabug: 20199714] - i40evf: make early init sequence even more robust (Mitch Williams) [Orabug: 20199714] - i40e: fix netdev_stat macro definition (Shannon Nelson) [Orabug: 20199714] - i40e: Define and use i40e_is_vf macro (Anjali Singhai Jain) [Orabug: 20199714] - i40e: Add a virtual channel op to config RSS (Anjali Singhai Jain) [Orabug: 20199714] - i40e: dont enable PTP support on more than one PF per port (Jacob Keller) [Orabug: 20199714] - i40e: allow various base numbers in debugfs aq commands (Shannon Nelson) [Orabug: 20199714] - i40e: remove useless debug noise (Shannon Nelson) [Orabug: 20199714] - i40e: Remove unneeded break statement (Shannon Nelson) [Orabug: 20199714] - i40e: trigger SW INT with no ITR wait (Shannon Nelson) [Orabug: 20199714] - i40evf: remove unnecessary else (Mitch Williams) [Orabug: 20199714] - i40evf: make checkpatch happy (Mitch Williams) [Orabug: 20199714] - i40evf: update header comments (Mitch Williams) [Orabug: 20199714] - i40e: dont overload fields (Mitch Williams) [Orabug: 20199714] - i40e: Prevent link flow control settings when PFC is enabled (Neerav Parikh) [Orabug: 20199714] - i40e: Update VEBs enabled_tc after reconfiguration (Neerav Parikh) [Orabug: 20199714] - i40e: Bump version to 1.1.23 (Catherine Sullivan) [Orabug: 20199714] - i40e: re-enable VFLR interrupt sooner (Mitch Williams) [Orabug: 20199714] - i40e: only warn once of PTP nonsupport in 100Mbit speed (Shannon Nelson) [Orabug: 20199714] - i40evf: dont use more queues than CPUs (Mitch Williams) [Orabug: 20199714] - i40evf: make early init processing more robust (Mitch Williams) [Orabug: 20199714] - i40e: clean up throttle rate code (Jesse Brandeburg) [Orabug: 20199714] - i40e: dont do link_status or stats collection on every ARQ (Shannon Nelson) [Orabug: 20199714] - i40e: poll firmware slower (Kamil Krawczyk) [Orabug: 20199714] - i40e: properly parse MDET registers (Mitch Williams) [Orabug: 20199714] - i40e: configure VM ID in qtx_ctl (Mitch Williams) [Orabug: 20199714] - i40e: enable debug earlier (Shannon Nelson) [Orabug: 20199714] - i40e: better wording for resource tracking errors (Shannon Nelson) [Orabug: 20199714] - i40e: scale msix vector use when more cores than vectors (Shannon Nelson) [Orabug: 20199714] - i40e: remove debugfs dump stats (Shannon Nelson) [Orabug: 20199714] - i40e: avoid disable of interrupt when changing ITR (Jesse Brandeburg) [Orabug: 20199714] - i40evf: Add support for 10G base T parts (Paul M Stillwell Jr) [Orabug: 20199714] - i40e: fix link checking logic (Mitch Williams) [Orabug: 20199714] - i40evf: properly handle multiple AQ messages (Mitch Williams) [Orabug: 20199714] - i40e: Add condition to enter fdir flush and reinit (Akeem G Abodunrin) [Orabug: 20199714] - i40e: Bump version (Catherine Sullivan) [Orabug: 20199714] - i40e: Moving variable declaration out of the loops (Akeem G Abodunrin) [Orabug: 20199714] - i40e: Add 10GBaseT support (Mitch Williams) [Orabug: 20199714] - i40e: process link events when setting up switch (Mitch Williams) [Orabug: 20199714] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2013-7421 CVE-2014-9644 CVE-2014-3610 CVE-2014-7975 CVE-2014-8134 CVE-2014-8133 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-55.1.8] - kvm: fix excessive pages un-pinning in kvm_iommu_map error path. (Quentin Casasnovas) [Orabug: 20687313] {CVE-2014-3601} {CVE-2014-8369} {CVE-2014-3601} [3.8.13-55.1.7] - ttusb-dec: buffer overflow in ioctl (Dan Carpenter) [Orabug: 20673376] {CVE-2014-8884} - mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support (Kirill A. Shutemov) [Orabug: 20673281] {CVE-2014-8173} - netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal) [Orabug: 20673239] {CVE-2014-8160} - tracing/syscalls: Ignore numbers outside NR_syscalls' range (Rabin Vincent) [Orabug: 20673163] {CVE-2014-7826} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7825 CVE-2014-7826 CVE-2014-8160 CVE-2014-8173 CVE-2014-8884 CVE-2014-8369 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.248.3] - kvm: fix excessive pages un-pinning in kvm_iommu_map error path. (Quentin Casasnovas) [Orabug: 20687314] {CVE-2014-3601} {CVE-2014-8369} {CVE-2014-3601} - Revert 'mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support' (Guangyu Sun) [Orabug: 20673281] {CVE-2014-8173} [2.6.39-400.248.2] - netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal) [Orabug: 20679630] {CVE-2014-8160} - mac80211: fix fragmentation code, particularly for encryption (Johannes Berg) [Orabug: 20673313] {CVE-2014-8709} - mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support (Kirill A. Shutemov) [Orabug: 20673282] {CVE-2014-8173} - tracing/syscalls: Ignore numbers outside NR_syscalls' range (Rabin Vincent) [Orabug: 20673164] {CVE-2014-7825} {CVE-2014-7826} - tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 (Will Deacon) [Orabug: 20673164] {CVE-2014-7825} {CVE-2014-7826} [2.6.39-400.248.1] - NVMe: Disable pci before clearing queue (Keith Busch) [Orabug: 20533100] - x86, fpu: disable eagerfpu by default (Santosh Shilimkar) [Orabug: 20521543] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7825 CVE-2014-7826 CVE-2014-8160 CVE-2014-8709 CVE-2014-8369 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.2uek] - netfilter: conntrack: disable generic tracking for known protocols (Florian Westphal) [Orabug: 20679631] {CVE-2014-8160} - mac80211: fix fragmentation code, particularly for encryption (Johannes Berg) [Orabug: 20673314] {CVE-2014-8709} - tracing/syscalls: Ignore numbers outside NR_syscalls' range (Rabin Vincent) [Orabug: 20673165] {CVE-2014-7825} {CVE-2014-7826} - tracing/syscalls: Fix perf syscall tracing when syscall_nr == -1 (Will Deacon) [Orabug: 20673165] {CVE-2014-7825} {CVE-2014-7826} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-7825 CVE-2014-7826 CVE-2014-8160 CVE-2014-8709 CVE-2014-8369 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.1.2] - IB/core: Prevent integer overflow in ib_umem_get address arithmetic (Shachar Raindel) [Orabug: 20799875] {CVE-2014-8159} {CVE-2014-8159} [3.8.13-68.1.1] - xen-pciback: limit guest control of command register (Jan Beulich) [Orabug: 20697017] {CVE-2015-2150} {CVE-2015-2150} - net: sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [Orabug: 20780347] {CVE-2015-1421} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8159 CVE-2015-1421 CVE-2015-2150 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.249.3] - IB/core: Prevent integer overflow in ib_umem_get address arithmetic (Shachar Raindel) [Orabug: 20788393] {CVE-2014-8159} {CVE-2014-8159} [2.6.39-400.249.2] - xen-pciback: limit guest control of command register (Jan Beulich) [Orabug: 20704156] {CVE-2015-2150} {CVE-2015-2150} - net: sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [Orabug: 20780348] {CVE-2015-1421} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8159 CVE-2015-1421 CVE-2015-2150 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.3] - net: sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [Orabug: 20780349] {CVE-2015-1421} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1421 Oracle Linux 6 [1.0.1m-2.0.1] - update to upstream 1.0.1m - update to fips canister 2.0.9 - regenerated below patches openssl-1.0.1-beta2-rpmbuild.patch openssl-1.0.1m-rhcompat.patch openssl-1.0.1m-ecc-suiteb.patch openssl-1.0.1m-fips-mode.patch openssl-1.0.1m-version.patch openssl-1.0.1m-evp-devel.patch [1.0.1j-2.0.4] - [Orabug 20182267] The openssl-fips-devel package should Provide: openssl-devel and openssl-devel(x86-64) like the standard -devel package - The openssl-fips-devel package should include fips.h and fips_rand.h for apps that want to build against FIPS* APIs [1.0.1j-2.0.3] - [Orabug 20086847] reintroduce patch openssl-1.0.1e-ecc-suiteb.patch, update ec_curve.c which gets copied into build tree to match the patch (ie only have curves which are advertised). The change items from the orignal patch are as follows: - do not advertise ECC curves we do not support - fix CPU identification on Cyrix CPUs [1.0.1j-2.0.2] - update README.FIPS with step-by-step install instructions [1.0.1j-2.0.1] - update to upstream 1.0.1j - change name to openssl-fips - change Obsoletes: openssl to Conflicts: openssl - add Provides: openssl [1.0.1i-2.0.3.fips] - update to fips canister 2.0.8 to remove Dual EC DRBG - run gcc -v so the gcc build version is captured in the build log [1.0.1i-2.0.2.fips] - flip EVP_CIPH_* flag bits for compatibility with original RH patched pkg [1.0.1i-2.0.1.fips] - build against upstream 1.0.1i - build against fips validated canister 2.0.7 - add patch to support fips=1 - rename pkg to openssl-fips and Obsolete openssl [1.0.1e-16.14] - fix CVE-2010-5298 - possible use of memory after free - fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment - fix CVE-2014-0198 - possible NULL pointer dereference - fix CVE-2014-0221 - DoS from invalid DTLS handshake packet - fix CVE-2014-0224 - SSL/TLS MITM vulnerability - fix CVE-2014-3470 - client-side DoS when using anonymous ECDH [1.0.1e-16.7] - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension [1.0.1e-16.4] - fix CVE-2013-4353 - Invalid TLS handshake crash [1.0.1e-16.3] - fix CVE-2013-6450 - possible MiTM attack on DTLS1 [1.0.1e-16.2] - fix CVE-2013-6449 - crash when version in SSL structure is incorrect [1.0.1e-16.1] - add back some no-op symbols that were inadvertently dropped [1.0.1e-16] - do not advertise ECC curves we do not support - fix CPU identification on Cyrix CPUs [1.0.1e-15] - make DTLS1 work in FIPS mode - avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode [1.0.1e-14] - installation of dracut-fips marks that the FIPS module is installed [1.0.1e-13] - avoid dlopening libssl.so from libcrypto [1.0.1e-12] - fix small memory leak in FIPS aes selftest - fix segfault in openssl speed hmac in the FIPS mode [1.0.1e-11] - document the nextprotoneg option in manual pages original patch by Hubert Kario [1.0.1e-9] - always perform the FIPS selftests in library constructor if FIPS module is installed [1.0.1e-8] - fix use of rdrand if available - more commits cherry picked from upstream - documentation fixes [1.0.1e-7] - additional manual page fix - use symbol versioning also for the textual version [1.0.1e-6] - additional manual page fixes - cleanup speed command output for ECDH ECDSA [1.0.1e-5] - use _prefix macro [1.0.1e-4] - add relro linking flag [1.0.1e-2] - add support for the -trusted_first option for certificate chain verification [1.0.1e-1] - rebase to the 1.0.1e upstream version [1.0.0-28] - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv() everywhere instead of getenv() (#839735) [1.0.0-27] - fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645) - drop superfluous lib64 fixup in pkgconfig .pc files (#770872) - force BIO_accept_new(*:<port-number>) to listen on IPv4 [1.0.0-26] - use PKCS#8 when writing private keys in FIPS mode as the old PEM encryption mode is not FIPS compatible (#812348) [1.0.0-25] - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - properly initialize tkeylen in the CVE-2012-0884 fix [1.0.0-24] - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185) [1.0.0-23] - fix problem with the SGC restart patch that might terminate handshake incorrectly - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) [1.0.0-22] - fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes [1.0.0-21] - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) [1.0.0-20] - fix x86cpuid.pl - patch by Paolo Bonzini [1.0.0-19] - add known answer test for SHA2 algorithms [1.0.0-18] - fix missing initialization of a variable in the CHIL engine (#740188) [1.0.0-17] - initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207 (#736087) [1.0.0-16] - merge the optimizations for AES-NI, SHA1, and RC4 from the intelx engine to the internal implementations [1.0.0-15] - better documentation of the available digests in apps (#693858) - backported CHIL engine fixes (#693863) - allow testing build without downstream patches (#708511) - enable partial RELRO when linking (#723994) - add intelx engine with improved performance on new Intel CPUs - add OPENSSL_DISABLE_AES_NI environment variable which disables the AES-NI support (does not affect the intelx engine) [1.0.0-14] - use the AES-NI engine in the FIPS mode [1.0.0-11] - add API necessary for CAVS testing of the new DSA parameter generation [1.0.0-10] - fix OCSP stapling vulnerability - CVE-2011-0014 (#676063) - correct the README.FIPS document [1.0.0-8] - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 key generation method - use FIPS-186-3 method for DSA parameter generation - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable to allow using MD5 when the system is in the maintenance state even if the /proc fips flag is on - make openssl pkcs12 command work by default in the FIPS mode [1.0.0-7] - listen on ipv6 wildcard in s_server so we accept connections from both ipv4 and ipv6 (#601612) - fix openssl speed command so it can be used in the FIPS mode with FIPS allowed ciphers (#619762) [1.0.0-6] - disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864 (#649304) [1.0.0-5] - fix race in extension parsing code - CVE-2010-3864 (#649304) [1.0.0-4] - openssl man page fix (#609484) [1.0.0-3] - fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738) - fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732) [1.0.0-2] - make CA dir readable - the private keys are in private subdir (#584810) - a few fixes from upstream CVS - make X509_NAME_hash_old work in FIPS mode (#568395) [1.0.0-1] - update to final 1.0.0 upstream release [1.0.0-0.22.beta5] - make TLS work in the FIPS mode [1.0.0-0.21.beta5] - gracefully handle zero length in assembler implementations of OPENSSL_cleanse (#564029) - do not fail in s_server if client hostname not resolvable (#561260) [1.0.0-0.20.beta5] - new upstream release [1.0.0-0.19.beta4] - fix CVE-2009-4355 - leak in applications incorrectly calling CRYPTO_free_all_ex_data() before application exit (#546707) - upstream fix for future TLS protocol version handling [1.0.0-0.18.beta4] - add support for Intel AES-NI [1.0.0-0.17.beta4] - upstream fix compression handling on session resumption - various null checks and other small fixes from upstream - upstream changes for the renegotiation info according to the latest draft [1.0.0-0.16.beta4] - fix non-fips mingw build (patch by Kalev Lember) - add IPV6 fix for DTLS [1.0.0-0.15.beta4] - add better error reporting for the unsafe renegotiation [1.0.0-0.14.beta4] - fix build on s390x [1.0.0-0.13.beta4] - disable enforcement of the renegotiation extension on the client (#537962) - add fixes from the current upstream snapshot [1.0.0-0.12.beta4] - keep the beta status in version number at 3 so we do not have to rebuild openssh and possibly other dependencies with too strict version check [1.0.0-0.11.beta4] - update to new upstream version, no soname bump needed - fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used so the compatibility with unfixed clients is not broken. The protocol extension is also not final. [1.0.0-0.10.beta3] - fix use of freed memory if SSL_CTX_free() is called before SSL_free() (#521342) [1.0.0-0.9.beta3] - fix typo in DTLS1 code (#527015) - fix leak in error handling of d2i_SSL_SESSION() [1.0.0-0.8.beta3] - fix RSA and DSA FIPS selftests - reenable fixed x86_64 camellia assembler code (#521127) [1.0.0-0.7.beta3] - temporarily disable x86_64 camellia assembler code (#521127) [1.0.0-0.6.beta3] - fix openssl dgst -dss1 (#520152) [1.0.0-0.5.beta3] - drop the compat symlink hacks [1.0.0-0.4.beta3] - constify SSL_CIPHER_description() [1.0.0-0.3.beta3] - fix WWW:Curl:Easy reference in tsget [1.0.0-0.2.beta3] - enable MD-2 [1.0.0-0.1.beta3] - update to new major upstream release [0.9.8k-7] - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Wed Jul 22 2009 Bill Nottingham <notting@redhat.com> - do not build special 'optimized' versions for i686, as that's the base arch in Fedora now [0.9.8k-6] - abort if selftests failed and random number generator is polled - mention EVP_aes and EVP_sha2xx routines in the manpages - add README.FIPS - make CA dir absolute path (#445344) - change default length for RSA key generation to 2048 (#484101) [0.9.8k-5] - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 (DTLS DoS problems) (#501253, #501254, #501572) [0.9.8k-4] - support compatibility DTLS mode for CISCO AnyConnect (#464629) [0.9.8k-3] - correct the SHLIB_VERSION define [0.9.8k-2] - add support for multiple CRLs with same subject - load only dynamic engine support in FIPS mode [0.9.8k-1] - update to new upstream release (minor bug fixes, security fixes and machine code optimizations only) [0.9.8j-10] - move libraries to /usr/lib (#239375) [0.9.8j-9] - add a static subpackage [0.9.8j-8] - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild [0.9.8j-7] - must also verify checksum of libssl.so in the FIPS mode - obtain the seed for FIPS rng directly from the kernel device - drop the temporary symlinks [0.9.8j-6] - drop the temporary triggerpostun and symlinking in post - fix the pkgconfig files and drop the unnecessary buildrequires on pkgconfig as it is a rpmbuild dependency (#481419) [0.9.8j-5] - add temporary triggerpostun to reinstate the symlinks [0.9.8j-4] - no pairwise key tests in non-fips mode (#479817) [0.9.8j-3] - even more robust test for the temporary symlinks [0.9.8j-2] - try to ensure the temporary symlinks exist [0.9.8j-1] - new upstream version with necessary soname bump (#455753) - temporarily provide symlink to old soname to make it possible to rebuild the dependent packages in rawhide - add eap-fast support (#428181) - add possibility to disable zlib by setting - add fips mode support for testing purposes - do not null dereference on some invalid smime files - add buildrequires pkgconfig (#479493) [0.9.8g-11] - do not add tls extensions to server hello for SSLv3 either [0.9.8g-10] - move root CA bundle to ca-certificates package [0.9.8g-9] - fix CVE-2008-0891 - server name extension crash (#448492) - fix CVE-2008-1672 - server key exchange message omit crash (#448495) [0.9.8g-8] - super-H arch support - drop workaround for bug 199604 as it should be fixed in gcc-4.3 [0.9.8g-7] - sparc handling [0.9.8g-6] - update to new root CA bundle from mozilla.org (r1.45) [0.9.8g-5] - Autorebuild for GCC 4.3 [0.9.8g-4] - merge review fixes (#226220) - adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846) [0.9.8g-3] - set default paths when no explicit paths are set (#418771) - do not add tls extensions to client hello for SSLv3 (#422081) [0.9.8g-2] - enable some new crypto algorithms and features - add some more important bug fixes from openssl CVS [0.9.8g-1] - update to latest upstream release, SONAME bumped to 7 [0.9.8b-17] - update to new CA bundle from mozilla.org [0.9.8b-16] - fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801) - fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191) - add alpha sub-archs (#296031) [0.9.8b-15] - rebuild [0.9.8b-14] - use localhost in testsuite, hopefully fixes slow build in koji - CVE-2007-3108 - fix side channel attack on private keys (#250577) - make ssl session cache id matching strict (#233599) [0.9.8b-13] - allow building on ARM architectures (#245417) - use reference timestamps to prevent multilib conflicts (#218064) - -devel package must require pkgconfig (#241031) [0.9.8b-12] - detect duplicates in add_dir properly (#206346) [0.9.8b-11] - the previous change still didn't make X509_NAME_cmp transitive [0.9.8b-10] - make X509_NAME_cmp transitive otherwise certificate lookup is broken (#216050) [0.9.8b-9] - aliasing bug in engine loading, patch by IBM (#213216) [0.9.8b-8] - CVE-2006-2940 fix was incorrect (#208744) [0.9.8b-7] - fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276) - fix CVE-2006-2940 - parasitic public keys DoS (#207274) - fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940) - fix CVE-2006-4343 - sslv2 client DoS (#206940) [0.9.8b-6] - fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180) [0.9.8b-5] - set buffering to none on stdio/stdout FILE when bufsize is set (#200580) patch by IBM [0.9.8b-4.1] - rebuild with new binutils (#200330) [0.9.8b-4] - add a temporary workaround for sha512 test failure on s390 (#199604) * Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737) - add patches for BN threadsafety, AES cache collision attack hazard fix and pkcs7 code memleak fix from upstream CVS [0.9.8b-3.1] - rebuild [0.9.8b-3] - dropped libica and ica engine from build * Wed Jun 21 2006 Joe Orton <jorton@redhat.com> - update to new CA bundle from mozilla.org; adds CA certificates from netlock.hu and startcom.org [0.9.8b-2] - fixed a few rpmlint warnings - better fix for #173399 from upstream - upstream fix for pkcs12 [0.9.8b-1] - upgrade to new version, stays ABI compatible - there is no more linux/config.h (it was empty anyway) [0.9.8a-6] - fix stale open handles in libica (#177155) - fix build if 'rand' or 'passwd' in buildroot path (#178782) - initialize VIA Padlock engine (#186857) [0.9.8a-5.2] - bump again for double-long bug on ppc(64) [0.9.8a-5.1] - rebuilt for new gcc4.1 snapshot and glibc changes [0.9.8a-5] - don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG in SSL_OP_ALL (#175779) * Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com> - rebuilt [0.9.8a-4] - fix build (-lcrypto was erroneusly dropped) of the updated libica - updated ICA engine to 1.3.6-rc3 [0.9.8a-3] - disable builtin compression methods for now until they work properly (#173399) [0.9.8a-2] - don't set -rpath for openssl binary [0.9.8a-1] - new upstream version - patches partially renumbered [0.9.7f-11] - updated IBM ICA engine library and patch to latest upstream version [0.9.7f-10] - fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which disables the countermeasure against man in the middle attack in SSLv2 (#169863) - use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803) [0.9.7f-9] - add *.so.soversion as symlinks in /lib (#165264) - remove unpackaged symlinks (#159595) - fixes from upstream (constant time fixes for DSA, bn assembler div on ppc arch, initialize memory on realloc) [0.9.7f-8] - Updated ICA engine IBM patch to latest upstream version. [0.9.7f-7] - fix CAN-2005-0109 - use constant time/memory access mod_exp so bits of private key aren't leaked by cache eviction (#157631) - a few more fixes from upstream 0.9.7g [0.9.7f-6] - use poll instead of select in rand (#128285) - fix Makefile.certificate to point to /etc/pki/tls - change the default string mask in ASN1 to PrintableString+UTF8String [0.9.7f-5] - update to revision 1.37 of Mozilla CA bundle [0.9.7f-4] - move certificates to _sysconfdir/pki/tls (#143392) - move CA directories to _sysconfdir/pki/CA - patch the CA script and the default config so it points to the CA directories [0.9.7f-3] - uninitialized variable mustn't be used as input in inline assembly - reenable the x86_64 assembly again [0.9.7f-2] - add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken - disable broken bignum assembly on x86_64 [0.9.7f-1] - reenable optimizations on ppc64 and assembly code on ia64 - upgrade to new upstream version (no soname bump needed) - disable thread test - it was testing the backport of the RSA blinding - no longer needed - added support for changing serial number to Makefile.certificate (#151188) - make ca-bundle.crt a config file (#118903) [0.9.7e-3] - libcrypto shouldn't depend on libkrb5 (#135961) [0.9.7e-2] - rebuild [0.9.7e-1] - new upstream source, updated patches - added patch so we are hopefully ABI compatible with upcoming 0.9.7f * Thu Feb 10 2005 Tomas Mraz <tmraz@redhat.com> - Support UTF-8 charset in the Makefile.certificate (#134944) - Added cmp to BuildPrereq [0.9.7a-46] - generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32) [0.9.7a-45] - Fixed and updated libica-1.3.4-urandom.patch patch (#122967) [0.9.7a-44] - rebuild [0.9.7a-43] - rebuild [0.9.7a-42] - rebuild [0.9.7a-41] - remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040) [0.9.7a-40] - Include latest libica version with important bugfixes * Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com> - rebuilt [0.9.7a-38] - Updated ICA engine IBM patch to latest upstream version. [0.9.7a-37] - build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik) [0.9.7a-36] - handle %{_arch}=i486/i586/i686/athlon cases in the intermediate header (#124303) [0.9.7a-35] - add security fixes for CAN-2004-0079, CAN-2004-0112 * Tue Mar 16 2004 Phil Knirsch <pknirsch@redhat.com> - Fixed libica filespec. [0.9.7a-34] - ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix the intermediate header [0.9.7a-33] - add an intermediate <openssl/opensslconf.h> which points to the right arch-specific opensslconf.h on multilib arches * Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com> - rebuilt [0.9.7a-32] - Updated libica to latest upstream version 1.3.5. [0.9.7a-31] - Update ICA crypto engine patch from IBM to latest version. * Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com> - rebuilt [0.9.7a-29] - rebuilt [0.9.7a-28] - Fixed libica build. * Wed Feb 04 2004 Nalin Dahyabhai <nalin@redhat.com> - add '-ldl' to link flags added for Linux-on-ARM (#99313) [0.9.7a-27] - updated ca-bundle.crt: removed expired GeoTrust roots, added freessl.com root, removed trustcenter.de Class 0 root [0.9.7a-26] - Fix link line for libssl (bug #111154). [0.9.7a-25] - add dependency on zlib-devel for the -devel package, which depends on zlib symbols because we enable zlib for libssl (#102962) [0.9.7a-24] - Use /dev/urandom instead of PRNG for libica. - Apply libica-1.3.5 fix for /dev/urandom in icalinux.c - Use latest ICA engine patch from IBM. [0.9.7a-22.1] - rebuild [0.9.7a-22] - rebuild (22 wasn't actually built, fun eh?) [0.9.7a-23] - re-disable optimizations on ppc64 * Tue Sep 30 2003 Joe Orton <jorton@redhat.com> - add a_mbstr.c fix for 64-bit platforms from CVS [0.9.7a-22] - add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged as not needing executable stacks [0.9.7a-21] - rebuild * Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com> - re-enable optimizations on ppc64 * Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com> - remove exclusivearch [0.9.7a-20] - only parse a client cert if one was requested - temporarily exclusivearch for %{ix86} * Tue Sep 23 2003 Nalin Dahyabhai <nalin@redhat.com> - add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544) and heap corruption (CAN-2003-0545) - update RHNS-CA-CERT files - ease back on the number of threads used in the threading test [0.9.7a-19] - rebuild to fix gzipped file md5sums (#91211) [0.9.7a-18] - Updated libica to version 1.3.4. [0.9.7a-17] - rebuild [0.9.7a-10.9] - free the kssl_ctx structure when we free an SSL structure (#99066) [0.9.7a-16] - rebuild [0.9.7a-15] - lower thread test count on s390x [0.9.7a-14] - rebuild [0.9.7a-13] - disable assembly on arches where it seems to conflict with threading [0.9.7a-12] - Updated libica to latest upstream version 1.3.0 [0.9.7a-9.9] - rebuild [0.9.7a-11] - rebuild [0.9.7a-10] - ubsec: don't stomp on output data which might also be input data [0.9.7a-9] - temporarily disable optimizations on ppc64 * Mon Jun 09 2003 Nalin Dahyabhai <nalin@redhat.com> - backport fix for engine-used-for-everything from 0.9.7b - backport fix for prng not being seeded causing problems, also from 0.9.7b - add a check at build-time to ensure that RSA is thread-safe - keep perlpath from stomping on the libica configure scripts * Fri Jun 06 2003 Nalin Dahyabhai <nalin@redhat.com> - thread-safety fix for RSA blinding [0.9.7a-8] - rebuilt [0.9.7a-7] - Added libica-1.2 to openssl (featurerequest). [0.9.7a-6] - fix building with incorrect flags on ppc64 [0.9.7a-5] - add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's attack (CAN-2003-0131) [ 0.9.7a-4] - add patch to enable RSA blinding by default, closing a timing attack (CAN-2003-0147) [0.9.7a-3] - disable use of BN assembly module on x86_64, but continue to allow inline assembly (#83403) [0.9.7a-2] - disable EC algorithms [0.9.7a-1] - update to 0.9.7a [0.9.7-8] - add fix to guard against attempts to allocate negative amounts of memory - add patch for CAN-2003-0078, fixing a timing attack [0.9.7-7] - Add openssl-ppc64.patch [0.9.7-6] - EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(), to get the right behavior when passed uninitialized context structures (#83766) - build with -mcpu=ev5 on alpha family (#83828) * Wed Jan 22 2003 Tim Powers <timp@redhat.com> - rebuilt [0.9.7-4] - Added IBM hw crypto support patch. * Wed Jan 15 2003 Nalin Dahyabhai <nalin@redhat.com> - add missing builddep on sed [0.9.7-3] - debloat - fix broken manpage symlinks [0.9.7-2] - fix double-free in 'openssl ca' [0.9.7-1] - update to 0.9.7 final [0.9.7-0] - update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7) * Wed Dec 11 2002 Nalin Dahyabhai <nalin@redhat.com> - update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7) [0.9.6b-30] - add configuration stanza for x86_64 and use it on x86_64 - build for linux-ppc on ppc - start running the self-tests again [0.9.6b-29hammer.3] - Merge fixes from previous hammer packages, including general x86-64 and multilib [0.9.6b-29] - rebuild [0.9.6b-28] - update asn patch to fix accidental reversal of a logic check [0.9.6b-27] - update asn patch to reduce chance that compiler optimization will remove one of the added tests [0.9.6b-26] - rebuild [0.9.6b-25] - add patch to fix ASN.1 vulnerabilities [0.9.6b-24] - add backport of Ben Laurie's patches for OpenSSL 0.9.6d [0.9.6b-23] - own {_datadir}/ssl/misc * Fri Jun 21 2002 Tim Powers <timp@redhat.com> - automated rebuild * Sun May 26 2002 Tim Powers <timp@redhat.com> - automated rebuild [0.9.6b-20] - free ride through the build system (whee!) [0.9.6b-19] - rebuild in new environment [0.9.6b-17, 0.9.6b-18] - merge RHL-specific bits into stronghold package, rename [stronghold-0.9.6c-2] - add support for Chrysalis Luna token * Tue Mar 26 2002 Gary Benson <gbenson@redhat.com> - disable AEP random number generation, other AEP fixes [0.9.6b-15] - only build subpackages on primary arches [0.9.6b-13] - on ia32, only disable use of assembler on i386 - enable assembly on ia64 [0.9.6b-11] - fix sparcv9 entry [stronghold-0.9.6c-1] - upgrade to 0.9.6c - bump BuildArch to i686 and enable assembler on all platforms - synchronise with shrimpy and rawhide - bump soversion to 3 * Wed Oct 10 2001 Florian La Roche <Florian.LaRoche@redhat.de> - delete BN_LLONG for s390x, patch from Oliver Paukstadt [0.9.6b-9] - update AEP driver patch * Mon Sep 10 2001 Nalin Dahyabhai <nalin@redhat.com> - adjust RNG disabling patch to match version of patch from Broadcom [0.9.6b-8] - disable the RNG in the ubsec engine driver [0.9.6b-7] - tweaks to the ubsec engine driver [0.9.6b-6] - tweaks to the ubsec engine driver [0.9.6b-5] - update ubsec engine driver from Broadcom [0.9.6b-4] - move man pages back to %{_mandir}/man?/foo.?ssl from %{_mandir}/man?ssl/foo.? - add an [ engine ] section to the default configuration file * Thu Aug 09 2001 Nalin Dahyabhai <nalin@redhat.com> - add a patch for selecting a default engine in SSL_library_init() [0.9.6b-3] - add patches for AEP hardware support - add patch to keep trying when we fail to load a cert from a file and there are more in the file - add missing prototype for ENGINE_ubsec() in engine_int.h [0.9.6b-2] - actually add hw_ubsec to the engine list * Tue Jul 17 2001 Nalin Dahyabhai <nalin@redhat.com> - add in the hw_ubsec driver from CVS [0.9.6b-1] - update to 0.9.6b * Thu Jul 05 2001 Nalin Dahyabhai <nalin@redhat.com> - move .so symlinks back to %{_libdir} * Tue Jul 03 2001 Nalin Dahyabhai <nalin@redhat.com> - move shared libraries to /lib (#38410) * Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com> - switch to engine code base * Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com> - add a script for creating dummy certificates - move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.? * Thu Jun 07 2001 Florian La Roche <Florian.LaRoche@redhat.de> - add s390x support * Fri Jun 01 2001 Nalin Dahyabhai <nalin@redhat.com> - change two memcpy() calls to memmove() - don't define L_ENDIAN on alpha [stronghold-0.9.6a-1] - Add 'stronghold-' prefix to package names. - Obsolete standard openssl packages. * Wed May 16 2001 Joe Orton <jorton@redhat.com> - Add BuildArch: i586 as per Nalin's advice. * Tue May 15 2001 Joe Orton <jorton@redhat.com> - Enable assembler on ix86 (using new .tar.bz2 which does include the asm directories). * Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com> - make subpackages depend on the main package * Tue May 01 2001 Nalin Dahyabhai <nalin@redhat.com> - adjust the hobble script to not disturb symlinks in include/ (fix from Joe Orton) * Fri Apr 27 2001 Nalin Dahyabhai <nalin@redhat.com> - drop the m2crypo patch we weren't using * Tue Apr 24 2001 Nalin Dahyabhai <nalin@redhat.com> - configure using 'shared' as well * Sun Apr 08 2001 Nalin Dahyabhai <nalin@redhat.com> - update to 0.9.6a - use the build-shared target to build shared libraries - bump the soversion to 2 because we're no longer compatible with our 0.9.5a packages or our 0.9.6 packages - drop the patch for making rsatest a no-op when rsa null support is used - put all man pages into <section>ssl instead of <section> - break the m2crypto modules into a separate package * Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com> - use BN_LLONG on s390 * Mon Mar 12 2001 Nalin Dahyabhai <nalin@redhat.com> - fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit) * Sat Mar 03 2001 Nalin Dahyabhai <nalin@redhat.com> - move c_rehash to the perl subpackage, because it's a perl script now * Fri Mar 02 2001 Nalin Dahyabhai <nalin@redhat.com> - update to 0.9.6 - enable MD2 - use the libcrypto.so and libssl.so targets to build shared libs with - bump the soversion to 1 because we're no longer compatible with any of the various 0.9.5a packages circulating around, which provide lib*.so.0 * Wed Feb 28 2001 Florian La Roche <Florian.LaRoche@redhat.de> - change hobble-openssl for disabling MD2 again * Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com> - re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152 bytes or so, causing EVP_DigestInit() to zero out stack variables in apps built against a version of the library without it * Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com> - disable some inline assembly, which on x86 is Pentium-specific - re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all) * Thu Feb 08 2001 Florian La Roche <Florian.LaRoche@redhat.de> - fix s390 patch * Fri Dec 08 2000 Than Ngo <than@redhat.com> - added support s390 * Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com> - remove -Wa,* and -m* compiler flags from the default Configure file (#20656) - add the CA.pl man page to the perl subpackage * Thu Nov 02 2000 Nalin Dahyabhai <nalin@redhat.com> - always build with -mcpu=ev5 on alpha * Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com> - add a symlink from cert.pem to ca-bundle.crt * Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com> - add a ca-bundle file for packages like Samba to reference for CA certificates * Tue Oct 24 2000 Nalin Dahyabhai <nalin@redhat.com> - remove libcrypto's crypt(), which doesn't handle md5crypt (#19295) * Mon Oct 02 2000 Nalin Dahyabhai <nalin@redhat.com> - add unzip as a buildprereq (#17662) - update m2crypto to 0.05-snap4 * Tue Sep 26 2000 Bill Nottingham <notting@redhat.com> - fix some issues in building when it's not installed * Wed Sep 06 2000 Nalin Dahyabhai <nalin@redhat.com> - make sure the headers we include are the ones we built with (aaaaarrgh!) * Fri Sep 01 2000 Nalin Dahyabhai <nalin@redhat.com> - add Richard Henderson's patch for BN on ia64 - clean up the changelog * Tue Aug 29 2000 Nalin Dahyabhai <nalin@redhat.com> - fix the building of python modules without openssl-devel already installed * Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com> - byte-compile python extensions without the build-root - adjust the makefile to not remove temporary files (like .key files when building .csr files) by marking them as .PRECIOUS * Sat Aug 19 2000 Nalin Dahyabhai <nalin@redhat.com> - break out python extensions into a subpackage * Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com> - tweak the makefile some more * Tue Jul 11 2000 Nalin Dahyabhai <nalin@redhat.com> - disable MD2 support * Thu Jul 06 2000 Nalin Dahyabhai <nalin@redhat.com> - disable MDC2 support * Sun Jul 02 2000 Nalin Dahyabhai <nalin@redhat.com> - tweak the disabling of RC5, IDEA support - tweak the makefile * Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com> - strip binaries and libraries - rework certificate makefile to have the right parts for Apache * Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com> - use %{_perl} instead of /usr/bin/perl - disable alpha until it passes its own test suite * Fri Jun 09 2000 Nalin Dahyabhai <nalin@redhat.com> - move the passwd.1 man page out of the passwd package's way * Fri Jun 02 2000 Nalin Dahyabhai <nalin@redhat.com> - update to 0.9.5a, modified for U.S. - add perl as a build-time requirement - move certificate makefile to another package - disable RC5, IDEA, RSA support - remove optimizations for now * Wed Mar 01 2000 Florian La Roche <Florian.LaRoche@redhat.de> - Bero told me to move the Makefile into this package * Wed Mar 01 2000 Florian La Roche <Florian.LaRoche@redhat.de> - add lib*.so symlinks to link dynamically against shared libs * Tue Feb 29 2000 Florian La Roche <Florian.LaRoche@redhat.de> - update to 0.9.5 - run ldconfig directly in post/postun - add FAQ * Sat Dec 18 1999 Bernhard Rosenkrdnzer <bero@redhat.de> - Fix build on non-x86 platforms * Fri Nov 12 1999 Bernhard Rosenkrdnzer <bero@redhat.de> - move /usr/share/ssl/* from -devel to main package * Tue Oct 26 1999 Bernhard Rosenkrdnzer <bero@redhat.de> - inital packaging - changes from base: - Move /usr/local/ssl to /usr/share/ssl for FHS compliance - handle RPM_OPT_FLAGS openssl-1.0.1-beta2-rpmbuild.patch openssl-0.9.8a-no-rpath.patch MODERATE Copyright 2015 Oracle, Inc. CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.1.3] - isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930551] {CVE-2014-9584} - KEYS: close race between key lookup and freeing (Sasha Levin) [Orabug: 20930548] {CVE-2014-9529} {CVE-2014-9529} - mm: memcg: do not allow task about to OOM kill to bypass the limit (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: do not declare OOM from __GFP_NOFAIL allocations (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - fs: buffer: move allocation failure loop into the allocator (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: handle non-error OOM situations more gracefully (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: do not trap chargers with full callstack on OOM (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: rework and document OOM waiting and wakeup (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: enable memcg OOM killer only for user faults (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - x86: finish user fault error path with fatal signal (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - arch: mm: pass userspace fault flag to generic fault handler (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930501] {CVE-2014-3215} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3215 CVE-2014-8171 CVE-2014-9529 CVE-2014-9584 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.249.4] - isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930552] {CVE-2014-9584} - selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930502] {CVE-2014-3215} - Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs (Andy Lutomirski) [Orabug: 20930518] {CVE-2014-3215} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3215 CVE-2014-9584 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.4] - isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930553] {CVE-2014-9584} - selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930502] {CVE-2014-3215} - Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs (Andy Lutomirski) [Orabug: 20930519] {CVE-2014-3215} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-3215 CVE-2014-9584 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.2.2] - crypto: aesni - fix memory usage in GCM decryption (Stephan Mueller) [Orabug: 21077385] {CVE-2015-3331} [3.8.13-68.2.1] - xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (Konrad Rzeszutek Wilk) [Orabug: 20807438] {CVE-2015-2150} - xen-blkfront: fix accounting of reqs when migrating (Roger Pau Monne) [Orabug: 20860817] - Doc/cpu-hotplug: Specify race-free way to register CPU hotplug callbacks (Srivatsa S. Bhat) [Orabug: 20917697] - net/iucv/iucv.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - net/core/flow.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - mm, vmstat: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - profile: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - trace, ring-buffer: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - hwmon, via-cputemp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - hwmon, coretemp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - octeon, watchdog: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - oprofile, nmi-timer: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - intel-idle: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - drivers/base/topology.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - acpi-cpufreq: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - scsi, fcoe: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - scsi, bnx2fc: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - scsi, bnx2i: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - arm64, debug-monitors: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - arm64, hw_breakpoint.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, kvm: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, oprofile, nmi: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, pci, amd-bus: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, hpet: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, intel, cacheinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, amd, ibs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, therm_throt.c: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, mce: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, intel, uncore: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, vsyscall: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, cpuid: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - x86, msr: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - powerpc, sysfs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - sparc, sysfs: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - s390, smp: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - s390, cacheinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - arm, hw-breakpoint: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - ia64, err-inject: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - ia64, topology: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - ia64, palinfo: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - CPU hotplug, perf: Fix CPU hotplug callback registration (Srivatsa S. Bhat) [Orabug: 20917697] - CPU hotplug: Provide lockless versions of callback registration functions (Srivatsa S. Bhat) [Orabug: 20917697] - isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930551] {CVE-2014-9584} - KEYS: close race between key lookup and freeing (Sasha Levin) [Orabug: 20930548] {CVE-2014-9529} {CVE-2014-9529} - mm: memcg: do not allow task about to OOM kill to bypass the limit (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: do not declare OOM from __GFP_NOFAIL allocations (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - fs: buffer: move allocation failure loop into the allocator (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: handle non-error OOM situations more gracefully (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: do not trap chargers with full callstack on OOM (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: rework and document OOM waiting and wakeup (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - mm: memcg: enable memcg OOM killer only for user faults (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - x86: finish user fault error path with fatal signal (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - arch: mm: pass userspace fault flag to generic fault handler (Johannes Weiner) [Orabug: 20930539] {CVE-2014-8171} - selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930501] {CVE-2014-3215} - IB/core: Prevent integer overflow in ib_umem_get address arithmetic (Shachar Raindel) [Orabug: 20799875] {CVE-2014-8159} {CVE-2014-8159} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-2150 CVE-2015-3331 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.2] - crypto: aesni - fix memory usage in GCM decryption (Stephan Mueller) [Orabug: 21077389] {CVE-2015-3331} [2.6.39-400.250.1] - xen/pciback: Don't disable PCI_COMMAND on PCI device reset. (Konrad Rzeszutek Wilk) [Orabug: 20807440] {CVE-2015-2150} - xen-blkfront: fix accounting of reqs when migrating (Roger Pau Monne) [Orabug: 20727114] - Revert 'qla2xxx: Ramp down queue depth for attached SCSI devices when driver resources are low.' (Chad Dupuis) [Orabug: 20657415] - x86/xen: allow privcmd hypercalls to be preempted (David Vrabel) [Orabug: 20618759] - sched: Expose preempt_schedule_irq() (Thomas Gleixner) [Orabug: 20618759] - isofs: Fix unchecked printing of ER records (Jan Kara) [Orabug: 20930552] {CVE-2014-9584} - selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID. (Stephen Smalley) [Orabug: 20930502] {CVE-2014-3215} - Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs (Andy Lutomirski) [Orabug: 20930518] {CVE-2014-3215} - IB/core: Prevent integer overflow in ib_umem_get address arithmetic (Shachar Raindel) [Orabug: 20788393] {CVE-2014-8159} {CVE-2014-8159} - xen-pciback: limit guest control of command register (Jan Beulich) [Orabug: 20704156] {CVE-2015-2150} {CVE-2015-2150} - net: sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [Orabug: 20780348] {CVE-2015-1421} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-2150 CVE-2015-3331 Oracle Linux 6 Oracle Linux 7 [1.6.1-1.0.1] - Update source to 1.6.1 from https://github.com/docker/docker/releases/tag/v1.6.1 Symlink traversal on container respawn allows local privilege escalation (CVE-2015-3629) Insecure opening of file-descriptor 1 leading to privilege escalation (CVE-2015-3627) Read/write proc paths allow host modification & information disclosure (CVE-2015-3630) Volume mounts allow LSM profile escalation (CVE-2015-3631) AppArmor policy improvements IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-3629 CVE-2015-3627 CVE-2015-3630 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.3.2] - x86_64, vdso: Fix the vdso address randomization algorithm (Andy Lutomirski) [Orabug: 21226729] {CVE-2014-9585} - isofs: Fix infinite looping over CE entries (Jan Kara) [Orabug: 21225975] {CVE-2014-9420} - x86_64, switch_to(): Load TLS descriptors before switching DS and ES (Andy Lutomirski) [Orabug: 21225937] {CVE-2014-9419} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.5] - x86_64, vdso: Fix the vdso address randomization algorithm (Andy Lutomirski) [Orabug: 21226730] {CVE-2014-9585} - isofs: Fix infinite looping over CE entries (Jan Kara) [Orabug: 21225976] {CVE-2014-9420} - x86_64, switch_to(): Load TLS descriptors before switching DS and ES (Andy Lutomirski) [Orabug: 21225938] {CVE-2014-9419} [2.6.39-400.250.4] - IB/ipoib: Disable TSO in connected mode (Yuval Shaia) [Orabug: 20637991] [2.6.39-400.250.3] - af_unix: dont send SCM_CREDENTIALS by default (Eric Dumazet) [Orabug: 20604916] - scm: Capture the full credentials of the scm sender (Tim Chen) [Orabug: 20604916] - af_unix: limit recursion level (Eric Dumazet) [Orabug: 20604916] - af_unix: Allow credentials to work across user and pid namespaces. (Eric W. Biederman) [Orabug: 20604916] - scm: Capture the full credentials of the scm sender. (Eric W. Biederman) [Orabug: 20604916] - BUG_ON(lockres->l_level != DLM_LOCK_EX && !checkpointed) tripped in ocfs2_ci_checkpointed (Tariq Saeed) [Orabug: 20189959] - sched: Prevent divide by zero when cpu power calculation is 0 (Todd Vierling) [Orabug: 17936435] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.5] - x86_64, vdso: Fix the vdso address randomization algorithm (Andy Lutomirski) [Orabug: 21226731] {CVE-2014-9585} - isofs: Fix infinite looping over CE entries (Jan Kara) [Orabug: 21225977] {CVE-2014-9420} - x86_64, switch_to(): Load TLS descriptors before switching DS and ES (Andy Lutomirski) [Orabug: 21225939] {CVE-2014-9419} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-9419 CVE-2014-9420 CVE-2014-9585 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.3.3] - x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Andy Lutomirski) [Orabug: 21308309] {CVE-2015-2830} - x86, mm/ASLR: Fix stack randomization on 64-bit systems (Hector Marco-Gisbert) [Orabug: 21307919] {CVE-2015-1593} {CVE-2015-1593} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1593 CVE-2015-2830 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.6] - x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Andy Lutomirski) [Orabug: 21308308] {CVE-2015-2830} - x86, mm/ASLR: Fix stack randomization on 64-bit systems (Hector Marco-Gisbert) [Orabug: 21307918] {CVE-2015-1593} {CVE-2015-1593} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1593 CVE-2015-2830 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.6] - x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Andy Lutomirski) [Orabug: 21308307] {CVE-2015-2830} - x86, mm/ASLR: Fix stack randomization on 64-bit systems (Hector Marco-Gisbert) [Orabug: 21307917] {CVE-2015-1593} {CVE-2015-1593} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1593 CVE-2015-2830 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-68.3.4] - ipv6: Don't reduce hop limit for an interface (D.S. Ljungmark) [Orabug: 21444790] {CVE-2015-2922} - ipv4: Missing sk_nulls_node_init() in ping_unhash(). (David S. Miller) [Orabug: 21444687] {CVE-2015-3636} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2922 CVE-2015-3636 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.7] - ipv6: Don't reduce hop limit for an interface (D.S. Ljungmark) [Orabug: 21444791] {CVE-2015-2922} - ipv4: Missing sk_nulls_node_init() in ping_unhash(). (David S. Miller) [Orabug: 21444688] {CVE-2015-3636} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2922 CVE-2015-3636 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.7] - ipv6: Don't reduce hop limit for an interface (D.S. Ljungmark) [Orabug: 21444792] {CVE-2015-2922} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-2922 Oracle Linux 6 Oracle Linux 7 MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9683 CVE-2015-0239 CVE-2015-3339 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.9] - x86, tls: Interpret an all-zero struct user_desc as 'no segment' (Andy Lutomirski) [Orabug: 21514969] - x86, tls, ldt: Stop checking lm in LDT_empty (Andy Lutomirski) [Orabug: 21514969] [2.6.39-400.250.8] - KVM: x86: SYSENTER emulation is broken (Nadav Amit) [Orabug: 21502740] {CVE-2015-0239} {CVE-2015-0239} - x86/tls: Validate TLS entries to protect espfix (Andy Lutomirski) [Orabug: 20223777] {CVE-2014-8133} - fs: take i_mutex during prepare_binprm for set[ug]id executables (Jann Horn) [Orabug: 21502255] {CVE-2015-3339} - eCryptfs: Remove buggy and unnecessary write in file name decode routine (Michael Halcrow) [Orabug: 21502066] {CVE-2014-9683} MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8133 CVE-2014-9683 CVE-2015-0239 CVE-2015-3339 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.9uek] - x86, tls: Interpret an all-zero struct user_desc as 'no segment' (Andy Lutomirski) [Orabug: 21518750] - x86, tls, ldt: Stop checking lm in LDT_empty (Andy Lutomirski) [Orabug: 21518750] [2.6.32-400.37.8uek] - KVM: x86: SYSENTER emulation is broken (Nadav Amit) [Orabug: 21502741] {CVE-2015-0239} {CVE-2015-0239} - x86/tls: Validate TLS entries to protect espfix (Andy Lutomirski) [Orabug: 20223778] {CVE-2014-8133} - fs: take i_mutex during prepare_binprm for set[ug]id executables (Jann Horn) [Orabug: 21502256] {CVE-2015-3339} - eCryptfs: Remove buggy and unnecessary write in file name decode routine (Michael Halcrow) [Orabug: 21502067] {CVE-2014-9683} MODERATE Copyright 2015 Oracle, Inc. CVE-2014-8133 CVE-2014-9683 CVE-2015-0239 CVE-2015-3339 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-98] - KVM: x86: SYSENTER emulation is broken (Nadav Amit) [Orabug: 21502729] {CVE-2015-0239} {CVE-2015-0239} - fs: take i_mutex during prepare_binprm for set[ug]id executables (Jann Horn) [Orabug: 21502159] {CVE-2015-3339} [3.8.13-97] - add ql2400, ql2500 firmware versions to prerequisites (Dan Duval) [Orabug: 21474929] - correct QLogic firmware dependencies in the spec file (Dan Duval) [Orabug: 21474929] [3.8.13-96] - xen-blkfront: don't add indirect page to list when !feature_persistent (Bob Liu) [Orabug: 21459266] [3.8.13-95] - add firmware dependencies to spec files (Dan Duval) [Orabug: 21417522] [3.8.13-94] - ipv6: Don't reduce hop limit for an interface (D.S. Ljungmark) [Orabug: 21444784] {CVE-2015-2922} - ipv4: Missing sk_nulls_node_init() in ping_unhash(). (David S. Miller) [Orabug: 21444685] {CVE-2015-3636} [3.8.13-93] - config: sync up config files to make build clean (Guangyu Sun) [Orabug: 21425838] - acpi: fix typo in drivers/acpi/osl.c (Guangyu Sun) [Orabug: 21418329] [3.8.13-92] - Revert 'i40e: Add support for getlink, setlink ndo ops' (Brian Maly) [Orabug: 21314906] - x86: Do not try to sync identity map for non-mapped pages (Dave Hansen) [Orabug: 21326516] [3.8.13-91] - rds: re-entry of rds_ib_xmit/rds_iw_xmit (Wengang Wang) [Orabug: 21324074] - drm/mgag200: Reject non-character-cell-aligned mode widths (Adam Jackson) [Orabug: 20868823] - drm/mgag200: fix typo causing bw limits to be ignored on some chips (Dave Airlie) [Orabug: 20868823] - drm/mgag200: remove unused driver_private access (David Herrmann) [Orabug: 20868823] - drm/mgag200: Invalidate page tables when pinning a BO (Egbert Eich) [Orabug: 20868823] - drm/mgag200: Fix LUT programming for 16bpp (Egbert Eich) [Orabug: 20868823] - drm/mgag200: Fix framebuffer pitch calculation (Takashi Iwai) [Orabug: 20868823] - drm/mgag200: Add sysfs support for connectors (Egbert Eich) [Orabug: 20868823] - drm/mgag200: Add an crtc_disable callback to the crtc helper funcs (Egbert Eich) [Orabug: 20868823] - drm/mgag200: Fix logic in mgag200_bo_pin() (v2) (Egbert Eich) [Orabug: 20868823] - drm/mgag200: inline reservations (Maarten Lankhorst) [Orabug: 20868823] - drm/mgag200: do not attempt to acquire a reservation while in an interrupt handler (Maarten Lankhorst) [Orabug: 20868823] - drm/mgag200: Added resolution and bandwidth limits for various G200e products. (Julia Lemire) [Orabug: 20868823] - drm/mgag200: Reject modes that are too big for VRAM (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Don't do full cleanup if mgag200_device_init fails (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Hardware cursor support (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Add missing write to index before accessing data register (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Fix framebuffer base address programming (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Convert counter delays to jiffies (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Fix writes into MGA1064_PIX_CLK_CTL register (Christopher Harvey) [Orabug: 20868823] - drm/mgag200: Don't change unrelated registers during modeset (Christopher Harvey) [Orabug: 20868823] - Revert 'lpfc: Fix for lun discovery issue with 8Gig adapter.' (Guru Anbalagane) [Orabug: 21304962] [3.8.13-90] - x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization (Andy Lutomirski) [Orabug: 21308309] {CVE-2015-2830} - Update patched for lpfc from 10.6.61.0 to 10.6.61.1 for UEK R3 U6 release. (Dick Kennedy) - lpfc: Change buffer pool empty message to miscellaneous category (Dick Kennedy) - lpfc: Fix incorrect log message reported for empty FCF record. (Dick Kennedy) - lpfc: Fix rport leak. (Dick Kennedy) - lpfc: Correct loss of RSCNs during array takeaway/giveback testing. (Dick Kennedy) - lpfc: Fix crash in vport_delete. (Dick Kennedy) - lpfc: Fix to remove IRQF_SHARED flag for MSI/MSI-X vectors. (Dick Kennedy) - lpfc: Fix discovery issue when changing from Pt2Pt to Fabric. (Dick Kennedy) - lpfc: Correct reporting of vport state on fdisc command failure. (Dick Kennedy) - lpfc: Add support for RDP ELS command. (Dick Kennedy) - lpfc: Fix ABORTs WQ selection in terminate_rport_io (Dick Kennedy) - lpfc: Correct reference counting of rport (Dick Kennedy) - lpfc: Add support for ELS LCB. (Dick Kennedy) - lpfc: Correct loss of target discovery after cable swap. (Dick Kennedy) - dtrace: sigaltstack is no longer a stub syscall (Kris Van Hees) [Orabug: 21304183] - hpsa: add in new offline mode (Don Brace) [Orabug: 21289871] - hpsa: add in new controllers (Don Brace) [Orabug: 21289871] - hpsa: hpsa decode sense data for io and tmf (Don Brace) [Orabug: 21289871] - hpsa: enable bus mastering during init (Don Brace) [Orabug: 21289871] - hpsa: enhance kdump (Don Brace) [Orabug: 21289871] - hpsa: enhance error checking. (Don Brace) [Orabug: 21289871] - hpsa: enhance driver output (Don Brace) [Orabug: 21289871] - hpsa: update pci device table (Don Brace) [Orabug: 21289871] - vmw_pvscsi: Fix pvscsi_abort() function. (Arvind Kumar) [Orabug: 21266080] - qla2xxx: Update driver version to 8.07.00.18.39.0-k. (Sawan Chandak) [Orabug: 21241070] - qla2xxx: Restore physical port WWPN only, when port down detected for FA-WWPN port. (Sawan Chandak) [Orabug: 21241070] - qla2xxx: Fix virtual port configuration, when switch port is disabled/enabled. (Sawan Chandak) [Orabug: 21241070] - qla2xxx: Prevent multiple firmware dump collection for ISP27XX. (Himanshu Madhani) [Orabug: 21241070] - qla2xxx: Disable Interrupt handshake for ISP27XX. (Himanshu Madhani) [Orabug: 21241070] - qla2xxx: Add debugging info for MBX timeout. (Himanshu Madhani) [Orabug: 21241070] - qla2xxx: Add serdes read/write support for ISP27XX (Andrew Vasquez) [Orabug: 21241070] - qla2xxx: Add udev notification to save fw dump for ISP27XX (Himanshu Madhani) [Orabug: 21241070] - qla2xxx: Add message for sucessful FW dump collected for ISP27XX. (Himanshu Madhani) [Orabug: 21241070] - qla2xxx: Add support to load firmware from file for ISP 26XX/27XX. (Sawan Chandak) [Orabug: 21241070] - qla2xxx: Fix beacon blink for ISP27XX. (Nigel Kirkland) [Orabug: 21241070] - qla2xxx: Increase the wait time for firmware to be ready for P3P. (Chad Dupuis) [Orabug: 21241070] - qla2xxx: Fix printks in ql_log message (Yannick Guerrini) [Orabug: 21241070] - qla2xxx: Fix printk in qla25xx_setup_mode (Yannick Guerrini) [Orabug: 21241070] - bnx2i: update to 2.11.2.0 (Vaughan Cao) [Orabug: 21241055] - bnx2fc: update to 2.9.3 (Vaughan Cao) [Orabug: 21241055] - bnx2x: update to 1.712.33 (Vaughan Cao) [Orabug: 21241055] - cnic: update to 2.5.20h (Vaughan Cao) [Orabug: 21241055] - bnx2: update to 2.2.5o (Vaughan Cao) [Orabug: 21241055] - md: use SRCU to improve performance (Mikulas Patocka) [Orabug: 18231164] - kvm: raise KVM_SOFT_MAX_VCPUS to support more vcpus (Dan Duval) [Orabug: 21144488] - vsock: Make transport the proto owner (Andy King) [Orabug: 21266075] - VSOCK: Move af_vsock.h and vsock_addr.h to include/net (Asias He) [Orabug: 21266075] [3.8.13-89] - drivers: xen-blkfront: only talk_to_blkback() when in XenbusStateInitialising (Bob Liu) - xen/block: add multi-page ring support (Bob Liu) - driver: xen-blkfront: move talk_to_blkback to a more suitable place (Bob Liu) - drivers: xen-blkback: delay pending_req allocation to connect_ring (Bob Liu) - xen/grant: introduce func gnttab_unmap_refs_sync() (Bob Liu) - xen/blkback: safely unmap purge persistent grants (Bob Liu) - xenbus_client: Extend interface to support multi-page ring (Wei Liu) - be2net: update the driver version to 10.6.0.2 (Sathya Perla) [Orabug: 21275400] - be2net: update copyright year to 2015 (Vasundhara Volam) [Orabug: 21275400] - be2net: use be_virtfn() instead of !be_physfn() (Kalesh AP) [Orabug: 21275400] - be2net: simplify UFI compatibility checking (Vasundhara Volam) [Orabug: 21275400] - be2net: post full RXQ on interface enable (Suresh Reddy) [Orabug: 21275400] - be2net: check for INSUFFICIENT_VLANS error (Kalesh AP) [Orabug: 21275400] - be2net: receive pkts with L3, L4 errors on VFs (Somnath Kotur) [Orabug: 21275400] - be2net: log link status (Ivan Vecera) [Orabug: 21275400] - be2net: Fix a bug in Rx buffer posting (Ajit Khaparde) [Orabug: 21275400] - be2net: bump up the driver version to 10.6.0.1 (Sathya Perla) [Orabug: 21275400] - be2net: use PCI MMIO read instead of config read for errors (Suresh Reddy) [Orabug: 21275400] - be2net: restrict MODIFY_EQ_DELAY cmd to a max of 8 EQs (Suresh Reddy) [Orabug: 21275400] - be2net: Prevent VFs from enabling VLAN promiscuous mode (Vasundhara Volam) [Orabug: 21275400] - ethernet: codespell comment spelling fixes (Joe Perches) [Orabug: 21275400] - be2net: avoid creating the non-RSS default RXQ if FW allows to (Vasundhara Volam) [Orabug: 21275400] - be2net: use a wrapper to schedule and cancel error detection task (Sathya Perla) [Orabug: 21275400] - be2net: shorten AMAP_GET/SET_BITS() macro calls (Sathya Perla) [Orabug: 21275400] - be2net: MODULE_DEVICE_TABLE: fix some callsites (Andrew Morton) [Orabug: 21275400] - be2net: avoid unncessary swapping of fields in eth_tx_wrb (Sathya Perla) [Orabug: 21275400] - be2net: process port misconfig async event (Vasundhara Volam) [Orabug: 21275400] - be2net: refactor be_set_rx_mode() and be_vid_config() for readability (Sathya Perla) [Orabug: 21275400] - be2net: remove duplicate code in be_cmd_rx_filter() (Sathya Perla) [Orabug: 21275400] - be2net: use offset based FW flashing for Skyhawk chip (Vasundhara Volam) [Orabug: 21275400] - be2net: avoid flashing SH-B0 UFI image on SH-P2 chip (Vasundhara Volam) [Orabug: 21275400] - be2net: refactor code that checks flash file compatibility (Vasundhara Volam) [Orabug: 21275400] - be2net: replace (1 << x) with BIT(x) (Vasundhara Volam) [Orabug: 21275400] - be2net: move un-exported routines from be.h to respective src files (Sathya Perla) [Orabug: 21275400] - bridge: add flags argument to ndo_bridge_setlink and ndo_bridge_dellink (Roopa Prabhu) [Orabug: 21275400] - be2net: move definitions related to FW cmdsfrom be_hw.h to be_cmds.h (Vasundhara Volam) [Orabug: 21275400] - be2net: issue function reset cmd in resume path (Kalesh AP) [Orabug: 21275400] - be2net: add a log message for POST timeout in Lancer (Kalesh AP) [Orabug: 21275400] - be2net: fix failure case in setting flow control (Kalesh AP) [Orabug: 21275400] - be2net: move interface create code to a separate routine (Kalesh AP) [Orabug: 21275400] - VMCI: Guard against overflow in queue pair allocation (Jorgen Hansen) [Orabug: 21266077] - VMCI: Check userland-provided datagram size (Andy King) [Orabug: 21266077] - VMCI: Fix two UVA mapping bugs (Jorgen Hansen) [Orabug: 21266077] - VMCI: integer overflow in vmci_datagram_dispatch() (Dan Carpenter) [Orabug: 21266077] - VMCI: fix error handling path when registering guest driver (Dmitry Torokhov) [Orabug: 21266077] - VMCI: Add support for virtual IOMMU (Andy King) [Orabug: 21266077] - VMCI: Remove non-blocking/pinned queuepair support (Andy King) [Orabug: 21266077] [3.8.13-88] - Oracle Linux Kernel Module Signing Key (Alexey Petrenko) [Orabug: 21249387] - extrakeys.pub is not needed for the build (Alexey Petrenko) [Orabug: 21249387] - Fix kabi break due to find_special_page was introduced (Bob Liu) [Orabug: 21250018] - xen/gntdev: provide find_special_page VMA operation (David Vrabel) [Orabug: 21250018] - xen/gntdev: mark userspace PTEs as special on x86 PV guests (David Vrabel) [Orabug: 21250018] - xen-blkback: safely unmap grants in case they are still in use (Jennifer Herbert) [Orabug: 21250018] - xen/gntdev: safely unmap grants in case they are still in use (Jennifer Herbert) [Orabug: 21250018] - xen/gntdev: convert priv->lock to a mutex (David Vrabel) [Orabug: 21250018] - xen/grant-table: add a mechanism to safely unmap pages that are in use (Jennifer Herbert) [Orabug: 21250018] - xen-netback: use foreign page information from the pages themselves (Jennifer Herbert) [Orabug: 21250018] - xen: mark grant mapped pages as foreign (Jennifer Herbert) [Orabug: 21250018] - xen/grant-table: add helpers for allocating pages (David Vrabel) [Orabug: 21250018] - x86/xen: require ballooned pages for grant maps (Jennifer Herbert) [Orabug: 21250018] - xen: remove scratch frames for ballooned pages and m2p override (David Vrabel) [Orabug: 21250018] - xen/grant-table: pre-populate kernel unmap ops for xen_gnttab_unmap_refs() (David Vrabel) [Orabug: 21250018] - mm: add 'foreign' alias for the 'pinned' page flag (Jennifer Herbert) [Orabug: 21250018] - mm: provide a find_special_page vma operation (David Vrabel) [Orabug: 21250018] - NFS hangs in __ocfs2_cluster_lock due to race with ocfs2_unblock_lock (Tariq Saeed) [Orabug: 20933419] - swiotlb: don't assume PA 0 is invalid (Jan Beulich) [Orabug: 21249144] [3.8.13-87] - qla4xxx: Update driver version to v5.04.00.07.06.02-uek3 (Nilesh Javali) [Orabug: 21241091] - qla4xxx: check the return value of dma_alloc_coherent() (Maurizio Lombardi) [Orabug: 21241091] - scsi: qla4xxx: ql4_mbx.c: Cleaning up missing null-terminate in conjunction with strncpy (Rickard Strandqvist) [Orabug: 21241091] - scsi: qla4xxx: ql4_os.c: Cleaning up missing null-terminate in conjunction with strncpy (Rickard Strandqvist) [Orabug: 21241091] - qla4xxx: fix get_host_stats error propagation (Mike Christie) [Orabug: 21241091] - scsi_ibft: Fix finding Broadcom specific ibft sign (Vikas Chaudhary) [Orabug: 21241091] - dtrace: convert from sdt_instr_t to asm_instr_t (Kris Van Hees) [Orabug: 21267945] - dtrace: percpu: move from __get_cpu_var() to this_cpu_ptr() (Kris Van Hees) [Orabug: 21265599] - dtrace: do not vmalloc/vfree from probe context (Kris Van Hees) [Orabug: 21267934] - dtrace: restructuring for multi-arch support (Kris Van Hees) [Orabug: 21267922] - kallsyms: fix /proc/kallmodsyms to not be misled by const variables (Nick Alcock) [Orabug: 21257170] - storvsc: force discovery of LUNs that may have been removed. (K. Y. Srinivasan) [Orabug: 20768211] - storvsc: in responce to a scan event, scan the host (K. Y. Srinivasan) [Orabug: 20768211] - builds: configs: Enable mgs driver for OL7 (Santosh Shilimkar) [Orabug: 20505584] - aacraid: driver version change (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: AIF raw device remove support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: performance improvement changes (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: IOCTL fix (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: IOP RESET command handling changes (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: 240 simple volume support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: vpd page code 0x83 support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: MSI-x support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: 4KB sector support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: IOCTL pass-through command fix (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: AIF support for SES device add/remove (Mahesh Rajashekhara) [Orabug: 21208741] - scsi: use 64-bit LUNs (Hannes Reinecke) [Orabug: 21208741] - remove deprecated IRQF_DISABLED from SCSI (Michael Opdenacker) [Orabug: 21208741] - aacraid: kdump fix (Mahesh Rajashekhara) [Orabug: 21208741] - drivers: avoid parsing names as kthread_run() format strings (Kees Cook) [Orabug: 21208741] - aacraid: Fix for arrays are going offline in the system. System hangs (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: Dual firmware image support (Mahesh Rajashekhara) [Orabug: 21208741] - aacraid: suppress two GCC warnings (Paul Bolle) [Orabug: 21208741] - aacraid: 1024 max outstanding command support for Series 7 and above (Mahesh Rajashekhara) [Orabug: 21208741] [3.8.13-86] - kallsyms: fix /proc/kallmodsyms to not be misled by external symbols (Nick Alcock) [Orabug: 21245508] - wait: change waitfd() to use wait4(), not waitid(); reduce invasiveness (Nick Alcock) [Orabug: 21245391] - ixgbevf: upgrade to version 2.16.1 (Brian Maly) [Orabug: 21104474] - ipv6: don't call addrconf_dst_alloc again when enable lo (Gao feng) [Orabug: 21088702] - efi/xen: Pass missing argument to EFI runtime Xen hypercall (Daniel Kiper) [Orabug: 21247143] [3.8.13-85] - fanotify: fix notification of groups with inode & mount marks (Jan Kara) [Orabug: 21168905] - NVMe: Fix VPD B0 max sectors translation (Keith Busch) [Orabug: 21117187] - NVMe: Add translation for block limits (Keith Busch) [Orabug: 21117187] - nvme: Fix PRP list calculation for non-4k system page size (Murali Iyer) [Orabug: 21117187] - NVMe: Fix potential corruption on sync commands (Keith Busch) [Orabug: 21117187] - NVMe: Fix potential corruption during shutdown (Keith Busch) [Orabug: 21117187] - NVMe: Initialize device list head before starting (Keith Busch) [Orabug: 21117187] - NVMe: Asynchronous controller probe (Keith Busch) [Orabug: 21117187] - NVMe: Register management handle under nvme class (Keith Busch) [Orabug: 21117187] - NVMe: Update SCSI Inquiry VPD 83h translation (Keith Busch) [Orabug: 21117187] - NVMe: Update data structures for NVMe 1.2 (Matthew Wilcox) [Orabug: 21117187] - NVMe: Update namespace and controller identify structures to the 1.1a spec (Dimitri John Ledkov) [Orabug: 21117187] - NVMe: Update module version (Keith Busch) [Orabug: 21117187] - fnic: Override the limitation on number of scsi timeouts (Narsimhulu Musini) [Orabug: 21084835] - fnic: IOMMU Fault occurs when IO and abort IO is out of order (Anil Chintalapati (achintal)) [Orabug: 21084835] - Fnic: Fnic Driver crashed with NULL pointer reference (Hiral Shah) [Orabug: 21084835] - Fnic: For Standalone C series, 'sending VLAN request' message seen even if the link is down (Hiral Shah) [Orabug: 21084835] - Fnic: Improper resue of exchange Ids (Hiral Shah) [Orabug: 21084835] - Fnic: Memcopy only mimumum of data or trace buffer (Hiral Shah) [Orabug: 21084835] - Fnic: Not probing all the vNICS via fnic_probe on boot (Hiral Shah) [Orabug: 21084835] - fnic: assign FIP_ALL_FCF_MACS to fcoe_all_fcfs (Hiral Shah) [Orabug: 21084835] - uek-rpm: ol6: update build environment to 6.6 (Guangyu Sun) [3.8.13-84] - x86_64, vdso: Fix the vdso address randomization algorithm (Andy Lutomirski) [Orabug: 21226722] {CVE-2014-9585} [3.8.13-83] - snic: fix format string overflow (Brian Maly) [Orabug: 21091759] - scsi: add snic driver to makefile (Brian Maly) [Orabug: 21091759] - snic: enable snic in kernel configs (Brian Maly) [Orabug: 21091759] - snic: minor checkpatch fixes (Narsimhulu Musini) [Orabug: 21091759] - snic: Add Makefile, patch Kconfig, MAINTAINERS (Narsimhulu Musini) [Orabug: 21091759] - snic: Add event tracing to capture IO events. (Narsimhulu Musini) [Orabug: 21091759] - snic: Add sysfs entries to list stats and trace data (Narsimhulu Musini) [Orabug: 21091759] - snic: Add low level queuing interfaces (Narsimhulu Musini) [Orabug: 21091759] - snic: add SCSI handling, AEN, and fwreset handling (Narsimhulu Musini) [Orabug: 21091759] - snic: Add snic target discovery (Narsimhulu Musini) [Orabug: 21091759] - snic: Add meta request, handling of meta requests. (Narsimhulu Musini) [Orabug: 21091759] - snic: Add interrupt, resource firmware interfaces (Narsimhulu Musini) [Orabug: 21091759] - snic: snic module infrastructure (Narsimhulu Musini) [Orabug: 21091759] - xen/mmu: Move the setting of pvops.write_cr3 to later phase in bootup. (Konrad Rzeszutek Wilk) [Orabug: 21197204] - x86-64, xen, mmu: Provide an early version of write_cr3. (Konrad Rzeszutek Wilk) [Orabug: 21197204] - uek-rpm: build: Use SHA512 instead of SHA256 for module signing (Natalya Naumova) [Orabug: 20687425] - config: ol6: make CONFIG_SERIAL_8250_NR_UARTS 64 (Guangyu Sun) [Orabug: 21141039] - config: enable CONFIG_INTEL_TXT (Guangyu Sun) [Orabug: 21176777] - export host-only net/core and net/ipv4 parameters to a container as read-only (Thomas Tanaka) [Orabug: 21151210] - Revert 'i40e: Add FW check to disable DCB and wrap autoneg workaround with FW check' (Brian Maly) [Orabug: 21103806] - xen-netfront: print correct number of queues (David Vrabel) [Orabug: 21150627] - xen-netfront: release per-queue Tx and Rx resource when disconnecting (David Vrabel) [Orabug: 21150627] - xen-netfront: fix locking in connect error path (David Vrabel) [Orabug: 21150627] - xen-netfront: call netif_carrier_off() only once when disconnecting (David Vrabel) [Orabug: 21150627] - xen-netfront: don't nest queue locks in xennet_connect() (David Vrabel) [Orabug: 21150627] - xen-net{back, front}: Document multi-queue feature in netif.h (Andrew J. Bennieston) [Orabug: 21150627] - xen-netfront: recreate queues correctly when reconnecting (David Vrabel) [Orabug: 21150627] - xen-netfront: fix oops when disconnected from backend (David Vrabel) [Orabug: 21150627] - xen-netfront: initialise queue name in xennet_init_queue (Wei Liu) [Orabug: 21150627] - xen-netfront: Add support for multiple queues (Andrew J. Bennieston) [Orabug: 21150627] - xen-netfront: Factor queue-specific data into queue struct. (Andrew J. Bennieston) [Orabug: 21150627] - xen-netback: bookkeep number of active queues in our own module (Wei Liu) [Orabug: 21150627] - net: xen-netback: include linux/vmalloc.h again (Arnd Bergmann) [Orabug: 21150627] - xen-netback: Add support for multiple queues (Andrew J. Bennieston) [Orabug: 21150627] - xen-netback: Factor queue-specific data into queue struct (Wei Liu) [Orabug: 21150627] - xen-netback: Move grant_copy_op array back into struct xenvif. (Andrew J. Bennieston) [Orabug: 21150627] - ixgbe: Look up MAC address in Open Firmware or IDPROM (Martin K Petersen) [Orabug: 20983421] - ixgbe: update to ver 4.0.3 (Ethan Zhao) [Orabug: 20983421] [3.8.13-82] - config: enable some secure boot features for ol7 (Guangyu Sun) [Orabug: 18961720] - efi: Disable secure boot if shim is in insecure mode (Josh Boyer) [Orabug: 18961720] - hibernate: Disable in a signed modules environment (Josh Boyer) [Orabug: 18961720] - efi: Add EFI_SECURE_BOOT bit (Josh Boyer) [Orabug: 18961720] - Add option to automatically set securelevel when in Secure Boot mode (Matthew Garrett) [Orabug: 18961720] - asus-wmi: Restrict debugfs interface when securelevel is set (Matthew Garrett) [Orabug: 18961720] - x86: Restrict MSR access when securelevel is set (Matthew Garrett) [Orabug: 18961720] - uswsusp: Disable when securelevel is set (Matthew Garrett) [Orabug: 18961720] - kexec: Disable at runtime if securelevel has been set. (Matthew Garrett) [Orabug: 18961720] - acpi: Ignore acpi_rsdp kernel parameter when securelevel is set (Matthew Garrett) [Orabug: 18961720] - acpi: Limit access to custom_method if securelevel is set (Matthew Garrett) [Orabug: 18961720] - Restrict /dev/mem and /dev/kmem when securelevel is set. (Matthew Garrett) [Orabug: 18961720] - x86: Lock down IO port access when securelevel is enabled (Matthew Garrett) [Orabug: 18961720] - PCI: Lock down BAR access when securelevel is enabled (Matthew Garrett) [Orabug: 18961720] - Enforce module signatures when securelevel is greater than 0 (Matthew Garrett) [Orabug: 18961720] - Add BSD-style securelevel support (Matthew Garrett) [Orabug: 18961720] - MODSIGN: Support not importing certs from db (Josh Boyer) [Orabug: 18961720] - MODSIGN: Import certificates from UEFI Secure Boot (Josh Boyer) [Orabug: 18961720] - MODSIGN: Add module certificate blacklist keyring (Josh Boyer) [Orabug: 18961720] - Add an EFI signature blob parser and key loader. (Dave Howells) [Orabug: 18961720] - Add EFI signature data types (Dave Howells) [Orabug: 18961720] - efi: fix error handling in add_sysfs_runtime_map_entry() (Dan Carpenter) [Orabug: 18961720] - PEFILE: Relax the check on the length of the PKCS#7 cert (David Howells) [Orabug: 18961720] - kexec: purgatory: add clean-up for purgatory directory (Michael Welling) [Orabug: 18961720] - x86/purgatory: use approprate -m64/-32 build flag for arch/x86/purgatory (Vivek Goyal) [Orabug: 18961720] - kexec: remove CONFIG_KEXEC dependency on crypto (Vivek Goyal) [Orabug: 18961720] - kexec: create a new config option CONFIG_KEXEC_FILE for new syscall (Vivek Goyal) [Orabug: 18961720] - resource: fix the case of null pointer access (Vivek Goyal) [Orabug: 18961720] - kexec: verify the signature of signed PE bzImage (Vivek Goyal) [Orabug: 18961720] - kexec: support kexec/kdump on EFI systems (Vivek Goyal) [Orabug: 18961720] - kexec: support for kexec on panic using new system call (Vivek Goyal) [Orabug: 18961720] - kexec-bzImage64: support for loading bzImage using 64bit entry (Vivek Goyal) [Orabug: 18961720] - kexec: load and relocate purgatory at kernel load time (Vivek Goyal) [Orabug: 18961720] - purgatory: core purgatory functionality (Vivek Goyal) [Orabug: 18961720] - purgatory/sha256: provide implementation of sha256 in purgaotory context (Vivek Goyal) [Orabug: 18961720] - kexec: implementation of new syscall kexec_file_load (Vivek Goyal) [Orabug: 18961720] - kexec: new syscall kexec_file_load() declaration (Vivek Goyal) [Orabug: 18961720] - kexec: make kexec_segment user buffer pointer a union (Vivek Goyal) [Orabug: 18961720] - resource: provide new functions to walk through resources (Vivek Goyal) [Orabug: 18961720] - kexec: use common function for kimage_normal_alloc() and kimage_crash_alloc() (Vivek Goyal) [Orabug: 18961720] - kexec: move segment verification code in a separate function (Vivek Goyal) [Orabug: 18961720] - kexec: rename unusebale_pages to unusable_pages (Vivek Goyal) [Orabug: 18961720] - kernel: build bin2c based on config option CONFIG_BUILD_BIN2C (Vivek Goyal) [Orabug: 18961720] - bin2c: move bin2c in scripts/basic (Vivek Goyal) [Orabug: 18961720] - kexec: remove unnecessary return (Xishi Qiu) [Orabug: 18961720] - keys: remove duplicated loads of ksplice certificate (Guangyu Sun) [Orabug: 21034277] - X.509: Support parse long form of length octets in Authority Key Identifier (Chun-Yi Lee) [Orabug: 18961720] - KEYS: Pre-clear struct key on allocation (David Howells) [Orabug: 18961720] - KEYS: Fix searching of nested keyrings (David Howells) [Orabug: 18961720] - KEYS: Fix multiple key add into associative array (David Howells) [Orabug: 18961720] - KEYS: Fix the keyring hash function (David Howells) [Orabug: 18961720] - PKCS#7: Fix the parser cleanup to drain parsed out X.509 certs (David Howells) [Orabug: 18961720] - PKCS#7: Provide a single place to do signed info block freeing (David Howells) [Orabug: 18961720] - PKCS#7: Add a missing static (David Howells) [Orabug: 18961720] - X.509: Need to export x509_request_asymmetric_key() (David Howells) [Orabug: 18961720] - PKCS#7: X.509 certificate issuer and subject are mandatory fields in the ASN.1 (David Howells) [Orabug: 18961720] - PKCS#7: Use x509_request_asymmetric_key() (David Howells) [Orabug: 18961720] - X.509: x509_request_asymmetric_keys() doesn't need string length arguments (David Howells) [Orabug: 18961720] - PKCS#7: fix sparse non static symbol warning (Wei Yongjun) [Orabug: 18961720] - PKCS#7: Missing inclusion of linux/err.h (David Howells) [Orabug: 18961720] - ima: define '.ima' as a builtin 'trusted' keyring (Mimi Zohar) [Orabug: 18961720] - KEYS: validate certificate trust only with builtin keys (Dmitry Kasatkin) [Orabug: 18961720] - KEYS: validate certificate trust only with selected key (Dmitry Kasatkin) [Orabug: 18961720] - KEYS: verify a certificate is signed by a 'trusted' key (Mimi Zohar) [Orabug: 18961720] - KEYS: make partial key id matching as a dedicated function (Dmitry Kasatkin) [Orabug: 18961720] - KEYS: Reinstate EPERM for a key type name beginning with a '.' (David Howells) [Orabug: 18961720] - KEYS: special dot prefixed keyring name bug fix (Mimi Zohar) [Orabug: 18961720] - pefile: Validate PKCS#7 trust chain (David Howells) [Orabug: 18961720] - pefile: Digest the PE binary and compare to the PKCS#7 data (David Howells) [Orabug: 18961720] - pefile: Handle pesign using the wrong OID (Vivek Goyal) [Orabug: 18961720] - pefile: Parse the 'Microsoft individual code signing' data blob (David Howells) [Orabug: 18961720] - pefile: Parse the presumed PKCS#7 content of the certificate blob (David Howells) [Orabug: 18961720] - pefile: Strip the wrapper off of the cert data block (David Howells) [Orabug: 18961720] - pefile: Parse a PE binary to find a key and a signature contained therein (David Howells) [Orabug: 18961720] - Provide PE binary definitions (David Howells) [Orabug: 18961720] - KEYS: X.509: Fix a spelling mistake (David Howells) [Orabug: 18961720] - PKCS#7: Provide a key type for testing PKCS#7 (David Howells) [Orabug: 18961720] - PKCS#7: Find intersection between PKCS#7 message and known, trusted keys (David Howells) [Orabug: 18961720] - PKCS#7: Verify internal certificate chain (David Howells) [Orabug: 18961720] - PKCS#7: Find the right key in the PKCS#7 key list and verify the signature (David Howells) [Orabug: 18961720] - PKCS#7: Digest the data in a signed-data message (David Howells) [Orabug: 18961720] - PKCS#7: Implement a parser [RFC 2315] (David Howells) [Orabug: 18961720] - X.509: Export certificate parse and free functions (David Howells) [Orabug: 18961720] - X.509: Add bits needed for PKCS#7 (David Howells) [Orabug: 18961720] - x86/efi: Support initrd loaded above 4G (Yinghai Lu) [Orabug: 18961720] - x86, boot: Do not include boot.h in string.c (Vivek Goyal) [Orabug: 18961720] - x86, boot: Move memcmp() into string.h and string.c (Vivek Goyal) [Orabug: 18961720] - x86, boot: Create a separate string.h file to provide standard string functions (Vivek Goyal) [Orabug: 18961720] - kexec: add sysctl to disable kexec_load (Kees Cook) [Orabug: 18961720] - x86: Add xloadflags bit for EFI runtime support on kexec (Dave Young) [Orabug: 18961720] - x86/efi: Pass necessary EFI data for kexec via setup_data (Dave Young) [Orabug: 18961720] - efi: Export EFI runtime memory mapping to sysfs (Dave Young) [Orabug: 18961720] - efi: Export more EFI table variables to sysfs (Dave Young) [Orabug: 18961720] - x86/efi: Cleanup efi_enter_virtual_mode() function (Dave Young) [Orabug: 18961720] - x86/efi: Fix off-by-one bug in EFI Boot Services reservation (Dave Young) [Orabug: 18961720] - x86/efi: Add a wrapper function efi_map_region_fixed() (Dave Young) [Orabug: 18961720] - keys: change asymmetric keys to use common hash definitions (Dmitry Kasatkin) [Orabug: 18961720] - crypto: provide single place for hash algo information (Dmitry Kasatkin) [Orabug: 18961720] - KEYS: fix error return code in big_key_instantiate() (Wei Yongjun) [Orabug: 18961720] - KEYS: Fix keyring quota misaccounting on key replacement and unlink (David Howells) [Orabug: 18961720] - KEYS: Fix a race between negating a key and reading the error set (David Howells) [Orabug: 18961720] - KEYS: Make BIG_KEYS boolean (Josh Boyer) [Orabug: 18961720] - X.509: remove possible code fragility: enumeration values not handled (Antonio Alecrim Jr) [Orabug: 18961720] - X.509: add module description and license (Konstantin Khlebnikov) [Orabug: 18961720] - MPILIB: add module description and license (Konstantin Khlebnikov) [Orabug: 18961720] - KEYS: initialize root uid and session keyrings early (Mimi Zohar) [Orabug: 18961720] - KEYS: verify a certificate is signed by a 'trusted' key (Mimi Zohar) [Orabug: 18961720] - KEYS: Make the system 'trusted' keyring viewable by userspace (Mimi Zohar) [Orabug: 18961720] - KEYS: Set the asymmetric-key type default search method (David Howells) [Orabug: 18961720] - KEYS: Add a 'trusted' flag and a 'trusted only' flag (David Howells) [Orabug: 18961720] - KEYS: Separate the kernel signature checking keyring from module signing (David Howells) [Orabug: 18961720] - KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate (David Howells) [Orabug: 18961720] - KEYS: Load *.x509 files into kernel keyring (David Howells) [Orabug: 18961720] - X.509: Remove certificate date checks (David Howells) [Orabug: 18961720] - X.509: Handle certificates that lack an authorityKeyIdentifier field (David Howells) [Orabug: 18961720] - X.509: Check the algorithm IDs obtained from parsing an X.509 certificate (David Howells) [Orabug: 18961720] - X.509: Embed public_key_signature struct and create filler function (David Howells) [Orabug: 18961720] - X.509: struct x509_certificate needs struct tm declaring (David Howells) [Orabug: 18961720] - KEYS: Store public key algo ID in public_key_signature struct (David Howells) [Orabug: 18961720] - KEYS: Split public_key_verify_signature() and make available (David Howells) [Orabug: 18961720] - KEYS: Store public key algo ID in public_key struct (David Howells) [Orabug: 18961720] - KEYS: Move the algorithm pointer array from x509 to public_key.c (David Howells) [Orabug: 18961720] - KEYS: Rename public key parameter name arrays (David Howells) [Orabug: 18961720] - KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (Guangyu Sun) [Orabug: 18961720] - KEYS: Implement a big key type that can save to tmpfs (David Howells) [Orabug: 18961720] - KEYS: Expand the capacity of a keyring (David Howells) [Orabug: 18961720] - Add a generic associative array implementation. (David Howells) [Orabug: 18961720] - KEYS: Drop the permissions argument from __keyring_search_one() (David Howells) [Orabug: 18961720] - KEYS: Define a __key_get() wrapper to use rather than atomic_inc() (David Howells) [Orabug: 18961720] - KEYS: Search for auth-key by name rather than target key ID (David Howells) [Orabug: 18961720] - KEYS: Introduce a search context structure (David Howells) [Orabug: 18961720] - KEYS: Consolidate the concept of an 'index key' for key access (David Howells) [Orabug: 18961720] - KEYS: key_is_dead() should take a const key pointer argument (David Howells) [Orabug: 18961720] - KEYS: Use bool in make_key_ref() and is_key_possessed() (David Howells) [Orabug: 18961720] - KEYS: Skip key state checks when checking for possession (David Howells) [Orabug: 18961720] - userns: Avoid recursion in put_user_ns (Eric W. Biederman) [Orabug: 18961720] - x86/efi: Check krealloc return value (Borislav Petkov) [Orabug: 18961720] - x86/efi: Runtime services virtual mapping (Borislav Petkov) [Orabug: 18961720] - x86/mm/cpa: Map in an arbitrary pgd (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add last levels of error path (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add a PUD error unwinding path (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add a PTE pagetable populating function (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add a PMD pagetable populating function (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add a PUD pagetable populating function (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Add a PGD pagetable populating function (Borislav Petkov) [Orabug: 18961720] - x86/mm/pageattr: Lookup address in an arbitrary PGD (Borislav Petkov) [Orabug: 18961720] - x86/efi: Simplify EFI_DEBUG (Borislav Petkov) [Orabug: 18961720] - efi: Generalize handle_ramdisks() and rename to handle_cmdline_files(). (Roy Franz) [Orabug: 18961720] - efi: Rename memory allocation/free functions (Roy Franz) [Orabug: 18961720] - efi: Add system table pointer argument to shared functions. (Roy Franz) [Orabug: 18961720] - efi: Move common EFI stub code from x86 arch code to common location (Roy Franz) [Orabug: 18961720] - efivars: Mark local function as static (Bojan Prtvar) [Orabug: 18961720] - pstore: Introduce new argument 'compressed' in the read callback (Aruna Balakrishnaiah) [Orabug: 18961720] - pstore: Add new argument 'compressed' in pstore write callback (Aruna Balakrishnaiah) [Orabug: 18961720] - efi-pstore: Read and write to the 'compressed' flag of pstore (Aruna Balakrishnaiah) [Orabug: 18961720] - x86: Don't clear olpc_ofw_header when sentinel is detected (Daniel Drake) [Orabug: 18961720] - efivars: check for EFI_RUNTIME_SERVICES (Matt Fleming) [Orabug: 18961720] - pstore: Pass header size in the pstore write callback (Aruna Balakrishnaiah) [Orabug: 18961720] - efivars: If pstore_register fails, free unneeded pstore buffer (Lenny Szubowicz) [Orabug: 18961720] - efi, pstore: Cocci spatch 'memdup.spatch' (Thomas Meyer) [Orabug: 18961720] - efivar: fix oops in efivar_update_sysfs_entries() caused by memory reuse (Seiji Aguchi) [Orabug: 18961720] - efi: remove 'kfree(NULL)' (Dan Carpenter) [Orabug: 18961720] - efi: locking fix in efivar_entry_set_safe() (Dan Carpenter) [Orabug: 18961720] - efi, pstore: Read data from variable store before memcpy() (Matt Fleming) [Orabug: 18961720] - efi, pstore: Remove entry from list when erasing (Matt Fleming) [Orabug: 18961720] - efi, pstore: Initialise 'entry' before iterating (Matt Fleming) [Orabug: 18961720] - efi: split efisubsystem from efivars (Tom Gundersen) [Orabug: 18961720] - efivarfs: Move to fs/efivarfs (Matt Fleming) [Orabug: 18961720] - efivars: Move pstore code into the new EFI directory (Matt Fleming) [Orabug: 18961720] - efivars: efivar_entry API (Matt Fleming) [Orabug: 18961720] - efivars: Keep a private global pointer to efivars (Matt Fleming) [Orabug: 18961720] - efi: move utf16 string functions to efi.h (Matt Fleming) [Orabug: 18961720] - efivars: Handle duplicate names from get_next_variable() (Matt Fleming) [Orabug: 18961720] - x86, doc: Be explicit about what the x86 struct boot_params requires (Peter Jones) [Orabug: 18961720] - x86: Don't clear efi_info even if the sentinel hits (Josh Boyer) [Orabug: 18961720] - export kernel_write(), convert open-coded instances (Al Viro) [Orabug: 18961720] - efi_pstore: Introducing workqueue updating sysfs (Seiji Aguchi) [Orabug: 18961720] - x86/mm: Fix boot crash with DEBUG_PAGE_ALLOC=y and more than 512G RAM (Yinghai Lu) [Orabug: 18961720] - x86, mm: Make sure to find a 2M free block for the first mapped area (Yinghai Lu) [Orabug: 18961720] - x86: Fix adjust_range_size_mask calling position (Yinghai Lu) [Orabug: 18961720] - x86, kdump: Change crashkernel_high/low= to crashkernel=,high/low (Yinghai Lu) [Orabug: 18961720] - x86, kdump: Retore crashkernel= to allocate under 896M (Yinghai Lu) [Orabug: 18961720] - x86, kdump: Set crashkernel_low automatically (Yinghai Lu) [Orabug: 18961720] - x86: Don't panic if can not alloc buffer for swiotlb (Yinghai Lu) [Orabug: 18961720] - mm: Add alloc_bootmem_low_pages_nopanic() (Yinghai Lu) [Orabug: 18961720] - x86, 64bit, mm: hibernate use generic mapping_init (Yinghai Lu) [Orabug: 18961720] - x86, 64bit, mm: Mark data/bss/brk to nx (Yinghai Lu) [Orabug: 18961720] - x86: Merge early kernel reserve for 32bit and 64bit (Yinghai Lu) [Orabug: 18961720] - x86: Add Crash kernel low reservation (Yinghai Lu) [Orabug: 18961720] - x86, kdump: Remove crashkernel range find limit for 64bit (Yinghai Lu) [Orabug: 18961720] - memblock: Add memblock_mem_size() (Yinghai Lu) [Orabug: 18961720] - x86, boot: Not need to check setup_header version for setup_data (Yinghai Lu) [Orabug: 18961720] - x86, boot: Update comments about entries for 64bit image (Yinghai Lu) [Orabug: 18961720] - x86, boot: Support loading bzImage, boot_params and ramdisk above 4G (Yinghai Lu) [Orabug: 18961720] - x86, kexec, 64bit: Only set ident mapping for ram. (Yinghai Lu) [Orabug: 18961720] - x86, kexec: Replace ident_mapping_init and init_level4_page (Yinghai Lu) [Orabug: 18961720] - x86, kexec: Set ident mapping for kernel that is above max_pfn (Yinghai Lu) [Orabug: 18961720] - x86, kexec: Remove 1024G limitation for kexec buffer on 64bit (Yinghai Lu) [Orabug: 18961720] - x86, boot: Move lldt/ltr out of 64bit code section (Yinghai Lu) [Orabug: 18961720] - x86, boot: Move verify_cpu.S and no_longmode down (Yinghai Lu) [Orabug: 18961720] - x86, boot: Pass cmd_line_ptr with unsigned long instead (Yinghai Lu) [Orabug: 18961720] - x86, boot: Move checking of cmd_line_ptr out of common path (Yinghai Lu) [Orabug: 18961720] - x86, boot: Add get_cmd_line_ptr() (Yinghai Lu) [Orabug: 18961720] - x86, boot: Sanitize boot_params if not zeroed on creation (H. Peter Anvin) [Orabug: 18961720] - x86: Add get_ramdisk_image/size() (Yinghai Lu) [Orabug: 18961720] - x86: Merge early_reserve_initrd for 32bit and 64bit (Yinghai Lu) [Orabug: 18961720] - x86, 64bit: Don't set max_pfn_mapped wrong value early on native path (Yinghai Lu) [Orabug: 18961720] - x86, 64bit: #PF handler set page to cover only 2M per #PF (Yinghai Lu) [Orabug: 18961720] - x86, 64bit: Use a #PF handler to materialize early mappings on demand (H. Peter Anvin) [Orabug: 18961720] - x86, realmode: Separate real_mode reserve and setup (Yinghai Lu) [Orabug: 18961720] - x86, 64bit, realmode: Use init_level4_pgt to set trampoline_pgd directly (Yinghai Lu) [Orabug: 18961720] - x86, 64bit: Copy struct boot_params early (Yinghai Lu) [Orabug: 18961720] - x86, 64bit, mm: Add generic kernel/ident mapping helper (Yinghai Lu) [Orabug: 18961720] - x86, realmode: Set real_mode permissions early (Yinghai Lu) [Orabug: 18961720] - x86, 64bit, mm: Make pgd next calculation consistent with pud/pmd (Yinghai Lu) [Orabug: 18961720] - x86: Factor out e820_add_kernel_range() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Fix page table early allocation offset checking (Yinghai Lu) [Orabug: 18961720] - x86, mm: Let 'memmap=' take more entries one time (Yinghai Lu) [Orabug: 18961720] - mm: Kill NO_BOOTMEM version free_all_bootmem_node() (Yinghai Lu) [Orabug: 18961720] - sparc, mm: Remove calling of free_all_bootmem_node() (Yinghai Lu) [Orabug: 18961720] - x86, mm: kill numa_64.h (Yinghai Lu) [Orabug: 18961720] - x86, mm: kill numa_free_all_bootmem() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Use clamp_t() in init_range_memory_mapping (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move after_bootmem to mm_internel.h (Yinghai Lu) [Orabug: 18961720] - x86, mm: Unifying after_bootmem for 32bit and 64bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: use limit_pfn for end pfn (Yinghai Lu) [Orabug: 18961720] - x86, mm: use pfn instead of pos in split_mem_range (Yinghai Lu) [Orabug: 18961720] - x86, mm: use PFN_DOWN in split_mem_range() (Yinghai Lu) [Orabug: 18961720] - x86, mm: use round_up/down in split_mem_range() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Add check before clear pte above max_low_pfn on 32bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move function declaration into mm_internal.h (Yinghai Lu) [Orabug: 18961720] - x86, mm: change low/hignmem_pfn_init to static on 32bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move init_gbpages() out of setup.c (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move back pgt_buf_* to mm/init.c (Yinghai Lu) [Orabug: 18961720] - x86, mm: only call early_ioremap_page_table_range_init() once (Yinghai Lu) [Orabug: 18961720] - x86, mm: Add pointer about Xen mmu requirement for alloc_low_pages (Stefano Stabellini) [Orabug: 18961720] - x86, mm: Add alloc_low_pages(num) (Yinghai Lu) [Orabug: 18961720] - x86, mm, Xen: Remove mapping_pagetable_reserve() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move min_pfn_mapped back to mm/init.c (Yinghai Lu) [Orabug: 18961720] - x86, mm: Merge alloc_low_page between 64bit and 32bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Remove parameter in alloc_low_page for 64bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Remove early_memremap workaround for page table accessing on 64bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: setup page table in top-down (Yinghai Lu) [Orabug: 18961720] - x86, mm: Break down init_all_memory_mapping (Yinghai Lu) [Orabug: 18961720] - x86, mm: Don't clear page table if range is ram (Yinghai Lu) [Orabug: 18961720] - x86, mm: Use big page size for small memory range (Yinghai Lu) [Orabug: 18961720] - x86, mm: Align start address to correct big page size (Yinghai Lu) [Orabug: 18961720] - x86, mm: relocate initrd under all mem for 64bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Only direct map addresses that are marked as E820_RAM (Jacob Shin) [Orabug: 18961720] - x86, mm: use pfn_range_is_mapped() with reserve_initrd (Yinghai Lu) [Orabug: 18961720] - x86, mm: use pfn_range_is_mapped() with gart (Yinghai Lu) [Orabug: 18961720] - x86, mm: use pfn_range_is_mapped() with CPA (Yinghai Lu) [Orabug: 18961720] - x86, mm: Fixup code testing if a pfn is direct mapped (Jacob Shin) [Orabug: 18961720] - x86, mm: if kernel .text .data .bss are not marked as E820_RAM, complain and fix (Jacob Shin) [Orabug: 18961720] - x86, mm: Set memblock initial limit to 1M (Yinghai Lu) [Orabug: 18961720] - x86, mm: Separate out calculate_table_space_size() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Find early page table buffer together (Yinghai Lu) [Orabug: 18961720] - x86, mm: Change find_early_table_space() paramters (Yinghai Lu) [Orabug: 18961720] - x86, mm: Revert back good_end setting for 64bit (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move init_memory_mapping calling out of setup.c (Yinghai Lu) [Orabug: 18961720] - x86, mm: Move down find_early_table_space() (Yinghai Lu) [Orabug: 18961720] - x86, mm: Split out split_mem_range from init_memory_mapping (Yinghai Lu) [Orabug: 18961720] - x86, mm: Add global page_size_mask and probe one time only (Yinghai Lu) [Orabug: 18961720] [3.8.13-81] - i40e: Bump version to 1.3.2 (Catherine Sullivan) [Orabug: 20639907] - i40e: Use new 40G speeds (Brian Maly) [Orabug: 20639907] - i40e: handle possible memory allocation failure (Jesse Brandeburg) [Orabug: 20639907] - i40e/i40evf: Save WR_CSR_PROT field from DEV/FUNC capabilities (Kevin Scott) [Orabug: 20639907] - i40e: enable user dump of internal hardware state (Jesse Brandeburg) [Orabug: 20639907] - i40e: print FCoE capability reported by the device function (Vasu Dev) [Orabug: 20639907] - i40e: For VF reset (VFR and VFLR) add some more delay (Anjali Singhai Jain) [Orabug: 20639907] - i40e: move VF notification routines up (Mitch Williams) [Orabug: 20639907] - i40e: notify VFs of link state (Mitch Williams) [Orabug: 20639907] - i40evf: remove aq_pending (Mitch Williams) [Orabug: 20639907] - i40e: Add support to program FDir SB rules for VF from PF through ethtool (Anjali Singhai Jain) [Orabug: 20639907] - i40evf: fix bad indentation (Mitch Williams) [Orabug: 20639907] - i40e: stop VF rings (Mitch Williams) [Orabug: 20639907] - i40e: Bump to version 1.3.1 (Catherine Sullivan) [Orabug: 20639907] - i40evf: Refactor VF RSS code (Anjali Singhai Jain) [Orabug: 20639907] - i40evf: protect VLAN filter list (Mitch Williams) [Orabug: 20639907] - i40e: Communicate VSI id in place of VSI index to the VFs (Anjali Singhai Jain) [Orabug: 20639907] - i40e: stop flow director on shutdown (Mitch Williams) [Orabug: 20639907] - 40e/i40evf: Set Ethernet protocol correctly when Tx VLAN offloads are disabled (Brian Maly) [Orabug: 20639907] - i40e: fix invalid void return in FCoE code (Jesse Brandeburg) [Orabug: 20639907] - i40e: Change some memcpys to struct assignments (Jesse Brandeburg) [Orabug: 20639907] - i40e: Print some more info to help figure out the cause of HMC error (Anjali Singhai Jain) [Orabug: 20639907] - i40e: validate VSI param from VFs (Mitch Williams) [Orabug: 20639907] - i40evf: Fix Outer UDP RX checksum code (Anjali Singhai Jain) [Orabug: 20639907] - Update of TLB shootdown code for UV3. (Cliff Wickman) [Orabug: 20578414] - x86: UV BAU: Avoid NULL pointer reference in ptc_seq_show (James Custer) [Orabug: 20578414] - x86: UV BAU: Increase maximum CPUs per socket/hub (James Custer) [Orabug: 20578414] - x86/UV: Set n_lshift based on GAM_GR_CONFIG MMR for UV3 (Dimitri Sivanich) [Orabug: 20578414] - x86/UV: Fix NULL pointer dereference in uv_flush_tlb_others() if the 'nobau' boot option is used (cpw) [Orabug: 20578414] - x86: Update UV3 hub revision ID (Russ Anderson) [Orabug: 20578414] - x86, uv, uv3: Trim MMR register definitions after code changes for SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Check current gru hub support for SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Update Time Support for SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Update x2apic Support for SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Update Hub Info for SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Update ACPI Check to include SGI UV3 (Mike Travis) [Orabug: 20578414] - x86, uv, uv3: Update MMR register definitions for SGI Ultraviolet System 3 (UV3) (Mike Travis) [Orabug: 20578414] - xen/efi: Fix mismatch reference errors during build. (Marcos Matsunaga) [Orabug: 20951518] - PCI: Restore detection of read-only BARs (Myron Stowe) [Orabug: 21037617] - PCI: Add informational printk for invalid BARs (Myron Stowe) [Orabug: 21037617] - PCI: Handle read-only BARs on AMD CS553x devices (Myron Stowe) [Orabug: 21037617] [3.8.13-80] - dtrace: use strnlen_user() to get the length of env vars and cmdline args (Kris Van Hees) [Orabug: 20468084] - scsi: storvsc: Set the tablesize based on the information given by the host (K. Y. Srinivasan) [Orabug: 21027987] - Drivers: hv: vmbus: Support a vmbus API for efficiently sending page arrays (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Don't assume that the scatterlist is not chained (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Fix a bug in copy_from_bounce_buffer() (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Retrieve information about the capability of the target (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Always send on the selected outgoing channel (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Size the queue depth based on the ringbuffer size (K. Y. Srinivasan) [Orabug: 21027987] - scsi: storvsc: Increase the ring buffer size (K. Y. Srinivasan) [Orabug: 21027987] - hpsa: correct compiler warnings introduced by hpsa-add-local-workqueue patch (Don Brace) [Orabug: 20910674] - hpsa: Use local workqueues instead of system workqueues (Don Brace) [Orabug: 20910674] - hpsa: add in P840ar controller model name (Don Brace) [Orabug: 20910674] - hpsa: add in gen9 controller model names (Don Brace) [Orabug: 20910674] - hpsa: detect and report failures changing controller transport modes (Robert Elliott) [Orabug: 20910674] - hpsa: shorten the wait for the CISS doorbell mode change ack (Robert Elliott) [Orabug: 20910674] - hpsa: refactor duplicated scan completion code into a new routine (Webb Scales) [Orabug: 20910674] - hpsa: move SG descriptor set-up out of hpsa_scatter_gather() (Webb Scales) [Orabug: 20910674] - hpsa: do not use function pointers in fast path command submission (Stephen Cameron) [Orabug: 20910674] - hpsa: print CDBs instead of kernel virtual addresses for uncommon errors (Stephen Cameron) [Orabug: 20910674] - hpsa: do not use a void pointer for scsi_cmd field of struct CommandList (Stephen Cameron) [Orabug: 20910674] - hpsa: return failed from device reset/abort handlers (Don Brace) [Orabug: 20910674] - hpsa: check for ctlr lockup after command allocation in main io path (Stephen Cameron) [Orabug: 20910674] - hpsa: guard against overflowing raid map array (Stephen Cameron) [Orabug: 20910674] - hpsa: do not ack controller events on controllers that do not support it (Stephen Cameron) [Orabug: 20910674] - hpsa: remove incorrect BUG_ONs checking for raid offload enable (Stephen Cameron) [Orabug: 20910674] - hpsa: do not check for msi(x) in interrupt_pending (Stephen Cameron) [Orabug: 20910674] - hpsa: slightly optimize SA5_performant_completed (Don Brace) [Orabug: 20910674] - hpsa: count passthru cmds with atomics, not a spin locked int (Don Brace) [Orabug: 20910674] - hpsa: optimize cmd_alloc function by remembering last allocation (Robert Elliott) [Orabug: 20910674] - hpsa: fix race between abort handler and main i/o path (Webb Scales) [Orabug: 20910674] - hpsa: honor queue depth of physical devices (Don Brace) [Orabug: 20910674] - hpsa: use workqueue to resubmit failed ioaccel commands (Don Brace) [Orabug: 20910674] - hpsa: factor out hpsa_ciss_submit function (Stephen Cameron) [Orabug: 20910674] - hpsa: do not request device rescan on every ioaccel path error (Stephen Cameron) [Orabug: 20910674] - hpsa: do not queue commands internally in driver (Don Brace) [Orabug: 20910674] - hpsa: get rid of cmd_special_alloc and cmd_special_free (Stephen Cameron) [Orabug: 20910674] - hpsa: reserve some commands for use by driver (Stephen Cameron) [Orabug: 20910674] - hpsa: avoid unneccesary calls to resource freeing functions (Robert Elliott) [Orabug: 20910674] - hpsa: fix memory leak in hpsa_alloc_cmd_pool (Robert Elliott) [Orabug: 20910674] - hpsa: report allocation failures while allocating SG chain blocks (Robert Elliott) [Orabug: 20910674] - hpsa: pass error from pci_set_consistent_dma_mask from hpsa_message (Robert Elliott) [Orabug: 20910674] - hpsa: rename hpsa_request_irq to hpsa_request_irqs (Robert Elliott) [Orabug: 20910674] - hpsa: report failure to ioremap config table (Robert Elliott) [Orabug: 20910674] - hpsa: trivial message and comment clean ups (Stephen Cameron) [Orabug: 20910674] - hpsa: refactor hpsa_find_board_params() to encapsulate legacy test (Webb Scales) [Orabug: 20910674] - hpsa: downgrade the Waiting for no-op print to dev_info (Robert Elliott) [Orabug: 20910674] - hpsa: propagate return value from board ID lookup (Robert Elliott) [Orabug: 20910674] - hpsa: propagate hard_reset failures in reset_devices mode (Robert Elliott) [Orabug: 20910674] - hpsa: remove 0x from queue depth print which is in decimal (Robert Elliott) [Orabug: 20910674] - hpsa: notice all request_irq errors (Robert Elliott) [Orabug: 20910674] - hpsa: Fix -Wunused-but-set-variable warning (Fabian Frederick) [Orabug: 20910674] - hpsa: rename free_irqs to hpsa_free_irqs (Robert Elliott) [Orabug: 20910674] - hpsa: adjust RAID-1, RAID-1ADM, and RAID-6 names (Robert Elliott) [Orabug: 20910674] - hpsa: change how SA controllers are reset (Don Brace) [Orabug: 20910674] - hpsa: turn off interrupts when kdump starts (Tomas Henzl) [Orabug: 20910674] - hpsa: fix memory leak in kdump hard reset (Tomas Henzl) [Orabug: 20910674] - hpsa: correct endian sparse warnings (Don Brace) [Orabug: 20910674] [3.8.13-79] - Revert 'Implement support for wire-only DIF devices' (Vaughan Cao) [Orabug: 20952398] - xen-netfront: use correct linear area after linearizing an skb (David Vrabel) [Orabug: 20903396] - x86, sched: Add new topology for multi-NUMA-node CPUs (Dave Hansen) [Orabug: 20825479] - sched: Rework sched_domain topology definition (Vincent Guittot) [Orabug: 20825479] - x86 thermal: Disable power limit notification interrupt by default (Fenghua Yu) [Orabug: 20808816] - x86 thermal: Delete power-limit-notification console messages (Fenghua Yu) [Orabug: 20808816] - vfs: allow umount to handle mountpoints without revalidating them (Jeff Layton) [Orabug: 20425402] - ptp: dynamic allocation of PHC char devices (Jiri Benc) [Orabug: 20305451] - sched: Prevent divide by zero when cpu power calculation is 0 (Todd Vierling) [Orabug: 17936428] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8989 Oracle Linux 6 Oracle Linux 7 [1.0.7-2.0.7] - [Orabug 21533491] CVE-2015-1334: Don't use the container's /proc during attach [1.0.7-2.0.6] - [Orabug 21526922] CVE-2015-1331: LXCLOCK: USE /RUN/LXC/LOCK RATHER THAN /RUN/LOCK/LXC IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1334 CVE-2015-1331 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-98.1.1] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563041] {CVE-2015-5697} LOW Copyright 2015 Oracle, Inc. CVE-2015-5697 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.10] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563042] {CVE-2015-5697} - netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (Andrey Vagin) [Orabug: 21562780] {CVE-2014-9715} MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9715 CVE-2015-5697 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.10] - md: use kzalloc() when bitmap is disabled (Benjamin Randazzo) [Orabug: 21563043] {CVE-2015-5697} - netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len (Andrey Vagin) [Orabug: 21562781] {CVE-2014-9715} MODERATE Copyright 2015 Oracle, Inc. CVE-2014-9715 CVE-2015-5697 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-98.1.2] - udp: fix behavior of wrong checksums (Eric Dumazet) [Orabug: 21628850] {CVE-2015-5364} {CVE-2015-5366} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5364 CVE-2015-5366 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.250.11] - udp: fix behavior of wrong checksums (Eric Dumazet) [Orabug: 21628851] {CVE-2015-5364} {CVE-2015-5366} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5364 CVE-2015-5366 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.11uek] - udp: fix behavior of wrong checksums (Eric Dumazet) [Orabug: 21628852] {CVE-2015-5364} {CVE-2015-5366} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5364 CVE-2015-5366 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-98.2.2] - sctp: fix ASCONF list handling (Marcelo Ricardo Leitner) [Orabug: 21842668] {CVE-2015-3212} - KEYS: ensure we free the assoc array edit if edit is valid (Colin Ian King) [Orabug: 21842655] {CVE-2015-1333} IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1333 CVE-2015-3212 Oracle Linux 6 Oracle Linux 7 [1.8.3-1.0.1] - Enable configuration of Docker daemon via sysconfig [orabug 21804877] - Add documentation files to binary RPM [1.8.3] - Fix layer IDs lead to local graph poisoning (CVE-2014-8178) - Fix manifest validation and parsing logic errors allow pull-by-digest validation bypass (CVE-2014-8179) - Add --disable-legacy-registry to prevent a daemon from using a v1 registry IMPORTANT Copyright 2015 Oracle, Inc. CVE-2014-8178 CVE-2014-8179 Oracle Linux 6 Oracle Linux 7 [1.0.7-2.0.12] - [Orabug 22011867] ol6 ct shutdown script remounts /dev/pts/* devices as ro on host system. [1.0.7-2.0.11] - [Orabug 21842483] failed to create directory '/RUN/LXC/LOCK//CONTAINER/OL7.1/SNAPS' - CVE-2015-1335: Protect container mounts against symlinks. - Fixed build failure on OL6. IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1335 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-98.5.2] - virtio-net: drop NETIF_F_FRAGLIST (Jason Wang) [Orabug: 22145600] {CVE-2015-5156} [3.8.13-98.5.1] - netdev: fix NETIF_F_GSO_UDP_TUNNEL_BIT enum shift in i40e driver import (Todd Vierling) [Orabug: 22066176] MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5156 Oracle Linux 5 Oracle Linux 6 [2.6.39-400.264.5] - virtio-net: drop NETIF_F_FRAGLIST (Jason Wang) [Orabug: 22145599] {CVE-2015-5156} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5156 Oracle Linux 5 Oracle Linux 6 kernel-uek [2.6.32-400.37.12uek] - virtio-net: drop NETIF_F_FRAGLIST (Jason Wang) [Orabug: 22145596] {CVE-2015-5156} MODERATE Copyright 2015 Oracle, Inc. CVE-2015-5156 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-118] - Update ql2400/ql2500 firmware version to 8.02.00 (Dan Duval) [Orabug: 22159505] - update qla2400/ql2500 firmware version to 8.02.00 (Dan Duval) [Orabug: 22159505] [3.8.13-117] - virtio-net: drop NETIF_F_FRAGLIST (Jason Wang) [Orabug: 22145600] {CVE-2015-5156} - team: check return value of team_get_port_by_index_rcu() for NULL (Jiri Pirko) [Orabug: 21944235] - team: check return value of team_get_port_by_index_rcu() for NULL (Jiri Pirko) [Orabug: 21944235] [3.8.13-116] - team: check return value of team_get_port_by_index_rcu() for NULL (Jiri Pirko) [Orabug: 21944235] [3.8.13-115] - Disable VLAN 0 tagging for none VLAN traffic (Joe Jin) [Orabug: 20832922] - x86/efi: Make efi virtual runtime map passing more robust (Borislav Petkov) [Orabug: 22020990] - IB/rds_rdma: unloading of ofed stack causes page fault panic (Rama Nichanamatlu) [Orabug: 22039748] - xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) (Cathy Avery) [Orabug: 21924428] [3.8.13-114] - rds: revert commit 4348013 (Rama Nichanamatlu) [Orabug: 22039425] - qlcnic: Fix mailbox completion handling in spurious interrupt (Rajesh Borundia) - xen-netfront: set max_queue default to 8 (Joe Jin) [Orabug: 21981690] - xen-netfront: update num_queues to real created (Joe Jin) [Orabug: 21981690] - lpfc: Update version to 11.0.0.1 for patch set (James Smart) [Orabug: 21860804] - lpfc: Fix default RA_TOV and ED_TOV in the FC/FCoE driver for all topologies (James Smart) [Orabug: 21860804] - lpfc: The linux driver does not reinitiate discovery after a failed FLOGI (James Smart) [Orabug: 21860804] - lpfc: Fix for discovery failure in PT2PT when FLOGIs ELS ACC response gets aborted (James Smart) [Orabug: 21860804] - lpfc: Add support for Lancer G6 and 32G FC links (James Smart) [Orabug: 21860804] - fix: lpfc_send_rscn_event sends bigger buffer size (James Smart) [Orabug: 21860804] - lpfc: Fix possible use-after-free and double free (James Smart) [Orabug: 21860804] - lpfc: remove set but not used variables (James Smart) [Orabug: 21860804] - lpfc: Make the function lpfc_sli4_mbox_completions_pending static (James Smart) [Orabug: 21860804] - Fix kmalloc overflow in LPFC driver at large core count (James Smart) [Orabug: 21860804] - lpfc: Destroy lpfc_hba_index IDR on module exit (James Smart) [Orabug: 21860804] - lpfc: in sli3 use configured sg_seg_cnt for sg_tablesize (James Smart) [Orabug: 21860804] - lpfc: Remove unnessary cast (James Smart) [Orabug: 21860804] - lpfc: fix model description (James Smart) [Orabug: 21860804] - lpfc: Fix to drop PLOGIs from fabric node till LOGO proce ssing completes (James Smart) [Orabug: 21860804] - lpfc: Fix scsi task management error message. (James Smart) [Orabug: 21860804] - lpfc: Fix cq_id masking problem. (James Smart) [Orabug: 21860804] - lpfc: Fix scsi prep dma buf error. (James Smart) [Orabug: 21860804] - lpfc: Add support for using block multi-queue (James Smart) [Orabug: 21860804] - lpfc: Devices are not discovered during takeaway/giveback testing. (James Smart) [Orabug: 21860804] - lpfc: Fix vport deletion failure. (James Smart) [Orabug: 21860804] - lpfc: Check for active portpeerbeacon. (James Smart) [Orabug: 21860804] - RDS: fix race condition when sending a message on unbound socket. (Quentin Casasnovas) [Orabug: 21882586] {CVE-2015-6937} - RDS: make send_batch_count tunable effective (Santosh Shilimkar) [Orabug: 21882586] - RDS: make use of kfree_rcu() and avoid the call_rcu() chain (Santosh Shilimkar) [Orabug: 21882586] - RDS: verify the underlying transport exists before creating a connection (Sasha Levin) [Orabug: 21882586] - RDS: Disable broken APM feature code (Santosh Shilimkar) [Orabug: 22045256] - RDS: return EMSGSIZE for oversize requests before processing/queueing (Mukesh Kacker) [Orabug: 21882586] - RDS: Make active bonding parameters names consistent (Santosh Shilimkar) [Orabug: 21882586] - IB/mlx4: Use vmalloc for WR buffers when needed (Wengang Wang) [Orabug: 21835374] - mm: move kvfree to mm/util (Wengang Wang) [Orabug: 21835374] - x86/xen: Do not clip xen_e820_map to xen_e820_map_entries when sanitizing map (Malcolm Crossley) - netdev: fix NETIF_F_GSO_UDP_TUNNEL_BIT enum shift in i40e driver import (Todd Vierling) [Orabug: 21958024] [3.8.13-113] - mlx4_core: Release counters while releasing slave resources (Wengang Wang) [Orabug: 21116780] - IB/ipoib: Disable TSO in connected mode (Yuval Shaia) [Orabug: 21684386] - Revert 'IB/ipoib: Disable TSO in connected mode' (Yuval Shaia) [Orabug: 21968983] - Revert 'IB/ipoib: Disable TSO in connected mode' (Yuval Shaia) [Orabug: 21968983] [3.8.13-112] - i40e/i40evf: Bump i40e to 1.3.21 and i40evf to 1.3.13 (Catherine Sullivan) [Orabug: 21539654] - i40e/i40evf: add get AQ result command to nvmupdate utility (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: add exec_aq command to nvmupdate utility (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: add wait states to NVM state machine (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: add GetStatus command for nvmupdate (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: add handling of writeback descriptor (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: save aq writeback for future inspection (Shannon Nelson) [Orabug: 21539654] - i40e: rename variable to prevent clash of understanding (Shannon Nelson) [Orabug: 21539654] - i40e: Set defport behavior for the Main VSI when in promiscuous mode (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Bump i40e to 1.3.9 and i40evf to 1.3.5 (Catherine Sullivan) [Orabug: 21539654] - i40e/i40evf: Cache the CEE TLV status returned from firmware (Neerav Parikh) [Orabug: 21539654] - i40e/i40evf: add VIRTCHNL_VF_OFFLOAD flag (Anjali Singhai Jain) [Orabug: 21539654] - i40e: Remove redundant and unneeded messages (Greg Rose) [Orabug: 21539654] - i40evf: Remove PF specific register definitions from the VF (Anjali Singhai Jain) [Orabug: 21539654] - i40evf: Use the correct defines to match the VF registers (Anjali Singhai Jain) [Orabug: 21539654] - i40e: Fix comment for ethtool diagnostic link test (Greg Rose) [Orabug: 21539654] - i40e/i40evf: Add capability to gather VEB per TC stats (Neerav Parikh) [Orabug: 21539654] - i40e: Fix ethtool offline diagnostic with netqueues (Greg Rose) [Orabug: 21539654] - i40e: Fix legacy interrupt mode in the driver (Anjali Singhai Jain) [Orabug: 21539654] - i40e: Move function calls to i40e_shutdown instead of i40e_suspend (Catherine Sullivan) [Orabug: 21539654] - i40e: add RX to port CRC errors label (Shannon Nelson) [Orabug: 21539654] - i40e: dont degrade __le16 (Mitch Williams) [Orabug: 21539654] - i40e: Add AQ commands for NVM Update for X722 (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: Add ATR HW eviction support for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e: Add IWARP support for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add TX/RX outer UDP checksum support for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add support for writeback on ITR feature for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Update register.h file for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Update FW API with X722 support (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add flags for X722 capabilities (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add device ids for X722 (Anjali Singhai Jain) [Orabug: 21539654] - i40e: use BIT and BIT_ULL macros (Jesse Brandeburg) [Orabug: 21539654] - i40e: clean up error status messages (Shannon Nelson) [Orabug: 21539654] - i40e: clean up error status messages (Shannon Nelson) [Orabug: 21539654] - i40e: provide correct API version to older VF drivers (Mitch Williams) [Orabug: 21539654] - i40evf: support virtual channel API version 1.1 (Mitch Williams) [Orabug: 21539654] - i40evf: handle big resets (Mitch Williams) [Orabug: 21539654] - i40e: support virtual channel API 1.1 (Mitch Williams) [Orabug: 21539654] - i40e/i40evf: add macros for virtual channel API version and device capability (Mitch Williams) [Orabug: 21539654] - i40e: add VF capabilities to virtual channel interface (Mitch Williams) [Orabug: 21539654] - i40e: clean up unneeded gotos (Shannon Nelson) [Orabug: 21539654] - i40e/i40evf: Fix and refactor dynamic ITR code (Carolyn Wyborny) [Orabug: 21539654] - i40e: only report generic filters in get_ts_info (Jacob Keller) [Orabug: 21539654] - i40e/i40evf: Bump version to 1.3.6 for i40e and 1.3.2 for i40evf (Catherine Sullivan) [Orabug: 21539654] - i40e: Refine an error message to avoid confusion (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add support for pre-allocated pages for PD (Faisal Latif) [Orabug: 21539654] - i40evf: add MAC address filter in open, not init (Mitch Williams) [Orabug: 21539654] - i40evf: dont delete all the filters (Mitch Williams) [Orabug: 21539654] - i40e: un-disable VF after reset (Mitch Williams) [Orabug: 21539654] - i40e: do a proper reset when disabling a VF (Mitch Williams) [Orabug: 21539654] - i40e: correctly program filters for VFs (Mitch Williams) [Orabug: 21539654] - i40e/i40evf: Update the admin queue command header (Greg Rose) [Orabug: 21539654] - i40e: ignore duplicate port VLAN requests (Mitch Williams) [Orabug: 21539654] - i40evf: Allow for an abundance of vectors (Mitch Williams) [Orabug: 21539654] - i40e/i40evf: Update Flex-10 related device/function capabilities (Pawel Orlowski) [Orabug: 21539654] - i40e/i40evf: Add stats to track FD ATR and SB dynamic enable state (Anjali Singhai Jain) [Orabug: 21539654] - i40evf: dont configure unused RSS queues (Mitch Williams) [Orabug: 21539654] - i40evf: fix panic during MTU change (Mitch Williams) [Orabug: 21539654] - i40e: Bump version to 1.3.4 (Catherine Sullivan) [Orabug: 21539654] - i40e/i40evf: remove time_stamp member (Jesse Brandeburg) [Orabug: 21539654] - i40e/i40evf: force inline transmit functions (Jesse Brandeburg) [Orabug: 21539654] - i40e: Move the FD ATR/SB messages to a higher debug level (Anjali Singhai Jain) [Orabug: 21539654] - i40e: fix unrecognized FCOE EOF case (Vasu Dev) [Orabug: 21539654] - i40e: Remove unnecessary pf members (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add stats to count Tunnel ATR hits (Anjali Singhai Jain) [Orabug: 21539654] - i40e/i40evf: Add ATR support for tunneled TCP/IPv4/IPv6 packets. (Anjali Singhai Jain) [Orabug: 21539654] - i40e: Disable offline diagnostics if VFs are enabled (Greg Rose) [Orabug: 21539654] - i40e: Collect PFC XOFF RX stats even in single TC case (Neerav Parikh) [Orabug: 21539654] - i40e/i40evf: Fix mixed size frags and linearization (Anjali Singhai Jain) [Orabug: 21539654] [3.8.13-111] - qla2xxx: Update driver version to 8.07.00.26.39.0-k. (Sawan Chandak) [Orabug: 21946579] - qla2xxx: Add pci device id 0x2261. (Sawan Chandak) [Orabug: 21946579] - qla2xxx: Fix missing device login retries. (Arun Easi) [Orabug: 21946579] - qla2xxx: do not clear slot in outstanding cmd array (Himanshu Madhani) [Orabug: 21946579] - qla2xxx: Remove decrement of sp reference count in abort handler. (Chad Dupuis) [Orabug: 21946579] - qla2xxx: Add support to show MPI and PEP FW version for ISP27xx. (Sawan Chandak) [Orabug: 21946579] - qla2xxx: Do not reset ISP for error entry with an out of range handle. (Chad Dupuis) [Orabug: 21946579] - qla2xxx: Do not reset adapter if SRB handle is in range. (Chad Dupuis) [Orabug: 21946579] - qla2xxx: Do not crash system for sp ref count zero (Hiral Patel) [Orabug: 21946579] - qla2xxx: Pause risc before manipulating risc semaphore. (Joe Carnuccio) [Orabug: 21946579] - qla2xxx: Use ssdid to gate semaphore manipulation. (Joe Carnuccio) [Orabug: 21946579] - qla2xxx: Handle AEN8014 incoming port logout. (Joe Carnuccio) [Orabug: 21946579] - qla2xxx: Add serdes register read/write support for ISP25xx. (Joe Carnuccio) [Orabug: 21946579] - qla2xxx: Remove dead code (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Remove a superfluous test (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Avoid that sparse complains about duplicate [noderef] attributes (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Remove __constant_ prefix (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Replace two macros with an inline function (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Remove set-but-not-used variables (Bart Van Assche) [Orabug: 21946579] - qla2xxx: Declare local functions static (Bart Van Assche) [Orabug: 21946579] - bnx2i: rebase 2.11.2.0 (Brian Maly) [Orabug: 21955132] - bnx2fc: update to 2.9.6 (Brian Maly) [Orabug: 21955132] - bnx2x: update to 1.713.01 (Brian Maly) [Orabug: 21955132] - bnx2: update to 2.2.5p (Brian Maly) [Orabug: 21955132] [3.8.13-110] - xen-netfront: respect user provided max_queues (Wei Liu) [Orabug: 21976319] - net/xen-netfront: only napi_synchronize() if running (Chas Williams) [Orabug: 21976319] - net/xen-netfront: only clean up queues if present (Chas Williams) [Orabug: 21976319] - xen-netfront: Remove the meaningless code (Li, Liang Z) [Orabug: 21976319] - net/xen-netfront: Correct printf format in xennet_get_responses (Julien Grall) [Orabug: 21976319] - xen-netfront: properly destroy queues when removing device (David Vrabel) [Orabug: 21976319] - xen-netfront: Use setup_timer (Vaishali Thakkar) [Orabug: 21976319] - xen-netfront: transmit fully GSO-sized packets (Jonathan Davies) [Orabug: 21976319] - xen-netfront: Use static attribute groups for sysfs entries (Takashi Iwai) [Orabug: 21976319] - xen-netfront: use different locks for Rx and Tx stats (David Vrabel) [Orabug: 21976319] - xen-netfront: refactor making Tx requests (David Vrabel) [Orabug: 21976319] - xen-netfront: refactor skb slot counting (David Vrabel) [Orabug: 21976319] - drivers: net: xen-netfront: remove residual dead code (Vincenzo Maffione) [Orabug: 21976319] - xen-netfront: use napi_complete() correctly to prevent Rx stalling (David Vrabel) [Orabug: 21976319] - xen-netfront: always keep the Rx ring full of requests (David Vrabel) [Orabug: 21976319] - xen-netback: respect user provided max_queues (Wei Liu) [Orabug: 21976319] - xen-netback: require fewer guest Rx slots when not using GSO (David Vrabel) [Orabug: 21976319] - xen/netback: Wake dealloc thread after completing zerocopy work (Ross Lagerwall) [Orabug: 21976319] - xen-netback: Allocate fraglist early to avoid complex rollback (Ross Lagerwall) [Orabug: 21976319] - net/xen-netback: off by one in BUG_ON() condition (Dan Carpenter) [Orabug: 21976319] - xen-netback: remove duplicated function definition (Li, Liang Z) [Orabug: 21976319] - xen-netback: fix a BUG() during initialization (Palik, Imre) [Orabug: 21976319] - net/xen-netback: Dont mix hexa and decimal with 0x in the printf format (Julien Grall) [Orabug: 21976319] - net/xen-netback: Remove unused code in xenvif_rx_action (Julien Grall) [Orabug: 21976319] - xen: netback: read hotplug script once at start of day. (Ian Campbell) [Orabug: 21976319] - xen: netback: fix printf format string warning (Ian Campbell) [Orabug: 21976319] - xen/netback: Properly initialize credit_bytes (Ross Lagerwall) [Orabug: 21976319] - net:xen-netback - Change 1 to true for bool type variable. (Shailendra Verma) [Orabug: 21976319] - xen-netback: notify immediately after pushing Tx response. (David Vrabel) [Orabug: 21976319] - xen-netback: making the bandwidth limiter runtime settable (Palik, Imre) [Orabug: 21976319] - xen-netback: refactor xenvif_handle_frag_list() (David Vrabel) [Orabug: 21976319] - xen-netback: return correct ethtool stats (David Vrabel) [Orabug: 21976319] - xen-netback: release pending index before pushing Tx responses (David Vrabel) [Orabug: 21976319] - xen-netback: fix sparse warning (Lad, Prabhakar) [Orabug: 21976319] - xen-netback: always fully coalesce guest Rx packets (David Vrabel) [Orabug: 21976319] - xen-netback: stop the guest rx thread after a fatal error (David Vrabel) [Orabug: 21976319] - xen-netback: fixing the propagation of the transmit shaper timeout (Palik, Imre) [Orabug: 21976319] - xen-netback: support frontends without feature-rx-notify again (David Vrabel) [Orabug: 21976319] - netback: dont store invalid vif pointer (Jan Beulich) [Orabug: 21976319] - xen-netback: do not report success if backend_create_xenvif() fails (Alexey Khoroshilov) [Orabug: 21976319] - xen-netback: remove unconditional __pskb_pull_tail() in guest Tx path (Malcolm Crossley) [Orabug: 21976319] - xen-netback: reintroduce guest Rx stall detection (David Vrabel) [Orabug: 21976319] - xen-netback: fix unlimited guest Rx internal queue and carrier flapping (David Vrabel) [Orabug: 21976319] - xen-netback: make feature-rx-notify mandatory (David Vrabel) [Orabug: 21976319] - xen-netback: Remove __GFP_COLD (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Disable NAPI after disabling interrupts (Zoltan Kiss) [Orabug: 21976319] - xen-netback: move netif_napi_add before binding interrupt (Wei Liu) [Orabug: 21976319] - xen-netback: remove loop waiting function (Wei Liu) [Orabug: 21976319] - xen-netback: dont stop dealloc kthread too early (Wei Liu) [Orabug: 21976319] - xen-netback: move NAPI add/remove calls (Wei Liu) [Orabug: 21976319] - xen-netback: fix debugfs entry creation (Wei Liu) [Orabug: 21976319] - xen-netback: fix debugfs write length check (Wei Liu) [Orabug: 21976319] - xen-netback: Dont deschedule NAPI when carrier off (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Fix vif->disable handling (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Turn off the carrier if the guest is not able to receive (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Using a new state bit instead of carrier (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Fix pointer incrementation to avoid incorrect logging (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Fix releasing header slot on error path (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Fix releasing frag_list skbs in error path (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Fix handling frag_list on grant op error path (Zoltan Kiss) [Orabug: 21976319] - xen-netback: Adding debugfs 'io_ring_qX' files (Zoltan Kiss) [Orabug: 21976319] [3.8.13-109] - mm: check if section present during memory block registering (Yinghai Lu) [Orabug: 20382859] - be2net: post buffers before destroying RXQs in Lancer (Kalesh AP) - be2net: enable IFACE filters only after creating RXQs (Kalesh AP) - be2net: bump up the driver version to 10.6.0.3 (Sathya Perla) - be2net: make SET_LOOPBACK_MODE cmd asynchrounous (Suresh Reddy) - be2net: return error status from be_mcc_notify() (Suresh Reddy) - ipoib/ib: fix merge of Orabug 19468224 fix from uek2 into uek3 resulting in ipoib not functioning. (Rama Nichanamatlu) [Orabug: 21897912] - mlx4: indicate memory resource exhaustion (Ajaykumar Hotchandani) [Orabug: 21549766] - be2iscsi: Bump the driver version (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi: Fix updating the next pointer during WRB posting (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi: add obsolete warning messages (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi: ownership change (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi: update MAINTAINERS list (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi : Logout of FW Boot Session (Jitendra Bhivare) [Orabug: 21903294] - be2iscsi : Fix memory check before unmapping. (Jitendra Bhivare) [Orabug: 21903294] [3.8.13-108] - prevent spurious PMU NMIs on Haswell systems (Dan Duval) [Orabug: 21616327] - sched/x86: Fix up typo in topology detection (Dave Hansen) [Orabug: 21662502] - mlx4_ib: Memory leak on Dom0 with SRIOV. (Venkat Venkatsubra) [Orabug: 21675212] - mlx4_core: On CQ access violation print syndrome and vendor_error_syndrome (Venkat Venkatsubra) [Orabug: 21675224] - IB/ipoib: Disable TSO in connected mode (Yuval Shaia) [Orabug: 21684386] - xen/blkfront: remove redundant flush_op (Vitaly Kuznetsov) [Orabug: 21833822] - xen/blkfront: improve protection against issuing unsupported REQ_FUA (Vitaly Kuznetsov) [Orabug: 21833822] [3.8.13-107] - sctp: fix ASCONF list handling (Marcelo Ricardo Leitner) [Orabug: 21842665] {CVE-2015-3212} - KEYS: ensure we free the assoc array edit if edit is valid (Colin Ian King) [Orabug: 21842653] {CVE-2015-1333} [3.8.13-106] - NVMe: Setup max hardware sector count to 512KB (Santosh Shilimkar) [Orabug: 21818575] - Btrfs: optimize the error handling of use_block_rsv() (Ashish Samant) [Orabug: 21539248] - xen-blkfront: introduce blkfront_gather_backend_features() (Bob Liu) [Orabug: 21825900] - iw/rds: fixed big endianness conversion issue for dp->dp_ack_seq (Qing Huang) [Orabug: 21825863] - bonding: change error message to debug message in bond_release (Wengang Wang) [Orabug: 21825838] [3.8.13-105] - rds: make sure base connection is up on both sides (Ajaykumar Hotchandani) [Orabug: 21439115] - IB/ipoib: Disable TSO in connected mode (Yuval Shaia) [Orabug: 21439115] - ib/rds: fixed big endianness conversion issue for dp->dp_ack_seq (Qing Huang) [Orabug: 21439115] - ib/rds: fixed crashes caused by incoming requests with wrong destination (Qing Huang) [Orabug: 21439115] - RDS: Handle RDMA_CM_EVENT_TIMEWAIT_EXIT (Venkat Venkatsubra) [Orabug: 21439115] - RDS/IP: RDS takes 10 seconds to plumb the second IP back (Mukesh Kacker) [Orabug: 21439115] - RDS/IB: Tune failover-on-reboot scheduling (Mukesh Kacker) [Orabug: 21439115] - RDS: mark netdev UP for intfs added post module load (Mukesh Kacker) [Orabug: 21439115] - rds: fix list corruption and tx hang when netfilter is used (shamir rabinovitch) [Orabug: 21439115] - RDS: move more queing for loopback connections to separate queue (Mukesh Kacker) [Orabug: 21439115] - IPoIB/pkey: delete_child should only delete create_child devices (Mukesh Kacker) [Orabug: 21439115] - IB/ipoib: order:1 failure in ipoib_cm_alloc_rx_skb causes softlockup (Rama Nichanamatlu) [Orabug: 21439115] - rds: fix NULL pointer dereference panic during rds module unload (Rama Nichanamatlu) [Orabug: 21439115] - RDS:active bonding: disable failover across HCAs(failover groups) (Mukesh Kacker) [Orabug: 21439115] - RDS/IB: active bonding - failover down interfaces on reboot. (Guangyu Sun) [Orabug: 21439115] - RFE: remove pkey coupling to device name (Mukesh Kacker) [Orabug: 21439115] - RDS/IB: Remove dangling rcu_read_unlock() and other cleanups (Mukesh Kacker) [Orabug: 21439115] - rds: new extension header: rdma bytes (Shamir Rabinovitch) [Orabug: 21439115] - RDS: Ensure non-zero SL uses correct path before lane 0 connection is dropped (Ajaykumar Hotchandani) [Orabug: 21439115] - iser: handle RDMA_CM_EVENT_TIMEWAIT_EXIT in iser code (Shamir Rabinovitch) [Orabug: 21439115] - RDS: active bonding - failover/failback only to matching pkey (Mukesh Kacker) [Orabug: 21439115] - RDS: active bonding - ports may not failback if all ports go down (Mukesh Kacker) [Orabug: 21439115] - RDS: Use rds_local_wq for loopback connections in rds_conn_connect_if_down() (Chien-Hua Yen) [Orabug: 21439115] - RDS: add workqueue for local loopback connections (Chien-Hua Yen) [Orabug: 21439115] - APM/cma: Kernel panic during IB port failover test (Chien-Hua Yen) [Orabug: 21439115] - RDS: SA query optimization (Bang Nguyen) [Orabug: 21439115] - RDS: Remove cond_resched() in RX tasklet (Bang Nguyen) [Orabug: 21439115] - RDS: Replace queue_work() by cond_resched() in the tasklet to breakup RX stream (Bang Nguyen) [Orabug: 21439115] - RDS: looping to reap cq recv queue in rds_conn_shutdown (Chien-Hua Yen) [Orabug: 21439115] - rds: Fix regression in dynamic active bonding configuration (Bang Nguyen) [Orabug: 21439115] - RDS: Idle QoS connections during remote peer reboot causing application brownout (Chien-Hua Yen) [Orabug: 21439115] - rds: dynamic active bonding configuration (Bang Nguyen) [Orabug: 21439115] - RDS: active bonding needs to set brcast and mask for its primary interface (Chien-Hua Yen) [Orabug: 21439115] - (REAPPLY!) rds: limit the size allocated by rds_message_alloc() (Cong Wang) [Orabug: 21439115] - xen/events: Set irq_info->evtchn before binding the channel to CPU in __startup_pirq() (Boris Ostrovsky) [Orabug: 20891536] - xen/console: Update console event channel on resume (Boris Ostrovsky) [Orabug: 20891536] - xen/xenbus: Update xenbus event channel on resume (Boris Ostrovsky) [Orabug: 20891536] - xen/events: Clear cpu_evtchn_mask before resuming (Boris Ostrovsky) [Orabug: 20891536] - x86/efi: Quirk out SGI UV (Borislav Petkov) [Orabug: 21771830] - oracleasm: Classify device connectivity issues as global errors (Martin K. Petersen) [Orabug: 21760144] - IB/ipoib: Potential false positive with peer support for ib-crc-as-csum (Yuval Shaia) [Orabug: 21684866] [3.8.13-104] - idr: fix unexpected ID-removal when idr_remove(unallocated_id) (Lai Jiangshan) [Orabug: 21684956] - idr: remove WARN_ON_ONCE() on negative IDs (Tejun Heo) [Orabug: 21684956] - ipc,shm: fix shm_file deletion races (Greg Thelen) [Orabug: 21684956] - rds_rdma: setup connection before rds_cmsg_send (Wengang Wang) [Orabug: 21683962] - mm/hugetlb: Add locking to region_{add,change,truncate,count} when using shared files with hugepages (Mike Kravetz) [Orabug: 21683388] [3.8.13-103] - xen-netback: unref frags when handling a from-guest skb with a frag list (David Vrabel) [Orabug: 21571556] [3.8.13-102] - megaraid_sas : Firmware crash dump feature support (Sumit.Saxena@avagotech.com) [Orabug: 21660728] - NVMe: Use pci_stop_and_remove_bus_device_locked() (Keith Busch) [Orabug: 21576939] - xen/pciback: Dont print scary messages when unsupported by hypervisor. (Konrad Rzeszutek Wilk) [Orabug: 21660162] - config: ol7: enable teaming driver build (Guangyu Sun) [Orabug: 21517939] - config: enable CONFIG_CHELSIO_T4VF option (Guangyu Sun) [Orabug: 21500967] - ext4: fix warning in ext4_da_update_reserve_space() (Jan Kara) [Orabug: 21621299] - ext4: remove unused variable in ext4_free_blocks() (Lukas Czerner) [Orabug: 21621299] - quota: provide interface for readding allocated space into reserved space (Jan Kara) [Orabug: 21621299] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-1805 CVE-2014-7822 CVE-2015-6937 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-118.2.1] - ipc/sem.c: fully initialize sem_array before making it visible (Manfred Spraul) [Orabug: 22277382] {CVE-2015-7613} - ipc: fix msg newqueue add (Guru Anbalagane) [Orabug: 22277382] {CVE-2015-7613} [3.8.13-118.1.1] - sctp: fix race on protocol/netns initialization (Marcelo Ricardo Leitner) [Orabug: 22249981] {CVE-2015-5283} - Initialize msg/shm IPC objects before doing ipc_addid() (Linus Torvalds) [Orabug: 22250045] {CVE-2015-7613} - ixgbe: reset copper phy power mode (Ethan Zhao) [Orabug: 22271769] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5283 CVE-2015-7613 Oracle Linux 6 Oracle Linux 7 kernel-uek [3.8.13-118.2.2] - KVM: svm: unconditionally intercept #DB (Paolo Bonzini) [Orabug: 22333698] {CVE-2015-8104} - KVM: x86: work around infinite loop in microcode when #AC is delivered (Eric Northup) [Orabug: 22333689] {CVE-2015-5307} {CVE-2015-5307} - KVM: x86: Defining missing x86 vectors (Nadav Amit) [Orabug: 22333689] IMPORTANT Copyright 2015 Oracle, Inc. CVE-2015-5307 CVE-2015-8104