Oracle Linux Security Advisory ELSA-2024-11486

http://linux.oracle.com/errata/ELSA-2024-11486.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-7.4.0-503.19.1.el9_5.x86_64.rpm
kernel-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-abi-stablelists-5.14.0-503.19.1.el9_5.noarch.rpm
kernel-core-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-core-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-devel-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-devel-matched-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-modules-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-modules-core-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-modules-extra-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-debug-uki-virt-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-devel-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-devel-matched-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-doc-5.14.0-503.19.1.el9_5.noarch.rpm
kernel-headers-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-modules-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-modules-core-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-modules-extra-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-tools-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-tools-libs-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-uki-virt-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-uki-virt-addons-5.14.0-503.19.1.el9_5.x86_64.rpm
perf-5.14.0-503.19.1.el9_5.x86_64.rpm
python3-perf-5.14.0-503.19.1.el9_5.x86_64.rpm
rtla-5.14.0-503.19.1.el9_5.x86_64.rpm
rv-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-cross-headers-5.14.0-503.19.1.el9_5.x86_64.rpm
kernel-tools-libs-devel-5.14.0-503.19.1.el9_5.x86_64.rpm
libperf-5.14.0-503.19.1.el9_5.x86_64.rpm

aarch64:
bpftool-7.4.0-503.19.1.el9_5.aarch64.rpm
kernel-headers-5.14.0-503.19.1.el9_5.aarch64.rpm
kernel-tools-5.14.0-503.19.1.el9_5.aarch64.rpm
kernel-tools-libs-5.14.0-503.19.1.el9_5.aarch64.rpm
perf-5.14.0-503.19.1.el9_5.aarch64.rpm
python3-perf-5.14.0-503.19.1.el9_5.aarch64.rpm
rtla-5.14.0-503.19.1.el9_5.aarch64.rpm
rv-5.14.0-503.19.1.el9_5.aarch64.rpm
kernel-cross-headers-5.14.0-503.19.1.el9_5.aarch64.rpm
kernel-tools-libs-devel-5.14.0-503.19.1.el9_5.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//kernel-5.14.0-503.19.1.el9_5.src.rpm

Related CVEs:
CVE-2024-27399
CVE-2024-38564
CVE-2024-45020
CVE-2024-46697
CVE-2024-47675
CVE-2024-49888
CVE-2024-50099
CVE-2024-50110
CVE-2024-50115
CVE-2024-50124
CVE-2024-50125
CVE-2024-50142
CVE-2024-50148
CVE-2024-50192
CVE-2024-50223
CVE-2024-50255
CVE-2024-50262

Description of changes:

[5.14.0-503.19.1.el9_5.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-503.19.1.el9_5]
- xfrm: validate new SA's prefixlen using SA family when sel.family is unset (Sabrina Dubroca) [RHEL-66462 RHEL-66461] {CVE-2024-50142}
- xfrm: fix one more kernel-infoleak in algo dumping (CKI Backport Bot) [RHEL-65960] {CVE-2024-50110}
- Revert "Merge: [qed] softlockup triggered by ethtool -d [rhel-9.5.z]" (Lucas Zampieri) [RHEL-61705]
- tracing/hwlat: Fix a race during cpuhp processing (Tomas Glozar) [RHEL-69468]
- tracing/timerlat: Fix a race during cpuhp processing (Tomas Glozar) [RHEL-69468] {CVE-2024-49866}
- tracing/timerlat: Drop interface_lock in stop_kthread() (Tomas Glozar) [RHEL-69468]
- tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline (Tomas Glozar) [RHEL-69468]
- ceph: remove the incorrect Fw reference check when dirtying pages (Xiubo Li) [RHEL-61416 RHEL-60255]

[5.14.0-503.18.1.el9_5]
- bpf: Fix a kernel verifier crash in stacksafe() (CKI Backport Bot) [RHEL-66097 RHEL-66098] {CVE-2024-45020}
- bpf: Fix a sdiv overflow issue (CKI Backport Bot) [RHEL-64598 RHEL-64597] {CVE-2024-49888}
- bpf: Fix out-of-bounds write in trie_get_next_key() (CKI Backport Bot) [RHEL-66877] {CVE-2024-50262}
- bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() (CKI Backport Bot) [RHEL-63331] {CVE-2024-47675}
- nfsd: ensure that nfsd4_fattr_args.context is zeroed out (Jay Shin) [RHEL-58884 RHEL-58883] {CVE-2024-46697}
- KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (Jon Maloy) [RHEL-65872] {CVE-2024-50115}
- net: tighten bad gso csum offset check in virtio_net_hdr (Guillaume Nault) [RHEL-67683]
- udp: fix receiving fraglist GSO packets (Guillaume Nault) [RHEL-67683]
- Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (CKI Backport Bot) [RHEL-66804] {CVE-2024-50255}
- Bluetooth: ISO: Fix UAF on iso_sock_timeout (Bastien Nocera) [RHEL-66321] {CVE-2024-50124}
- Bluetooth: SCO: Fix UAF on sco_sock_timeout (Bastien Nocera) [RHEL-65928] {CVE-2024-50125}
- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout (Bastien Nocera) [RHEL-65928] {CVE-2024-27398}
- bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE (CKI Backport Bot) [RHEL-44173] {CVE-2024-38564}
- Bluetooth: bnep: fix wild-memory-access in proto_unregister (CKI Backport Bot) [RHEL-66365] {CVE-2024-50148}
- Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout (CKI Backport Bot) [RHEL-57716 RHEL-36374] {CVE-2024-27399}

[5.14.0-503.17.1.el9_5]
- arm64: probes: Remove broken LDR (literal) uprobe support (CKI Backport Bot) [RHEL-66046] {CVE-2024-50099}
- qed: put cond_resched() in qed_dmae_operation_wait() (Michal Schmidt) [RHEL-61705 RHEL-6372]
- qed: allow the callee of qed_mcp_nvm_read() to sleep (Michal Schmidt) [RHEL-61705 RHEL-6372]
- qed: put cond_resched() in qed_grc_dump_ctx_data() (Michal Schmidt) [RHEL-61705 RHEL-6372]
- qed: make 'ethtool -d' 10 times faster (Michal Schmidt) [RHEL-61705 RHEL-6372]
- qed: allow sleep in qed_mcp_trace_dump() (Michal Schmidt) [RHEL-61705 RHEL-6372]
- sched/numa: Fix the potential null pointer dereference in task_numa_work() (CKI Backport Bot) [RHEL-66810] {CVE-2024-50223}
- irqchip/gic-v4: Correctly deal with set_affinity on lazily-mapped VPEs (Charles Mirabile) [RHEL-66969] {CVE-2024-50192}
- irqchip/gic-v4: Don't allow a VMOVP on a dying VPE (Charles Mirabile) [RHEL-66969] {CVE-2024-50192}
- perf/x86/intel/uncore: Support HBM and CXL PMON counters (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Cleanup unused unit structure (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Apply the unit control RB tree to PCI uncore units (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Apply the unit control RB tree to MSR uncore units (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Retrieve the unit ID from the unit control RB tree (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Support per PMU cpumask (Michael Petlan) [RHEL-65856]
- perf/x86/uncore: Save the unit control address of all units (Michael Petlan) [RHEL-65856]