Oracle Linux Security Advisory ELSA-2024-8617

http://linux.oracle.com/errata/ELSA-2024-8617.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-7.3.0-427.42.1.el9_4.x86_64.rpm
kernel-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-abi-stablelists-5.14.0-427.42.1.el9_4.noarch.rpm
kernel-core-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-core-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-modules-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-debug-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-doc-5.14.0-427.42.1.el9_4.noarch.rpm
kernel-headers-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-modules-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-tools-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-tools-libs-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm
perf-5.14.0-427.42.1.el9_4.x86_64.rpm
python3-perf-5.14.0-427.42.1.el9_4.x86_64.rpm
rtla-5.14.0-427.42.1.el9_4.x86_64.rpm
rv-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-cross-headers-5.14.0-427.42.1.el9_4.x86_64.rpm
kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.x86_64.rpm
libperf-5.14.0-427.42.1.el9_4.x86_64.rpm

aarch64:
bpftool-7.3.0-427.42.1.el9_4.aarch64.rpm
kernel-headers-5.14.0-427.42.1.el9_4.aarch64.rpm
kernel-tools-5.14.0-427.42.1.el9_4.aarch64.rpm
kernel-tools-libs-5.14.0-427.42.1.el9_4.aarch64.rpm
perf-5.14.0-427.42.1.el9_4.aarch64.rpm
python3-perf-5.14.0-427.42.1.el9_4.aarch64.rpm
kernel-cross-headers-5.14.0-427.42.1.el9_4.aarch64.rpm
kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//kernel-5.14.0-427.42.1.el9_4.src.rpm

Related CVEs:

CVE-2021-47383
CVE-2024-2201
CVE-2024-26640
CVE-2024-26826
CVE-2024-26923
CVE-2024-26935
CVE-2024-26961
CVE-2024-36244
CVE-2024-39472
CVE-2024-39504
CVE-2024-40904
CVE-2024-40931
CVE-2024-40960
CVE-2024-40972
CVE-2024-40977
CVE-2024-40995
CVE-2024-40998
CVE-2024-41005
CVE-2024-41013
CVE-2024-41014
CVE-2024-43854
CVE-2024-45018




Description of changes:

[5.14.0-427.42.1.el9_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-427.42.1.el9_4]
- redhat/configs: Add CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI retpoline check (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Clarify that syscall hardening isn't a BHI mitigation (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI handling of RRSBA (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr' (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix BHI documentation (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Fix return type of spectre_bhi_state() (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Make CONFIG_SPECTRE_BHI_ON the default (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- KVM: x86: Add BHI_NO (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Mitigate KVM by default (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Add BHI mitigation knob (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Enumerate Branch History Injection (BHI) bug (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Define SPEC_CTRL_BHI_DIS_S (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bhi: Add support for clearing branch history at syscall entry (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- perf/x86/amd/lbr: Use freeze based on availability (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- Documentation/kernel-parameters: Add spec_rstack_overflow to mitigations=off (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201}
- KVM: x86: Use a switch statement and macros in __feature_translate() (Maxim Levitsky) [RHEL-45492 RHEL-32430]
- KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace (Maxim Levitsky) [RHEL-45492 RHEL-32430]
- x86/entry/32: Convert do_fast_syscall_32() to bool return type (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- x86/entry: Add do_SYSENTER_32() prototype (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- x86/bugs: Reset speculation control settings on init (Prarit Bhargava) [RHEL-45492 RHEL-25415]
- mpls: Reduce skb re-allocations due to skb_cow() (Guillaume Nault) [RHEL-61696 RHEL-55145]
- scsi: core: Fix unremoved procfs host directory regression (Ewan D. Milne) [RHEL-39539 RHEL-39601 RHEL-33543 RHEL-35000] {CVE-2024-26935}
- tty: Fix out-of-bound vmalloc access in imageblit (Andrew Halaney) [RHEL-42095 RHEL-24205] {CVE-2021-47383}
- block: initialize integrity buffer to zero before writing it to media (Ming Lei) [RHEL-54769 RHEL-54768] {CVE-2024-43854}
- block: cleanup bio_integrity_prep (Ming Lei) [RHEL-54769 RHEL-25988]
- block: refactor to use helper (Ming Lei) [RHEL-54769 RHEL-25988]
- ceph: fix cap ref leak via netfs init_request (Patrick Donnelly) [RHEL-62666 RHEL-61459]
- redhat/configs: Enable CONFIG_OCTEON_EP_VF (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add ethtool support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add Tx/Rx processing and interrupt support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add support for ndo ops (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add Tx/Rx ring resource setup and cleanup (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add VF-PF mailbox communication. (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: add hardware configuration APIs (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep_vf: Add driver framework and device initialization (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: support firmware notifications for VFs (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: control net framework to support VF offloads (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: PF-VF mailbox version support (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- octeon_ep: add PF-VF mailbox communication (CKI Backport Bot) [RHEL-61744 RHEL-25860]
- x86/mm/ident_map: Use gbpages only where full GB page should be mapped. (Chris von Recklinghausen) [RHEL-62209 RHEL-26268]
- netfilter: nfnetlink_queue: un-break NF_REPEAT (Phil Sutter) [RHEL-62299]

[5.14.0-427.41.1.el9_4]
- iommu/amd: Fix panic accessing amd_iommu_enable_faulting (Jerry Snitselaar) [RHEL-55507 RHEL-37320 RHEL-40344]
- iommu/vt-d: Allocate DMAR fault interrupts locally (Jerry Snitselaar) [RHEL-55507 RHEL-28780]
- netfilter: nft_inner: validate mandatory meta and payload (Phil Sutter) [RHEL-47488 RHEL-47486] {CVE-2024-39504}
- netfilter: flowtable: initialise extack before use (CKI Backport Bot) [RHEL-58546 RHEL-58544] {CVE-2024-45018}
- ext4: do not create EA inode under buffer lock (Carlos Maiolino) [RHEL-48285 RHEL-48282] {CVE-2024-40972}
- ext4: fold quota accounting into ext4_xattr_inode_lookup_create() (Carlos Maiolino) [RHEL-48285 RHEL-48282] {CVE-2024-40972}
- ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (Carlos Maiolino) [RHEL-48519 RHEL-48517] {CVE-2024-40998}
- ext4: turn quotas off if mount failed after enabling quotas (Carlos Maiolino) [RHEL-48519 RHEL-48517] {CVE-2024-40998}
- mptcp: fix data re-injection from stale subflow (Davide Caratti) [RHEL-59920 RHEL-32669] {CVE-2024-26826}
- xfs: add bounds checking to xlog_recover_process_data (CKI Backport Bot) [RHEL-50864 RHEL-50862] {CVE-2024-41014}
- af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). (Davide Caratti) [RHEL-42771 RHEL-33410]
- af_unix: Fix garbage collector racing against connect() (Davide Caratti) [RHEL-42771 RHEL-33410] {CVE-2024-26923}
- af_unix: fix lockdep positive in sk_diag_dump_icons() (Davide Caratti) [RHEL-42771 RHEL-33410]
- xfs: don't walk off the end of a directory data block (CKI Backport Bot) [RHEL-50887 RHEL-50885] {CVE-2024-41013}
- ipv6: prevent possible NULL dereference in rt6_probe() (Hangbin Liu) [RHEL-48161 RHEL-45826] {CVE-2024-40960}
- mac802154: fix llsec key resources release in mac802154_llsec_key_del (Steve Best) [RHEL-42795 RHEL-34969] {CVE-2024-26961}
- mptcp: ensure snd_una is properly initialized on connect (Florian Westphal) [RHEL-47945 RHEL-47943] {CVE-2024-40931}
- USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CKI Backport Bot) [RHEL-47560 RHEL-47558] {CVE-2024-40904}
- nvme-multipath: fix io accounting on failover (John Meneghini) [RHEL-59646 RHEL-56635]
- nvme: fix multipath batched completion accounting (John Meneghini) [RHEL-59646 RHEL-56635]
- xfs: fix log recovery buffer allocation for the legacy h_size fixup (Bill O'Donnell) [RHEL-46481 RHEL-46479] {CVE-2024-39472}
- tcp: add sanity checks to rx zerocopy (Paolo Abeni) [RHEL-58403 RHEL-29496] {CVE-2024-26640}
- netpoll: Fix race condition in netpoll_owner_active (CKI Backport Bot) [RHEL-49373 RHEL-49371] {CVE-2024-41005}
- wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (CKI Backport Bot) [RHEL-48321 RHEL-48319] {CVE-2024-40977}
- smb: client: fix hang in wait_for_response() for negproto (Jay Shin) [RHEL-61606 RHEL-57983]
- NFSv4.1/pnfs: fix NFS with TLS in pnfs (Benjamin Coddington) [RHEL-61467 RHEL-34576]
- ceph: remove the incorrect Fw reference check when dirtying pages (Xiubo Li) [RHEL-61415 RHEL-60255]
- net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (Davide Caratti) [RHEL-48483 RHEL-44375] {CVE-2024-40995}
- net/sched: taprio: extend minimum interval restriction to entire cycle too (Davide Caratti) [RHEL-44377 RHEL-44375] {CVE-2024-36244}
- net/sched: taprio: make q->picos_per_byte available to fill_sched_entry() (Davide Caratti) [RHEL-44377 RHEL-44375] {CVE-2024-36244}


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata

Oracle9: ELSA-2024-8617: kernel security Moderate Security Advisory Updates

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

Summary

[5.14.0-427.42.1.el9_4.OL9] - Disable UKI signing [Orabug: 36571828] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5] - Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] - Add Oracle Linux IMA certificates [5.14.0-427.42.1.el9_4] - redhat/configs: Add CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201} - x86/bugs: Fix BHI retpoline check (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201} - x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201} - x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (Waiman Long) [RHEL-45492 RHEL-28203] {CVE-2024-2201} - x86/bugs: Clarify that syscall hardening...

Read the Full Advisory

SRPMs

http://oss.oracle.com/ol9/SRPMS-updates//kernel-5.14.0-427.42.1.el9_4.src.rpm

x86_64

bpftool-7.3.0-427.42.1.el9_4.x86_64.rpm kernel-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-abi-stablelists-5.14.0-427.42.1.el9_4.noarch.rpm kernel-core-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-core-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-devel-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-modules-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-debug-uki-virt-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-devel-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-devel-matched-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-doc-5.14.0-427.42.1.el9_4.noarch.rpm kernel-headers-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-modules-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-modules-core-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-modules-extra-5.14.0-427.42.1.el9_4.x86_64.rpm kernel-tools-5.14.0-427.42.1.el9...

Read the Full Advisory

aarch64

bpftool-7.3.0-427.42.1.el9_4.aarch64.rpm kernel-headers-5.14.0-427.42.1.el9_4.aarch64.rpm kernel-tools-5.14.0-427.42.1.el9_4.aarch64.rpm kernel-tools-libs-5.14.0-427.42.1.el9_4.aarch64.rpm perf-5.14.0-427.42.1.el9_4.aarch64.rpm python3-perf-5.14.0-427.42.1.el9_4.aarch64.rpm kernel-cross-headers-5.14.0-427.42.1.el9_4.aarch64.rpm kernel-tools-libs-devel-5.14.0-427.42.1.el9_4.aarch64.rpm

i386

Severity
Related CVEs: CVE-2021-47383 CVE-2024-2201 CVE-2024-26640 CVE-2024-26826 CVE-2024-26923 CVE-2024-26935 CVE-2024-26961 CVE-2024-36244 CVE-2024-39472 CVE-2024-39504 CVE-2024-40904 CVE-2024-40931 CVE-2024-40960 CVE-2024-40972 CVE-2024-40977 CVE-2024-40995 CVE-2024-40998 CVE-2024-41005 CVE-2024-41013 CVE-2024-41014 CVE-2024-43854 CVE-2024-45018

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved