[ELSA-2018-4025] Unbreakable Enterprise kernel security update

Severity Important

Affected Packages 12

CVEs 7

[4.1.12-112.14.14]
- drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 27234850] [Orabug: 27234850]

- hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 26988581]

- x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Dont try to change IBRS mode if IBRS is not available (Boris Ostrovsky) [Orabug: 27416198]

- x86/IBRS: Remove support for IBRS_ENABLED_USER mode (Boris Ostrovsky) [Orabug: 27416198]

- x86: Include linux/device.h in bugs_64.c (Boris Ostrovsky) [Orabug: 27418896]

- x86/spectre: Drop the warning about ibrs being obsolete. (Konrad Rzeszutek Wilk)

- x86/spec: Dont print the Missing arguments for option spectre_v2. (Konrad Rzeszutek Wilk)

- x86/spec: Also print IBRS if IBPB is disabled. (Konrad Rzeszutek Wilk)

- x86/IBPB: Provide debugfs interface for changing IBPB mode (Boris Ostrovsky) [Orabug: 27449065]

- xen: Make PV Dom0 Linux kernel NUMA aware (Elena Ufimtseva)

- net/rds: Fix incorrect error handling (Hakon Bugge) [Orabug: 26848729]

- net/rds: use multiple sge than buddy allocation in congestion code (Wei Lin Guay) [Orabug: 26848729]

- Revert RDS: fix the sg allocation based on actual message size (Wei Lin Guay) [Orabug: 26848729]

- Revert RDS: avoid large pages for sg allocation for TCP transport (Wei Lin Guay) [Orabug: 26848729]

- Revert net/rds: Reduce memory footprint in rds_sendmsg (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during ib_post_recv in IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: reduce memory footprint during rds_sendmsg with IB transport (Wei Lin Guay) [Orabug: 26848729]

- net/rds: set the rds_ib_init_frag based on supported sge (Wei Lin Guay) [Orabug: 26848729]

- bnxt_en: Fix possible corrupted NVRAM parameters from firmware response. (Michael Chan) [Orabug: 27199588]

- x86, kasan: Fix build failure on KASAN=y && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: Fix build failure on !KASAN && KMEMCHECK=y kernels (Andrey Ryabinin) [Orabug: 27255122]

- x86, efi, kasan: #undef memset/memcpy/memmove per arch (Andrey Ryabinin) [Orabug: 27255122]

- Revert Makefile: Build with -Werror=date-time if the compiler supports it (Gayatri Vasudevan) [Orabug: 27255122]

- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290300] {CVE-2017-8824}
- x86/efi: Initialize and display UEFI secure boot state a bit later during init (Daniel Kiper) [Orabug: 27309477]

- x86/espfix: Init espfix on the boot CPU side (Zhu Guihua) [Orabug: 27344552]

- x86/espfix: Add cpu parameter to init_espfix_ap() (Zhu Guihua) [Orabug: 27344552]

- ALSA: pcm: prevent UAF in snd_pcm_info (Robb Glasser) [Orabug: 27344841] {CVE-2017-0861} {CVE-2017-0861}
- fs/ocfs2: remove page cache for converted direct write (Wengang Wang)

- Revert ocfs2: code clean up for direct io (Wengang Wang)

- assoc_array: Fix a buggy node-splitting case (David Howells) [Orabug: 27364592] {CVE-2017-12193} {CVE-2017-12193}
- Sanitize move_pages() permission checks (Linus Torvalds) [Orabug: 27364690] {CVE-2017-14140}
- pti: compile fix for when PTI is disabled (Pavel Tatashin) [Orabug: 27383147] {CVE-2017-5754}
- sctp: do not peel off an assoc from one netns to another one (Xin Long) [Orabug: 27386999] {CVE-2017-15115}
- net: ipv4: fix for a race condition in raw_sendmsg (Mohamed Ghannam) [Orabug: 27390682] {CVE-2017-17712}
- mlx4: add mstflint secure boot access kernel support (Qing Huang) [Orabug: 27404202]

- x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk)

- x86/spec: STUFF_RSB before ENABLE_IBRS (Konrad Rzeszutek Wilk)

- x86: Move ENABLE_IBRS in the interrupt macro. (Konrad Rzeszutek Wilk) [Orabug: 27449045]

Package	Affected Version
pkg:rpm/oraclelinux/kernel-uek?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek
pkg:rpm/oraclelinux/kernel-uek-firmware?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek-firmware?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek
pkg:rpm/oraclelinux/kernel-uek-doc?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek-doc?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek
pkg:rpm/oraclelinux/kernel-uek-devel?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek-devel?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek
pkg:rpm/oraclelinux/kernel-uek-debug?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek-debug?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek
pkg:rpm/oraclelinux/kernel-uek-debug-devel?distro=oraclelinux-7	< 4.1.12-112.14.14.el7uek
pkg:rpm/oraclelinux/kernel-uek-debug-devel?distro=oraclelinux-6	< 4.1.12-112.14.14.el6uek

ID

ELSA-2018-4025

Severity

important

URL

https://linux.oracle.com/errata/ELSA-2018-4025.html

Published

2018-02-07T00:00:00
(6 years ago)

Modified

2018-02-07T00:00:00
(6 years ago)

Rights

Other Advisories

Source	# ID	URL
elsa	ELSA-2018-4025	http://linux.oracle.com/errata/ELSA-2018-4025.html
CVE	CVE-2017-5754	http://linux.oracle.com/cve/CVE-2017-5754.html
CVE	CVE-2017-12193	http://linux.oracle.com/cve/CVE-2017-12193.html
CVE	CVE-2017-8824	http://linux.oracle.com/cve/CVE-2017-8824.html
CVE	CVE-2017-0861	http://linux.oracle.com/cve/CVE-2017-0861.html
CVE	CVE-2017-15115	http://linux.oracle.com/cve/CVE-2017-15115.html
CVE	CVE-2017-17712	http://linux.oracle.com/cve/CVE-2017-17712.html
CVE	CVE-2017-14140	http://linux.oracle.com/cve/CVE-2017-14140.html

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform
Affected	pkg:rpm/oraclelinux/kernel-uek?distro=oraclelinux-7	oraclelinux	kernel-uek	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek?distro=oraclelinux-6	oraclelinux	kernel-uek	< 4.1.12-112.14.14.el6uek	oraclelinux-6
Affected	pkg:rpm/oraclelinux/kernel-uek-firmware?distro=oraclelinux-7	oraclelinux	kernel-uek-firmware	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek-firmware?distro=oraclelinux-6	oraclelinux	kernel-uek-firmware	< 4.1.12-112.14.14.el6uek	oraclelinux-6
Affected	pkg:rpm/oraclelinux/kernel-uek-doc?distro=oraclelinux-7	oraclelinux	kernel-uek-doc	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek-doc?distro=oraclelinux-6	oraclelinux	kernel-uek-doc	< 4.1.12-112.14.14.el6uek	oraclelinux-6
Affected	pkg:rpm/oraclelinux/kernel-uek-devel?distro=oraclelinux-7	oraclelinux	kernel-uek-devel	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek-devel?distro=oraclelinux-6	oraclelinux	kernel-uek-devel	< 4.1.12-112.14.14.el6uek	oraclelinux-6
Affected	pkg:rpm/oraclelinux/kernel-uek-debug?distro=oraclelinux-7	oraclelinux	kernel-uek-debug	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek-debug?distro=oraclelinux-6	oraclelinux	kernel-uek-debug	< 4.1.12-112.14.14.el6uek	oraclelinux-6
Affected	pkg:rpm/oraclelinux/kernel-uek-debug-devel?distro=oraclelinux-7	oraclelinux	kernel-uek-debug-devel	< 4.1.12-112.14.14.el7uek	oraclelinux-7
Affected	pkg:rpm/oraclelinux/kernel-uek-debug-devel?distro=oraclelinux-6	oraclelinux	kernel-uek-debug-devel	< 4.1.12-112.14.14.el6uek	oraclelinux-6

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date