[ELSA-2023-4819] kernel security and bug fix update

Severity: Important
Affected Packages: 13
CVEs: 2

[3.10.0-1160.99.1.0.1.OL7]
- debug: lock down kgdb [Orabug: 34270798] {CVE-2022-21499}

[3.10.0-1160.99.1.OL7]
- Update Oracle Linux certificates (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15-2.0.9
- Update oracle(kernel-sig-key) value to match new certificate (Ilya Okomin)

[3.10.0-1160.99.1]
- x86/cpu/amd: Add a Zenbleed fix (Waiman Long) [2226841] {CVE-2023-20593}
- x86/cpu/amd: Move the errata checking functionality up (Waiman Long) [2226841] {CVE-2023-20593}
- x86/cpu: Restore AMD's DE_CFG MSR after resume (Waiman Long) [2226841] {CVE-2023-20593}

[3.10.0-1160.98.1]
- GFS2: gfs2_dir_get_hash_table(): avoiding deferred vfree() is easy here... (Andrew Price) [2190450]
- GFS2: use kvfree() instead of open-coding it (Andrew Price) [2190450]

[3.10.0-1160.97.1]
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() (Davide Caratti) [2216982] {CVE-2023-35788}
- netfilter: conntrack: re-fetch conntrack after insertion (Florian Westphal) [2188190]
- netfilter: conntrack: handle tcp challenge acks during connection reuse (Florian Westphal) [2128262]
- netfilter: conntrack: reduce timeout when receiving out-of-window fin or rst (Florian Westphal) [2128262]
- netfilter: conntrack: remove unneeded indent level (Florian Westphal) [2128262]
- netfilter: conntrack: ignore overly delayed tcp packets (Florian Westphal) [2128262]
- netfilter: conntrack: prepare tcp_in_window for ternary return value (Florian Westphal) [2128262]
- netfilter: conntrack: connection timeout after re-register (Florian Westphal) [2128262]
- netfilter: conntrack: always store window size un-scaled (Florian Westphal) [2128262]
- netfilter: conntrack: work around exceeded receive window (Florian Westphal) [2128262]
- netfilter: conntrack: avoid misleading 'invalid' in log message (Florian Westphal) [2128262]
- netfilter: remove BUG_ON() after skb_header_pointer() (Florian Westphal) [2128262]
- netfilter: nf_conntrack_tcp: re-init for syn packets only (Florian Westphal) [2128262]
- netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options (Florian Westphal) [2128262]
- netfilter: conntrack: re-init state for retransmitted syn-ack (Florian Westphal) [2128262]
- netfilter: conntrack: move synack init code to helper (Florian Westphal) [2128262]
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (Florian Westphal) [2128262]
- netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options (Florian Westphal) [2128262]

[3.10.0-1160.96.1]
- sched/fair: Eliminate bandwidth race between throttling and distribution (Phil Auld) [2180681]
- sched/fair: Fix race between runtime distribution and assignment (Phil Auld) [2180681]
- sched/fair: Don't assign runtime for throttled cfs_rq (Phil Auld) [2180681]

ID: ELSA-2023-4819
Severity: important
URL: https://linux.oracle.com/errata/ELSA-2023-4819.html
Published: 2023-08-31T00:00:00
Modified: 2023-08-31T00:00:00
Rights: Copyright 2023 Oracle, Inc.
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:rpm/oraclelinux/python-perf?distro=oraclelinux-7 | oraclelinux | python-perf | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/perf?distro=oraclelinux-7 | oraclelinux | perf | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel?distro=oraclelinux-7 | oraclelinux | kernel | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-tools?distro=oraclelinux-7 | oraclelinux | kernel-tools | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-tools-libs?distro=oraclelinux-7 | oraclelinux | kernel-tools-libs | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-tools-libs-devel?distro=oraclelinux-7 | oraclelinux | kernel-tools-libs-devel | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-headers?distro=oraclelinux-7 | oraclelinux | kernel-headers | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-doc?distro=oraclelinux-7 | oraclelinux | kernel-doc | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-devel?distro=oraclelinux-7 | oraclelinux | kernel-devel | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-debug?distro=oraclelinux-7 | oraclelinux | kernel-debug | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-debug-devel?distro=oraclelinux-7 | oraclelinux | kernel-debug-devel | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/kernel-abi-whitelists?distro=oraclelinux-7 | oraclelinux | kernel-abi-whitelists | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |
| Affected | pkg:rpm/oraclelinux/bpftool?distro=oraclelinux-7 | oraclelinux | bpftool | < 3.10.0-1160.99.1.0.1.el7 | oraclelinux-7 | | |