[ELSA-2024-5928] kernel security update
[5.14.0-427.33.1_4.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
[5.14.0-427.33.1_4]
- bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (Kamal Heib) [RHEL-44287] {CVE-2024-38540}
- netfilter: flowtable: validate pppoe header (Florian Westphal) [RHEL-44430 RHEL-33469] {CVE-2024-27016}
- crypto: bcm - Fix pointer arithmetic (cki-backport-bot) [RHEL-44116] {CVE-2024-38579}
- udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). (CKI Backport Bot) [RHEL-51035 RHEL-51033] {CVE-2024-41041}
- netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (Florian Westphal) [RHEL-42832 RHEL-33985] {CVE-2024-27019}
- netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV (Florian Westphal) [RHEL-42832 RHEL-33985]
- netfilter: nf_tables: NULL pointer dereference in nf_tables_updobj() (Florian Westphal) [RHEL-42832 RHEL-33985]
- netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path (Florian Westphal) [RHEL-41802 RHEL-33985] {CVE-2024-26925}
- netfilter: nf_tables: discard table flag update with pending basechain deletion (Florian Westphal) [RHEL-40231 RHEL-33985] {CVE-2024-35897}
- netfilter: nf_tables: reject table flag and netdev basechain updates (Florian Westphal) [RHEL-40231 RHEL-33985]
- netfilter: bridge: replace physindev with physinif in nf_bridge_info (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
- netfilter: propagate net to nf_bridge_get_physindev (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
- netfilter: nfnetlink_log: use proper helper for fetching physinif (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
- netfilter: nf_queue: remove excess nf_bridge variable (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
- netfilter: nft_limit: reject configurations that cause integer overflow (Florian Westphal) [RHEL-40065 RHEL-33985] {CVE-2024-26668}
- scsi: qedi: Fix crash while reading debugfs attribute (CKI Backport Bot) [RHEL-48339] {CVE-2024-40978}
- mm/huge_memory: don't unpoison huge_zero_folio (Aristeu Rozanski) [RHEL-47804] {CVE-2024-40914}
- tipc: force a dst refcount before doing decryption (Xin Long) [RHEL-48375 RHEL-6118] {CVE-2024-40983}
- netfilter: nft_set_rbtree: skip end interval element from gc (Florian Westphal) [RHEL-41265] {CVE-2024-26581}
- nvmet: fix a possible leak when destroy a ctrl during qp establishment (CKI Backport Bot) [RHEL-52021 RHEL-52019 RHEL-52020] {CVE-2024-42152}
- net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() (CKI Backport Bot) [RHEL-51756] {CVE-2024-42110}
- netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (Florian Westphal) [RHEL-40265 RHEL-33985] {CVE-2024-35898}
- netfilter: br_netfilter: remove WARN traps (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
- netfilter: br_netfilter: skip conntrack input hook for promisc packets (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
- netfilter: bridge: confirm multicast packets before passing them up the stack (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
- netfilter: nf_conntrack_bridge: initialize err to 0 (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
- netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (Florian Westphal) [RHEL-42842 RHEL-33985] {CVE-2024-27020}
[5.14.0-427.32.1_4]
- REDHAT: Makefile, dont reset dist-git-tmp if set (Lucas Zampieri)
- net/mlx5e: Fix netif state handling (Benjamin Poirier) [RHEL-43872 RHEL-43870] {CVE-2024-38608}
- net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args (Benjamin Poirier) [RHEL-43872 RHEL-43870] {CVE-2024-38608}
- tun: add missing verification for short frame (Patrick Talbert) [RHEL-50202 RHEL-50203] {CVE-2024-41091}
- tap: add missing verification for short frame (Patrick Talbert) [RHEL-50264 RHEL-50265] {CVE-2024-41090}
- vfio/pci: Lock external INTx masking ops (Alex Williamson) [RHEL-43421 RHEL-30023] {CVE-2024-26810}
- net: bridge: xmit: make sure we have at least eth header len bytes (cki-backport-bot) [RHEL-44299] {CVE-2024-38538}
- KVM: arm64: Ensure target address is granule-aligned for range TLBI (Sebastian Ott) [RHEL-52248 RHEL-31215]
- RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (cki-backport-bot) [RHEL-44250] {CVE-2024-38544}
- NFSv4: Fix memory leak in nfs4_set_security_label (CKI Backport Bot) [RHEL-52082] {CVE-2024-41076}
- md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING (Nigel Croxon) [RHEL-46421 RHEL-35393] {CVE-2024-39476}
- KVM: s390: fix LPSWEY handling (CKI Backport Bot) [RHEL-50074]
- cxl/port: Fix delete_endpoint() vs parent unregistration race (John W. Linville) [RHEL-39290 RHEL-23582] {CVE-2023-52771}
- net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (Petr Oros) [RHEL-49862 RHEL-17486] {CVE-2024-26855}
- ice: fix LAG and VF lock dependency in ice_reset_vf() (Petr Oros) [RHEL-49820 RHEL-17486] {CVE-2024-36003}
- net: wwan: iosm: Fix tainted pointer delete is case of region creation fail (Jose Ignacio Tornos Martinez) [RHEL-47992 RHEL-9429] {CVE-2024-40939}
- wifi: cfg80211: Lock wiphy in cfg80211_get_station (CKI Backport Bot) [RHEL-47770] {CVE-2024-40911}
- wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() (CKI Backport Bot) [RHEL-47788] {CVE-2024-40912}
- wifi: iwlwifi: mvm: check n_ssids before accessing the ssids (CKI Backport Bot) [RHEL-47920] {CVE-2024-40929}
- wifi: iwlwifi: mvm: don't read past the mfuart notifcation (CKI Backport Bot) [RHEL-48028] {CVE-2024-40941}
- seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors (Hangbin Liu) [RHEL-48098 RHEL-45826] {CVE-2024-40957}
- ipv6: fix possible race in __fib6_drop_pcpu_from() (Hangbin Liu) [RHEL-47572 RHEL-45826] {CVE-2024-40905}
- redhat/configs: Enable CONFIG_DRM_MGAG200_DISABLE_WRITECOMBINE (Jocelyn Falempe) [RHEL-39581 RHEL-28760]
- drm/mgag200: Add an option to disable Write-Combine (Jocelyn Falempe) [RHEL-39581 RHEL-28760]
- drm/mgag200: Fix caching setup for remapped video memory (Scott Weaver) [RHEL-39581 RHEL-24102]
- Revert 'drm/mgag200: Flush the cache to improve latency' (Scott Weaver) [RHEL-39581 RHEL-28760]
- net: psample: fix flag being set in wrong skb (Adrian Moreno) [RHEL-47275]
- net: openvswitch: store sampling probability in cb. (Adrian Moreno) [RHEL-47275]
- net: openvswitch: add psample action (Adrian Moreno) [RHEL-47275]
- net: psample: allow using rate as probability (Adrian Moreno) [RHEL-47275]
- net: psample: skip packet copy if no listeners (Adrian Moreno) [RHEL-47275]
- net: psample: add user cookie (Adrian Moreno) [RHEL-47275]
- i40e: fix: remove needless retries of NVM update (CKI Backport Bot) [RHEL-48169 RHEL-36692]
- ice: Reject pin requests with unsupported flags (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: Don't process extts if PTP is disabled (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: Fix improper extts handling (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: stop destroying and reinitalizing Tx tracker during reset (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: factor out ice_ptp_rebuild_owner() (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: rename ice_ptp_tx_cfg_intr (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: don't check has_ready_bitmap in E810 functions (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: rename verify_cached to has_ready_bitmap (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: pass reset type to PTP reset functions (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: introduce PTP state machine (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: make RX HW timestamp reading code more reusable (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: Rename E822 to E82X (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: periodically kick Tx timestamp interrupt (Petr Oros) [RHEL-50388 RHEL-17486]
- ice: Re-enable timestamping correctly after reset (Petr Oros) [RHEL-50388 RHEL-17486]
- ptp: introduce helpers to adjust by scaled parts per million (Petr Oros) [RHEL-50388 RHEL-17486]
- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc (Andrew Halaney) [RHEL-42566 RHEL-24205] {CVE-2023-52880}
- netfilter: complete validation of user input (Phil Sutter) [RHEL-47384 RHEL-37212] {CVE-2024-35962}
- netfilter: validate user input for expected length (Phil Sutter) [RHEL-41668 RHEL-37212] {CVE-2024-35896}
- scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (Ewan D. Milne) [RHEL-40051 RHEL-39719] {CVE-2024-36025}
- x86/xen: Add some null pointer checking to smp.c (Vitaly Kuznetsov) [RHEL-37615 RHEL-33260] {CVE-2024-26908}
- x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() (Prarit Bhargava) [RHEL-37615 RHEL-25415]
- ID
- ELSA-2024-5928
- Severity
- important
- URL
- https://linux.oracle.com/errata/ELSA-2024-5928.html
- Published
-
2024-08-28T00:00:00
(2 weeks ago) - Modified
-
2024-08-28T00:00:00
(2 weeks ago) - Rights
- Copyright 2024 Oracle, Inc.
- Other Advisories
-
-
ALAS-2024-1942
-
ALAS2-2024-2581
-
ALSA-2024:5101
-
DSA-5658-1
-
DSA-5680-1
-
DSA-5681-1
-
DSA-5730-1
-
DSA-5731-1
-
DSA-5747-1
-
ELSA-2024-12546
-
ELSA-2024-12547
-
ELSA-2024-12548
-
ELSA-2024-12549
-
ELSA-2024-12551
-
ELSA-2024-12552
-
ELSA-2024-12570
-
ELSA-2024-12571
-
ELSA-2024-12581
-
ELSA-2024-12582
-
ELSA-2024-12583
-
ELSA-2024-12584
-
ELSA-2024-12585
-
ELSA-2024-12610
-
ELSA-2024-12611
-
ELSA-2024-12612
-
ELSA-2024-5101
-
FEDORA-2024-010fe8772a
-
FEDORA-2024-bc0db39a14
-
FEDORA-2024-f35f9525d6
-
RHSA-2024:5101
-
RHSA-2024:5102
-
RHSA-2024:6242
-
RLSA-2024:5101
-
SSA:2024-157-01
-
SUSE-SU-2024:1643-1
-
SUSE-SU-2024:1644-1
-
SUSE-SU-2024:1646-1
-
SUSE-SU-2024:1648-1
-
SUSE-SU-2024:1659-1
-
SUSE-SU-2024:1663-1
-
SUSE-SU-2024:1870-1
-
SUSE-SU-2024:1978-1
-
SUSE-SU-2024:1979-1
-
SUSE-SU-2024:1983-1
-
SUSE-SU-2024:2008-1
-
SUSE-SU-2024:2010-1
-
SUSE-SU-2024:2011-1
-
SUSE-SU-2024:2019-1
-
SUSE-SU-2024:2135-1
-
SUSE-SU-2024:2183-1
-
SUSE-SU-2024:2184-1
-
SUSE-SU-2024:2185-1
-
SUSE-SU-2024:2189-1
-
SUSE-SU-2024:2190-1
-
SUSE-SU-2024:2203-1
-
SUSE-SU-2024:2360-1
-
SUSE-SU-2024:2372-1
-
SUSE-SU-2024:2381-1
-
SUSE-SU-2024:2394-1
-
SUSE-SU-2024:2561-1
-
SUSE-SU-2024:2571-1
-
SUSE-SU-2024:2802-1
-
SUSE-SU-2024:2892-1
-
SUSE-SU-2024:2893-1
-
SUSE-SU-2024:2894-1
-
SUSE-SU-2024:2896-1
-
SUSE-SU-2024:2901-1
-
SUSE-SU-2024:2902-1
-
SUSE-SU-2024:2923-1
-
SUSE-SU-2024:2929-1
-
SUSE-SU-2024:2939-1
-
SUSE-SU-2024:2940-1
-
SUSE-SU-2024:2947-1
-
SUSE-SU-2024:2948-1
-
SUSE-SU-2024:2973-1
-
SUSE-SU-2024:3189-1
-
SUSE-SU-2024:3190-1
-
SUSE-SU-2024:3194-1
-
SUSE-SU-2024:3195-1
-
SUSE-SU-2024:3209-1
-
USN-6688-1
-
USN-6741-1
-
USN-6742-1
-
USN-6742-2
-
USN-6743-1
-
USN-6743-2
-
USN-6743-3
-
USN-6765-1
-
USN-6766-1
-
USN-6766-2
-
USN-6766-3
-
USN-6795-1
-
USN-6816-1
-
USN-6817-1
-
USN-6817-2
-
USN-6817-3
-
USN-6818-1
-
USN-6818-2
-
USN-6818-3
-
USN-6818-4
-
USN-6819-1
-
USN-6819-2
-
USN-6819-3
-
USN-6819-4
-
USN-6820-1
-
USN-6820-2
-
USN-6821-1
-
USN-6821-2
-
USN-6821-3
-
USN-6821-4
-
USN-6828-1
-
USN-6868-1
-
USN-6868-2
-
USN-6871-1
-
USN-6872-1
-
USN-6872-2
-
USN-6873-1
-
USN-6873-2
-
USN-6874-1
-
USN-6878-1
-
USN-6892-1
-
USN-6893-1
-
USN-6893-2
-
USN-6893-3
-
USN-6895-1
-
USN-6895-2
-
USN-6895-3
-
USN-6895-4
-
USN-6896-1
-
USN-6896-2
-
USN-6896-3
-
USN-6896-4
-
USN-6896-5
-
USN-6898-1
-
USN-6898-2
-
USN-6898-3
-
USN-6898-4
-
USN-6900-1
-
USN-6917-1
-
USN-6918-1
-
USN-6919-1
-
USN-6926-1
-
USN-6926-2
-
USN-6926-3
-
USN-6927-1
-
USN-6938-1
-
USN-6949-1
-
USN-6949-2
-
USN-6951-1
-
USN-6951-2
-
USN-6951-3
-
USN-6951-4
-
USN-6952-1
-
USN-6952-2
-
USN-6953-1
-
USN-6955-1
-
USN-6979-1
-
USN-6999-1
-
USN-7003-1
-
USN-7003-2
-
USN-7003-3
-
USN-7004-1
-
USN-7005-1
-
USN-7005-2
-
USN-7006-1
-
USN-7007-1
-
USN-7008-1
-
USN-7009-1
-
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/oraclelinux/rv?distro=oraclelinux-9.4 | oraclelinux |
 rv
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/rtla?distro=oraclelinux-9.4 | oraclelinux |
rtla
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/python3-perf?distro=oraclelinux-9.4 | oraclelinux |
python3-perf
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/perf?distro=oraclelinux-9.4 | oraclelinux |
perf
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/libperf?distro=oraclelinux-9.4 | oraclelinux |
libperf
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel?distro=oraclelinux-9.4 | oraclelinux |
kernel
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-uki-virt?distro=oraclelinux-9.4 | oraclelinux |
kernel-uki-virt
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-tools?distro=oraclelinux-9.4 | oraclelinux |
kernel-tools
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-tools-libs?distro=oraclelinux-9.4 | oraclelinux |
kernel-tools-libs
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-tools-libs-devel?distro=oraclelinux-9.4 | oraclelinux |
kernel-tools-libs-devel
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-modules?distro=oraclelinux-9.4 | oraclelinux |
kernel-modules
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-modules-extra?distro=oraclelinux-9.4 | oraclelinux |
kernel-modules-extra
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-modules-core?distro=oraclelinux-9.4 | oraclelinux |
kernel-modules-core
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-headers?distro=oraclelinux-9.4 | oraclelinux |
kernel-headers
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-doc?distro=oraclelinux-9.4 | oraclelinux |
kernel-doc
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-devel?distro=oraclelinux-9.4 | oraclelinux |
kernel-devel
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-devel-matched?distro=oraclelinux-9.4 | oraclelinux |
kernel-devel-matched
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-uki-virt?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-uki-virt
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-modules?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-modules
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-modules-extra?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-modules-extra
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-modules-core?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-modules-core
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-devel?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-devel
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-devel-matched?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-devel-matched
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-debug-core?distro=oraclelinux-9.4 | oraclelinux |
kernel-debug-core
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-cross-headers?distro=oraclelinux-9.4 | oraclelinux |
kernel-cross-headers
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-core?distro=oraclelinux-9.4 | oraclelinux |
kernel-core
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/kernel-abi-stablelists?distro=oraclelinux-9.4 | oraclelinux |
kernel-abi-stablelists
|
< 5.14.0-427.33.1.el9_4 | oraclelinux-9.4 | ||
| Affected | pkg:rpm/oraclelinux/bpftool?distro=oraclelinux-9.4 | oraclelinux |
bpftool
|
< 7.3.0-427.33.1.el9_4 | oraclelinux-9.4 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |