kernel security update

2024-08-2800:00:00

linux.oracle.com

version 5.14.0-427.33.1_4

disabling uki signing

oracle linux certificates

vulnerability fixes

security patch

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

Percentile

16.3%

JSON

[5.14.0-427.33.1_4.OL9]

Disable UKI signing [Orabug: 36571828]
Update Oracle Linux certificates (Kevin Lyons)
Disable signing for aarch64 (Ilya Okomin)
Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
Update x509.genkey [Orabug: 24817676]
Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
Add Oracle Linux IMA certificates
[5.14.0-427.33.1_4]
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (Kamal Heib) [RHEL-44287] {CVE-2024-38540}
netfilter: flowtable: validate pppoe header (Florian Westphal) [RHEL-44430 RHEL-33469] {CVE-2024-27016}
crypto: bcm - Fix pointer arithmetic (cki-backport-bot) [RHEL-44116] {CVE-2024-38579}
udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). (CKI Backport Bot) [RHEL-51035 RHEL-51033] {CVE-2024-41041}
netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (Florian Westphal) [RHEL-42832 RHEL-33985] {CVE-2024-27019}
netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV (Florian Westphal) [RHEL-42832 RHEL-33985]
netfilter: nf_tables: NULL pointer dereference in nf_tables_updobj() (Florian Westphal) [RHEL-42832 RHEL-33985]
netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path (Florian Westphal) [RHEL-41802 RHEL-33985] {CVE-2024-26925}
netfilter: nf_tables: discard table flag update with pending basechain deletion (Florian Westphal) [RHEL-40231 RHEL-33985] {CVE-2024-35897}
netfilter: nf_tables: reject table flag and netdev basechain updates (Florian Westphal) [RHEL-40231 RHEL-33985]
netfilter: bridge: replace physindev with physinif in nf_bridge_info (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
netfilter: propagate net to nf_bridge_get_physindev (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
netfilter: nfnetlink_log: use proper helper for fetching physinif (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
netfilter: nf_queue: remove excess nf_bridge variable (Florian Westphal) [RHEL-42966 RHEL-37040] {CVE-2024-35839}
netfilter: nft_limit: reject configurations that cause integer overflow (Florian Westphal) [RHEL-40065 RHEL-33985] {CVE-2024-26668}
scsi: qedi: Fix crash while reading debugfs attribute (CKI Backport Bot) [RHEL-48339] {CVE-2024-40978}
mm/huge_memory: don’t unpoison huge_zero_folio (Aristeu Rozanski) [RHEL-47804] {CVE-2024-40914}
tipc: force a dst refcount before doing decryption (Xin Long) [RHEL-48375 RHEL-6118] {CVE-2024-40983}
netfilter: nft_set_rbtree: skip end interval element from gc (Florian Westphal) [RHEL-41265] {CVE-2024-26581}
nvmet: fix a possible leak when destroy a ctrl during qp establishment (CKI Backport Bot) [RHEL-52021 RHEL-52019 RHEL-52020] {CVE-2024-42152}
net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() (CKI Backport Bot) [RHEL-51756] {CVE-2024-42110}
netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (Florian Westphal) [RHEL-40265 RHEL-33985] {CVE-2024-35898}
netfilter: br_netfilter: remove WARN traps (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
netfilter: br_netfilter: skip conntrack input hook for promisc packets (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
netfilter: bridge: confirm multicast packets before passing them up the stack (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
netfilter: nf_conntrack_bridge: initialize err to 0 (CKI Backport Bot) [RHEL-42882] {CVE-2024-27415}
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (Florian Westphal) [RHEL-42842 RHEL-33985] {CVE-2024-27020}
[5.14.0-427.32.1_4]
REDHAT: Makefile, dont reset dist-git-tmp if set (Lucas Zampieri)
net/mlx5e: Fix netif state handling (Benjamin Poirier) [RHEL-43872 RHEL-43870] {CVE-2024-38608}
net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args (Benjamin Poirier) [RHEL-43872 RHEL-43870] {CVE-2024-38608}
tun: add missing verification for short frame (Patrick Talbert) [RHEL-50202 RHEL-50203] {CVE-2024-41091}
tap: add missing verification for short frame (Patrick Talbert) [RHEL-50264 RHEL-50265] {CVE-2024-41090}
vfio/pci: Lock external INTx masking ops (Alex Williamson) [RHEL-43421 RHEL-30023] {CVE-2024-26810}
net: bridge: xmit: make sure we have at least eth header len bytes (cki-backport-bot) [RHEL-44299] {CVE-2024-38538}
KVM: arm64: Ensure target address is granule-aligned for range TLBI (Sebastian Ott) [RHEL-52248 RHEL-31215]
RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (cki-backport-bot) [RHEL-44250] {CVE-2024-38544}
NFSv4: Fix memory leak in nfs4_set_security_label (CKI Backport Bot) [RHEL-52082] {CVE-2024-41076}
md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING (Nigel Croxon) [RHEL-46421 RHEL-35393] {CVE-2024-39476}
KVM: s390: fix LPSWEY handling (CKI Backport Bot) [RHEL-50074]
cxl/port: Fix delete_endpoint() vs parent unregistration race (John W. Linville) [RHEL-39290 RHEL-23582] {CVE-2023-52771}
net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() (Petr Oros) [RHEL-49862 RHEL-17486] {CVE-2024-26855}
ice: fix LAG and VF lock dependency in ice_reset_vf() (Petr Oros) [RHEL-49820 RHEL-17486] {CVE-2024-36003}
net: wwan: iosm: Fix tainted pointer delete is case of region creation fail (Jose Ignacio Tornos Martinez) [RHEL-47992 RHEL-9429] {CVE-2024-40939}
wifi: cfg80211: Lock wiphy in cfg80211_get_station (CKI Backport Bot) [RHEL-47770] {CVE-2024-40911}
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() (CKI Backport Bot) [RHEL-47788] {CVE-2024-40912}
wifi: iwlwifi: mvm: check n_ssids before accessing the ssids (CKI Backport Bot) [RHEL-47920] {CVE-2024-40929}
wifi: iwlwifi: mvm: don’t read past the mfuart notifcation (CKI Backport Bot) [RHEL-48028] {CVE-2024-40941}
seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors (Hangbin Liu) [RHEL-48098 RHEL-45826] {CVE-2024-40957}
ipv6: fix possible race in __fib6_drop_pcpu_from() (Hangbin Liu) [RHEL-47572 RHEL-45826] {CVE-2024-40905}
redhat/configs: Enable CONFIG_DRM_MGAG200_DISABLE_WRITECOMBINE (Jocelyn Falempe) [RHEL-39581 RHEL-28760]
drm/mgag200: Add an option to disable Write-Combine (Jocelyn Falempe) [RHEL-39581 RHEL-28760]
drm/mgag200: Fix caching setup for remapped video memory (Scott Weaver) [RHEL-39581 RHEL-24102]
Revert ‘drm/mgag200: Flush the cache to improve latency’ (Scott Weaver) [RHEL-39581 RHEL-28760]
net: psample: fix flag being set in wrong skb (Adrian Moreno) [RHEL-47275]
net: openvswitch: store sampling probability in cb. (Adrian Moreno) [RHEL-47275]
net: openvswitch: add psample action (Adrian Moreno) [RHEL-47275]
net: psample: allow using rate as probability (Adrian Moreno) [RHEL-47275]
net: psample: skip packet copy if no listeners (Adrian Moreno) [RHEL-47275]
net: psample: add user cookie (Adrian Moreno) [RHEL-47275]
i40e: fix: remove needless retries of NVM update (CKI Backport Bot) [RHEL-48169 RHEL-36692]
ice: Reject pin requests with unsupported flags (Petr Oros) [RHEL-50388 RHEL-17486]
ice: Don’t process extts if PTP is disabled (Petr Oros) [RHEL-50388 RHEL-17486]
ice: Fix improper extts handling (Petr Oros) [RHEL-50388 RHEL-17486]
ice: stop destroying and reinitalizing Tx tracker during reset (Petr Oros) [RHEL-50388 RHEL-17486]
ice: factor out ice_ptp_rebuild_owner() (Petr Oros) [RHEL-50388 RHEL-17486]
ice: rename ice_ptp_tx_cfg_intr (Petr Oros) [RHEL-50388 RHEL-17486]
ice: don’t check has_ready_bitmap in E810 functions (Petr Oros) [RHEL-50388 RHEL-17486]
ice: rename verify_cached to has_ready_bitmap (Petr Oros) [RHEL-50388 RHEL-17486]
ice: pass reset type to PTP reset functions (Petr Oros) [RHEL-50388 RHEL-17486]
ice: introduce PTP state machine (Petr Oros) [RHEL-50388 RHEL-17486]
ice: make RX HW timestamp reading code more reusable (Petr Oros) [RHEL-50388 RHEL-17486]
ice: Rename E822 to E82X (Petr Oros) [RHEL-50388 RHEL-17486]
ice: periodically kick Tx timestamp interrupt (Petr Oros) [RHEL-50388 RHEL-17486]
ice: Re-enable timestamping correctly after reset (Petr Oros) [RHEL-50388 RHEL-17486]
ptp: introduce helpers to adjust by scaled parts per million (Petr Oros) [RHEL-50388 RHEL-17486]
tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc (Andrew Halaney) [RHEL-42566 RHEL-24205] {CVE-2023-52880}
netfilter: complete validation of user input (Phil Sutter) [RHEL-47384 RHEL-37212] {CVE-2024-35962}
netfilter: validate user input for expected length (Phil Sutter) [RHEL-41668 RHEL-37212] {CVE-2024-35896}
scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() (Ewan D. Milne) [RHEL-40051 RHEL-39719] {CVE-2024-36025}
x86/xen: Add some null pointer checking to smp.c (Vitaly Kuznetsov) [RHEL-37615 RHEL-33260] {CVE-2024-26908}
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() (Prarit Bhargava) [RHEL-37615 RHEL-25415]

OSVersionArchitecturePackageVersionFilename
oracle linux9srckernel< 5.14.0-427.33.1.el9_4kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux9srckernel< 5.14.0-427.33.1.el9_4kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux9srckernel< 5.14.0-427.33.1.el9_4kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux9srckernel< 5.14.0-427.33.1.el9_4kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux9aarch64bpftool< 7.3.0-427.33.1.el9_4bpftool-7.3.0-427.33.1.el9_4.aarch64.rpm
oracle linux9aarch64bpftool< 7.3.0-427.33.1.el9_4bpftool-7.3.0-427.33.1.el9_4.aarch64.rpm
oracle linux9aarch64kernel-cross-headers< 5.14.0-427.33.1.el9_4kernel-cross-headers-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux9aarch64kernel-headers< 5.14.0-427.33.1.el9_4kernel-headers-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux9aarch64kernel-tools< 5.14.0-427.33.1.el9_4kernel-tools-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux9aarch64kernel-tools< 5.14.0-427.33.1.el9_4kernel-tools-5.14.0-427.33.1.el9_4.aarch64.rpm

OS	Version	Architecture	Package	Version	Filename
oracle linux	9	src	kernel	< 5.14.0-427.33.1.el9_4	kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux	9	src	kernel	< 5.14.0-427.33.1.el9_4	kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux	9	src	kernel	< 5.14.0-427.33.1.el9_4	kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux	9	src	kernel	< 5.14.0-427.33.1.el9_4	kernel-5.14.0-427.33.1.el9_4.src.rpm
oracle linux	9	aarch64	bpftool	< 7.3.0-427.33.1.el9_4	bpftool-7.3.0-427.33.1.el9_4.aarch64.rpm
oracle linux	9	aarch64	bpftool	< 7.3.0-427.33.1.el9_4	bpftool-7.3.0-427.33.1.el9_4.aarch64.rpm
oracle linux	9	aarch64	kernel-cross-headers	< 5.14.0-427.33.1.el9_4	kernel-cross-headers-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux	9	aarch64	kernel-headers	< 5.14.0-427.33.1.el9_4	kernel-headers-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux	9	aarch64	kernel-tools	< 5.14.0-427.33.1.el9_4	kernel-tools-5.14.0-427.33.1.el9_4.aarch64.rpm
oracle linux	9	aarch64	kernel-tools	< 5.14.0-427.33.1.el9_4	kernel-tools-5.14.0-427.33.1.el9_4.aarch64.rpm