(RHSA-2024:1367) Important: kernel security and bug fix update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

• kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (CVE-2022-41858)

• kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

• kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

• kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

• kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)

• kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

• kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

• kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

• kernel: out-of-bounds write in qfq_change_class function (JIRA:RHEL-12696)

• kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18194)

• kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20296)

• kernel: inactive elements in nft_pipapo_walk (JIRA:RHEL-20695)

• kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22088)

• kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (JIRA:RHEL-18580)

• ipoib mcast lockup fix (JIRA:RHEL-19696)

• dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19108)

• kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19325)

• kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19449)

• kernel: vmxgfx: NULL pointer dereference in vmw_cmd_dx_define_query (JIRA:RHEL-22763)

• RHEL 8.5: Backport upstream memory cgroup commits up to v5.12 (JIRA:RHEL-9162)

• kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19459)

• ceph: several cap and snap fixes (JIRA:RHEL-20906)

• kernel NULL pointer at RIP: 0010:kyber_has_work+0x1c/0x60 (JIRA:RHEL-21782)

• rbd: don’t move requests to the running list on errors [8.x] (JIRA:RHEL-24201)