Cockpit and Kernel Updates for Oracle Linux
Posted on: 03/13/2019 07:25 AM

The following updates have been released for Oracle Linux:

ELSA-2019-0482 Moderate: Oracle Linux 7 cockpit security update
ELSA-2019-4570 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELSA-2019-4570 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
ELSA-2019-4575 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
ELSA-2019-4575 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELSA-2019-4577 Important: Oracle Linux 5 Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel security update
ELSA-2019-4577 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update

ELSA-2019-0482 Moderate: Oracle Linux 7 cockpit security update
Oracle Linux Security Advisory ELSA-2019-0482

http://linux.oracle.com/errata/ELSA-2019-0482.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
cockpit-173.2-1.0.1.el7.x86_64.rpm
cockpit-bridge-173.2-1.0.1.el7.x86_64.rpm
cockpit-doc-173.2-1.0.1.el7.x86_64.rpm
cockpit-machines-ovirt-173.2-1.0.1.el7.noarch.rpm
cockpit-system-173.2-1.0.1.el7.noarch.rpm
cockpit-ws-173.2-1.0.1.el7.i686.rpm
cockpit-ws-173.2-1.0.1.el7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/cockpit-173.2-1.0.1.el7.src.rpm



Description of changes:

[173.2-1.0.1]
- turn off display of subscriptions menu item in GUI
- Drop subscription-manager requirement since we do not ship it (tianyue.lan@oralce.com)
- Remove Red Hat references.

[173.2-1]
- ws: Fix bug parsing invalid base64 headers rhbz#1672296



ELSA-2019-4570 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2019-4570

http://linux.oracle.com/errata/ELSA-2019-4570.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-4.14.35-1844.3.2.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-1844.3.2.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-1844.3.2.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-1844.3.2.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-1844.3.2.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-1844.3.2.el7uek.noarch.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1844.3.2.el7uek.src.rpm



Description of changes:

[4.14.35-1844.3.2.el7uek]
- uek-rpm: Remove hardcoded 'kernel_git_commit' macro from specfile (Victor Erminpour) [Orabug: 29357695]
- mm: cleancache: fix corruption on missed inode invalidation (Pavel Tikhomirov) [Orabug: 29364665] {CVE-2018-16862}
- l2tp: fix reading optional fields of L2TPv3 (Jacob Wen) [Orabug: 29368046]

[4.14.35-1844.3.1.el7uek]
- x86/speculation: Add support for STIBP always-on preferred mode (Thomas Lendacky) [Orabug: 29344486]
- x86/speculation: Provide IBPB always command line options (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add seccomp Spectre v2 user space protection mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Enable prctl mode for spectre_v2_user (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add prctl() control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prevent stale SPEC_CTRL msr content (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Split out TIF update (Thomas Gleixner) [Orabug: 29344486]
- ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Remove static key ibpb_enabled_key (Anjali Kulkarni) [Orabug: 29344486]
- x86/speculation: Prepare for conditional IBPB in switch_mm() (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Avoid __switch_to_xtra() calls (Thomas Gleixner) [Orabug: 29344486]
- x86/process: Consolidate and simplify switch_to_xtra() code (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare for per task indirect branch speculation control (Tim Chen) [Orabug: 29344486]
- x86/speculation: Add command line control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Unify conditional spectre v2 print functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculataion: Mark command line parser data __initdata (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Mark string arrays const correctly (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Reorder the spec_v2 code (Thomas Gleixner) [Orabug: 29344486]
- x86/l1tf: Show actual SMT state (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Rework SMT state change (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Expose sched_smt_present static key (Thomas Gleixner) [Orabug: 29344486]
- x86/Kconfig: Select SCHED_SMT if SMP enabled (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Make sched_smt_present track topology (Peter Zijlstra (Intel)) [Orabug: 29344486]
- x86/speculation: Reorganize speculation control MSRs update (Tim Chen) [Orabug: 29344486]
- x86/speculation: Rename SSBD update functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Disable STIBP when enhanced IBRS is in use (Tim Chen) [Orabug: 29344486]
- x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Clean up spectre_v2_parse_cmdline() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Update the TIF_SSBD comment (Tim Chen) [Orabug: 29344486]
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (Peter Zijlstra) [Orabug: 29344486]
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (Jiri Kosina) [Orabug: 29344486]
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (Jiri Kosina) [Orabug: 29344486]
- netfilter: nf_tables: deactivate expressions in rule replecement routine (Taehee Yoo) [Orabug: 29355502]
- btrfs: Verify that every chunk has corresponding block group at mount time (Qu Wenruo) [Orabug: 29355254] {CVE-2018-14612}
- mlx4_ib: Distribute completion vectors when zero is supplied (Håkon Bugge) [Orabug: 29324328]
- x86/speculation: Clean up retpoline code in bugs.c (Alejandro Jimenez) [Orabug: 29211613]
- x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE (WANG Chao) [Orabug: 29211613]
- x86/build: Fix compiler support check for CONFIG_RETPOLINE (Masahiro Yamada) [Orabug: 29211613]
- x86/retpoline: Remove minimal retpoline support (Zhenzhong Duan) [Orabug: 29211613]
- uek-rpm: Enable device-mapper era driver (Dave Aldridge) [Orabug: 29283140]
- uek-rpm: use multi-threaded xz compression for rpms (Alexander Burmashev) [Orabug: 29322860]
- uek-rpm: optimize find-requires usage (Alexander Burmashev) [Orabug: 29322860]
- find-debuginfo.sh: backport parallel files procession (Alexander Burmashev) [Orabug: 29322860]

[4.14.35-1844.3.0.el7uek]
- xfs: refactor short form directory structure verifier function (Darrick J. Wong) [Orabug: 29301204]
- xfs: provide a centralized method for verifying inline fork data (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for short form symlinks (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for shortform xattrs (Darrick J. Wong) [Orabug: 29301204]
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (Qu Wenruo) [Orabug: 29301101] {CVE-2018-14609}
- iommu/amd: Fix IOMMU page flush when detach device from a domain (Suravee Suthikulpanit) [Orabug: 29297191]
- x86/apic: Switch all APICs to Fixed delivery mode (Thomas Gleixner) [Orabug: 29262403]
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (Eduardo Habkost) [Orabug: 29229728]
- bnx2x: disable GSO where gso_size is too big for hardware (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- net: create skb_gso_validate_mac_len() (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- slub: make ->cpu_partial unsigned (Alexey Dobriyan) [Orabug: 28973025]


ELSA-2019-4570 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
Oracle Linux Security Advisory ELSA-2019-4570

http://linux.oracle.com/errata/ELSA-2019-4570.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
kernel-uek-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-debug-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-debug-devel-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-devel-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-tools-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-tools-libs-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-tools-libs-devel-4.14.35-1844.3.2.el7uek.aarch64.rpm
perf-4.14.35-1844.3.2.el7uek.aarch64.rpm
python-perf-4.14.35-1844.3.2.el7uek.aarch64.rpm
kernel-uek-headers-4.14.35-1844.3.2.el7uek.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1844.3.2.el7uek.src.rpm



Description of changes:

[4.14.35-1844.3.2.el7uek]
- uek-rpm: Remove hardcoded 'kernel_git_commit' macro from specfile (Victor Erminpour) [Orabug: 29357695]
- mm: cleancache: fix corruption on missed inode invalidation (Pavel Tikhomirov) [Orabug: 29364665] {CVE-2018-16862}
- l2tp: fix reading optional fields of L2TPv3 (Jacob Wen) [Orabug: 29368046]

[4.14.35-1844.3.1.el7uek]
- x86/speculation: Add support for STIBP always-on preferred mode (Thomas Lendacky) [Orabug: 29344486]
- x86/speculation: Provide IBPB always command line options (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add seccomp Spectre v2 user space protection mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Enable prctl mode for spectre_v2_user (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Add prctl() control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare arch_smt_update() for PRCTL mode (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prevent stale SPEC_CTRL msr content (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Split out TIF update (Thomas Gleixner) [Orabug: 29344486]
- ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Remove static key ibpb_enabled_key (Anjali Kulkarni) [Orabug: 29344486]
- x86/speculation: Prepare for conditional IBPB in switch_mm() (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Avoid __switch_to_xtra() calls (Thomas Gleixner) [Orabug: 29344486]
- x86/process: Consolidate and simplify switch_to_xtra() code (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Prepare for per task indirect branch speculation control (Tim Chen) [Orabug: 29344486]
- x86/speculation: Add command line control for indirect branch speculation (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Unify conditional spectre v2 print functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculataion: Mark command line parser data __initdata (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Mark string arrays const correctly (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Reorder the spec_v2 code (Thomas Gleixner) [Orabug: 29344486]
- x86/l1tf: Show actual SMT state (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Rework SMT state change (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Expose sched_smt_present static key (Thomas Gleixner) [Orabug: 29344486]
- x86/Kconfig: Select SCHED_SMT if SMP enabled (Thomas Gleixner) [Orabug: 29344486]
- sched/smt: Make sched_smt_present track topology (Peter Zijlstra (Intel)) [Orabug: 29344486]
- x86/speculation: Reorganize speculation control MSRs update (Tim Chen) [Orabug: 29344486]
- x86/speculation: Rename SSBD update functions (Thomas Gleixner) [Orabug: 29344486]
- x86/speculation: Disable STIBP when enhanced IBRS is in use (Tim Chen) [Orabug: 29344486]
- x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Remove unnecessary ret variable in cpu_show_common() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Clean up spectre_v2_parse_cmdline() (Tim Chen) [Orabug: 29344486]
- x86/speculation: Update the TIF_SSBD comment (Tim Chen) [Orabug: 29344486]
- sched/core: Fix cpu.max vs. cpuhotplug deadlock (Peter Zijlstra) [Orabug: 29344486]
- x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (Jiri Kosina) [Orabug: 29344486]
- x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (Jiri Kosina) [Orabug: 29344486]
- netfilter: nf_tables: deactivate expressions in rule replecement routine (Taehee Yoo) [Orabug: 29355502]
- btrfs: Verify that every chunk has corresponding block group at mount time (Qu Wenruo) [Orabug: 29355254] {CVE-2018-14612}
- mlx4_ib: Distribute completion vectors when zero is supplied (Håkon Bugge) [Orabug: 29324328]
- x86/speculation: Clean up retpoline code in bugs.c (Alejandro Jimenez) [Orabug: 29211613]
- x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE (WANG Chao) [Orabug: 29211613]
- x86/build: Fix compiler support check for CONFIG_RETPOLINE (Masahiro Yamada) [Orabug: 29211613]
- x86/retpoline: Remove minimal retpoline support (Zhenzhong Duan) [Orabug: 29211613]
- uek-rpm: Enable device-mapper era driver (Dave Aldridge) [Orabug: 29283140]
- uek-rpm: use multi-threaded xz compression for rpms (Alexander Burmashev) [Orabug: 29322860]
- uek-rpm: optimize find-requires usage (Alexander Burmashev) [Orabug: 29322860]
- find-debuginfo.sh: backport parallel files procession (Alexander Burmashev) [Orabug: 29322860]

[4.14.35-1844.3.0.el7uek]
- xfs: refactor short form directory structure verifier function (Darrick J. Wong) [Orabug: 29301204]
- xfs: provide a centralized method for verifying inline fork data (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for short form symlinks (Darrick J. Wong) [Orabug: 29301204]
- xfs: create structure verifier function for shortform xattrs (Darrick J. Wong) [Orabug: 29301204]
- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (Qu Wenruo) [Orabug: 29301101] {CVE-2018-14609}
- iommu/amd: Fix IOMMU page flush when detach device from a domain (Suravee Suthikulpanit) [Orabug: 29297191]
- x86/apic: Switch all APICs to Fixed delivery mode (Thomas Gleixner) [Orabug: 29262403]
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (Eduardo Habkost) [Orabug: 29229728]
- bnx2x: disable GSO where gso_size is too big for hardware (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- net: create skb_gso_validate_mac_len() (Daniel Axtens) [Orabug: 29125104] {CVE-2018-1000026}
- slub: make ->cpu_partial unsigned (Alexey Dobriyan) [Orabug: 28973025]



ELSA-2019-4575 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2019-4575

http://linux.oracle.com/errata/ELSA-2019-4575.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-doc-4.1.12-124.26.1.el6uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.26.1.el6uek.noarch.rpm
kernel-uek-4.1.12-124.26.1.el6uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.26.1.el6uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.26.1.el6uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.26.1.el6uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-4.1.12-124.26.1.el6uek.src.rpm



Description of changes:

[4.1.12-124.26.1.el6uek]
- NFS: commit direct writes even if they fail partially (J. Bruce Fields) [Orabug: 28212440]
- rds: update correct congestion map for loopback transport (Mukesh Kacker) [Orabug: 29175685]
- ext4: only look at the bg_flags field if it is valid (Theodore Ts'o) [Orabug: 29316684] {CVE-2018-10876} {CVE-2018-10876}
- uek-rpm: Add kernel-uek version to kernel-ueknano provides (Somasundaram Krishnasamy) [Orabug: 29357643]
- net: Set sk_prot_creator when cloning sockets to the right proto (Christoph Paasch) [Orabug: 29422739] {CVE-2018-9568}
- ext4: always check block group bounds in ext4_init_block_bitmap() (Theodore Ts'o) [Orabug: 29428607] {CVE-2018-10878}
- ext4: make sure bitmaps and the inode table don't overlap with bg descriptors (Theodore Ts'o) [Orabug: 29428607] {CVE-2018-10878}
- vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags (David Howells) [Orabug: 29428607] {CVE-2018-10878}
- iscsi: Capture iscsi debug messages using tracepoints (Fred Herard) [Orabug: 29429855]

[4.1.12-124.25.4.el6uek]
- KEYS: add missing permission check for request_key() destination (Eric Biggers) [Orabug: 29304551] {CVE-2017-17807}
- KEYS: Don't permit request_key() to construct a new keyring (David Howells) [Orabug: 29304551] {CVE-2017-17807}
- mlx4_ib: Distribute completion vectors when zero is supplied (Håkon Bugge) [Orabug: 29318191]
- bnxt_en: Fix TX timeout during netpoll. (Michael Chan) [Orabug: 29357977]
- bnxt_en: Fix for system hang if request_irq fails (Vikas Gupta) [Orabug: 29357977]
- bnxt_en: Fix firmware message delay loop regression. (Michael Chan) [Orabug: 29357977]
- bnxt_en: reduce timeout on initial HWRM calls (Andy Gospodarek) [Orabug: 29357977]
- bnxt_en: Fix NULL pointer dereference at bnxt_free_irq(). (Michael Chan) [Orabug: 29357977]
- bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa(). (Michael Chan) [Orabug: 29357977]
- bnxt_en: Do not modify max IRQ count after RDMA driver requests/frees IRQs. (Michael Chan) [Orabug: 29357977]
- mm: cleancache: fix corruption on missed inode invalidation (Pavel Tikhomirov) [Orabug: 29364670] {CVE-2018-16862}
- l2tp: fix reading optional fields of L2TPv3 (Jacob Wen) [Orabug: 29368048]
- net/packet: fix a race in packet_bind() and packet_notifier() (Eric Dumazet) [Orabug: 29385593] {CVE-2018-18559}
- ext4: verify the depth of extent tree in ext4_find_extent() (Theodore Ts'o) [Orabug: 29396712] {CVE-2018-10877} {CVE-2018-10877}

[4.1.12-124.25.3.el6uek]
- blk-mq: Do not invoke .queue_rq() for a stopped queue (Bart Van Assche) [Orabug: 28766011]
- uek-rpm: use multi-threaded xz compression for rpms (Alexander Burmashev) [Orabug: 29323635]
- uek-rpm: optimize find-requires usage (Alexander Burmashev) [Orabug: 29323635]
- find-debuginfo.sh: backport parallel files procession (Alexander Burmashev) [Orabug: 29323635]
- KVM: SVM: Add MSR-based feature support for serializing LFENCE (Tom Lendacky) [Orabug: 29335274]

[4.1.12-124.25.2.el6uek]
- Enable RANDOMIZE_BASE (John Haxby) [Orabug: 29305587]
- slub: make ->cpu_partial unsigned (Alexey Dobriyan) [Orabug: 28620592]
- dtrace: support kernels built with RANDOMIZE_BASE (Kris Van Hees) [Orabug: 29204005]


ELSA-2019-4575 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2019-4575

http://linux.oracle.com/errata/ELSA-2019-4575.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-doc-4.1.12-124.26.1.el7uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.26.1.el7uek.noarch.rpm
kernel-uek-4.1.12-124.26.1.el7uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.26.1.el7uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.26.1.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.26.1.el7uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.1.12-124.26.1.el7uek.src.rpm



Description of changes:

[4.1.12-124.26.1.el7uek]
- NFS: commit direct writes even if they fail partially (J. Bruce Fields) [Orabug: 28212440]
- rds: update correct congestion map for loopback transport (Mukesh Kacker) [Orabug: 29175685]
- ext4: only look at the bg_flags field if it is valid (Theodore Ts'o) [Orabug: 29316684] {CVE-2018-10876} {CVE-2018-10876}
- uek-rpm: Add kernel-uek version to kernel-ueknano provides (Somasundaram Krishnasamy) [Orabug: 29357643]
- net: Set sk_prot_creator when cloning sockets to the right proto (Christoph Paasch) [Orabug: 29422739] {CVE-2018-9568}
- ext4: always check block group bounds in ext4_init_block_bitmap() (Theodore Ts'o) [Orabug: 29428607] {CVE-2018-10878}
- ext4: make sure bitmaps and the inode table don't overlap with bg descriptors (Theodore Ts'o) [Orabug: 29428607] {CVE-2018-10878}
- vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags (David Howells) [Orabug: 29428607] {CVE-2018-10878}
- iscsi: Capture iscsi debug messages using tracepoints (Fred Herard) [Orabug: 29429855]

[4.1.12-124.25.4.el7uek]
- KEYS: add missing permission check for request_key() destination (Eric Biggers) [Orabug: 29304551] {CVE-2017-17807}
- KEYS: Don't permit request_key() to construct a new keyring (David Howells) [Orabug: 29304551] {CVE-2017-17807}
- mlx4_ib: Distribute completion vectors when zero is supplied (Håkon Bugge) [Orabug: 29318191]
- bnxt_en: Fix TX timeout during netpoll. (Michael Chan) [Orabug: 29357977]
- bnxt_en: Fix for system hang if request_irq fails (Vikas Gupta) [Orabug: 29357977]
- bnxt_en: Fix firmware message delay loop regression. (Michael Chan) [Orabug: 29357977]
- bnxt_en: reduce timeout on initial HWRM calls (Andy Gospodarek) [Orabug: 29357977]
- bnxt_en: Fix NULL pointer dereference at bnxt_free_irq(). (Michael Chan) [Orabug: 29357977]
- bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa(). (Michael Chan) [Orabug: 29357977]
- bnxt_en: Do not modify max IRQ count after RDMA driver requests/frees IRQs. (Michael Chan) [Orabug: 29357977]
- mm: cleancache: fix corruption on missed inode invalidation (Pavel Tikhomirov) [Orabug: 29364670] {CVE-2018-16862}
- l2tp: fix reading optional fields of L2TPv3 (Jacob Wen) [Orabug: 29368048]
- net/packet: fix a race in packet_bind() and packet_notifier() (Eric Dumazet) [Orabug: 29385593] {CVE-2018-18559}
- ext4: verify the depth of extent tree in ext4_find_extent() (Theodore Ts'o) [Orabug: 29396712] {CVE-2018-10877} {CVE-2018-10877}

[4.1.12-124.25.3.el7uek]
- blk-mq: Do not invoke .queue_rq() for a stopped queue (Bart Van Assche) [Orabug: 28766011]
- uek-rpm: use multi-threaded xz compression for rpms (Alexander Burmashev) [Orabug: 29323635]
- uek-rpm: optimize find-requires usage (Alexander Burmashev) [Orabug: 29323635]
- find-debuginfo.sh: backport parallel files procession (Alexander Burmashev) [Orabug: 29323635]
- KVM: SVM: Add MSR-based feature support for serializing LFENCE (Tom Lendacky) [Orabug: 29335274]

[4.1.12-124.25.2.el7uek]
- Enable RANDOMIZE_BASE (John Haxby) [Orabug: 29305587]
- slub: make ->cpu_partial unsigned (Alexey Dobriyan) [Orabug: 28620592]
- dtrace: support kernels built with RANDOMIZE_BASE (Kris Van Hees) [Orabug: 29204005]



ELSA-2019-4577 Important: Oracle Linux 5 Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2019-4577

http://linux.oracle.com/errata/ELSA-2019-4577.html

The following updated rpms for Oracle Linux 5 Extended Lifecycle Support
(ELS) have been uploaded to the Unbreakable Linux Network:

i386:
kernel-uek-2.6.39-400.307.1.el5uek.i686.rpm
kernel-uek-debug-2.6.39-400.307.1.el5uek.i686.rpm
kernel-uek-debug-devel-2.6.39-400.307.1.el5uek.i686.rpm
kernel-uek-devel-2.6.39-400.307.1.el5uek.i686.rpm
kernel-uek-doc-2.6.39-400.307.1.el5uek.noarch.rpm
kernel-uek-firmware-2.6.39-400.307.1.el5uek.noarch.rpm

x86_64:
kernel-uek-firmware-2.6.39-400.307.1.el5uek.noarch.rpm
kernel-uek-doc-2.6.39-400.307.1.el5uek.noarch.rpm
kernel-uek-2.6.39-400.307.1.el5uek.x86_64.rpm
kernel-uek-devel-2.6.39-400.307.1.el5uek.x86_64.rpm
kernel-uek-debug-devel-2.6.39-400.307.1.el5uek.x86_64.rpm
kernel-uek-debug-2.6.39-400.307.1.el5uek.x86_64.rpm



Description of changes:

[2.6.39-400.307.1.el5uek]
- proc: restrict kernel stack dumps to root (John Donnelly) [Orabug: 29114880] {CVE-2018-17972}
- alarmtimer: Prevent overflow for relative nanosleep (Thomas Gleixner) [Orabug: 29269182] {CVE-2018-13053}
- ext4: only look at the bg_flags field if it is valid (Theodore Ts'o) [Orabug: 29409428] {CVE-2018-10876} {CVE-2018-10876}
- vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags (David Howells) [Orabug: 29409428] {CVE-2018-10876}
- net: Set sk_prot_creator when cloning sockets to the right proto (Christoph Paasch) [Orabug: 29422741] {CVE-2018-9568}


ELSA-2019-4577 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2019-4577

http://linux.oracle.com/errata/ELSA-2019-4577.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

i386:
kernel-uek-2.6.39-400.307.1.el6uek.i686.rpm
kernel-uek-debug-2.6.39-400.307.1.el6uek.i686.rpm
kernel-uek-debug-devel-2.6.39-400.307.1.el6uek.i686.rpm
kernel-uek-devel-2.6.39-400.307.1.el6uek.i686.rpm
kernel-uek-doc-2.6.39-400.307.1.el6uek.noarch.rpm
kernel-uek-firmware-2.6.39-400.307.1.el6uek.noarch.rpm

x86_64:
kernel-uek-firmware-2.6.39-400.307.1.el6uek.noarch.rpm
kernel-uek-doc-2.6.39-400.307.1.el6uek.noarch.rpm
kernel-uek-2.6.39-400.307.1.el6uek.x86_64.rpm
kernel-uek-devel-2.6.39-400.307.1.el6uek.x86_64.rpm
kernel-uek-debug-devel-2.6.39-400.307.1.el6uek.x86_64.rpm
kernel-uek-debug-2.6.39-400.307.1.el6uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-2.6.39-400.307.1.el6uek.src.rpm



Description of changes:

[2.6.39-400.307.1.el6uek]
- proc: restrict kernel stack dumps to root (John Donnelly) [Orabug: 29114880] {CVE-2018-17972}
- alarmtimer: Prevent overflow for relative nanosleep (Thomas Gleixner) [Orabug: 29269182] {CVE-2018-13053}
- ext4: only look at the bg_flags field if it is valid (Theodore Ts'o) [Orabug: 29409428] {CVE-2018-10876} {CVE-2018-10876}
- vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags (David Howells) [Orabug: 29409428] {CVE-2018-10876}
- net: Set sk_prot_creator when cloning sockets to the right proto (Christoph Paasch) [Orabug: 29422741] {CVE-2018-9568}





Printed from Linux Compatible (https://www.linuxcompatible.org/news/story/cockpit_and_kernel_updates_for_oracle_linux.html)