A kernel security update has been released for Fedora 35.

SECURITY: Fedora 35 Update: kernel-5.18.11-100.fc35

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-8aab5b5cde
2022-07-15 01:35:20.762802
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 35
Version : 5.18.11
Release : 100.fc35
URL :   https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 5.18.11 stable kernel update contains a number of important fixes across the
tree. In addition to the 5.18.11 stable patches, this build contains the
retbleed patches scheduled for 5.18.12 kernels.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jul 12 2022 Justin M. Forbes [5.18.11-100]
- Turn on configs for retbleed (Justin M. Forbes)
* Tue Jul 12 2022 Justin M. Forbes [5.18.11-0]
- x86/static_call: Serialize __static_call_fixup() properly (Thomas Gleixner)
- x86/speculation: Disable RRSBA behavior (Pawan Gupta)
- x86/kexec: Disable RET on kexec (Konrad Rzeszutek Wilk)
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported (Thadeu Lima de Souza Cascardo)
- x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry (Peter Zijlstra)
- x86/bugs: Add Cannon lake to RETBleed affected CPU list (Pawan Gupta)
- x86/retbleed: Add fine grained Kconfig knobs (Peter Zijlstra)
- x86/cpu/amd: Enumerate BTC_NO (Andrew Cooper)
- x86/common: Stamp out the stepping madness (Peter Zijlstra)
- KVM: VMX: Prevent RSB underflow before vmenter (Josh Poimboeuf)
- x86/speculation: Fill RSB on vmexit for IBRS (Josh Poimboeuf)
- KVM: VMX: Fix IBRS handling after vmexit (Josh Poimboeuf)
- KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS (Josh Poimboeuf)
- KVM: VMX: Convert launched argument to flags (Josh Poimboeuf)
- KVM: VMX: Flatten __vmx_vcpu_run() (Josh Poimboeuf)
- objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} (Josh Poimboeuf)
- x86/speculation: Remove x86_spec_ctrl_mask (Josh Poimboeuf)
- x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit (Josh Poimboeuf)
- x86/speculation: Fix SPEC_CTRL write on SMT state change (Josh Poimboeuf)
- x86/speculation: Fix firmware entry SPEC_CTRL handling (Josh Poimboeuf)
- x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n (Josh Poimboeuf)
- x86/cpu/amd: Add Spectral Chicken (Peter Zijlstra)
- objtool: Add entry UNRET validation (Thadeu Lima de Souza Cascardo)
- x86/bugs: Do IBPB fallback check only once (Josh Poimboeuf)
- x86/bugs: Add retbleed=ibpb (Peter Zijlstra)
- x86/xen: Add UNTRAIN_RET (Peter Zijlstra)
- x86/xen: Rename SYS* entry points (Peter Zijlstra)
- objtool: Update Retpoline validation (Peter Zijlstra)
- intel_idle: Disable IBRS during long idle (Peter Zijlstra)
- x86/bugs: Report Intel retbleed vulnerability (Peter Zijlstra)
- x86/bugs: Split spectre_v2_select_mitigation() and spectre_v2_user_select_mitigation() (Peter Zijlstra)
- x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS (Pawan Gupta)
- x86/bugs: Optimize SPEC_CTRL MSR writes (Peter Zijlstra)
- x86/entry: Add kernel IBRS implementation (Thadeu Lima de Souza Cascardo)
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (Peter Zijlstra)
- x86/bugs: Enable STIBP for JMP2RET (Kim Phillips)
- x86/bugs: Add AMD retbleed= boot parameter (Alexandre Chartre)
- x86/bugs: Report AMD retbleed vulnerability (Alexandre Chartre)
- x86: Add magic AMD return-thunk (Thadeu Lima de Souza Cascardo)
- objtool: Treat .text.__x86.* as noinstr (Peter Zijlstra)
- x86/entry: Avoid very early RET (Peter Zijlstra)
- x86: Use return-thunk in asm code (Peter Zijlstra)
- x86/sev: Avoid using __x86_return_thunk (Kim Phillips)
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation (Peter Zijlstra)
- x86/kvm: Fix SETcc emulation for return thunks (Peter Zijlstra)
- x86/bpf: Use alternative RET encoding (Peter Zijlstra)
- x86/ftrace: Use alternative RET encoding (Peter Zijlstra)
- x86,static_call: Use alternative RET encoding (Peter Zijlstra)
- objtool: skip non-text sections when adding return-thunk sites (Thadeu Lima de Souza Cascardo)
- x86,objtool: Create .return_sites (Peter Zijlstra)
- x86: Undo return-thunk damage (Peter Zijlstra)
- x86/retpoline: Use -mfunction-return (Peter Zijlstra)
- x86/retpoline: Swizzle retpoline thunk (Peter Zijlstra)
- x86/retpoline: Cleanup some #ifdefery (Peter Zijlstra)
- x86/cpufeatures: Move RETPOLINE flags to word 11 (Peter Zijlstra)
- x86/kvm/vmx: Make noinstr clean (Peter Zijlstra)
- x86/entry: Remove skip_r11rcx (Peter Zijlstra)
- x86/entry: Don't call error_entry() for XENPV (Lai Jiangshan)
- x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() (Lai Jiangshan)
- x86/entry: Switch the stack after error_entry() returns (Lai Jiangshan)
- x86/traps: Use pt_regs directly in fixup_bad_iret() (Lai Jiangshan)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2090226 - CVE-2022-23816 CVE-2022-29900 hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions
  https://bugzilla.redhat.com/show_bug.cgi?id=2090226
[ 2 ] Bug #2103148 - CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions
  https://bugzilla.redhat.com/show_bug.cgi?id=2103148
[ 3 ] Bug #2103153 - CVE-2022-23825 hw: cpu: AMD: Branch Type Confusion (non-retbleed)
  https://bugzilla.redhat.com/show_bug.cgi?id=2103153
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-8aab5b5cde' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________