Updated Unbreakable Enterprise kernel packages have been released for Oracle Linux 7 to address security issues on some Intel CPUs
Oracle Linux Security Advisory ELSA-2019-4837
http://linux.oracle.com/errata/ELSA-2019-4837.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-doc-4.1.12-124.32.3.2.el7uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.32.3.2.el7uek.noarch.rpm
kernel-uek-4.1.12-124.32.3.2.el7uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.32.3.2.el7uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.32.3.2.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.32.3.2.el7uek.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.1.12-124.32.3.2.el7uek.src.rpm
Description of changes:
[4.1.12-124.32.3.2.el7uek]
- x86/tsx: Add config options to set tsx=on|off|auto (Michal Hocko)
[Orabug: 30419233] {CVE-2019-11135}
- x86/speculation/taa: Add documentation for TSX Async Abort (Pawan
Gupta) [Orabug: 30419233] {CVE-2019-11135}
- x86/tsx: Add "auto" option to the tsx= cmdline parameter (Pawan Gupta)
[Orabug: 30419233] {CVE-2019-11135}
- kvm/x86: Export MDS_NO=0 to guests when TSX is enabled (Pawan Gupta)
[Orabug: 30419233] {CVE-2019-11135}
- x86/speculation/taa: Add sysfs reporting for TSX Async Abort (Pawan
Gupta) [Orabug: 30419233] {CVE-2019-11135}
- x86/speculation/taa: Add mitigation for TSX Async Abort (Kanth
Ghatraju) [Orabug: 30419233] {CVE-2019-11135}
- x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default
(Pawan Gupta) [Orabug: 30419233] {CVE-2019-11135}
- x86/cpu: Add a helper function x86_read_arch_cap_msr() (Pawan Gupta)
[Orabug: 30419233] {CVE-2019-11135}
- x86/msr: Add the IA32_TSX_CTRL MSR (Pawan Gupta) [Orabug: 30419233]
{CVE-2019-11135}
[4.1.12-124.32.3.1.el7uek]
- kvm: x86: mmu: Recovery of shattered NX large pages (Junaid Shahid)
[Orabug: 29967631] {CVE-2018-12207}
- kvm: Add helper function for creating VM worker threads (Junaid
Shahid) [Orabug: 29967631] {CVE-2018-12207}
- kvm: mmu: ITLB_MULTIHIT mitigation (Paolo Bonzini) [Orabug: 29967631]
{CVE-2018-12207}
- KVM: x86: remove now unneeded hugepage gfn adjustment (Paolo Bonzini)
[Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: make FNAME(fetch) and __direct_map more similar (Paolo
Bonzini) [Orabug: 29967631] {CVE-2018-12207}
- kvm: x86: Do not release the page inside mmu_set_spte() (Junaid
Shahid) [Orabug: 29967631] {CVE-2018-12207}
- x86/cpu: Add Tremont to the cpu vulnerability whitelist (Pawan Gupta)
[Orabug: 29967631] {CVE-2018-12207}
- x86: Add ITLB_MULTIHIT bug infrastructure (Pawan Gupta) [Orabug:
29967631] {CVE-2018-12207}
- KVM: x86: MMU: Move mapping_level_dirty_bitmap() call in
mapping_level() (Takuya Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}
- Revert "KVM: x86: use the fast way to invalidate all pages" (Sean
Christopherson) [Orabug: 29967631] {CVE-2018-12207}
- kvm: Convert kvm_lock to a mutex (Junaid Shahid) [Orabug: 29967631]
{CVE-2018-12207}
- KVM: x86: MMU: Simplify force_pt_level calculation code in
FNAME(page_fault)() (Takuya Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: MMU: Make force_pt_level bool (Takuya Yoshikawa) [Orabug:
29967631] {CVE-2018-12207}
- KVM: x86: MMU: Remove unused parameter parent_pte from
kvm_mmu_get_page() (Takuya Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: extend usage of RET_MMIO_PF_* constants (Paolo Bonzini)
[Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: MMU: Make mmu_set_spte() return emulate value (Takuya
Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: MMU: Move parent_pte handling from kvm_mmu_get_page() to
link_shadow_page() (Takuya Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}
- KVM: x86: MMU: Move initialization of parent_ptes out from
kvm_mmu_alloc_page() (Takuya Yoshikawa) [Orabug: 29967631] {CVE-2018-12207}