
An Unbreakable Enterprise Kernel security update has been released for Oracle Linux 6.



El-errata: ELSA-2020-5866 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update


Oracle Linux Security Advisory ELSA-2020-5866

  http://linux.oracle.com/errata/ELSA-2020-5866.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-doc-4.1.12-124.43.4.el6uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.43.4.el6uek.noarch.rpm
kernel-uek-4.1.12-124.43.4.el6uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.43.4.el6uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.43.4.el6uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.43.4.el6uek.x86_64.rpm

SRPMS:
  http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-4.1.12-124.43.4.el6uek.src.rpm


Description of changes:

[4.1.12-124.43.4.el6uek]
- kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) (Jann Horn) [Orabug: 29434845] {CVE-2019-6974}
- KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) (Peter Shier) [Orabug: 29434898] {CVE-2019-7221}
- KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) (Paolo Bonzini) [Orabug: 29434924] {CVE-2019-7222}
- net: arc_emac: fix koops caused by sk_buff free (Alexander Kochetkov) [Orabug: 30254239] {CVE-2016-10906}
- GFS2: don't set rgrp gl_object until it's inserted into rgrp tree (Bob Peterson) [Orabug: 30254251] {CVE-2016-10905}
- GFS2: Fix rgrp end rounding problem for bsize < page size (Bob Peterson) [Orabug: 30254251] {CVE-2016-10905}
- x86/apic/msi: update address_hi on set msi affinity (Joe Jin) [Orabug: 31477035]
- x86/apic/msi: check and sync apic IRR on msi_set_affinity (Joe Jin) [Orabug: 31477035]
- net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (Sabrina Dubroca) [Orabug: 31872821] {CVE-2020-1749}
- nfs: Fix getxattr kernel panic and memory overflow (Jeffrey Mitchell) [Orabug: 31872910] {CVE-2020-25212}
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping (Ilya Dryomov) [Orabug: 31884169] {CVE-2020-25284}
- mm/hugetlb: fix a race between hugetlb sysctl handlers (Muchun Song) [Orabug: 31884239] {CVE-2020-25285}
- ext4: fix potential negative array index in do_split() (Eric Sandeen) [Orabug: 31895331] {CVE-2020-14314}

[4.1.12-124.43.3.el6uek]
- ARM: amba: Fix race condition with driver_override (Geert Uytterhoeven) [Orabug: 29671212] {CVE-2018-9415}
- block: blk_init_allocated_queue() set q->fq as NULL in the fail case (xiao jin) [Orabug: 30120513] {CVE-2018-20856}
- USB: serial: omninet: fix reference leaks at open (Johan Hovold) [Orabug: 30484761] {CVE-2017-8925}
- nl80211: validate beacon head (Johannes Berg) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: Use const more consistently in for_each_element macros (Jouni Malinen) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: add and use strongly typed element iteration macros (Johannes Berg) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: add helper to find an IE that matches a byte-array (Luca Coelho) [Orabug: 30556264] {CVE-2019-16746}
- cfg80211: allow finding vendor with OUI without specifying the OUI type (Emmanuel Grumbach) [Orabug: 30556264] {CVE-2019-16746}
- dccp: Fix memleak in __feat_register_sp (YueHaibing) [Orabug: 30732821] {CVE-2019-20096}
- fs/proc/proc_sysctl.c: Fix a NULL pointer dereference (YueHaibing) [Orabug: 30732938] {CVE-2019-20054}
- fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links (YueHaibing) [Orabug: 30732938] {CVE-2019-20054}
- scsi: libsas: stop discovering if oob mode is disconnected (Jason Yan) [Orabug: 30770913] {CVE-2019-19965}
- kernel/sysctl.c: fix out-of-bounds access when setting file-max (Will Deacon) [Orabug: 31350720] {CVE-2019-14898}
- sysctl: handle overflow for file-max (Christian Brauner) [Orabug: 31350720] {CVE-2019-14898}
- ath9k_htc: release allocated buffer if timed out (Navid Emamdoost) [Orabug: 31351572] {CVE-2019-19073}
- can: gs_usb: gs_can_open(): prevent memory leak (Navid Emamdoost) [Orabug: 31351682] {CVE-2019-19052}
- ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit() (Takashi Iwai) [Orabug: 31351837] {CVE-2019-15927}
- media: usb: siano: Fix general protection fault in smsusb (Alan Stern) [Orabug: 31351875] {CVE-2019-15218}
- crypto: vmac - separate tfm and request context (Eric Biggers) [Orabug: 31584410]
- SUNRPC: Fix a race with XPRT_CONNECTING (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Fix disconnection races (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Add a helper to wake up a sleeping rpc_task and set its status (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Reduce latency when send queue is congested (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: RPC transport queue must be low latency (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Fix a potential race in xprt_connect() (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() (NeilBrown) [Orabug: 31796770]
- SUNRPC: Fix races between socket connection and destroy code (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Prevent SYN+SYNACK+RST storms (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Report TCP errors to the caller (Trond Myklebust) [Orabug: 31796770]
- SUNRPC: Ensure we release the TCP socket once it has been closed (Trond Myklebust) [Orabug: 31796770]
- net-gro: fix use-after-free read in napi_gro_frags() (Eric Dumazet) [Orabug: 31856195] {CVE-2020-10720}
- PCI: Probe bridge window attributes once at enumeration-time (Bjorn Helgaas) [Orabug: 31867577]

[4.1.12-124.43.2.el6uek]
- ALSA: seq: Cancel pending autoload work at unbinding device (Takashi Iwai) [Orabug: 31352045] {CVE-2017-16528}
- USB: serial: io_ti: fix information leak in completion handler (Johan Hovold) [Orabug: 31352084] {CVE-2017-8924}
- sample-trace-array: Fix sleeping function called from invalid context (Kefeng Wang) [Orabug: 31543032]
- sample-trace-array: Remove trace_array 'sample-instance' (Kefeng Wang) [Orabug: 31543032]
- tracing: Sample module to demonstrate kernel access to Ftrace instances. (Divya Indi) [Orabug: 31543032]
- tracing: Adding new functions for kernel access to Ftrace instances (Aruna Ramakrishna) [Orabug: 31543032]
- tracing: Adding NULL checks for trace_array descriptor pointer (Divya Indi) [Orabug: 31543032]
- tracing: Verify if trace array exists before destroying it. (Divya Indi) [Orabug: 31543032]
- tracing: Declare newly exported APIs in include/linux/trace.h (Divya Indi) [Orabug: 31543032]
- tracing: Kernel access to Ftrace instances (Divya Indi) [Orabug: 31543032]

[4.1.12-124.43.1.el6uek]
- blktrace: Protect q->blk_trace with RCU (Jan Kara) [Orabug: 31123576] {CVE-2019-19768}
- media: technisat-usb2: break out of loop at end of buffer (Sean Young) [Orabug: 31224554] {CVE-2019-15505}
- btrfs: merge btrfs_find_device and find_device (Anand Jain) [Orabug: 31351746] {CVE-2019-18885}
- RDMA/cxgb4: Do not dma memory off of the stack (Greg KH) [Orabug: 31351783] {CVE-2019-17075}
- mwifiex: Abort at too short BSS descriptor element (Takashi Iwai) [Orabug: 31351916] {CVE-2019-3846}
- mwifiex: Fix possible buffer overflows at parsing bss descriptor (Takashi Iwai) [Orabug: 31351916] {CVE-2019-3846} {CVE-2019-3846}
- repair kABI breakage from "fs: prevent page refcount overflow in pipe_buf_get" (Dan Duval) [Orabug: 31351941] {CVE-2019-11487}
- mm: prevent get_user_pages() from overflowing page refcount (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}
- mm: add 'try_get_page()' helper function (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}
- fs: prevent page refcount overflow in pipe_buf_get (Matthew Wilcox) [Orabug: 31351941] {CVE-2019-11487}
- mm: make page ref count overflow check tighter and more explicit (Linus Torvalds) [Orabug: 31351941] {CVE-2019-11487}
- sctp: implement memory accounting on tx path (Xin Long) [Orabug: 31351960] {CVE-2019-3874}
- sunrpc: use SVC_NET() in svcauth_gss_* functions (Vasily Averin) [Orabug: 31351995] {CVE-2018-16884}
- sunrpc: use-after-free in svc_process_common() (Vasily Averin) [Orabug: 31351995] {CVE-2018-16884}
- af_packet: set defaule value for tmo (Mao Wenan) [Orabug: 31439107] {CVE-2019-20812}
- selinux: properly handle multiple messages in selinux_netlink_send() (Paul Moore) [Orabug: 31439369] {CVE-2020-10751}
- selinux: Print 'sclass' as string when unrecognized netlink message occurs (Marek Milkovic) [Orabug: 31439369] {CVE-2020-10751}
- mac80211: Do not send Layer 2 Update frame before authorization (Jouni Malinen) [Orabug: 31473652] {CVE-2019-5108}
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (Dedy Lansky) [Orabug: 31473652] {CVE-2019-5108}
- crypto: authenc - fix parsing key with misaligned rta_len (Eric Biggers) [Orabug: 31535529] {CVE-2020-10769}
- vgacon: Fix for missing check in scrollback handling (Yunhai Zhang) [Orabug: 31705121] {CVE-2020-14331} {CVE-2020-14331}
- rename kABI whitelists to lockedlists (Dan Duval) [Orabug: 31783151]

[4.1.12-124.42.4.el6uek]
- rds/ib: Make i_{recv,send}_hdrs non-contigious (Hans Westgaard Ry) [Orabug: 30634865]
- md: get sysfs entry after redundancy attr group create (Junxiao Bi) [Orabug: 31683116]
- md: fix deadlock causing by sysfs_notify (Junxiao Bi) [Orabug: 31683116]

[4.1.12-124.42.3.el6uek]
- can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices (Tomas Bortoli) [Orabug: 31351221] {CVE-2019-19535}
- media: hdpvr: Fix an error handling path in hdpvr_probe() (Arvind Yadav) [Orabug: 31352053] {CVE-2017-16644}
- fs/binfmt_misc.c: do not allow offset overflow (Thadeu Lima de Souza Cascardo) [Orabug: 31588258]
- clear inode and truncate pages before enqueuing for async inactivation (Gautham Ananthakrishna) [Orabug: 31744270]

[4.1.12-124.42.2.el6uek]
- mm: create alloc_last_chance debugfs entries (Mike Kravetz) [Orabug: 31295499]
- mm: perform 'last chance' reclaim efforts before allocation failure (Mike Kravetz) [Orabug: 31295499]
- mm: let page allocation slowpath retry 'order' times (Mike Kravetz) [Orabug: 31295499]
- fix kABI breakage from "netns: provide pure entropy for net_hash_mix()" (Dan Duval) [Orabug: 31351904] {CVE-2019-10638} {CVE-2019-10639}
- netns: provide pure entropy for net_hash_mix() (Eric Dumazet) [Orabug: 31351904] {CVE-2019-10638} {CVE-2019-10639}
- hrtimer: Annotate lockless access to timer->base (Eric Dumazet) [Orabug: 31380495]
- rds: ib: Revert "net/rds: Avoid stalled connection due to CM REQ retries" (Håkon Bugge) [Orabug: 31648141]
- rds: Clear reconnect pending bit (Håkon Bugge) [Orabug: 31648141]
- RDMA/netlink: Do not always generate an ACK for some netlink operations (Håkon Bugge) [Orabug: 31666975]
- genirq/proc: Return proper error code when irq_set_affinity() fails (Wen Yaxng) [Orabug: 31723450]

[4.1.12-124.42.1.el6uek]
- fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (Alexander Potapenko) [Orabug: 31350639] {CVE-2020-10732}
- crypto: user - fix memory leak in crypto_report (Navid Emamdoost) [Orabug: 31351640] {CVE-2019-19062}
- of: unittest: fix memory leak in unittest_data_add (Navid Emamdoost) [Orabug: 31351702] {CVE-2019-19049}
- IB/sa: Resolv use-after-free in ib_nl_make_request() (Divya Indi) [Orabug: 31656992]
- net-sysfs: call dev_hold if kobject_init_and_add success (YueHaibing) [Orabug: 31687545] {CVE-2019-20811}