El-errata: ELSA-2021-2570 Important: Oracle Linux 8 kernel security and bug fix update
Oracle Linux Security Advisory ELSA-2021-2570
http://linux.oracle.com/errata/ELSA-2021-2570.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:
x86_64:
bpftool-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-abi-stablelists-4.18.0-305.7.1.el8_4.noarch.rpm
kernel-core-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-cross-headers-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-debug-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-debug-core-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-debug-devel-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-debug-modules-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-debug-modules-extra-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-devel-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-doc-4.18.0-305.7.1.el8_4.noarch.rpm
kernel-headers-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-modules-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-modules-extra-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-tools-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-tools-libs-4.18.0-305.7.1.el8_4.x86_64.rpm
perf-4.18.0-305.7.1.el8_4.x86_64.rpm
python3-perf-4.18.0-305.7.1.el8_4.x86_64.rpm
kernel-tools-libs-devel-4.18.0-305.7.1.el8_4.x86_64.rpm
aarch64:
bpftool-4.18.0-305.7.1.el8_4.aarch64.rpm
kernel-cross-headers-4.18.0-305.7.1.el8_4.aarch64.rpm
kernel-headers-4.18.0-305.7.1.el8_4.aarch64.rpm
kernel-tools-4.18.0-305.7.1.el8_4.aarch64.rpm
kernel-tools-libs-4.18.0-305.7.1.el8_4.aarch64.rpm
perf-4.18.0-305.7.1.el8_4.aarch64.rpm
python3-perf-4.18.0-305.7.1.el8_4.aarch64.rpm
kernel-tools-libs-devel-4.18.0-305.7.1.el8_4.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-4.18.0-305.7.1.el8_4.src.rpm
Related CVEs:
CVE-2020-26541
CVE-2021-33034
Description of changes:
[4.18.0-305.7.1.el8_4.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 unlocked_driver_cb (Ivan Vecera) [1965457 1946986]
- net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct (Ivan Vecera) [1965457 1946986]
- net/sched: cls_flower: validate ct_state for invalid and reply flags (Ivan Vecera) [1965457 1946986]
- flow_dissector: fix TTL and TOS dissection on IPv4 fragments (Paolo Abeni) [1963952 1950288]
- Revert "sctp: Fix SHUTDOWN CTSN Ack in the peer restart case" (Xin Long) [1965632 1953839]
- sctp: do asoc update earlier in sctp_sf_do_dupcook_b (Xin Long) [1965632 1953839]
- sctp: do asoc update earlier in sctp_sf_do_dupcook_a (Xin Long) [1965632 1953839]
- Bluetooth: verify AMP hci_chan before amp_destroy (Gopal Tiwari) [1962544 1962546] {CVE-2021-33034}
- x86/kvm: Unify kvm_pv_guest_cpu_reboot() with kvm_guest_cpu_offline() (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Disable all PV features on crash (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Disable kvmclock on all CPUs on shutdown (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Teardown PV features on boot CPU as well (Lenny Szubowicz) [1964930 1934273]
- x86/kvm: Fix pr_info() for async PF setup/teardown (Lenny Szubowicz) [1964930 1934273]
- net/sched: act_ct: Fix ct template allocation for zone 0 (Marcelo Ricardo Leitner) [1965150 1881824]
[4.18.0-305.6.1.el8_4]
- openvswitch: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
- net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
- net/sched: act_ct: fix wild memory access when clearing fragments (Davide Caratti) [1963940 1924608]
- net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT (Ivan Vecera)
- redhat/configs: Add CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_REVOCATION_LIST (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: add 'x509_revocation_list' to gitignore (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- integrity: Load mokx variables into the blacklist keyring (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Add ability to preload revocation certs (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Move load_system_certificate_list to a common function (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- certs: Add EFI_CERT_X509_GUID support for dbx entries (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
- net/sched: cls_api: increase max_reclassify_loop (Davide Caratti) [1965148 1955136]
- dm writecache: fix performance degradation in ssd mode (Mike Snitzer) [1962241 1961859]
- scsi: fnic: Use scsi_host_busy_iter() to traverse commands (Ewan D. Milne) [1961705 1949250]
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (Ewan D. Milne) [1961705 1949250]
[4.18.0-305.5.1.el8_4]
- gfs2: report "already frozen/thawed" errors (Bob Peterson) [1961849 1932236]
- gfs2: move freeze glock outside the make_fs_rw and _ro functions (Bob Peterson) [1961849 1932236]
- gfs2: Add common helper for holding and releasing the freeze glock (Bob Peterson) [1961849 1932236]
- gfs2: in signal_our_withdraw wait for unfreeze of _this_ fs only (Bob Peterson) [1961849 1932236]
- gfs2: Don't freeze the file system during unmount (Bob Peterson) [1961849 1932236]
- gfs2: Fix regression in freeze_go_sync (Bob Peterson) [1961849 1932236]
- gfs2: The freeze glock should never be frozen (Bob Peterson) [1961849 1932236]
- gfs2: When freezing gfs2, use GL_EXACT and not GL_NOCACHE (Bob Peterson) [1961849 1932236]
- gfs2: read-only mounts should grab the sd_freeze_gl glock (Bob Peterson) [1961849 1932236]
- gfs2: freeze should work on read-only mounts (Bob Peterson) [1961849 1932236]
- gfs2: Abort gfs2_freeze if io error is seen (Bob Peterson) [1961849 1932236]
- CI: Disable result checking for realtime check (Veronika Kabatova)
- CI: Explicitly disable result checking for private CI (Veronika Kabatova)
- CI: Rename variable (Veronika Kabatova)
- CI: Update builder containers (Veronika Kabatova)
[4.18.0-305.4.1.el8_4]
- vmxnet3: Set the default of vxlan overlay offload to disabled (Cathy Avery) [1960702 1941714]
A kernel security and bug fix update has been released for Oracle Linux 8.