El-errata: ELSA-2021-9085 Important: Oracle Linux 8 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2021-9085
http://linux.oracle.com/errata/ELSA-2021-9085.html
The following updated rpms for Oracle Linux 8 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-5.4.17-2036.104.4.el8uek.x86_64.rpm
kernel-uek-debug-5.4.17-2036.104.4.el8uek.x86_64.rpm
kernel-uek-debug-devel-5.4.17-2036.104.4.el8uek.x86_64.rpm
kernel-uek-devel-5.4.17-2036.104.4.el8uek.x86_64.rpm
kernel-uek-doc-5.4.17-2036.104.4.el8uek.noarch.rpm
aarch64:
kernel-uek-5.4.17-2036.104.4.el8uek.aarch64.rpm
kernel-uek-debug-5.4.17-2036.104.4.el8uek.aarch64.rpm
kernel-uek-debug-devel-5.4.17-2036.104.4.el8uek.aarch64.rpm
kernel-uek-devel-5.4.17-2036.104.4.el8uek.aarch64.rpm
kernel-uek-doc-5.4.17-2036.104.4.el8uek.noarch.rpm
SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.4.17-2036.104.4.el8uek.src.rpm
Description of changes:
[5.4.17-2036.104.4.el8uek]
- KVM: arm64: guest context in x18 instead of x29 (Mihai Carabas) [Orabug: 32545182]
[5.4.17-2036.104.3.el8uek]
- config: enable CONFIG_MLX5_MPFS (Brian Maly) [Orabug: 32249042]
- net: Fix bridge enslavement failure (Ido Schimmel) [Orabug: 32503298]
- inet: do not call sublist_rcv on empty list (Florian Westphal) [Orabug: 32512814]
- KVM: arm64: pmu: Don't mark a counter as chained if the odd one is disabled (Eric Auger) [Orabug: 32499188]
- random: wire /dev/random with a DRBG instance (Saeed Mirzamohammadi) [Orabug: 32522087]
- crypto: drbg - always try to free Jitter RNG instance (Stephan Müller) [Orabug: 32522087]
- crypto: drbg - always seeded with SP800-90B compliant noise source (Stephan Müller) [Orabug: 32522087]
- crypto: jitter - SP800-90B compliance (Stephan Müller) [Orabug: 32522087]
- crypto: jitter - add header to fix buildwarnings (Ben Dooks) [Orabug: 32522087]
- crypto: jitter - fix comments (Alexander E. Patrakov) [Orabug: 32522087]
- xen-blkback: fix error handling in xen_blkbk_map() (Jan Beulich) [Orabug: 32492109] {CVE-2021-26930}
- xen-scsiback: don't "handle" error by BUG() (Jan Beulich) [Orabug: 32492101] {CVE-2021-26931}
- xen-netback: don't "handle" error by BUG() (Jan Beulich) [Orabug: 32492101] {CVE-2021-26931}
- xen-blkback: don't "handle" error by BUG() (Jan Beulich) [Orabug: 32492101] {CVE-2021-26931}
- Xen/gntdev: correct error checking in gntdev_map_grant_pages() (Jan Beulich) [Orabug: 32492093] {CVE-2021-26932}
- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() (Jan Beulich) [Orabug: 32492093] {CVE-2021-26932}
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() (Jan Beulich) [Orabug: 32492093] {CVE-2021-26932}
- Xen/x86: don't bail early from clear_foreign_p2m_mapping() (Jan Beulich) [Orabug: 32492093] {CVE-2021-26932}
[5.4.17-2036.104.2.el8uek]
- tcp: fix to update snd_wl1 in bulk receiver fast path (Neal Cardwell) [Orabug: 32498822]
- selinux: allow reading labels before policy is loaded (Jonathan Lebon) [Orabug: 32492277]
- selinux: allow labeling before policy is loaded (Jonathan Lebon) [Orabug: 32492277]
- KVM: SVM: Initialize prev_ga_tag before use (Suravee Suthikulpanit) [Orabug: 32478549]
- tools/power turbostat: Support additional CPU model numbers (Len Brown) [Orabug: 32422451]
- x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to the to Intel CPU family (Tony Luck) [Orabug: 32422451]
- x86/cpu: Add Sapphire Rapids CPU model number (Tony Luck) [Orabug: 32422451]
- tools/power turbostat: Support Tiger Lake (Chen Yu) [Orabug: 32422451]
- uek-rpm: config-aarch64: enable MEMORY HOTREMOVE (Mihai Carabas) [Orabug: 32353851]
- arm64/mm/hotplug: Ensure early memory sections are all online (Anshuman Khandual) [Orabug: 32353851]
- arm64/mm/hotplug: Enable MEM_OFFLINE event handling (Anshuman Khandual) [Orabug: 32353851]
- arm64/mm/hotplug: Register boot memory hot remove notifier earlier (Anshuman Khandual) [Orabug: 32353851]
- arm64/mm: Enable memory hot remove (Anshuman Khandual) [Orabug: 32353851]
- arm64/mm: Hold memory hotplug lock while walking for kernel page table dump (Anshuman Khandual) [Orabug: 32353851]
- KVM: arm64: Save/restore sp_el0 as part of __guest_enter (Marc Zyngier) [Orabug: 32171445]
- net/mlx4_en: Handle TX error CQE (Moshe Shemesh) [Orabug: 32492969]
- net/mlx4_en: Avoid scheduling restart task if it is already running (Moshe Shemesh) [Orabug: 32492969]
[5.4.17-2036.104.1.el8uek]
- vhost scsi: alloc vhost_scsi with kvzalloc() to avoid delay (Dongli Zhang) [Orabug: 32471677]
- HID: hid-input: fix stylus battery reporting (Dmitry Torokhov) [Orabug: 32464784] {CVE-2020-0431}
- nbd: freeze the queue while we're adding connections (Josef Bacik) [Orabug: 32447285] {CVE-2021-3348}
- futex: Handle faults correctly for PI futexes (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- futex: Simplify fixup_pi_state_owner() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- futex: Use pi_state_update_owner() in put_pi_state() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- futex: Don't enable IRQs unconditionally in put_pi_state() (Dan Carpenter) [Orabug: 32447187] {CVE-2021-3347}
- futex: Provide and use pi_state_update_owner() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- futex: Replace pointless printk in fixup_owner() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- futex: Ensure the correct return value from futex_lock_pi() (Thomas Gleixner) [Orabug: 32447187] {CVE-2021-3347}
- uek-rpm: Enable Oracle Pilot BMC module (Eric Snowberg) [Orabug: 32422662]
- hwmon: Add a new Oracle Pilot BMC driver (Eric Snowberg) [Orabug: 32422662]
- arm64: Reserve only 256M on RPi for crashkernel=auto (Vijay Kumar) [Orabug: 32301026]
[5.4.17-2036.104.0.el8uek]
- Revert "rds: Deregister all FRWR mr with free_mr" (aru kolappan) [Orabug: 32426610]
- thermal: intel_pch_thermal: Add PCI ids for Lewisburg PCH. (Andres Freund) [Orabug: 32424705]
- thermal: intel: intel_pch_thermal: Add Cannon Lake Low Power PCH support (Sumeet Pawnikar) [Orabug: 32424705]
- thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support (Gayatri Kammela) [Orabug: 32424705]
- nfs: Fix security label length not being reset (Jeffrey Mitchell) [Orabug: 32350989]
- ovl: check permission to open real file (Miklos Szeredi) [Orabug: 32046372] {CVE-2020-16120}
- ovl: verify permissions in ovl_path_open() (Miklos Szeredi) [Orabug: 32046372] {CVE-2020-16120}
- ovl: switch to mounter creds in readdir (Miklos Szeredi) [Orabug: 32046372] {CVE-2020-16120}
- ovl: pass correct flags for opening real directory (Miklos Szeredi) [Orabug: 32046372]
- A/A Bonding: Add synchronized bundle failback (Gerd Rausch) [Orabug: 32381883]
An Unbreakable Enterprise Kernel security update has been released for Oracle Linux 8.