[El-errata] ELSA-2018-1319 Important: Oracle Linux 6 kernel security and bug fix update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue May 8 22:57:41 PDT 2018


Oracle Linux Security Advisory ELSA-2018-1319

http://linux.oracle.com/errata/ELSA-2018-1319.html

The following updated rpms for Oracle Linux 6 have been uploaded to the 
Unbreakable Linux Network:

i386:
kernel-2.6.32-696.28.1.el6.i686.rpm
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-debug-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
kernel-headers-2.6.32-696.28.1.el6.i686.rpm
perf-2.6.32-696.28.1.el6.i686.rpm
python-perf-2.6.32-696.28.1.el6.i686.rpm

x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-2.6.32-696.28.1.el6.src.rpm



Description of changes:

[2.6.32-696.28.1.el6.OL6]
- Update genkey [bug 25599697]

[2.6.32-696.28.1.el6]
- [x86] entry/64: Don't use IST entry for #BP stack (Waiman Long) 
[1567078 1567079] {CVE-2018-8897}
- [x86] xen: do not use xen_info on HVM, set pv_info name to "Xen HVM" 
(Vitaly Kuznetsov) [1569141 1568241]

[2.6.32-696.27.1.el6]
- [mm] account skipped entries to avoid looping in find_get_pages (Dave 
Wysochanski) [1565989 1559386]
- [x86] pti/32: Don't use trampoline stack on Xen PV (Waiman Long) 
[1568327 1562725]
- [x86] pti: Use boot_cpu_has(X86_FEATURE_PTI_SUPPORT) for early call 
sites (Waiman Long) [1568327 1562725]
- [x86] pti: Set X86_FEATURE_PTI_SUPPORT early (Waiman Long) [1568327 
1562725]
- [x86] pti: Rename X86_FEATURE_NOPTI to X86_FEATURE_PTI_SUPPORT (Waiman 
Long) [1568327 1562725]
- [x86] pti/32: Fix setup_trampoline_page_table() bug (Waiman Long) 
[1568327 1562725]
- [x86] entry: Remove extra argument in call instruction (Waiman Long) 
[1568332 1562552]
- [x86] syscall: Fix ia32_ptregs handling bug in 64-bit kernel (Waiman 
Long) [1568332 1562552]
- [x86] efi/64: Align efi_pgd on even page boundary (Waiman Long) 
[1568535 1558845]
- [x86] pgtable/pae: Revert "Use separate kernel PMDs for user 
page-table" (Waiman Long) [1568535 1558845]
- [x86] pgtable/pae: Revert "Unshare kernel PMDs when PTI is enabled" 
(Waiman Long) [1568535 1558845]
- [x86] mm: Dump both kernel & user page tables at fault (Waiman Long) 
[1568535 1558845]
- [x86] entry/32: Fix typo in PARANOID_EXIT_TO_KERNEL_MODE (Waiman Long) 
[1568535 1558845]

[2.6.32-696.26.1.el6]
- [s390] qeth: check not more than 16 SBALEs on the completion queue 
(Hendrik Brueckner) [1557477 1520860]
- [x86] pti: Disable kaiser_add_mapping if X86_FEATURE_NOPTI (Waiman 
Long) [1561441 1557562] {CVE-2017-5754}
- [x86] irq/ioapic: Check for valid irq_cfg pointer in 
smp_irq_move_cleanup_interrupt (Waiman Long) [1553283 1550599] 
{CVE-2017-5754}
- [x86] kexec/64: Clear control page after PGD init (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] efi/64: Fix potential PTI data corruption problem (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Fix machine check with PTI on old AMD CPUs (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Enable PAGE_GLOBAL if not affected by Meltdown (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] retpoline: Avoid retpolines for built-in __init functions 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] kexec/32: Allocate 8k PGD for PTI (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] spec_ctrl: Patch out lfence on old 32-bit CPUs (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 
microcodes (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Enable IBRS processing on kernel entries & exits 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Stuff RSB on kernel entry (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32 (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/32: Add a PAE specific version of __pti_set_user_pgd (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Support PAE page table dumping (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Use separate kernel PMDs for user page-table 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/pae: Populate valid user PGD entries (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] pti: Enable x86-32 for kaiser.c (Waiman Long) [1553283 1550599] 
{CVE-2017-5754}
- [x86] pti: Disable PCID handling in x86-32 TLB flushing code (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Disable user PGD poisoning for PAE (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move more PTI functions out of pgtable_64.h (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move pgdp kernel/user conversion functions to pgtable.h 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/32: Allocate 8k page-tables when PTI is enabled (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Unshare kernel PMDs when PTI is enabled (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle debug exception similar to NMI (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switch to non-NMI entry/exit points 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switches to NMI handler code (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enable the use of trampoline stack (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Change INT80 to be an interrupt gate (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle Entry from Kernel-Mode on Entry-Stack (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Leave the kernel via trampoline stack (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enter the kernel via trampoline stack (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Restore segments before int registers (Waiman Long) 
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Split off return-to-kernel path (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] entry/32: Unshare NMI return path (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] entry/32: Put ESPFIX code into a macro (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Rename TSS_sysenter_sp0 to TSS_entry_stack (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Add X86_FEATURE_NOPTI to permanently disable PTI (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Simplify and fix up the SYSENTER stack #DB/NMI fixup 
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] doublefault: Set the right gs register for doublefault (Waiman 
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] syscall: int80 must not clobber r12-15 (Waiman Long) [1553283 
1550599] {CVE-2017-5754}
- [x86] syscall: change ia32_syscall() to create the full register frame 
in ia32_do_call() (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] cve: Make all Meltdown/Spectre percpu variables available to 
x86-32 (Waiman Long) [1553283 1550599] {CVE-2017-5754}

[2.6.32-696.25.1.el6]
- [net] packet: Allow packets with only a header (but no payload) 
(Lorenzo Bianconi) [1557896 1535024]
- [net] packet: make packet too small warning match condition (Lorenzo 
Bianconi) [1557896 1535024]
- [net] packet: bail out of packet_snd() if L2 header creation fails 
(Lorenzo Bianconi) [1557896 1535024]
- [net] packet: make packet_snd fail on len smaller than l2 header 
(Lorenzo Bianconi) [1557896 1535024]
- [net] dccp: use-after-free in DCCP code (Stefano Brivio) [1520818 
1520817] {CVE-2017-8824}
- [fs] nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) 
[1447640 1447641] {CVE-2017-7645}
- [netdrv] be2net: Fix UE detection logic for BE3 (Ivan Vecera) [1552706 
1437991]
- [x86] skip check for spurious faults for non-present faults (Daniel 
Vacek) [1551471 1495167]
- [x86] mm: Fix boot crash caused by incorrect loop count calculation in 
sync_global_pgds() (Daniel Vacek) [1551471 1495167]
- [scsi] lpfc: Null pointer dereference when log_verbose is set to 
0xffffffff (Dick Kennedy) [1540481 1538340]
- [mm] prevent concurrent unmap_mapping_range() on the same inode 
(Miklos Szeredi) [1538654 1408108]
- [s390] fix transactional execution control register handling (Hendrik 
Brueckner) [1538591 1520862]
- [netdrv] bnx2x: prevent crash when accessing PTP with interface down 
(Michal Schmidt) [1538586 1518669]
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic 
fixup (Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic 
(Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff 
(Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: fix handling of malformed TCP header and 
options (Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: SYN packets are allowed to contain data 
(Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] bluetooth: Prevent uninitialized data (Gopal Tiwari) [1519627 
1519626] {CVE-2017-1000410}

[2.6.32-696.24.1.el6]
- [kernel] sched/core: Rework rq->clock update skips (Lauro Ramos 
Venancio) [1551475 1212959]
- [kernel] sched: Remove useless code in yield_to() (Lauro Ramos 
Venancio) [1551475 1212959]
- [kernel] sched: Set skip_clock_update in yield_task_fair() (Lauro 
Ramos Venancio) [1551475 1212959]
- [kernel] sched, rt: Update rq clock when unthrottling of an otherwise 
idle CPU (Lauro Ramos Venancio) [1551475 1212959]
- [kernel] lockdep: Fix lock_is_held() on recursion (Lauro Ramos 
Venancio) [1551475 1212959]
- [net] bonding: discard lowest hash bit for 802.3ad layer3+4 (Hangbin 
Liu) [1550103 1532167]




