[El-errata] ELSA-2021-9086 Important: Oracle Linux 7 Unbreakable Enterprise kernel-container security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Mar 9 07:43:05 PST 2021


Oracle Linux Security Advisory ELSA-2021-9086

http://linux.oracle.com/errata/ELSA-2021-9086.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
kernel-uek-container-5.4.17-2036.104.4.el7.x86_64.rpm
kernel-uek-container-debug-5.4.17-2036.104.4.el7.x86_64.rpm



SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-container-5.4.17-2036.104.4.el7.src.rpm



Description of changes:

[5.4.17-2036.104.4.el7uek]
- KVM: arm64: guest context in x18 instead of x29 (Mihai Carabas)  [Orabug: 32545182]

[5.4.17-2036.104.3.el7uek]
- config: enable CONFIG_MLX5_MPFS (Brian Maly)  [Orabug: 32249042]
- net: Fix bridge enslavement failure (Ido Schimmel)  [Orabug: 32503298]
- inet: do not call sublist_rcv on empty list (Florian Westphal)  [Orabug: 32512814]
- KVM: arm64: pmu: Don't mark a counter as chained if the odd one is disabled (Eric Auger)  [Orabug: 32499188]
- random: wire /dev/random with a DRBG instance (Saeed Mirzamohammadi)  [Orabug: 32522087]
- crypto: drbg - always try to free Jitter RNG instance (Stephan Müller)  [Orabug: 32522087]
- crypto: drbg - always seeded with SP800-90B compliant noise source (Stephan Müller)  [Orabug: 32522087]
- crypto: jitter - SP800-90B compliance (Stephan Müller)  [Orabug: 32522087]
- crypto: jitter - add header to fix buildwarnings (Ben Dooks)  [Orabug: 32522087]
- crypto: jitter - fix comments (Alexander E. Patrakov)  [Orabug: 32522087]
- xen-blkback: fix error handling in xen_blkbk_map() (Jan Beulich)  [Orabug: 32492109]  {CVE-2021-26930}
- xen-scsiback: don't "handle" error by BUG() (Jan Beulich)  [Orabug: 32492101]  {CVE-2021-26931}
- xen-netback: don't "handle" error by BUG() (Jan Beulich)  [Orabug: 32492101]  {CVE-2021-26931}
- xen-blkback: don't "handle" error by BUG() (Jan Beulich)  [Orabug: 32492101]  {CVE-2021-26931}
- Xen/gntdev: correct error checking in gntdev_map_grant_pages() (Jan Beulich)  [Orabug: 32492093]  {CVE-2021-26932}
- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() (Jan Beulich)  [Orabug: 32492093]  {CVE-2021-26932}
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() (Jan Beulich)  [Orabug: 32492093]  {CVE-2021-26932}
- Xen/x86: don't bail early from clear_foreign_p2m_mapping() (Jan Beulich)  [Orabug: 32492093]  {CVE-2021-26932}

[5.4.17-2036.104.2.el7uek]
- tcp: fix to update snd_wl1 in bulk receiver fast path (Neal Cardwell)  [Orabug: 32498822]
- selinux: allow reading labels before policy is loaded (Jonathan Lebon)  [Orabug: 32492277]
- selinux: allow labeling before policy is loaded (Jonathan Lebon)  [Orabug: 32492277]
- KVM: SVM: Initialize prev_ga_tag before use (Suravee Suthikulpanit)  [Orabug: 32478549]
- tools/power turbostat: Support additional CPU model numbers (Len Brown)  [Orabug: 32422451]
- x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to the to Intel CPU family (Tony Luck)  [Orabug: 32422451]
- x86/cpu: Add Sapphire Rapids CPU model number (Tony Luck)  [Orabug: 32422451]
- tools/power turbostat: Support Tiger Lake (Chen Yu)  [Orabug: 32422451]
- uek-rpm: config-aarch64: enable MEMORY HOTREMOVE (Mihai Carabas)  [Orabug: 32353851]
- arm64/mm/hotplug: Ensure early memory sections are all online (Anshuman Khandual)  [Orabug: 32353851]
- arm64/mm/hotplug: Enable MEM_OFFLINE event handling (Anshuman Khandual)  [Orabug: 32353851]
- arm64/mm/hotplug: Register boot memory hot remove notifier earlier (Anshuman Khandual)  [Orabug: 32353851]
- arm64/mm: Enable memory hot remove (Anshuman Khandual)  [Orabug: 32353851]
- arm64/mm: Hold memory hotplug lock while walking for kernel page table dump (Anshuman Khandual)  [Orabug: 32353851]
- KVM: arm64: Save/restore sp_el0 as part of __guest_enter (Marc Zyngier)  [Orabug: 32171445]
- net/mlx4_en: Handle TX error CQE (Moshe Shemesh)  [Orabug: 32492969]
- net/mlx4_en: Avoid scheduling restart task if it is already running (Moshe Shemesh)  [Orabug: 32492969]

[5.4.17-2036.104.1.el7uek]
- vhost scsi: alloc vhost_scsi with kvzalloc() to avoid delay (Dongli Zhang)  [Orabug: 32471677]
- HID: hid-input: fix stylus battery reporting (Dmitry Torokhov)  [Orabug: 32464784]  {CVE-2020-0431}
- nbd: freeze the queue while we're adding connections (Josef Bacik)  [Orabug: 32447285]  {CVE-2021-3348}
- futex: Handle faults correctly for PI futexes (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Simplify fixup_pi_state_owner() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Use pi_state_update_owner() in put_pi_state() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Don't enable IRQs unconditionally in put_pi_state() (Dan Carpenter)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Provide and use pi_state_update_owner() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Replace pointless printk in fixup_owner() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- futex: Ensure the correct return value from futex_lock_pi() (Thomas Gleixner)  [Orabug: 32447187]  {CVE-2021-3347}
- uek-rpm: Enable Oracle Pilot BMC module (Eric Snowberg)  [Orabug: 32422662]
- hwmon: Add a new Oracle Pilot BMC driver (Eric Snowberg)  [Orabug: 32422662]
- arm64: Reserve only 256M on RPi for crashkernel=auto (Vijay Kumar)  [Orabug: 32301026]

[5.4.17-2036.104.0.el7uek]
- Revert "rds: Deregister all FRWR mr with free_mr" (aru kolappan)  [Orabug: 32426610]
- thermal: intel_pch_thermal: Add PCI ids for Lewisburg PCH. (Andres Freund)  [Orabug: 32424705]
- thermal: intel: intel_pch_thermal: Add Cannon Lake Low Power PCH support (Sumeet Pawnikar)  [Orabug: 32424705]
- thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support (Gayatri Kammela)  [Orabug: 32424705]
- nfs: Fix security label length not being reset (Jeffrey Mitchell)  [Orabug: 32350989]
- ovl: check permission to open real file (Miklos Szeredi)  [Orabug: 32046372]  {CVE-2020-16120}
- ovl: verify permissions in ovl_path_open() (Miklos Szeredi)  [Orabug: 32046372]  {CVE-2020-16120}
- ovl: switch to mounter creds in readdir (Miklos Szeredi)  [Orabug: 32046372]  {CVE-2020-16120}
- ovl: pass correct flags for opening real directory (Miklos Szeredi)  [Orabug: 32046372]
- A/A Bonding: Add synchronized bundle failback (Gerd Rausch)  [Orabug: 32381883]






