[El-errata] ELSA-2025-22854 Moderate: Oracle Linux 10 kernel security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Thu Dec 11 06:49:23 UTC 2025
Oracle Linux Security Advisory ELSA-2025-22854
http://linux.oracle.com/errata/ELSA-2025-22854.html
The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:
x86_64:
kernel-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-abi-stablelists-6.12.0-124.20.1.el10_1.noarch.rpm
kernel-core-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-cross-headers-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-core-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-devel-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-devel-matched-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-modules-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-modules-core-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-modules-extra-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-debug-uki-virt-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-devel-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-devel-matched-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-doc-6.12.0-124.20.1.el10_1.noarch.rpm
kernel-headers-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-modules-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-modules-core-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-modules-extra-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-modules-extra-matched-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-tools-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-tools-libs-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-tools-libs-devel-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-uki-virt-6.12.0-124.20.1.el10_1.x86_64.rpm
kernel-uki-virt-addons-6.12.0-124.20.1.el10_1.x86_64.rpm
libperf-6.12.0-124.20.1.el10_1.x86_64.rpm
perf-6.12.0-124.20.1.el10_1.x86_64.rpm
python3-perf-6.12.0-124.20.1.el10_1.x86_64.rpm
rtla-6.12.0-124.20.1.el10_1.x86_64.rpm
rv-6.12.0-124.20.1.el10_1.x86_64.rpm
aarch64:
kernel-cross-headers-6.12.0-124.20.1.el10_1.aarch64.rpm
kernel-headers-6.12.0-124.20.1.el10_1.aarch64.rpm
kernel-tools-6.12.0-124.20.1.el10_1.aarch64.rpm
kernel-tools-libs-6.12.0-124.20.1.el10_1.aarch64.rpm
kernel-tools-libs-devel-6.12.0-124.20.1.el10_1.aarch64.rpm
libperf-6.12.0-124.20.1.el10_1.aarch64.rpm
perf-6.12.0-124.20.1.el10_1.aarch64.rpm
python3-perf-6.12.0-124.20.1.el10_1.aarch64.rpm
rtla-6.12.0-124.20.1.el10_1.aarch64.rpm
rv-6.12.0-124.20.1.el10_1.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/kernel-6.12.0-124.20.1.el10_1.src.rpm
Related CVEs:
CVE-2025-38737
CVE-2025-39925
CVE-2025-39979
CVE-2025-39981
CVE-2025-39982
CVE-2025-39983
CVE-2025-40047
CVE-2025-40058
CVE-2025-40185
Description of changes:
[6.12.0-124.20.1]
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985782]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Update module name for cryptographic module [Orabug: 37400433]
- Clean git history at setup stage
[6.12.0-124.20.1]
- iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058}
- net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979}
- dpll: zl3073x: Fix output pin registration (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Handle missing or corrupted flash configuration (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Refactor DPLL initialization (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: ZL3073X_I2C and ZL3073X_SPI should depend on NET (Ivan Vecera) [RHEL-114795]
- dpll: Make ZL3073X invisible (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Fix build failure (Ivan Vecera) [RHEL-114795]
- redhat/configs: enable CONFIG_ZL3073X* (Ivan Vecera) [RHEL-114795]
- redhat/configs: enable CONFIG_I2C_MUX_PCA954x on x86 (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to get fractional frequency offset (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to adjust phase (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Implement phase offset monitor feature (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to get phase offset on connected input pin (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to get/set esync on pins (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to get/set frequency on pins (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Implement input pin state setting in automatic mode (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Add support to get/set priority on input pins (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Implement input pin selection in manual mode (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Register DPLL devices and pins (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Read DPLL types and pin properties from system firmware (Ivan Vecera) [RHEL-114795]
- dpll: zl3073x: Fetch invariants during probe (Ivan Vecera) [RHEL-114795]
- dpll: Add basic Microchip ZL3073x support (Ivan Vecera) [RHEL-114795]
- dt-bindings: dpll: Add support for Microchip Azurite chip family (Ivan Vecera) [RHEL-114795]
- dt-bindings: dpll: Add DPLL device and pin (Ivan Vecera) [RHEL-114795]
- idpf: set mac type when adding and removing MAC filters (CKI Backport Bot) [RHEL-123372]
- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-76557]
- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-76557]
- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-76557]
- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114448]
- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114448]
[6.12.0-124.19.1]
- Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: MGMT: Fix sparse errors (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: MGMT: Fix possible UAFs (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: hci_sync: fix set_local_name race condition (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: MGMT: set_mesh: update LE scan interval and window (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: MGMT: Protect mgmt_pending list with its own lock (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete (CKI Backport Bot) [RHEL-122901] {CVE-2025-39981}
- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124134] {CVE-2025-39983}
- can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
- can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124110] {CVE-2025-39925}
- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123824] {CVE-2025-39982}
[6.12.0-124.18.1]
- ice: ice_adapter: release xa entry on adapter allocation failure (CKI Backport Bot) [RHEL-128472] {CVE-2025-40185}
- cifs: Fix oops due to uninitialised variable (CKI Backport Bot) [RHEL-120562] {CVE-2025-38737}
[6.12.0-124.17.1]
- x86/hyperv: Fix kdump on Azure CVMs (Li Tian) [RHEL-129777]
- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113919]
- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124974] {CVE-2025-40047}
More information about the El-errata
mailing list