[El-errata] ELSA-2025-4341 Important: Oracle Linux 9 kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu May 1 20:29:59 UTC 2025 

Oracle Linux Security Advisory ELSA-2025-4341

http://linux.oracle.com/errata/ELSA-2025-4341.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-7.4.0-503.40.1.el9_5.x86_64.rpm
kernel-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-abi-stablelists-5.14.0-503.40.1.el9_5.noarch.rpm
kernel-core-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-core-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-devel-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-devel-matched-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-modules-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-modules-core-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-modules-extra-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-debug-uki-virt-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-devel-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-devel-matched-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-doc-5.14.0-503.40.1.el9_5.noarch.rpm
kernel-headers-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-modules-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-modules-core-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-modules-extra-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-tools-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-tools-libs-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-uki-virt-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-uki-virt-addons-5.14.0-503.40.1.el9_5.x86_64.rpm
perf-5.14.0-503.40.1.el9_5.x86_64.rpm
python3-perf-5.14.0-503.40.1.el9_5.x86_64.rpm
rtla-5.14.0-503.40.1.el9_5.x86_64.rpm
rv-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-cross-headers-5.14.0-503.40.1.el9_5.x86_64.rpm
kernel-tools-libs-devel-5.14.0-503.40.1.el9_5.x86_64.rpm
libperf-5.14.0-503.40.1.el9_5.x86_64.rpm

aarch64:
bpftool-7.4.0-503.40.1.el9_5.aarch64.rpm
kernel-headers-5.14.0-503.40.1.el9_5.aarch64.rpm
kernel-tools-5.14.0-503.40.1.el9_5.aarch64.rpm
kernel-tools-libs-5.14.0-503.40.1.el9_5.aarch64.rpm
perf-5.14.0-503.40.1.el9_5.aarch64.rpm
python3-perf-5.14.0-503.40.1.el9_5.aarch64.rpm
rtla-5.14.0-503.40.1.el9_5.aarch64.rpm
rv-5.14.0-503.40.1.el9_5.aarch64.rpm
kernel-cross-headers-5.14.0-503.40.1.el9_5.aarch64.rpm
kernel-tools-libs-devel-5.14.0-503.40.1.el9_5.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//kernel-5.14.0-503.40.1.el9_5.src.rpm

Related CVEs:

CVE-2024-42292
CVE-2024-42322
CVE-2024-44990
CVE-2024-46826
CVE-2025-21927




Description of changes:

[5.14.0-503.40.1.el9_5.OL9]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates

[5.14.0-503.40.1.el9_5]
- nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() (Chris Leech) [RHEL-87479] {CVE-2025-21927}
- ipvs: properly dereference pe in ip_vs_add_service (Phil Sutter) [RHEL-75438] {CVE-2024-42322}
- bonding: fix null pointer deref in bond_ipsec_offload_ok (CKI Backport Bot) [RHEL-75453] {CVE-2024-44990}
- smb: client: don't retry IO on failed negprotos with soft mounts (Jay Shin) [RHEL-85523]
- bonding: Correctly support GSO ESP offload (CKI Backport Bot) [RHEL-73403]
- team: prevent adding a device which is already a team device lower (Hangbin Liu) [RHEL-73403]
- team: Fix feature exposure when no ports are present (Hangbin Liu) [RHEL-73403]
- team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL (Hangbin Liu) [RHEL-73403]
- team: Fix initial vlan_feature set in __team_compute_features (Hangbin Liu) [RHEL-73403]
- bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL (Hangbin Liu) [RHEL-73403]
- bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features (Hangbin Liu) [RHEL-73403]
- net, team, bonding: Add netdev_base_features helper (Hangbin Liu) [RHEL-73403]
- bonding: add ESP offload features when slaves support (Hangbin Liu) [RHEL-73403]
- net: team: rename team to team_core for linking (Hangbin Liu) [RHEL-73403]
- netfilter: br_netfilter: fix panic with metadata_dst skb (Ivan Vecera) [RHEL-71956]
- bridge: mcast: Fail MDB get request on empty entry (Ivan Vecera) [RHEL-71956]
- net: stmmac: dwmac-tegra: Fix link bring-up sequence (Jose Ignacio Tornos Martinez) [RHEL-73478]
- kobject_uevent: Fix OOB access within zap_modalias_env() (CKI KWF BOT) [RHEL-75435] {CVE-2024-42292}

[5.14.0-503.39.1.el9_5]
- igb: cope with large MAX_SKB_FRAGS (Corinna Vinschen) [RHEL-75552]
- x86/sev: Ensure that RMP table fixups are reserved (Bandan Das) [RHEL-84716]
- ELF: fix kernel.randomize_va_space double read (Rafael Aquini) [RHEL-75456] {CVE-2024-46826}
- smb: client: fix double put of @cfile in smb2_set_path_size() (Paulo Alcantara) [RHEL-79342] {CVE-2024-46796}
- smb: client: fix double put of @cfile in smb2_rename_path() (Paulo Alcantara) [RHEL-79342] {CVE-2024-46736}
- smb: client: fix FSCTL_GET_REPARSE_POINT against NetApp (Paulo Alcantara) [RHEL-79342]

More information about the El-errata mailing list