[El-errata] ELSA-2025-19409 Moderate: Oracle Linux 9 kernel security update

Tue Nov 4 10:04:14 UTC 2025

Oracle Linux Security Advisory ELSA-2025-19409

http://linux.oracle.com/errata/ELSA-2025-19409.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-abi-stablelists-5.14.0-570.60.1.0.1.el9_6.noarch.rpm
kernel-core-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-cross-headers-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-core-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-devel-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-devel-matched-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-core-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-extra-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-debug-uki-virt-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-devel-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-devel-matched-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-doc-5.14.0-570.60.1.0.1.el9_6.noarch.rpm
kernel-headers-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-modules-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-modules-core-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-modules-extra-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-tools-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-tools-libs-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-tools-libs-devel-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-uki-virt-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
kernel-uki-virt-addons-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
libperf-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
perf-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
python3-perf-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
rtla-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm
rv-5.14.0-570.60.1.0.1.el9_6.x86_64.rpm

aarch64:
kernel-cross-headers-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
kernel-headers-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
kernel-tools-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
kernel-tools-libs-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
kernel-tools-libs-devel-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
libperf-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
perf-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
python3-perf-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
rtla-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm
rv-5.14.0-570.60.1.0.1.el9_6.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-570.60.1.0.1.el9_6.src.rpm

Related CVEs:

CVE-2022-50367
CVE-2023-53494
CVE-2025-39702

Description of changes:

[5.14.0-570.60.1.0.1]
- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-570.60.1]
- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-117437]
- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-117437]
- crypto: xts - Handle EBUSY correctly (CKI Backport Bot) [RHEL-119235] {CVE-2023-53494}

[5.14.0-570.59.1]
- nvme-tcp: fix premature queue removal and I/O failover (Maurizio Lombardi) [RHEL-105111]
- KVM: arm64: Disable MPAM visibility by default and ignore VMM writes (Gavin Shan) [RHEL-120964]
- KVM: arm64: Add a macro for creating filtered sys_reg_descs entries (Gavin Shan) [RHEL-120964]
- NFSv4: Allow FREE_STATEID to clean up delegations (Benjamin Coddington) [RHEL-118857]
- SUNRPC: Cleanup/fix initial rq_pages allocation (Benjamin Coddington) [RHEL-108160]
- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116666] {CVE-2022-50367}
- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116384] {CVE-2025-39702}