[El-errata] ELSA-2025-19930 Moderate: Oracle Linux 9 kernel security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed Nov 12 16:42:02 UTC 2025
Oracle Linux Security Advisory ELSA-2025-19930
http://linux.oracle.com/errata/ELSA-2025-19930.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
kernel-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-abi-stablelists-5.14.0-570.62.1.0.1.el9_6.noarch.rpm
kernel-core-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-cross-headers-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-core-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-devel-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-devel-matched-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-core-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-modules-extra-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-debug-uki-virt-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-devel-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-devel-matched-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-doc-5.14.0-570.62.1.0.1.el9_6.noarch.rpm
kernel-headers-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-modules-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-modules-core-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-modules-extra-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-tools-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-tools-libs-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-tools-libs-devel-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-uki-virt-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
kernel-uki-virt-addons-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
libperf-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
perf-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
python3-perf-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
rtla-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
rv-5.14.0-570.62.1.0.1.el9_6.x86_64.rpm
aarch64:
kernel-cross-headers-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
kernel-headers-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
kernel-tools-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
kernel-tools-libs-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
kernel-tools-libs-devel-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
libperf-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
perf-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
python3-perf-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
rtla-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
rv-5.14.0-570.62.1.0.1.el9_6.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-570.62.1.0.1.el9_6.src.rpm
Related CVEs:
CVE-2024-36350
CVE-2024-36357
CVE-2025-40300
Description of changes:
[5.14.0-570.62.1.0.1]
- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
[5.14.0-570.62.1]
- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114270]
- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114270] {CVE-2025-40300}
- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114270]
- redhat/configs: Enable CONFIG_MITIGATION_TSA for x86 (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/process: Move the buffer clearing before MONITOR (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-36357 CVE-2024-36350}
- x86/microcode/AMD: Add TSA microcode SHAs (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-36357 CVE-2024-36350}
- KVM: SVM: Advertise TSA CPUID bits to guests (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-36357 CVE-2024-36350}
- x86/bugs: Add a Transient Scheduler Attacks mitigation (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-36357 CVE-2024-36350}
- x86/bugs: Rename MDS machinery to something more generic (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-36357 CVE-2024-36350}
(Waiman Long) [RHEL-83896 RHEL-83905]
- x86/idle: Remove .s output beautifying delimiters from simpler asm() templates (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/idle: Standardize argument types for MONITOR{,X} and MWAIT{,X} instruction wrappers on 'u32' (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt() (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Rename mmio_stale_data_clear to cpu_buf_vm_clear (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode: Consolidate the loader enablement checking (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2025-22047}
- x86/microcode/AMD: Add some forgotten models to the SHA check (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Load only SHA256-checksummed patches (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Add get_patch_level() (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Get rid of the _load_microcode_amd() forward declaration (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Merge early_apply_microcode() into its single callsite (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Remove unused save_microcode_in_initrd_amd() declarations (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Remove ugly linebreak in __verify_patch_section() signature (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpu: Introduce new microcode matching helper (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Remove ret local var in early_apply_microcode() (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Have __apply_microcode_amd() return bool (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Return bool from find_blobs_in_containers() (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Flush patch buffer mapping after application (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/CPU/AMD: Terminate the erratum_1386_microcode array (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-56721}
- x86/mm: Carve out INVLPG inline asm for use by others (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpu: Fix formatting of cpuid_bits[] in scattered.c (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpufeatures: Add X86_FEATURE_AMD_WORKLOAD_CLASS feature bit (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Split load_microcode_amd() (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Pay attention to the stepping dynamically (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Use code segment selector for VERW operand (Waiman Long) [RHEL-83896 RHEL-83905] {CVE-2024-50072}
- x86/microcode/AMD: Fix a -Wsometimes-uninitialized clang false positive (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/microcode/AMD: Use the family,model,stepping encoded in the patch ID (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/CPU/AMD: Improve the erratum 1386 workaround (Waiman Long) [RHEL-83896 RHEL-83905]
- x86: Add a comment about the "magic" behind shadow sti before mwait (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Revert "Reverse instruction order of CLEAR_CPU_BUFFERS" (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: KVM: Add support for SRSO_MSR_FIX (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (Waiman Long) [RHEL-83896 RHEL-83905]
- KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add SRSO_USER_KERNEL_NO support (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Do not use UNTRAIN_RET with IBPB on entry (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Skip RSB fill at VMEXIT (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpufeatures: Add a IBPB_NO_RET BUG flag (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Fix handling when SRSO mitigation is disabled (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add missing NO_SSB flag (Waiman Long) [RHEL-83896 RHEL-83905]
- Documentation/srso: Document a method for checking safe RET operates properly (Waiman Long) [RHEL-83896 RHEL-83905]
- redhat/configs: Add new CONFIG_MITIGATION_* kconfig files (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for GDS (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Remove GDS Force Kconfig option (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for SSB (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for Spectre V2 (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for SRBDS (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for Spectre v1 (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for RETBLEED (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for L1TF (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for MMIO Stable Data (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for TAA (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Add a separate config for MDS (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpufeatures: Flip the /proc/cpuinfo appearance logic (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/bugs: Switch to new Intel CPU model defines (Waiman Long) [RHEL-83896 RHEL-83905]
- x86/cpu: Use EXPORT_PER_CPU_SYMBOL_GPL() for x86_spec_ctrl_current (Waiman Long) [RHEL-83896 RHEL-83905]
- docs: move x86 documentation into Documentation/arch/ (Waiman Long) [RHEL-83896 RHEL-83905]
- cxgb4: Avoid removal of uninserted tid JIRA: https://issues.redhat.com/browse/RHEL-112152 (Jakub Ramaseuski)
[5.14.0-570.61.1]
- NFS: Extend rdirplus mount option with "force|none" (CKI Backport Bot) [RHEL-118450]
- sched: Fix stop_one_cpu_nowait() vs hotplug (Luis Claudio R. Goncalves) [RHEL-116212]
- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114433]
- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114433]
- debugfs: lockdown: Allow reading debugfs files that are not world readable (Mete Durlu) [RHEL-114433]