ELSA-2021-2570

Описание

[4.18.0-305.7.1_4.OL8]

• Update Oracle Linux certificates (Kevin Lyons)
• Disable signing for aarch64 (Ilya Okomin)
• Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
• Update x509.genkey [Orabug: 24817676]
• Conflict with shim-ia32 and shim-x64 <= 15-11.0.5

[4.18.0-305.7.1_4]

• net: zero-initialize tc skb extension on allocation (Ivan Vecera) [1965457 1946986]
• net/sched: cls_flower: fix only mask bit check in the validate_ct_state (Ivan Vecera) [1965457 1946986]
• net: cls_api: Fix uninitialised struct field bo->unlocked_driver_cb (Ivan Vecera) [1965457 1946986]
• net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct (Ivan Vecera) [1965457 1946986]
• net/sched: cls_flower: validate ct_state for invalid and reply flags (Ivan Vecera) [1965457 1946986]
• flow_dissector: fix TTL and TOS dissection on IPv4 fragments (Paolo Abeni) [1963952 1950288]
• Revert 'sctp: Fix SHUTDOWN CTSN Ack in the peer restart case' (Xin Long) [1965632 1953839]
• sctp: do asoc update earlier in sctp_sf_do_dupcook_b (Xin Long) [1965632 1953839]
• sctp: do asoc update earlier in sctp_sf_do_dupcook_a (Xin Long) [1965632 1953839]
• Bluetooth: verify AMP hci_chan before amp_destroy (Gopal Tiwari) [1962544 1962546] {CVE-2021-33034}
• x86/kvm: Unify kvm_pv_guest_cpu_reboot() with kvm_guest_cpu_offline() (Lenny Szubowicz) [1964930 1934273]
• x86/kvm: Disable all PV features on crash (Lenny Szubowicz) [1964930 1934273]
• x86/kvm: Disable kvmclock on all CPUs on shutdown (Lenny Szubowicz) [1964930 1934273]
• x86/kvm: Teardown PV features on boot CPU as well (Lenny Szubowicz) [1964930 1934273]
• x86/kvm: Fix pr_info() for async PF setup/teardown (Lenny Szubowicz) [1964930 1934273]
• net/sched: act_ct: Fix ct template allocation for zone 0 (Marcelo Ricardo Leitner) [1965150 1881824]

[4.18.0-305.6.1_4]

• openvswitch: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
• net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets (Davide Caratti) [1963940 1924608]
• net/sched: act_ct: fix wild memory access when clearing fragments (Davide Caratti) [1963940 1924608]
• net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT (Ivan Vecera)
• redhat/configs: Add CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_REVOCATION_LIST (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• certs: add 'x509_revocation_list' to gitignore (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• integrity: Load mokx variables into the blacklist keyring (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• certs: Add ability to preload revocation certs (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• certs: Move load_system_certificate_list to a common function (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• certs: Add EFI_CERT_X509_GUID support for dbx entries (Vladis Dronov) [1965270 1893793] {CVE-2020-26541}
• net/sched: cls_api: increase max_reclassify_loop (Davide Caratti) [1965148 1955136]
• dm writecache: fix performance degradation in ssd mode (Mike Snitzer) [1962241 1961859]
• scsi: fnic: Use scsi_host_busy_iter() to traverse commands (Ewan D. Milne) [1961705 1949250]
• scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (Ewan D. Milne) [1961705 1949250]

[4.18.0-305.5.1_4]

• gfs2: report 'already frozen/thawed' errors (Bob Peterson) [1961849 1932236]
• gfs2: move freeze glock outside the make_fs_rw and _ro functions (Bob Peterson) [1961849 1932236]
• gfs2: Add common helper for holding and releasing the freeze glock (Bob Peterson) [1961849 1932236]
• gfs2: in signal_our_withdraw wait for unfreeze of this fs only (Bob Peterson) [1961849 1932236]
• gfs2: Don't freeze the file system during unmount (Bob Peterson) [1961849 1932236]
• gfs2: Fix regression in freeze_go_sync (Bob Peterson) [1961849 1932236]
• gfs2: The freeze glock should never be frozen (Bob Peterson) [1961849 1932236]
• gfs2: When freezing gfs2, use GL_EXACT and not GL_NOCACHE (Bob Peterson) [1961849 1932236]
• gfs2: read-only mounts should grab the sd_freeze_gl glock (Bob Peterson) [1961849 1932236]
• gfs2: freeze should work on read-only mounts (Bob Peterson) [1961849 1932236]
• gfs2: Abort gfs2_freeze if io error is seen (Bob Peterson) [1961849 1932236]
• CI: Disable result checking for realtime check (Veronika Kabatova)
• CI: Explicitly disable result checking for private CI (Veronika Kabatova)
• CI: Rename variable (Veronika Kabatova)
• CI: Update builder containers (Veronika Kabatova)

[4.18.0-305.4.1_4]

• vmxnet3: Set the default of vxlan overlay offload to disabled (Cathy Avery) [1960702 1941714]