Description
ELSA-2025-17377: kernel security update (MODERATE)
[5.14.0-570.51.1.0.1_6.OL9]
- nvme-pci: remove two deallocate zeroes quirks [Orabug: 37756650]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
[5.14.0-570.51.1_6]
- wifi: ath12k: Decrement TID on RX peer frag setup error handling (CKI Backport Bot) [RHEL-114705] {CVE-2025-39761}
- RDMA/cxgb4: Notify rdma stack for IB_EVENT_QP_LAST_WQE_REACHED event (CKI Backport Bot) [RHEL-100798]
[5.14.0-570.50.1_6]
- security/keys: fix slab-out-of-bounds in key_task_permission (CKI Backport Bot) [RHEL-68092] {CVE-2024-50301}
- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (Jon Maloy) [RHEL-104730] {CVE-2025-38351}
Updated packages
Oracle Linux 9
Oracle Linux aarch64
kernel-cross-headers 5.14.0-570.51.1.0.1.el9_6
kernel-tools-libs-devel 5.14.0-570.51.1.0.1.el9_6
libperf 5.14.0-570.51.1.0.1.el9_6
python3-perf 5.14.0-570.51.1.0.1.el9_6
kernel-headers 5.14.0-570.51.1.0.1.el9_6
perf 5.14.0-570.51.1.0.1.el9_6
rtla 5.14.0-570.51.1.0.1.el9_6
rv 5.14.0-570.51.1.0.1.el9_6
kernel-tools 5.14.0-570.51.1.0.1.el9_6
kernel-tools-libs 5.14.0-570.51.1.0.1.el9_6
Oracle Linux x86_64
kernel 5.14.0-570.51.1.0.1.el9_6
kernel-abi-stablelists 5.14.0-570.51.1.0.1.el9_6
kernel-core 5.14.0-570.51.1.0.1.el9_6
kernel-debug-modules 5.14.0-570.51.1.0.1.el9_6
kernel-debug-modules-core 5.14.0-570.51.1.0.1.el9_6
kernel-debug-modules-extra 5.14.0-570.51.1.0.1.el9_6
kernel-modules 5.14.0-570.51.1.0.1.el9_6
kernel-modules-extra 5.14.0-570.51.1.0.1.el9_6
kernel-uki-virt-addons 5.14.0-570.51.1.0.1.el9_6
kernel-debug-devel 5.14.0-570.51.1.0.1.el9_6
kernel-debug-devel-matched 5.14.0-570.51.1.0.1.el9_6
kernel-devel 5.14.0-570.51.1.0.1.el9_6
kernel-devel-matched 5.14.0-570.51.1.0.1.el9_6
kernel-doc 5.14.0-570.51.1.0.1.el9_6
kernel-headers 5.14.0-570.51.1.0.1.el9_6
perf 5.14.0-570.51.1.0.1.el9_6
rtla 5.14.0-570.51.1.0.1.el9_6
rv 5.14.0-570.51.1.0.1.el9_6
kernel-cross-headers 5.14.0-570.51.1.0.1.el9_6
kernel-tools-libs-devel 5.14.0-570.51.1.0.1.el9_6
libperf 5.14.0-570.51.1.0.1.el9_6
kernel-debug 5.14.0-570.51.1.0.1.el9_6
kernel-debug-core 5.14.0-570.51.1.0.1.el9_6
kernel-debug-uki-virt 5.14.0-570.51.1.0.1.el9_6
kernel-modules-core 5.14.0-570.51.1.0.1.el9_6
kernel-tools 5.14.0-570.51.1.0.1.el9_6
kernel-tools-libs 5.14.0-570.51.1.0.1.el9_6
kernel-uki-virt 5.14.0-570.51.1.0.1.el9_6
python3-perf 5.14.0-570.51.1.0.1.el9_6
Related CVEs
Related vulnerabilities
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush

In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated.

However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():

  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000
  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel]
  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypa...
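The filtering that the description says was missing can be modelled in user space. The following is an added example, not the kernel patch or any code from this advisory: `is_canonical`, `filter_flush_list`, `count_kept_sample` and the sample list are hypothetical names and constructed values, and the virtual-address width (48 bits for 4-level paging, 57 for 5-level) is passed in as an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* An x86-64 address is canonical when bits 63..(bits-1) are all equal,
 * i.e. the address is the sign extension of its low `bits` bits. */
static int is_canonical(uint64_t addr, unsigned bits)
{
    uint64_t upper = addr >> (bits - 1);            /* bit (bits-1) and up */
    return upper == 0 || upper == (UINT64_MAX >> (bits - 1));
}

/* Copy only canonical GVAs to `out`, skipping the rest, so that nothing
 * non-canonical reaches the per-address invalidation step.
 * Returns the number of entries kept. */
static size_t filter_flush_list(const uint64_t *gvas, size_t n,
                                unsigned bits, uint64_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_canonical(gvas[i], bits))
            continue;                               /* skip, do not fail */
        out[kept++] = gvas[i];
    }
    return kept;
}

/* Constructed guest-supplied list; the third entry is the GVA shown in
 * the warning quoted in the description. */
static const uint64_t sample[] = {
    0x00007fffffffe000ULL,  /* canonical, lower half                */
    0xffff800000000000ULL,  /* canonical, upper half                */
    0xaaaaaaaaaaaaa000ULL,  /* non-canonical at 48 and 57 bits      */
    0x0000800000000000ULL,  /* non-canonical at 48, canonical at 57 */
};

static size_t count_kept_sample(unsigned bits)
{
    uint64_t out[sizeof(sample) / sizeof(sample[0])];
    return filter_flush_list(sample, sizeof(sample) / sizeof(sample[0]),
                             bits, out);
}

int main(void)
{
    printf("kept with 48-bit VA: %zu\n", count_kept_sample(48));
    printf("kept with 57-bit VA: %zu\n", count_kept_sample(57));
    return 0;
}
```

The last sample entry shows why the check has to use the address width that is actually in effect rather than a fixed 48 bits.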