Описание
ELSA-2025-23241: kernel security update (IMPORTANT)
[5.14.0-611.16.1]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]
[5.14.0-611.16.1]
- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
- tls: wait for pending async decryptions if tls_strp_msg_hold fails (CKI Backport Bot) [RHEL-128860] {CVE-2025-40176}
[5.14.0-611.15.1]
- nbd: override creds to kernel when calling sock_{send,recv}msg() (Ming Lei) [RHEL-123845]
- scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-127982]
- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-127982]
- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-70006]
- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-70006]
- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-70006]
[5.14.0-611.14.1]
- iommufd: Fix race during abort for file descriptors (Eder Zulian) [RHEL-123786] {CVE-2025-39966}
Обновленные пакеты
Oracle Linux 9
Oracle Linux aarch64
kernel-cross-headers
5.14.0-611.16.1.el9_7
kernel-headers
5.14.0-611.16.1.el9_7
kernel-tools
5.14.0-611.16.1.el9_7
kernel-tools-libs
5.14.0-611.16.1.el9_7
kernel-tools-libs-devel
5.14.0-611.16.1.el9_7
libperf
5.14.0-611.16.1.el9_7
perf
5.14.0-611.16.1.el9_7
python3-perf
5.14.0-611.16.1.el9_7
rtla
5.14.0-611.16.1.el9_7
rv
5.14.0-611.16.1.el9_7
Oracle Linux x86_64
kernel
5.14.0-611.16.1.el9_7
kernel-abi-stablelists
5.14.0-611.16.1.el9_7
kernel-core
5.14.0-611.16.1.el9_7
kernel-cross-headers
5.14.0-611.16.1.el9_7
kernel-debug
5.14.0-611.16.1.el9_7
kernel-debug-core
5.14.0-611.16.1.el9_7
kernel-debug-devel
5.14.0-611.16.1.el9_7
kernel-debug-devel-matched
5.14.0-611.16.1.el9_7
kernel-debug-modules
5.14.0-611.16.1.el9_7
kernel-debug-modules-core
5.14.0-611.16.1.el9_7
kernel-debug-modules-extra
5.14.0-611.16.1.el9_7
kernel-debug-uki-virt
5.14.0-611.16.1.el9_7
kernel-devel
5.14.0-611.16.1.el9_7
kernel-devel-matched
5.14.0-611.16.1.el9_7
kernel-doc
5.14.0-611.16.1.el9_7
kernel-headers
5.14.0-611.16.1.el9_7
kernel-modules
5.14.0-611.16.1.el9_7
kernel-modules-core
5.14.0-611.16.1.el9_7
kernel-modules-extra
5.14.0-611.16.1.el9_7
kernel-tools
5.14.0-611.16.1.el9_7
kernel-tools-libs
5.14.0-611.16.1.el9_7
kernel-tools-libs-devel
5.14.0-611.16.1.el9_7
kernel-uki-virt
5.14.0-611.16.1.el9_7
kernel-uki-virt-addons
5.14.0-611.16.1.el9_7
libperf
5.14.0-611.16.1.el9_7
perf
5.14.0-611.16.1.el9_7
python3-perf
5.14.0-611.16.1.el9_7
rtla
5.14.0-611.16.1.el9_7
rv
5.14.0-611.16.1.el9_7
Связанные CVE
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.
In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.
In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above.
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns