Description
ELSA-2025-7531: kernel security update (IMPORTANT)
[4.18.0-553.52.1_10.OL8]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.3
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34750652]
[4.18.0-553.52.1_10.gfd1b]
- netfilter: ipset: add missing range check in bitmap_ip_uadt (Florian Westphal) [RHEL-70268] {CVE-2024-53141}
- NFS: Extend rdirplus mount option with 'force|none' (Benjamin Coddington) [RHEL-16285]
- idpf: trigger SW interrupt when exiting wb_on_itr mode (Michal Schmidt) [RHEL-73266]
- idpf: add support for SW triggered interrupts (Michal Schmidt) [RHEL-73266]
- idpf: fix VF dynamic interrupt ctl register initialization (Michal Schmidt) [RHEL-73266]
- idpf: enable WB_ON_ITR (Michal Schmidt) [RHEL-73266]
- redhat: require recent enough linux-firmware for qed (Denys Vlasenko) [RHEL-6342]
- gfs2: deallocate inodes in gfs2_create_inode (Andreas Gruenbacher) [RHEL-7875]
- gfs2: Move GIF_ALLOC_FAILED check out of gfs2_ea_dealloc (Andreas Gruenbacher) [RHEL-7875]
- gfs2: Move gfs2_dinode_dealloc (Andreas Gruenbacher) [RHEL-7875]
- gfs2: Don't reread inodes unnecessarily (Andreas Gruenbacher) [RHEL-7875]
- gfs2: gfs2_create_inode error handling fix (Andreas Gruenbacher) [RHEL-7875]
- gfs2: No longer use 'extern' in function declarations (Andreas Gruenbacher) [RHEL-7875]
- hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() (CKI Backport Bot) [RHEL-63668] {CVE-2022-49011}
Updated packages
Oracle Linux 8
Oracle Linux aarch64
kernel-tools-libs-devel  4.18.0-553.52.1.el8_10
bpftool  4.18.0-553.52.1.el8_10
kernel-cross-headers  4.18.0-553.52.1.el8_10
kernel-headers  4.18.0-553.52.1.el8_10
kernel-tools  4.18.0-553.52.1.el8_10
kernel-tools-libs  4.18.0-553.52.1.el8_10
perf  4.18.0-553.52.1.el8_10
python3-perf  4.18.0-553.52.1.el8_10
Oracle Linux x86_64
kernel-tools-libs-devel  4.18.0-553.52.1.el8_10
bpftool  4.18.0-553.52.1.el8_10
kernel  4.18.0-553.52.1.el8_10
kernel-abi-stablelists  4.18.0-553.52.1.el8_10
kernel-core  4.18.0-553.52.1.el8_10
kernel-cross-headers  4.18.0-553.52.1.el8_10
kernel-debug  4.18.0-553.52.1.el8_10
kernel-debug-core  4.18.0-553.52.1.el8_10
kernel-debug-devel  4.18.0-553.52.1.el8_10
kernel-debug-modules  4.18.0-553.52.1.el8_10
kernel-debug-modules-extra  4.18.0-553.52.1.el8_10
kernel-devel  4.18.0-553.52.1.el8_10
kernel-doc  4.18.0-553.52.1.el8_10
kernel-headers  4.18.0-553.52.1.el8_10
kernel-modules  4.18.0-553.52.1.el8_10
kernel-modules-extra  4.18.0-553.52.1.el8_10
kernel-tools  4.18.0-553.52.1.el8_10
kernel-tools-libs  4.18.0-553.52.1.el8_10
perf  4.18.0-553.52.1.el8_10
python3-perf  4.18.0-553.52.1.el8_10
Related CVEs
Related vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it after using to avoid refcount leak.
In the Linux kernel, the following vulnerability has been resolved: h ...
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks.