ELSA-2026-0445

Published: 12 Jan 2026
Source: oracle-oval
Platform: Oracle Linux 9

Description

ELSA-2026-0445: kernel security update (MODERATE)

[5.14.0-611.20.1]

  • Disable UKI signing [Orabug: 36571828]
  • Update Oracle Linux certificates (Kevin Lyons)
  • Disable signing for aarch64 (Ilya Okomin)
  • Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
  • Update x509.genkey [Orabug: 24817676]
  • Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
  • Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
  • Add Oracle Linux IMA certificates
  • Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-611.20.1]

  • HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806}
  • sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240}
  • selftests/landlock: Add a new test for setuid() (Stepan Horacek) [RHEL-132712]
  • selftests/landlock: Split signal_scoping_threads tests (Stepan Horacek) [RHEL-132712]
  • landlock: Always allow signals between threads of the same process (Stepan Horacek) [RHEL-132712]
  • landlock: Prepare to add second errata (Stepan Horacek) [RHEL-132712]
  • landlock: Add the errata interface (Stepan Horacek) [RHEL-132712]
  • selftests/landlock: Test signal scoping for threads (Stepan Horacek) [RHEL-132712]
  • selftests/landlock: Test signal scoping (Stepan Horacek) [RHEL-132712]
  • landlock: Add signal scoping (Stepan Horacek) [RHEL-132712]

[5.14.0-611.19.1]

  • scsi: st: Skip buffer flush for information ioctls (John Meneghini) [RHEL-133543]
  • scsi: st: Separate st-unique ioctl handling from SCSI common ioctl handling (John Meneghini) [RHEL-133543]
  • audit: fix out-of-bounds read in audit_compare_dname_path() (Richard Guy Briggs) [RHEL-119176] {CVE-2025-39840}

[5.14.0-611.18.1]

  • NFS: remove revoked delegation from server's delegation list (Benjamin Coddington) [RHEL-134237]
  • redhat: use RELEASE_LOCALVERSION also for dist-get-tag (Jan Stancek)
  • redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek)

[5.14.0-611.17.1]

  • smb: client: handle lack of IPC in dfs_cache_refresh() (Paulo Alcantara) [RHEL-126165]
  • smb: client: get rid of d_drop() in cifs_do_rename() (Paulo Alcantara) [RHEL-124917]
  • mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119150] {CVE-2025-39883}

Updated packages

Oracle Linux 9

Oracle Linux aarch64

  • kernel-cross-headers: 5.14.0-611.20.1.el9_7
  • kernel-tools-libs-devel: 5.14.0-611.20.1.el9_7
  • libperf: 5.14.0-611.20.1.el9_7
  • kernel-tools: 5.14.0-611.20.1.el9_7
  • kernel-tools-libs: 5.14.0-611.20.1.el9_7
  • kernel-headers: 5.14.0-611.20.1.el9_7
  • perf: 5.14.0-611.20.1.el9_7
  • python3-perf: 5.14.0-611.20.1.el9_7
  • rtla: 5.14.0-611.20.1.el9_7
  • rv: 5.14.0-611.20.1.el9_7

Oracle Linux x86_64

  • kernel: 5.14.0-611.20.1.el9_7
  • kernel-abi-stablelists: 5.14.0-611.20.1.el9_7
  • kernel-core: 5.14.0-611.20.1.el9_7
  • kernel-debug: 5.14.0-611.20.1.el9_7
  • kernel-debug-core: 5.14.0-611.20.1.el9_7
  • kernel-debug-modules: 5.14.0-611.20.1.el9_7
  • kernel-debug-modules-core: 5.14.0-611.20.1.el9_7
  • kernel-debug-modules-extra: 5.14.0-611.20.1.el9_7
  • kernel-debug-uki-virt: 5.14.0-611.20.1.el9_7
  • kernel-modules: 5.14.0-611.20.1.el9_7
  • kernel-modules-core: 5.14.0-611.20.1.el9_7
  • kernel-modules-extra: 5.14.0-611.20.1.el9_7
  • kernel-tools: 5.14.0-611.20.1.el9_7
  • kernel-tools-libs: 5.14.0-611.20.1.el9_7
  • kernel-uki-virt: 5.14.0-611.20.1.el9_7
  • kernel-uki-virt-addons: 5.14.0-611.20.1.el9_7
  • kernel-debug-devel: 5.14.0-611.20.1.el9_7
  • kernel-debug-devel-matched: 5.14.0-611.20.1.el9_7
  • kernel-devel: 5.14.0-611.20.1.el9_7
  • kernel-devel-matched: 5.14.0-611.20.1.el9_7
  • kernel-doc: 5.14.0-611.20.1.el9_7
  • kernel-headers: 5.14.0-611.20.1.el9_7
  • perf: 5.14.0-611.20.1.el9_7
  • python3-perf: 5.14.0-611.20.1.el9_7
  • rtla: 5.14.0-611.20.1.el9_7
  • rv: 5.14.0-611.20.1.el9_7
  • kernel-cross-headers: 5.14.0-611.20.1.el9_7
  • kernel-tools-libs-devel: 5.14.0-611.20.1.el9_7
  • libperf: 5.14.0-611.20.1.el9_7

Related vulnerabilities

rocky
18 days ago

Moderate: kernel security update

rocky
18 days ago

Important: kernel security update

oracle-oval
24 days ago

ELSA-2026-0453: kernel security update (IMPORTANT)

CVSS3: 7.1
ubuntu
5 months ago

In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.

Below is the KASAN splat after the out of bounds access happens:

  [ 13.671954] ==================================================================
  [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
  [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
  [ 13.673297]
  [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83...

CVSS3: 7
redhat
5 months ago

In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15 however it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.

Below is the KASAN splat after the out of bounds access happens:

  [ 13.671954] ==================================================================
  [ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
  [ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
  [ 13.673297]
  [ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83...