ELSA-2026-13565

Published: 05 May 2026
Source: oracle-oval
Platform: Oracle Linux 9

Description

ELSA-2026-13565: kernel security update (IMPORTANT)

[5.14.0-611.54.1]

  • Disable UKI signing [Orabug: 36571828]
  • Update Oracle Linux certificates (Kevin Lyons)
  • Disable signing for aarch64 (Ilya Okomin)
  • Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
  • Update x509.genkey [Orabug: 24817676]
  • Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
  • Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
  • Add Oracle Linux IMA certificates
  • Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-611.54.1]

  • crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201]
  • crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201]
  • crypto: authencesn - reject short ahash digests during instance creation (Vladislav Dronov) [RHEL-172201]
  • crypto: authencesn - Fix src offset when decrypting in-place (Vladislav Dronov) [RHEL-172201]
  • crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Vladislav Dronov) [RHEL-172201] {CVE-2026-31431}
  • crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (Vladislav Dronov) [RHEL-172201] {CVE-2026-23060}
  • crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Vladislav Dronov) [RHEL-172201]
  • crypto: af_alg - limit RX SG extraction by receive buffer budget (Vladislav Dronov) [RHEL-172201] {CVE-2026-31677}
  • crypto: algif_aead - Revert to operating out-of-place (Vladislav Dronov) [RHEL-172201] {CVE-2026-31431}
  • crypto: af-alg - fix NULL pointer dereference in scatterwalk (Vladislav Dronov) [RHEL-172201]

[5.14.0-611.53.1]

  • tracing: Fix a warning when allocating buffered events fails (CKI KWF BOT) [RHEL-169366]
  • tracing: Fix a possible race when disabling buffered events (CKI KWF BOT) [RHEL-169366]
  • tracing: Fix incomplete locking when disabling buffered events (CKI KWF BOT) [RHEL-169366]
  • thunderbolt: Fix wake on connect at runtime (Desnes Nunes) [RHEL-104807]
  • thunderbolt: Fix a logic error in wake on connect (Desnes Nunes) [RHEL-104807]
  • thunderbolt: Use wake on connect and disconnect over suspend (Desnes Nunes) [RHEL-104807]
  • i2c: i801: Revert 'i2c: i801: replace acpi_lock with I2C bus lock' (David Arcari) [RHEL-155311]
  • net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (CKI Backport Bot) [RHEL-157327] {CVE-2026-23270}

[5.14.0-611.52.1]

  • libceph: reset sparse-read state in osd_fault() (CKI Backport Bot) [RHEL-150464] {CVE-2026-23136}

[5.14.0-611.51.1]

  • nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Scott Mayhew) [RHEL-167016] {CVE-2026-31402}
  • i40e: support generic devlink param 'max_mac_per_vf' (Mohammad Heib) [RHEL-121643]
  • devlink: Add new 'max_mac_per_vf' generic device param (Mohammad Heib) [RHEL-121643]
  • i40e: improve VF MAC filters accounting (Mohammad Heib) [RHEL-121643]

[5.14.0-611.50.1]

  • smb: client: fix krb5 mount with username option (Paulo Alcantara) [RHEL-158987]
  • md/raid1: fix data lost for writemostly rdev (Nigel Croxon) [RHEL-143624]

Updated packages

Oracle Linux 9

Oracle Linux aarch64

  • kernel-cross-headers 5.14.0-611.54.1.el9_7
  • kernel-tools-libs-devel 5.14.0-611.54.1.el9_7
  • libperf 5.14.0-611.54.1.el9_7
  • kernel-tools 5.14.0-611.54.1.el9_7
  • kernel-tools-libs 5.14.0-611.54.1.el9_7
  • kernel-headers 5.14.0-611.54.1.el9_7
  • perf 5.14.0-611.54.1.el9_7
  • python3-perf 5.14.0-611.54.1.el9_7
  • rtla 5.14.0-611.54.1.el9_7
  • rv 5.14.0-611.54.1.el9_7

Oracle Linux x86_64

  • kernel 5.14.0-611.54.1.el9_7
  • kernel-abi-stablelists 5.14.0-611.54.1.el9_7
  • kernel-core 5.14.0-611.54.1.el9_7
  • kernel-debug 5.14.0-611.54.1.el9_7
  • kernel-debug-core 5.14.0-611.54.1.el9_7
  • kernel-debug-modules 5.14.0-611.54.1.el9_7
  • kernel-debug-modules-core 5.14.0-611.54.1.el9_7
  • kernel-debug-modules-extra 5.14.0-611.54.1.el9_7
  • kernel-debug-uki-virt 5.14.0-611.54.1.el9_7
  • kernel-modules 5.14.0-611.54.1.el9_7
  • kernel-modules-core 5.14.0-611.54.1.el9_7
  • kernel-modules-extra 5.14.0-611.54.1.el9_7
  • kernel-tools 5.14.0-611.54.1.el9_7
  • kernel-tools-libs 5.14.0-611.54.1.el9_7
  • kernel-uki-virt 5.14.0-611.54.1.el9_7
  • kernel-uki-virt-addons 5.14.0-611.54.1.el9_7
  • kernel-debug-devel 5.14.0-611.54.1.el9_7
  • kernel-debug-devel-matched 5.14.0-611.54.1.el9_7
  • kernel-devel 5.14.0-611.54.1.el9_7
  • kernel-devel-matched 5.14.0-611.54.1.el9_7
  • kernel-doc 5.14.0-611.54.1.el9_7
  • kernel-headers 5.14.0-611.54.1.el9_7
  • perf 5.14.0-611.54.1.el9_7
  • python3-perf 5.14.0-611.54.1.el9_7
  • rtla 5.14.0-611.54.1.el9_7
  • rv 5.14.0-611.54.1.el9_7
  • kernel-cross-headers 5.14.0-611.54.1.el9_7
  • kernel-tools-libs-devel 5.14.0-611.54.1.el9_7
  • libperf 5.14.0-611.54.1.el9_7

Related vulnerabilities

rocky
about 2 months ago

Important: kernel security update

oracle-oval
about 2 months ago

ELSA-2026-13566: kernel security update (IMPORTANT)

rocky
24 days ago

Important: kernel security update

rocky
about 2 months ago

Important: kernel security update

CVSS3: 7.5
ubuntu
4 months ago

In the Linux kernel, the following vulnerability has been resolved:

libceph: reset sparse-read state in osd_fault()

When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state.

If a connection is lost mid-payload or the sparse-read state machine returns an error, the sparse-read state is not reset. The OSD client will then interpret the beginning of a new reply as the continuation of the old one. If this makes the sparse-read machinery enter a failure state, it may never recover, producing loops like:

    libceph: [0] got 0 extents
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read
    libceph: data len 142248331 != extent len 0
    libceph: osd0 (1)...:6801 socket error on read

Therefore, reset the sparse-read state in osd_fault(), ensuring retries start from a clean state.