Oracle Linux Security Advisory ELSA-2025-21112 http://linux.oracle.com/errata/ELSA-2025-21112.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: kernel-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-abi-stablelists-5.14.0-611.7.1.el9_7.noarch.rpm kernel-core-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-cross-headers-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-core-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-devel-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-modules-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-debug-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-devel-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-doc-5.14.0-611.7.1.el9_7.noarch.rpm kernel-headers-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-modules-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-tools-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-tools-libs-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm kernel-uki-virt-addons-5.14.0-611.7.1.el9_7.x86_64.rpm libperf-5.14.0-611.7.1.el9_7.x86_64.rpm perf-5.14.0-611.7.1.el9_7.x86_64.rpm python3-perf-5.14.0-611.7.1.el9_7.x86_64.rpm rtla-5.14.0-611.7.1.el9_7.x86_64.rpm rv-5.14.0-611.7.1.el9_7.x86_64.rpm aarch64: kernel-cross-headers-5.14.0-611.7.1.el9_7.aarch64.rpm kernel-headers-5.14.0-611.7.1.el9_7.aarch64.rpm kernel-tools-5.14.0-611.7.1.el9_7.aarch64.rpm kernel-tools-libs-5.14.0-611.7.1.el9_7.aarch64.rpm kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.aarch64.rpm libperf-5.14.0-611.7.1.el9_7.aarch64.rpm perf-5.14.0-611.7.1.el9_7.aarch64.rpm python3-perf-5.14.0-611.7.1.el9_7.aarch64.rpm rtla-5.14.0-611.7.1.el9_7.aarch64.rpm rv-5.14.0-611.7.1.el9_7.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-611.7.1.el9_7.src.rpm Related CVEs: CVE-2022-50087 CVE-2022-50367 CVE-2023-53331 CVE-2023-53373 CVE-2023-53494 CVE-2025-38566 CVE-2025-38571 CVE-2025-39702 CVE-2025-39718 CVE-2025-39817 CVE-2025-39841 CVE-2025-39849 CVE-2025-40300 Description of changes: [5.14.0-611.7.1] - Disable UKI signing [Orabug: 36571828] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5] - Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535] - Add Oracle Linux IMA certificates - Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764] [5.14.0-611.7.1] - The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková) - crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494} - ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874] - ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874] - ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540] - xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730] - ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702} - s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434] - s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434] - vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718} [5.14.0-611.6.1] - pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331} - ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074] - scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841} - efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817} - SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810] - sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571} - smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880] - smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880] - smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880] - smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880] - smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880] - smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880] - fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819} - sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566} - wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849} - crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373} - ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187] - fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367} - firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087} - hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070] - RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070] - net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070] - net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070] - net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070] - net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070] - RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070] - net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070] - net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070] - net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070] - s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451] - s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451] - redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146] - KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146] - x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146] - x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146] - x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146] - x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146] - x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146] - x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146] - ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437] - ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437] - ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437] - redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272] - x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300} - x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300} - x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300} - x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300} - x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300} - x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300} - Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300} - randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272] - tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917] _______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
