Oracle Linux Security Advisory ELSA-2024-12270

https://linux.oracle.com/errata/ELSA-2024-12270.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-4.14.35-2047.535.2.1.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-2047.535.2.1.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-2047.535.2.1.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-2047.535.2.1.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-2047.535.2.1.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-2047.535.2.1.el7uek.noarch.rpm


SRPMS:
https://oss.oracle.com:443/ol7/SRPMS-updates//kernel-uek-4.14.35-2047.535.2.1.el7uek.src.rpm

Related CVEs:

CVE-2023-6040
CVE-2024-1086




Description of changes:

[4.14.35-2047.535.2.1.el7uek]
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters (Florian Westphal)  [Orabug: 36467681]  {CVE-2024-1086}

[4.14.35-2047.535.2.el7uek]
- Fix null ptr in rds_tcp_recv_path (Allison Henderson)  [Orabug: 33499812]
- LTS version: v4.14.338 (Saeed Mirzamohammadi) 
- crypto: scompress - initialize per-CPU variables on each CPU (Sebastian Andrzej Siewior) 
- Revert "NFSD: Fix possible sleep during nfsd4_release_lockowner()" (Greg Kroah-Hartman) 
- i2c: s3c24xx: fix transferring more than one message in polling mode (Marek Szyprowski) 
- i2c: s3c24xx: fix read transfers in polling mode (Marek Szyprowski) 
- kdb: Fix a potential buffer overflow in kdb_local() (Christophe JAILLET) 
- kdb: Censor attempts to set PROMPT without ENABLE_MEM_READ (Daniel Thompson) 
- ipvs: avoid stat macros calls from preemptible context (Fedor Pchelkin) 
- net: ravb: Fix dma_addr_t truncation in error case (Nikita Yushchenko) 
- serial: imx: Correct clock error message in function probe() (Christoph Niedermaier) 
- apparmor: avoid crash when parsed profile name is empty (Fedor Pchelkin) 
- MIPS: Alchemy: Fix an out-of-bound access in db1550_dev_setup() (Christophe JAILLET) 
- MIPS: Alchemy: Fix an out-of-bound access in db1200_dev_setup() (Christophe JAILLET) 
- HID: wacom: Correct behavior when processing some confidence == false touches (Jason Gerecke) 
- wifi: mwifiex: configure BSSID consistently when starting AP (David Lin) 
- wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW accessors (Ilpo Järvinen) 
- wifi: rtlwifi: Remove bogus and dangerous ASPM disable/enable code (Ilpo Järvinen) 
- fbdev: flush deferred work in fb_deferred_io_fsync() (Nam Cao) 
- ALSA: oxygen: Fix right channel of capture volume mixer (Takashi Iwai) 
- usb: mon: Fix atomicity violation in mon_bin_vma_fault (Gui-Dong Han) 
- usb: chipidea: wait controller resume finished for wakeup irq (Xu Yang) 
- usb: dwc: ep0: Update request status in dwc3_ep0_stall_restart (Uttkarsh Aggarwal) 
- usb: phy: mxs: remove CONFIG_USB_OTG condition for mxs_phy_is_otg_host() (Xu Yang) 
- tick-sched: Fix idle and iowait sleeptime accounting vs CPU hotplug (Heiko Carstens) 
- binder: fix unused alloc->free_async_space (Carlos Llamas) 
- binder: fix race between mmput() and do_exit() (Carlos Llamas) 
- Input: atkbd - use ab83 as id when skipping the getid command (Hans de Goede) 
- binder: fix async space check for 0-sized buffers (Carlos Llamas) 
- watchdog: bcm2835_wdt: Fix WDIOC_SETTIMEOUT handling (Stefan Wahren) 
- watchdog: set cdev owner before adding (Curtis Klein) 
- gpu/drm/radeon: fix two memleaks in radeon_vm_init (Zhipeng Lu) 
- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (Zhipeng Lu) 
- drm/amd/pm: fix a double-free in si_dpm_init (Zhipeng Lu) 
- media: dvbdev: drop refcount on error path in dvb_device_open() (Dan Carpenter) 
- media: cx231xx: fix a memleak in cx231xx_init_isoc (Zhipeng Lu) 
- drm/radeon/trinity_dpm: fix a memleak in trinity_parse_power_table (Zhipeng Lu) 
- drm/radeon/dpm: fix a memleak in sumo_parse_power_table (Zhipeng Lu) 
- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (Yang Yingliang) 
- drm/drv: propagate errors from drm_modeset_register_all() (Dmitry Baryshkov) 
- drm/msm/mdp4: flush vblank event on disable (Dmitry Baryshkov) 
- ASoC: cs35l34: Fix GPIO name and drop legacy include (Linus Walleij) 
- ASoC: cs35l33: Fix GPIO name and drop legacy include (Linus Walleij) 
- drm/radeon: check return value of radeon_ring_lock() (Nikita Zhandarovich) 
- drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check() (Nikita Zhandarovich) 
- drm/radeon/r600_cs: Fix possible int overflows in r600_cs_check_reg() (Nikita Zhandarovich) 
- f2fs: fix to avoid dirent corruption (Chao Yu) 
- drm/bridge: Fix typo in post_disable() description (Dario Binacchi) 
- media: pvrusb2: fix use after free on context disconnection (Ricardo B. Marliere) 
- RDMA/usnic: Silence uninitialized symbol smatch warnings (Leon Romanovsky) 
- ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (Eric Dumazet) 
- Bluetooth: Fix bogus check for re-auth no supported with non-ssp (Luiz Augusto von Dentz) 
- wifi: rtlwifi: rtl8192se: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8192ee: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8192de: using calculate_bit_shift() (Su Hui) 
- rtlwifi: rtl8192de: make arrays static const, makes object smaller (Colin Ian King) 
- wifi: rtlwifi: rtl8192ce: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8192cu: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8192c: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8188ee: phy: using calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: add calculate_bit_shift() (Su Hui) 
- wifi: rtlwifi: rtl8821ae: phy: fix an undefined bitwise shift behavior (Su Hui) 
- rtlwifi: Use ffs in _phy_calculate_bit_shift (Joe Perches) 
- firmware: ti_sci: Fix an off-by-one in ti_sci_debugfs_create() (Christophe JAILLET) 
- net/ncsi: Fix netlink major/minor version numbers (Peter Delevoryas) 
- ncsi: internal.h: Fix a spello (Bhaskar Chowdhury) 
- wifi: libertas: stop selecting wext (Arnd Bergmann) 
- bpf, lpm: Fix check prefixlen before walking trie (Florian Lehner) 
- NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT (Trond Myklebust) 
- crypto: scomp - fix req->dst buffer overflow (Chengming Zhou) 
- crypto: scompress - Use per-CPU struct instead multiple variables (Sebastian Andrzej Siewior) 
- crypto: scompress - return proper error code for allocation failure (Sebastian Andrzej Siewior) 
- crypto: sahara - do not resize req->src when doing hash operations (Ovidiu Panait) 
- crypto: sahara - fix processing hash requests with req->nbytes < sg->length (Ovidiu Panait) 
- crypto: sahara - improve error handling in sahara_sha_process() (Ovidiu Panait) 
- crypto: sahara - fix wait_for_completion_timeout() error handling (Ovidiu Panait) 
- crypto: sahara - fix ahash reqsize (Ovidiu Panait) 
- crypto: virtio - Wait for tasklet to complete on device remove (wangyangxin) 
- pstore: ram_core: fix possible overflow in persistent_ram_init_ecc() (Sergey Shtylyov) 
- crypto: sahara - fix error handling in sahara_hw_descriptor_create() (Ovidiu Panait) 
- crypto: sahara - fix processing requests with cryptlen < sg->length (Ovidiu Panait) 
- crypto: sahara - fix ahash selftest failure (Ovidiu Panait) 
- crypto: sahara - remove FLAGS_NEW_KEY logic (Ovidiu Panait) 
- crypto: af_alg - Disallow multiple in-flight AIO requests (Herbert Xu) 
- crypto: ccp - fix memleak in ccp_init_dm_workarea (Dinghao Liu) 
- crypto: virtio - Handle dataq logic with tasklet (Gonglei (Arei)) 
- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier (ZhaoLong Wang) 
- calipso: fix memory leak in netlbl_calipso_add_pass() (Gavrilov Ilia) 
- netlabel: remove unused parameter in netlbl_netlink_auditinfo() (Zheng Yejian) 
- net: netlabel: Fix kerneldoc warnings (Andrew Lunn) 
- ACPI: video: check for error while searching for backlight device parent (Nikita Kiryushin) 
- mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response (Ronald Monthero) 
- powerpc/imc-pmu: Add a null pointer check in update_events_in_group() (Kunwu Chan) 
- powerpc/powernv: Add a null pointer check in opal_event_init() (Kunwu Chan) 
- selftests/powerpc: Fix error handling in FPU/VMX preemption tests (Michael Ellerman) 
- powerpc/pseries/memhp: Fix access beyond end of drmem array (Nathan Lynch) 
- powerpc/pseries/memhotplug: Quieten some DLPAR operations (Laurent Dufour) 
- powerpc/44x: select I2C for CURRITUCK (Randy Dunlap) 
- powerpc: remove redundant 'default n' from Kconfig-s (Bartlomiej Zolnierkiewicz) 
- powerpc: add crtsavres.o to always-y instead of extra-y (Masahiro Yamada) 
- EDAC/thunderx: Fix possible out-of-bounds string access (Arnd Bergmann) 
- x86/lib: Fix overflow when counting digits (Colin Ian King) 
- coresight: etm4x: Fix width of CCITMIN field (James Clark) 
- uio: Fix use-after-free in uio_open (Guanghui Feng) 
- binder: fix comment on binder_alloc_new_buf() return value (Carlos Llamas) 
- drm/crtc: fix uninitialized variable use (Jani Nikula) 
- Input: xpad - add Razer Wolverine V2 support (Luca Weiss) 
- ARC: fix spare error (Vineet Gupta) 
- s390/scm: fix virtual vs physical address confusion (Vineeth Vijayan) 
- Input: atkbd - skip ATKBD_CMD_GETID in translated mode (Hans de Goede) 
- reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning (Krzysztof Kozlowski) 
- ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI (Steven Rostedt (Google)) 
- tracing: Add size check when printing trace_marker output (Steven Rostedt (Google)) 
- tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing (Steven Rostedt (Google)) 
- drm/crtc: Fix uninit-value bug in drm_mode_setcrtc (Ziqi Zhao) 
- jbd2: correct the printing of write_flags in jbd2_write_superblock() (Zhang Yi) 
- clk: rockchip: rk3128: Fix HCLK_OTG gate register (Weihao Li) 
- drm/exynos: fix a potential error pointer dereference (Xiang Yang) 
- ASoC: da7219: Support low DC impedance headset (David Rau) 
- net/tg3: fix race condition in tg3_reset_task() (Thinh Tran) 
- ASoC: rt5650: add mutex to avoid the jack detection failure (Shuming Fan) 
- ASoC: cs43130: Fix incorrect frame delay configuration (Maciej Strozek) 
- ASoC: cs43130: Fix the position of const qualifier (Maciej Strozek) 
- f2fs: explicitly null-terminate the xattr list (Eric Biggers) 
- LTS version: v4.14.337 (Saeed Mirzamohammadi) 
- ipv6: remove max_size check inline with ipv4 (Saeed Mirzamohammadi) 
- ipv6: make ip6_rt_gc_expire an atomic_t (Saeed Mirzamohammadi) 
- net/dst: use a smaller percpu_counter batch for dst entries accounting (Eric Dumazet) 
- net: add a route cache full diagnostic message (Peter Oskolkov) 
- netfilter: nf_tables: Reject tables of unsupported family (Phil Sutter) [Orabug: 36192153] {CVE-2023-6040}
- fuse: nlookup missing decrement in fuse_direntplus_link (ruanmeisi) 
- mm: fix unmap_mapping_range high bits shift bug (Jiajun Xie) 
- mm/memory-failure: check the mapcount of the precise page (Matthew Wilcox (Oracle)) 
- bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() (Michael Chan) 
- asix: Add check for usbnet_get_endpoints (Chen Ni) 
- net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues (Dinghao Liu) 
- net/qla3xxx: switch from 'pci_' to 'dma_' API (Christophe JAILLET)

[4.14.35-2047.535.1.el7uek]
- mm: avoid conflict between MADV_DOEXEC and upstream advice values (Anthony Yznaga)  [Orabug: 36334310]
- net/rds: print PPID/COMM of process doing user reset on RDS connection (Juan Garcia)  [Orabug: 36248431]


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata