kernel security and bug fix update

2018-03-0700:00:00

linux.oracle.com

167

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

6.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

25.2%

JSON

[3.10.0-693.21.1.OL7]
Oracle Linux certificates (Alexey Petrenko)
Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)([email protected])
Update x509.genkey [bug 24817676]
[3.10.0-693.21.1]
[x86] platform/uv: Mark tsc_check_sync as an init function (Frank Ramsay) [1547870 1526066]
[x86] platform/uv: Add check of TSC state set by UV BIOS (Frank Ramsay) [1547870 1526066]
[x86] tsc: Provide a means to disable TSC ART (Frank Ramsay) [1547870 1526066]
[x86] tsc: Drastically reduce the number of firmware bug warnings (Frank Ramsay) [1547870 1526066]
[x86] tsc: Skip TSC test and error messages if already unstable (Frank Ramsay) [1547870 1526066]
[x86] tsc: Add option that TSC on Socket 0 being non-zero is valid (Frank Ramsay) [1547870 1526066]
[x86] tsc: Remove the TSC_ADJUST clamp (Frank Ramsay) [1547870 1526066]
[3.10.0-693.20.1]
[x86] locking/qspinlock: Fix kabi problem in a non-KVM/XEN VM (Waiman Long) [1539797 1533529]
[3.10.0-693.19.1]
[watchdog] hpwdt: remove indirect call in drivers/watchdog/hpwdt.c (Josh Poimboeuf) [1539649 1535644]
[kernel] x86/spec_ctrl: cleanup __ptrace_may_access (Josh Poimboeuf) [1539649 1535644]
[x86] bugs: Drop one ‘mitigation’ from dmesg (Josh Poimboeuf) [1539649 1535644]
[x86] kvm: vmx: Make indirect call speculation safe (Josh Poimboeuf) [1539649 1535644]
[x86] kvm: x86: Make indirect calls in emulator speculation safe (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline: Optimize inline assembler for vmexit_fill_RSB (Josh Poimboeuf) [1539649 1535644]
[x86] mce: Make machine check speculation protected (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: fix ptrace IBPB optimization (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: Avoid returns in IBRS-disabled regions (Josh Poimboeuf) [1539649 1535644]
[x86] spectre/meltdown: avoid the vulnerability directory to weaken kernel security (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: Document retpolines and ibrs_enabled=3 (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: upgrade GCC retpoline warning to an error (Josh Poimboeuf) [1539649 1535644]
[x86] Use IBRS for firmware update path (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: stuff RSB on context switch with SMEP enabled (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: enforce sane combinations of IBRS and retpoline (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: use upstream RSB stuffing function (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: add ibrs_enabled=3 (ibrs_user) (Josh Poimboeuf) [1539649 1535644]
[kernel] x86/jump_label: warn on failed jump label patch (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: detect unretpolined modules (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline: Add LFENCE to the retpoline/RSB filling RSB macros (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline: Fill return stack buffer on vmexit (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline/xen: Convert Xen hypercall indirect jumps (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline/hyperv: Convert assembler indirect jumps (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline/ftrace: Convert ftrace assembler indirect jumps (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline/entry: Convert entry assembler indirect jumps (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline/crypto: Convert crypto assembler indirect jumps (Josh Poimboeuf) [1539649 1535644]
[x86] retpoline: Add initial retpoline support (Josh Poimboeuf) [1539649 1535644]
[x86] jump_label: add asm support for static keys (Josh Poimboeuf) [1539649 1535644]
[x86] asm: Make asm/alternative.h safe from assembly (Josh Poimboeuf) [1539649 1535644]
[tools] objtool: Support new GCC 6 switch jump table pattern (Josh Poimboeuf) [1539649 1535644]
[tools] objtool: Detect jumps to retpoline thunks (Josh Poimboeuf) [1539649 1535644]
[x86] spectre: Add boot time option to select Spectre v2 mitigation (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: print features changed by microcode loading (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: refactor the init and microcode loading paths (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: move initialization of X86_FEATURE_IBPB_SUPPORT (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: remove SPEC_CTRL_PCP_IBPB bit (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: remove ibrs_enabled variable (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: add ibp_disabled variable (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: add X86_FEATURE_IBP_DISABLE (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: remove IBP disable for AMD model 0x16 (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: remove performance measurements from documentation (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: make ipbp_enabled read-only (Josh Poimboeuf) [1539649 1535644]
[x86] spec_ctrl: remove ibpb_enabled=2 mode (Josh Poimboeuf) [1539649 1535644]
[x86] cpu: Implement CPU vulnerabilites sysfs functions (Josh Poimboeuf) [1539649 1535644]
[base] sysfs/cpu: Add vulnerability folder (Josh Poimboeuf) [1539649 1535644]
[x86] cpu: Merge bugs.c and bugs_64.c (Josh Poimboeuf) [1539649 1535644]
[x86] syscall: int80 must not clobber r12-15 (Josh Poimboeuf) [1539649 1535644]
[x86] syscall: change ia32_syscall() to create the full register frame in ia32_do_call() (Josh Poimboeuf) [1539649 1535644]
[x86] boot: Add early cmdline parsing for options with arguments (Josh Poimboeuf) [1539649 1535644]
[x86] boot: Pass in size to early cmdline parsing (Josh Poimboeuf) [1539649 1535644]
[x86] boot: Simplify early command line parsing (Josh Poimboeuf) [1539649 1535644]
[x86] boot: Fix early command-line parsing when partial word matches (Josh Poimboeuf) [1539649 1535644]
[x86] boot: Fix early command-line parsing when matching at end (Josh Poimboeuf) [1539649 1535644]
[scsi] storvsc: Fix scsi_cmd error assignments in storvsc_handle_error (Cathy Avery) [1536978 1502601]
[fs] nfs: RPC_MAX_AUTH_SIZE is in bytes (‘J. Bruce Fields’) [1533378 1495321]
[fs] nfsd: give out fewer session slots as limit approaches (Dave Wysochanski) [1533377 1492234]
[fs] nfsd: increase DRC cache limit (Dave Wysochanski) [1533377 1492234]
[x86] kvm: x86: fix RSM when PCID is non-zero (Paolo Bonzini) [1531662 1530711]
[x86] iommu/amd: Reduce delay waiting for command buffer space (Suravee Suthikulpanit) [1531456 1508644]
[x86] iommu/amd: Reduce amount of MMIO when submitting commands (Suravee Suthikulpanit) [1531456 1508644]
[x86] amd: Remove cmd_buf_size and evt_buf_size from struct amd_iommu (Suravee Suthikulpanit) [1531456 1508644]
[x86] amd: Fix the left value check of cmd buffer (Suravee Suthikulpanit) [1531456 1508644]
[x86] amd: Don’t put completion-wait semaphore on stack (Suravee Suthikulpanit) [1531456 1508644]
[x86] kvm: svm: obey guest PAT (Suravee Suthikulpanit) [1530976 1478185]
[tty] serial: 8250_pci: Add Amazon PCI serial device ID (Vitaly Kuznetsov) [1530137 1527545]
[ata] libata: sata_down_spd_limit should return if driver has not recorded sstatus speed (David Milburn) [1530136 1457140]
[fs] nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [1530135 1506382]
[fs] nfsv4.0: Fix a lock leak in nfs40_walk_client_list (Scott Mayhew) [1530135 1506382]
[fs] nfs: Create a common nfs4_match_client() function (Scott Mayhew) [1530135 1506382]
[fs] autofs - revert: take more care to not update last_used on path walk (Ian Kent) [1525994 1489542]
[vhost] vhost_net: correctly check tx avail during rx busy polling (Jason Wang) [1523784 1487551]
[crypto] shash - Fix has_key setting (Herbert Xu) [1522932 1505817]
[block] Fix a race between blk_cleanup_queue() and timeout handling (Ming Lei) [1522698 1513725]
[x86] tsc: Force TSC_ADJUST register to value >= zero (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Validate cpumask pointer before accessing it (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Try to adjust TSC if sync test fails (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Prepare warp test for TSC adjustment (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Move sync cleanup to a safe place (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Sync test only for the first cpu in a package (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Verify TSC_ADJUST from idle (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Store and check TSC ADJUST MSR (Prarit Bhargava) [1519850 1497055]
[x86] tsc: Detect random warps (Prarit Bhargava) [1519850 1497055]
[x86] kvm: mmu: always terminate page walks at level 1 (Paolo Bonzini) [1500382 1500381] {CVE-2017-12188}
[x86] kvm: nVMX: update last_nonleaf_level when initializing nested EPT (Denys Vlasenko) [1500382 1500381] {CVE-2017-12188}
[x86] kvm: fix singlestepping over syscall (Paolo Bonzini) [1464480 1464481] {CVE-2017-7518}
[3.10.0-693.18.1]
[md] raid5: fix a race condition in stripe batch (Nigel Croxon) [1535883 1496836]
[security] selinux: fix double free in selinux_parse_opts_str() (Paul Moore) [1532288 1456843]
[fs] nfs: revert ‘nfs: Move the flock open mode check into nfs_flock()’ (Benjamin Coddington) [1531095 1497225]

OSVersionArchitecturePackageVersionFilename
oracle linux7srckernel< 3.10.0-693.21.1.el7kernel-3.10.0-693.21.1.el7.src.rpm
oracle linux7x86_64kernel< 3.10.0-693.21.1.el7kernel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7noarchkernel-abi-whitelists< 3.10.0-693.21.1.el7kernel-abi-whitelists-3.10.0-693.21.1.el7.noarch.rpm
oracle linux7x86_64kernel-debug< 3.10.0-693.21.1.el7kernel-debug-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7x86_64kernel-debug-devel< 3.10.0-693.21.1.el7kernel-debug-devel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7x86_64kernel-devel< 3.10.0-693.21.1.el7kernel-devel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7noarchkernel-doc< 3.10.0-693.21.1.el7kernel-doc-3.10.0-693.21.1.el7.noarch.rpm
oracle linux7x86_64kernel-headers< 3.10.0-693.21.1.el7kernel-headers-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7x86_64kernel-tools< 3.10.0-693.21.1.el7kernel-tools-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux7x86_64kernel-tools-libs< 3.10.0-693.21.1.el7kernel-tools-libs-3.10.0-693.21.1.el7.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
oracle linux	7	src	kernel	< 3.10.0-693.21.1.el7	kernel-3.10.0-693.21.1.el7.src.rpm
oracle linux	7	x86_64	kernel	< 3.10.0-693.21.1.el7	kernel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	noarch	kernel-abi-whitelists	< 3.10.0-693.21.1.el7	kernel-abi-whitelists-3.10.0-693.21.1.el7.noarch.rpm
oracle linux	7	x86_64	kernel-debug	< 3.10.0-693.21.1.el7	kernel-debug-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	x86_64	kernel-debug-devel	< 3.10.0-693.21.1.el7	kernel-debug-devel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	x86_64	kernel-devel	< 3.10.0-693.21.1.el7	kernel-devel-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	noarch	kernel-doc	< 3.10.0-693.21.1.el7	kernel-doc-3.10.0-693.21.1.el7.noarch.rpm
oracle linux	7	x86_64	kernel-headers	< 3.10.0-693.21.1.el7	kernel-headers-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	x86_64	kernel-tools	< 3.10.0-693.21.1.el7	kernel-tools-3.10.0-693.21.1.el7.x86_64.rpm
oracle linux	7	x86_64	kernel-tools-libs	< 3.10.0-693.21.1.el7	kernel-tools-libs-3.10.0-693.21.1.el7.x86_64.rpm