Lucene search

K
oraclelinux
OracleLinuxELSA-2021-9008
HistoryJan 12, 2021 - 12:00 a.m.

Unbreakable Enterprise kernel-container security update

2021-01-1200:00:00
linux.oracle.com
108

8.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

[4.14.35-2025.404.1.1.el7]

  • target: fix XCOPY NAA identifier lookup (David Disseldorp) [Orabug: 32248040]
    {CVE-2020-28374}
    [4.14.35-2025.404.1.el7]
  • xenbus/xenbus_backend: Disallow pending watch messages (SeongJae Park) [Orabug: 32253412] {CVE-2020-29568}
  • xen/xenbus: Count pending messages for each watch (SeongJae Park) [Orabug: 32253412] {CVE-2020-29568}
  • xen/xenbus/xen_bus_type: Support will_handle watch callback (SeongJae Park) [Orabug: 32253412] {CVE-2020-29568}
  • xen/xenbus: Add ‘will_handle’ callback support in xenbus_watch_path() (SeongJae Park) [Orabug: 32253412] {CVE-2020-29568}
  • xen/xenbus: Allow watches discard events before queueing (SeongJae Park) [Orabug: 32253412] {CVE-2020-29568}
  • xen-blkback: set ring->xenblkd to NULL after kthread_stop() (Pawel Wieczorkiewicz) [Orabug: 32260256] {CVE-2020-29569}
    [4.14.35-2025.404.0.el7]
  • vhost scsi: Add support for LUN resets. (Mike Christie) [Orabug: 32201584]
  • vhost/scsi: Use copy_to_iter() to send control queue response (Bijan Mottahedeh) [Orabug: 32201584]
  • vhost scsi: add lun parser helper (Mike Christie) [Orabug: 32201584]
  • scsi: sd: Allow user to configure command retries (Mike Christie) [Orabug: 32201584]
  • scsi: core: Add limitless cmd retry support (Mike Christie) [Orabug: 32201584]
    [4.14.35-2025.403.5.el7]
  • dm crypt: Allow unaligned bio buffer lengths for skcipher devices (Sudhakar Panneerselvam) [Orabug: 32210463]
  • mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() (Andrea Arcangeli) [Orabug: 32212583] {CVE-2020-29368}
  • perf/core: Fix race in the perf_mmap_close() function (Jiri Olsa) [Orabug: 32233358] {CVE-2020-14351}
    [4.14.35-2025.403.4.el7]
  • icmp: randomize the global rate limiter (Eric Dumazet) [Orabug: 32227961] {CVE-2020-25705}
  • ocfs2: initialize ip_next_orphan (Wengang Wang) [Orabug: 32159055]
  • hv_netvsc: make recording RSS hash depend on feature flag (Stephen Hemminger) [Orabug: 32159975]
  • hv_netvsc: record hardware hash in skb (Stephen Hemminger) [Orabug: 32159975]
  • Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts (Peilin Ye) [Orabug: 32176263] {CVE-2020-28915}
  • fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h (Peilin Ye) [Orabug: 32176263] {CVE-2020-28915}
  • block: Fix use-after-free in blkdev_get() (Jason Yan) [Orabug: 32194608] {CVE-2020-15436}
  • serial: 8250: fix null-ptr-deref in serial8250_start_tx() (Yang Yingliang) [Orabug: 32194712] {CVE-2020-15437}
  • staging: rts5208: rename SG_END macro (Arnd Bergmann) [Orabug: 32218496]
  • misc: rtsx: rename SG_END macro (Arnd Bergmann) [Orabug: 32218496]
    [4.14.35-2025.403.3.el7]
  • RDMA/umem: Move to allocate SG table from pages (Maor Gottlieb) [Orabug: 32005117]
  • lib/scatterlist: Add support in dynamic allocation of SG table from pages (Maor Gottlieb) [Orabug: 32005117]
  • lib/scatterlist: Add SG_CHAIN and SG_END macros for LSB encodings (Anshuman Khandual) [Orabug: 32005117]
  • lib/scatterlist: Avoid potential scatterlist entry overflow (Tvrtko Ursulin) [Orabug: 32005117]
  • lib/scatterlist: Fix offset type in sg_alloc_table_from_pages (Tvrtko Ursulin) [Orabug: 32005117]
  • uek-rpm: Don’t build emb2 kernel for mips (Dave Kleikamp) [Orabug: 32176889]
  • vt: Disable KD_FONT_OP_COPY (Daniel Vetter) [Orabug: 32187748] {CVE-2020-28974}
  • page_frag: Recover from memory pressure (Dongli Zhang) [Orabug: 32201999]
  • xen/events: block rogue events for some time (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: defer eoi in case of excessive number of events (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: use a common cpu hotplug hook for event channels (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: switch user event channels to lateeoi model (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/pciback: use lateeoi irq binding (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/pvcallsback: use lateeoi irq binding (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/scsiback: use lateeoi irq binding (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/netback: use lateeoi irq binding (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/blkback: use lateeoi irq binding (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: add a new ‘late EOI’ evtchn framework (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: fix race in evtchn_fifo_unmask() (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: add a proper barrier to 2-level uevent unmasking (Juergen Gross) [Orabug: 32177538] {CVE-2020-27673}
  • xen/events: avoid removing an event channel while handling it (Juergen Gross) [Orabug: 32177548]
    [4.14.35-2025.403.2.el7]
  • tty: make FONTX ioctl use the tty pointer they were actually passed (Linus Torvalds) [Orabug: 32122729] {CVE-2020-25668}
  • vt: keyboard, extend func_buf_lock to readers (Jiri Slaby) [Orabug: 32122952] {CVE-2020-25656}
  • vt: keyboard, simplify vt_kdgkbsent (Jiri Slaby) [Orabug: 32122952] {CVE-2020-25656}
  • perf/core: Fix a memory leak in perf_event_parse_addr_filter() (kiyin()) [Orabug: 32131175] {CVE-2020-25704}
  • perf/core: Fix bad use of igrab() (Song Liu) [Orabug: 32131175] {CVE-2020-25704}
  • IB/mlx4: Adjust delayed work when a dup is observed (Hakon Bugge) [Orabug: 32136898]
  • IB/mlx4: Add support for REJ due to timeout (Hakon Bugge) [Orabug: 32136898]
  • IB/mlx4: Fix starvation in paravirt mux/demux (Hakon Bugge) [Orabug: 32136898]
  • IB/mlx4: Separate tunnel and wire bufs parameters (Hakon Bugge) [Orabug: 32136898]
  • IB/mlx4: Add support for MRA (Hakon Bugge) [Orabug: 32136898]
  • IB/mlx4: Add and improve logging (Hakon Bugge) [Orabug: 32136898]
  • xen/gntdev: fix up blockable calls to mn_invl_range_start (Michal Hocko) [Orabug: 32139244]
    [4.14.35-2025.403.1.el7]
  • lockdown: By default run in integrity mode. (Konrad Rzeszutek Wilk) [Orabug: 32131561]
  • Revert ‘iomap: Fix pipe page leakage during splicing’ (George Kennedy) [Orabug: 32136519]
  • kernel: add panic_on_taint (Rafael Aquini) [Orabug: 32138016]
  • Revert ‘pci: hardcode enumeration’ (Dave Aldridge) [Orabug: 32152249]
  • hv_utils: drain the timesync packets on onchannelcallback (Vineeth Pillai) [Orabug: 32152144]
  • hv_utils: return error if host timesysnc update is stale (Vineeth Pillai) [Orabug: 32152144]
    [4.14.35-2025.403.0.el7]
  • powercap: restrict energy meter to root access (Kanth Ghatraju) [Orabug: 32138487] {CVE-2020-8694} {CVE-2020-8695}
  • Btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Filipe Manana) [Orabug: 31864726]
  • btrfs: fix return value mixup in btrfs_get_extent (Pavel Machek) [Orabug: 31864726]
  • btrfs: inode: Verify inode mode to avoid NULL pointer dereference (Qu Wenruo) [Orabug: 31864726] {CVE-2019-19816}
  • x86/apic: Get rid of multi CPU affinity (Thomas Gleixner) [Orabug: 31975320]
  • hv_netvsc: Set probe mode to sync (Haiyang Zhang) [Orabug: 32132413]
  • net/rds: Check for NULL rds_ibdev in rds_ib_rx() only if rds_ib_srq_enabled (Sharath Srinivasan) [Orabug: 32113843]
  • perf symbols: Check if we read regular file in dso__load() (Jiri Olsa) [Orabug: 30696035]
  • rds: Restore MR use-once semantics (Hakon Bugge) [Orabug: 31990092] [Orabug: 31990095]
  • rds: Fix incorrect cmsg status and use-after-free (Hakon Bugge) [Orabug: 32003078] [Orabug: 32003081]
  • dm cache: remove all obsolete writethrough-specific code (Mike Snitzer) [Orabug: 32010352]
  • dm cache: pass cache structure to mode functions (Mike Snitzer) [Orabug: 32010352]
  • dm rq: don’t call blk_mq_queue_stopped() in dm_stop_queue() (Ming Lei) [Orabug: 32010352]
  • bcache: allocate meta data pages as compound pages (Coly Li) [Orabug: 32010352]
  • md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 (ChangSyun Peng) [Orabug: 32010352]
  • bcache: fix super block seq numbers comparision in register_cache_set() (Coly Li) [Orabug: 32010352]
  • md-cluster: fix wild pointer of unlock_all_bitmaps() (Zhao Heming) [Orabug: 32010352]
  • dm: use noio when sending kobject event (Mikulas Patocka) [Orabug: 32010352]
  • dm zoned: assign max_io_len correctly (Hou Tao) [Orabug: 32010352]
  • md: add feature flag MD_FEATURE_RAID0_LAYOUT (NeilBrown) [Orabug: 32010352]
  • dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone (Hannes Reinecke) [Orabug: 32010352]
  • dm mpath: switch paths in dm_blk_ioctl() code path (Martin Wilck) [Orabug: 32010352]
  • dm crypt: avoid truncating the logical block size (Eric Biggers) [Orabug: 32010352]
  • md: don’t flush workqueue unconditionally in md_open (Guoqing Jiang) [Orabug: 32010352]
  • x86/mce/therm_throt: Undo thermal polling properly on CPU offline (Thomas Gleixner) [Orabug: 32010658]
  • x86/mce/therm_throt: Do not access uninitialized therm_work (Chuansheng Liu) [Orabug: 32010658]
  • x86/mce/therm_throt: Mark throttle_active_work() as __maybe_unused (Arnd Bergmann) [Orabug: 32010658]
  • x86/mce/therm_throt: Mask out read-only and reserved MSR bits (Srinivas Pandruvada) [Orabug: 32010658]
  • x86/mce/therm_throt: Optimize notifications of thermal throttle (Srinivas Pandruvada) [Orabug: 32010658]
  • jiffies: add utility function to calculate delta in ms (Matteo Croce) [Orabug: 32010658]
  • rds: Force ordering of {set,clear}_bit operating on m_flags (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • rds: Do not send canceled operations to the transport layer (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Revert ‘RDS: Drop the connection as part of cancel to avoid hangs’ (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Revert ‘rds: fix warning in rds_send_drop_to()’ (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Revert ‘rds: Use correct conn when dropping connections due to cancel’ (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Revert ‘rds: prevent use-after-free of rds conn in rds_send_drop_to()’ (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Revert ‘rds: Use bitmap to designate dropped connections’ (Hakon Bugge) [Orabug: 31505749] [Orabug: 32014809]
  • Bluetooth: A2MP: Fix not initializing all members (Luiz Augusto von Dentz) [Orabug: 32021288] {CVE-2020-12352}
  • x86/kvm: move kvm_load/put_guest_xcr0 into atomic context (WANG Chao) [Orabug: 32021855]
  • arm64: Corrects warning: ISO C90 forbids mixed declarations and code (John Donnelly) [Orabug: 32040061]
  • hwrng: cavium: Corrects warning: unused variable ‘dev_id’ (John Donnelly) [Orabug: 32040066]
  • Lock down /proc/kcore (redux!) (Konrad Rzeszutek Wilk) [Orabug: 32053127]
  • lockdown: Lock down perf when in confidentiality mode (David Howells) [Orabug: 32053127]
  • Lock down kprobes (redux!) (Konrad Rzeszutek Wilk) [Orabug: 32053127]
  • debugfs: whitelist spectre mitigation when locked down (Eric Snowberg) [Orabug: 32053127]
  • debugfs: Return -EPERM when locked down (Eric Snowberg) [Orabug: 32053127]
  • debugfs: Restrict debugfs when the kernel is locked down (David Howells) [Orabug: 32053127]
  • lockdown: Add __kernel_is_confidentiality_mode to figure out whether … (Konrad Rzeszutek Wilk) [Orabug: 32053127]
  • dtrace: Restrict access when the kernel is locked down in confidentiality mode (Konrad Rzeszutek Wilk) [Orabug: 32053127]
  • bpf: Restrict bpf when kernel lockdown is in confidentiality mode (David Howells) [Orabug: 32053127]
  • security: Add a static lockdown policy LSM [diet-version] (Matthew Garrett) [Orabug: 32053127]
  • net/rds: Check for NULL rid_dev_rem_complete (Ka-Cheong Poon) [Orabug: 32058618]
  • scsi: Corrects warning: passing argument 1 of ‘wwn_to_u64’ mismatch (John Donnelly) [Orabug: 32059622]
  • ipvlan: Corrects warning: label ‘unregister_netdev’ defined but not used (John Donnelly) [Orabug: 32059740]
  • mm, compaction: raise compaction priority after it withdrawns (Vlastimil Babka) [Orabug: 32065218]
  • mm, reclaim: cleanup should_continue_reclaim() (Vlastimil Babka) [Orabug: 32065218]
  • mm, reclaim: make should_continue_reclaim perform dryrun detection (Hillf Danton) [Orabug: 32065218]
  • KVM: Drop ‘const’ attribute from old memslot in commit_memory_region() (Sean Christopherson) [Orabug: 32068898]
  • octeontx2-pf: Return proper RSS indirection table size always (Sunil Goutham) [Orabug: 32095651]
  • octeontx2-af: Free RVU REE irq properly (Smadar Fuks) [Orabug: 32095651]
  • octeontx2-af: Free RVU NIX IRQs properly. (Rakesh Babu) [Orabug: 32095651]
  • octeontx2-af: Fix the BPID mask (Subbaraya Sundeep) [Orabug: 32095651]
  • octeontx2-pf: Fix receive buffer size calculation (Sunil Goutham) [Orabug: 32095651]
  • octeontx2-af: Fix updating wrong multicast list index in NIX_RX_ACTION (Naveen Mamindlapalli) [Orabug: 32095651]
Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

8.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

Related for ELSA-2021-9008