diff --git a/SPECS/jna/jna.spec b/SPECS/jna/jna.spec index 846793cbe9..8f389b088a 100644 --- a/SPECS/jna/jna.spec +++ b/SPECS/jna/jna.spec @@ -4,7 +4,7 @@ Summary: Java Native Access Name: jna Version: 4.4.0 -Release: 6%{?dist} +Release: 7%{?dist} License: Apache URL: http://github.com/twall/jna Group: Applications/System @@ -41,9 +41,16 @@ rm -rf %{buildroot} %build export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION} -#disabling all tests + +# Intermittent issue happens: +# +# BUILD FAILED +# /usr/src/photon/BUILD/jna-4.4.0/build.xml:717: API for native code has changed, or javah output is inconsistent. +# Re-run this build after checking /usr/src/photon/BUILD/jna-4.4.0/build/native-linux-x86-64/jni.checksum or updating jni.version and jni.md5 in build.xml +# +# Rerun the build will pass it +ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true || \ ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true -#$ANT_HOME/bin/ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/LibraryLoadTest.java" -Drelease=true %install export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION} @@ -72,6 +79,8 @@ ant -Ddist=$JNA_DIST_DIR dist -Drelease=true %{_prefix}/*.aar %changelog +* Tue Sep 05 2017 Alexey Makhalov 4.4.0-7 +- Rerun the build on failure * Thu Aug 17 2017 Harish Udaiya Kumar 4.4.0-6 - Removed clover.jar from jna-devel source-full.zip file * Mon Jun 19 2017 Divya Thaluru 4.4.0-5 diff --git a/SPECS/linux-api-headers/linux-api-headers.spec b/SPECS/linux-api-headers/linux-api-headers.spec index 9b7eaaf106..04943188bd 100644 --- a/SPECS/linux-api-headers/linux-api-headers.spec +++ b/SPECS/linux-api-headers/linux-api-headers.spec @@ -1,6 +1,6 @@ Summary: Linux API header files Name: linux-api-headers -Version: 4.9.43 +Version: 4.9.47 Release: 1%{?dist} License: GPLv2 URL: http://www.kernel.org/ 
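Review bot: The `ant … -Drelease=true || \` / `ant … -Drelease=true` pair in %build reruns the whole build on any non-zero exit, not only on the jni.checksum mismatch the comment describes, so an ordinary compile failure is paid for twice and the log shows two identical failures with nothing marking the second run as a retry. The comment also leaves the root cause open: ant's "API for native code has changed" check is meant to catch a JNI header that no longer matches the native library, and the retry appears to pass only because the first run regenerated the checksum file rather than because the inconsistency was resolved. At minimum make the retry visible in the log, e.g. `ant … -Drelease=true || { echo 'ant failed once (jni.checksum race, see note above), retrying'; ant … -Drelease=true; }`, and consider inspecting build/native-linux-x86-64/jni.checksum on the first failure before rerunning.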
@@ -8,7 +8,7 @@ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz -%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 +%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d BuildArch: noarch %description The Linux API Headers expose the kernel's API for use by Glibc. @@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de %defattr(-,root,root) %{_includedir}/* %changelog +* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 +- Version update * Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 - Version update * Wed Jun 28 2017 Alexey Makhalov 4.9.34-1 diff --git a/SPECS/linux/linux-esx.spec b/SPECS/linux/linux-esx.spec index 3fa8050c44..3db018b165 100644 --- a/SPECS/linux/linux-esx.spec +++ b/SPECS/linux/linux-esx.spec @@ -1,7 +1,7 @@ %global security_hardening none Summary: Kernel Name: linux-esx -Version: 4.9.43 +Version: 4.9.47 Release: 1%{?dist} License: GPLv2 URL: http://www.kernel.org/ @@ -9,7 +9,7 @@ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz -%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 +%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d Source1: config-esx Source2: initramfs.trigger # common @@ -36,6 +36,8 @@ Patch19: 06-pv-ops-boot_clock.patch Patch20: 07-vmware-only.patch Patch21: vmware-balloon-late-initcall.patch Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch +# Fix CVE-2017-11600 +Patch23: xfrm-policy-check-policy-direction-value.patch BuildRequires: bc BuildRequires: kbd BuildRequires: kmod-devel @@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files %patch20 -p1 %patch21 -p1 %patch22 -p1 +%patch23 -p1 %build # patch vmw_balloon driver 
@@ -189,6 +192,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg /usr/src/linux-headers-%{uname_r} %changelog +* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 +- Fix CVE-2017-11600 * Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 - Version update - [feature] new sysctl option unprivileged_userns_clone diff --git a/SPECS/linux/linux-secure.spec b/SPECS/linux/linux-secure.spec index f13065a9fa..4ecf903cce 100644 --- a/SPECS/linux/linux-secure.spec +++ b/SPECS/linux/linux-secure.spec @@ -1,15 +1,15 @@ %global security_hardening none Summary: Kernel Name: linux-secure -Version: 4.9.43 -Release: 2%{?dist} +Version: 4.9.47 +Release: 1%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz -%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 +%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d Source1: config-secure Source2: aufs4.9.tar.gz %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 @@ -47,6 +47,8 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch Patch28: 0002-allow-also-ecb-cipher_null.patch Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch +# Fix CVE-2017-11600 +Patch30: xfrm-policy-check-policy-direction-value.patch # NSX requirements (should be removed) Patch99: LKCM.patch BuildRequires: bc @@ -142,6 +144,7 @@ EOF %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 pushd .. %patch99 -p0 @@ -257,6 +260,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg /usr/src/linux-headers-%{uname_r} %changelog +* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 +- Fix CVE-2017-11600 * Tue Aug 22 2017 Anish Swaminathan 4.9.43-2 - Add missing xen block drivers * Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 diff --git a/SPECS/linux/linux.spec b/SPECS/linux/linux.spec index e7052beb76..7cb69922fa 100644 
--- a/SPECS/linux/linux.spec +++ b/SPECS/linux/linux.spec @@ -1,15 +1,15 @@ %global security_hardening none Summary: Kernel Name: linux -Version: 4.9.43 -Release: 2%{?dist} +Version: 4.9.47 +Release: 1%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz -%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 +%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d Source1: config Source2: initramfs.trigger %define ena_version 1.1.3 @@ -44,6 +44,8 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch Patch25: 0002-allow-also-ecb-cipher_null.patch Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch +# Fix CVE-2017-11600 +Patch27: xfrm-policy-check-policy-direction-value.patch BuildRequires: bc BuildRequires: kbd @@ -138,6 +140,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 %build make mrproper @@ -297,6 +300,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg /usr/share/doc/* %changelog +* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 +- Fix CVE-2017-11600 * Tue Aug 22 2017 Anish Swaminathan 4.9.43-2 - Add missing xen block drivers * Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 diff --git a/SPECS/linux/xfrm-policy-check-policy-direction-value.patch b/SPECS/linux/xfrm-policy-check-policy-direction-value.patch new file mode 100644 index 0000000000..61187e6f36 --- /dev/null +++ b/SPECS/linux/xfrm-policy-check-policy-direction-value.patch 
@@ -0,0 +1,44 @@ +From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Wed, 2 Aug 2017 19:50:14 +0200 +Subject: xfrm: policy: check policy direction value + +The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used +as an array index. This can lead to an out-of-bound access, kernel lockup and +DoS. Add a check for the 'dir' value. + +This fixes CVE-2017-11600. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Cc: # v2.6.21-rc1 +Reported-by: "bo Zhang" +Signed-off-by: Vladis Dronov +Signed-off-by: Steffen Klassert +--- + net/xfrm/xfrm_policy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index ff61d85..6f5a0dad 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, + struct xfrm_state *x_new[XFRM_MAX_DEPTH]; + struct xfrm_migrate *mp; + ++ /* Stage 0 - sanity checks */ + if ((err = xfrm_migrate_check(m, num_migrate)) < 0) + goto out; + ++ if (dir >= XFRM_POLICY_MAX) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /* Stage 1 - find policy */ + if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { + err = -ENOENT; +-- +cgit v1.1 + diff --git a/tools/update_linux.sh b/tools/update_linux.sh new file mode 100755 index 0000000000..6e63e524f1 --- /dev/null +++ b/tools/update_linux.sh 
@@ -0,0 +1,18 @@
+#! /bin/sh
+
+specs="linux-api-headers/linux-api-headers.spec linux/linux.spec linux/linux-esx.spec linux/linux-secure.spec"
+
+tarball_url=`curl -s https://www.kernel.org | grep -Eo 'https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.[0-9]*.tar.xz'`
+tarball=$(basename $tarball_url)
+version=`echo $tarball | sed 's/linux-//; s/.tar.xz//'`
+echo latest linux version: $version
+test -f stage/SOURCES/$tarball && echo up to date && exit 0
+$(cd stage/SOURCES && wget $tarball_url)
+sha1=`sha1sum stage/SOURCES/$tarball | awk '{print $1}'`
+changelog_entry=$(echo "`date +"%a %b %d %Y"` `git config user.name` <`git config user.email`> $version-1")
+for spec in $specs; do
+ sed -i '/^Version:/ s/4.9.[0-9]*/'$version'/' SPECS/$spec
+ sed -i '/^Release:/ s/[0-9]*%/1%/' SPECS/$spec
+ sed -i '/^%define sha1 linux/ s/=[0-9a-f]*$/='$sha1'/' SPECS/$spec
+ sed -i '/^%changelog/a* '"$changelog_entry"'\n- Version update' SPECS/$spec
+done