diff --git a/.gitignore b/.gitignore
index cea8fc0ba..04c51c676 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
 SOURCES/centossecurebootca2.cer
 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-SOURCES/linux-4.18.0-553.126.1.el8_10.tar.xz
+SOURCES/linux-4.18.0-553.129.1.el8_10.tar.xz
 SOURCES/redhatsecureboot302.cer
 SOURCES/redhatsecureboot303.cer
 SOURCES/redhatsecureboot501.cer
diff --git a/.kernel.metadata b/.kernel.metadata
index 199e6de48..38385c217 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,8 +1,8 @@
 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
 bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
-49a61800f679818fca986bfc9c514faa2b368ef2 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
-a19619db377884811bec5a2de6ff19c3a78c23c8 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-94908d687351961d0d28c1c3e0116eb95e7348e3 SOURCES/linux-4.18.0-553.126.1.el8_10.tar.xz
+58e959545555dbee3c2480b2a5a82de711c66e82 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
+a9412293ca3fa02952c7aa91ac7089b13d017b6a SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
+4d1d35f4fd8435065c2a9f77aa4be2c002893a82 SOURCES/linux-4.18.0-553.129.1.el8_10.tar.xz
 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
 e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
 ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
diff --git a/SOURCES/1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch b/SOURCES/1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
deleted file mode 100644
index 52ea78644..000000000
--- a/SOURCES/1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001 -From: Asim Viladi Oglu Manizada -Date: Sat, 16 May 2026 21:15:39 +0000 -Subject: smb: client: reject userspace cifs.spnego descriptions - -cifs.spnego key descriptions contain authority-bearing fields such as -pid, uid, creduid, and upcall_target that cifs.upcall treats as -kernel-originating inputs. However, userspace can also create keys of -this type through request_key(2) or add_key(2), allowing those fields to -be supplied without CIFS origin. - -Only accept cifs.spnego descriptions while CIFS is using its private -spnego_cred to request the key. - -Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos") -Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix -Reviewed-by: David Howells -Signed-off-by: Asim Viladi Oglu Manizada -Signed-off-by: Steve French ---- - fs/cifs/cifs_spnego.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c -index 3a41bbada04c76..44c40727568042 100644 ---- a/fs/cifs/cifs_spnego.c -+++ b/fs/cifs/cifs_spnego.c -@@ -8,6 +8,7 @@ - */ - - #include -+#include - #include - #include - #include -@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key) - kfree(key->payload.data[0]); - } - -+static int -+cifs_spnego_key_vet_description(const char *description) -+{ -+ /* -+ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. -+ * They are only valid when produced by CIFS while using the private -+ * spnego_cred installed below. Do not let userspace create this type -+ * of key through request_key(2)/add_key(2), since the helper treats -+ * pid/uid/creduid/upcall_target as kernel-originating fields. 
-+ */ -+ if (current_cred() != spnego_cred) -+ return -EPERM; -+ return 0; -+} - - /* - * keytype for CIFS spnego keys - */ - struct key_type cifs_spnego_key_type = { - .name = "cifs.spnego", -+ .vet_description = cifs_spnego_key_vet_description, - .instantiate = cifs_spnego_key_instantiate, - .destroy = cifs_spnego_key_destroy, - .describe = user_describe, --- -cgit 1.3-korg - diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 9f2ec0578..5970dfa00 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,11 +38,10 @@ # define buildid .local %define specversion 4.18.0 -%define pkgrelease 553.126.2.el8_10 -%define tarfile_release 553.126.1.el8_10 +%define pkgrelease 553.129.1.el8_10 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 553.126.2%{?dist} +%define specrelease 553.129.1%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -436,7 +435,7 @@ BuildRequires: xmlto BuildRequires: asciidoc %endif -Source0: linux-%{specversion}-%{tarfile_release}.tar.xz +Source0: linux-%{specversion}-%{pkgrelease}.tar.xz Source9: x509.genkey @@ -531,8 +530,6 @@ Patch999999: linux-kernel-test.patch # AlmaLinux Patch Patch1000: debrand-single-cpu.patch Patch1002: debrand-rh-i686-cpu.patch -Patch1100: 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch - Patch2001: 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch Patch2002: 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch Patch2003: 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch @@ -1099,9 +1096,9 @@ ApplyOptionalPatch() fi } -%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c -cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem -mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL} +%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c +cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem +mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} 
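Review bot: Removing `tarfile_release` in the `@@ -38,11 +38,10 @@` hunk ties the tarball name back to `pkgrelease`, which is exactly the indirection the 553.126.2 respin needed (the removed defines show a 553.126.2 package built from the 553.126.1 tarball); the next local-only rebuild will have to re-add the macro and re-touch Source0 and `%setup` again. Keeping the knob as `%define tarfile_release %{pkgrelease}` costs one line and lets a future respin change only `pkgrelease`/`specrelease`. If the intent is to stay byte-close to Red Hat's spec, that trade-off is worth one sentence in the commit message so the next respin does not reintroduce the macro ad hoc.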
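Review bot: Dropping `Patch1100` in the `@@ -531,8 +530,6 @@` hunk makes the CVE-2026-46243 mitigation depend entirely on the rebased 553.129.1 tarball carrying Red Hat's version of the fix, and nothing in this hunk verifies that; the only evidence in the diff is the CKI changelog line for RHEL-178938 further down. Before merging, confirm that the unpacked 553.129.1 tree contains the equivalent of the removed patch's `.vet_description` hook in `fs/cifs/cifs_spnego.c`, and that the old local patch no longer applies cleanly (a clean apply would mean the upstream fix is not actually present). Please also record the supersession in the AlmaLinux changelog entry, e.g. `- Drop 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch: superseded by upstream fix for CVE-2026-46243 in 553.129.1`, so a later audit of this CVE does not read the deletion as the mitigation being reverted.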
@@ -1110,7 +1107,6 @@ ApplyOptionalPatch linux-kernel-test.patch # Applying AlmaLinux Patch ApplyPatch debrand-single-cpu.patch ApplyPatch debrand-rh-i686-cpu.patch -ApplyPatch 1100-smb-client-reject-userspace-cifs.spnego-descriptions.patch ApplyPatch 0001-Enable-all-disabled-pci-devices-by-moving-to-unmaint.patch ApplyPatch 0002-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch ApplyPatch 0003-Bring-back-deprecated-pci-ids-to-mptsas-mptspi-drive.patch @@ -2717,11 +2713,7 @@ fi # # %changelog -* Thu May 28 2026 Andrew Lukoshko - 4.18.0-553.126.2 -- smb: client: reject userspace cifs.spnego descriptions (upstream commit - 3da1fdf4efbc) - -* Thu May 28 2026 Andrei Lukoshko - 4.18.0-553.126.1 +* Thu Jun 04 2026 Andrei Lukoshko - 4.18.0-553.129.1 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 
@@ -2732,10 +2724,25 @@ fi - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained -* Thu May 28 2026 Eduard Abdullin - 4.18.0-553.126.1 +* Thu Jun 04 2026 Eduard Abdullin - 4.18.0-553.129.1 - Use AlmaLinux OS secure boot cert - Debrand for AlmaLinux OS +* Tue Jun 02 2026 CKI KWF Bot [4.18.0-553.129.1.el8_10] +- smb: client: reject userspace cifs.spnego descriptions (Paulo Alcantara) [RHEL-178938] {CVE-2026-46243} + +* Fri May 29 2026 CKI KWF Bot [4.18.0-553.128.1.el8_10] +- smb: client: fix OOB reads parsing symlink error response (Paulo Alcantara) [RHEL-171465] {CVE-2026-31613} +- geneve: Suppress list corruption splat in geneve_destroy_tunnels(). (Antoine Tenart) [RHEL-168961] +- geneve: Fix use-after-free in geneve_find_dev(). (Antoine Tenart) [RHEL-168961] {CVE-2025-21858} +- netfilter: nf_tables: release flowtable after rcu grace period on error (Florian Westphal) [RHEL-160514] {CVE-2026-23392} + +* Wed May 27 2026 CKI KWF Bot [4.18.0-553.127.1.el8_10] +- smc: Fix use-after-free in tcp_write_timer_handler(). (Steve Best) [RHEL-167084] {CVE-2023-53781} +- nbd: defer config unlock in nbd_genl_connect (CKI Backport Bot) [RHEL-166939] {CVE-2025-68366} +- libceph: prevent potential out-of-bounds reads in handle_auth_done() (CKI Backport Bot) [RHEL-143892] {CVE-2026-22984} +- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CKI Backport Bot) [RHEL-143874] {CVE-2026-22990} + * Wed May 20 2026 CKI KWF Bot [4.18.0-553.126.1.el8_10] - crypto: af_alg - Work around empty control messages without MSG_MORE (Thomas Huth) [RHEL-175772] - crypto: af_alg - Fix regression on empty requests (Thomas Huth) [RHEL-175772]