From 8c5b71be611e73a9c8cd0b8e4ab635a8cbe9a95a Mon Sep 17 00:00:00 2001
From: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Date: Wed, 20 May 2026 08:27:39 +0000
Subject: [PATCH] kernel-5.14.0-708.el9

* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-708.el9]
- netfilter: flowtable: strictly check for maximum number of actions (CKI Backport Bot) [RHEL-176922] {CVE-2026-43329}
- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174565] {CVE-2026-43284}
- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171139] {CVE-2026-31684}
- cifs: make default value of retrans as zero (Paulo Alcantara) [RHEL-159632]
Resolves: RHEL-159632, RHEL-171139, RHEL-174565, RHEL-176922

Signed-off-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
---
 Makefile.rhelver |  2 +-
 kernel.changelog |  7 +++++++
 kernel.spec      | 14 ++++++++++----
 sources          |  6 +++---
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/Makefile.rhelver b/Makefile.rhelver
index 8e3132f66..adbc035ad 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 9
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 707
+RHEL_RELEASE = 708
 
 #
 # ZSTREAM
diff --git a/kernel.changelog b/kernel.changelog
index 6d4fac731..1b29e7b80 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,10 @@
+* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-708.el9]
+- netfilter: flowtable: strictly check for maximum number of actions (CKI Backport Bot) [RHEL-176922] {CVE-2026-43329}
+- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174565] {CVE-2026-43284}
+- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171139] {CVE-2026-31684}
+- cifs: make default value of retrans as zero (Paulo Alcantara) [RHEL-159632]
+Resolves: RHEL-159632, RHEL-171139, RHEL-174565, RHEL-176922
+
 * Mon May 18 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-707.el9]
 - ptrace: slightly saner 'get_dumpable()' logic (Ricardo Robaina) [RHEL-176447] {CVE-2026-46333}
 - mm/page_alloc: clear page->private in free_pages_prepare() (Rafael Aquini) [RHEL-174754] {CVE-2026-43303}
diff --git a/kernel.spec b/kernel.spec
index 93a3d1222..57031277d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,15 +176,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 707
+%define pkgrelease 708
 %define kversion 5
-%define tarfile_release 5.14.0-707.el9
+%define tarfile_release 5.14.0-708.el9
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 707%{?buildid}%{?dist}
+%define specrelease 708%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-707.el9
+%define kabiversion 5.14.0-708.el9
 
 #
 # End of genspec.sh variables
@@ -3753,6 +3753,12 @@ fi
 #
 #
 %changelog
+* Wed May 20 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-708.el9]
+- netfilter: flowtable: strictly check for maximum number of actions (CKI Backport Bot) [RHEL-176922] {CVE-2026-43329}
+- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174565] {CVE-2026-43284}
+- net: sched: act_csum: validate nested VLAN headers (CKI Backport Bot) [RHEL-171139] {CVE-2026-31684}
+- cifs: make default value of retrans as zero (Paulo Alcantara) [RHEL-159632]
+
 * Mon May 18 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-707.el9]
 - ptrace: slightly saner 'get_dumpable()' logic (Ricardo Robaina) [RHEL-176447] {CVE-2026-46333}
 - mm/page_alloc: clear page->private in free_pages_prepare() (Rafael Aquini) [RHEL-174754] {CVE-2026-43303}
diff --git a/sources b/sources
index 30d326e32..5da151a00 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14.0-707.el9.tar.xz) = f3bb09ccef3ee99b87b8138eb1f4da43021e3e1dfb4eb99624698ea14ecb1cf41057077b1b2462485b59b8035aa6fa64f8cbf025e3da9096a0b178a880d1e43f
-SHA512 (kernel-abi-stablelists-5.14.0-707.el9.tar.bz2) = ae128c9db95d0cc905014fbced6afcc11d9cc4541d79e135c704cc08fc8c4ff0d071f48a7f10110c46a8cd82ce07836d9287d4872eef89b575420c95518733fa
-SHA512 (kernel-kabi-dw-5.14.0-707.el9.tar.bz2) = 2f9229196bcb36d5acb8c4347b43fe570aa9977531450d6a828d17955c54eeabdfa1fd71319ed3ca8c78e4f8315f49e1ae04d64fde1572ba375b72f22a92bf52
+SHA512 (linux-5.14.0-708.el9.tar.xz) = f51dc357d98c1e3a79ac200a2fdad8672faf44b757b2b2767dc6d36f6518c8de1faba0ed184320b8297c9ff01eb8c52b22e40bfb5815e56e5774979a9b3d9d18
+SHA512 (kernel-abi-stablelists-5.14.0-708.el9.tar.bz2) = 5ae7c14289e7b089beef856680ba698435b7148f16f13568ec126f822e284aeafeea564d4c4fdeaa4ec1f555c747c2c9e50673a3076a964eecd1d48544bb77f2
+SHA512 (kernel-kabi-dw-5.14.0-708.el9.tar.bz2) = 7fb42d829398fbf890d6792ea13055ce1fb3b067567161812955dcad18cb8a8571f68584b53b8de14eb91a91b9160934762433b8195e82d67b788a5af6d23113