diff --git a/.gitignore b/.gitignore
index ff4b4ce14..52962853a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.13.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.13.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.13.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.16.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.16.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.16.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
 SOURCES/olima1.x509
 SOURCES/olimaca1.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index 2df13c9e5..88a9b2c78 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,6 +1,6 @@
-9e5df45479953a528f57f8717146c63bad358c2b SOURCES/kernel-abi-stablelists-5.14.0-611.13.1.el9_7.tar.bz2
-163e356b80c3c0b6c84ab86402ba385f20a43666 SOURCES/kernel-kabi-dw-5.14.0-611.13.1.el9_7.tar.bz2
-843af90a8e2fd626e5e36085af377c77b11dec6a SOURCES/linux-5.14.0-611.13.1.el9_7.tar.xz
+31e7f4937937748cabdb75462568d316ce8865af SOURCES/kernel-abi-stablelists-5.14.0-611.16.1.el9_7.tar.bz2
+3c2b435e3a907e78a8bd4ed79c8e00db196365b3 SOURCES/kernel-kabi-dw-5.14.0-611.16.1.el9_7.tar.bz2
+33089a9379d98a1f2d067344a45048ea32cb4939 SOURCES/linux-5.14.0-611.16.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver
index bf8f71912..b6d4683a5 100644
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.13.1
+RHEL_RELEASE = 611.16.1
 #
 # ZSTREAM
diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog
index e2d3d267e..c54e67add 100644
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@@ -1,3 +1,30 @@
+* Sun Dec 07 2025 CKI KWF Bot [5.14.0-611.16.1.el9_7]
+- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
+- tls: wait for pending async decryptions if tls_strp_msg_hold fails (CKI Backport Bot) [RHEL-128860] {CVE-2025-40176}
+Resolves: RHEL-128860, RHEL-129261
+
+* Thu Dec 04 2025 CKI KWF Bot [5.14.0-611.15.1.el9_7]
+- nbd: override creds to kernel when calling sock_{send,recv}msg() (Ming Lei) [RHEL-123845]
+- scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-127982]
+- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-127982]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-70006]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-70006]
+Resolves: RHEL-123845, RHEL-127982, RHEL-70006
+
+* Tue Dec 02 2025 CKI KWF Bot [5.14.0-611.14.1.el9_7]
+- iommufd: Fix race during abort for file descriptors (Eder Zulian) [RHEL-123786] {CVE-2025-39966}
+Resolves: RHEL-123786
+
 * Sat Nov 29 2025 CKI KWF Bot [5.14.0-611.13.1.el9_7]
 - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124105] {CVE-2025-39925}
 - can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124105] {CVE-2025-39925}
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 5dc07a8b0..2b1ccd55b 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.13.1
+%define pkgrelease 611.16.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.13.1.el9_7
+%define tarfile_release 5.14.0-611.16.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.13.1%{?buildid}%{?dist}
+%define specrelease 611.16.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.13.1.el9_7
+%define kabiversion 5.14.0-611.16.1.el9_7
 #
 # End of genspec.sh variables
@@ -3768,7 +3768,7 @@ fi
 #
 #
 %changelog
-* Thu Dec 11 2025 Andrew Lukoshko - 5.14.0-611.13.1
+* Mon Dec 22 2025 Andrew Lukoshko - 5.14.0-611.16.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -3779,11 +3779,35 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained
-* Thu Dec 11 2025 Eduard Abdullin - 5.14.0-611.13.1
+* Mon Dec 22 2025 Eduard Abdullin - 5.14.0-611.16.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
 - Add KVM support for ppc64le
+* Sun Dec 07 2025 CKI KWF Bot [5.14.0-611.16.1.el9_7]
+- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
+- tls: wait for pending async decryptions if tls_strp_msg_hold fails (CKI Backport Bot) [RHEL-128860] {CVE-2025-40176}
+
+* Thu Dec 04 2025 CKI KWF Bot [5.14.0-611.15.1.el9_7]
+- nbd: override creds to kernel when calling sock_{send,recv}msg() (Ming Lei) [RHEL-123845]
+- scsi: lpfc: avoid crashing in lpfc_nlp_get() if lpfc_nodelist was freed (Ewan D. Milne) [RHEL-127982]
+- scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (Ewan D. Milne) [RHEL-127982]
+- crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix SNP panic notifier unregistration (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix dereferencing uninitialized error pointer (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Fix __sev_snp_shutdown_locked (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Move SEV/SNP Platform initialization to KVM (Lenny Szubowicz) [RHEL-70006]
+- KVM: SVM: Add support to initialize SEV/SNP functionality in KVM (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Add new SEV/SNP platform shutdown API (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Register SNP panic notifier only if SNP is enabled (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Reset TMR size at SNP Shutdown (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Ensure implicit SEV/SNP init and shutdown in ioctls (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown (Lenny Szubowicz) [RHEL-70006]
+- crypto: ccp - Abort doing SEV INIT if SNP INIT fails (Lenny Szubowicz) [RHEL-70006]
+
+* Tue Dec 02 2025 CKI KWF Bot [5.14.0-611.14.1.el9_7]
+- iommufd: Fix race during abort for file descriptors (Eder Zulian) [RHEL-123786] {CVE-2025-39966}
+
 * Sat Nov 29 2025 CKI KWF Bot [5.14.0-611.13.1.el9_7]
 - can: j1939: add missing calls in NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124105] {CVE-2025-39925}
 - can: j1939: implement NETDEV_UNREGISTER notification handler (CKI Backport Bot) [RHEL-124105] {CVE-2025-39925}