From afa473abd97495af130937f6820bf839427da91e Mon Sep 17 00:00:00 2001 From: CKI KWF Bot Date: Mon, 25 May 2026 08:22:55 +0000 Subject: [PATCH] kernel-5.14.0-709.el9 * Mon May 25 2026 CKI KWF Bot [5.14.0-709.el9] - netfilter: ctnetlink: ensure safe access to master conntrack (Florian Westphal) [RHEL-173885] {CVE-2026-43116} - xfs: fix remote xattr valuelblk check (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - xfs: fix the xattr scrub to detect freemap/entries array collisions (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - xfs: strengthen attr leaf block freemap checking (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - xfs: refactor attr3 leaf table size computation (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} - Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync (CKI Backport Bot) [RHEL-172859] {CVE-2026-31772} - Bluetooth: SCO: fix race conditions in sco_sock_connect() (CKI Backport Bot) [RHEL-172600] {CVE-2026-43023} - Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172573] {CVE-2026-43020} Resolves: RHEL-172573, RHEL-172600, RHEL-172859, RHEL-173885, RHEL-174056 Signed-off-by: CKI KWF Bot --- Makefile.rhelver | 2 +- kernel.changelog | 13 +++++++++++++ kernel.spec | 20 ++++++++++++++++---- sources | 6 +++--- 4 files changed, 33 insertions(+), 8 deletions(-) diff --git a/Makefile.rhelver b/Makefile.rhelver index adbc035ad..a52265ad7 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 9 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 708 +RHEL_RELEASE = 709 # # ZSTREAM diff --git a/kernel.changelog b/kernel.changelog index 1b29e7b80..d5fca6bad 100644 --- a/kernel.changelog +++ b/kernel.changelog 
@@ -1,3 +1,16 @@
+* Mon May 25 2026 CKI KWF Bot [5.14.0-709.el9]
+- netfilter: ctnetlink: ensure safe access to master conntrack (Florian Westphal) [RHEL-173885] {CVE-2026-43116}
+- xfs: fix remote xattr valuelblk check (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- xfs: fix the xattr scrub to detect freemap/entries array collisions (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- xfs: strengthen attr leaf block freemap checking (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- xfs: refactor attr3 leaf table size computation (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158}
+- Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync (CKI Backport Bot) [RHEL-172859] {CVE-2026-31772}
+- Bluetooth: SCO: fix race conditions in sco_sock_connect() (CKI Backport Bot) [RHEL-172600] {CVE-2026-43023}
+- Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172573] {CVE-2026-43020}
+Resolves: RHEL-172573, RHEL-172600, RHEL-172859, RHEL-173885, RHEL-174056
+
 * Wed May 20 2026 CKI KWF Bot [5.14.0-708.el9]
 - netfilter: flowtable: strictly check for maximum number of actions (CKI Backport Bot) [RHEL-176922] {CVE-2026-43329}
 - xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174565] {CVE-2026-43284}
diff --git a/kernel.spec b/kernel.spec
index 57031277d..84a8b9bae 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,15 +176,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 708 +%define pkgrelease 709 %define kversion 5 -%define tarfile_release 5.14.0-708.el9 +%define tarfile_release 5.14.0-709.el9 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 708%{?buildid}%{?dist} +%define specrelease 709%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-708.el9 +%define kabiversion 5.14.0-709.el9 # # End of genspec.sh variables 
@@ -3753,6 +3753,18 @@ fi # # %changelog +* Mon May 25 2026 CKI KWF Bot [5.14.0-709.el9] +- netfilter: ctnetlink: ensure safe access to master conntrack (Florian Westphal) [RHEL-173885] {CVE-2026-43116} +- xfs: fix remote xattr valuelblk check (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- xfs: fix the xattr scrub to detect freemap/entries array collisions (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- xfs: strengthen attr leaf block freemap checking (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- xfs: refactor attr3 leaf table size computation (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- xfs: fix freemap adjustments when adding xattrs to leaf blocks (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- xfs: delete attr leaf freemap entries when empty (CKI Backport Bot) [RHEL-174056] {CVE-2026-43158} +- Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync (CKI Backport Bot) [RHEL-172859] {CVE-2026-31772} +- Bluetooth: SCO: fix race conditions in sco_sock_connect() (CKI Backport Bot) [RHEL-172600] {CVE-2026-43023} +- Bluetooth: MGMT: validate LTK enc_size on load (CKI Backport Bot) [RHEL-172573] {CVE-2026-43020} + * Wed May 20 2026 CKI KWF Bot [5.14.0-708.el9] - netfilter: flowtable: strictly check for maximum number of actions (CKI Backport Bot) [RHEL-176922] {CVE-2026-43329} - xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174565] {CVE-2026-43284} diff --git a/sources b/sources index 5da151a00..8cabdbfde 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (linux-5.14.0-708.el9.tar.xz) = f51dc357d98c1e3a79ac200a2fdad8672faf44b757b2b2767dc6d36f6518c8de1faba0ed184320b8297c9ff01eb8c52b22e40bfb5815e56e5774979a9b3d9d18
-SHA512 (kernel-abi-stablelists-5.14.0-708.el9.tar.bz2) = 5ae7c14289e7b089beef856680ba698435b7148f16f13568ec126f822e284aeafeea564d4c4fdeaa4ec1f555c747c2c9e50673a3076a964eecd1d48544bb77f2
-SHA512 (kernel-kabi-dw-5.14.0-708.el9.tar.bz2) = 7fb42d829398fbf890d6792ea13055ce1fb3b067567161812955dcad18cb8a8571f68584b53b8de14eb91a91b9160934762433b8195e82d67b788a5af6d23113
+SHA512 (linux-5.14.0-709.el9.tar.xz) = e28e0933111a1e91f75386baed7ae12a1ba5546378a8b7458d56b67598bad2b4326f10124d55e7bfeee717c0845cfae500d236d53c3886155a5d16eb2237861b
+SHA512 (kernel-abi-stablelists-5.14.0-709.el9.tar.bz2) = 01aeaa638f39325d2d10c531d643bba3376957af59dbcff66690593f665b5597463a8e0474ac358cc66c398bf3ce35ebaae13b73a105871e9d7dddfdd39e6602
+SHA512 (kernel-kabi-dw-5.14.0-709.el9.tar.bz2) = 40f7ce5d685881006a85260eace7c8c306222aad2633404336e6b055de9d715f3d3e6db9cd4db65cf90b2cc3101f3e4fa3749503856d28cf65346bccf98997be