From c99559a3cd2d3df4876c2786a1fa89c7078af930 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 31 Jan 2017 15:01:34 -0600 Subject: [PATCH] Disable debugging options and fix CVE-2017-2596 --- kernel.spec | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 0e14e5517..5a01c4f3c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -42,7 +42,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -125,7 +125,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -596,6 +596,9 @@ Patch852: selinux-allow-context-mounts-on-tmpfs-etc.patch # See http://lists.infradead.org/pipermail/linux-arm-kernel/2016-October/461597.html Patch853: 0001-Work-around-for-gcc7-and-arm64.patch +# CVE-2017-2596 rhbz 1417812 1417813 +Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch + # END OF PATCH DEFINITIONS %endif @@ -2166,6 +2169,10 @@ fi # # %changelog +* Tue Jan 31 2017 Justin M. Forbes - 4.10.0-0.rc6.git0.2 +- Reenable debugging options. +- Fix kvm nested virt CVE-2017-2596 rhbz (1417812 1417813) + * Mon Jan 30 2017 Justin M. Forbes - 4.10.0-0.rc6.git0.1 - Linux v4.10-rc6 - Disable debugging options.