[ubuntu/focal-security] linux-kvm 5.4.0-1058.61 (Accepted)

Andy Whitcroft apw at canonical.com
Tue Mar 8 21:35:48 UTC 2022


linux-kvm (5.4.0-1058.61) focal; urgency=medium

  * Disable unprivileged BPF by default (LP: #1961338)
    - [Config] azure: Enable CONFIG_BPF_UNPRIV_DEFAULT_OFF

  [ Ubuntu: 5.4.0-103.117 ]

  * CVE-2022-23960
    - arm64: Add part number for Arm Cortex-A77
    - arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
    - arm64: Add Cortex-X2 CPU part definition
    - arm64: add ID_AA64ISAR2_EL1 sys register
    - SAUCE: arm64: entry.S: Add ventry overflow sanity checks
    - SAUCE: arm64: entry: Make the trampoline cleanup optional
    - SAUCE: arm64: entry: Free up another register on kpti's tramp_exit path
    - SAUCE: arm64: entry: Move the trampoline data page before the text page
    - SAUCE: arm64: entry: Allow tramp_alias to access symbols after the 4K
      boundary
    - SAUCE: arm64: entry: Don't assume tramp_vectors is the start of the vectors
    - SAUCE: arm64: entry: Move trampoline macros out of ifdef'd section
    - SAUCE: arm64: entry: Make the kpti trampoline's kpti sequence optional
    - SAUCE: arm64: entry: Allow the trampoline text to occupy multiple pages
    - SAUCE: arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
    - SAUCE: arm64: entry: Add vectors that have the bhb mitigation sequences
    - SAUCE: arm64: entry: Add macro for reading symbol addresses from the
      trampoline
    - SAUCE: arm64: Add percpu vectors for EL1
    - SAUCE: arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of
      Spectre-v2
    - SAUCE: KVM: arm64: Add templates for BHB mitigation sequences
    - SAUCE: arm64: Mitigate spectre style branch history side channels
    - SAUCE: KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and
      migrated
    - SAUCE: arm64: Use the clearbhb instruction in mitigations
    - [Config]: set CONFIG_MITIGATE_SPECTRE_BRANCH_HISTORY=y
  * CVE-2022-25636
    - netfilter: nf_tables_offload: incorrect flow offload action array size
  * CVE-2022-0001
    - x86/speculation: Merge one test in spectre_v2_user_select_mitigation()
    - x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
    - SAUCE: x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
    - SAUCE: x86/speculation: Add eIBRS + Retpoline options
    - SAUCE: Documentation/hw-vuln: Update spectre doc
  * Disable unprivileged BPF by default (LP: #1961338)
    - bpf: Add kconfig knob for disabling unpriv bpf by default
    - [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y

Date: 2022-03-02 11:21:11.570647+00:00
Changed-By: Thadeu Lima de Souza Cascardo <thadeu.cascardo at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1058.61
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list