[ubuntu/jammy-security] linux-lowlatency-hwe-6.5 6.5.0-14.14.1~22.04.1 (Accepted)
Andy Whitcroft
apw at canonical.com
Wed Jan 17 09:09:39 UTC 2024
linux-lowlatency-hwe-6.5 (6.5.0-14.14.1~22.04.1) jammy; urgency=medium
* jammy/linux-lowlatency-hwe-6.5: 6.5.0-14.14.1~22.04.1 -proposed tracker
(LP: #2043484)
* disable shiftfs (LP: #2038522)
- [Config] lowlatency-hwe-6.5: disable shiftfs
* Packaging resync (LP: #1786013)
- [Packaging] update variants
[ Ubuntu: 6.5.0-14.14.1 ]
* mantic/linux-lowlatency: 6.5.0-14.14.1 -proposed tracker (LP: #2041531)
* Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log
- [Packaging] resync update-dkms-versions helper
- debian/dkms-versions -- update from kernel-versions (main/2023.10.30)
* disable shiftfs (LP: #2038522)
- [Config] lowlatency: disable shiftfs
* usbip: error: failed to open /usr/share/hwdata//usb.ids (LP: #2039439)
- [Packaging] lowlatency: Make linux-tools-common depend on hwdata
* mantic/linux: 6.5.0-14.14 -proposed tracker (LP: #2042660)
* Boot log print hang on screen, no login prompt on Aspeed 2600 rev 52 BMC
(LP: #2042850)
- drm/ast: Add BMC virtual connector
* arm64 atomic issues cause disk corruption (LP: #2042573)
- locking/atomic: scripts: fix fallback ifdeffery
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
* mantic/linux: 6.5.0-12.12 -proposed tracker (LP: #2041536)
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
- [Packaging] update helper scripts
- debian/dkms-versions -- update from kernel-versions (main/2023.10.30)
* CVE-2023-5633
- drm/vmwgfx: Keep a gem reference to user bos in surfaces
* CVE-2023-5345
- fs/smb/client: Reset password pointer to NULL
* CVE-2023-39189
- netfilter: nfnetlink_osf: avoid OOB read
* CVE-2023-4244
- netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
* apparmor restricts read access of user namespace mediation sysctls to root
(LP: #2040194)
- SAUCE: apparmor: open userns related sysctl so lxc can check if restriction
are in place
* AppArmor spams kernel log with assert when auditing (LP: #2040192)
- SAUCE: apparmor: fix request field from a prompt reply that denies all
access
* apparmor notification files verification (LP: #2040250)
- SAUCE: apparmor: fix notification header size
* apparmor oops when racing to retrieve a notification (LP: #2040245)
- SAUCE: apparmor: fix oops when racing to retrieve notification
* SMC stats: Wrong bucket calculation for payload of exactly 4096 bytes
(LP: #2039575)
- net/smc: Fix pos miscalculation in statistics
* Support mipi camera on Intel Meteor Lake platform (LP: #2031412)
- SAUCE: iommu: intel-ipu: use IOMMU passthrough mode for Intel IPUs on Meteor
Lake
- SAUCE: platform/x86: int3472: Add handshake GPIO function
* CVE-2023-45898
- ext4: fix slab-use-after-free in ext4_es_insert_extent()
* CVE-2023-31085
- ubi: Refuse attaching if mtd's erasesize is 0
* CVE-2023-5717
- perf: Disallow mis-matched inherited group reads
* CVE-2023-5178
- nvmet-tcp: Fix a possible UAF in queue intialization setup
* CVE-2023-5158
- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
* CVE-2023-5090
- x86: KVM: SVM: always update the x2avic msr interception
* [SRU][J/L/M] UBUNTU: [Packaging] Make WWAN driver a loadable module
(LP: #2033406)
- [Packaging] Make WWAN driver loadable modules
* Unable to power off the system with MTL CPU (LP: #2039405)
- Revert "x86/smp: Put CPUs into INIT on shutdown if possible"
* usbip: error: failed to open /usr/share/hwdata//usb.ids (LP: #2039439)
- [Packaging] Make linux-tools-common depend on hwdata
* drop all references to is_rust_module.sh in kernels >= 6.5 (LP: #2038611)
- [Packaging] drop references to is_rust_module.sh
* disable shiftfs (LP: #2038522)
- SAUCE: ceph: enable unsafe idmapped mounts by default
- [Config] disable shiftfs
* Infinite systemd loop when power off the machine with multiple MD RAIDs
(LP: #2036184)
- md: Put the right device in md_seq_next
* [Mediatek] mt8195-demo: enable CONFIG_MTK_IOMMU as module for multimedia and
PCIE peripherals (LP: #2036587)
- [Config] Enable CONFIG_MTK_IOMMU on arm64
* Realtek 8852CE WiFi 6E country code udpates (LP: #2037273)
- wifi: rtw89: regd: update regulatory map to R64-R43
* Unable to use nvme drive to install Ubuntu 23.10 (LP: #2040157)
- misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to
probe
* CVE-2023-42754
- ipv4: fix null-deref in ipv4_link_failure
* linux-*: please enable dm-verity kconfigs to allow MoK/db verified root
images (LP: #2019040)
- [Config] CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
* Fix RCU warning on AMD laptops (LP: #2036377)
- power: supply: core: Use blocking_notifier_call_chain to avoid RCU complaint
* allow io_uring to be disabled in runtime (LP: #2035116)
- io_uring: add a sysctl to disable io_uring system-wide
* Fix unstable audio at low levels on Thinkpad P1G4 (LP: #2037077)
- ALSA: hda/realtek - ALC287 I2S speaker platform support
[ Ubuntu: 6.5.0-13.13.1 ]
* mantic/linux-lowlatency: 6.5.0-13.13.1 -proposed tracker (LP: #2041872)
* mantic/linux: 6.5.0-13.13 -proposed tracker (LP: #2042652)
* arm64 atomic issues cause disk corruption (LP: #2042573)
- locking/atomic: scripts: fix fallback ifdeffery
* mantic/linux: 6.5.0-11.11 -proposed tracker (LP: #2041879)
* CVE-2023-31085
- ubi: Refuse attaching if mtd's erasesize is 0
* CVE-2023-4244
- netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
* CVE-2023-5633
- drm/vmwgfx: Keep a gem reference to user bos in surfaces
* CVE-2023-5345
- fs/smb/client: Reset password pointer to NULL
* CVE-2023-5090
- x86: KVM: SVM: always update the x2avic msr interception
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
[ Ubuntu: 6.5.0-10.10.1 ]
* mantic/linux-lowlatency: 6.5.0-10.10.1 -proposed tracker (LP: #2039199)
* Packaging resync (LP: #1786013)
- [Packaging] update Ubuntu.md
- [Packaging] update update.conf
* mantic/linux: 6.5.0-10.10 -proposed tracker (LP: #2039204)
* CVE-2023-4921
- net: sched: sch_qfq: Fix UAF in qfq_dequeue()
* CVE-2023-42756
- netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
* CVE-2023-4881
- netfilter: nftables: exthdr: fix 4-byte stack OOB write
* CVE-2023-5197
- netfilter: nf_tables: disallow rule removal from chain binding
[ Ubuntu: 6.5.0-9.9.1 ]
* mantic/linux-lowlatency: 6.5.0-9.9.1 -proposed tracker (LP: #2038688)
* mantic/linux: 6.5.0-9.9 -proposed tracker (LP: #2038687)
* update apparmor and LSM stacking patch set (LP: #2028253)
- re-apply apparmor 4.0.0
* Disable restricting unprivileged change_profile by default, due to LXD
latest/stable not yet compatible with this new apparmor feature
(LP: #2038567)
- SAUCE: apparmor: Make apparmor_restrict_unprivileged_unconfined opt-in
* mantic/linux: 6.5.0-8.8 -proposed tracker (LP: #2038577)
* update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor3.2.0 [02/60]: rename SK_CTX() to aa_sock and make it an
inline fn
- SAUCE: apparmor3.2.0 [05/60]: Add sysctls for additional controls of unpriv
userns restrictions
- SAUCE: apparmor3.2.0 [08/60]: Stacking v38: LSM: Identify modules by more
than name
- SAUCE: apparmor3.2.0 [09/60]: Stacking v38: LSM: Add an LSM identifier for
external use
- SAUCE: apparmor3.2.0 [10/60]: Stacking v38: LSM: Identify the process
attributes for each module
- SAUCE: apparmor3.2.0 [11/60]: Stacking v38: LSM: Maintain a table of LSM
attribute data
- SAUCE: apparmor3.2.0 [12/60]: Stacking v38: proc: Use lsmids instead of lsm
names for attrs
- SAUCE: apparmor3.2.0 [13/60]: Stacking v38: integrity: disassociate
ima_filter_rule from security_audit_rule
- SAUCE: apparmor3.2.0 [14/60]: Stacking v38: LSM: Infrastructure management
of the sock security
- SAUCE: apparmor3.2.0 [15/60]: Stacking v38: LSM: Add the lsmblob data
structure.
- SAUCE: apparmor3.2.0 [16/60]: Stacking v38: LSM: provide lsm name and id
slot mappings
- SAUCE: apparmor3.2.0 [17/60]: Stacking v38: IMA: avoid label collisions with
stacked LSMs
- SAUCE: apparmor3.2.0 [18/60]: Stacking v38: LSM: Use lsmblob in
security_audit_rule_match
- SAUCE: apparmor3.2.0 [19/60]: Stacking v38: LSM: Use lsmblob in
security_kernel_act_as
- SAUCE: apparmor3.2.0 [20/60]: Stacking v38: LSM: Use lsmblob in
security_secctx_to_secid
- SAUCE: apparmor3.2.0 [21/60]: Stacking v38: LSM: Use lsmblob in
security_secid_to_secctx
- SAUCE: apparmor3.2.0 [22/60]: Stacking v38: LSM: Use lsmblob in
security_ipc_getsecid
- SAUCE: apparmor3.2.0 [23/60]: Stacking v38: LSM: Use lsmblob in
security_current_getsecid
- SAUCE: apparmor3.2.0 [24/60]: Stacking v38: LSM: Use lsmblob in
security_inode_getsecid
- SAUCE: apparmor3.2.0 [25/60]: Stacking v38: LSM: Use lsmblob in
security_cred_getsecid
- SAUCE: apparmor3.2.0 [26/60]: Stacking v38: LSM: Specify which LSM to
display
- SAUCE: apparmor3.2.0 [28/60]: Stacking v38: LSM: Ensure the correct LSM
context releaser
- SAUCE: apparmor3.2.0 [29/60]: Stacking v38: LSM: Use lsmcontext in
security_secid_to_secctx
- SAUCE: apparmor3.2.0 [30/60]: Stacking v38: LSM: Use lsmcontext in
security_inode_getsecctx
- SAUCE: apparmor3.2.0 [31/60]: Stacking v38: Use lsmcontext in
security_dentry_init_security
- SAUCE: apparmor3.2.0 [32/60]: Stacking v38: LSM: security_secid_to_secctx in
netlink netfilter
- SAUCE: apparmor3.2.0 [33/60]: Stacking v38: NET: Store LSM netlabel data in
a lsmblob
- SAUCE: apparmor3.2.0 [34/60]: Stacking v38: binder: Pass LSM identifier for
confirmation
- SAUCE: apparmor3.2.0 [35/60]: Stacking v38: LSM: security_secid_to_secctx
module selection
- SAUCE: apparmor3.2.0 [36/60]: Stacking v38: Audit: Keep multiple LSM data in
audit_names
- SAUCE: apparmor3.2.0 [37/60]: Stacking v38: Audit: Create audit_stamp
structure
- SAUCE: apparmor3.2.0 [38/60]: Stacking v38: LSM: Add a function to report
multiple LSMs
- SAUCE: apparmor3.2.0 [39/60]: Stacking v38: Audit: Allow multiple records in
an audit_buffer
- SAUCE: apparmor3.2.0 [40/60]: Stacking v38: Audit: Add record for multiple
task security contexts
- SAUCE: apparmor3.2.0 [41/60]: Stacking v38: audit: multiple subject lsm
values for netlabel
- SAUCE: apparmor3.2.0 [42/60]: Stacking v38: Audit: Add record for multiple
object contexts
- SAUCE: apparmor3.2.0 [43/60]: Stacking v38: netlabel: Use a struct lsmblob
in audit data
- SAUCE: apparmor3.2.0 [44/60]: Stacking v38: LSM: Removed scaffolding
function lsmcontext_init
- SAUCE: apparmor3.2.0 [45/60]: Stacking v38: AppArmor: Remove the exclusive
flag
- SAUCE: apparmor3.2.0 [46/60]: combine common_audit_data and
apparmor_audit_data
- SAUCE: apparmor3.2.0 [47/60]: setup slab cache for audit data
- SAUCE: apparmor3.2.0 [48/60]: rename audit_data->label to
audit_data->subj_label
- SAUCE: apparmor3.2.0 [49/60]: pass cred through to audit info.
- SAUCE: apparmor3.2.0 [50/60]: Improve debug print infrastructure
- SAUCE: apparmor3.2.0 [51/60]: add the ability for profiles to have a
learning cache
- SAUCE: apparmor3.2.0 [52/60]: enable userspace upcall for mediation
- SAUCE: apparmor3.2.0 [53/60]: cache buffers on percpu list if there is lock
contention
- SAUCE: apparmor3.2.0 [55/60]: advertise availability of exended perms
- SAUCE: apparmor3.2.0 [60/60]: [Config] enable
CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS
* LSM stacking and AppArmor for 6.2: additional fixes (LP: #2017903) // update
apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor3.2.0 [57/60]: fix profile verification and enable it
* udev fails to make prctl() syscall with apparmor=0 (as used by maas by
default) (LP: #2016908) // update apparmor and LSM stacking patch set
(LP: #2028253)
- SAUCE: apparmor3.2.0 [27/60]: Stacking v38: Fix prctl() syscall with
apparmor=0
* kinetic: apply new apparmor and LSM stacking patch set (LP: #1989983) //
update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor3.2.0 [01/60]: add/use fns to print hash string hex value
- SAUCE: apparmor3.2.0 [03/60]: patch to provide compatibility with v2.x net
rules
- SAUCE: apparmor3.2.0 [04/60]: add user namespace creation mediation
- SAUCE: apparmor3.2.0 [06/60]: af_unix mediation
- SAUCE: apparmor3.2.0 [07/60]: Add fine grained mediation of posix mqueues
Date: 2023-11-22 15:08:24.392591+00:00
Changed-By: Roxana Nicolescu <roxana.nicolescu at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.5/6.5.0-14.14.1~22.04.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list