group.of.nepali.translators team mailing list archive

[Bug 1951011] Re: linux-aws: Make a signed kernel

 

This bug was fixed in the package linux-aws - 5.4.0-1061.64

---------------
linux-aws (5.4.0-1061.64) focal; urgency=medium

  * focal/linux-aws: 5.4.0-1061.64 -proposed tracker (LP: #1952285)

  * Re-enable DEBUG_INFO_BTF where it was disabled (LP: #1945632)
    - [Config] aws: Enable CONFIG_DEBUG_INFO_BTF on all arches

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] aws: Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * linux-aws: Make a signed kernel (LP: #1951011)
    - [Packaging] aws: Enable signed kernel

  [ Ubuntu: 5.4.0-92.103 ]

  * focal/linux: 5.4.0-92.103 -proposed tracker (LP: #1952316)
  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.29)
  * CVE-2021-4002
    - tlb: mmu_gather: add tlb_flush_*_range APIs
    - hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  * Re-enable DEBUG_INFO_BTF where it was disabled (LP: #1945632)
    - [Config] Enable CONFIG_DEBUG_INFO_BTF on all arches
  * Focal linux-azure: Vm crash on Dv5/Ev5 (LP: #1950462)
    - KVM: VMX: eVMCS: make evmcs_sanitize_exec_ctrls() work again
    - jump_label: Fix usage in module __init
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about
      cert lists that aren't present."
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * Focal update: v5.4.157 upstream stable release (LP: #1951883)
    - ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
    - ARM: 9134/1: remove duplicate memcpy() definition
    - ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
    - ARM: 9141/1: only warn about XIP address when not compile testing
    - ipv6: use siphash in rt6_exception_hash()
    - ipv4: use siphash instead of Jenkins in fnhe_hashfun()
    - usbnet: sanity check for maxpacket
    - usbnet: fix error return code in usbnet_probe()
    - Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
    - ata: sata_mv: Fix the error handling of mv_chip_id()
    - nfc: port100: fix using -ERRNO as command type mask
    - net/tls: Fix flipped sign in tls_err_abort() calls
    - mmc: vub300: fix control-message timeouts
    - mmc: cqhci: clear HALT state after CQE enable
    - mmc: dw_mmc: exynos: fix the finding clock sample value
    - mmc: sdhci: Map more voltage level to SDHCI_POWER_330
    - mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning
      circuit
    - cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
    - net: lan78xx: fix division by zero in send path
    - tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
    - IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
    - IB/hfi1: Fix abba locking issue with sc_disable()
    - nvmet-tcp: fix data digest pointer calculation
    - nvme-tcp: fix data digest pointer calculation
    - RDMA/mlx5: Set user priority for DCT
    - arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
    - regmap: Fix possible double-free in regcache_rbtree_exit()
    - net: batman-adv: fix error handling
    - net: Prevent infinite while loop in skb_tx_hash()
    - RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
    - nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
    - net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume
      fails
    - net: ethernet: microchip: lan743x: Fix dma allocation failure by using
      dma_set_mask_and_coherent
    - net: nxp: lpc_eth.c: avoid hang when bringing interface down
    - net/tls: Fix flipped sign in async_wait.err assignment
    - phy: phy_ethtool_ksettings_get: Lock the phy for consistency
    - phy: phy_start_aneg: Add an unlocked version
    - sctp: use init_tag from inithdr for ABORT chunk
    - sctp: fix the processing for INIT_ACK chunk
    - sctp: fix the processing for COOKIE_ECHO chunk
    - sctp: add vtag check in sctp_sf_violation
    - sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
    - sctp: add vtag check in sctp_sf_ootb
    - net: use netif_is_bridge_port() to check for IFF_BRIDGE_PORT
    - cfg80211: correct bridge/4addr mode check
    - KVM: s390: clear kicked_mask before sleeping again
    - KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
    - perf script: Check session->header.env.arch before using it
    - Linux 5.4.157
  * keyboard not working on Medion notebook s17 series (LP: #1950536)
    - ACPI: resources: Add one more Medion model in IRQ override quirk
  * creat09 from ubuntu_ltp_syscalls and cve-2018-13405 from ubuntu_ltp/cve
    failed with XFS (LP: #1950239)
    - xfs: ensure that the inode uid/gid match values match the icdinode ones
    - xfs: merge the projid fields in struct xfs_icdinode
    - xfs: remove the icdinode di_uid/di_gid members
    - xfs: fix up non-directory creation in SGID directories
  * reuseport_bpf_numa in net from ubuntu_kernel_selftests fails on ppc64le
    (LP: #1867570)
    - selftests/net: Fix reuseport_bpf_numa by skipping unavailable nodes
  * Focal update: v5.4.156 upstream stable release (LP: #1951295)
    - parisc: math-emu: Fix fall-through warnings
    - net: switchdev: do not propagate bridge updates across bridges
    - tee: optee: Fix missing devices unregister during optee_remove
    - ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default
    - xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF
    - xtensa: xtfpga: Try software restart before simulating CPU reset
    - NFSD: Keep existing listeners on portlist error
    - dma-debug: fix sg checks in debug_dma_map_sg()
    - ASoC: wm8960: Fix clock configuration on slave mode
    - netfilter: ipvs: make global sysctl readonly in non-init netns
    - lan78xx: select CRC32
    - net: dsa: lantiq_gswip: fix register definition
    - NIOS2: irqflags: rename a redefined register name
    - net: hns3: reset DWRR of unused tc to zero
    - net: hns3: add limit ets dwrr bandwidth cannot be 0
    - net: hns3: disable sriov before unload hclge layer
    - net: stmmac: Fix E2E delay mechanism
    - net: enetc: fix ethtool counter name for PM0_TERR
    - can: rcar_can: fix suspend/resume
    - can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state
      notification
    - can: peak_pci: peak_pci_remove(): fix UAF
    - can: j1939: j1939_tp_rxtimer(): fix errant alert in j1939_tp_rxtimer
    - can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
    - can: j1939: j1939_xtp_rx_dat_one(): cancel session if receive TP.DT with
      error length
    - can: j1939: j1939_xtp_rx_rts_session_new(): abort TP less than 9 bytes
    - ceph: fix handling of "meta" errors
    - ocfs2: fix data corruption after conversion from inline format
    - ocfs2: mount fails with buffer overflow in strlen
    - elfcore: correct reference to CONFIG_UML
    - ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
    - ALSA: hda/realtek: Add quirk for Clevo PC50HS
    - ASoC: DAPM: Fix missing kctl change notifications
    - audit: fix possible null-pointer dereference in audit_filter_rules
    - powerpc64/idle: Fix SP offsets when saving GPRs
    - KVM: PPC: Book3S HV: Fix stack handling in idle_kvm_start_guest()
    - KVM: PPC: Book3S HV: Make idle_kvm_start_guest() return 0 if it went to
      guest
    - powerpc/idle: Don't corrupt back chain when going idle
    - mm, slub: fix mismatch between reconstructed freelist depth and cnt
    - mm, slub: fix potential memoryleak in kmem_cache_open()
    - nfc: nci: fix the UAF of rf_conn_info object
    - isdn: cpai: check ctr->cnr to avoid array index out of bound
    - netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
    - selftests: netfilter: remove stray bash debug line
    - gcc-plugins/structleak: add makefile var for disabling structleak
    - btrfs: deal with errors when checking if a dir entry exists during log
      replay
    - net: stmmac: add support for dwmac 3.40a
    - ARM: dts: spear3xx: Fix gmac node
    - isdn: mISDN: Fix sleeping function called from invalid context
    - platform/x86: intel_scu_ipc: Update timeout value in comment
    - ALSA: hda: avoid write to STATESTS if controller is in reset
    - Input: snvs_pwrkey - add clk handling
    - scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()
    - tracing: Have all levels of checks prevent recursion
    - ARM: 9122/1: select HAVE_FUTEX_CMPXCHG
    - pinctrl: stm32: use valid pin identifier in stm32_pinctrl_resume()
    - Linux 5.4.156
  * ubuntu_ltp / finit_module02 fails on v4.15 and other kernels
    (LP: #1950644) // Focal update: v5.4.156 upstream stable release
    (LP: #1951295)
    - vfs: check fd has read access in kernel_read_file_from_fd()
  * Focal update: v5.4.155 upstream stable release (LP: #1951291)
    - ovl: simplify file splice
    - ALSA: usb-audio: Add quirk for VF0770
    - ALSA: seq: Fix a potential UAF by wrong private_free call order
    - ALSA: hda/realtek: Complete partial device name to avoid ambiguity
    - ALSA: hda/realtek: Add quirk for Clevo X170KM-G
    - ALSA: hda/realtek - ALC236 headset MIC recording issue
    - ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
    - nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^'
    - s390: fix strrchr() implementation
    - csky: don't let sigreturn play with priveleged bits of status register
    - csky: Fixup regs.sr broken in ptrace
    - btrfs: unlock newly allocated extent buffer after error
    - btrfs: deal with errors when replaying dir entry during log replay
    - btrfs: deal with errors when adding inode reference during log replay
    - btrfs: check for error when looking up inode during dir entry replay
    - watchdog: orion: use 0 for unset heartbeat
    - x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails
    - mei: me: add Ice Lake-N device id.
    - xhci: guard accesses to ep_state in xhci_endpoint_reset()
    - xhci: Fix command ring pointer corruption while aborting a command
    - xhci: Enable trust tx length quirk for Fresco FL11 USB controller
    - cb710: avoid NULL pointer subtraction
    - efi/cper: use stack buffer for error record decoding
    - efi: Change down_interruptible() in virt_efi_reset_system() to
      down_trylock()
    - usb: musb: dsps: Fix the probe error path
    - Input: xpad - add support for another USB ID of Nacon GC-100
    - USB: serial: qcserial: add EM9191 QDL support
    - USB: serial: option: add Quectel EC200S-CN module support
    - USB: serial: option: add Telit LE910Cx composition 0x1204
    - USB: serial: option: add prod. id for Quectel EG91
    - EDAC/armada-xp: Fix output of uncorrectable error counter
    - nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
    - x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically
    - powerpc/xive: Discard disabled interrupts in get_irqchip_state()
    - iio: adc: aspeed: set driver data when adc probe.
    - iio: adc128s052: Fix the error handling path of 'adc128_probe()'
    - iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED
    - iio: light: opt3001: Fixed timeout error when 0 lux
    - iio: ssp_sensors: add more range checking in ssp_parse_dataframe()
    - iio: ssp_sensors: fix error code in ssp_print_mcu_debug()
    - iio: dac: ti-dac5571: fix an error code in probe()
    - sctp: account stream padding length for reconf chunk
    - gpio: pca953x: Improve bias setting
    - net: arc: select CRC32
    - net: korina: select CRC32
    - net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp
    - net: stmmac: fix get_hw_feature() on old hardware
    - net: encx24j600: check error in devm_regmap_init_encx24j600
    - ethernet: s2io: fix setting mac address during resume
    - nfc: fix error handling of nfc_proto_register()
    - NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
    - NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
    - pata_legacy: fix a couple uninitialized variable bugs
    - ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators()
    - mlxsw: thermal: Fix out-of-bounds memory accesses
    - platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
    - drm/panel: olimex-lcd-olinuxino: select CRC32
    - drm/msm: Fix null pointer dereference on pointer edp
    - drm/msm/dsi: Fix an error code in msm_dsi_modeset_init()
    - drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling
    - acpi/arm64: fix next_platform_timer() section mismatch error
    - mqprio: Correct stats in mqprio_dump_class_stats().
    - qed: Fix missing error code in qed_slowpath_start()
    - r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256
    - ionic: don't remove netdev->dev_addr when syncing uc list
    - Linux 5.4.155
  * [UBUNTU 20.04] kernel:  unable to read partitions on virtio-block dasd (kvm)
    (LP: #1950144) // Focal update: v5.4.155 upstream stable release
    (LP: #1951291)
    - virtio: write back F_VERSION_1 before validate
  * Focal update: v5.4.154 upstream stable release (LP: #1951288)
    - net: phy: bcm7xxx: Fixed indirect MMD operations
    - ext4: correct the error path of ext4_write_inline_data_end()
    - HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS
    - netfilter: ip6_tables: zero-initialize fragment offset
    - HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs
    - netfilter: nf_nat_masquerade: make async masq_inet6_event handling generic
    - netfilter: nf_nat_masquerade: defer conntrack walk to work queue
    - mac80211: Drop frames from invalid MAC address in ad-hoc mode
    - m68k: Handle arrivals of multiple signals correctly
    - net: prevent user from passing illegal stab size
    - mac80211: check return value of rhashtable_init
    - net: sun: SUNVNET_COMMON should depend on INET
    - drm/amdgpu: fix gart.bo pin_count leak
    - scsi: ses: Fix unsigned comparison with less than zero
    - scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported"
    - sched: Always inline is_percpu_thread()
    - Linux 5.4.154
  * Focal update: v5.4.153 upstream stable release (LP: #1950014)
    - Partially revert "usb: Kconfig: using select for USB_COMMON dependency"
    - USB: cdc-acm: fix racy tty buffer accesses
    - USB: cdc-acm: fix break reporting
    - usb: typec: tcpm: handle SRC_STARTUP state if cc changes
    - xen/privcmd: fix error handling in mmap-resource processing
    - mmc: meson-gx: do not use memcpy_to/fromio for dram-access-quirk
    - ovl: fix missing negative dentry check in ovl_rename()
    - nfsd: fix error handling of register_pernet_subsys() in init_nfsd()
    - nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero
    - xen/balloon: fix cancelled balloon action
    - ARM: dts: omap3430-sdp: Fix NAND device node
    - ARM: dts: qcom: apq8064: use compatible which contains chipid
    - MIPS: BPF: Restore MIPS32 cBPF JIT
    - bpf, mips: Validate conditional branch offsets
    - soc: qcom: socinfo: Fixed argument passed to platform_set_data()
    - ARM: dts: qcom: apq8064: Use 27MHz PXO clock as DSI PLL reference
    - soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment
    - ARM: dts: imx: Add missing pinctrl-names for panel on M53Menlo
    - ARM: dts: imx: Fix USB host power regulator polarity on M53Menlo
    - arm64: dts: qcom: pm8150: use qcom,pm8998-pon binding
    - xtensa: move XCHAL_KIO_* definitions to kmem_layout.h
    - xtensa: use CONFIG_USE_OF instead of CONFIG_OF
    - xtensa: call irqchip_init only when CONFIG_USE_OF is selected
    - bpf, arm: Fix register clobbering in div/mod implementation
    - bpf: Fix integer overflow in prealloc_elems_and_freelist()
    - phy: mdio: fix memory leak
    - net_sched: fix NULL deref in fifo_set_limit()
    - powerpc/fsl/dts: Fix phy-connection-type for fm1mac3
    - ptp_pch: Load module automatically if ID matches
    - arm64: dts: freescale: Fix SP805 clock-names
    - arm64: dts: ls1028a: add missing CAN nodes
    - ARM: imx6: disable the GIC CPU interface before calling stby-poweroff
      sequence
    - net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size()
    - net/sched: sch_taprio: properly cancel timer from taprio_destroy()
    - net: sfp: Fix typo in state machine debug string
    - netlink: annotate data races around nlk->bound
    - bus: ti-sysc: Use CLKDM_NOAUTO for dra7 dcan1 for errata i893
    - video: fbdev: gbefb: Only instantiate device when built for IP32
    - drm/nouveau/debugfs: fix file release memory leak
    - gve: Correct available tx qpl check
    - rtnetlink: fix if_nlmsg_stats_size() under estimation
    - gve: fix gve_get_stats()
    - i40e: fix endless loop under rtnl
    - i40e: Fix freeing of uninitialized misc IRQ vector
    - net: prefer socket bound to interface when not in VRF
    - i2c: acpi: fix resource leak in reconfiguration device addition
    - bpf, s390: Fix potential memory leak about jit_data
    - RISC-V: Include clone3() on rv32
    - x86/platform/olpc: Correct ifdef symbol to intended CONFIG_OLPC_XO15_SCI
    - x86/hpet: Use another crystalball to evaluate HPET usability
    - x86/Kconfig: Correct reference to MWINCHIP3D
    - Linux 5.4.153
  * Focal update: v5.4.152 upstream stable release (LP: #1950009)
    - net: mdio: introduce a shutdown method to mdio device drivers
    - xen-netback: correct success/error reporting for the SKB-with-fraglist case
    - sparc64: fix pci_iounmap() when CONFIG_PCI is not set
    - ext2: fix sleeping in atomic bugs on error
    - scsi: sd: Free scsi_disk device via put_device()
    - usb: testusb: Fix for showing the connection speed
    - usb: dwc2: check return value after calling platform_get_resource()
    - selftests: be sure to make khdr before other targets
    - selftests:kvm: fix get_warnings_count() ignoring fscanf() return warn
    - scsi: ses: Retry failed Send/Receive Diagnostic commands
    - tools/vm/page-types: remove dependency on opt_file for idle page tracking
    - KVM: do not shrink halt_poll_ns below grow_start
    - kvm: x86: Add AMD PMU MSRs to msrs_to_save_all[]
    - perf/x86: Reset destroy callback on event init failure
    - silence nfscache allocation warnings with kvzalloc
    - libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD.
    - Linux 5.4.152
  * linux-aws: Fix backport of RDMA/efa: Expose maximum  TX doorbell batch
    (LP: #1949882)
    - SAUCE: aws: Fix backport of RDMA/efa: Expose maximum TX doorbell batch

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Thu, 02 Dec 2021 11:20:57 -0700

** Changed in: linux-aws (Ubuntu Focal)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26541

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-4002

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1951011

Title:
  linux-aws: Make a signed kernel

Status in linux-aws package in Ubuntu:
  New
Status in linux-aws-hwe package in Ubuntu:
  Invalid
Status in linux-aws source package in Xenial:
  Invalid
Status in linux-aws-hwe source package in Xenial:
  In Progress
Status in linux-aws source package in Bionic:
  In Progress
Status in linux-aws-hwe source package in Bionic:
  Invalid
Status in linux-aws source package in Focal:
  Fix Released
Status in linux-aws-hwe source package in Focal:
  Invalid
Status in linux-aws source package in Hirsute:
  In Progress
Status in linux-aws-hwe source package in Hirsute:
  Invalid
Status in linux-aws source package in Impish:
  In Progress
Status in linux-aws-hwe source package in Impish:
  Invalid

Bug description:
  SRU Justification

  [Impact]

  Ubuntu AWS kernels on secure boot instances will not load.

  [Fix]

  Generate signed kernels and packages

  [Test Plan]

  Boot in a secure boot (UEFI) environment.

  [Where things could go wrong]

  This is a new packaging feature.

  [Other Info]
