From 26d5c1680247337e547b5fa02a37f14349e94bbd Mon Sep 17 00:00:00 2001 From: Christopher Co <35273088+christopherco@users.noreply.github.com> Date: Mon, 12 Apr 2021 12:38:14 -0700 Subject: [PATCH] kernel: update to 5.10.28.1 (#846) Update the kernel to 5.10.28.1. - 5.10.28.1 addresses the following CVEs: CVE-2020-27170, CVE-2020-27171, CVE-2021-28375, CVE-2021-28660, CVE-2021-28950, CVE-2021-28951, CVE-2021-28952, CVE-2021-28971, CVE-2021-28972, CVE-2021-29266, CVE-2021-28964, CVE-2020-35508, CVE-2020-16120, CVE-2021-29264, CVE-2021-29265, CVE-2021-29646, CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-30002 - update uname_r define It is generally expected that users can run "dnf install kernel-devel-$(uname -r)" to pull the proper kernel-devel package associated with the currently running kernel. Currently "uname -r" returns something like "5.10.28.1-rolling-lts-mariner-1.cm1". RPM package naming has the following convention: [name]-[version]-[release].[arch].rpm where [version] and [release] cannot contain any dash characters. Therefore it is impossible to name a corresponding kernel-devel RPM to match kernel-devel-$(uname -r). In 5.10.28.1, we changed the kernel Makefile's EXTRAVERSION value from "EXTRAVERSION=.1-rolling-lts-mariner" to "EXTRAVERSION=.1", dropping the extra "rolling-lts-mariner" from the uname. This allows the "dnf install kernel-devel-$(uname -r)" to work as intended. 
Signed-off-by: Chris Co
---
 .../kernel-signed-aarch64.spec | 10 ++++--
 .../kernel-signed-x64/kernel-signed-x64.spec | 10 ++++--
 .../hyperv-daemons.signatures.json | 2 +-
 SPECS/hyperv-daemons/hyperv-daemons.spec | 5 ++-
 .../kernel-headers.signatures.json | 2 +-
 SPECS/kernel-headers/kernel-headers.spec | 7 ++--
 SPECS/kernel-hyperv/config | 5 +--
 .../kernel-hyperv.signatures.json | 4 +--
 SPECS/kernel-hyperv/kernel-hyperv.spec | 10 ++++--
 SPECS/kernel/CVE-2020-16120.nopatch | 3 ++
 SPECS/kernel/CVE-2020-27170.nopatch | 3 ++
 SPECS/kernel/CVE-2020-27171.nopatch | 3 ++
 SPECS/kernel/CVE-2020-35508.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28375.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28660.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28950.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28951.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28952.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28964.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28971.nopatch | 3 ++
 SPECS/kernel/CVE-2021-28972.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29264.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29265.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29266.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29646.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29647.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29649.nopatch | 3 ++
 SPECS/kernel/CVE-2021-29650.nopatch | 3 ++
 SPECS/kernel/CVE-2021-30002.nopatch | 3 ++
 SPECS/kernel/config | 7 ++--
 SPECS/kernel/config_aarch64 | 4 +--
 SPECS/kernel/kernel.signatures.json | 8 ++---
 SPECS/kernel/kernel.spec | 35 +++++++++++++++++--
 cgmanifest.json | 16 ++++-----
 .../manifests/package/pkggen_core_aarch64.txt | 2 +-
 .../manifests/package/pkggen_core_x86_64.txt | 2 +-
 .../manifests/package/toolchain_aarch64.txt | 2 +-
 .../manifests/package/toolchain_x86_64.txt | 2 +-
 .../scripts/toolchain/container/Dockerfile | 2 +-
 .../toolchain/container/toolchain-md5sums | 2 +-
 .../container/toolchain_build_in_chroot.sh | 8 ++---
 .../container/toolchain_build_temp_tools.sh | 8 ++---
 42 files changed, 160 insertions(+), 53 deletions(-)
 create mode 100644 SPECS/kernel/CVE-2020-16120.nopatch
 create mode 100644 SPECS/kernel/CVE-2020-27170.nopatch
 create mode 100644 SPECS/kernel/CVE-2020-27171.nopatch
 create mode 100644 SPECS/kernel/CVE-2020-35508.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28375.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28660.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28950.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28951.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28952.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28964.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28971.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-28972.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29264.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29265.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29266.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29646.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29647.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29649.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-29650.nopatch
 create mode 100644 SPECS/kernel/CVE-2021-30002.nopatch
diff --git a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
index 429a1501b8..bf4b839b50 100644
--- a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
+++ b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec
@@ -1,9 +1,9 @@
 %global debug_package %{nil}
-%define uname_r %{version}-rolling-lts-mariner-%{release}
+%define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for aarch64 systems
 Name: kernel-signed-aarch64
-Version: 5.10.21.1
-Release: 4%{?dist}
+Version: 5.10.28.1
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -82,6 +82,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+- Update uname_r define to match the new value derived from the source
+
 * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4
 - Update to kernel release 5.10.21.1-4
 
diff --git a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
index 74a33f49cf..a6dad6bae1 100644
--- a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
+++ b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
@@ -1,9 +1,9 @@
 %global debug_package %{nil}
-%define uname_r %{version}-rolling-lts-mariner-%{release}
+%define uname_r %{version}-%{release}
 Summary: Signed Linux Kernel for x86_64 systems
 Name: kernel-signed-x64
-Version: 5.10.21.1
-Release: 4%{?dist}
+Version: 5.10.28.1
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -82,6 +82,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+- Update uname_r define to match the new value derived from the source
+
 * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4
 - Update to kernel release 5.10.21.1-4
 
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
index 703056fc96..c1f8622a0c 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
+++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@@ -7,6 +7,6 @@
 "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1",
 "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
 "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
- "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0"
+ "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d"
 }
 }
\ No newline at end of file
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec
index ac60fa30cd..2fd0309092 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec
+++ b/SPECS/hyperv-daemons/hyperv-daemons.spec
@@ -8,7 +8,7 @@
 %global udev_prefix 70
 Summary: Hyper-V daemons suite
 Name: hyperv-daemons
-Version: 5.10.21.1
+Version: 5.10.28.1
 Release: 1%{?dist}
 License: GPLv2+
 Vendor: Microsoft Corporation
@@ -219,6 +219,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+
 * Thu Mar 11 2021 Chris Co - 5.10.21.1-1
 - Update source to 5.10.21.1
 
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json
index 819e36f9d9..dd26972790 100644
--- a/SPECS/kernel-headers/kernel-headers.signatures.json
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0"
+ "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 427c88f355..2c9c389355 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -1,7 +1,7 @@
 Summary: Linux API header files
 Name: kernel-headers
-Version: 5.10.21.1
-Release: 4%{?dist}
+Version: 5.10.28.1
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -35,6 +35,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+
 * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4
 - Update to kernel release 5.10.21.1-4
 
diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config
index 545c6e2af1..b5f02fd2cb 100644
--- a/SPECS/kernel-hyperv/config
+++ b/SPECS/kernel-hyperv/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.21.1-rolling-lts-mariner Kernel Configuration
+# Linux/x86_64 5.10.28.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -1537,7 +1537,6 @@ CONFIG_PCIEASPM_DEFAULT=y
 # CONFIG_PCIEASPM_PERFORMANCE is not set
 # CONFIG_PCIE_DPC is not set
 # CONFIG_PCIE_PTM is not set
-# CONFIG_PCIE_BW is not set
 CONFIG_PCI_MSI=y
 CONFIG_PCI_MSI_IRQ_DOMAIN=y
 CONFIG_PCI_QUIRKS=y
@@ -3260,6 +3259,7 @@ CONFIG_UIO=m
 # CONFIG_UIO_PRUSS is not set
 # CONFIG_UIO_MF624 is not set
 CONFIG_UIO_HV_GENERIC=m
+# CONFIG_VFIO is not set
 CONFIG_VIRT_DRIVERS=y
 # CONFIG_VBOXGUEST is not set
 # CONFIG_NITRO_ENCLAVES is not set
@@ -3278,6 +3278,7 @@ CONFIG_HYPERV_TIMER=y
 CONFIG_HYPERV_UTILS=m
 CONFIG_HYPERV_BALLOON=m
 CONFIG_DXGKRNL=m
+# CONFIG_DXGKRNL_DEBUG is not set
 # end of Microsoft Hyper-V guest support
 
 # CONFIG_GREYBUS is not set
diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json
index c969898bbe..62db6fa6d6 100644
--- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json
+++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json
@@ -1,7 +1,7 @@
 {
 "Signatures": {
- "config": "c5426e82771a878a06758657e7442ae693f76a88994b3cad36ead19c4a48f2a5",
- "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0",
+ "config": "409a59c15de0b9a2417df76b89dfe9796449a2e1b45ea0d48ea09013a012c947",
+ "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec
index 5c8ec3fa8b..b38dbfe8e6 100644
--- a/SPECS/kernel-hyperv/kernel-hyperv.spec
+++ b/SPECS/kernel-hyperv/kernel-hyperv.spec
@@ -1,10 +1,10 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%define uname_r %{version}-rolling-lts-mariner-%{release}
+%define uname_r %{version}-%{release}
 Summary: Linux Kernel optimized for Hyper-V
 Name: kernel-hyperv
-Version: 5.10.21.1
-Release: 2%{?dist}
+Version: 5.10.28.1
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -274,6 +274,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_libdir}/perf/include/bpf/*
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+- Update uname_r define to match the new value derived from the source
+
 * Thu Mar 18 2021 Chris Co - 5.10.21.1-2
 - Enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS
 
diff --git a/SPECS/kernel/CVE-2020-16120.nopatch b/SPECS/kernel/CVE-2020-16120.nopatch
new file mode 100644
index 0000000000..e514b1760c
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-16120.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-16120 - already patched in 5.10.28.1 stable kernel
+Upstream: 05acefb4872dae89e772729efb194af754c877e8
+Stable: 48bd024b8a40d73ad6b086de2615738da0c7004f
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-27170.nopatch b/SPECS/kernel/CVE-2020-27170.nopatch
new file mode 100644
index 0000000000..780f091b43
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-27170.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-27170 - already patched in 5.10.28.1 stable kernel
+Upstream: f232326f6966cf2a1d1db7bc917a4ce5f9f55f76
+Stable: c4d37eea1c641a9319baf34253cc373abb39d3e1
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-27171.nopatch b/SPECS/kernel/CVE-2020-27171.nopatch
new file mode 100644
index 0000000000..53fe35470e
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-27171.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-27171 - already patched in 5.10.28.1 stable kernel
+Upstream: 10d2bb2e6b1d8c4576c56a748f697dbeb8388899
+Stable: ac1b87a18c1ffbe3d093000b762121b5aae0a3f9
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-35508.nopatch b/SPECS/kernel/CVE-2020-35508.nopatch
new file mode 100644
index 0000000000..6539919373
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-35508.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-35508 - already patched in 5.10.28.1 stable kernel
+Upstream: b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948
+Stable: b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28375.nopatch b/SPECS/kernel/CVE-2021-28375.nopatch
new file mode 100644
index 0000000000..0b86960ef1
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28375.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28375 - already patched in 5.10.28.1 stable kernel
+Upstream: 20c40794eb85ea29852d7bc37c55713802a543d6
+Stable: 52feb58f9b5b078b5a39ed8ba8ab3b4546e16ff2
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28660.nopatch b/SPECS/kernel/CVE-2021-28660.nopatch
new file mode 100644
index 0000000000..549a0f047c
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28660.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28660 - already patched in 5.10.28.1 stable kernel
+Upstream: 74b6b20df8cfe90ada777d621b54c32e69e27cd7
+Stable: d972a516958dee489911d9f57ee7a177834ef248
\ No newline at end of file
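Review bot: In CVE-2020-35508.nopatch the `Stable:` line repeats the `Upstream:` id (`b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948` on both lines), whereas every other marker file added by this commit records a distinct stable backport id, so this looks like a copy-and-paste slip rather than a genuine same-id landing. These marker files are the only record tying each CVE to the commit that closes it in 5.10.28.1, so a wrong id makes a later audit of the kernel's CVE coverage unverifiable. Suggest confirming the 5.10.y commit for this fix and correcting the `Stable:` line before merging, or, if the id really is identical on both branches, adding a short note to the file saying so.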
diff --git a/SPECS/kernel/CVE-2021-28950.nopatch b/SPECS/kernel/CVE-2021-28950.nopatch
new file mode 100644
index 0000000000..70212dc214
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28950.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28950 - already patched in 5.10.28.1 stable kernel
+Upstream: 775c5033a0d164622d9d10dd0f0a5531639ed3ed
+Stable: d955f13ea2120269319d6133d0dd82b66d1eeca3
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28951.nopatch b/SPECS/kernel/CVE-2021-28951.nopatch
new file mode 100644
index 0000000000..1627975ec5
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28951.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28951 - already patched in 5.10.28.1 stable kernel
+Upstream: 3ebba796fa251d042be42b929a2d916ee5c34a49
+Stable: 6cae8095490caae12875300243ec94b39b6a2a78
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28952.nopatch b/SPECS/kernel/CVE-2021-28952.nopatch
new file mode 100644
index 0000000000..e7af4379ab
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28952.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28952 - already patched in 5.10.28.1 stable kernel
+Upstream: 1c668e1c0a0f74472469cd514f40c9012b324c31
+Stable: 26b08c08a5f3008fe45822d8b163f1516178c42b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28964.nopatch b/SPECS/kernel/CVE-2021-28964.nopatch
new file mode 100644
index 0000000000..dbcb485de7
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28964.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28964 - already patched in 5.10.28.1 stable kernel
+Upstream: dbcc7d57bffc0c8cac9dac11bec548597d59a6a5
+Stable: 38ffe9eaeb7cce383525439f0948f9eb74632e1d
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28971.nopatch b/SPECS/kernel/CVE-2021-28971.nopatch
new file mode 100644
index 0000000000..58b652a973
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28971.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28971 - already patched in 5.10.28.1 stable kernel
+Upstream: d88d05a9e0b6d9356e97129d4ff9942d765f46ea
+Stable: 514ea597be8e4b6a787bc34da111c44944fbf5a5
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28972.nopatch b/SPECS/kernel/CVE-2021-28972.nopatch
new file mode 100644
index 0000000000..6021df2e18
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28972.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28972 - already patched in 5.10.28.1 stable kernel
+Upstream: cc7a0bb058b85ea03db87169c60c7cfdd5d34678
+Stable: be1f58e58f7644ab33f1413685c84173766408d3
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29264.nopatch b/SPECS/kernel/CVE-2021-29264.nopatch
new file mode 100644
index 0000000000..761811b866
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29264.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29264 - already patched in 5.10.28.1 stable kernel
+Upstream: d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f
+Stable: b8bfda6e08b8a419097eea5a8e57671bc36f9939
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29265.nopatch b/SPECS/kernel/CVE-2021-29265.nopatch
new file mode 100644
index 0000000000..040f5b9146
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29265.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29265 - already patched in 5.10.28.1 stable kernel
+Upstream: 9380afd6df70e24eacbdbde33afc6a3950965d22
+Stable: ab5c3186686aa87c741381d10a948817f1deb9b2
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29266.nopatch b/SPECS/kernel/CVE-2021-29266.nopatch
new file mode 100644
index 0000000000..1ae1f2f361
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29266.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29266 - already patched in 5.10.28.1 stable kernel
+Upstream: f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9
+Stable: 49ca3100fbaf864853c922c8f7a8fe7090a83860
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29646.nopatch b/SPECS/kernel/CVE-2021-29646.nopatch
new file mode 100644
index 0000000000..df31acf6b4
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29646.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29646 - already patched in 5.10.28.1 stable kernel
+Upstream: 0217ed2848e8538bcf9172d97ed2eeb4a26041bb
+Stable: 50f41f2e29ff1980f7edfca40bbf81a4336b9feb
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29647.nopatch b/SPECS/kernel/CVE-2021-29647.nopatch
new file mode 100644
index 0000000000..7801161956
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29647.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29647 - already patched in 5.10.28.1 stable kernel
+Upstream: 50535249f624d0072cd885bcdce4e4b6fb770160
+Stable: fce6fb90218935f7319265459484b3762c80d0a8
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29649.nopatch b/SPECS/kernel/CVE-2021-29649.nopatch
new file mode 100644
index 0000000000..ff8c9b3b15
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29649.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29649 - already patched in 5.10.28.1 stable kernel
+Upstream: f60a85cad677c4f9bb4cadd764f1d106c38c7cf8
+Stable: ccd5565feea346697c1d1e8e9cd042218b49c44b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29650.nopatch b/SPECS/kernel/CVE-2021-29650.nopatch
new file mode 100644
index 0000000000..69276bf16b
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29650.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29650 - already patched in 5.10.28.1 stable kernel
+Upstream: 175e476b8cdf2a4de7432583b49c871345e4f8a1
+Stable: 3fdebc2d8e7965f946a3d716ffdd482e66c1f46c
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-30002.nopatch b/SPECS/kernel/CVE-2021-30002.nopatch
new file mode 100644
index 0000000000..fe6ca441f7
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-30002.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-30002 - already patched in 5.10.28.1 stable kernel
+Upstream: fb18802a338b36f675a388fc03d2aa504a0d0899
+Stable: 5400770e31e8b80efc25b4c1d619361255174d11
\ No newline at end of file
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 96e62c87a9..ab8eb61126 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.10.21.1-rolling-lts-mariner Kernel Configuration
+# Linux/x86_64 5.10.28.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -1754,7 +1754,6 @@ CONFIG_PCIEASPM_DEFAULT=y
 CONFIG_PCIE_PME=y
 # CONFIG_PCIE_DPC is not set
 # CONFIG_PCIE_PTM is not set
-# CONFIG_PCIE_BW is not set
 CONFIG_PCI_MSI=y
 CONFIG_PCI_MSI_IRQ_DOMAIN=y
 CONFIG_PCI_QUIRKS=y
@@ -5507,6 +5506,7 @@ CONFIG_HYPERV_TIMER=y
 CONFIG_HYPERV_UTILS=m
 CONFIG_HYPERV_BALLOON=m
 CONFIG_DXGKRNL=m
+# CONFIG_DXGKRNL_DEBUG is not set
 # end of Microsoft Hyper-V guest support
 
 #
@@ -5514,7 +5514,7 @@ CONFIG_DXGKRNL=m
 #
 CONFIG_XEN_BALLOON=y
 CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT=512
+CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512
 CONFIG_XEN_SCRUB_PAGES_DEFAULT=y
 CONFIG_XEN_DEV_EVTCHN=m
 CONFIG_XEN_BACKEND=y
@@ -5800,7 +5800,6 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m
 # CONFIG_AD7291 is not set
 # CONFIG_AD7606_IFACE_PARALLEL is not set
 # CONFIG_AD799X is not set
-# CONFIG_ADI_AXI_ADC is not set
 # CONFIG_HX711 is not set
 # CONFIG_INA2XX_ADC is not set
 # CONFIG_LTC2471 is not set
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 2fa5fb3472..7473b76c28 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.10.21.1-rolling-lts-mariner Kernel Configuration
+# Linux/arm64 5.10.28.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0"
 CONFIG_CC_IS_GCC=y
@@ -2031,7 +2031,6 @@ CONFIG_PCIEASPM_DEFAULT=y
 CONFIG_PCIE_PME=y
 CONFIG_PCIE_DPC=y
 CONFIG_PCIE_PTM=y
-# CONFIG_PCIE_BW is not set
 # CONFIG_PCIE_EDR is not set
 CONFIG_PCI_MSI=y
 CONFIG_PCI_MSI_IRQ_DOMAIN=y
@@ -7559,6 +7558,7 @@ CONFIG_HYPERV_TIMER=y
 CONFIG_HYPERV_UTILS=m
 CONFIG_HYPERV_BALLOON=y
 CONFIG_DXGKRNL=y
+# CONFIG_DXGKRNL_DEBUG is not set
 # end of Microsoft Hyper-V guest support
 
 #
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 521fba017a..b5b7d9c05d 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,8 +1,8 @@
 {
 "Signatures": {
- "config": "ed2ad5c004ef1a40cb8f33aa7f5a2c23fa74b4485e12f4f92a90e880002f2b6f",
- "config_aarch64": "f2222dc3ff9739cb08a6ef009ad8742552ab1cbc90d075f9746647df297301c4",
- "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0",
+ "config": "8bee0b32b330cb87653f25b8b88ebc817ddeed9f950d4220be9e72ebb60a5c9c",
+ "config_aarch64": "4bc0a7d39e49ad18c68cddff33316d910edc726f0c5cb4b3bf5a6e92ec394d8a",
+ "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f"
 }
-}
+}
\ No newline at end of file
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index 1009b3e9c7..7ae994d018 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -1,10 +1,10 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%define uname_r %{version}-rolling-lts-mariner-%{release}
+%define uname_r %{version}-%{release}
 Summary: Linux Kernel
 Name: kernel
-Version: 5.10.21.1
-Release: 4%{?dist}
+Version: 5.10.28.1
+Release: 1%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -136,6 +136,26 @@ Patch1107: CVE-2021-26932.nopatch
 Patch1108: CVE-2021-27365.nopatch
 Patch1109: CVE-2021-27364.nopatch
 Patch1110: CVE-2021-27363.nopatch
+Patch1111: CVE-2020-27170.nopatch
+Patch1112: CVE-2020-27171.nopatch
+Patch1113: CVE-2021-28375.nopatch
+Patch1114: CVE-2021-28660.nopatch
+Patch1115: CVE-2021-28950.nopatch
+Patch1116: CVE-2021-28951.nopatch
+Patch1117: CVE-2021-28952.nopatch
+Patch1118: CVE-2021-28971.nopatch
+Patch1119: CVE-2021-28972.nopatch
+Patch1120: CVE-2021-29266.nopatch
+Patch1121: CVE-2021-28964.nopatch
+Patch1122: CVE-2020-35508.nopatch
+Patch1123: CVE-2020-16120.nopatch
+Patch1124: CVE-2021-29264.nopatch
+Patch1125: CVE-2021-29265.nopatch
+Patch1126: CVE-2021-29646.nopatch
+Patch1127: CVE-2021-29647.nopatch
+Patch1128: CVE-2021-29649.nopatch
+Patch1129: CVE-2021-29650.nopatch
+Patch1130: CVE-2021-30002.nopatch
 BuildRequires: audit-devel
 BuildRequires: bash
 BuildRequires: bc
@@ -474,6 +494,15 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+- Update uname_r define to match the new value derived from the source
+- Address CVE-2020-27170, CVE-2020-27171, CVE-2021-28375, CVE-2021-28660,
+ CVE-2021-28950, CVE-2021-28951, CVE-2021-28952, CVE-2021-28971,
+ CVE-2021-28972, CVE-2021-29266, CVE-2021-28964, CVE-2020-35508,
+ CVE-2020-16120, CVE-2021-29264, CVE-2021-29265, CVE-2021-29646,
+ CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-30002
+
 * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4
 - Enable CONFIG_CRYPTO_DRBG_HASH, CONFIG_CRYPTO_DRBG_CTR
 
diff --git a/cgmanifest.json b/cgmanifest.json
index ca4fafc531..0da46eeb4c 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -1745,8 +1745,8 @@
 "type": "other",
 "other": {
 "name": "hyperv-daemons",
- "version": "5.10.21.1",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz"
+ "version": "5.10.28.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz"
 }
 }
 },
@@ -2055,8 +2055,8 @@
 "type": "other",
 "other": {
 "name": "kernel-headers",
- "version": "5.10.21.1",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz"
+ "version": "5.10.28.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz"
 }
 }
 },
@@ -2065,8 +2065,8 @@
 "type": "other",
 "other": {
 "name": "kernel-hyperv",
- "version": "5.10.21.1",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz"
+ "version": "5.10.28.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz"
 }
 }
 },
@@ -2075,8 +2075,8 @@
 "type": "other",
 "other": {
 "name": "kernel",
- "version": "5.10.21.1",
- "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz"
+ "version": "5.10.28.1",
+ "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz"
 }
 }
 },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index eec5b2e6b6..9b90f92922 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-7.cm1.aarch64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-1.cm1.noarch.rpm
 glibc-2.28-18.cm1.aarch64.rpm
 glibc-devel-2.28-18.cm1.aarch64.rpm
 glibc-i18n-2.28-18.cm1.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index cbd169a517..c7e11ff0da 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-7.cm1.x86_64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-1.cm1.noarch.rpm
 glibc-2.28-18.cm1.x86_64.rpm
 glibc-devel-2.28-18.cm1.x86_64.rpm
 glibc-i18n-2.28-18.cm1.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 2f8f0652ba..9f367d4eb3 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm
 json-c-devel-0.14-3.cm1.aarch64.rpm
 kbd-2.0.4-5.cm1.aarch64.rpm
 kbd-debuginfo-2.0.4-5.cm1.aarch64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-1.cm1.noarch.rpm
 kmod-25-4.cm1.aarch64.rpm
 kmod-debuginfo-25-4.cm1.aarch64.rpm
 kmod-devel-25-4.cm1.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 47c43fa599..bd43396526 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm
 json-c-devel-0.14-3.cm1.x86_64.rpm
 kbd-2.0.4-5.cm1.x86_64.rpm
 kbd-debuginfo-2.0.4-5.cm1.x86_64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-1.cm1.noarch.rpm
 kmod-25-4.cm1.x86_64.rpm
 kmod-debuginfo-25-4.cm1.x86_64.rpm
 kmod-devel-25-4.cm1.x86_64.rpm
diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile
index 4dc69069cd..abf4b36d3d 100644
--- a/toolkit/scripts/toolchain/container/Dockerfile
+++ b/toolkit/scripts/toolchain/container/Dockerfile
@@ -68,7 +68,7 @@ COPY [ "./toolchain-md5sums", \
 WORKDIR $LFS/sources
 RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0
 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz -O kernel-5.10.21.1.tar.gz --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz -O kernel-5.10.28.1.tar.gz --directory-prefix=$LFS/sources; exit 0
 USER root
 RUN /tools/toolchain-jdk8-wget.sh; exit 0
 RUN md5sum -c $LFS/tools/toolchain-md5sums && \
diff --git a/toolkit/scripts/toolchain/container/toolchain-md5sums b/toolkit/scripts/toolchain/container/toolchain-md5sums
index f005773f76..cc08717a8f 100644
--- a/toolkit/scripts/toolchain/container/toolchain-md5sums
+++ b/toolkit/scripts/toolchain/container/toolchain-md5sums
@@ -59,7 +59,7 @@ bc62e7df6f75357b6dd1ec34600dbeaf jdk8u212-b04-langtools.tar.bz2
 d0272e7a6107c64dae62b80ca7ec65e2 jdk8u212-b04-nashorn.tar.bz2
 befd51c2b53a442e1fa6644bba89a95a jdk8u212-b04.tar.bz2
 94afc90c1f7bef4a27fdd59ece39c878 kbproto-1.0.7.tar.bz2
-385192d9be43a19ffa5a1a6074278d79 kernel-5.10.21.1.tar.gz
+e0c6f0946012317df6dc4a56b82410e3 kernel-5.10.28.1.tar.gz
 d953ed6b47694dadf0e6042f8f9ff451 libarchive-3.4.2.tar.gz
 968ac4d42a1a71754313527be2ab5df3 libcap-2.26.tar.xz
 ba983eba5a9f05d152a0725b8e863151 libdmx-1.1.3.tar.bz2
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
index 5931fcb3ff..bd2bab8f47 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
@@ -57,14 +57,14 @@ set -e
 #
 cd /sources
-echo Linux-5.10.21.1 API Headers
-tar xf kernel-5.10.21.1.tar.gz
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1
+echo Linux-5.10.28.1 API Headers
+tar xf kernel-5.10.28.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1
 make mrproper
 make headers
 cp -rv usr/include/* /usr/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1
 touch /logs/status_kernel_headers_complete
 
 echo 6.8. Man-pages-5.02
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
index b557c0a921..8df1b2accb 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@@ -113,14 +113,14 @@ rm -rf gcc-9.1.0
 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete
 
-echo Linux-5.10.21.1 API Headers
-tar xf kernel-5.10.21.1.tar.gz
-pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1
+echo Linux-5.10.28.1 API Headers
+tar xf kernel-5.10.28.1.tar.gz
+pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1
 make mrproper
 make headers
 cp -rv usr/include/* /tools/include
 popd
-rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1
+rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1
 touch $LFS/logs/temptoolchain/status_kernel_headers_complete