%global security_hardening none
Summary:        Kernel
Name:           linux-secure
Version:        4.9.101
Release:        1%{?kat_build:.%kat_build}%{?dist}
License:        GPLv2
URL:            http://www.kernel.org/
Group:          System Environment/Kernel
Vendor:         VMware, Inc.
Distribution:   Photon
Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
%define sha1 linux=12b399649df63355823d482fd91711b1be3e7f1b
Source1:        config-secure
Source2:        aufs4.9.tar.gz
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906
Source3:        initramfs.trigger
# common
Patch0:         x86-vmware-read-tsc_khz-only-once-at-boot-time.patch
Patch1:         x86-vmware-use-tsc_khz-value-for-calibrate_cpu.patch
Patch2:         x86-vmware-add-basic-paravirt-ops-support.patch
Patch3:         x86-vmware-add-paravirt-sched-clock.patch
Patch4:         x86-vmware-log-kmsg-dump-on-panic.patch
Patch5:         double-tcp_mem-limits.patch
Patch6:         linux-4.9-sysctl-sched_weighted_cpuload_uses_rla.patch
Patch7:         linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch
Patch9:         SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch
Patch10:        SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch
Patch11:        vsock-transport-for-9p.patch
Patch12:        x86-vmware-sta.patch
# secure
Patch13:        0001-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch
Patch14:        0002-Added-rap_plugin.patch
Patch15:        0003-Added-PAX_RANDKSTACK.patch
# HyperV Patches
Patch16:        0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch
Patch17:        0005-Drivers-hv-utils-Fix-the-mapping-between-host-versio.patch
Patch18:        0006-Drivers-hv-vss-Improve-log-messages.patch
Patch19:        0007-Drivers-hv-vss-Operation-timeouts-should-match-host-.patch
Patch20:        0008-Drivers-hv-vmbus-Use-all-supported-IC-versions-to-ne.patch
Patch21:        0009-Drivers-hv-Log-the-negotiated-IC-versions.patch
Patch22:        0010-vmbus-fix-missed-ring-events-on-boot.patch
Patch23:        0011-vmbus-remove-goto-error_clean_msglist-in-vmbus_open.patch
Patch24:        0012-vmbus-dynamically-enqueue-dequeue-the-channel-on-vmb.patch
Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch
# FIPS patches - allow some algorithms
Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch
Patch28:        0002-allow-also-ecb-cipher_null.patch
Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
# Fix CVE-2017-1000252
Patch31:        kvm-dont-accept-wrong-gsi-values.patch
Patch32:        vmxnet3-avoid-xmit-reset-due-to-a-race-in-vmxnet3.patch
Patch33:        vmxnet3-use-correct-flag-to-indicate-LRO-feature.patch
Patch34:        netfilter-ipset-pernet-ops-must-be-unregistered-last.patch
Patch35:        vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch
# Fixes for CVE-2018-1000026
Patch36:        0001-net-create-skb_gso_validate_mac_len.patch
Patch37:        0002-bnx2x-disable-GSO-where-gso_size-is-too-big-for-hard.patch
# Fix for CVE-2017-18216
Patch39:        0001-ocfs2-subsystem.su_mutex-is-required-while-accessing.patch
# Fix for CVE-2018-8043
Patch40:        0001-net-phy-mdio-bcm-unimac-fix-potential-NULL-dereferen.patch
# Fix for CVE-2018-8087
Patch41:        0001-mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new.patch
# Fix for CVE-2017-18241
Patch42:        0001-f2fs-fix-a-panic-caused-by-NULL-flush_cmd_control.patch
# Fix for CVE-2017-18224
Patch43:        0001-ocfs2-ip_alloc_sem-should-be-taken-in-ocfs2_get_bloc.patch
# For Spectre
Patch52:        0141-locking-barriers-introduce-new-observable-speculatio.patch
Patch53:        0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch
Patch54:        0143-x86-bpf-jit-prevent-speculative-execution-when-JIT-i.patch
Patch55:        0144-uvcvideo-prevent-speculative-execution.patch
Patch56:        0145-carl9170-prevent-speculative-execution.patch
Patch57:        0146-p54-prevent-speculative-execution.patch
Patch58:        0147-qla2xxx-prevent-speculative-execution.patch
Patch59:        0148-cw1200-prevent-speculative-execution.patch
Patch60:        0149-Thermal-int340x-prevent-speculative-execution.patch
Patch61:        0150-ipv4-prevent-speculative-execution.patch
Patch62:        0151-ipv6-prevent-speculative-execution.patch
Patch64:        0153-net-mpls-prevent-speculative-execution.patch
Patch65:        0154-udf-prevent-speculative-execution.patch
Patch66:        0155-userns-prevent-speculative-execution.patch
# Fix CVE-2018-3639 (Speculative Store Bypass)
Patch201:       0001-x86-amd-don-t-set-X86_BUG_SYSRET_SS_ATTRS-when-runni.patch
Patch202:       0002-x86-nospec-Simplify-alternative_msr_write.patch
Patch203:       0003-x86-bugs-Concentrate-bug-detection-into-a-separate-f.patch
Patch204:       0004-x86-bugs-Concentrate-bug-reporting-into-a-separate-f.patch
Patch205:       0005-x86-bugs-Read-SPEC_CTRL-MSR-during-boot-and-re-use-r.patch
Patch206:       0006-x86-bugs-KVM-Support-the-combination-of-guest-and-ho.patch
Patch207:       0007-x86-bugs-Expose-sys-.-spec_store_bypass.patch
Patch208:       0008-x86-cpufeatures-Add-X86_FEATURE_RDS.patch
Patch209:       0009-x86-bugs-Provide-boot-parameters-for-the-spec_store_.patch
Patch210:       0010-x86-bugs-intel-Set-proper-CPU-features-and-setup-RDS.patch
Patch211:       0011-x86-bugs-Whitelist-allowed-SPEC_CTRL-MSR-values.patch
Patch212:       0012-x86-bugs-AMD-Add-support-to-disable-RDS-on-Fam-15-16.patch
Patch213:       0013-x86-KVM-VMX-Expose-SPEC_CTRL-Bit-2-to-the-guest.patch
Patch214:       0014-x86-speculation-Create-spec-ctrl.h-to-avoid-include-.patch
Patch215:       0015-prctl-Add-speculation-control-prctls.patch
Patch216:       0016-x86-process-Optimize-TIF-checks-in-__switch_to_xtra.patch
Patch217:       0017-x86-process-Correct-and-optimize-TIF_BLOCKSTEP-switc.patch
Patch218:       0018-x86-process-Optimize-TIF_NOTSC-switch.patch
Patch219:       0019-x86-process-Allow-runtime-control-of-Speculative-Sto.patch
Patch220:       0020-x86-speculation-Add-prctl-for-Speculative-Store-Bypa.patch
Patch221:       0021-nospec-Allow-getting-setting-on-non-current-task.patch
Patch222:       0022-proc-Provide-details-on-speculation-flaw-mitigations.patch
Patch223:       0023-seccomp-Enable-speculation-flaw-mitigations.patch
Patch224:       0024-x86-bugs-Make-boot-modes-__ro_after_init.patch
Patch225:       0025-prctl-Add-force-disable-speculation.patch
Patch226:       0026-seccomp-Use-PR_SPEC_FORCE_DISABLE.patch
Patch227:       0027-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch
Patch228:       0028-seccomp-Move-speculation-migitation-control-to-arch-.patch
Patch229:       0029-x86-speculation-Make-seccomp-the-default-mode-for-Sp.patch
Patch230:       0030-x86-bugs-Rename-_RDS-to-_SSBD.patch
Patch231:       0031-proc-Use-underscores-for-SSBD-in-status.patch
Patch232:       0032-Documentation-spec_ctrl-Do-some-minor-cleanups.patch
Patch233:       0033-x86-bugs-Fix-__ssb_select_mitigation-return-type.patch
Patch234:       0034-x86-bugs-Make-cpu_show_common-static.patch
Patch235:       0035-x86-bugs-Fix-the-parameters-alignment-and-missing-vo.patch
Patch236:       0036-x86-cpu-Make-alternative_msr_write-work-for-32-bit-c.patch
Patch237:       0037-KVM-SVM-Move-spec-control-call-after-restore-of-GS.patch
Patch238:       0038-x86-speculation-Use-synthetic-bits-for-IBRS-IBPB-STI.patch
Patch239:       0039-x86-cpufeatures-Disentangle-MSR_SPEC_CTRL-enumeratio.patch
Patch240:       0040-x86-cpufeatures-Disentangle-SSBD-enumeration.patch
Patch241:       0041-x86-cpu-AMD-Fix-erratum-1076-CPB-bit.patch
Patch242:       0042-x86-cpufeatures-Add-FEATURE_ZEN.patch
Patch243:       0043-x86-speculation-Handle-HT-correctly-on-AMD.patch
Patch244:       0044-x86-bugs-KVM-Extend-speculation-control-for-VIRT_SPE.patch
Patch245:       0045-x86-speculation-Add-virtualized-speculative-store-by.patch
Patch246:       0046-x86-speculation-Rework-speculative_store_bypass_upda.patch
Patch247:       0047-x86-bugs-Unify-x86_spec_ctrl_-set_guest-restore_host.patch
Patch248:       0048-x86-bugs-Expose-x86_spec_ctrl_base-directly.patch
Patch249:       0049-x86-bugs-Remove-x86_spec_ctrl_set.patch
Patch250:       0050-x86-bugs-Rework-spec_ctrl-base-and-mask-logic.patch
Patch251:       0051-x86-speculation-KVM-Implement-support-for-VIRT_SPEC_.patch
Patch252:       0052-KVM-SVM-Implement-VIRT_SPEC_CTRL-support-for-SSBD.patch
Patch253:       0053-x86-bugs-Rename-SSBD_NO-to-SSB_NO.patch
# NSX requirements (should be removed)
Patch99:        LKCM.patch
%if 0%{?kat_build:1}
Patch1000:      %{kat_build}.patch
%endif
BuildRequires:  bc
BuildRequires:  kbd
BuildRequires:  kmod-devel
BuildRequires:  glib-devel
BuildRequires:  xerces-c-devel
BuildRequires:  xml-security-c-devel
BuildRequires:  libdnet-devel
BuildRequires:  libmspack-devel
BuildRequires:  Linux-PAM-devel
BuildRequires:  openssl-devel
BuildRequires:  procps-ng-devel
Requires:       filesystem kmod
Requires(post): (coreutils or toybox)
%define uname_r %{version}-%{release}-secure

%description
Security hardened Linux kernel.

%package lkcm
Summary:        LKCM module
Group:          System Environment/Kernel
Requires:       %{name} = %{version}-%{release}
%description lkcm
The Linux package contains the LKCM driver module

%package devel
Summary:        Kernel Dev
Group:          System Environment/Kernel
Requires:       python2 gawk
Requires:       %{name} = %{version}-%{release}
%description devel
The Linux package contains the Linux kernel dev files

%package docs
Summary:        Kernel docs
Group:          System Environment/Kernel
Requires:       python2
Requires:       %{name} = %{version}-%{release}
%description docs
The Linux package contains the Linux kernel doc files

%prep
%setup -q -n linux-%{version}
%setup -D -b 2 -n linux-%{version}
# apply aufs patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-kbuild.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-base.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-mmap.patch
patch -p1 < ../aufs4-standalone-aufs4.9/aufs4-standalone.patch
cp -a ../aufs4-standalone-aufs4.9/Documentation/ .
cp -a ../aufs4-standalone-aufs4.9/fs/ .
cp ../aufs4-standalone-aufs4.9/include/uapi/linux/aufs_type.h include/uapi/linux/

cat >> %{SOURCE1} << "EOF"
CONFIG_AUFS_FS=m
CONFIG_AUFS_BRANCH_MAX_127=y
# CONFIG_AUFS_BRANCH_MAX_511 is not set
# CONFIG_AUFS_BRANCH_MAX_1023 is not set
# CONFIG_AUFS_BRANCH_MAX_32767 is not set
CONFIG_AUFS_SBILIST=y
# CONFIG_AUFS_HNOTIFY is not set
# CONFIG_AUFS_EXPORT is not set
# CONFIG_AUFS_XATTR is not set
# CONFIG_AUFS_FHSM is not set
# CONFIG_AUFS_RDU is not set
# CONFIG_AUFS_SHWH is not set
# CONFIG_AUFS_BR_RAMFS is not set
# CONFIG_AUFS_BR_FUSE is not set
CONFIG_AUFS_BDEV_LOOP=y
# CONFIG_AUFS_DEBUG is not set
EOF

%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch16 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
# spectre
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
# secure
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch204 -p1
%patch205 -p1
%patch206 -p1
%patch207 -p1
%patch208 -p1
%patch209 -p1
%patch210 -p1
%patch211 -p1
%patch212 -p1
%patch213 -p1
%patch214 -p1
%patch215 -p1
%patch216 -p1
%patch217 -p1
%patch218 -p1
%patch219 -p1
%patch220 -p1
%patch221 -p1
%patch222 -p1
%patch223 -p1
%patch224 -p1
%patch225 -p1
%patch226 -p1
%patch227 -p1
%patch228 -p1
%patch229 -p1
%patch230 -p1
%patch231 -p1
%patch232 -p1
%patch233 -p1
%patch234 -p1
%patch235 -p1
%patch236 -p1
%patch237 -p1
%patch238 -p1
%patch239 -p1
%patch240 -p1
%patch241 -p1
%patch242 -p1
%patch243 -p1
%patch244 -p1
%patch245 -p1
%patch246 -p1
%patch247 -p1
%patch248 -p1
%patch249 -p1
%patch250 -p1
%patch251 -p1
%patch252 -p1
%patch253 -p1
pushd ..
%patch99 -p0
popd
%if 0%{?kat_build:1}
%patch1000 -p1
%endif

%build
# patch vmw_balloon driver
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c
make mrproper
cp %{SOURCE1} .config
sed -i 's/CONFIG_LOCALVERSION="-secure"/CONFIG_LOCALVERSION="-%{release}-secure"/' .config
make LC_ALL= oldconfig
make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags}

# build LKCM module
bldroot=`pwd`
pushd ../LKCM
make -C $bldroot M=`pwd` modules
popd

%define __modules_install_post \
for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \
	./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \
	rm -f $MODULE.{sig,dig} \
	xz $MODULE \
done \
%{nil}

# __os_install_post strips the signature from modules. We need to re-sign them
# and then compress. The extra step is added to the default __spec_install_post.
%define __spec_install_post\
	%{?__debug_package:%{__debug_install_post}}\
	%{__arch_install_post}\
	%{__os_install_post}\
	%{__modules_install_post}\
%{nil}

%install
install -vdm 755 %{buildroot}/etc
install -vdm 755 %{buildroot}/boot
install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/etc/modprobe.d
install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r}
make INSTALL_MOD_PATH=%{buildroot} modules_install

# install LKCM module
bldroot=`pwd`
pushd ../LKCM
make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install
popd

cp -v arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r}
cp -v System.map %{buildroot}/boot/System.map-%{uname_r}
cp -v .config %{buildroot}/boot/config-%{uname_r}
cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}
cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r}
# Since we use compressed modules we can't use load pinning,
# because .ko files will be loaded from memory (LoadPin: obj=<unknown>)
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
# GRUB Environment Block
photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge
photon_linux=vmlinuz-%{uname_r}
photon_initrd=initrd.img-%{uname_r}
EOF

# Register myself to initramfs
mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF"
--add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn"
EOF

# cleanup dangling symlinks
rm -f %{buildroot}/lib/modules/%{uname_r}/source
rm -f %{buildroot}/lib/modules/%{uname_r}/build

# create /usr/src/linux-headers-*/ content
find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
# copy .config manually to be where it's expected to be
cp .config %{buildroot}/usr/src/linux-headers-%{uname_r}
# symlink to the build folder
ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/build

%include %{SOURCE3}

%post
/sbin/depmod -a %{uname_r}
ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

%post lkcm
/sbin/depmod -a %{uname_r}

%files
%defattr(-,root,root)
/boot/System.map-%{uname_r}
/boot/config-%{uname_r}
/boot/vmlinuz-%{uname_r}
%config(noreplace) /boot/linux-%{uname_r}.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
/lib/firmware/*
/lib/modules/*
%exclude /lib/modules/%{uname_r}/build
%exclude /usr/src
%exclude /lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz

%files lkcm
%defattr(-,root,root)
/lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz

%files docs
%defattr(-,root,root)
%{_defaultdocdir}/linux-%{uname_r}/*

%files devel
%defattr(-,root,root)
/lib/modules/%{uname_r}/build
/usr/src/linux-headers-%{uname_r}

%changelog
* Mon May 21 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.101-1
- Update to version 4.9.101 and fix CVE-2018-3639.
* Wed May 09 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.99-1
- Update to version 4.9.99
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-2
- Fix CVE-2017-18216, CVE-2018-8043, CVE-2018-8087, CVE-2017-18241,
- CVE-2017-18224.
* Fri May 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.98-1
- Update to version 4.9.98
* Wed May 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-3
- Fix CVE-2017-18255.
* Tue May 01 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.97-2
- Fix CVE-2018-1000026.
* Mon Apr 30 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.97-1
- Update to version 4.9.97. Apply 3rd vmxnet3 patch.
* Mon Apr 23 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.94-2
- Add full retpoline support by building with retpoline-enabled gcc.
* Wed Apr 18 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.94-1
- Update to version 4.9.94. Fix panic in ip_set.
* Mon Apr 02 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.92-1
- Update to version 4.9.92. Apply vmxnet3 patches.
* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1
- Update to version 4.9.90
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1
- Update to version 4.9.89
* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2
- Extra hardening: slab_nomerge, disable /proc/kcore
* Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1
- Update to version 4.9.80
* Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1
- Update version to 4.9.79
* Fri Jan 26 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.78-1
- Update version to 4.9.78.
* Wed Jan 10 2018 Bo Gan <ganb@vmware.com> 4.9.76-1
- Version update
* Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-3
- Second Spectre fix, clear user controlled registers upon syscall entry
* Sun Jan 07 2018 Bo Gan <ganb@vmware.com> 4.9.75-2
- Initial Spectre fix
* Fri Jan 05 2018 Bo Gan <ganb@vmware.com> 4.9.75-1
- Version update (fix Intel Meltdown)
* Thu Jan 04 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-3
- Update vsock transport for 9p with newer version.
* Wed Jan 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-2
- Fix SMB3 mount regression.
* Tue Jan 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.74-1
- Version update
- Add patches to fix CVE-2017-8824, CVE-2017-17448 and CVE-2017-17450.
* Thu Dec 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.71-1
- Version update
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1
- Version update
* Tue Nov 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.64-1
- Version update
* Wed Nov 08 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.60-2
- Update LKCM module
- Add -lkcm subpackage
* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1
- Version update
* Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3
- Add patch "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD" to fix CVE-2017-1000252.
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.53-2
- Build hang (at make oldconfig) fix.
* Thu Oct 05 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-1
- Version update
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-3
- Allow privileged CLONE_NEWUSER from nested user namespaces.
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2
- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1
- Version update
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2
- Requires coreutils or toybox
* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1
- Fix CVE-2017-11600
* Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2
- Add missing xen block drivers
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
- Version update
- [feature] new sysctl option unprivileged_userns_clone
* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
- Fix CVE-2017-7542
- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid panic on modprobe tcrypt
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1
- Version update
* Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6
- Fix initramfs triggers
* Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5
- Allow some algorithms in FIPS mode
- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports
- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree
- Enable additional NF features
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4
- Add patches in Hyperv codebase
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3
- Add missing hyperv drivers
* Thu Jul 20 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-2
- Disable scheduler beef up patch
* Tue Jul 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-1
- Fix CVE-2017-11176 and CVE-2017-10911
* Fri Jul 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-3
- Remove aufs source tarballs from git repo
* Mon Jul 03 2017 Xiaolin Li <xiaolinl@vmware.com> 4.9.34-2
- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires
* Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1
- [feature] 9P FS security support
- [feature] DM Delay target support
- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605
* Thu Jun 8 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.31-1
- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076
  CVE-2017-9077 and CVE-2017-9242
- [feature] IPV6 netfilter NAT table support
* Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1
- Fix CVE-2017-7487 and CVE-2017-9059
* Wed May 17 2017 Vinay Kulkarni <kulkarniv@vmware.com> 4.9.28-2
- Enable IPVLAN module.
* Tue May 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.28-1
- Version update
* Wed May 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.27-1
- Version update
* Sun May 7 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.26-1
- Version update
- Removed version suffix from config file name
* Thu Apr 27 2017 Bo Gan <ganb@vmware.com> 4.9.24-2
- Support dynamic initrd generation
* Tue Apr 25 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.24-1
- Fix CVE-2017-6874 and CVE-2017-7618.
- .config: build nvme and nvme-core in kernel.
* Tue Mar 21 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-3
- Added LKCM module
* Mon Mar 6 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-2
- .config: NSX requirements for crypto and netfilter
* Tue Feb 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-1
- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074
- .config: disable XEN guest (needs rap_plugin verification)
* Wed Feb 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-2
- rap_plugin improvement: throw error on function type casting;
  function signatures were cleaned up using this feature.
- Added RAP_ENTRY for asm functions.
* Thu Feb 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-1
- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, CVE-2017-5547,
  CVE-2017-5548 and CVE-2017-5576.
- Added aufs support.
- Added PAX_RANDKSTACK feature.
- Extra func signatures cleanup to fix 1809717 and 1809722.
- .config: added CRYPTO_FIPS support.
* Tue Jan 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.2-1
- Update to linux-4.9.2 to fix CVE-2016-10088
- Rename package to linux-secure.
- Added KSPP cmdline params: slub_debug=P page_poison=1
* Mon Dec 19 2016 Xiaolin Li <xiaolinl@vmware.com> 4.9.0-2
- BuildRequires Linux-PAM-devel
* Mon Dec 12 2016 Alexey Makhalov <amakhalov@vmware.com> 4.9.0-1
- Update to linux-4.9.0
- Add paravirt stolen time accounting feature (from linux-esx),
  but disable it by default (no-vmw-sta cmdline parameter)
- Use vmware_io_delay() to keep "void fn(void)" signature
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-2
- Expand `uname -r` with release number
- Resign and compress modules after stripping
- .config: add syscalls tracing support
- .config: add cgroup_hugetlb support
- .config: add netfilter_xt_{set,target_ct} support
- .config: add netfilter_xt_match_{cgroup,ipvs} support
- .config: disable /dev/mem
* Mon Oct 17 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-1
- Initial commit.
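The spec's `__modules_install_post` macro re-signs every module with `scripts/sign-file` after `__os_install_post` has stripped it, then compresses it with `xz`; since the spec also disables LoadPin for compressed modules, the appended signature is what the kernel can still enforce. This added checker (not part of the linux-secure spec) decompresses a `.ko.xz` and parses the kernel's module-signature trailer to confirm the sign step survived; the sample module bytes and the PKCS#7 blob are constructed placeholders, so the check is structural and does not verify the signature against a keyring.

```python
"""Structural check for the signature trailer on xz-compressed kernel modules.

On-disk layout written by scripts/sign-file (kernel 4.x):
  [ELF module][PKCS#7 DER blob][struct module_signature, 12 bytes][magic, 28 bytes]
"""
import lzma
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len;
#                           u8 __pad[3]; __be32 sig_len; }
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type that sign-file sets; algo/hash are 0 for PKCS#7


def module_signature_info(ko_bytes: bytes):
    """Parse the trailer of an uncompressed .ko; None if it carries no signature."""
    if not ko_bytes.endswith(MAGIC):
        return None
    body = ko_bytes[: -len(MAGIC)]
    if len(body) < SIG_HDR.size:
        return None  # magic present but struct module_signature truncated
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:]
    )
    payload = body[: -SIG_HDR.size]
    total = sig_len + signer_len + key_id_len
    if total > len(payload):
        return None  # trailer claims more signature bytes than the file holds
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": len(payload) - total,  # bytes covered by the signature
    }


def check_compressed_module(ko_xz: bytes) -> bool:
    """True if a .ko.xz decompresses to a module ending in a PKCS#7 signature trailer."""
    info = module_signature_info(lzma.decompress(ko_xz))
    return info is not None and info["pkcs7"] and info["sig_len"] > 0


def compress_module(module: bytes) -> bytes:
    """Mirror the `xz $MODULE` step of __modules_install_post."""
    return lzma.compress(module)


def build_sample_module(signed: bool) -> bytes:
    """Constructed stand-in for sign-file output: fake ELF bytes plus, optionally,
    a placeholder DER blob and a correct trailer. Not a real module or signature."""
    module = b"\x7fELF" + b"\x00" * 60  # 64 bytes of constructed module body
    if signed:
        pkcs7 = b"\x30\x82" + b"\x00" * 30  # 32-byte placeholder PKCS#7 blob
        module += pkcs7 + SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7)) + MAGIC
    return module


if __name__ == "__main__":
    # Usage: python check_modsig.py /lib/modules/<uname_r>/**/*.ko.xz
    unsigned = [p for p in sys.argv[1:]
                if not check_compressed_module(open(p, "rb").read())]
    for p in unsigned:
        print("UNSIGNED:", p)
    sys.exit(1 if unsigned else 0)
```

Run it over the installed module tree after a build to catch modules that were stripped again after the re-sign step, or that bypassed the macro entirely.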