The SMB3 mount issue has been fixed in 4.9.90 by commit fca16f9a02
(SMB3: Validate negotiate request must always be signed) and commit
df09b6f7b (CIFS: Enable encryption during session setup phase), so
remove the local revert patch revert-SMB-validate-negotiate-even-if-signing-off.patch.
Change-Id: I00accf2095220643e96340574527af116db92d4e
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4944
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
Summary: Linux API header files |
| 2 | 2 |
Name: linux-api-headers |
| 3 |
-Version: 4.9.89 |
|
| 3 |
+Version: 4.9.90 |
|
| 4 | 4 |
Release: 1%{?dist}
|
| 5 | 5 |
License: GPLv2 |
| 6 | 6 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
| 8 | 8 |
Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 11 |
-%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967 |
|
| 11 |
+%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725 |
|
| 12 | 12 |
BuildArch: noarch |
| 13 | 13 |
%description |
| 14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
| ... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de
|
| 25 | 25 |
%defattr(-,root,root) |
| 26 | 26 |
%{_includedir}/*
|
| 27 | 27 |
%changelog |
| 28 |
+* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1 |
|
| 29 |
+- Update to version 4.9.90 |
|
| 28 | 30 |
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1 |
| 29 | 31 |
- Update to version 4.9.89 |
| 30 | 32 |
* Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1 |
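Review bot: The updated `%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725` pin in the second hunk is the only integrity check visible here for a tarball that `Source0` still fetches over plain `http://`, so that one digest carries the whole supply-chain guarantee for the kernel source. Consider changing the URL to `Source0: https://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz` and stating in the commit message that the new digest was checked against kernel.org's signed checksum file rather than computed from the downloaded file. If the build tooling accepts a stronger digest than SHA-1, pin that as well. The same Source0/sha1 pair is updated in the linux-aws, linux-esx, linux-secure and linux spec sections further down, so the point applies there too.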
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-aws |
| 4 |
-Version: 4.9.89 |
|
| 4 |
+Version: 4.9.90 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967 |
|
| 12 |
+%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725 |
|
| 13 | 13 |
Source1: config-aws |
| 14 | 14 |
Source2: initramfs.trigger |
| 15 | 15 |
# common |
| ... | ... |
@@ -42,7 +42,6 @@ Patch25: 0002-allow-also-ecb-cipher_null.patch |
| 42 | 42 |
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
| 43 | 43 |
# Fix CVE-2017-1000252 |
| 44 | 44 |
Patch28: kvm-dont-accept-wrong-gsi-values.patch |
| 45 |
-Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 46 | 45 |
# For Spectre |
| 47 | 46 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 48 | 47 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -201,7 +200,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 201 | 201 |
%patch25 -p1 |
| 202 | 202 |
%patch26 -p1 |
| 203 | 203 |
%patch28 -p1 |
| 204 |
-%patch32 -p1 |
|
| 205 | 204 |
|
| 206 | 205 |
%patch52 -p1 |
| 207 | 206 |
%patch53 -p1 |
| ... | ... |
@@ -421,6 +419,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 421 | 421 |
/usr/share/doc/* |
| 422 | 422 |
|
| 423 | 423 |
%changelog |
| 424 |
+* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1 |
|
| 425 |
+- Update to version 4.9.90 |
|
| 424 | 426 |
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1 |
| 425 | 427 |
- Update to version 4.9.89 |
| 426 | 428 |
* Fri Mar 16 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-4 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-esx |
| 4 |
-Version: 4.9.89 |
|
| 4 |
+Version: 4.9.90 |
|
| 5 | 5 |
Release: 1%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967 |
|
| 12 |
+%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725 |
|
| 13 | 13 |
Source1: config-esx |
| 14 | 14 |
Source2: initramfs.trigger |
| 15 | 15 |
# common |
| ... | ... |
@@ -39,7 +39,6 @@ Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.pat |
| 39 | 39 |
# Fix CVE-2017-1000252 |
| 40 | 40 |
Patch24: kvm-dont-accept-wrong-gsi-values.patch |
| 41 | 41 |
Patch25: init-do_mounts-recreate-dev-root.patch |
| 42 |
-Patch29: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 43 | 42 |
# For Spectre |
| 44 | 43 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 45 | 44 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -116,7 +115,6 @@ The Linux package contains the Linux kernel doc files |
| 116 | 116 |
%patch22 -p1 |
| 117 | 117 |
%patch24 -p1 |
| 118 | 118 |
%patch25 -p1 |
| 119 |
-%patch29 -p1 |
|
| 120 | 119 |
|
| 121 | 120 |
%patch52 -p1 |
| 122 | 121 |
%patch53 -p1 |
| ... | ... |
@@ -228,6 +226,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 228 | 228 |
/usr/src/linux-headers-%{uname_r}
|
| 229 | 229 |
|
| 230 | 230 |
%changelog |
| 231 |
+* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1 |
|
| 232 |
+- Update to version 4.9.90 |
|
| 231 | 233 |
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1 |
| 232 | 234 |
- Update to version 4.9.89 |
| 233 | 235 |
* Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 |
-Version: 4.9.89 |
|
| 4 |
+Version: 4.9.90 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967 |
|
| 12 |
+%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725 |
|
| 13 | 13 |
Source1: config-secure |
| 14 | 14 |
Source2: aufs4.9.tar.gz |
| 15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
| ... | ... |
@@ -48,7 +48,6 @@ Patch28: 0002-allow-also-ecb-cipher_null.patch |
| 48 | 48 |
Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
| 49 | 49 |
# Fix CVE-2017-1000252 |
| 50 | 50 |
Patch31: kvm-dont-accept-wrong-gsi-values.patch |
| 51 |
-Patch35: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 52 | 51 |
# For Spectre |
| 53 | 52 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 54 | 53 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -169,7 +168,6 @@ EOF |
| 169 | 169 |
%patch28 -p1 |
| 170 | 170 |
%patch29 -p1 |
| 171 | 171 |
%patch31 -p1 |
| 172 |
-%patch35 -p1 |
|
| 173 | 172 |
|
| 174 | 173 |
# spectre |
| 175 | 174 |
%patch52 -p1 |
| ... | ... |
@@ -317,6 +315,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 317 | 317 |
/usr/src/linux-headers-%{uname_r}
|
| 318 | 318 |
|
| 319 | 319 |
%changelog |
| 320 |
+* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1 |
|
| 321 |
+- Update to version 4.9.90 |
|
| 320 | 322 |
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1 |
| 321 | 323 |
- Update to version 4.9.89 |
| 322 | 324 |
* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2 |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
%global security_hardening none |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 |
-Version: 4.9.89 |
|
| 4 |
+Version: 4.9.90 |
|
| 5 | 5 |
Release: 1%{?kat_build:.%kat_build}%{?dist}
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| ... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
| 9 | 9 |
Vendor: VMware, Inc. |
| 10 | 10 |
Distribution: Photon |
| 11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
|
| 12 |
-%define sha1 linux=81a81adbdc191ce09133d1d512b87a53e87fa967 |
|
| 12 |
+%define sha1 linux=e6f8a32fdfe078407073514fbdda968f59406725 |
|
| 13 | 13 |
Source1: config |
| 14 | 14 |
Source2: initramfs.trigger |
| 15 | 15 |
%define ena_version 1.1.3 |
| ... | ... |
@@ -45,7 +45,6 @@ Patch25: 0002-allow-also-ecb-cipher_null.patch |
| 45 | 45 |
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
| 46 | 46 |
# Fix CVE-2017-1000252 |
| 47 | 47 |
Patch28: kvm-dont-accept-wrong-gsi-values.patch |
| 48 |
-Patch32: revert-SMB-validate-negotiate-even-if-signing-off.patch |
|
| 49 | 48 |
# For Spectre |
| 50 | 49 |
Patch52: 0141-locking-barriers-introduce-new-observable-speculatio.patch |
| 51 | 50 |
Patch53: 0142-bpf-prevent-speculative-execution-in-eBPF-interprete.patch |
| ... | ... |
@@ -159,7 +158,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
| 159 | 159 |
%patch25 -p1 |
| 160 | 160 |
%patch26 -p1 |
| 161 | 161 |
%patch28 -p1 |
| 162 |
-%patch32 -p1 |
|
| 163 | 162 |
|
| 164 | 163 |
%patch52 -p1 |
| 165 | 164 |
%patch53 -p1 |
| ... | ... |
@@ -342,6 +340,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 342 | 342 |
/usr/share/doc/* |
| 343 | 343 |
|
| 344 | 344 |
%changelog |
| 345 |
+* Tue Mar 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.90-1 |
|
| 346 |
+- Update to version 4.9.90 |
|
| 345 | 347 |
* Thu Mar 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.89-1 |
| 346 | 348 |
- Update to version 4.9.89 |
| 347 | 349 |
* Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1 |
| 348 | 350 |
deleted file mode 100644 |
| ... | ... |
@@ -1,57 +0,0 @@ |
| 1 |
- |
|
| 2 |
-This code reverts the commit mentioned below. (Apply it with patch -p1, |
|
| 3 |
-not patch -p1 -R). |
|
| 4 |
- |
|
| 5 |
-commit 0e1b85a41a25ac888fb64a60ad2949dbc2ab61ed |
|
| 6 |
-Author: Steve French <smfrench@gmail.com> |
|
| 7 |
-Date: Wed Sep 20 19:57:18 2017 -0500 |
|
| 8 |
- |
|
| 9 |
- SMB: Validate negotiate (to protect against downgrade) even if signing off |
|
| 10 |
- |
|
| 11 |
- commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream. |
|
| 12 |
- |
|
| 13 |
- As long as signing is supported (ie not a guest user connection) and |
|
| 14 |
- connection is SMB3 or SMB3.02, then validate negotiate (protect |
|
| 15 |
- against man in the middle downgrade attacks). We had been doing this |
|
| 16 |
- only when signing was required, not when signing was just enabled, |
|
| 17 |
- but this more closely matches recommended SMB3 behavior and is |
|
| 18 |
- better security. Suggested by Metze. |
|
| 19 |
- |
|
| 20 |
- Signed-off-by: Steve French <smfrench@gmail.com> |
|
| 21 |
- Reviewed-by: Jeremy Allison <jra@samba.org> |
|
| 22 |
- Acked-by: Stefan Metzmacher <metze@samba.org> |
|
| 23 |
- Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> |
|
| 24 |
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
| 25 |
- |
|
| 26 |
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c |
|
| 27 |
-index 69b610ad..b98d96a 100644 |
|
| 28 |
-+++ b/fs/cifs/smb2pdu.c |
|
| 29 |
-@@ -531,22 +531,15 @@ int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) |
|
| 30 |
- |
|
| 31 |
- /* |
|
| 32 |
- * validation ioctl must be signed, so no point sending this if we |
|
| 33 |
-- * can not sign it (ie are not known user). Even if signing is not |
|
| 34 |
-- * required (enabled but not negotiated), in those cases we selectively |
|
| 35 |
-+ * can not sign it. We could eventually change this to selectively |
|
| 36 |
- * sign just this, the first and only signed request on a connection. |
|
| 37 |
-- * Having validation of negotiate info helps reduce attack vectors. |
|
| 38 |
-+ * This is good enough for now since a user who wants better security |
|
| 39 |
-+ * would also enable signing on the mount. Having validation of |
|
| 40 |
-+ * negotiate info for signed connections helps reduce attack vectors |
|
| 41 |
- */ |
|
| 42 |
-- if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) |
|
| 43 |
-+ if (tcon->ses->server->sign == false) |
|
| 44 |
- return 0; /* validation requires signing */ |
|
| 45 |
- |
|
| 46 |
-- if (tcon->ses->user_name == NULL) {
|
|
| 47 |
-- cifs_dbg(FYI, "Can't validate negotiate: null user mount\n"); |
|
| 48 |
-- return 0; /* validation requires signing */ |
|
| 49 |
-- } |
|
| 50 |
-- |
|
| 51 |
-- if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) |
|
| 52 |
-- cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n"); |
|
| 53 |
-- |
|
| 54 |
- vneg_inbuf.Capabilities = |
|
| 55 |
- cpu_to_le32(tcon->ses->server->vals->req_capabilities); |
|
| 56 |
- memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, |