@@ -4,7 +4,7 @@

 Summary:        Java Native Access

 Name:           jna

 Version:        4.4.0

-Release:        6%{?dist}

+Release:        7%{?dist}

 License:        Apache

 URL:            http://github.com/twall/jna

 Group:          Applications/System

@@ -41,9 +41,16 @@ rm -rf %{buildroot}

 %build

 export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION}

-#disabling all tests

+

+# Intermittent issue happens:

+#

+# BUILD FAILED

+# /usr/src/photon/BUILD/jna-4.4.0/build.xml:717: API for native code has changed, or javah output is inconsistent.

+# Re-run this build after checking /usr/src/photon/BUILD/jna-4.4.0/build/native-linux-x86-64/jni.checksum or updating jni.version and jni.md5 in build.xml

+#

+# Rerun the build will pass it

+ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true || \

 ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true

-#$ANT_HOME/bin/ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/LibraryLoadTest.java" -Drelease=true

 %install

 export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION}

@@ -72,6 +79,8 @@ ant -Ddist=$JNA_DIST_DIR dist -Drelease=true

 %{_prefix}/*.aar

 %changelog

+*   Tue Sep 05 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.0-7

+-   Rerun the build on failure

 *   Thu Aug 17 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.0-6

 -   Removed clover.jar from jna-devel source-full.zip file

 *   Mon Jun 19 2017 Divya Thaluru <dthaluru@vmware.com> 4.4.0-5

@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.9.43

+Version:	4.9.47

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d

 BuildArch:	noarch

 %description

 The Linux API Headers expose the kernel's API for use by Glibc.

@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1

+-   Version update

 *   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

 -   Version update

 *   Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-esx

-Version:        4.9.43

+Version:        4.9.47

 Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d

 Source1:        config-esx

 Source2:        initramfs.trigger

 # common

@@ -36,6 +36,8 @@ Patch19:        06-pv-ops-boot_clock.patch

 Patch20:        07-vmware-only.patch

 Patch21:        vmware-balloon-late-initcall.patch

 Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11600

+Patch23:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod-devel

@@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files

 %patch20 -p1

 %patch21 -p1

 %patch22 -p1

+%patch23 -p1

 %build

 # patch vmw_balloon driver

@@ -189,6 +192,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1

+-   Fix CVE-2017-11600

 *   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

 -   Version update

 -   [feature] new sysctl option unprivileged_userns_clone

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-secure

-Version:        4.9.43

-Release:        2%{?dist}

+Version:        4.9.47

+Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d

 Source1:        config-secure

 Source2:        aufs4.9.tar.gz

 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906

@@ -47,6 +47,8 @@ Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch28:        0002-allow-also-ecb-cipher_null.patch

 Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11600

+Patch30:        xfrm-policy-check-policy-direction-value.patch

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

 BuildRequires:  bc

@@ -142,6 +144,7 @@ EOF

 %patch27 -p1

 %patch28 -p1

 %patch29 -p1

+%patch30 -p1

 pushd ..

 %patch99 -p0

@@ -257,6 +260,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1

+-   Fix CVE-2017-11600

 *   Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2

 -   Add missing xen block drivers

 *   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:        4.9.43

-Release:        2%{?dist}

+Version:        4.9.47

+Release:        1%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d

 Source1:	config

 Source2:	initramfs.trigger

 %define ena_version 1.1.3

@@ -44,6 +44,8 @@ Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch25:        0002-allow-also-ecb-cipher_null.patch

 Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

+# Fix CVE-2017-11600

+Patch27:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -138,6 +140,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch24 -p1

 %patch25 -p1

 %patch26 -p1

+%patch27 -p1

 %build

 make mrproper

@@ -297,6 +300,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1

+-   Fix CVE-2017-11600

 *   Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2

 -   Add missing xen block drivers

 *   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

new file mode 100644

@@ -0,0 +1,44 @@

+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001

+From: Vladis Dronov <vdronov@redhat.com>

+Date: Wed, 2 Aug 2017 19:50:14 +0200

+Subject: xfrm: policy: check policy direction value

+

+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used

+as an array index. This can lead to an out-of-bound access, kernel lockup and

+DoS. Add a check for the 'dir' value.

+

+This fixes CVE-2017-11600.

+

+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928

+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")

+Cc: <stable@vger.kernel.org> # v2.6.21-rc1

+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>

+Signed-off-by: Vladis Dronov <vdronov@redhat.com>

+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

+---

+ net/xfrm/xfrm_policy.c | 6 ++++++

+ 1 file changed, 6 insertions(+)

+

+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c

+index ff61d85..6f5a0dad 100644

+--- a/net/xfrm/xfrm_policy.c

+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,

+ 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];

+ 	struct xfrm_migrate *mp;

+ 

++	/* Stage 0 - sanity checks */

+ 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)

+ 		goto out;

+ 

++	if (dir >= XFRM_POLICY_MAX) {

++		err = -EINVAL;

++		goto out;

++	}

++

+ 	/* Stage 1 - find policy */

+ 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {

+ 		err = -ENOENT;

+-- 

+cgit v1.1

+

new file mode 100755

@@ -0,0 +1,18 @@

+#! /bin/sh

+

+specs="linux-api-headers/linux-api-headers.spec linux/linux.spec linux/linux-esx.spec linux/linux-secure.spec"

+

+tarball_url=`curl -s https://www.kernel.org  | grep -Eo 'https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.[0-9]*.tar.xz'`

+tarball=$(basename $tarball_url)

+version=`echo $tarball | sed 's/linux-//; s/.tar.xz//'`

+echo latest linux version: $version

+test -f stage/SOURCES/$tarball && echo up to date && exit 0

+$(cd stage/SOURCES && wget $tarball_url)

+sha1=`sha1sum stage/SOURCES/$tarball | awk '{print $1}'`

+changelog_entry=$(echo "`date +"%a %b %d %Y"` `git config user.name` <`git config user.email`> $version-1")

+for spec in $specs; do

+	sed -i '/^Version:/ s/4.9.[0-9]*/'$version'/' SPECS/$spec

+	sed -i '/^Release:/ s/[0-9]*%/1%/' SPECS/$spec

+	sed -i '/^%define sha1 linux/ s/=[0-9a-f]*$/='$sha1'/' SPECS/$spec

+	sed -i '/^%changelog/a*   '"$changelog_entry"'\n-   Version update' SPECS/$spec

+done