Extras:
- added a script to update the linux version
- jna: rerun the build on failure
Change-Id: I1734ab9dc3a0177c0a40f08d0b279e3fd98565bd
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3693
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
... | ... |
@@ -4,7 +4,7 @@ |
4 | 4 |
Summary: Java Native Access |
5 | 5 |
Name: jna |
6 | 6 |
Version: 4.4.0 |
7 |
-Release: 6%{?dist} |
|
7 |
+Release: 7%{?dist} |
|
8 | 8 |
License: Apache |
9 | 9 |
URL: http://github.com/twall/jna |
10 | 10 |
Group: Applications/System |
... | ... |
@@ -41,9 +41,16 @@ rm -rf %{buildroot} |
41 | 41 |
|
42 | 42 |
%build |
43 | 43 |
export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION} |
44 |
-#disabling all tests |
|
44 |
+ |
|
45 |
+# Intermittent issue happens: |
|
46 |
+# |
|
47 |
+# BUILD FAILED |
|
48 |
+# /usr/src/photon/BUILD/jna-4.4.0/build.xml:717: API for native code has changed, or javah output is inconsistent. |
|
49 |
+# Re-run this build after checking /usr/src/photon/BUILD/jna-4.4.0/build/native-linux-x86-64/jni.checksum or updating jni.version and jni.md5 in build.xml |
|
50 |
+# |
|
51 |
+# Rerun the build will pass it |
|
52 |
+ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true || \ |
|
45 | 53 |
ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true |
46 |
-#$ANT_HOME/bin/ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/LibraryLoadTest.java" -Drelease=true |
|
47 | 54 |
|
48 | 55 |
%install |
49 | 56 |
export JAVA_HOME=/usr/lib/jvm/OpenJDK-%{JAVA8_VERSION} |
... | ... |
@@ -72,6 +79,8 @@ ant -Ddist=$JNA_DIST_DIR dist -Drelease=true |
72 | 72 |
%{_prefix}/*.aar |
73 | 73 |
|
74 | 74 |
%changelog |
75 |
+* Tue Sep 05 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.0-7 |
|
76 |
+- Rerun the build on failure |
|
75 | 77 |
* Thu Aug 17 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.4.0-6 |
76 | 78 |
- Removed clover.jar from jna-devel source-full.zip file |
77 | 79 |
* Mon Jun 19 2017 Divya Thaluru <dthaluru@vmware.com> 4.4.0-5 |
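Review bot: The `|| \` retry added at new line 52 reruns the whole ant build on any non-zero exit, not only on the intermittent jni checksum mismatch the new comment block describes, so a genuine compile error now runs twice and the first, informative failure is pushed further up the build log. The two ant invocations also duplicate the full flag list, which will drift the next time someone edits one of them; since %build is a shell script, a small function keeps them in sync: `jna_build() { ant -Dcflags_extra.native=-DNO_JAWT -Dtests.exclude-patterns="**/*.java" -Drelease=true; }` followed by `jna_build || jna_build`. The removed `#disabling all tests` line was the only explanation of why `-Dtests.exclude-patterns="**/*.java"` is there; one line such as `# tests are disabled via -Dtests.exclude-patterns` is worth keeping, and a follow-up that resolves the checksum mismatch itself rather than retrying would be the real fix.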
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.9.43 |
|
3 |
+Version: 4.9.47 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 |
|
11 |
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
%description |
14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
25 | 25 |
%defattr(-,root,root) |
26 | 26 |
%{_includedir}/* |
27 | 27 |
%changelog |
28 |
+* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1 |
|
29 |
+- Version update |
|
28 | 30 |
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1 |
29 | 31 |
- Version update |
30 | 32 |
* Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1 |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.9.43 |
|
4 |
+Version: 4.9.47 |
|
5 | 5 |
Release: 1%{?dist} |
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
... | ... |
@@ -9,7 +9,7 @@ Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 |
|
12 |
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
# common |
... | ... |
@@ -36,6 +36,8 @@ Patch19: 06-pv-ops-boot_clock.patch |
36 | 36 |
Patch20: 07-vmware-only.patch |
37 | 37 |
Patch21: vmware-balloon-late-initcall.patch |
38 | 38 |
Patch22: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
39 |
+# Fix CVE-2017-11600 |
|
40 |
+Patch23: xfrm-policy-check-policy-direction-value.patch |
|
39 | 41 |
BuildRequires: bc |
40 | 42 |
BuildRequires: kbd |
41 | 43 |
BuildRequires: kmod-devel |
... | ... |
@@ -93,6 +95,7 @@ The Linux package contains the Linux kernel doc files |
93 | 93 |
%patch20 -p1 |
94 | 94 |
%patch21 -p1 |
95 | 95 |
%patch22 -p1 |
96 |
+%patch23 -p1 |
|
96 | 97 |
|
97 | 98 |
%build |
98 | 99 |
# patch vmw_balloon driver |
... | ... |
@@ -189,6 +192,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
189 | 189 |
/usr/src/linux-headers-%{uname_r} |
190 | 190 |
|
191 | 191 |
%changelog |
192 |
+* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1 |
|
193 |
+- Fix CVE-2017-11600 |
|
192 | 194 |
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1 |
193 | 195 |
- Version update |
194 | 196 |
- [feature] new sysctl option unprivileged_userns_clone |
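Review bot: The changelog entry at new line 193 records only `- Fix CVE-2017-11600`, but this hunk also bumps Version from 4.9.43 to 4.9.47, and the linux-api-headers section records the same bump as `- Version update`; the entry should state both, e.g. `- Version update` and `- Fix CVE-2017-11600`. The added patch (Patch23 here, Patch30 in linux-secure and Patch27 in linux) carries a `Cc: <stable@vger.kernel.org>` tag, so it was queued for the stable trees; if the 4.9.47 stable tree already contains it, `%patch23 -p1` will fail in %prep on a reversed or already-applied hunk — worth confirming against the 4.9.44–4.9.47 stable changelogs before merging. The same two points apply to the linux-secure and linux sections, which are not repeated here.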
... | ... |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 |
-Version: 4.9.43 |
|
5 |
-Release: 2%{?dist} |
|
4 |
+Version: 4.9.47 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 |
|
12 |
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d |
|
13 | 13 |
Source1: config-secure |
14 | 14 |
Source2: aufs4.9.tar.gz |
15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
... | ... |
@@ -47,6 +47,8 @@ Patch26: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
47 | 47 |
Patch27: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
48 | 48 |
Patch28: 0002-allow-also-ecb-cipher_null.patch |
49 | 49 |
Patch29: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
50 |
+# Fix CVE-2017-11600 |
|
51 |
+Patch30: xfrm-policy-check-policy-direction-value.patch |
|
50 | 52 |
# NSX requirements (should be removed) |
51 | 53 |
Patch99: LKCM.patch |
52 | 54 |
BuildRequires: bc |
... | ... |
@@ -142,6 +144,7 @@ EOF |
142 | 142 |
%patch27 -p1 |
143 | 143 |
%patch28 -p1 |
144 | 144 |
%patch29 -p1 |
145 |
+%patch30 -p1 |
|
145 | 146 |
|
146 | 147 |
pushd .. |
147 | 148 |
%patch99 -p0 |
... | ... |
@@ -257,6 +260,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
257 | 257 |
/usr/src/linux-headers-%{uname_r} |
258 | 258 |
|
259 | 259 |
%changelog |
260 |
+* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1 |
|
261 |
+- Fix CVE-2017-11600 |
|
260 | 262 |
* Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2 |
261 | 263 |
- Add missing xen block drivers |
262 | 264 |
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1 |
... | ... |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.9.43 |
|
5 |
-Release: 2%{?dist} |
|
4 |
+Version: 4.9.47 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5 |
|
12 |
+%define sha1 linux=49110526c8e572513bd3295495ccd28754b5292d |
|
13 | 13 |
Source1: config |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
%define ena_version 1.1.3 |
... | ... |
@@ -44,6 +44,8 @@ Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch |
44 | 44 |
Patch24: 0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch |
45 | 45 |
Patch25: 0002-allow-also-ecb-cipher_null.patch |
46 | 46 |
Patch26: add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch |
47 |
+# Fix CVE-2017-11600 |
|
48 |
+Patch27: xfrm-policy-check-policy-direction-value.patch |
|
47 | 49 |
|
48 | 50 |
BuildRequires: bc |
49 | 51 |
BuildRequires: kbd |
... | ... |
@@ -138,6 +140,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. |
138 | 138 |
%patch24 -p1 |
139 | 139 |
%patch25 -p1 |
140 | 140 |
%patch26 -p1 |
141 |
+%patch27 -p1 |
|
141 | 142 |
|
142 | 143 |
%build |
143 | 144 |
make mrproper |
... | ... |
@@ -297,6 +300,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
297 | 297 |
/usr/share/doc/* |
298 | 298 |
|
299 | 299 |
%changelog |
300 |
+* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1 |
|
301 |
+- Fix CVE-2017-11600 |
|
300 | 302 |
* Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2 |
301 | 303 |
- Add missing xen block drivers |
302 | 304 |
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1 |
303 | 305 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,44 @@ |
0 |
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Vladis Dronov <vdronov@redhat.com> |
|
2 |
+Date: Wed, 2 Aug 2017 19:50:14 +0200 |
|
3 |
+Subject: xfrm: policy: check policy direction value |
|
4 |
+ |
|
5 |
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used |
|
6 |
+as an array index. This can lead to an out-of-bound access, kernel lockup and |
|
7 |
+DoS. Add a check for the 'dir' value. |
|
8 |
+ |
|
9 |
+This fixes CVE-2017-11600. |
|
10 |
+ |
|
11 |
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 |
|
12 |
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") |
|
13 |
+Cc: <stable@vger.kernel.org> # v2.6.21-rc1 |
|
14 |
+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com> |
|
15 |
+Signed-off-by: Vladis Dronov <vdronov@redhat.com> |
|
16 |
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
|
17 |
+--- |
|
18 |
+ net/xfrm/xfrm_policy.c | 6 ++++++ |
|
19 |
+ 1 file changed, 6 insertions(+) |
|
20 |
+ |
|
21 |
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c |
|
22 |
+index ff61d85..6f5a0dad 100644 |
|
23 |
+--- a/net/xfrm/xfrm_policy.c |
|
24 |
+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, |
|
25 |
+ struct xfrm_state *x_new[XFRM_MAX_DEPTH]; |
|
26 |
+ struct xfrm_migrate *mp; |
|
27 |
+ |
|
28 |
++ /* Stage 0 - sanity checks */ |
|
29 |
+ if ((err = xfrm_migrate_check(m, num_migrate)) < 0) |
|
30 |
+ goto out; |
|
31 |
+ |
|
32 |
++ if (dir >= XFRM_POLICY_MAX) { |
|
33 |
++ err = -EINVAL; |
|
34 |
++ goto out; |
|
35 |
++ } |
|
36 |
++ |
|
37 |
+ /* Stage 1 - find policy */ |
|
38 |
+ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { |
|
39 |
+ err = -ENOENT; |
|
40 |
+-- |
|
41 |
+cgit v1.1 |
|
42 |
+ |
0 | 43 |
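Review bot: The unified diff header inside this patch file has `--- a/net/xfrm/xfrm_policy.c` at file line 23 immediately followed by the `@@` hunk header at line 24, with no `+++ b/net/xfrm/xfrm_policy.c` line between them, whereas the cgit export it was taken from carries both. The contiguous gutter numbers 22–24 and the 44-line count in the hunk header suggest the line is genuinely absent rather than dropped by the renderer. GNU patch can sometimes recover the file name from the `---` line alone, but behaviour differs between patch implementations, so the safe change is to insert `+++ b/net/xfrm/xfrm_policy.c` after line 23 and confirm with `patch -p1 --dry-run` against the 4.9.47 tree that %prep applies it cleanly.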
new file mode 100755 |
... | ... |
@@ -0,0 +1,18 @@ |
0 |
+#! /bin/sh |
|
1 |
+ |
|
2 |
+specs="linux-api-headers/linux-api-headers.spec linux/linux.spec linux/linux-esx.spec linux/linux-secure.spec" |
|
3 |
+ |
|
4 |
+tarball_url=`curl -s https://www.kernel.org | grep -Eo 'https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.9.[0-9]*.tar.xz'` |
|
5 |
+tarball=$(basename $tarball_url) |
|
6 |
+version=`echo $tarball | sed 's/linux-//; s/.tar.xz//'` |
|
7 |
+echo latest linux version: $version |
|
8 |
+test -f stage/SOURCES/$tarball && echo up to date && exit 0 |
|
9 |
+$(cd stage/SOURCES && wget $tarball_url) |
|
10 |
+sha1=`sha1sum stage/SOURCES/$tarball | awk '{print $1}'` |
|
11 |
+changelog_entry=$(echo "`date +"%a %b %d %Y"` `git config user.name` <`git config user.email`> $version-1") |
|
12 |
+for spec in $specs; do |
|
13 |
+ sed -i '/^Version:/ s/4.9.[0-9]*/'$version'/' SPECS/$spec |
|
14 |
+ sed -i '/^Release:/ s/[0-9]*%/1%/' SPECS/$spec |
|
15 |
+ sed -i '/^%define sha1 linux/ s/=[0-9a-f]*$/='$sha1'/' SPECS/$spec |
|
16 |
+ sed -i '/^%changelog/a* '"$changelog_entry"'\n- Version update' SPECS/$spec |
|
17 |
+done |