@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.86

+Version:	4.4.88

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

+%define sha1 linux=40ac50fad1c01f1f40a4f93a20ea698861b35c94

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Fri Sep 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.88-1

+-   Version update

 *   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

 -   Version update

 *   Wed Aug 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

@@ -1,6 +1,6 @@

 #

 # Automatically generated file; DO NOT EDIT.

-# Linux/x86 4.4.20 Kernel Configuration

+# Linux/x86 4.4.88 Kernel Configuration

 #

 CONFIG_64BIT=y

 CONFIG_X86_64=y

@@ -229,12 +229,14 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y

 # CONFIG_PROFILING is not set

 CONFIG_HAVE_OPROFILE=y

 CONFIG_OPROFILE_NMI_TIMER=y

-# CONFIG_KPROBES is not set

+CONFIG_KPROBES=y

 # CONFIG_JUMP_LABEL is not set

+CONFIG_OPTPROBES=y

 # CONFIG_UPROBES is not set

 # CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set

 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y

 CONFIG_ARCH_USE_BUILTIN_BSWAP=y

+CONFIG_KRETPROBES=y

 CONFIG_HAVE_IOREMAP_PROT=y

 CONFIG_HAVE_KPROBES=y

 CONFIG_HAVE_KRETPROBES=y

@@ -1111,7 +1113,6 @@ CONFIG_OPENVSWITCH_VXLAN=m

 CONFIG_OPENVSWITCH_GENEVE=m

 CONFIG_VSOCKETS=y

 CONFIG_VMWARE_VMCI_VSOCKETS=y

-# CONFIG_NETLINK_MMAP is not set

 # CONFIG_NETLINK_DIAG is not set

 CONFIG_MPLS=y

 CONFIG_NET_MPLS_GSO=m

@@ -1133,6 +1134,7 @@ CONFIG_NET_FLOW_LIMIT=y

 # Network testing

 #

 # CONFIG_NET_PKTGEN is not set

+# CONFIG_NET_TCPPROBE is not set

 # CONFIG_HAMRADIO is not set

 # CONFIG_CAN is not set

 # CONFIG_IRDA is not set

@@ -2845,6 +2847,7 @@ CONFIG_TRACING_SUPPORT=y

 #

 # CONFIG_LKDTM is not set

 # CONFIG_TEST_LIST_SORT is not set

+# CONFIG_KPROBES_SANITY_TEST is not set

 # CONFIG_BACKTRACE_SELF_TEST is not set

 # CONFIG_RBTREE_TEST is not set

 # CONFIG_INTERVAL_TREE_TEST is not set

@@ -2884,6 +2887,7 @@ CONFIG_DOUBLEFAULT=y

 # CONFIG_DEBUG_TLBFLUSH is not set

 # CONFIG_IOMMU_STRESS is not set

 CONFIG_HAVE_MMIOTRACE_SUPPORT=y

+# CONFIG_X86_DECODER_SELFTEST is not set

 CONFIG_IO_DELAY_TYPE_0X80=0

 CONFIG_IO_DELAY_TYPE_0XED=1

 CONFIG_IO_DELAY_TYPE_UDELAY=2

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.86

+Version:       4.4.88

 Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

+%define sha1 linux=40ac50fad1c01f1f40a4f93a20ea698861b35c94

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -36,8 +36,6 @@ Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

 Patch22:       net-9p-vsock.patch

 Patch23:       p9fs_dir_readdir-offset-support.patch

 Patch24:       Implement-the-f-xattrat-family-of-functions.patch

-# Fix CVE-2017-11600

-Patch25:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires: bc

 BuildRequires: kbd

@@ -99,7 +97,6 @@ The Linux package contains the Linux kernel doc files

 %patch22 -p1

 %patch23 -p1

 %patch24 -p1

-%patch25 -p1

 %build

 # patch vmw_balloon driver

@@ -188,6 +185,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Fri Sep 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.88-1

+-   Enable kprobes

 *   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

 -   Fix CVE-2017-11600

 *   Wed Aug 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

@@ -1,7 +1,7 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.86

+Version:    	4.4.88

 Release:    	1%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

@@ -9,7 +9,7 @@ Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

+%define sha1 linux=40ac50fad1c01f1f40a4f93a20ea698861b35c94

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -38,8 +38,6 @@ Patch17:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch18:        0002-allow-also-ecb-cipher_null.patch

 # Fix CVE-2017-10911

 Patch19:        xen-blkback-dont-leak-stack-data-via-response-ring.patch

-# Fix CVE-2017-11600

-Patch20:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -130,7 +128,6 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch17 -p1

 %patch18 -p1

 %patch19 -p1

-%patch20 -p1

 %build

 make mrproper

@@ -283,6 +280,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Fri Sep 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.88-1

+-   Version update

 *   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

 -   Fix CVE-2017-11600

 *   Thu Aug 17 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

deleted file mode 100644

@@ -1,44 +0,0 @@

-From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001

-From: Vladis Dronov <vdronov@redhat.com>

-Date: Wed, 2 Aug 2017 19:50:14 +0200

-Subject: xfrm: policy: check policy direction value

-

-The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used

-as an array index. This can lead to an out-of-bound access, kernel lockup and

-DoS. Add a check for the 'dir' value.

-

-This fixes CVE-2017-11600.

-

-References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928

-Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")

-Cc: <stable@vger.kernel.org> # v2.6.21-rc1

-Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>

-Signed-off-by: Vladis Dronov <vdronov@redhat.com>

-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

- net/xfrm/xfrm_policy.c | 6 ++++++

- 1 file changed, 6 insertions(+)

-

-diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c

-index ff61d85..6f5a0dad 100644

-+++ b/net/xfrm/xfrm_policy.c

-@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,

- 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];

- 	struct xfrm_migrate *mp;

- 

-+	/* Stage 0 - sanity checks */

- 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)

- 		goto out;

- 

-+	if (dir >= XFRM_POLICY_MAX) {

-+		err = -EINVAL;

-+		goto out;

-+	}

-+

- 	/* Stage 1 - find policy */

- 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {

- 		err = -ENOENT;

-cgit v1.1

-