@@ -1,14 +1,14 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.4.82

-Release:	2%{?dist}

+Version:	4.4.86

+Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

 Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=27a2c7d466ec5b93712a9e17fa564652a0c06142

+%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

 BuildArch:	noarch

 # From SPECS/linux and used by linux-esx only

 # It provides f*xattrat syscalls

@@ -29,6 +29,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

+-   Version update

 *   Wed Aug 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

 -   Implement the f*xattrat family of syscalls

 *   Tue Aug 15 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:       Kernel

 Name:          linux-esx

-Version:       4.4.82

-Release:       2%{?dist}

+Version:       4.4.86

+Release:       1%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

 Vendor:        VMware, Inc.

 Distribution:  Photon

 Source0:       http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=27a2c7d466ec5b93712a9e17fa564652a0c06142

+%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

 Source1:       config-esx

 Patch0:        double-tcp_mem-limits.patch

 Patch1:        linux-4.4-sysctl-sched_weighted_cpuload_uses_rla.patch

@@ -36,6 +36,8 @@ Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

 Patch22:       net-9p-vsock.patch

 Patch23:       p9fs_dir_readdir-offset-support.patch

 Patch24:       Implement-the-f-xattrat-family-of-functions.patch

+# Fix CVE-2017-11600

+Patch25:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires: bc

 BuildRequires: kbd

@@ -97,6 +99,7 @@ The Linux package contains the Linux kernel doc files

 %patch22 -p1

 %patch23 -p1

 %patch24 -p1

+%patch25 -p1

 %build

 # patch vmw_balloon driver

@@ -185,6 +188,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

+-   Fix CVE-2017-11600

 *   Wed Aug 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

 -   Implement the f*xattrat family of syscalls

 *   Tue Aug 15 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-1

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:    	4.4.82

-Release:    	2%{?dist}

+Version:    	4.4.86

+Release:    	1%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:    	http://www.kernel.org/pub/linux/kernel/v4.x/%{name}-%{version}.tar.xz

-%define sha1 linux=27a2c7d466ec5b93712a9e17fa564652a0c06142

+%define sha1 linux=f70a59faebdb8f5d8e865b7f9eca1e05b4044b63

 Source1:	config

 %define ena_version 1.1.3

 Source2:    	https://github.com/amzn/amzn-drivers/archive/ena_linux_1.1.3.tar.gz

@@ -38,6 +38,8 @@ Patch17:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch18:        0002-allow-also-ecb-cipher_null.patch

 # Fix CVE-2017-10911

 Patch19:        xen-blkback-dont-leak-stack-data-via-response-ring.patch

+# Fix CVE-2017-11600

+Patch20:        xfrm-policy-check-policy-direction-value.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -128,6 +130,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel.

 %patch17 -p1

 %patch18 -p1

 %patch19 -p1

+%patch20 -p1

 %build

 make mrproper

@@ -280,6 +283,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/perf-core

 %changelog

+*   Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.86-1

+-   Fix CVE-2017-11600

 *   Thu Aug 17 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-2

 -   .config: disable XEN_BALLOON_MEMORY_HOTPLUG

 *   Tue Aug 15 2017 Alexey Makhalov <amakhalov@vmware.com> 4.4.82-1

new file mode 100644

@@ -0,0 +1,44 @@

+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001

+From: Vladis Dronov <vdronov@redhat.com>

+Date: Wed, 2 Aug 2017 19:50:14 +0200

+Subject: xfrm: policy: check policy direction value

+

+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used

+as an array index. This can lead to an out-of-bound access, kernel lockup and

+DoS. Add a check for the 'dir' value.

+

+This fixes CVE-2017-11600.

+

+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928

+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")

+Cc: <stable@vger.kernel.org> # v2.6.21-rc1

+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>

+Signed-off-by: Vladis Dronov <vdronov@redhat.com>

+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

+---

+ net/xfrm/xfrm_policy.c | 6 ++++++

+ 1 file changed, 6 insertions(+)

+

+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c

+index ff61d85..6f5a0dad 100644

+--- a/net/xfrm/xfrm_policy.c

+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,

+ 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];

+ 	struct xfrm_migrate *mp;

+ 

++	/* Stage 0 - sanity checks */

+ 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)

+ 		goto out;

+ 

++	if (dir >= XFRM_POLICY_MAX) {

++		err = -EINVAL;

++		goto out;

++	}

++

+ 	/* Stage 1 - find policy */

+ 	if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {

+ 		err = -ENOENT;

+-- 

+cgit v1.1

+