From aa6ed6d6e9060fe6d6f5bee44fb47355518bb304 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Fri, 3 Jun 2022 12:05:46 -0400 Subject: [PATCH 01/16] fix(oracle-oval): Support multiple ELSAs per CVE This is notably important for when there are additional FIPS and ksplice package patches available --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 57 +++- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 320 ++++++++++++++---- .../oracle-oval/testdata/fixtures/happy.yaml | 12 +- .../testdata/fixtures/multiple-elsas.yaml | 20 ++ .../oval/oracle/2021/ELSA-2021-4451.json | 263 ++++++++++++++ .../oval/oracle/2022/ELSA-2022-9221.json | 245 ++++++++++++++ pkg/vulnsrc/oracle-oval/types.go | 5 + pkg/vulnsrctest/vulnsrctest.go | 2 +- 8 files changed, 828 insertions(+), 96 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 13cd268e..3e744d26 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -88,8 +88,10 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { elsaID := strings.Split(oval.Title, ":")[0] var vulnIDs []string + var cveIDs []string for _, cve := range oval.Cves { vulnIDs = append(vulnIDs, cve.ID) + cveIDs = append(cveIDs, cve.ID) } if len(vulnIDs) == 0 { vulnIDs = append(vulnIDs, elsaID) 
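Review bot: `elsaID` is still derived as `strings.Split(oval.Title, ":")[0]` (context line at the top of this hunk), but with this patch it becomes the key for every `advisory-detail` and `vulnerability-id` entry written in the following hunks, and nothing checks its shape. A definition whose title has no colon, or does not begin with an ELSA ID, would be stored under whatever the title starts with, and Get would later return that string in `VendorIDs`. A guard before the package loop, for example `if !strings.HasPrefix(elsaID, "ELSA-") {` followed by an error return or a logged skip, would keep malformed feed entries out of the database. commit starts and ends outside this hunk.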
@@ -110,17 +112,20 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { return xerrors.Errorf("failed to put data source: %w", err) } - advisory := types.Advisory{ + advisory := Advisory{ FixedVersion: affectedPkg.Package.FixedVersion, + Cves: cveIDs, } - for _, vulnID := range vulnIDs { - if err := vs.dbc.PutAdvisoryDetail(tx, vulnID, affectedPkg.Package.Name, []string{platformName}, advisory); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) - } + if err := vs.dbc.PutAdvisoryDetail(tx, elsaID, affectedPkg.Package.Name, []string{platformName}, advisory); err != nil { + return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) } } + if err := vs.dbc.PutVulnerabilityID(tx, elsaID); err != nil { + return xerrors.Errorf("failed to save the vulnerability ID: %w", err) + } + var references []string for _, ref := range oval.References { references = append(references, ref.URI) @@ -128,20 +133,13 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { for _, vulnID := range vulnIDs { vuln := types.VulnerabilityDetail{ - Description: oval.Description, - References: referencesFromContains(references, []string{elsaID, vulnID}), - Title: oval.Title, - Severity: severityFromThreat(oval.Severity), + References: referencesFromContains(references, []string{elsaID, vulnID}), + Severity: severityFromThreat(oval.Severity), } if err := vs.dbc.PutVulnerabilityDetail(tx, vulnID, source.ID, vuln); err != nil { return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) } - - // for optimization - if err := vs.dbc.PutVulnerabilityID(tx, vulnID); err != nil { - return xerrors.Errorf("failed to save the vulnerability ID: %w", err) - } } } return nil 
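Review bot: The ID registered with `PutVulnerabilityID` is now `elsaID`, while the next hunk still writes `vulnerability-detail` under each `vulnID` (the CVE IDs), so the two buckets no longer share a key whenever the advisory lists CVEs. The updated test expectations show exactly that pairing: `vulnerability-id` ELSA-2007-0057 next to `vulnerability-detail` CVE-2007-0493. If the `vulnerability-id` bucket is what later selects which details are kept (the comment removed in the next hunk, `// for optimization`, suggests so, but the consumer is not visible here), CVE details that only this source provides could be dropped. Either keep registering the CVE IDs, `if err := vs.dbc.PutVulnerabilityID(tx, vulnID); err != nil {` inside the existing `vulnIDs` loop, or add a comment stating why the ELSA ID is the intended key. commit's body continues outside the hunk.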
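Review bot: `PutVulnerabilityDetail(tx, vulnID, source.ID, vuln)` is keyed by CVE and source only, so when two ELSAs cover the same CVE, which is the case this patch targets, the later write presumably replaces the earlier one. The new test data reflects this: the expected detail for CVE-2021-20232 carries only the ELSA-2022-9221 errata link, and the ELSA-2021-4451 link is gone. Which advisory's `References` and `Severity` survive then depends on processing order. Either merge with the stored detail before writing, or state the behaviour in a comment such as `// NOTE: for a CVE shared by several ELSAs, the last one processed wins for References/Severity`. The enclosing function starts outside the hunk.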
@@ -150,10 +148,37 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) { bucket := fmt.Sprintf(platformFormat, release) - advisories, err := vs.dbc.GetAdvisories(bucket, pkgName) + rawAdvisories, err := vs.dbc.ForEachAdvisory([]string{bucket}, pkgName) if err != nil { - return nil, xerrors.Errorf("failed to get Oracle Linux advisories: %w", err) + return nil, xerrors.Errorf("unable to iterate advisories: %w", err) + } + + var advisories []types.Advisory + for vulnID, v := range rawAdvisories { + if len(v.Content) == 0 { + continue + } + + var adv Advisory + if err = json.Unmarshal(v.Content, &adv); err != nil { + return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err) + } + + for _, cveID := range adv.Cves { + advisory := types.Advisory{ + FixedVersion: adv.FixedVersion, + } + if strings.HasPrefix(vulnID, "CVE-") { + advisory.VulnerabilityID = vulnID + } else { + advisory.VulnerabilityID = cveID + advisory.VendorIDs = []string{vulnID} + } + + advisories = append(advisories, advisory) + } } + return advisories, nil } diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 846cb4cd..a5fbb13f 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -1,11 +1,12 @@ package oracleoval import ( - "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" "os" "path/filepath" "testing" + "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" + "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/utils" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" 
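Review bot: In Get (oracle-oval.go), an advisory whose stored `Cves` is empty produces no result at all, because every `types.Advisory` is built inside `for _, cveID := range adv.Cves`. commit writes `Cves: cveIDs`, which stays nil when the OVAL definition lists no CVE (the updated Update test expects `Cves: nil` for ELSA-2007-0057), so those fixes vanish from Get and a scanner relying on it would report nothing for them. Inside the loop, the `strings.HasPrefix(vulnID, "CVE-")` branch also looks unreachable for data written by commit, since the key is always the ELSA ID; if it is meant for older databases it would emit the same ID once per listed CVE. The fence adds a fallback ahead of the per-CVE loop.

```go
		var adv Advisory
		// … unchanged: json.Unmarshal and its error return …

		if len(adv.Cves) == 0 {
			// commit stores Cves as nil for an ELSA without CVEs; report the
			// advisory under its own key instead of dropping it.
			advisories = append(advisories, types.Advisory{
				VulnerabilityID: vulnID,
				FixedVersion:    adv.FixedVersion,
			})
			continue
		}
		// … unchanged: per-CVE loop …
```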
@@ -36,34 +37,18 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ + Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, + Value: Advisory{ FixedVersion: "30:9.3.3-8.el5", + Cves: []string{ + "CVE-2007-0493", + "CVE-2007-0494", + }, }, }, { Key: []string{"vulnerability-detail", "CVE-2007-0493", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", - Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ "http://linux.oracle.com/cve/CVE-2007-0493.html", "http://linux.oracle.com/errata/ELSA-2007-0057.html", 
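Review bot: The four removed expectations covered both `bind-devel` and `bind-sdb`, but only a `bind-devel` entry is carried over to the ELSA-keyed form, so this case no longer checks that a second package of the same advisory is written. Since commit now appears to issue one `PutAdvisoryDetail` per affected package under `elsaID`, adding `Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-sdb"}` with the same `Advisory` value would keep that coverage. The test table starts before and continues after the hunk.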
@@ -74,8 +59,6 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-2007-0494", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", - Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ "http://linux.oracle.com/cve/CVE-2007-0494.html", "http://linux.oracle.com/errata/ELSA-2007-0057.html", @@ -84,11 +67,7 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"vulnerability-id", "CVE-2007-0493"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2007-0494"}, + Key: []string{"vulnerability-id", "ELSA-2007-0057"}, Value: map[string]interface{}{}, }, }, 
@@ -114,83 +93,232 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"}, - Value: types.Advisory{ + Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-doc"}, + Value: Advisory{ FixedVersion: "4.1.12-124.24.3.el6uek", + Cves: []string{ + "CVE-2018-1094", + "CVE-2018-19824", + }, }, }, { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"}, - Value: types.Advisory{ + Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-firmware"}, + Value: Advisory{ FixedVersion: "4.1.12-124.24.3.el6uek", + Cves: []string{ + "CVE-2018-1094", + "CVE-2018-19824", + }, }, }, { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: types.Advisory{ + Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-doc"}, + Value: Advisory{ FixedVersion: "4.1.12-124.24.3.el6uek", + Cves: []string{ + "CVE-2018-1094", + "CVE-2018-19824", + }, }, }, { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: types.Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", + Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 7", "kernel-uek-firmware"}, + Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", + Cves: []string{ + "CVE-2018-1094", + "CVE-2018-19824", + }, }, }, { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"}, - Value: types.Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", + Key: []string{"vulnerability-detail", "CVE-2018-1094", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/cve/CVE-2018-1094.html", + "https://linux.oracle.com/errata/ELSA-2019-4510.html", + }, + Severity: types.SeverityHigh, }, }, { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", 
"kernel-uek-doc"}, - Value: types.Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", + Key: []string{"vulnerability-detail", "CVE-2018-19824", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/cve/CVE-2018-19824.html", + "https://linux.oracle.com/errata/ELSA-2019-4510.html", + }, + Severity: types.SeverityHigh, }, }, { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: types.Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", + Key: []string{"vulnerability-id", "ELSA-2019-4510"}, + Value: map[string]interface{}{}, + }, + }, + }, + { + name: "happy path multi flavors", + dir: filepath.Join("testdata", "multi-flavor"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 8"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", }, }, { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: types.Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-c++"}, + Value: Advisory{ + FixedVersion: "3.6.16-4.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, }, }, { - Key: []string{"vulnerability-detail", "CVE-2018-1094", "oracle-oval"}, + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-dane"}, + Value: Advisory{ + FixedVersion: "3.6.16-4.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-devel"}, + Value: Advisory{ + FixedVersion: "3.6.16-4.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", 
"nettle-devel"}, + Value: Advisory{ + FixedVersion: "3.4.1-7.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls"}, + Value: Advisory{ + FixedVersion: "3.6.16-4.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "nettle"}, + Value: Advisory{ + FixedVersion: "3.4.1-7.el8", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + + { + Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-c++"}, + Value: Advisory{ + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-dane"}, + Value: Advisory{ + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-devel"}, + Value: Advisory{ + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + { + Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls"}, + Value: Advisory{ + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + Cves: []string{ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231", + }, + }, + }, + + { + Key: []string{"vulnerability-detail", "CVE-2021-20232", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2019-4510: Unbreakable Enterprise kernel security update (IMPORTANT)", - Description: "[4.1.12-124.24.3]\n- ext4: update i_disksize when new eof exceeds it (Shan Hai) [Orabug: 28940828] \n- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 
28940828] \n- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28940828] \n- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (Hui Peng) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Replace probing flag with active refcount (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Avoid nested autoresume calls (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: update inline int ext4_has_metadata_csum(struct super_block *sb) (John Donnelly) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: always initialize the crc32c checksum driver (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094} {CVE-2018-1094}\n- Revert 'bnxt_en: Reduce default rings on multi-port cards.' (Brian Maly) [Orabug: 28687746] \n- mlx4_core: Disable P_Key Violation Traps (Hakon Bugge) [Orabug: 27693633] \n- rds: RDS connection does not reconnect after CQ access violation error (Venkat Venkatsubra) [Orabug: 28733324]\n\n[4.1.12-124.24.2]\n- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 28069548] \n- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded (Mihai Carabas) [Orabug: 28069548] \n- KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548] \n- KVM: x86: pass host_initiated to functions that read MSRs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug: 28069548] \n- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (Radim Krcmar) [Orabug: 28069548] \n- ocfs2: dont clear bh uptodate for block read (Junxiao Bi) [Orabug: 28762940] \n- ocfs2: clear journal dirty flag after shutdown journal (Junxiao Bi) [Orabug: 28924775] \n- ocfs2: fix panic due 
to unrecovered local alloc (Junxiao Bi) [Orabug: 28924775] \n- net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 28947481] \n- x86/speculation: Always disable IBRS in disable_ibrs_and_friends() (Alejandro Jimenez) [Orabug: 29139710]", References: []string{ - "https://linux.oracle.com/cve/CVE-2018-1094.html", - "https://linux.oracle.com/errata/ELSA-2019-4510.html", + "https://linux.oracle.com/cve/CVE-2021-20232.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, - Severity: types.SeverityHigh, + Severity: types.SeverityMedium, }, }, { - Key: []string{"vulnerability-detail", "CVE-2018-19824", "oracle-oval"}, + Key: []string{"vulnerability-detail", "CVE-2021-3580", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2019-4510: Unbreakable Enterprise kernel security update (IMPORTANT)", - Description: "[4.1.12-124.24.3]\n- ext4: update i_disksize when new eof exceeds it (Shan Hai) [Orabug: 28940828] \n- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 28940828] \n- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28940828] \n- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (Hui Peng) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Replace probing flag with active refcount (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Avoid nested autoresume calls (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: update inline int ext4_has_metadata_csum(struct super_block *sb) (John Donnelly) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: always initialize the crc32c checksum driver (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094} {CVE-2018-1094}\n- Revert 'bnxt_en: Reduce default rings on multi-port cards.' 
(Brian Maly) [Orabug: 28687746] \n- mlx4_core: Disable P_Key Violation Traps (Hakon Bugge) [Orabug: 27693633] \n- rds: RDS connection does not reconnect after CQ access violation error (Venkat Venkatsubra) [Orabug: 28733324]\n\n[4.1.12-124.24.2]\n- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 28069548] \n- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded (Mihai Carabas) [Orabug: 28069548] \n- KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548] \n- KVM: x86: pass host_initiated to functions that read MSRs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug: 28069548] \n- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (Radim Krcmar) [Orabug: 28069548] \n- ocfs2: dont clear bh uptodate for block read (Junxiao Bi) [Orabug: 28762940] \n- ocfs2: clear journal dirty flag after shutdown journal (Junxiao Bi) [Orabug: 28924775] \n- ocfs2: fix panic due to unrecovered local alloc (Junxiao Bi) [Orabug: 28924775] \n- net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 28947481] \n- x86/speculation: Always disable IBRS in disable_ibrs_and_friends() (Alejandro Jimenez) [Orabug: 29139710]", References: []string{ - "https://linux.oracle.com/cve/CVE-2018-19824.html", - "https://linux.oracle.com/errata/ELSA-2019-4510.html", + "https://linux.oracle.com/cve/CVE-2021-3580.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, - Severity: types.SeverityHigh, + Severity: types.SeverityMedium, }, }, { - Key: []string{"vulnerability-id", "CVE-2018-1094"}, + Key: []string{"vulnerability-detail", "CVE-2021-20231", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-20231.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", 
+ }, + Severity: types.SeverityMedium, + }, + }, + + { + Key: []string{"vulnerability-id", "ELSA-2021-4451"}, Value: map[string]interface{}{}, }, { - Key: []string{"vulnerability-id", "CVE-2018-19824"}, + Key: []string{"vulnerability-id", "ELSA-2022-9221"}, Value: map[string]interface{}{}, }, }, @@ -209,15 +337,14 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ + Value: Advisory{ FixedVersion: "9.3.3-8.el5", + Cves: nil, }, }, { Key: []string{"vulnerability-detail", "ELSA-2007-0057", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", - Description: "[0:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ "http://linux.oracle.com/errata/ELSA-2007-0057.html", }, @@ -237,8 +364,6 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-0001-0001", "oracle-oval"}, Value: types.VulnerabilityDetail{ - Title: "ELSA-0001-0001: Moderate: empty security update (N/A)", - Description: "empty description", References: []string{ "http://linux.oracle.com/cve/CVE-0001-0001.html", "http://linux.oracle.com/errata/ELSA-0001-0001.html", @@ -247,7 +372,7 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"vulnerability-id", "CVE-0001-0001"}, + Key: []string{"vulnerability-id", "ELSA-0001-0001"}, Value: map[string]interface{}{}, }, }, 
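Review bot: In the ELSA-2019-4510 expectations the key `{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-doc"}` appears twice (first and third entry), while the old list's Oracle Linux 7 / `kernel-uek-doc` entry has no counterpart any more. The third entry was probably meant to be `Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 7", "kernel-uek-doc"}` with `FixedVersion: "4.1.12-124.24.3.el7uek"`. As written, the Oracle Linux 7 doc package is not verified by this case. The table starts before and continues after the hunk.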
@@ -287,12 +412,18 @@ func TestVulnSrc_Get(t *testing.T) { { name: "happy path", fixtures: []string{"testdata/fixtures/happy.yaml"}, - version: "8", - pkgName: "bind", + version: "7", + pkgName: "java-11-openjdk", want: []types.Advisory{ { - VulnerabilityID: "ELSA-2019-1145", - FixedVersion: "32:9.11.4-17.P2.el8_0", + VulnerabilityID: "CVE-2019-2602", + VendorIDs: []string{"ELSA-2019-0778"}, + FixedVersion: "1:11.0.3.7-0.0.1.el7_6", + }, + { + VulnerabilityID: "CVE-2019-2684", + VendorIDs: []string{"ELSA-2019-0778"}, + FixedVersion: "1:11.0.3.7-0.0.1.el7_6", }, }, }, @@ -310,6 +441,45 @@ func TestVulnSrc_Get(t *testing.T) { pkgName: "bind", wantErr: "failed to unmarshal advisory JSON", }, + { + name: "multi-flavors", + fixtures: []string{"testdata/fixtures/multiple-elsas.yaml"}, + version: "8", + pkgName: "gnutls", + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2021-20231", + VendorIDs: []string{"ELSA-2021-4451"}, + FixedVersion: "3.6.16-4.el8", + }, + { + VulnerabilityID: "CVE-2021-20232", + VendorIDs: []string{"ELSA-2021-4451"}, + FixedVersion: "3.6.16-4.el8", + }, + { + VulnerabilityID: "CVE-2021-3580", + VendorIDs: []string{"ELSA-2021-4451"}, + FixedVersion: "3.6.16-4.el8", + }, + + { + VulnerabilityID: "CVE-2021-20231", + VendorIDs: []string{"ELSA-2022-9221"}, + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + }, + { + VulnerabilityID: "CVE-2021-20232", + VendorIDs: []string{"ELSA-2022-9221"}, + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + }, + { + VulnerabilityID: "CVE-2021-3580", + VendorIDs: []string{"ELSA-2022-9221"}, + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml index 05fb8b16..54584c0e 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml 
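Review bot: Both new `want` lists pin an exact order, but Get appends results in the iteration order of `rawAdvisories` and then of each advisory's `Cves`, and it does not sort. In the multi-flavors case the fixture lists the CVEs as 20232, 3580, 20231 while `want` has 20231, 20232, 3580, so the comparison can only pass if something outside this hunk sorts the result. If `rawAdvisories` is a map (its type is not visible here), the relative order of the two ELSAs is not stable either. Sorting in Get by vendor ID and then vulnerability ID, or comparing order-insensitively in the test, would make this deterministic; a case for an advisory stored without `Cves` is also missing from the table.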
@@ -1,7 +1,11 @@ -- bucket: Oracle Linux 8 +- bucket: Oracle Linux 7 pairs: - - bucket: bind + - bucket: java-11-openjdk pairs: - - key: ELSA-2019-1145 + - key: ELSA-2019-0778 value: - FixedVersion: "32:9.11.4-17.P2.el8_0" + FixedVersion: "1:11.0.3.7-0.0.1.el7_6" + Cves: [ + "CVE-2019-2602", + "CVE-2019-2684" + ] diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml new file mode 100644 index 00000000..d247f9f7 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml @@ -0,0 +1,20 @@ +- bucket: Oracle Linux 8 + pairs: + - bucket: gnutls + pairs: + - key: ELSA-2021-4451 + value: + FixedVersion: "3.6.16-4.el8" + Cves: [ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231" + ] + - key: ELSA-2022-9221 + value: + FixedVersion: "10:3.6.16-4.0.1.el8_fips" + Cves: [ + "CVE-2021-20232", + "CVE-2021-3580", + "CVE-2021-20231" + ] diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json new file mode 100644 index 00000000..4c92c71a --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2021/ELSA-2021-4451.json 
@@ -0,0 +1,263 @@ +{ + "Title": "ELSA-2021-4451: gnutls and nettle security, bug fix, and enhancement update (MODERATE)", + "Description": "gnutls\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change\n\nnettle\n[3.4.1-7]\n- Backport CVE-2021-3580 from upstream 3.7.3 release (#1967990)\n\n[3.4.1-6]\n- Enable CTR mode optimization when the block size is 16\n\n[3.4.1-5]\n- Backport powerpc64 optimization patches from upstream (#1855228)\n Patch from Christopher M. 
Riedl.", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-4451.html", + "ID": "ELSA-2021-4451" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-c++ is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-c++ is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-dane is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-dane is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-devel is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-utils is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-utils is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "nettle-devel is earlier than 0:3.4.1-7.el8" + }, + { + "Comment": "nettle-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": 
"AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "nettle is earlier than 0:3.4.1-7.el8" + }, + { + "Comment": "nettle is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "nettle is earlier than 0:3.4.1-7.el8" + }, + { + "Comment": "nettle is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-c++ is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-c++ is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-dane is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-dane is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-devel is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-utils is earlier than 0:3.6.16-4.el8" + }, + { + "Comment": "gnutls-utils is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "nettle-devel is earlier than 0:3.4.1-7.el8" + }, + { + "Comment": "nettle-devel is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], 
+ "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "MODERATE", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ] + } \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json new file mode 100644 index 00000000..c948ef2a --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-flavor/vuln-list/oval/oracle/2022/ELSA-2022-9221.json 
@@ -0,0 +1,245 @@ +{ + "Title": "ELSA-2022-9221: gnutls security update (MODERATE)", + "Description": "[3.6.16-4.0.1_fips]\n- Allow RSA keygen with modulus sizes bigger than 3072 bits and validate the seed length\n as defined in FIPS 186-4 section B.3.2 [Orabug: 33200526]\n- Allow bigger known RSA modulus sizes when calling\n rsa_generate_fips186_4_keypair directly [Orabug: 33200526]\n- Change Epoch from 1 to 10\n\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2022-9221.html", + "ID": "ELSA-2022-9221" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls 
is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-c++ is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-c++ is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-c++ is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-dane is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-dane is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-dane is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-devel is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-devel is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-devel is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-utils is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-utils is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-utils is fips patched" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-c++ is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-c++ is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-c++ is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + 
"Comment": "gnutls-dane is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-dane is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-dane is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-devel is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-devel is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-devel is fips patched" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "gnutls-utils is earlier than 10:3.6.16-4.0.1.el8_fips" + }, + { + "Comment": "gnutls-utils is signed with the Oracle Linux 8 key" + }, + { + "Comment": "gnutls-utils is fips patched" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "MODERATE", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20232.html", + "ID": "CVE-2021-20232" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-3580.html", + "ID": "CVE-2021-3580" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-20231.html", + "ID": "CVE-2021-20231" + } + ] + } \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index 83dbf1a7..38c9ff35 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go @@ -41,3 +41,8 @@ type AffectedPackage struct { Package Package OSVer string } + +type Advisory struct { + FixedVersion string `json:",omitempty"` + Cves []string +} diff --git a/pkg/vulnsrctest/vulnsrctest.go b/pkg/vulnsrctest/vulnsrctest.go index 405ddd9d..949ed446 100644 --- a/pkg/vulnsrctest/vulnsrctest.go +++ b/pkg/vulnsrctest/vulnsrctest.go 
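Review bot: The new exported `Advisory` type in types.go has no doc comment and shares its name with `types.Advisory`, which `Get` returns from the same package, so the two are easy to confuse when reading `commit` and `Get`. A comment such as `// Advisory is the value stored under advisory-detail for one ELSA; Cves lists the CVE IDs that ELSA fixes.` would make the stored shape explicit. `Cves` also has no JSON tag, so a nil slice is written as `null` while an empty `FixedVersion` is omitted; `json:",omitempty"` on both fields would keep them consistent.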
@@ -87,5 +87,5 @@ func TestGet(t *testing.T, vulnsrc Getter, args TestGetArgs) { }) assert.NoError(t, err) - assert.Equal(t, args.WantValues, got) + assert.ElementsMatch(t, args.WantValues, got) } From 1dbc8c6ca74e847fa18735ed8a3fa0811f8ff7ac Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Mon, 6 Jun 2022 13:20:52 -0400 Subject: [PATCH 02/16] Ensure advisory datasource is populated --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 3e744d26..f6ea4c0d 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -175,6 +175,14 @@ func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) advisory.VendorIDs = []string{vulnID} } + if v.Source != (types.DataSource{}) { + advisory.DataSource = &types.DataSource{ + ID: v.Source.ID, + Name: v.Source.Name, + URL: v.Source.URL, + } + } + advisories = append(advisories, advisory) } } From 9059075dbf6df9e7e74e20d4ecb881886a547925 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Tue, 7 Jun 2022 16:17:12 -0400 Subject: [PATCH 03/16] Fix case of multiple ELSAs for the same flavor package --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 150 ++- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 1120 +++++++++++++++-- .../oracle-oval/testdata/fixtures/happy.yaml | 15 +- .../testdata/fixtures/multiple-elsas.yaml | 40 +- .../oval/oracle/2021/ELSA-2021-9306.json | 440 +++++++ .../oval/oracle/2021/ELSA-2021-9362.json | 440 +++++++ pkg/vulnsrc/oracle-oval/types.go | 9 +- 7 files changed, 2048 insertions(+), 166 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9306.json create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json 
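Review bot: Switching `TestGet` to `assert.ElementsMatch` drops the ordering check for every vulnerability source that uses this shared helper, not only oracle-oval. If the order of advisories returned by `Get` matters to any caller, a regression in another source would now pass unnoticed. It may be safer to keep `assert.Equal` here and sort both slices in the oracle-oval test, or to document the relaxation on the assertion, e.g. `// order of advisories is not part of the Getter contract`. The body of `TestGet` starts outside the hunk.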
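Review bot: The field-by-field copy of `v.Source` into a new `types.DataSource` in `Get` will silently drop any field that is added to `DataSource` later. Copying the whole value keeps it complete: `src := v.Source` followed by `advisory.DataSource = &src`. The loop in `Get` begins and ends outside the hunk, so whether `v` is reused across iterations cannot be seen here; the local copy avoids aliasing either way.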
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index f6ea4c0d..10e80cd0 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -84,14 +84,19 @@ func (vs VulnSrc) save(ovals []OracleOVAL) error { } func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { + advisories := make(map[string]map[string]map[string]Advisory) + for _, platform := range targetPlatforms { + advisories[platform] = make(map[string]map[string]Advisory) + } + + vulnerabilityDetails := make(map[string]types.VulnerabilityDetail) + for _, oval := range ovals { elsaID := strings.Split(oval.Title, ":")[0] var vulnIDs []string - var cveIDs []string for _, cve := range oval.Cves { vulnIDs = append(vulnIDs, cve.ID) - cveIDs = append(cveIDs, cve.ID) } if len(vulnIDs) == 0 { vulnIDs = append(vulnIDs, elsaID) 
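Review bot: `advisories` gets an inner map only for the names in `targetPlatforms`, and the later hunk (`@@ -112,36 +117,101 @@`) writes into `advisories[platformName]` without checking that the inner map exists. If `platformName` can be anything outside `targetPlatforms`, that write hits a nil map and panics in the middle of the transaction; any filter that would prevent this is not in the visible lines. Creating the inner map on demand removes the dependency: `if advisories[platformName] == nil { advisories[platformName] = make(map[string]map[string]Advisory) }`. A short comment giving the key order (platform, package, vulnerability ID) would also help. The body of `commit` continues outside the hunk.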
@@ -112,36 +117,101 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { return xerrors.Errorf("failed to put data source: %w", err) } - advisory := Advisory{ - FixedVersion: affectedPkg.Package.FixedVersion, - Cves: cveIDs, + platformAdvisories := advisories[platformName] + + packageAdvisories, exists := platformAdvisories[affectedPkg.Package.Name] + if !exists { + packageAdvisories = make(map[string]Advisory) + platformAdvisories[affectedPkg.Package.Name] = packageAdvisories } - if err := vs.dbc.PutAdvisoryDetail(tx, elsaID, affectedPkg.Package.Name, []string{platformName}, advisory); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) + for _, vulnID := range vulnIDs { + cveAdvisory, cveAdvisoryExists := packageAdvisories[vulnID] + if !cveAdvisoryExists { + cveAdvisory = Advisory{ + Entries: []Entry{}, + } + } + + found := false + for i, entry := range cveAdvisory.Entries { + entryFlavor := getFlavor(entry.FixedVersion) + affectedFlavor := getFlavor(affectedPkg.Package.FixedVersion) + + if entryFlavor == affectedFlavor { + found = true + // This fixed version is newer than the previously found fixed version + if version.NewVersion(entry.FixedVersion).Compare(version.NewVersion(affectedPkg.Package.FixedVersion)) < 0 { + cveAdvisory.Entries[i].FixedVersion = affectedPkg.Package.FixedVersion + } + + // Add the ELSA ID to the vendor ID list + if !ustrings.InSlice(elsaID, entry.VendorIDs) { + cveAdvisory.Entries[i].VendorIDs = append(entry.VendorIDs, elsaID) + } + } + } + + if !found { + cveAdvisory.Entries = append(cveAdvisory.Entries, Entry{ + FixedVersion: affectedPkg.Package.FixedVersion, + VendorIDs: []string{elsaID}, + }) + } + + packageAdvisories[vulnID] = cveAdvisory } } - if err := vs.dbc.PutVulnerabilityID(tx, elsaID); err != nil { - return xerrors.Errorf("failed to save the vulnerability ID: %w", err) + // Collect vulnerability details - references and severity + // A CVE can be present in multiple ELSAs. 
Collect all the applicable references as we process them, later when done we'll insert + // the references. + for _, vulnID := range vulnIDs { + convertedSeverity := severityFromThreat(oval.Severity) + + vulDetails, found := vulnerabilityDetails[vulnID] + if !found { + vulDetails = types.VulnerabilityDetail{ + References: []string{}, + Severity: convertedSeverity, + } + } + + // If multple ELSAs for the same CVE have differing severities, use the highest one + if convertedSeverity > vulDetails.Severity { + vulDetails.Severity = convertedSeverity + } + + for _, ref := range oval.References { + if referencesFromContains(ref.URI, []string{elsaID, vulnID}) && !ustrings.InSlice(ref.URI, vulDetails.References) { + vulDetails.References = append(vulDetails.References, ref.URI) + } + } + vulnerabilityDetails[vulnID] = vulDetails } + } - var references []string - for _, ref := range oval.References { - references = append(references, ref.URI) + // Now that we've processed all the reports, we can save the vulnerability and advisory information + for vulnID, details := range vulnerabilityDetails { + if err := vs.dbc.PutVulnerabilityID(tx, vulnID); err != nil { + return xerrors.Errorf("failed to save the vulnerability ID: %w", err) } - for _, vulnID := range vulnIDs { - vuln := types.VulnerabilityDetail{ - References: referencesFromContains(references, []string{elsaID, vulnID}), - Severity: severityFromThreat(oval.Severity), - } + if err := vs.dbc.PutVulnerabilityDetail(tx, vulnID, source.ID, details); err != nil { + return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) + } + } - if err := vs.dbc.PutVulnerabilityDetail(tx, vulnID, source.ID, vuln); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) + for platformName, cveEntries := range advisories { + for packageName, packageEntry := range cveEntries { + for cveId, advisory := range packageEntry { + if err := vs.dbc.PutAdvisoryDetail(tx, cveId, 
packageName, []string{platformName}, advisory); err != nil { + return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) + } } } } + return nil } @@ -164,15 +234,11 @@ func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err) } - for _, cveID := range adv.Cves { + for _, entry := range adv.Entries { advisory := types.Advisory{ - FixedVersion: adv.FixedVersion, - } - if strings.HasPrefix(vulnID, "CVE-") { - advisory.VulnerabilityID = vulnID - } else { - advisory.VulnerabilityID = cveID - advisory.VendorIDs = []string{vulnID} + FixedVersion: entry.FixedVersion, + VulnerabilityID: vulnID, + VendorIDs: entry.VendorIDs, } if v.Source != (types.DataSource{}) { @@ -185,6 +251,7 @@ func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) advisories = append(advisories, advisory) } + } return advisories, nil @@ -216,16 +283,31 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa return pkgs } -func referencesFromContains(sources []string, matches []string) []string { - references := []string{} - for _, s := range sources { - for _, m := range matches { - if strings.Contains(s, m) { - references = append(references, s) +func referencesFromContains(source string, matches []string) bool { + for _, m := range matches { + if strings.Contains(source, m) { + return true + } + } + return false +} + +// Determine the "flavor" of the package: +// - "normal" +// - FIPS validated +// - ksplice userspace. there can be "ksplice1" and "ksplice2" +func getFlavor(version string) string { + if strings.HasSuffix(strings.ToLower(version), "_fips") { + return "fips" + } else { + subs := strings.Split(strings.ToLower(version), ".") + for _, s := range subs { + if strings.HasPrefix(s, "ksplice") { + return s } } + return "" } - return ustrings.Unique(references) } func severityFromThreat(sev string) types.Severity { 
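Review bot: Entries are merged per flavor only, and within one flavor the highest `FixedVersion` wins, so ELSAs that fix the same CVE in different version streams of one package collapse into a single entry. The test data on this page has `kernel-uek` on Oracle Linux 7 at both `4.1.12-124.24.3.el7uek` and `5.4.17-2102.203.5.el7uek`; if one CVE were fixed in both streams, only the 5.4 version would be stored and a patched 4.1 host would presumably still be reported as vulnerable. This errs toward false positives rather than missed findings, but the choice should be stated next to the comparison, e.g. `// keeps the highest fixed version per flavor; version streams are not distinguished`. `commit` starts and ends outside the hunk.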
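Review bot: `Get` now decodes the stored value into the new `Advisory{Entries}` shape without checking that any entry was found, so a value written in the earlier `FixedVersion`/`Cves` layout unmarshals without error into zero entries and the advisory silently disappears from the result. The same change alters what is stored under `advisory-detail`, so a reader that still decodes it as `types.Advisory` would presumably see an empty `FixedVersion`. Returning an error for an empty list, for example `if len(adv.Entries) == 0 { return nil, xerrors.Errorf("advisory %s has no entries", vulnID) }`, would surface a schema mismatch instead of hiding it. The body of `Get` starts and ends outside the hunk.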
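Review bot: `referencesFromContains` matches with `strings.Contains`, so a CVE ID that is a prefix of another ID in the same advisory picks up the other's reference; a constructed pair such as `CVE-2018-1094` and `CVE-2018-10940` would both match `.../CVE-2018-10940.html`. Because `commit` now accumulates references per CVE across ELSAs, a wrong match is persisted in that CVE's `VulnerabilityDetail`. The reference records in the test data carry an `ID` field, so an exact comparison would be tighter, assuming the Go struct exposes it: `if ref.ID == elsaID || ref.ID == vulnID`. In `getFlavor`, the parameter named `version` shadows the `version` package used in `commit`, and the doc comment should start with the function name.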
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index a5fbb13f..92161287 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -5,11 +5,11 @@ import ( "path/filepath" "testing" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/utils" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" ) func TestMain(m *testing.M) { @@ -37,12 +37,46 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, + Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "30:9.3.3-8.el5", + VendorIDs: []string{"ELSA-2007-0057"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "30:9.3.3-8.el5", + VendorIDs: []string{"ELSA-2007-0057"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "30:9.3.3-8.el5", + VendorIDs: []string{"ELSA-2007-0057"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, Value: Advisory{ - FixedVersion: "30:9.3.3-8.el5", - Cves: []string{ - "CVE-2007-0493", - "CVE-2007-0494", + Entries: []Entry{ + { + FixedVersion: "30:9.3.3-8.el5", + VendorIDs: []string{"ELSA-2007-0057"}, + }, }, }, }, 
@@ -50,8 +84,8 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2007-0493", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ - "http://linux.oracle.com/cve/CVE-2007-0493.html", "http://linux.oracle.com/errata/ELSA-2007-0057.html", + "http://linux.oracle.com/cve/CVE-2007-0493.html", }, Severity: types.SeverityMedium, }, @@ -60,14 +94,18 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2007-0494", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ - "http://linux.oracle.com/cve/CVE-2007-0494.html", "http://linux.oracle.com/errata/ELSA-2007-0057.html", + "http://linux.oracle.com/cve/CVE-2007-0494.html", }, Severity: types.SeverityMedium, }, }, { - Key: []string{"vulnerability-id", "ELSA-2007-0057"}, + Key: []string{"vulnerability-id", "CVE-2007-0493"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2007-0494"}, Value: map[string]interface{}{}, }, }, 
@@ -92,52 +130,289 @@ func TestVulnSrc_Update(t *testing.T) { URL: "https://linux.oracle.com/security/oval/", }, }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + 
VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, { - Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-doc"}, + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Cves: 
[]string{ - "CVE-2018-1094", - "CVE-2018-19824", + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, }, }, }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { - Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-firmware"}, + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Cves: []string{ - "CVE-2018-1094", - "CVE-2018-19824", + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 6", "kernel-uek-doc"}, + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Cves: []string{ - "CVE-2018-1094", - "CVE-2018-19824", + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, }, }, }, + { 
- Key: []string{"advisory-detail", "ELSA-2019-4510", "Oracle Linux 7", "kernel-uek-firmware"}, + Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"}, Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Cves: []string{ - "CVE-2018-1094", - "CVE-2018-19824", + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, }, }, }, + { + Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + VendorIDs: []string{"ELSA-2019-4510"}, + }, + }, + }, + }, + { Key: []string{"vulnerability-detail", "CVE-2018-1094", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ - "https://linux.oracle.com/cve/CVE-2018-1094.html", "https://linux.oracle.com/errata/ELSA-2019-4510.html", + "https://linux.oracle.com/cve/CVE-2018-1094.html", }, Severity: types.SeverityHigh, }, @@ -146,14 +421,18 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2018-19824", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ - "https://linux.oracle.com/cve/CVE-2018-19824.html", "https://linux.oracle.com/errata/ELSA-2019-4510.html", + "https://linux.oracle.com/cve/CVE-2018-19824.html", }, Severity: types.SeverityHigh, }, }, { - Key: []string{"vulnerability-id", "ELSA-2019-4510"}, + Key: []string{"vulnerability-id", "CVE-2018-1094"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2018-19824"}, Value: map[string]interface{}{}, }, }, 
@@ -170,114 +449,301 @@ func TestVulnSrc_Update(t *testing.T) { URL: "https://linux.oracle.com/security/oval/", }, }, + { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-c++"}, + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls"}, Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-dane"}, + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls"}, Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls-devel"}, + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls"}, Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, + { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "nettle-devel"}, + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle"}, Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: 
[]string{"ELSA-2021-4451"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "gnutls"}, + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle"}, Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2021-4451", "Oracle Linux 8", "nettle"}, + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle"}, Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-c++"}, + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-dane"}, + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, { - Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls-devel"}, + Key: 
[]string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, }, }, }, + { - Key: []string{"advisory-detail", "ELSA-2022-9221", "Oracle Linux 8", "gnutls"}, + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-dane"}, Value: Advisory{ - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - Cves: []string{ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231", + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-dane"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-dane"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-devel"}, 
+ Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-utils"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-utils"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-utils"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.6.16-4.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + { + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + VendorIDs: []string{"ELSA-2022-9221"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, + }, + }, + }, + { + Key: 
[]string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "3.4.1-7.el8", + VendorIDs: []string{"ELSA-2021-4451"}, + }, }, }, }, @@ -286,6 +752,7 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2021-20232", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-4451.html", "https://linux.oracle.com/cve/CVE-2021-20232.html", "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, @@ -296,6 +763,7 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2021-3580", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-4451.html", "https://linux.oracle.com/cve/CVE-2021-3580.html", "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, @@ -306,6 +774,7 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-2021-20231", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-4451.html", "https://linux.oracle.com/cve/CVE-2021-20231.html", "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, 
@@ -314,11 +783,447 @@ func TestVulnSrc_Update(t *testing.T) { }, { - Key: []string{"vulnerability-id", "ELSA-2021-4451"}, + Key: []string{"vulnerability-id", "CVE-2021-20232"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-3580"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-20231"}, + Value: map[string]interface{}{}, + }, + }, + }, + { + name: "happy path multiple ELSAs", + dir: filepath.Join("testdata", "multi-elsas"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 8"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + 
}, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: 
[]string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-tools"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-tools"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el7uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-tools"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el7uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el8uek", + VendorIDs: 
[]string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: 
"5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-devel"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.203.5.el8uek", + VendorIDs: []string{"ELSA-2021-9362"}, + }, + }, + }, + }, + { + Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-doc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "5.4.17-2102.202.5.el8uek", + VendorIDs: []string{"ELSA-2021-9306"}, + }, + }, + }, + }, + + { + Key: []string{"vulnerability-detail", "CVE-2021-33034", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-9362.html", + "https://linux.oracle.com/cve/CVE-2021-33034.html", + }, + Severity: types.SeverityHigh, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2020-36310", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-9306.html", + "https://linux.oracle.com/cve/CVE-2020-36310.html", + }, + Severity: types.SeverityHigh, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2021-23133", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-9306.html", + "https://linux.oracle.com/cve/CVE-2021-23133.html", + "https://linux.oracle.com/errata/ELSA-2021-9362.html", + }, + Severity: 
types.SeverityHigh, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-23133"}, Value: map[string]interface{}{}, }, { - Key: []string{"vulnerability-id", "ELSA-2022-9221"}, + Key: []string{"vulnerability-id", "CVE-2021-33034"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2020-36310"}, Value: map[string]interface{}{}, }, }, @@ -338,8 +1243,12 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, Value: Advisory{ - FixedVersion: "9.3.3-8.el5", - Cves: nil, + Entries: []Entry{ + { + FixedVersion: "9.3.3-8.el5", + VendorIDs: []string{"ELSA-2007-0057"}, + }, + }, }, }, { @@ -365,14 +1274,14 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"vulnerability-detail", "CVE-0001-0001", "oracle-oval"}, Value: types.VulnerabilityDetail{ References: []string{ - "http://linux.oracle.com/cve/CVE-0001-0001.html", "http://linux.oracle.com/errata/ELSA-0001-0001.html", + "http://linux.oracle.com/cve/CVE-0001-0001.html", }, Severity: types.SeverityUnknown, }, }, { - Key: []string{"vulnerability-id", "ELSA-0001-0001"}, + Key: []string{"vulnerability-id", "CVE-0001-0001"}, Value: map[string]interface{}{}, }, }, @@ -412,18 +1321,13 @@ func TestVulnSrc_Get(t *testing.T) { { name: "happy path", fixtures: []string{"testdata/fixtures/happy.yaml"}, - version: "7", - pkgName: "java-11-openjdk", + version: "8", + pkgName: "bind", want: []types.Advisory{ { - VulnerabilityID: "CVE-2019-2602", - VendorIDs: []string{"ELSA-2019-0778"}, - FixedVersion: "1:11.0.3.7-0.0.1.el7_6", - }, - { - VulnerabilityID: "CVE-2019-2684", - VendorIDs: []string{"ELSA-2019-0778"}, - FixedVersion: "1:11.0.3.7-0.0.1.el7_6", + VulnerabilityID: "ELSA-2019-1145", + FixedVersion: "32:9.11.4-17.P2.el8_0", + VendorIDs: []string{"ELSA-2019-1145"}, }, }, }, 
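Review bot: In the new "happy path multiple ELSAs" case, the `CVE-2021-23133` entries expect a single `FixedVersion: "5.4.17-2102.203.5.el7uek"` carrying both `ELSA-2021-9306` and `ELSA-2021-9362`, while the `CVE-2020-36310` entries in the same case show ELSA-2021-9306 fixing at `5.4.17-2102.202.5.el7uek`. If ELSA-2021-9306 already fixes CVE-2021-23133 at 202.5 (its fixture description lists the CVE under that build), a host on 202.5 would still be reported as affected, and the test would lock in that false positive. The merge logic is outside this hunk, so if keeping only the newest version per flavor is deliberate, say so next to the first such entry, e.g. `// same flavor, two ELSAs: newest fixed version is kept, both vendor IDs recorded`. The case also asserts `data-source` only for "Oracle Linux 8" although it expects Oracle Linux 7 advisories.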
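Review bot: The rewritten happy-path case for `Get` now covers only an advisory whose bucket key is the ELSA ID itself (`VulnerabilityID: "ELSA-2019-1145"` with the same value in `VendorIDs`), which appears to be the fallback for an advisory that lists no CVE. The previous case asserted CVE-keyed results, and nothing visible in this hunk replaces that coverage. Other cases in `TestVulnSrc_Get` lie outside the hunk and may do so. Consider keeping one CVE-keyed entry in `happy.yaml`, or add a comment such as `// ELSA without CVEs: the ELSA ID is used as the vulnerability ID`.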
diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml index 54584c0e..2ce57002 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml @@ -1,11 +1,10 @@ -- bucket: Oracle Linux 7 +- bucket: Oracle Linux 8 pairs: - - bucket: java-11-openjdk + - bucket: bind pairs: - - key: ELSA-2019-0778 + - key: ELSA-2019-1145 value: - FixedVersion: "1:11.0.3.7-0.0.1.el7_6" - Cves: [ - "CVE-2019-2602", - "CVE-2019-2684" - ] + Entries: + - FixedVersion: "32:9.11.4-17.P2.el8_0" + VendorIDs: + - ELSA-2019-1145 diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml index d247f9f7..e92f0ae8 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml @@ -2,19 +2,31 @@ pairs: - bucket: gnutls pairs: - - key: ELSA-2021-4451 + - key: CVE-2021-20232 value: - FixedVersion: "3.6.16-4.el8" - Cves: [ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231" - ] - - key: ELSA-2022-9221 + Entries: + - FixedVersion: "3.6.16-4.el8" + VendorIDs: + - ELSA-2021-4451 + - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + VendorIDs: + - ELSA-2022-9221 + - key: CVE-2021-3580 value: - FixedVersion: "10:3.6.16-4.0.1.el8_fips" - Cves: [ - "CVE-2021-20232", - "CVE-2021-3580", - "CVE-2021-20231" - ] + Entries: + - FixedVersion: "3.6.16-4.el8" + VendorIDs: + - ELSA-2021-4451 + - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + VendorIDs: + - ELSA-2022-9221 + - key: CVE-2021-20231 + value: + Entries: + - FixedVersion: "3.6.16-4.el8" + VendorIDs: + - ELSA-2021-4451 + - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + VendorIDs: + - ELSA-2022-9221 + \ No newline at end of file 
diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9306.json b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9306.json new file mode 100644 index 00000000..8f6672ac --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9306.json 
@@ -0,0 +1,440 @@ +{ + "Title": "ELSA-2021-9306: Unbreakable Enterprise kernel security update (IMPORTANT)", + "Description": "[5.4.17-2102.202.5]\n- sctp: delay auto_asconf init until binding the first addr (Xin Long) [Orabug: 32907967] {CVE-2021-23133} {CVE-2021-23133}\n- dm ioctl: fix out of bounds array access when no devices (Mikulas Patocka) [Orabug: 32860491] {CVE-2021-31916}\n- uek-rpm: update kABI lists for the new symbols (Saeed Mirzamohammadi) [Orabug: 32883836] \n- md/raid1: properly indicate failure when ending a failed write request (Paul Clements) [Orabug: 32888143] \n- scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (James Smart) [Orabug: 32827840]\n\n[5.4.17-2102.202.4]\n- uek-rpm: Update missing configs as compared to OL8.4 RHCK (Saeed Mirzamohammadi) [Orabug: 32837542] \n- video: hyperv_fb: Add ratelimit on error message (Michael Kelley) [Orabug: 32867569] \n- Drivers: hv: vmbus: Initialize unload_event statically (Andrea Parri (Microsoft)) [Orabug: 32867569] \n- Drivers: hv: vmbus: Increase wait time for VMbus unload (Michael Kelley) [Orabug: 32867569] \n- uek-rpm: Remove hwcap directive and /etc/ld.so.conf.d/*.conf file (Victor Erminpour) [Orabug: 32816428]\n\n[5.4.17-2102.202.3]\n- LTS tag: v5.4.94 (Jack Vogel) \n- fs: fix lazytime expiration handling in __writeback_single_inode() (Eric Biggers) \n- writeback: Drop I_DIRTY_TIME_EXPIRE (Jan Kara) \n- dm integrity: conditionally disable 'recalculate' feature (Mikulas Patocka) \n- tools: Factor HOSTCC, HOSTLD, HOSTAR definitions (Jean-Philippe Brucker) \n- SMB3.1.1: do not log warning message if server doesn't populate salt (Steve French) \n- arm64: mm: use single quantity to represent the PA to VA translation (Ard Biesheuvel) \n- tracing: Fix race in trace_open and buffer resize call (Gaurav Kohli) \n- io_uring: Fix current-\u003efs handling in io_sq_wq_submit_work() (Nicolai Stange) \n- HID: wacom: Correct NULL dereference on AES pen proximity (Jason Gerecke) \n- Revert 'mm/slub: fix 
a memory leak in sysfs_slab_add()' (Wang Hai) \n- gpio: mvebu: fix pwm .get_state period calculation (Baruch Siach) \n- LTS tag: v5.4.93 (Jack Vogel) \n- tcp: fix TCP_USER_TIMEOUT with zero window (Enke Chen) \n- net: dsa: b53: fix an off by one in checking 'vlan-\u003evid' (Dan Carpenter) \n- net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled (Tariq Toukan) \n- net: mscc: ocelot: allow offloading of bridge on top of LAG (Vladimir Oltean) \n- ipv6: set multicast flag on the multicast route (Matteo Croce) \n- net_sched: reject silly cell_log in qdisc_get_rtab() (Eric Dumazet) \n- net_sched: avoid shift-out-of-bounds in tcindex_set_parms() (Eric Dumazet) \n- ipv6: create multicast route with RTPROT_KERNEL (Matteo Croce) \n- udp: mask TOS bits in udp_v4_early_demux() (Guillaume Nault) \n- kasan: fix incorrect arguments passing in kasan_add_zero_shadow (Lecopzer Chen) \n- kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow (Lecopzer Chen) \n- skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too (Alexander Lobakin) \n- lightnvm: fix memory leak when submit fails (Pan Bian) \n- sh_eth: Fix power down vs. is_opened flag ordering (Geert Uytterhoeven) \n- net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (Rasmus Villemoes) \n- sh: dma: fix kconfig dependency for G2_DMA (Necip Fazil Yildiran) \n- netfilter: rpfilter: mask ecn bits before fib lookup (Guillaume Nault) \n- x86/cpu/amd: Set __max_die_per_package on AMD (Yazen Ghannam) \n- pinctrl: ingenic: Fix JZ4760 support (Paul Cercueil) \n- driver core: Extend device_is_dependent() (Rafael J. Wysocki) \n- xhci: tegra: Delay for disabling LFPS detector (JC Kuo) \n- xhci: make sure TRB is fully written before giving it to the controller (Mathias Nyman) \n- usb: bdc: Make bdc pci driver depend on BROKEN (Patrik Jakobsson) \n- usb: udc: core: Use lock when write to soft_connect (Thinh Nguyen) \n- usb: gadget: aspeed: fix stop dma register setting. 
(Ryan Chen) \n- USB: ehci: fix an interrupt calltrace error (Longfang Liu) \n- ehci: fix EHCI host controller initialization sequence (Eugene Korenevsky) \n- serial: mvebu-uart: fix tx lost characters at power off (Pali Rohar) \n- stm class: Fix module init return on allocation failure (Wang Hui) \n- intel_th: pci: Add Alder Lake-P support (Alexander Shishkin) \n- x86/mmx: Use KFPU_387 for MMX string operations (Andy Lutomirski) \n- x86/topology: Make __max_die_per_package available unconditionally (Borislav Petkov) \n- x86/fpu: Add kernel_fpu_begin_mask() to selectively initialize state (Andy Lutomirski) \n- irqchip/mips-cpu: Set IPI domain parent chip (Mathias Kresin) \n- cifs: do not fail __smb_send_rqst if non-fatal signals are pending (Ronnie Sahlberg) \n- iio: ad5504: Fix setting power-down state (Lars-Peter Clausen) \n- can: peak_usb: fix use after free bugs (Vincent Mailhol) \n- can: vxcan: vxcan_xmit: fix use after free bug (Vincent Mailhol) \n- can: dev: can_restart: fix use after free bug (Vincent Mailhol) \n- selftests: net: fib_tests: remove duplicate log test (Hangbin Liu) \n- platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list (Hans de Goede) \n- i2c: octeon: check correct size of maximum RECV_LEN packet (Wolfram Sang) \n- powerpc: Fix alignment bug within the init sections (Ariel Marcovitch) \n- scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression (Arnd Bergmann) \n- pinctrl: aspeed: g6: Fix PWMG0 pinctrl setting (Billy Tsai) \n- powerpc: Use the common INIT_DATA_SECTION macro in vmlinux.lds.S (Youling Tang) \n- drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 (Ben Skeggs) \n- drm/nouveau/mmu: fix vram heap sizing (Ben Skeggs) \n- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (Ben Skeggs) \n- drm/nouveau/privring: ack interrupts the same way as RM (Ben Skeggs) \n- drm/nouveau/bios: fix issue shadowing expansion ROMs (Ben Skeggs) \n- drm/amd/display: Fix to be able to stop crc 
calculation (Wayne Lin) \n- drm/amdgpu/psp: fix psp gfx ctrl cmds (Victor Zhao) \n- riscv: defconfig: enable gpio support for HiFive Unleashed (Sagar Shrikant Kadam) \n- dts: phy: fix missing mdio device and probe failure of vsc8541-01 device (Sagar Shrikant Kadam) \n- x86/xen: Add xen_no_vector_callback option to test PCI INTX delivery (David Woodhouse) \n- xen: Fix event channel callback via INTX/GSI (David Woodhouse) \n- arm64: make atomic helpers __always_inline (Arnd Bergmann) \n- clk: tegra30: Add hda clock default rates to clock driver (Peter Geis) \n- HID: Ignore battery for Elan touchscreen on ASUS UX550 (Seth Miller) \n- HID: logitech-dj: add the G602 receiver (Filipe Lains) \n- riscv: Fix sifive serial driver (Damien Le Moal) \n- riscv: Fix kernel time_init() (Damien Le Moal) \n- scsi: sd: Suppress spurious errors when WRITE SAME is being disabled (Ewan D. Milne) \n- scsi: qedi: Correct max length of CHAP secret (Nilesh Javali) \n- scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback (Can Guo) \n- dm integrity: select CRYPTO_SKCIPHER (Anthony Iliopoulos) \n- HID: multitouch: Enable multi-input for Synaptics pointstick/touchpad device (Kai-Heng Feng) \n- ASoC: Intel: haswell: Add missing pm_ops (Cezary Rojewski) \n- drm/i915/gt: Prevent use of engine-\u003ewa_ctx after error (Chris Wilson) \n- drm/syncobj: Fix use-after-free (Daniel Vetter) \n- drm/atomic: put state on error path (Pan Bian) \n- dm integrity: fix a crash if 'recalculate' used without 'internal_hash' (Mikulas Patocka) \n- dm: avoid filesystem lookup in dm_get_dev_t() (Hannes Reinecke) \n- mmc: sdhci-xenon: fix 1.8v regulator stabilization (Alex Leibovich) \n- mmc: core: don't initialize block size from ext_csd if not present (Peter Collingbourne) \n- btrfs: send: fix invalid clone operations when cloning from the same file and root (Filipe Manana) \n- btrfs: don't clear ret in btrfs_start_dirty_block_groups (Josef Bacik) \n- btrfs: fix lockdep splat in 
btrfs_recover_relocation (Josef Bacik) \n- btrfs: don't get an EINTR during drop_snapshot for reloc (Josef Bacik) \n- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (Hans de Goede) \n- ALSA: hda/via: Add minimum mute flag (Takashi Iwai) \n- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (Takashi Iwai) \n- platform/x86: ideapad-laptop: Disable touchpad_switch for ELAN0634 (Jiaxun Yang) \n- platform/x86: i2c-multi-instantiate: Don't create platform device for INT3515 ACPI nodes (Heikki Krogerus) \n- i2c: bpmp-tegra: Ignore unknown I2C_M flags (Mikko Perttunen) \n- LTS tag: v5.4.92 (Jack Vogel) \n- spi: cadence: cache reference clock rate during probe (Michael Hennerich) \n- mac80211: check if atf has been disabled in __ieee80211_schedule_txq (Lorenzo Bianconi) \n- mac80211: do not drop tx nulldata packets on encrypted links (Felix Fietkau) \n- tipc: fix NULL deref in tipc_link_xmit() (Hoang Le) \n- net, sctp, filter: remap copy_from_user failure error (Daniel Borkmann) \n- rxrpc: Fix handling of an unsupported token type in rxrpc_read() (David Howells) \n- net: avoid 32 x truesize under-estimation for tiny skbs (Eric Dumazet) \n- net: sit: unregister_netdevice on newlink's error path (Jakub Kicinski) \n- net: stmmac: Fixed mtu channged by cache aligned (David Wu) \n- rxrpc: Call state should be read with READ_ONCE() under some circumstances (Baptiste Lepers) \n- net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands (Petr Machata) \n- net: dcb: Validate netlink message in DCB handler (Petr Machata) \n- esp: avoid unneeded kmap_atomic call (Willem de Bruijn) \n- rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request (Andrey Zhizhikin) \n- net: mvpp2: Remove Pause and Asym_Pause support (Stefan Chulski) \n- mlxsw: core: Increase critical threshold for ASIC thermal zone (Vadim Pasternak) \n- mlxsw: core: Add validation of transceiver temperature thresholds (Vadim Pasternak) \n- net: ipv6: 
Validate GSO SKB before finish IPv6 processing (Aya Levin) \n- netxen_nic: fix MSI/MSI-x interrupts (Manish Chopra) \n- udp: Prevent reuseport_select_sock from reading uninitialized socks (Baptiste Lepers) \n- bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback (Mircea Cirjaliu) \n- bpf: Don't leak memory in bpf getsockopt when optlen == 0 (Stanislav Fomichev) \n- nfsd4: readdirplus shouldn't return parent of export (J. Bruce Fields) \n- spi: npcm-fiu: Disable clock in probe error path (Lukas Wunner) \n- spi: npcm-fiu: simplify the return expression of npcm_fiu_probe() (Qinglang Miao) \n- elfcore: fix building with clang (Arnd Bergmann) \n- xen/privcmd: allow fetching resource sizes (Roger Pau Monne) \n- compiler.h: Raise minimum version of GCC to 5.1 for arm64 (Will Deacon) \n- usb: ohci: Make distrust_firmware param default to false (Hamish Martin) \n- LTS tag: v5.4.91 (Jack Vogel) \n- netfilter: nft_compat: remove flush counter optimization (Florian Westphal) \n- netfilter: nf_nat: Fix memleak in nf_nat_init (Dinghao Liu) \n- netfilter: conntrack: fix reading nf_conntrack_buckets (Jesper Dangaard Brouer) \n- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (Geert Uytterhoeven) \n- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (Geert Uytterhoeven) \n- dm: eliminate potential source of excessive kernel log noise (Mike Snitzer) \n- net: sunrpc: interpret the return value of kstrtou32 correctly (j.nixdorf@avm.de) \n- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (Lu Baolu) \n- mm, slub: consider rest of partial list if acquire_slab() fails (Jann Horn) \n- drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence (Hans de Goede) \n- IB/mlx5: Fix error unwinding when set_has_smi_cap fails (Parav Pandit) \n- RDMA/mlx5: Fix wrong free of blue flame register on error (Mark Bloch) \n- bnxt_en: Improve stats context resource accounting with RDMA driver 
loaded. (Michael Chan) \n- RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (Dinghao Liu) \n- RDMA/restrack: Don't treat as an error allocation ID wrapping (Leon Romanovsky) \n- ext4: fix superblock checksum failure when setting password salt (Jan Kara) \n- NFS: nfs_igrab_and_active must first reference the superblock (Trond Myklebust) \n- NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter (Trond Myklebust) \n- pNFS: Stricter ordering of layoutget and layoutreturn (Trond Myklebust) \n- pNFS: Mark layout for return if return-on-close was not sent (Trond Myklebust) \n- pNFS: We want return-on-close to complete when evicting the inode (Trond Myklebust) \n- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (Dave Wysochanski) \n- nvme-tcp: fix possible data corruption with bio merges (Sagi Grimberg) \n- ASoC: Intel: fix error code cnl_set_dsp_D0() (Dan Carpenter) \n- ASoC: meson: axg-tdmin: fix axg skew offset (Jerome Brunet) \n- ASoC: meson: axg-tdm-interface: fix loopback (Jerome Brunet) \n- dump_common_audit_data(): fix racy accesses to -\u003ed_name (Al Viro) \n- perf intel-pt: Fix 'CPU too large' error (Adrian Hunter) \n- ARM: picoxcell: fix missing interrupt-parent properties (Arnd Bergmann) \n- drm/msm: Call msm_init_vram before binding the gpu (Craig Tatlor) \n- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (Shawn Guo) \n- usb: typec: Fix copy paste error for NVIDIA alt-mode description (Peter Robinson) \n- drm/amdgpu: fix a GPU hang issue when remove device (Dennis Li) \n- nvmet-rdma: Fix list_del corruption on queue establishment failure (Israel Rukshin) \n- nvme-pci: mark Samsung PM1725a as IGNORE_DEV_SUBNQN (Gopal Tiwari) \n- selftests: fix the return value for UDP GRO test (Po-Hsu Lin) \n- net: ethernet: fs_enet: Add missing MODULE_LICENSE (Michael Ellerman) \n- misdn: dsp: select CONFIG_BITREVERSE (Arnd Bergmann) \nto fix build error on ARC (Randy Dunlap) \n- bfq: Fix computation of shallow depth (Jan 
Kara) \n- lib/raid6: Let rules work with macOS userland (John Millikin) \n- hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values (Uwe Kleine-Konig) \n- habanalabs: Fix memleak in hl_device_reset (Dinghao Liu) \n- habanalabs: register to pci shutdown callback (Oded Gabbay) \n- ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram (Rasmus Villemoes) \n- regulator: bd718x7: Add enable times (Guido Gunther) \n- btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (Filipe Manana) \n- netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin) \n- ARC: build: move symlink creation to arch/arc/Makefile to avoid race (Masahiro Yamada) \n- ARC: build: add boot_targets to PHONY (Masahiro Yamada) \n- ARC: build: add uImage.lzma to the top-level target (Masahiro Yamada) \n- ARC: build: remove non-existing bootpImage from KBUILD_IMAGE (Masahiro Yamada) \n- dm integrity: fix flush with external metadata device (Mikulas Patocka) \n- cifs: fix interrupted close commands (Paulo Alcantara) \n- smb3: remove unused flag passed into close functions (Steve French) \n- ext4: don't leak old mountpoint samples (Theodore Ts'o) \n- ext4: fix bug for rename with RENAME_WHITEOUT (yangerkun) \n- drm/i915/backlight: fix CPU mode backlight takeover on LPT (Jani Nikula) \n- btrfs: tree-checker: check if chunk item end overflows (Su Yue) \n- r8152: Add Lenovo Powered USB-C Travel Hub (Leon Schuermann) \n- dm integrity: fix the maximum number of arguments (Mikulas Patocka) \n- dm snapshot: flush merged data before committing metadata (Akilesh Kailash) \n- dm raid: fix discard limits for raid1 (Mike Snitzer) \n- mm/hugetlb: fix potential missing huge page size info (Miaohe Lin) \n- ACPI: scan: Harden acpi_device_add() against device ID overflows (Dexuan Cui) \n- RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd() (Tom Rix) \n- MIPS: relocatable: fix possible boot hangup with KASLR enabled (Alexander Lobakin) \n- 
MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB (Paul Cercueil) \n- mips: lib: uncached: fix non-standard usage of variable 'sp' (Anders Roxell) \n- mips: fix Section mismatch in reference (Anders Roxell) \n- tracing/kprobes: Do the notrace functions check without kprobes on ftrace (Masami Hiramatsu) \n- x86/hyperv: check cpu mask after interrupt has been disabled (Wei Liu) \n- ASoC: dapm: remove widget from dirty list on free (Thomas Hebb) \n- btrfs: prevent NULL pointer dereference in extent_io_tree_panic (Su Yue) \n- kbuild: enforce -Werror=return-type (Olaf Hering) \n- IB/ipoib: Improve latency in ipoib/cm connection formation (Manjunath Patil) [Orabug: 32852998]\n\n[5.4.17-2102.202.2]\n- vfio/pci: restore remap elision logic in vfio_pci_mmap_fault() (Ankur Arora) [Orabug: 32478548]\n\n[5.4.17-2102.202.1]\n- LTS tag: v5.4.90 (Jack Vogel) \n- regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init() (Dan Carpenter) \n- net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet (Vasily Averin) \n- block: fix use-after-free in disk_part_iter_next (Ming Lei) \n- KVM: arm64: Don't access PMCR_EL0 when no PMU is available (Marc Zyngier) \n- net: mvpp2: disable force link UP during port init procedure (Stefan Chulski) \n- regulator: qcom-rpmh-regulator: correct hfsmps515 definition (Dmitry Baryshkov) \n- wan: ds26522: select CONFIG_BITREVERSE (Arnd Bergmann) \n- regmap: debugfs: Fix a memory leak when calling regmap_attach_dev (Xiaolei Wang) \n- net/mlx5e: Fix two double free cases (Dinghao Liu) \n- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (Dinghao Liu) \n- iommu/intel: Fix memleak in intel_irq_remapping_alloc (Dinghao Liu) \n- lightnvm: select CONFIG_CRC32 (Arnd Bergmann) \n- block: rsxx: select CONFIG_CRC32 (Arnd Bergmann) \n- wil6210: select CONFIG_CRC32 (Arnd Bergmann) \n- qed: select CONFIG_CRC32 (Arnd Bergmann) \n- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (Shravya Kumbham) \n- 
dmaengine: xilinx_dma: fix incompatible param warning in _child_probe() (Shravya Kumbham) \n- dmaengine: xilinx_dma: check dma_async_device_register return value (Shravya Kumbham) \n- dmaengine: mediatek: mtk-hsdma: Fix a resource leak in the error handling path of the probe function (Christophe JAILLET) \n- i2c: i801: Fix the i2c-mux gpiod_lookup_table not being properly terminated (Hans de Goede) \n- spi: stm32: FIFO threshold level - fix align packet size (Roman Guskov) \n- cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get() (Colin Ian King) \n- can: kvaser_pciefd: select CONFIG_CRC32 (Arnd Bergmann) \n- can: m_can: m_can_class_unregister(): remove erroneous m_can_clk_stop() (Marc Kleine-Budde) \n- can: tcan4x5x: fix bittiming const, use common bittiming from m_can driver (Marc Kleine-Budde) \n- dmaengine: dw-edma: Fix use after free in dw_edma_alloc_chunk() (Dan Carpenter) \n- i2c: sprd: use a specific timeout to avoid system hang up issue (Chunyan Zhang) \n- ARM: OMAP2+: omap_device: fix idling of devices during probe (Andreas Kemnade) \n- HID: wacom: Fix memory leakage caused by kfifo_alloc (Ping Cheng) \n- iio: imu: st_lsm6dsx: fix edge-trigger interrupts (Lorenzo Bianconi) \n- vmlinux.lds.h: Add PGO and AutoFDO input sections (Nick Desaulniers) \n- exfat: Month timestamp metadata accidentally incremented (Valdis Kletnieks) \n- x86/resctrl: Don't move a task to the same resource group (Fenghua Yu) \n- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (Fenghua Yu) \n- chtls: Fix chtls resources release sequence (Ayush Sawal) \n- chtls: Added a check to avoid NULL pointer dereference (Ayush Sawal) \n- chtls: Replace skb_dequeue with skb_peek (Ayush Sawal) \n- chtls: Fix panic when route to peer not configured (Ayush Sawal) \n- chtls: Remove invalid set_tcb call (Ayush Sawal) \n- chtls: Fix hardware tid leak (Ayush Sawal) \n- net/mlx5e: ethtool, Fix restriction of autoneg with 56G (Aya Levin) \n- net/mlx5: Use port_num 1 
instead of 0 when delete a RoCE address (Mark Zhang) \n- net: dsa: lantiq_gswip: Exclude RMII from modes that report 1 GbE (Aleksander Jan Bajkowski) \n- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (Julian Wiedmann) \n- nexthop: Unlink nexthop group entry in error path (Ido Schimmel) \n- nexthop: Fix off-by-one error in error path (Ido Schimmel) \n- octeontx2-af: fix memory leak of lmac and lmac-\u003ename (Colin Ian King) \n- net: ip: always refragment ip defragmented packets (Florian Westphal) \n- net: fix pmtu check in nopmtudisc mode (Florian Westphal) \n- tools: selftests: add test for changing routes with PTMU exceptions (Sean Tranchetti) \n- net: ipv6: fib: flush exceptions when purging route (Sean Tranchetti) \n- net/sonic: Fix some resource leaks in error handling paths (Christophe JAILLET) \n- net: vlan: avoid leaks on register_vlan_dev() failures (Jakub Kicinski) \n- net: stmmac: dwmac-sun8i: Balance internal PHY power (Samuel Holland) \n- net: stmmac: dwmac-sun8i: Balance internal PHY resource references (Samuel Holland) \n- net: hns3: fix a phy loopback fail issue (Yonglong Liu) \n- net: hns3: fix the number of queues actually used by ARQ (Yufeng Mo) \n- net: cdc_ncm: correct overhead in delayed_ndp_size (Jouni K. 
Seppanen) \n- vfio iommu: Add dma available capability (Matthew Rosato) \n- x86/asm/32: Add ENDs to some functions and relabel with SYM_CODE_* (Jiri Slaby) \n- LTS tag: v5.4.89 (Jack Vogel) \n- scsi: target: Fix XCOPY NAA identifier lookup (David Disseldorp) {CVE-2020-28374}\n- KVM: x86: fix shift out of bounds reported by UBSAN (Paolo Bonzini) \n- x86/mtrr: Correct the range check before performing MTRR type lookups (Ying-Tsun Huang) \n- netfilter: nft_dynset: report EOPNOTSUPP on missing set feature (Pablo Neira Ayuso) \n- netfilter: xt_RATEEST: reject non-null terminated string from userspace (Florian Westphal) \n- netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin) \n- netfilter: x_tables: Update remaining dereference to RCU (Subash Abhinov Kasiviswanathan) \n- drm/i915: clear the gpu reloc batch (Matthew Auld) \n- dmabuf: fix use-after-free of dmabuf's file-\u003ef_inode (Charan Teja Reddy) \n- Revert 'device property: Keep secondary firmware node secondary by type' (Bard Liao) \n- btrfs: send: fix wrong file path when there is an inode with a pending rmdir (Filipe Manana) \n- ALSA: hda/realtek: Add two 'Intel Reference board' SSID in the ALC256. 
(PeiSen Hou) \n- ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7 (Kai-Heng Feng) \n- ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 (Kailang Yang) \n- ALSA: hda/conexant: add a new hda codec CX11970 (bo liu) \n- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (Takashi Iwai) \n- kvm: check tlbs_dirty directly (Lai Jiangshan) \n- x86/mm: Fix leak of pmd ptlock (Dan Williams) \n- USB: serial: keyspan_pda: remove unused variable (Johan Hovold) \n- usb: gadget: configfs: Fix use-after-free issue with udc_name (Eddie Hung) \n- usb: gadget: configfs: Preserve function ordering after bind failure (Chandana Kishori Chiluveru) \n- usb: gadget: Fix spinlock lockup on usb_function_deactivate (Sriharsha Allenki) \n- USB: gadget: legacy: fix return error code in acm_ms_bind() (Yang Yingliang) \n- usb: gadget: u_ether: Fix MTU size mismatch with RX packet size (Manish Narani) \n- usb: gadget: function: printer: Fix a memory leak for interface descriptor (Zqiang) \n- usb: gadget: f_uac2: reset wMaxPacketSize (Jerome Brunet) \n- usb: gadget: select CONFIG_CRC32 (Arnd Bergmann) \n- ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks (Takashi Iwai) \n- USB: usblp: fix DMA to stack (Johan Hovold) \n- USB: yurex: fix control-URB timeout handling (Johan Hovold) \n- USB: serial: option: add Quectel EM160R-GL (Bjorn Mork) \n- USB: serial: option: add LongSung M5710 module support (Daniel Palmer) \n- USB: serial: iuu_phoenix: fix DMA from stack (Johan Hovold) \n- usb: uas: Add PNY USB Portable SSD to unusual_uas (Thinh Nguyen) \n- usb: usbip: vhci_hcd: protect shift size (Randy Dunlap) \n- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (Michael Grzeschik) \n- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (Yu Kuai) \n- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (Serge Semin) \n- USB: cdc-wdm: Fix use after free in service_outstanding_interrupt(). 
(Tetsuo Handa) \n- USB: cdc-acm: blacklist another IR Droid device (Sean Young) \n- usb: gadget: enable super speed plus (taehyun.cho) \n- staging: mt7621-dma: Fix a resource leak in an error handling path (Christophe JAILLET) \n- powerpc: Handle .text.{hot,unlikely}.* in linker script (Nathan Chancellor) \n- crypto: asym_tpm: correct zero out potential secrets (Greg Kroah-Hartman) \n- crypto: ecdh - avoid buffer overflow in ecdh_set_secret() (Ard Biesheuvel) \n- Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close (Hans de Goede) \n- kbuild: don't hardcode depmod path (Dominique Martinet) \n- net/sched: sch_taprio: ensure to reset/destroy all child qdiscs (Davide Caratti) \n- ionic: account for vlan tag len in rx buffer len (Shannon Nelson) \n- vhost_net: fix ubuf refcount incorrectly when sendmsg fails (Yunjian Wang) \n- net: usb: qmi_wwan: add Quectel EM160R-GL (Bjorn Mork) \n- CDC-NCM: remove 'connected' log message (Roland Dreier) \n- net: dsa: lantiq_gswip: Fix GSWIP_MII_CFG(p) register access (Martin Blumenstingl) \n- net: dsa: lantiq_gswip: Enable GSWIP_MII_CFG_EN also for internal PHYs (Martin Blumenstingl) \n- r8169: work around power-saving bug on some chip versions (Heiner Kallweit) \n- net: hdlc_ppp: Fix issues when mod_timer is called while timer is running (Xie He) \n- erspan: fix version 1 check in gre_parse_header() (Cong Wang) \n- net: hns: fix return value check in __lb_other_process() (Yunjian Wang) \n- net: sched: prevent invalid Scell_log shift count (Randy Dunlap) \n- ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst() (Guillaume Nault) \n- net: mvpp2: fix pkt coalescing int-threshold configuration (Stefan Chulski) \n- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (Yunjian Wang) \n- net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered (Grygorii Strashko) \n- net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc (Antoine Tenart) \n- net-sysfs: take the rtnl 
lock when storing xps_rxqs (Antoine Tenart) \n- net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc (Antoine Tenart) \n- net-sysfs: take the rtnl lock when storing xps_cpus (Antoine Tenart) \n- net: ethernet: Fix memleak in ethoc_probe (Dinghao Liu) \n- net/ncsi: Use real net-device for response handler (John Wang) \n- virtio_net: Fix recursive call to cpus_read_lock() (Jeff Dike) \n- qede: fix offload for IPIP tunnel packets (Manish Chopra) \n- net: ethernet: mvneta: Fix error handling in mvneta_probe (Dinghao Liu) \n- ibmvnic: continue fatal error reset after passive init (Lijun Pan) \n- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (Stefan Chulski) \n- atm: idt77252: call pci_disable_device() on error path (Dan Carpenter) \n- ethernet: ucc_geth: set dev-\u003emax_mtu to 1518 (Rasmus Villemoes) \n- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (Rasmus Villemoes) \n- net: systemport: set dev-\u003emax_mtu to UMAC_MAX_MTU_SIZE (Florian Fainelli) \n- net: mvpp2: prs: fix PPPoE with ipv6 packet parse (Stefan Chulski) \n- net: mvpp2: Add TCAM entry to drop flow control pause frames (Stefan Chulski) \n- iavf: fix double-release of rtnl_lock (Jakub Kicinski) \n- i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (Sylwester Dziedziuch) \n- proc: fix lookup in /proc/net subdirectories after setns(2) (Alexey Dobriyan) \n- proc: change -\u003enlink under proc_subdir_lock (Alexey Dobriyan) \n- depmod: handle the case of /sbin/depmod without /sbin in PATH (Linus Torvalds) \n- lib/genalloc: fix the overflow when size is too big (Huang Shijie) \n- scsi: scsi_transport_spi: Set RQF_PM for domain validation commands (Bart Van Assche) \n- scsi: ide: Do not set the RQF_PREEMPT flag for sense requests (Bart Van Assche) \n- scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk -\u003epoweroff() (Adrian Hunter) \n- scsi: ufs: Fix wrong print message in dev_err() (Bean Huo) \n- workqueue: Kick a worker based on 
the actual activation of delayed works (Yunfeng Ye) \n- LTS tag: v5.4.88 (Jack Vogel) \n- exec: Transform exec_update_mutex into a rw_semaphore (Eric W. Biederman) \n- rwsem: Implement down_read_interruptible (Eric W. Biederman) \n- rwsem: Implement down_read_killable_nested (Eric W. Biederman) \n- perf: Break deadlock involving exec_update_mutex (peterz@infradead.org) \n- iio:imu:bmi160: Fix alignment and data leak issues (Jonathan Cameron) \n- kdev_t: always inline major/minor helper functions (Josh Poimboeuf) \n- dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate() (Yu Kuai) \n- dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate() (Yu Kuai) \n- dmaengine: at_hdmac: Substitute kzalloc with kmalloc (Tudor Ambarus) \n- Revert 'mtd: spinand: Fix OOB read' (Felix Fietkau) \n- Revert 'drm/amd/display: Fix memory leaks in S3 resume' (Alex Deucher) \n- LTS tag: v5.4.87 (Jack Vogel) \n- dm verity: skip verity work if I/O error when system is shutting down (Hyeongseok Kim) \n- ALSA: pcm: Clear the full allocated memory at hw_params (Takashi Iwai) \n- tick/sched: Remove bogus boot 'safety' check (Thomas Gleixner) \n- um: ubd: Submit all data segments atomically (Gabriel Krisman Bertazi) \n- fs/namespace.c: WARN if mnt_count has become negative (Eric Biggers) \n- module: delay kobject uevent until after module init call (Jessica Yu) \n- f2fs: avoid race condition for shrinker count (Jaegeuk Kim) \n- NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode (Trond Myklebust) \n- i3c master: fix missing destroy_workqueue() on error in i3c_master_register (Qinglang Miao) \n- powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() (Qinglang Miao) \n- rtc: pl031: fix resource leak in pl031_probe (Zheng Liang) \n- quota: Don't overflow quota file offsets (Jan Kara) \n- module: set MODULE_STATE_GOING state when a module fails to load (Miroslav Benes) \n- rtc: sun6i: Fix memleak in sun6i_rtc_clk_init (Dinghao Liu) \n- fcntl: 
Fix potential deadlock in send_sig{io, urg}() (Boqun Feng) \n- bfs: don't use WARNING: string when it's just info. (Randy Dunlap) \n- ALSA: rawmidi: Access runtime-\u003eavail always in spinlock (Takashi Iwai) \n- ALSA: seq: Use bool for snd_seq_queue internal flags (Takashi Iwai) \n- f2fs: fix shift-out-of-bounds in sanity_check_raw_super() (Chao Yu) \n- media: gp8psk: initialize stats at power control logic (Mauro Carvalho Chehab) \n- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (Anant Thazhemadam) \n- reiserfs: add check for an invalid ih_entry_count (Rustam Kovhaev) \n- Bluetooth: hci_h5: close serdev device and free hu in h5_close (Anant Thazhemadam) \n- scsi: cxgb4i: Fix TLS dependency (Randy Dunlap) \n- cgroup: Fix memory leak when parsing multiple source parameters (Qinglang Miao) \n- of: fix linker-section match-table corruption (Johan Hovold) \n- null_blk: Fix zone size initialization (Damien Le Moal) \n- tools headers UAPI: Sync linux/const.h with the kernel headers (Arnaldo Carvalho de Melo) \n(Petr Vorel) \n- scsi: block: Fix a race in the runtime power management code (Bart Van Assche) \n- jffs2: Fix NULL pointer dereference in rp_size fs option parsing (Jamie Iles) \n- jffs2: Allow setting rp_size to zero during remounting (lizhe) \n- powerpc/bitops: Fix possible undefined behaviour with fls() and fls64() (Christophe Leroy) \n- KVM: x86: reinstate vendor-agnostic check on SPEC_CTRL cpuid bits (Paolo Bonzini) \n- KVM: x86: avoid incorrect writes to host MSR_IA32_SPEC_CTRL (Paolo Bonzini) \n- ext4: don't remount read-only with errors=continue on reboot (Jan Kara) \n- btrfs: fix race when defragmenting leads to unnecessary IO (Filipe Manana) \n- vfio/pci: Move dummy_resources_list init in vfio_pci_probe() (Eric Auger) \n- fscrypt: remove kernel-internal constants from UAPI header (Eric Biggers) \n- fscrypt: add fscrypt_is_nokey_name() (Eric Biggers) \n- f2fs: prevent creating duplicate encrypted filenames 
(Eric Biggers) \n- ubifs: prevent creating duplicate encrypted filenames (Eric Biggers) \n- ext4: prevent creating duplicate encrypted filenames (Eric Biggers) \n- thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed (Zhuguangqing) \n- md/raid10: initialize r10_bio-\u003eread_slot before use. (Kevin Vigor) \n- net/sched: sch_taprio: reset child qdiscs before freeing them (Davide Caratti) \n- uek/ol/config-aarch64: Update uek6 kernel with RPI IOT configs (Vijay Kumar) [Orabug: 32833361] \n- dts/bcm2711: set gpio6 to level=0 and pull=down (Vijay Kumar) [Orabug: 32833361] \n- dts: bcm283x: Fix vc4's firmware bus DMA limitations (Nicolas Saenz Julienne) [Orabug: 32833361] \n- uek6/config-aarch64-rpi: Enable CONFIG_RTC_DRV_ABEOZ9 (Vijay Kumar) [Orabug: 32833361] \n- rtc/ab-eoz9: Add support for ABEOA9 SPI chip (Vijay Kumar) [Orabug: 32833361] \n- rtc: abracon: add abeoa9 device id (Tom Saeger) [Orabug: 32833361] \n- arm64/dts/bcm2711: Set SPI_CE0_N to output for GPIO8 (Vijay Kumar) [Orabug: 32833361] \n- uek-rpm/ol8: Build rpi kernel (Tom Saeger) [Orabug: 32833361] \n- uek-rpm: add rpi specific config (Tom Saeger) [Orabug: 32833361] \n- firmware/raspberrypi: Notify firmware of a reboot (Phil Elwell) [Orabug: 32833361] \n- firmware: raspberrypi: Report the fw variant during probe (Dave Stevenson) [Orabug: 32833361] \n- raspberrypi-firmware: Export the general transaction function. 
(Eric Anholt) [Orabug: 32833361] \n- firmware: bcm2835: Support ARCH_BCM270x (Noralf Tronnes) [Orabug: 32833361] \n- Add NO_WAIT_RESP flag (Phil Elwell) [Orabug: 32833361] \n- bcm2835-dma: Add proper 40-bit DMA support (Phil Elwell) [Orabug: 32833361] \n- dmaengine: Add support for BCM2708 (Florian Meier) [Orabug: 32833361] \n- dmaengine: bcm2835: Load driver early and support legacy API (Noralf Tronnes) [Orabug: 32833361] \n- RPi: char: broadcom: Add vcio module (Noralf Tronnes) [Orabug: 32833361] \n- RPi: Add /dev/gpiomem device for rootless user GPIO access (Luke Wren) [Orabug: 32833361] \n- RPi: vcsm: VideoCore shared memory service for BCM2835 (Tim Gover) [Orabug: 32833361] \n- RPi: vc_mem: Add vc_mem driver for querying firmware memory addresses (popcornmix) [Orabug: 32833361] \n- RPi4/dts: set alias for i2c device (Vijay Kumar) [Orabug: 32833361] \n- dts: Enable i2c4 for RPi4 (Vijay Kumar) [Orabug: 32833361] \n- RPi:dts/bcm2711: Enable pwm for RPi4 board (Vijay Kumar) [Orabug: 32833361] \n- RPi: transplant rpi_backlight to it's expected place (Andrew Thomas) [Orabug: 32833361] \n- RPi: pinctrl-bcm2835: Set base to 0 for BCM2711 (Andrew Thomas) [Orabug: 32833361] \n- RPi: pinctrl-bcm2835: Set base to 0 give expected gpio numbering (notro) [Orabug: 32833361] \n- RPi: spidev: add rpi4 spidev0 (Tom Saeger) [Orabug: 32833361] \n- RPi: dts: rpi4 add gpiomem (Tom Saeger) [Orabug: 32833361] \n- RPi: dts: enable rpi4 touchscreen, i2c, and spi (Tom Saeger) [Orabug: 32833361] \n- RPi: rpi_display: add backlight driver and overlay (P33M) [Orabug: 32833361] \n- HID: quirks: Add quirk for Lenovo optical mouse (Saeed Mirzamohammadi) [Orabug: 32820273] \n- x86/amd: Disable IBS on Rome processors due to erratum 1215 (Boris Ostrovsky) [Orabug: 32817184] \n- perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 (Kan Liang) [Orabug: 32806848]\n\n[5.4.17-2102.202.0]\n- LTS tag: v5.4.86 (Jack Vogel) \n- x86/CPU/AMD: Save AMD NodeId as cpu_die_id (Yazen Ghannam) \n- 
Revert: 'ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS' (Steven Rostedt (VMware)) \n- rtc: ep93xx: Fix NULL pointer dereference in ep93xx_rtc_read_time (Nikita Shubin) \n- regulator: axp20x: Fix DLDO2 voltage control register mask for AXP22x (DingHua Ma) \n- PCI: Fix pci_slot_release() NULL pointer dereference (Jubin Zhong) \n- platform/x86: intel-vbtn: Allow switch events on Acer Switch Alpha 12 (Carlos Garnacho) \n- libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (Dan Williams) \n- xen/xenbus: Count pending messages for each watch (SeongJae Park) \n- xen/xenbus: Allow watches discard events before queueing (SeongJae Park) \n- dma-buf/dma-resv: Respect num_fences when initializing the shared fence list. (Maarten Lankhorst) \n- device-dax/core: Fix memory leak when rmmod dax.ko (Wang Hai) \n- clk: tegra: Do not return 0 on failure (Nicolin Chen) \n- clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 (Terry Zhou) \n- clk: ingenic: Fix divider calculation with div tables (Paul Cercueil) \n- pinctrl: sunxi: Always call chained_irq_{enter, exit} in sunxi_pinctrl_irq_handler (Yangtao Li) \n- md/cluster: fix deadlock when node is doing resync job (Zhao Heming) \n- md/cluster: block reshape with remote resync job (Zhao Heming) \n- iio:adc:ti-ads124s08: Fix alignment and data leak issues. (Jonathan Cameron) \n- iio:adc:ti-ads124s08: Fix buffer being too long. (Jonathan Cameron) \n- iio:imu:bmi160: Fix too large a buffer. (Jonathan Cameron) \n- iio:pressure:mpl3115: Force alignment of buffer (Jonathan Cameron) \n- iio:magnetometer:mag3110: Fix alignment and data leak issues. (Jonathan Cameron) \n- iio:light:st_uvis25: Fix timestamp alignment and prevent data leak. (Jonathan Cameron) \n- iio:light:rpr0521: Fix timestamp alignment and prevent data leak. 
(Jonathan Cameron) \n- iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume (Qinglang Miao) \n- iio: buffer: Fix demux update (Nuno Sa) \n- scsi: qla2xxx: Fix crash during driver load on big endian machines (Arun Easi) \n- mtd: rawnand: meson: fix meson_nfc_dma_buffer_release() arguments (Sergei Antonov) \n- mtd: rawnand: qcom: Fix DMA sync on FLASH_STATUS register read (Praveenkumar I) \n- mtd: parser: cmdline: Fix parsing of part-names with colons (Sven Eckelmann) \n- mtd: spinand: Fix OOB read (Miquel Raynal) \n- soc: qcom: smp2p: Safely acquire spinlock without IRQs (Evan Green) \n- spi: atmel-quadspi: Fix AHB memory accesses (Tudor Ambarus) \n- spi: atmel-quadspi: Disable clock in probe error path (Lukas Wunner) \n- spi: mt7621: Don't leak SPI master in probe error path (Lukas Wunner) \n- spi: mt7621: Disable clock in probe error path (Lukas Wunner) \n- spi: synquacer: Disable clock in probe error path (Lukas Wunner) \n- spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path (Lukas Wunner) \n- spi: sc18is602: Don't leak SPI master in probe error path (Lukas Wunner) \n- spi: rb4xx: Don't leak SPI master in probe error path (Lukas Wunner) \n- spi: pic32: Don't leak DMA channels in probe error path (Lukas Wunner) \n- spi: mxic: Don't leak SPI master in probe error path (Lukas Wunner) \n- spi: gpio: Don't leak SPI master in probe error path (Lukas Wunner) \n- spi: fsl: fix use of spisel_boot signal on MPC8309 (Rasmus Villemoes) \n- spi: davinci: Fix use-after-free on unbind (Lukas Wunner) \n- spi: atmel-quadspi: Fix use-after-free on unbind (Lukas Wunner) \n- spi: spi-sh: Fix use-after-free on unbind (Lukas Wunner) \n- spi: pxa2xx: Fix use-after-free on unbind (Lukas Wunner) \n- drm/i915: Fix mismatch between misplaced vma check and vma insert (Chris Wilson) \n- drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() (Zwane Mwaikambo) \n- drm/amd/display: Fix memory leaks in S3 resume 
(Stylon Wang) \n- platform/x86: mlx-platform: remove an unused variable (Arnd Bergmann) \n- jfs: Fix array index bounds check in dbAdjTree (Dave Kleikamp) \n- jffs2: Fix ignoring mounting options problem during remounting (lizhe) \n- jffs2: Fix GC exit abnormally (Zhe Li) \n- ubifs: wbuf: Don't leak kernel memory to flash (Richard Weinberger) \n- SMB3: avoid confusing warning message on mount to Azure (Steve French) \n- ceph: fix race in concurrent __ceph_remove_cap invocations (Luis Henriques) \n- um: Remove use of asprinf in umid.c (Anton Ivanov) \n- ima: Don't modify file descriptor mode on the fly (Roberto Sassu) \n- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (David Hildenbrand) \n- powerpc/powernv/memtrace: Don't leak kernel memory to user space (David Hildenbrand) \n- powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (Alexey Kardashevskiy) \n- powerpc/mm: Fix verification of MMU_FTR_TYPE_44x (Christophe Leroy) \n- powerpc/8xx: Fix early debug when SMC1 is relocated (Christophe Leroy) \n- powerpc/xmon: Change printk() to pr_cont() (Christophe Leroy) \n- powerpc/feature: Add CPU_FTR_NOEXECUTE to G2_LE (Christophe Leroy) \n- powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter (Tyrel Datwyler) \n- powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at (Mathieu Desnoyers) \n- xprtrdma: Fix XDRBUF_SPARSE_PAGES support (Chuck Lever) \n- ARM: dts: at91: sama5d2: fix CAN message ram offset and size (Nicolas Ferre) \n- ARM: dts: pandaboard: fix pinmux for gpio user button of Pandaboard ES (H. 
Nikolaus Schaller) \n- KVM: arm64: Introduce handling of AArch32 TTBCR2 traps (Marc Zyngier) \n- ext4: fix deadlock with fs freezing and EA inodes (Jan Kara) \n- ext4: fix a memory leak of ext4_free_data (Chunguang Xu) \n- btrfs: trim: fix underflow in trim length to prevent access beyond device boundary (Qu Wenruo) \n- btrfs: do not shorten unpin len for caching block groups (Josef Bacik) \n- USB: serial: keyspan_pda: fix write unthrottling (Johan Hovold) \n- USB: serial: keyspan_pda: fix tx-unthrottle use-after-free (Johan Hovold) \n- USB: serial: keyspan_pda: fix write-wakeup use-after-free (Johan Hovold) \n- USB: serial: keyspan_pda: fix stalled writes (Johan Hovold) \n- USB: serial: keyspan_pda: fix write deadlock (Johan Hovold) \n- USB: serial: keyspan_pda: fix dropped unthrottle interrupts (Johan Hovold) \n- USB: serial: digi_acceleport: fix write-wakeup deadlocks (Johan Hovold) \n- USB: serial: mos7720: fix parallel-port state restore (Johan Hovold) \n- EDAC/amd64: Fix PCI component registration (Borislav Petkov) \n- EDAC/i10nm: Use readl() to access MMIO registers (Qiuxu Zhuo) \n- crypto: arm/aes-ce - work around Cortex-A57/A72 silion errata (Ard Biesheuvel) \n- crypto: ecdh - avoid unaligned accesses in ecdh_set_secret() (Ard Biesheuvel) \n- powerpc/perf: Exclude kernel samples while counting events in user space. 
(Athira Rajeev) \n- perf/x86/intel: Fix rtm_abort_event encoding on Ice Lake (Kan Liang) \n- perf/x86/intel: Add event constraint for CYCLE_ACTIVITY.STALLS_MEM_ANY (Kan Liang) \n- staging: comedi: mf6x4: Fix AI end-of-conversion detection (Ian Abbott) \n- ASoC: cx2072x: Fix doubly definitions of Playback and Capture streams (Takashi Iwai) \n- binder: add flag to clear buffer on txn complete (Todd Kjos) \n- s390/dasd: fix list corruption of lcu list (Stefan Haberland) \n- s390/dasd: fix list corruption of pavgroup group list (Stefan Haberland) \n- s390/dasd: prevent inconsistent LCU device data (Stefan Haberland) \n- s390/dasd: fix hanging device offline processing (Stefan Haberland) \n- s390/kexec_file: fix diag308 subcode when loading crash kernel (Philipp Rudo) \n- s390/smp: perform initial CPU reset also for SMT siblings (Sven Schnelle) \n- ALSA: core: memalloc: add page alignment for iram (Robin Gong) \n- ALSA: usb-audio: Disable sample read check if firmware doesn't give back (Takashi Iwai) \n- ALSA: usb-audio: Add VID to support native DSD reproduction on FiiO devices (Amadej Kastelic) \n- ALSA: hda/realtek: Apply jack fixup for Quanta NL3 (Chris Chiu) \n- ALSA: hda/realtek: Add quirk for MSI-GP73 (Takashi Iwai) \n- ALSA/hda: apply jack fixup for the Acer Veriton N4640G/N6640G/N2510G (Chris Chiu) \n- ALSA: pcm: oss: Fix a few more UBSAN fixes (Takashi Iwai) \n- ALSA: hda/realtek - Add supported for more Lenovo ALC285 Headset Button (Kailang Yang) \n- ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 (Chris Chiu) \n- ALSA: hda/realtek - Enable headset mic of ASUS X430UN with ALC256 (Chris Chiu) \n- ALSA: hda/realtek: make bass spk volume adjustable on a yoga laptop (Hui Wang) \n- ALSA: hda/ca0132 - Fix AE-5 rear headphone pincfg. 
(Connor McAdams) \n- ALSA: hda: Fix regressions on clear and reconfig sysfs (Takashi Iwai) \n- ACPI: PNP: compare the string length in the matching_id() (Hui Wang) \n- Revert 'ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks' (Daniel Scally) \n- PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup() (Rafael J. Wysocki) \n- ALSA: hda/ca0132 - Change Input Source enum strings. (Connor McAdams) \n- Input: cyapa_gen6 - fix out-of-bounds stack access (Arnd Bergmann) \n- media: ipu3-cio2: Make the field on subdev format V4L2_FIELD_NONE (Sakari Ailus) \n- media: ipu3-cio2: Validate mbus format in setting subdev format (Sakari Ailus) \n- media: ipu3-cio2: Serialise access to pad format (Sakari Ailus) \n- media: ipu3-cio2: Return actual subdev format (Sakari Ailus) \n- media: ipu3-cio2: Remove traces of returned buffers (Sakari Ailus) \n- media: netup_unidvb: Don't leak SPI master in probe error path (Lukas Wunner) \n- media: sunxi-cir: ensure IR is handled when it is continuous (Sean Young) \n- media: gspca: Fix memory leak in probe (Alan Stern) \n- vfio/pci/nvlink2: Do not attempt NPU2 setup on POWER8NVL NPU (Alexey Kardashevskiy) \n- Input: goodix - add upside-down quirk for Teclast X98 Pro tablet (Simon Beginn) \n- initramfs: fix clang build failure (Arnd Bergmann) \n- Input: cros_ec_keyb - send 'scancodes' in addition to key events (Dmitry Torokhov) \n- drm/amdkfd: Fix leak in dmabuf import (Felix Kuehling) \n- drm/amd/display: Prevent bandwidth overflow (Chris Park) \n- lwt: Disable BH too in run_lwt_bpf() (Dongdong Wang) \n- fix namespaced fscaps when !CONFIG_SECURITY (Serge Hallyn) \n- cfg80211: initialize rekey_data (Sara Sharon) \n- ARM: sunxi: Add machine match for the Allwinner V3 SoC (Paul Kocialkowski) \n- perf probe: Fix memory leak when synthesizing SDT probes (Arnaldo Carvalho de Melo) \n- kconfig: fix return value of do_error_if() (Masahiro Yamada) \n- clk: sunxi-ng: Make sure divider tables have sentinel (Jernej Skrabec) \n- clk: s2mps11: Fix 
a resource leak in error handling paths in the probe function (Christophe JAILLET) \n- clk: at91: sam9x60: remove atmel,osc-bypass support (Alexandre Belloni) \n- virtio_ring: Fix two use after free bugs (Dan Carpenter) \n- virtio_net: Fix error code in probe() (Dan Carpenter) \n- virtio_ring: Cut and paste bugs in vring_create_virtqueue_packed() (Dan Carpenter) \n- qlcnic: Fix error code in probe (Dan Carpenter) \n- perf record: Fix memory leak when using '--user-regs=?' to list registers (Zheng Zengkai) \n- pwm: lp3943: Dynamically allocate PWM chip base (Lokesh Vutla) \n- pwm: zx: Add missing cleanup in error path (Uwe Kleine-Konig) \n- clk: ti: Fix memleak in ti_fapll_synth_setup (Zhang Qilong) \n- watchdog: coh901327: add COMMON_CLK dependency (Arnd Bergmann) \n- watchdog: qcom: Avoid context switch in restart handler (Manivannan Sadhasivam) \n- libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (Zhang Qilong) \n- net: korina: fix return value (Vincent Stehle) \n- net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function (Christophe JAILLET) \n- net: bcmgenet: Fix a resource leak in an error handling path in the probe functin (Christophe JAILLET) \n- lan743x: fix rx_napi_poll/interrupt ping-pong (Sven Van Asbroeck) \n- checkpatch: fix unescaped left brace (Dwaipayan Ray) \n- mm: don't wake kswapd prematurely when watermark boosting is disabled (Johannes Weiner) \n- sparc: fix handling of page table constructor failure (Matthew Wilcox (Oracle)) \n- powerpc/ps3: use dma_mapping_error() (Vincent Stehle) \n- nfc: s3fwrn5: Release the nfc firmware (Bongsu Jeon) \n- RDMA/cma: Don't overwrite sgid_attr after device is released (Leon Romanovsky) \n- sunrpc: fix xs_read_xdr_buf for partial pages receive (Dan Aloni) \n- um: chan_xterm: Fix fd leak (Anton Ivanov) \n- um: tty: Fix handling of close in tty lines (Anton Ivanov) \n- um: Monitor error events in IRQ controller (Anton Ivanov) \n- ubifs: Fix error 
return code in ubifs_init_authentication() (Wang ShaoBo) \n- watchdog: Fix potential dereferencing of null pointer (Wang Wensheng) \n- watchdog: sprd: check busy bit before new loading rather than after that (Lingling Xu) \n- watchdog: sprd: remove watchdog disable from resume fail path (Lingling Xu) \n- watchdog: sirfsoc: Add missing dependency on HAS_IOMEM (Guenter Roeck) \n- watchdog: armada_37xx: Add missing dependency on HAS_IOMEM (Guenter Roeck) \n- irqchip/alpine-msi: Fix freeing of interrupts on allocation error path (Marc Zyngier) \n- ASoC: wm_adsp: remove 'ctl' from list on error in wm_adsp_create_control() (Dan Carpenter) \n- mac80211: don't set set TDLS STA bandwidth wider than possible (Johannes Berg) \n- crypto: atmel-i2c - select CONFIG_BITREVERSE (Arnd Bergmann) \n- extcon: max77693: Fix modalias string (Marek Szyprowski) \n- mtd: rawnand: gpmi: Fix the random DMA timeout issue (Han Xu) \n- mtd: rawnand: meson: Fix a resource leak in init (Dan Carpenter) \n- mtd: rawnand: gpmi: fix reference count leak in gpmi ops (Zhang Qilong) \n- clk: tegra: Fix duplicated SE clock entry (Dmitry Osipenko) \n- remoteproc: qcom: Fix potential NULL dereference in adsp_init_mmio() (Zhang Changzhong) \n- remoteproc: qcom: fix reference leak in adsp_start (Zhang Qilong) \n- remoteproc: q6v5-mss: fix error handling in q6v5_pds_enable (Zhang Qilong) \n- RDMA/core: Do not indicate device ready when device enablement fails (Jack Morgenstein) \n- can: m_can: m_can_config_endisable(): remove double clearing of clock stop request bit (Sean Nyekjaer) \n- erofs: avoid using generic_block_bmap (Huang Jianan) \n- iwlwifi: mvm: hook up missing RX handlers (Johannes Berg) \n- s390/cio: fix use-after-free in ccw_device_destroy_console (Qinglang Miao) \n- bus: fsl-mc: fix error return code in fsl_mc_object_allocate() (Zhang Changzhong) \n- platform/chrome: cros_ec_spi: Don't overwrite spi::mode (Stephen Boyd) \n- x86/kprobes: Restore BTF if the single-stepping is cancelled (Masami 
Hiramatsu) \n- nfs_common: need lock during iterate through the list (Cheng Lin) \n- nfsd: Fix message level for normal termination (kazuo ito) \n- speakup: fix uninitialized flush_lock (Yang Yingliang) \n- usb: oxu210hp-hcd: Fix memory leak in oxu_create (Zhang Qilong) \n- usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe (Zhang Qilong) \n- powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S (Christophe Leroy) \n- ASoC: amd: change clk_get() to devm_clk_get() and add missed checks (Chuhong Yuan) \n- drm/mediatek: avoid dereferencing a null hdmi_phy on an error message (Colin Ian King) \n- powerpc/pseries/hibernation: remove redundant cacheinfo update (Nathan Lynch) \n- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (Nathan Lynch) \n- platform/x86: mlx-platform: Fix item counter assignment for MSN2700, MSN24xx systems (Vadim Pasternak) \n- scsi: fnic: Fix error return code in fnic_probe() (Zhang Changzhong) \n- seq_buf: Avoid type mismatch for seq_buf_init (Arnd Bergmann) \n- scsi: pm80xx: Fix error return in pm8001_pci_probe() (Zhang Qilong) \n- scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe (Qinglang Miao) \n- arm64: dts: meson: g12a: x96-max: fix PHY deassert timing requirements (Stefan Agner) \n- ARM: dts: meson: fix PHY deassert timing requirements (Stefan Agner) \n- arm64: dts: meson: fix PHY deassert timing requirements (Stefan Agner) \n- Bluetooth: btmtksdio: Add the missed release_firmware() in mtk_setup_firmware() (Jing Xiangfeng) \n- Bluetooth: btusb: Add the missed release_firmware() in btusb_mtk_setup_firmware() (Jing Xiangfeng) \n- cpufreq: scpi: Add missing MODULE_ALIAS (Pali Rohar) \n- cpufreq: loongson1: Add missing MODULE_ALIAS (Pali Rohar) \n- cpufreq: sun50i: Add missing MODULE_DEVICE_TABLE (Pali Rohar) \n- cpufreq: st: Add missing MODULE_DEVICE_TABLE (Pali Rohar) \n- cpufreq: qcom: Add missing MODULE_DEVICE_TABLE (Pali Rohar) \n- cpufreq: mediatek: Add 
missing MODULE_DEVICE_TABLE (Pali Rohar) \n- cpufreq: highbank: Add missing MODULE_DEVICE_TABLE (Pali Rohar) \n- cpufreq: ap806: Add missing MODULE_DEVICE_TABLE (Pali Rohar) \n- clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI (Keqian Zhu) \n- clocksource/drivers/arm_arch_timer: Use stable count reader in erratum sne (Keqian Zhu) \n- phy: renesas: rcar-gen3-usb2: disable runtime pm in case of failure (Wang Li) \n- dm ioctl: fix error return code in target_message (Qinglang Miao) \n- ASoC: jz4740-i2s: add missed checks for clk_get() (Chuhong Yuan) \n- net/mlx5: Properly convey driver version to firmware (Leon Romanovsky) \n- MIPS: Don't round up kernel sections size for memblock_add() (Alexander Sverdlin) \n- memstick: r592: Fix error return in r592_probe() (Jing Xiangfeng) \n- arm64: dts: rockchip: Fix UART pull-ups on rk3328 (Chen-Yu Tsai) \n- pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe() (Yu Kuai) \n- bpf: Fix bpf_put_raw_tracepoint()'s use of __module_address() (Andrii Nakryiko) \n- ARM: dts: at91: sama5d2: map securam as device (Claudiu Beznea) \n- iio: hrtimer-trigger: Mark hrtimer to expire in hard interrupt context (Lars-Peter Clausen) \n- clocksource/drivers/cadence_ttc: Fix memory leak in ttc_setup_clockevent() (Yu Kuai) \n- clocksource/drivers/orion: Add missing clk_disable_unprepare() on error path (Yang Yingliang) \n- powerpc/64: Fix an EMIT_BUG_ENTRY in head_64.S (Jordan Niethe) \n- powerpc/perf: Fix crash with is_sier_available when pmu is not set (Athira Rajeev) \n- media: saa7146: fix array overflow in vidioc_s_audio() (Dan Carpenter) \n- hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (Zhang Qilong) \n- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (Jason Gunthorpe) \n- selftests/seccomp: Update kernel config (Mickael Salaun) \n- NFS: switch nfsiod to be an UNBOUND workqueue. 
(NeilBrown) \n- net: sunrpc: Fix 'snprintf' return value check in 'do_xprt_debugfs' (Fedor Tokarev) \n- NFSv4: Fix the alignment of page data in the getdeviceinfo reply (Trond Myklebust) \n- SUNRPC: xprt_load_transport() needs to support the netid 'rdma6' (Trond Myklebust) \n- NFSv4.2: condition READDIR's mask for security label based on LSM state (Olga Kornievskaia) \n- SUNRPC: rpc_wake_up() should wake up tasks in the correct order (Trond Myklebust) \n- ath10k: Release some resources in an error handling path (Christophe JAILLET) \n- ath10k: Fix an error handling path (Christophe JAILLET) \n- ath10k: Fix the parsing error in service available event (Rakesh Pillai) \n- platform/x86: dell-smbios-base: Fix error return code in dell_smbios_init (Qinglang Miao) \n- ARM: dts: at91: at91sam9rl: fix ADC triggers (Alexandre Belloni) \n- soc: amlogic: canvas: add missing put_device() call in meson_canvas_get() (Yu Kuai) \n- arm64: dts: meson-sm1: fix typo in opp table (Dongjin Kim) \n- arm64: dts: meson: fix spi-max-frequency on Khadas VIM2 (Artem Lapkin) \n- PCI: iproc: Fix out-of-bound array accesses (Bharat Gooty) \n- PCI: Fix overflow in command-line resource alignment requests (Colin Ian King) \n- PCI: Bounds-check command-line resource alignment requests (Bjorn Helgaas) \n- arm64: dts: qcom: c630: Polish i2c-hid devices (Bjorn Andersson) \n- arm64: dts: ls1028a: fix ENETC PTP clock input (Michael Walle) \n- genirq/irqdomain: Don't try to free an interrupt that has no mapping (Marc Zyngier) \n- power: supply: bq24190_charger: fix reference leak (Zhang Qilong) \n- power: supply: axp288_charger: Fix HP Pavilion x2 10 DMI matching (Hans de Goede) \n- arm64: dts: rockchip: Set dr_mode to 'host' for OTG on rk3328-roc-cc (Chen-Yu Tsai) \n- arm64: dts: armada-3720-turris-mox: update ethernet-phy handle name (Marek Behun) \n- ARM: dts: Remove non-existent i2c1 from 98dx3236 (Chris Packham) \n- HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() (Jing Xiangfeng) \n- 
slimbus: qcom-ngd-ctrl: Avoid sending power requests without QMI (Bjorn Andersson) \n- media: max2175: fix max2175_set_csm_mode() error code (Dan Carpenter) \n- mips: cdmm: fix use-after-free in mips_cdmm_bus_discover (Qinglang Miao) \n- media: imx214: Fix stop streaming (Daniel Gomez) \n- samples: bpf: Fix lwt_len_hist reusing previous BPF map (Daniel T. Lee) \n- platform/x86: mlx-platform: Remove PSU EEPROM from MSN274x platform configuration (Vadim Pasternak) \n- platform/x86: mlx-platform: Remove PSU EEPROM from default platform configuration (Vadim Pasternak) \n- media: siano: fix memory leak of debugfs members in smsdvb_hotplug (Keita Suzuki) \n- arm64: tegra: Fix DT binding for IO High Voltage entry (Vidya Sagar) \n- dmaengine: mv_xor_v2: Fix error return code in mv_xor_v2_probe() (Zhihao Cheng) \n- cw1200: fix missing destroy_workqueue() on error in cw1200_init_common (Qinglang Miao) \n- rsi: fix error return code in rsi_reset_card() (Zhang Changzhong) \n- qtnfmac: fix error return code in qtnf_pcie_probe() (Wang Hai) \n- orinoco: Move context allocation after processing the skb (Sebastian Andrzej Siewior) \n- mmc: pxamci: Fix error return code in pxamci_probe (Zhihao Cheng) \n- ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host (Cristian Birsan) \n- ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host (Cristian Birsan) \n- memstick: fix a double-free bug in memstick_check (Qinglang Miao) \n- RDMA/cxgb4: Validate the number of CQEs (Kamal Heib) \n- clk: meson: Kconfig: fix dependency for G12A (Kevin Hilman) \n- Input: omap4-keypad - fix runtime PM error handling (Zhang Qilong) \n- drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe (Zhihao Cheng) \n- soc: ti: Fix reference imbalance in knav_dma_probe (Zhang Qilong) \n- soc: ti: knav_qmss: fix reference leak in knav_queue_probe (Zhang Qilong) \n- spi: fix resource leak for drivers without .remove callback (Uwe Kleine-Konig) \n- crypto: omap-aes - Fix PM disable 
depth imbalance in omap_aes_probe (Zhang Qilong) \n- crypto: crypto4xx - Replace bitwise OR with logical OR in crypto4xx_build_pd (Nathan Chancellor) \n- EDAC/mce_amd: Use struct cpuinfo_x86.cpu_die_id for AMD NodeId (Yazen Ghannam) \n- powerpc/feature: Fix CPU_FTRS_ALWAYS by removing CPU_FTRS_GENERIC_32 (Christophe Leroy) \n- powerpc: Avoid broken GCC __attribute__((optimize)) (Ard Biesheuvel) \n- selftests/bpf: Fix broken riscv build (Bjorn Topel) \n- spi: mxs: fix reference leak in mxs_spi_probe (Zhang Qilong) \n- usb/max3421: fix return error code in max3421_probe() (Yang Yingliang) \n- Input: ads7846 - fix unaligned access on 7845 (Dmitry Torokhov) \n- Input: ads7846 - fix integer overflow on Rt calculation (Oleksij Rempel) \n- Input: ads7846 - fix race that causes missing releases (David Jander) \n- drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() (Yang Yingliang) \n- video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() (Yang Yingliang) \n- media: solo6x10: fix missing snd_card_free in error handling case (Qinglang Miao) \n- scsi: core: Fix VPD LUN ID designator priorities (Martin Wilck) \n- ASoC: meson: fix COMPILE_TEST error (Jerome Brunet) \n- media: v4l2-fwnode: Return -EINVAL for invalid bus-type (Lad Prabhakar) \n- media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_enc_pm() (Yu Kuai) \n- media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm() (Yu Kuai) \n- media: mtk-vcodec: add missing put_device() call in mtk_vcodec_init_dec_pm() (Yu Kuai) \n- media: tm6000: Fix sizeof() mismatches (Colin Ian King) \n- staging: gasket: interrupt: fix the missed eventfd_ctx_put() in gasket_interrupt.c (Jing Xiangfeng) \n- staging: greybus: codecs: Fix reference counter leak in error handling (Zhang Qilong) \n- crypto: qat - fix status check in qat_hal_put_rel_rd_xfer() (Jack Xu) \n- MIPS: BCM47XX: fix kconfig dependency bug for BCM47XX_BCMA (Necip Fazil Yildiran) \n- RDMa/mthca: Work around 
-Wenum-conversion warning (Arnd Bergmann) \n- ASoC: arizona: Fix a wrong free in wm8997_probe (Zhang Qilong) \n- spi: sprd: fix reference leak in sprd_spi_remove (Zhang Qilong) \n- ASoC: wm8998: Fix PM disable depth imbalance on error (Zhang Qilong) \n- selftest/bpf: Add missed ip6ip6 test back (Hangbin Liu) \n- mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure (Tsuchiya Yuto) \n- spi: bcm63xx-hsspi: fix missing clk_disable_unprepare() on error in bcm63xx_hsspi_resume (Qinglang Miao) \n- spi: tegra114: fix reference leak in tegra spi ops (Zhang Qilong) \n- spi: tegra20-sflash: fix reference leak in tegra_sflash_resume (Zhang Qilong) \n- spi: tegra20-slink: fix reference leak in slink ops of tegra20 (Zhang Qilong) \n- spi: mt7621: fix missing clk_disable_unprepare() on error in mt7621_spi_probe (Qinglang Miao) \n- spi: spi-ti-qspi: fix reference leak in ti_qspi_setup (Zhang Qilong) \n- Bluetooth: hci_h5: fix memory leak in h5_close (Anant Thazhemadam) \n- Bluetooth: Fix null pointer dereference in hci_event_packet() (Anmol Karn) \n- arm64: dts: exynos: Correct psci compatible used on Exynos7 (Pawel Chmiel) \n- arm64: dts: exynos: Include common syscon restart/poweroff for Exynos7 (Pawel Chmiel) \n- brcmfmac: Fix memory leak for unpaired brcmf_{alloc/free} (Seung-Woo Kim) \n- spi: stm32: fix reference leak in stm32_spi_resume (Zhang Qilong) \n- selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (Paul Moore) \n- ASoC: pcm: DRAIN support reactivation (Cezary Rojewski) \n- spi: spi-mem: fix reference leak in spi_mem_access_start (Zhang Qilong) \n- drm/msm/dsi_pll_10nm: restore VCO rate during restore_state (Dmitry Baryshkov) \n- f2fs: call f2fs_get_meta_page_retry for nat page (Jaegeuk Kim) \n- spi: img-spfi: fix reference leak in img_spfi_resume (Zhang Qilong) \n- powerpc/64: Set up a kernel stack for secondaries before cpu_restore() (Jordan Niethe) \n- drm/amdgpu: fix build_coefficients() argument (Arnd Bergmann) \n- ARM: dts: aspeed: 
tiogapass: Remove vuart (Vijay Khemka) \n- ASoC: sun4i-i2s: Fix lrck_period computation for I2S justified mode (Clement Peron) \n- crypto: inside-secure - Fix sizeof() mismatch (Colin Ian King) \n- crypto: talitos - Fix return type of current_desc_hdr() (Christophe Leroy) \n- crypto: talitos - Endianess in current_desc_hdr() (Christophe Leroy) \n- drm/amdgpu: fix incorrect enum type (Arnd Bergmann) \n- sched: Reenable interrupts in do_sched_yield() (Thomas Gleixner) \n- sched/deadline: Fix sched_dl_global_validate() (Peng Liu) \n- x86/apic: Fix x2apic enablement without interrupt remapping (David Woodhouse) \n- ARM: p2v: fix handling of LPAE translation in BE mode (Ard Biesheuvel) \n- x86/mm/ident_map: Check for errors from ident_pud_init() (Arvind Sankar) \n- RDMA/rxe: Compute PSN windows correctly (Bob Pearson) \n- ARM: dts: aspeed: s2600wf: Fix VGA memory region location (Joel Stanley) \n- selinux: fix error initialization in inode_doinit_with_dentry() (Tianyue Ren) \n- rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (Dan Carpenter) \n- RDMA/bnxt_re: Set queue pair state when being queried (Kamal Heib) \n- Revert 'i2c: i2c-qcom-geni: Fix DMA transfer race' (Douglas Anderson) \n- soc: qcom: geni: More properly switch to DMA mode (Douglas Anderson) \n- soc: mediatek: Check if power domains can be powered on at boot time (Nicolas Boichat) \n- soc: renesas: rmobile-sysc: Fix some leaks in rmobile_init_pm_domains() (Dan Carpenter) \n- arm64: dts: renesas: cat875: Remove rxc-skew-ps from ethernet-phy node (Biju Das) \n- arm64: dts: renesas: hihope-rzg2-ex: Drop rxc-skew-ps from ethernet-phy node (Biju Das) \n- drm/tve200: Fix handling of platform_get_irq() error (Krzysztof Kozlowski) \n- drm/mcde: Fix handling of platform_get_irq() error (Krzysztof Kozlowski) \n- drm/aspeed: Fix Kconfig warning \u0026 subsequent build errors (Randy Dunlap) \n- drm/gma500: fix double free of gma_connector (Tom Rix) \n- md: fix a warning caused by a race between concurrent 
md_ioctl()s (Dae R. Jeong) \n- crypto: af_alg - avoid undefined behavior accessing salg_name (Eric Biggers) \n- media: msi2500: assign SPI bus number dynamically (Antti Palosaari) \n- quota: Sanity-check quota file headers on load (Jan Kara) \n- Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() (Peilin Ye) \n- serial_core: Check for port state when tty is in error state (Alexey Kardashevskiy) \n- HID: i2c-hid: add Vero K147 to descriptor override (Julian Sax) \n- scsi: megaraid_sas: Check user-provided offsets (Arnd Bergmann) \n- coresight: etb10: Fix possible NULL ptr dereference in etb_enable_perf() (Sai Prakash Ranjan) \n- coresight: tmc-etr: Fix barrier packet insertion for perf buffer (Suzuki K Poulose) \n- coresight: tmc-etr: Check if page is valid before dma_map_page() (Mao Jinlong) \n- coresight: tmc-etf: Fix NULL ptr dereference in tmc_enable_etf_sink_perf() (Sai Prakash Ranjan) \n- ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU (Krzysztof Kozlowski) \n- ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410 (Krzysztof Kozlowski) \n- ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU (Krzysztof Kozlowski) \n- usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul (Fabio Estevam) \n- USB: gadget: f_rndis: fix bitrate for SuperSpeed and above (Will McVicker) \n- usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus (Jack Pham) \n- USB: gadget: f_midi: setup SuperSpeed Plus descriptors (Will McVicker) \n- USB: gadget: f_acm: add support for SuperSpeed Plus (taehyun.cho) \n- USB: serial: option: add interface-number sanity check to flag handling (Johan Hovold) \n- usb: mtu3: fix memory corruption in mtu3_debugfs_regset() (Dan Carpenter) \n- soc/tegra: fuse: Fix index bug in get_process_id (Nicolin Chen) \n- kbuild: avoid split lines in .mod files (Masahiro Yamada) \n- perf/x86/intel: Check PEBS status correctly (Stephane Eranian) \n- drm/amd/display: Init 
clock value by current vbios CLKs (Brandon Syu) \n- iwlwifi: pcie: add one missing entry for AX210 (Luca Coelho) \n- dm table: Remove BUG_ON(in_interrupt()) (Thomas Gleixner) \n- scsi: mpt3sas: Increase IOCInit request timeout to 30s (Sreekanth Reddy) \n- vxlan: Copy needed_tailroom from lowerdev (Sven Eckelmann) \n- vxlan: Add needed_headroom for lower device (Sven Eckelmann) \n- arm64: syscall: exit userspace before unmasking exceptions (Mark Rutland) \n- habanalabs: put devices before driver removal (Ofir Bitton) \n- drm/tegra: sor: Disable clocks on error in tegra_sor_init() (Qinglang Miao) \n- kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling (Nicholas Piggin) \n- drm/tegra: replace idr_init() by idr_init_base() (Deepak R Varma) \n- net: mvpp2: add mvpp2_phylink_to_port() helper (Russell King) \n- selftests: fix poll error in udpgro.sh (Paolo Abeni) \n- ixgbe: avoid premature Rx buffer reuse (Bjorn Topel) \n- i40e: avoid premature Rx buffer reuse (Bjorn Topel) \n- i40e: optimise prefetch page refcount (Li RongQing) \n- i40e: Refactor rx_bi accesses (Bjorn Topel) \n- RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (Leon Romanovsky) \n- selftests/bpf/test_offload.py: Reset ethtool features after failed setting (Toke Hoiland-Jorgensen) \n- netfilter: nft_ct: Remove confirmation check for NFT_CT_ID (Brett Mastbergen) \n- gpio: eic-sprd: break loop when getting NULL device resource (Chunyan Zhang) \n- Revert 'gpio: eic-sprd: Use devm_platform_ioremap_resource()' (Baolin Wang) \n- afs: Fix memory leak when mounting with multiple source parameters (David Howells) \n- netfilter: nft_dynset: fix timeouts later than 23 days (Pablo Neira Ayuso) \n- netfilter: nft_compat: make sure xtables destructors have run (Florian Westphal) \n- netfilter: x_tables: Switch synchronization to RCU (Subash Abhinov Kasiviswanathan) \n- pinctrl: aspeed: Fix GPIO requests on pass-through banks (Andrew Jeffery) \n- blk-mq: In 
blk_mq_dispatch_rq_list() 'no budget' is a reason to kick (Douglas Anderson) \n- block: factor out requeue handling from dispatch code (Johannes Thumshirn) \n- block: Simplify REQ_OP_ZONE_RESET_ALL handling (Damien Le Moal) \n- clk: renesas: r9a06g032: Drop __packed for portability (Geert Uytterhoeven) \n- can: softing: softing_netdev_open(): fix error handling (Zhang Qilong) \n- xsk: Replace datagram_poll by sock_poll_wait (Xuan Zhuo) \n- xsk: Fix xsk_poll()'s return type (Luc Van Oostenryck) \n- scsi: bnx2i: Requires MMU (Randy Dunlap) \n- gpio: mvebu: fix potential user-after-free on probe (Baruch Siach) \n- gpio: zynq: fix reference leak in zynq_gpio functions (Qinglang Miao) \n- PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (Zhang Qilong) \n- ARM: dts: imx6qdl-kontron-samx6i: fix I2C_PM scl pin (Bernd Bauer) \n- ARM: dts: imx6qdl-wandboard-revd1: Remove PAD_GPIO_6 from enetgrp (Fabio Estevam) \n- ARM: dts: sun7i: pcduino3-nano: enable RGMII RX/TX delay on PHY (Adam Sampson) \n- ARM: dts: sun8i: v3s: fix GIC node memory range (Icenowy Zheng) \n- pinctrl: baytrail: Avoid clearing debounce value when turning it off (Andy Shevchenko) \n- pinctrl: merrifield: Set default bias in case no particular value given (Andy Shevchenko) \n- ARM: dts: sun8i: v40: bananapi-m2-berry: Fix ethernet node (Pablo Greco) \n- ARM: dts: sun8i: r40: bananapi-m2-berry: Fix dcdc1 regulator (Pablo Greco) \n- RAS/CEC: Correct ce_add_elem()'s returned values (William Roche) [Orabug: 32774757] \n- bpf, x86: Validate computation of branch displacements for x86-64 (Piotr Krysiuk) [Orabug: 32759959] {CVE-2021-29154}\n- KVM: SVM: avoid infinite loop on NPF from bad address (John Donnelly) [Orabug: 32759746] {CVE-2020-36310}\n- uek-rpm: Add Amazon Elastic Network Adapter module to nano rpm. 
(Somasundaram Krishnasamy) [Orabug: 32795492]", + "Platform": [ + "Oracle Linux 7", + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-9306.html", + "ID": "ELSA-2021-9306" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-23133.html", + "ID": "CVE-2021-23133" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2020-36310.html", + "ID": "CVE-2020-36310" + } + ], + "Criteria": { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools is earlier than 
0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-tools is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools-libs is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-tools-libs is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "perf is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "perf is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "python-perf is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "python-perf is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": 
[ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools is earlier than 0:5.4.17-2102.202.5.el7uek" + }, + { + "Comment": "kernel-uek-tools is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 7 is installed" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], 
+ "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.202.5.el8uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + } + ], + "Criterions": null + }, + "Severity": "IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-23133.html", + "ID": "CVE-2021-23133" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2020-36310.html", + "ID": "CVE-2020-36310" + } + ] + } \ No newline at end of file 
diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json
new file mode 100644
index 00000000..6550b199
--- /dev/null
+++ b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json
@@ -0,0 +1,440 @@ +{ + "Title": "ELSA-2021-9362: Unbreakable Enterprise kernel security update (IMPORTANT)", + "Description": "[5.4.17-2102.203.5]\n- rds/ib: move rds_ib_clear_irq_miss() to .h file (Manjunath Patil) [Orabug: 33044344]\n\n[5.4.17-2102.203.4]\n- rds/ib: recover rds connection from interrupt loss scenario (Manjunath Patil) [Orabug: 32974199] \n- Revert Allow mce to reset instead of panic on UE (William Roche) [Orabug: 32820275] \n- bpf: Fix masking negation logic upon negative dst register (Daniel Borkmann) [Orabug: 32911990] {CVE-2021-31829}\n- rds/ib: handle posted ACK during connection shutdown (Manjunath Patil) [Orabug: 32863585] \n- rds/ib: reap tx completions during connection shutdown (Manjunath Patil) [Orabug: 32863585]\n\n[5.4.17-2102.203.3]\n- ksplice: use -fno-reorder-functions -fno-section-anchors (Vegard Nossum) [Orabug: 32908850] \n- ksplice: fixup for -ffunction-sections -fdata-sections (Vegard Nossum) [Orabug: 32908850] \n- xfs: fix xlog_finish_defer_ops (Wengang Wang) [Orabug: 32982353] \n- scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (Quinn Tran) [Orabug: 32989005] \n- blk-mq: fix blk_mq_all_tag_iter (Ming Lei) [Orabug: 32957629] \n- blk-mq: split out a __blk_mq_get_driver_tag helper (Christoph Hellwig) [Orabug: 32957629] \n- blk-mq: drain I/O when all CPUs in a hctx are offline (Ming Lei) [Orabug: 32957629] \n- blk-mq: add blk_mq_all_tag_iter (Ming Lei) [Orabug: 32957629] \n- Bluetooth: verify AMP hci_chan before amp_destroy (Archie Pusaka) [Orabug: 32912099] {CVE-2021-33034}\n- perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1 (Kan Liang) [Orabug: 32925098] \n- net: sched: fix tx action reschedule issue with stopped queue (Yunsheng Lin) [Orabug: 32911885] \n- net: sched: fix tx action rescheduling issue during deactivation (Yunsheng Lin) [Orabug: 32911885] \n- net: sched: fix packet stuck problem for lockless qdisc (Yunsheng Lin) [Orabug: 32911885] \n- scsi: bnx2fc: Return failure if io_req is 
already in ABTS processing (Gulam Mohamed) [Orabug: 32999623]\n\n[5.4.17-2102.203.2]\n- LTS tag: v5.4.114 (Jack Vogel) \n- net: phy: marvell: fix detection of PHY on Topaz switches (Pali Rohar) \n- ARM: 9071/1: uprobes: Dont hook on thumb instructions (Fredrik Strupe) \n- r8169: dont advertise pause in jumbo mode (Heiner Kallweit) \n- r8169: tweak max read request size for newer chips also in jumbo mtu mode (Heiner Kallweit) \n- r8169: improve rtl_jumbo_config (Heiner Kallweit) \n- r8169: fix performance regression related to PCIe max read request size (Heiner Kallweit) \n- r8169: simplify setting PCI_EXP_DEVCTL_NOSNOOP_EN (Heiner Kallweit) \n- r8169: remove fiddling with the PCIe max read request size (Heiner Kallweit) \n- arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems (Andre Przywara) \n- ARM: footbridge: fix PCI interrupt mapping (Russell King) \n- gro: ensure frag0 meets IP header alignment (Eric Dumazet) \n- ibmvnic: remove duplicate napi_schedule call in open function (Lijun Pan) \n- ibmvnic: remove duplicate napi_schedule call in do_reset function (Lijun Pan) \n- ibmvnic: avoid calling napi_disable() twice (Lijun Pan) \n- i40e: fix the panic when running bpf in xdpdrv mode (Jason Xing) \n- net: ip6_tunnel: Unregister catch-all devices (Hristo Venev) \n- net: sit: Unregister catch-all devices (Hristo Venev) \n- net: davicom: Fix regulator not turned off on failed probe (Christophe JAILLET) \n- netfilter: nft_limit: avoid possible divide error in nft_limit_init (Eric Dumazet) \n- net: macb: fix the restore of cmp registers (Claudiu Beznea) \n- netfilter: arp_tables: add pre_exit hook for table unregister (Florian Westphal) \n- netfilter: bridge: add pre_exit hooks for ebtable unregistration (Florian Westphal) \n- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (Vaibhav Jain) \n- netfilter: conntrack: do not print icmpv6 as unknown via /proc (Pablo Neira Ayuso) \n- scsi: libsas: Reset num_scatter if libata marks qc as NODATA 
(Jolly Shah) \n- riscv: Fix spelling mistake SPARSEMEM to SPARSMEM (Kefeng Wang) \n- vfio/pci: Add missing range check in vfio_pci_mmap (Christian A. Ehrhardt) \n- arm64: alternatives: Move length validation in alternative_{insn, endif} (Nathan Chancellor) \n- arm64: fix inline asm in load_unaligned_zeropad() (Peter Collingbourne) \n- readdir: make sure to verify directory entry for legacy interfaces too (Linus Torvalds) \n- dm verity fec: fix misaligned RS roots IO (Jaegeuk Kim) \n- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (Ping Cheng) \n- Input: i8042 - fix Pegatron C15B ID entry (Arnd Bergmann) \n- Input: s6sy761 - fix coordinate read bit shift (Caleb Connolly) \n- virt_wifi: Return micros for BSS TSF values (A. Cody Schuffelen) \n- mac80211: clear sta-\u003efast_rx when STA removed from 4-addr VLAN (Seevalamuthu Mariappan) \n- pcnet32: Use pci_resource_len to validate PCI resource (Guenter Roeck) \n- net: ieee802154: forbid monitor for add llsec seclevel (Alexander Aring) \n- net: ieee802154: stop dump llsec seclevels for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec devkey (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec devkey (Alexander Aring) \n- net: ieee802154: stop dump llsec devkeys for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec dev (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec dev (Alexander Aring) \n- net: ieee802154: stop dump llsec devs for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec key (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec key (Alexander Aring) \n- net: ieee802154: stop dump llsec keys for monitors (Alexander Aring) \n- scsi: scsi_transport_srp: Dont block target in SRP_PORT_LOST state (Martin Wilck) \n- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (Alexander Shiyan) \n- drm/msm: Fix a5xx/a6xx timestamps (Rob Clark) \n- ARM: omap1: fix building 
with clang IAS (Arnd Bergmann) \n- ARM: keystone: fix integer overflow warning (Arnd Bergmann) \n- neighbour: Disregard DEAD dst in neigh_update (Tong Zhu) \n- ASoC: max98373: Added 30ms turn on/off time delay (Ryan Lee) \n- arc: kernel: Return -EFAULT if copy_to_user() fails (Wang Qing) \n- lockdep: Add a missing initialization hint to the INFO: Trying to register non-static key message (Tetsuo Handa) \n- ARM: dts: Fix moving mmc devices with aliases for omap4 \u0026 5 (Tony Lindgren) \n- ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race (Tony Lindgren) \n- dmaengine: dw: Make it dependent to HAS_IOMEM (Andy Shevchenko) \n- gpio: sysfs: Obey valid_mask (Matti Vaittinen) \n- Input: nspire-keypad - enable interrupts only when opened (Fabian Vogt) \n- net/sctp: fix race condition in sctp_destroy_sock (Or Cohen) {CVE-2021-23133}\n- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (Quinn Tran) \n- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (Shyam Sundar) \n- scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (Quinn Tran) \n- scsi: qla2xxx: Dual FCP-NVMe target port support (Michael Hernandez) \n- Revert scsi: qla2xxx: Fix stuck login session using prli_pend_timer (Sasha Levin) \n- Revert scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (Sasha Levin) \n- LTS tag: v5.4.113 (Jack Vogel) \n- xen/events: fix setting irq affinity (Juergen Gross) \n- perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches (Arnaldo Carvalho de Melo) \n- perf tools: Use %zd for size_t printf formats on 32-bit (Chris Wilson) \n- perf tools: Use - driver core: Fix locking bug in deferred_probe_timeout_work_func() (Saravana Kannan) \n- netfilter: x_tables: fix compat match/target pad out-of-bound write (Florian Westphal) \n- block: dont ignore REQ_NOWAIT for direct IO (Pavel Begunkov) \n- riscv,entry: fix misaligned base for excp_vect_table (Zihao Yu) \n- idr test suite: Create anchor before launching throbber 
(Matthew Wilcox (Oracle)) \n- idr test suite: Take RCU read lock in idr_find_test_1 (Matthew Wilcox (Oracle)) \n- radix tree test suite: Register the main thread with the RCU library (Matthew Wilcox (Oracle)) \n- block: only update parent bi_status when bio fail (Yufen Yu) \n- drm/tegra: dc: Dont set PLL clock to 0Hz (Dmitry Osipenko) \n- gfs2: report already frozen/thawed errors (Bob Peterson) \n- drm/imx: imx-ldb: fix out of bounds array access warning (Arnd Bergmann) \n- KVM: arm64: Disable guest access to trace filter controls (Suzuki K Poulose) \n- KVM: arm64: Hide system instruction access to Trace registers (Suzuki K Poulose) \n- interconnect: core: fix error return code of icc_link_destroy() (Jia-Ju Bai) \n- LTS tag: v5.4.112 (Jack Vogel) \n- Revert cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb-\u003eprepath. (Greg Kroah-Hartman) \n- net: ieee802154: stop dump llsec params for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec seclevel (Alexander Aring) \n- net: ieee802154: forbid monitor for set llsec params (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec devkey (Alexander Aring) \n- net: ieee802154: fix nl802154 add llsec key (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec dev (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec key (Alexander Aring) \n- net: ieee802154: nl-mac: fix check on panid (Alexander Aring) \n- net: mac802154: Fix general protection fault (Pavel Skripkin) \n- drivers: net: fix memory leak in peak_usb_create_dev (Pavel Skripkin) \n- drivers: net: fix memory leak in atusb_probe (Pavel Skripkin) \n- net: tun: set tun-\u003edev-\u003eaddr_len during TUNSETLINK processing (Phillip Potter) \n- cfg80211: remove WARN_ON() in cfg80211_sme_connect (Du Cheng) \n- net: sched: bump refcount for new action in ACT replace mode (Kumar Kartikeya Dwivedi) \n- dt-bindings: net: ethernet-controller: fix typo in NVMEM (Rafal Milecki) \n- clk: socfpga: fix iomem pointer cast 
on 64-bit (Krzysztof Kozlowski) \n- RDMA/addr: Be strict with gid size (Leon Romanovsky) \n- RDMA/cxgb4: check for ipv6 address properly while destroying listener (Potnuri Bharat Teja) \n- net/mlx5: Fix PBMC register mapping (Aya Levin) \n- net/mlx5: Fix placement of log_max_flow_counter (Raed Salem) \n- net: hns3: clear VF down state bit before request link status (Guangbin Huang) \n- openvswitch: fix send of uninitialized stack memory in ct limit reply (Ilya Maximets) \n- net: openvswitch: conntrack: simplify the return expression of ovs_ct_limit_get_default_limit() (Zheng Yongjun) \n- perf inject: Fix repipe usage (Adrian Hunter) \n- s390/cpcmd: fix inline assembly register clobbering (Alexander Gordeev) \n- workqueue: Move the position of debug_work_activate() in __queue_work() (Zqiang) \n- clk: fix invalid usage of list cursor in unregister (Lukasz Bartosik) \n- clk: fix invalid usage of list cursor in register (Lukasz Bartosik) \n- net: macb: restore cmp registers on resume path (Claudiu Beznea) \n- scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs (Can Guo) \n- scsi: ufs: core: Fix task management request completion timeout (Can Guo) \n- scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs (Bart Van Assche) \n- scsi: ufs: Avoid busy-waiting by eliminating tag conflicts (Bart Van Assche) \n- scsi: ufs: Fix irq return code (Venkat Gopalakrishnan) \n- net: udp: Add support for getsockopt(..., ..., UDP_GRO, ..., ...); (Norman Maurer) \n- drm/msm: Set drvdata to NULL when msm_drm_init() fails (Stephen Boyd) \n- i40e: Fix display statistics for veb_tc (Eryk Rybak) \n- soc/fsl: qbman: fix conflicting alignment attributes (Arnd Bergmann) \n- net/mlx5: Dont request more than supported EQs (Daniel Jurgens) \n- net/mlx5e: Fix ethtool indication of connector type (Aya Levin) \n- ASoC: sunxi: sun4i-codec: fill ASoC card owner (Bastian Germann) \n- net: phy: broadcom: Only advertise EEE for supported modes (Florian Fainelli) \n- nfp: 
flower: ignore duplicate merge hints from FW (Yinjun Zhang) \n- net/ncsi: Avoid channel_monitor hrtimer deadlock (Milton Miller) \n- ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces (Stefan Riedmueller) \n- net:tipc: Fix a double free in tipc_sk_mcast_rcv (Lv Yunlong) \n- cxgb4: avoid collecting SGE_QBASE regs during traffic (Rahul Lakkireddy) \n- gianfar: Handle error code at MAC address change (Claudiu Manoil) \n- can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE (Oliver Hartkopp) \n- arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0 (Oliver Stabler) \n- sch_red: fix off-by-one checks in red_check_params() (Eric Dumazet) \n- amd-xgbe: Update DMA coherency values (Shyam Sundar S K) \n- hostfs: fix memory handling in follow_link() (Al Viro) \n- hostfs: Use kasprintf() instead of fixed buffer formatting (Andy Shevchenko) \n- i40e: Fix kernel oops when i40e driver removes VFs (Eryk Rybak) \n- i40e: Added Asym_Pause to supported link modes (Mateusz Palczewski) \n- xfrm: Fix NULL pointer dereference on policy lookup (Steffen Klassert) \n- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (Shengjiu Wang) \n- ASoC: SOF: Intel: HDA: fix core status verification (Guennadi Liakhovetski) \n- ASoC: SOF: Intel: hda: remove unnecessary parentheses (Payal Kshirsagar) \n- esp: delete NETIF_F_SCTP_CRC bit from features for esp offload (Xin Long) \n- net: xfrm: Localize sequence counter per network namespace (Ahmed S. 
Darwish) \n- regulator: bd9571mwv: Fix AVS and DVFS voltage range (Geert Uytterhoeven) \n- xfrm: interface: fix ipv4 pmtu check to honor ip header df (Eyal Birger) \n- net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits (Martin Blumenstingl) \n- net: dsa: lantiq_gswip: Dont use PHY auto polling (Martin Blumenstingl) \n- virtio_net: Add XDP meta data support (Yuya Kusakabe) \n- i2c: turn recovery error on init to debug (Wolfram Sang) \n- usbip: synchronize event handler with sysfs code paths (Shuah Khan) \n- usbip: vudc synchronize sysfs code paths (Shuah Khan) \n- usbip: stub-dev synchronize sysfs code paths (Shuah Khan) \n- usbip: add sysfs_lock to synchronize sysfs code paths (Shuah Khan) \n- net: let skb_orphan_partial wake-up waiters. (Paolo Abeni) \n- net-ipv6: bugfix - raw \u0026 sctp - switch to ipv6_can_nonlocal_bind() (Maciej zenczykowski) \n- net: hsr: Reset MAC header for Tx path (Kurt Kanzenbach) \n- mac80211: fix TXQ AC confusion (Johannes Berg) \n- net: sched: sch_teql: fix null-pointer dereference (Pavel Tikhomirov) \n- i40e: Fix sparse error: vsi-\u003enetdev could be null (Arkadiusz Kubalewski) \n- i40e: Fix sparse warning: missing error code err (Arkadiusz Kubalewski) \n- net: ensure mac header is set in virtio_net_hdr_to_skb() (Eric Dumazet) \n- bpf, sockmap: Fix sk-\u003eprot unhash op reset (John Fastabend) \n- ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (Lv Yunlong) \n- net: hso: fix null-ptr-deref during tty device unregistration (Anirudh Rayabharam) \n- ice: Cleanup fltr list in case of allocation issues (Robert Malz) \n- ice: Fix for dereference of NULL pointer (Jacek Bulatek) \n- ice: Increase control queue timeout (Fabio Pricoco) \n- batman-adv: initialize struct batadv_tvlv_tt_vlan_data-\u003ereserved field (Tetsuo Handa) \n- ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin (Marek Behun) \n- parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers (Gao Xiang) \n- parisc: 
parisc-agp requires SBA IOMMU driver (Helge Deller) \n- fs: direct-io: fix missing sdio-\u003eboundary (Jack Qiu) \n- nds32: flush_dcache_page: use page_mapping_file to avoid races with swapoff (Mike Rapoport) \n- ia64: fix user_stack_pointer() for ptrace() (Sergei Trofimovich) \n- gcov: re-fix clang-11+ support (Nick Desaulniers) \n- drm/i915: Fix invalid access to ACPI _DSM objects (Takashi Iwai) \n- net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock (Martin Blumenstingl) \n- net: ipv6: check for validity before dereferencing cfg-\u003efc_nlinfo.nlh (Muhammad Usama Anjum) \n- xen/evtchn: Change irq_info lock to raw_spinlock_t (Luca Fancellu) \n- nfc: Avoid endless loops caused by repeated llcp_sock_connect() (Xiaoming Ni) \n- nfc: fix memory leak in llcp_sock_connect() (Xiaoming Ni) {CVE-2020-25672}\n- nfc: fix refcount leak in llcp_sock_connect() (Xiaoming Ni) {CVE-2020-25671}\n- nfc: fix refcount leak in llcp_sock_bind() (Xiaoming Ni) {CVE-2020-25670}\n- ASoC: intel: atom: Stop advertising non working S24LE support (Hans de Goede) \n- ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (Takashi Iwai) \n- ALSA: aloop: Fix initialization of controls (Jonas Holmberg) \n- counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register (Fabrice Gasnier) \n- LTS tag: v5.4.111 (Jack Vogel) \n- init/Kconfig: make COMPILE_TEST depend on HAS_IOMEM (Masahiro Yamada) \n- init/Kconfig: make COMPILE_TEST depend on !S390 (Heiko Carstens) \n- nvme-mpath: replace direct_make_request with generic_make_request (Sagi Grimberg) \n- bpf, x86: Validate computation of branch displacements for x86-32 (Piotr Krysiuk) \n- cifs: Silently ignore unknown oplock break handle (Vincent Whitchurch) \n- cifs: revalidate mapping when we open files for SMB1 POSIX (Ronnie Sahlberg) \n- ia64: fix format strings for err_inject (Sergei Trofimovich) \n- ia64: mca: allocate early mca with GFP_ATOMIC (Sergei Trofimovich) \n- scsi: target: pscsi: Clean up after failure in 
pscsi_map_sg() (Martin Wilck) \n- x86/build: Turn off -fcf-protection for realmode targets (Arnd Bergmann) \n- platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (Esteve Varela Colominas) \n- netfilter: conntrack: Fix gre tunneling over ipv6 (Ludovic Senecaux) \n- drm/msm: Ratelimit invalid-fence message (Rob Clark) \n- drm/msm/adreno: a5xx_power: Dont apply A540 lm_setup to other GPUs (Konrad Dybcio) \n- mac80211: choose first enabled channel for monitor (Karthikeyan Kathirvel) \n- mISDN: fix crash in fritzpci (Tong Zhang) \n- net: pxa168_eth: Fix a potential data race in pxa168_eth_remove (Pavel Andrianov) \n- net/mlx5e: Enforce minimum value check for ICOSQ size (Tariq Toukan) \n- bpf, x86: Use kvmalloc_array instead kmalloc_array in bpf_jit_comp (Yonghong Song) \n- platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (Alban Bedel) \n- bus: ti-sysc: Fix warning on unbind if reset is not deasserted (Tony Lindgren) \n- ARM: dts: am33xx: add aliases for mmc interfaces (Mans Rullgard) \n- LTS tag: v5.4.110 (Jack Vogel) \n- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (Du Cheng) \n- staging: rtl8192e: Change state information from u16 to u8 (Atul Gopinathan) \n- staging: rtl8192e: Fix incorrect source in memcpy() (Atul Gopinathan) \n- usb: dwc2: Prevent core suspend when port connection flag is 0 (Artur Petrosyan) \n- usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. 
(Artur Petrosyan) \n- usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference (Tong Zhang) \n- USB: cdc-acm: fix use-after-free after probe failure (Johan Hovold) \n- USB: cdc-acm: fix double free on probe failure (Johan Hovold) \n- USB: cdc-acm: downgrade message to debug (Oliver Neukum) \n- USB: cdc-acm: untangle a circular dependency between callback and softint (Oliver Neukum) \n- cdc-acm: fix BREAK rx code path adding necessary calls (Oliver Neukum) \n- usb: xhci-mtk: fix broken streams issue on 0.96 xHCI (Chunfeng Yun) \n- usb: musb: Fix suspend with devices connected for a64 (Tony Lindgren) \n- USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (Vincent Palatin) \n- usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (Shuah Khan) \n- firewire: nosy: Fix a use-after-free bug in nosy_ioctl() (Zheyu Ma) \n- extcon: Fix error handling in extcon_dev_register (Dinghao Liu) \n- extcon: Add stubs for extcon_register_notifier_all() functions (Krzysztof Kozlowski) \n- pinctrl: rockchip: fix restore error in resume (Wang Panzhenzhuan) \n- vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends (Jason Gunthorpe) \n- reiserfs: update reiserfs_xattrs_initialized() condition (Tetsuo Handa) \n- drm/amdgpu: check alignment on CPU page for bo map (Xi Ruoyao) \n- drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (Nirmoy Das) \n- mm: fix race by making init_zero_pfn() early_initcall (Ilya Lipnitskiy) \n- tracing: Fix stack trace event size (Steven Rostedt (VMware)) \n- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (Adrian Hunter) \n- PM: runtime: Fix race getting/putting suppliers at probe (Adrian Hunter) \n- xtensa: move coprocessor_flush to the .text section (Max Filippov) \n- ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook (Hui Wang) \n- ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (Hui Wang) \n- ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks (Takashi Iwai) \n- 
ALSA: hda: Re-add dropped snd_poewr_change_state() calls (Takashi Iwai) \n- ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (Ikjoon Jang) \n- bpf: Remove MTU check in __bpf_skb_max_len (Jesper Dangaard Brouer) \n- net: wan/lmc: unregister device when no matching device is found (Tong Zhang) \n- appletalk: Fix skb allocation size in loopback case (Doug Brown) \n- net: ethernet: aquantia: Handle error cleanup of start on open (Nathan Rossi) \n- ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (Shuah Khan) \n- brcmfmac: clear EAP/association status bits on linkdown events (Luca Pesce) \n- can: tcan4x5x: fix max register value (Sasha Levin) \n- net: introduce CAN specific pointer in the struct net_device (Oleksij Rempel) \n- can: dev: move driver related infrastructure into separate subdir (Marc Kleine-Budde) \n- flow_dissector: fix TTL and TOS dissection on IPv4 fragments (Davide Caratti) \n- net: mvpp2: fix interrupt mask/unmask skip condition (Sasha Levin) \n- ext4: do not iput inode under running transaction in ext4_rename() (zhangyi (F)) \n- locking/ww_mutex: Simplify use_ww_ctx \u0026 ww_ctx handling (Waiman Long) \n- thermal/core: Add NULL pointer check before using cooling device stats (Manaf Meethalavalappu Pallikunhi) \n- ASoC: rt5659: Update MCLK rate in set_sysclk() (Sameer Pujar) \n- staging: comedi: cb_pcidas64: fix request_irq() warn (Tong Zhang) \n- staging: comedi: cb_pcidas: fix request_irq() warn (Tong Zhang) \n- scsi: qla2xxx: Fix broken #endif placement (Alexey Dobriyan) \n- scsi: st: Fix a use after free in st_open() (Lv Yunlong) \n- vhost: Fix vhost_vq_reset() (Laurent Vivier) \n- powerpc: Force inlining of cpu_has_feature() to avoid build failure (Christophe Leroy) \n- NFSD: fix error handling in NFSv4.0 callbacks (Olga Kornievskaia) \n- ASoC: cs42l42: Always wait at least 3ms after reset (Lucas Tanure) \n- ASoC: cs42l42: Fix mixer volume control (Lucas Tanure) \n- ASoC: cs42l42: Fix channel width support (Lucas 
Tanure) \n- ASoC: cs42l42: Fix Bitclock polarity inversion (Lucas Tanure) \n- ASoC: es8316: Simplify adc_pga_gain_tlv table (Hans de Goede) \n- ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (Benjamin Rood) \n- ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (Hans de Goede) \n- ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (Hans de Goede) \n- iomap: Fix negative assignment to unsigned sis-\u003epages in iomap_swapfile_activate (Ritesh Harjani) \n- rpc: fix NULL dereference on kmalloc failure (J. Bruce Fields) \n- fs: nfsd: fix kconfig dependency warning for NFSD_V4 (Julian Braha) \n- ext4: fix bh ref count on error paths (Zhaolong Zhang) \n- ext4: shrink race window in ext4_should_retry_alloc() (Eric Whitney) \n- module: harden ELF info handling (Frank van der Linden) \n- module: avoid *goto*s in module_sig_check() (Sergey Shtylyov) \n- module: merge repetitive strings in module_sig_check() (Sergey Shtylyov) \n- modsign: print module name along with error message (Jessica Yu) \n- ipv6: weaken the v4mapped source check (Jakub Kicinski) \n- selinux: vsock: Set SID for socket returned by accept() (David Brazdil) \n- LTS tag: v5.4.109 (Jack Vogel) \n- xen-blkback: dont leak persistent grants from xen_blkbk_map() (Jan Beulich) \n- can: peak_usb: Revert can: peak_usb: add forgotten supported devices (Marc Kleine-Budde) \n- ext4: add reclaim checks to xattr code (Jan Kara) \n- mac80211: fix double free in ibss_leave (Markus Theil) \n- net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() (Eric Dumazet) \n- net: dsa: b53: VLAN filtering is global to all users (Florian Fainelli) \n- can: dev: Move device back to init netns on owning netns delete (Martin Willi) \n- x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (Isaku Yamahata) \n- locking/mutex: Fix non debug version of mutex_lock_io_nested() (Thomas Gleixner) \n- scsi: mpt3sas: Fix error return code of 
mpt3sas_base_attach() (Jia-Ju Bai) \n- scsi: qedi: Fix error return code of qedi_alloc_global_queues() (Jia-Ju Bai) \n- scsi: Revert qla2xxx: Make sure that aborted commands are freed (Bart Van Assche) \n- block: recalculate segment count for multi-segment discards correctly (David Jeffery) \n- perf auxtrace: Fix auxtrace queue conflict (Adrian Hunter) \n- ACPI: scan: Use unique number for instance_no (Andy Shevchenko) \n- ACPI: scan: Rearrange memory allocation in acpi_device_add() (Rafael J. Wysocki) \n- Revert netfilter: x_tables: Update remaining dereference to RCU (Mark Tomlinson) \n- Revert netfilter: x_tables: Switch synchronization to RCU (Mark Tomlinson) \n- bpf: Dont do bpf_cgroup_storage_set() for kuprobe/tp programs (Sasha Levin) \n- RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (Potnuri Bharat Teja) \n- PM: EM: postpone creating the debugfs dir till fs_initcall (Lukasz Luba) \n- net/mlx5e: Fix error path for ethtool set-priv-flag (Aya Levin) \n- PM: runtime: Defer suspending suppliers (Rafael J. 
Wysocki) \n- arm64: kdump: update ppos when reading elfcorehdr (Pavel Tatashin) \n- drm/msm: fix shutdown hook in case GPU components failed to bind (Dmitry Baryshkov) \n- libbpf: Fix BTF dump of pointer-to-array-of-struct (Jean-Philippe Brucker) \n- selftests: forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate value (Hangbin Liu) \n- net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes (Corentin Labbe) \n- r8152: limit the RX buffer size of RTL8153A for USB 2.0 (Hayes Wang) \n- net: cdc-phonet: fix data-interface release on probe failure (Johan Hovold) \n- octeontx2-af: fix infinite loop in unmapping NPC counter (Hariprasad Kelam) \n- octeontx2-af: Fix irq free in rvu teardown (Geetha sowjanya) \n- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (Kumar Kartikeya Dwivedi) \n- nfp: flower: fix pre_tun mask id allocation (Louis Peens) \n- mac80211: fix rate mask reset (Johannes Berg) \n- can: m_can: m_can_rx_peripheral(): fix RX being blocked by errors (Torin Cooper-Bennun) \n- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (Torin Cooper-Bennun) \n- can: c_can: move runtime PM enable/disable to c_can_platform (Tong Zhang) \n- can: c_can_pci: c_can_pci_remove(): fix use-after-free (Tong Zhang) \n- can: kvaser_pciefd: Always disable bus load reporting (Jimmy Assarsson) \n- can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (Angelo Dureghello) \n- can: peak_usb: add forgotten supported devices (Stephane Grosjean) \n- tcp: relookup sock for RST+ACK packets handled by obsolete req sock (Alexander Ovechkin) \n- netfilter: ctnetlink: fix dump of the expect mask attribute (Florian Westphal) \n- selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (Hangbin Liu) \n- ftgmac100: Restart MAC HW once (Dylan Hung) \n- net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (Lv Yunlong) \n- e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (Dinghao Liu) \n- e1000e: add rtnl_lock() to 
e1000_reset_task (Vitaly Lifshits) \n- igc: Fix Supported Pause Frame Link Setting (Muhammad Husaini Zulkifli) \n- igc: Fix Pause Frame Advertising (Muhammad Husaini Zulkifli) \n- net: dsa: bcm_sf2: Qualify phydev-\u003edev_flags based on port (Florian Fainelli) \n- net: sched: validate stab values (Eric Dumazet) \n- macvlan: macvlan_count_rx() needs to be aware of preemption (Eric Dumazet) \n- ipv6: fix suspecious RCU usage warning (Wei Wang) \n- net/mlx5e: Dont match on Geneve options in case option masks are all zero (Maor Dickman) \n- libbpf: Fix INSTALL flag order (Georgi Valkov) \n- veth: Store queue_mapping independently of XDP prog presence (Maciej Fijalkowski) \n- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (Grygorii Strashko) \n- dm verity: fix DM_VERITY_OPTS_MAX value (JeongHyeon Lee) \n- integrity: double check iint_cache was initialized (Mimi Zohar) \n- ARM: dts: at91-sama5d27_som1: fix phy address to 7 (Claudiu Beznea) \n- arm64: dts: ls1043a: mark crypto engine dma coherent (Horia Geanta) \n- arm64: dts: ls1012a: mark crypto engine dma coherent (Horia Geanta) \n- arm64: dts: ls1046a: mark crypto engine dma coherent (Horia Geanta) \n- ACPI: video: Add missing callback back for Sony VPCEH3U1E (Chris Chiu) \n- gcov: fix clang-11+ support (Nick Desaulniers) \n- kasan: fix per-page tags for non-page_alloc pages (Andrey Konovalov) \n- squashfs: fix xattr id and id lookup sanity checks (Phillip Lougher) \n- squashfs: fix inode lookup sanity checks (Sean Nyekjaer) \n- platform/x86: intel-vbtn: Stop reporting SW_DOCK events (Hans de Goede) \n- netsec: restore phy power state after controller reset (Mian Yousaf Kaukab) \n- ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign (Sergei Trofimovich) \n- ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls (Sergei Trofimovich) \n- block: Suppress uevent for hidden device when removed (Daniel Wagner) \n- nfs: we dont support removing system.nfs4_acl (J. 
Bruce Fields) \n- nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a (Dmitry Monakhov) \n- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (Hannes Reinecke) \n- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (Hannes Reinecke) \n- drm/radeon: fix AGP dependency (Christian Konig) \n- drm/amdgpu: fb BO should be ttm_bo_type_device (Nirmoy Das) \n- drm/amd/display: Revert dram_clock_change_latency for DCN2.1 (Sung Lee) \n- regulator: qcom-rpmh: Correct the pmic5_hfsmps515 buck (satya priya) \n- u64_stats,lockdep: Fix u64_stats_init() vs lockdep (Peter Zijlstra) \n- habanalabs: Call put_pid() when releasing control device (Tomer Tayar) \n- sparc64: Fix opcode filtering in handling of no fault loads (Rob Gardner) \n- irqchip/ingenic: Add support for the JZ4760 (Paul Cercueil) \n- cifs: change noisy error message to FYI (Paulo Alcantara) \n- atm: idt77252: fix null-ptr-dereference (Tong Zhang) \n- atm: uPD98402: fix incorrect allocation (Tong Zhang) \n- net: davicom: Use platform_get_irq_optional() (Paul Cercueil) \n- net: wan: fix error return code of uhdlc_init() (Jia-Ju Bai) \n- net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch() (Jia-Ju Bai) \n- NFS: Correct size calculation for create reply length (Frank Sorenson) \n- nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default (Timo Rothenpieler) \n- gpiolib: acpi: Add missing IRQF_ONESHOT (Yang Li) \n- cpufreq: blacklist Arm Vexpress platforms in cpufreq-dt-platdev (Sudeep Holla) \n- cifs: ask for more credit on async read/write code paths (Aurelien Aptel) \n- gianfar: fix jumbo packets+napi+rx overrun crash (Michael Braun) \n- sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count (Denis Efremov) \n- net: intel: iavf: fix error return code of iavf_init_get_resources() (Jia-Ju Bai) \n- net: tehuti: fix error return code in bdx_probe() (Jia-Ju Bai) \n- ixgbe: Fix memleak in ixgbe_configure_clsu32 (Dinghao Liu) \n- ALSA: hda: ignore invalid NHLT table (Mark 
Pearson) \n- Revert r8152: adjust the settings about MAC clock speed down for RTL8153 (Hayes Wang) \n- atm: lanai: dont run lanai_dev_close if not open (Tong Zhang) \n- atm: eni: dont release is never initialized (Tong Zhang) \n- powerpc/4xx: Fix build errors from mfdcr() (Michael Ellerman) \n- net: fec: ptp: avoid register access when ipg clock is disabled (Heiko Thiery) \n- hugetlbfs: hugetlb_fault_mutex_hash() cleanup (Mike Kravetz) \n- LTS tag: v5.4.108 (Jack Vogel) \n- cifs: Fix preauth hash corruption (Vincent Whitchurch) \n- x86/apic/of: Fix CPU devicetree-node lookups (Johan Hovold) \n- genirq: Disable interrupts for force threaded handlers (Thomas Gleixner) \n- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (Lv Yunlong) \n- efi: use 32-bit alignment for efi_guid_t literals (Ard Biesheuvel) \n- ext4: fix potential error in ext4_do_update_inode (Shijie Luo) \n- ext4: do not try to set xattr into ea_inode if value is empty (zhangyi (F)) \n- ext4: find old entry again if failed to rename whiteout (zhangyi (F)) \n- x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (Oleg Nesterov) \n- x86: Move TS_COMPAT back to asm/thread_info.h (Oleg Nesterov) \n- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (Oleg Nesterov) \n- x86/ioapic: Ignore IRQ2 again (Thomas Gleixner) \n- PCI: rpadlpar: Fix potential drc_name corruption in store functions (Tyrel Datwyler) \n- counter: stm32-timer-cnt: fix ceiling write max value (Fabrice Gasnier) \n- iio: hid-sensor-temperature: Fix issues of timestamp channel (Ye Xiang) \n- iio: hid-sensor-prox: Fix scale not correct issue (Ye Xiang) \n- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (Ye Xiang) \n- iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (Wilfried Wessner) \n- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (Dinghao Liu) \n- iio: adis16400: Fix an error code in adis16400_initial_setup() (Dan Carpenter) \n- 
iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (Jonathan Albrieux) \n- iio:adc:stm32-adc: Add HAS_IOMEM dependency (Jonathan Cameron) \n- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (Badhri Jagan Sridharan) \n- usb: gadget: configfs: Fix KASAN use-after-free (Jim Lin) \n- USB: replace hardcode maximum usb string length by definition (Macpaul Lin) \n- usbip: Fix incorrect double assignment to udc-\u003eud.tcp_rx (Colin Ian King) \n- usb-storage: Add quirk to defeat Kindles automatic unload (Alan Stern) \n- nvme-rdma: fix possible hang when failing to set io queues (Sagi Grimberg) \n- counter: stm32-timer-cnt: Report count function when SLAVE_MODE_DISABLED (William Breathitt Gray) \n- scsi: myrs: Fix a double free in myrs_cleanup() (Lv Yunlong) \n- scsi: lpfc: Fix some error codes in debugfs (Dan Carpenter) \n- riscv: Correct SPARSEMEM configuration (Kefeng Wang) \nfor empty SUBLEVEL or PATCHLEVEL again (Masahiro Yamada) \n- net/qrtr: fix __netdev_alloc_skb call (Pavel Skripkin) \n- sunrpc: fix refcount leak for rpc auth modules (Daniel Kobras) \n- vfio: IOMMU_API should be selected (Jason Gunthorpe) \n- svcrdma: disable timeouts on rdma backchannel (Timo Rothenpieler) \n- NFSD: Repair misuse of sv_lock in 5.10.16-rt30. 
(Joe Korty) \n- nfsd: Dont keep looking up unhashed files in the nfsd file cache (Trond Myklebust) \n- nvmet: dont check iosqes,iocqes for discovery controllers (Sagi Grimberg) \n- nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU (Sagi Grimberg) \n- nvme-tcp: fix possible hang when failing to set io queues (Sagi Grimberg) \n- nvme: fix Write Zeroes limitations (Christoph Hellwig) \n- afs: Stop listxattr() from listing afs.* attributes (David Howells) \n- ASoC: simple-card-utils: Do not handle device clock (Sameer Pujar) \n- ASoC: SOF: intel: fix wrong poll bits in dsp power down (Pan Xiuli) \n- ASoC: SOF: Intel: unregister DMIC device on probe error (Pierre-Louis Bossart) \n- ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (Alexander Shiyan) \n- btrfs: fix slab cache flags for free space tree bitmap (David Sterba) \n- ARM: 9044/1: vfp: use undef hook for VFP support detection (Ard Biesheuvel) \n- ARM: 9030/1: entry: omit FP emulation for UND exceptions taken in kernel mode (Ard Biesheuvel) \n- s390/vtime: fix increased steal time accounting (Gerald Schaefer) \n- Revert PM: runtime: Update device status before letting suppliers suspend (Rafael J. 
Wysocki) \n- ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (Xiaoliang Yu) \n- ALSA: hda: generic: Fix the micmute led init state (Hui Wang) \n- ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (Xiaoliang Yu) \n- ALSA: dice: fix null pointer dereference when node is disconnected (Takashi Sakamoto) \n- ASoC: ak5558: Add MODULE_DEVICE_TABLE (Shengjiu Wang) \n- ASoC: ak4458: Add MODULE_DEVICE_TABLE (Shengjiu Wang) \n- LTS tag: v5.4.107 (Jack Vogel) \n- net: dsa: b53: Support setting learning on port (Florian Fainelli) \n- net: dsa: tag_mtk: fix 802.1ad VLAN egress (DENG Qingfang) \n- crypto: x86/aes-ni-xts - use direct calls to and 4-way stride (Ard Biesheuvel) \n- crypto: aesni - Use TEST %reg,%reg instead of CMP /u03/ksharma/errata_processing/work/el8/db_8.ELSA-2021-9362,%reg (Uros Bizjak) \n- crypto: x86 - Regularize glue function prototypes (Kees Cook) \n- drm/i915/gvt: Fix vfio_edid issue for BXT/APL (Colin Xu) \n- drm/i915/gvt: Fix port number for BDW on EDID region setup (Colin Xu) \n- drm/i915/gvt: Fix virtual display setup for BXT/APL (Colin Xu) \n- drm/i915/gvt: Fix mmio handler break on BXT/APL. 
(Colin Xu) \n- drm/i915/gvt: Set SNOOP for PAT3 on BXT/APL to workaround GPU BB hang (Colin Xu) \n- btrfs: scrub: Dont check free space before marking a block group RO (Qu Wenruo) \n- bpf: Fix off-by-one for area size in creating mask to left (Piotr Krysiuk) \n- bpf: Prohibit alu ops for pointer types not defining ptr_limit (Piotr Krysiuk) \n- KVM: arm64: nvhe: Save the SPE context early (Suzuki K Poulose) \n- LTS tag: v5.4.106 (Jack Vogel) \n- xen/events: avoid handling the same event on two cpus at the same time (Juergen Gross) \n- xen/events: dont unmask an event channel when an eoi is pending (Juergen Gross) \n- xen/events: reset affinity of 2-level event when tearing it down (Juergen Gross) \n- KVM: arm64: Reject VM creation when the default IPA size is unsupported (Marc Zyngier) \n- KVM: arm64: Ensure I-cache isolation between vcpus of a same VM (Marc Zyngier) \n- KVM: arm64: Fix exclusive limit for IPA size (Marc Zyngier) \n- x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2 (Josh Poimboeuf) \n- binfmt_misc: fix possible deadlock in bm_register_write (Lior Ribak) \n- powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (Naveen N. 
Rao) \n- sched/membarrier: fix missing local execution of ipi_sync_rq_state() (Mathieu Desnoyers) \n- zram: fix return value on writeback_store (Minchan Kim) \n- include/linux/sched/mm.h: use rcu_dereference in in_vfork() (Matthew Wilcox (Oracle)) \n- stop_machine: mark helpers __always_inline (Arnd Bergmann) \n- hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() (Anna-Maria Behnsen) \n- arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds (Ard Biesheuvel) \n- configfs: fix a use-after-free in __configfs_open_file (Daiyue Zhang) \n- block: rsxx: fix error return code of rsxx_pci_probe() (Jia-Ju Bai) \n- NFSv4.2: fix return value of _nfs4_get_security_label() (Ondrej Mosnacek) \n- NFS: Dont gratuitously clear the inode cache when lookup failed (Trond Myklebust) \n- NFS: Dont revalidate the directory permissions on a lookup failure (Trond Myklebust) \n- SUNRPC: Set memalloc_nofs_save() for sync tasks (Benjamin Coddington) \n- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (Anshuman Khandual) \n- sh_eth: fix TRSCER mask for R7S72100 (Sergey Shtylyov) \n- staging: comedi: pcl818: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: pcl711: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: me4000: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: dmm32at: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: das800: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: das6402: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: adv_pci1710: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: addi_apci_1500: Fix endian problem for command sample (Ian Abbott) \n- staging: comedi: addi_apci_1032: Fix endian problem for COS sample (Ian Abbott) \n- staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan (Lee Gibson) \n- staging: rtl8712: Fix possible buffer overflow 
in r8712_sitesurvey_cmd (Lee Gibson) \n- staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() (Dan Carpenter) \n- staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() (Dan Carpenter) \n- staging: rtl8712: unterminated string leads to read overflow (Dan Carpenter) \n- staging: rtl8188eu: prevent -\u003essid overflow in rtw_wx_set_scan() (Dan Carpenter) \n- staging: rtl8192u: fix -\u003essid overflow in r8192_wx_set_scan() (Dan Carpenter) \n- misc: fastrpc: restrict user apps from sending kernel RPC messages (Dmitry Baryshkov) {CVE-2019-2308}\n- misc/pvpanic: Export module FDT device table (Shile Zhang) \n- usbip: fix vudc usbip_sockfd_store races leading to gpf (Shuah Khan) \n- usbip: fix vhci_hcd attach_store() races leading to gpf (Shuah Khan) \n- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (Shuah Khan) \n- usbip: fix vudc to check for stream socket (Shuah Khan) \n- usbip: fix vhci_hcd to check for stream socket (Shuah Khan) \n- usbip: fix stub_dev to check for stream socket (Shuah Khan) \n- USB: serial: cp210x: add some more GE USB IDs (Sebastian Reichel) \n- USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (Karan Singhal) \n- USB: serial: ch341: add new Product ID (Niv Sardi) \n- USB: serial: io_edgeport: fix memory leak in edge_startup (Pavel Skripkin) \n- xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (Mathias Nyman) \n- usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (Forest Crossman) \n- xhci: Improve detection of device initiated wake signal. 
(Mathias Nyman) \n- usb: xhci: do not perform Soft Retry for some xHCI hosts (Stanislaw Gruszka) \n- usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (Yoshihiro Shimoda) \n- USB: usblp: fix a hang in poll() if disconnected (Pete Zaitcev) \n- usb: dwc3: qcom: Honor wakeup enabled/disabled state (Matthias Kaehlcke) \n- usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement (Serge Semin) \n- usb: gadget: f_uac1: stop playback on function disable (Ruslan Bilovol) \n- usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (Ruslan Bilovol) \n- USB: gadget: u_ether: Fix a configfs return code (Dan Carpenter) \n- Goodix Fingerprint device is not a modem (Yorick de Wid) \n- mmc: cqhci: Fix random crash when remove mmc module/card (Frank Li) \n- mmc: core: Fix partition switch time for eMMC (Adrian Hunter) \n- software node: Fix node registration (Heikki Krogerus) \n- s390/dasd: fix hanging IO request during DASD driver unbind (Stefan Haberland) \n- s390/dasd: fix hanging DASD driver unbind (Stefan Haberland) \n- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (Andrey Konovalov) \n- Revert 95ebabde382c (capabilities: Dont allow writing ambiguous v3 file capabilities) (Eric W. 
Biederman) \n- ALSA: usb-audio: Apply the control quirk to Plantronics headsets (Takashi Iwai) \n- ALSA: usb-audio: Fix cannot get freq eq errors on Dell AE515 sound bar (Takashi Iwai) \n- ALSA: hda: Avoid spurious unsol event handling during S3/S4 (Takashi Iwai) \n- ALSA: hda: Flush pending unsolicited events before suspend (Takashi Iwai) \n- ALSA: hda: Drop the BATCH workaround for AMD controllers (Takashi Iwai) \n- ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support (Simeon Simeonoff) \n- ALSA: hda/hdmi: Cancel pending works before suspend (Takashi Iwai) \n- ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk (John Ernberg) \n- scsi: target: core: Prevent underflow for service actions (Aleksandr Miloserdov) \n- scsi: target: core: Add cmd length set before cmd complete (Aleksandr Miloserdov) \n- scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling (Mike Christie) \n- sysctl.c: fix underflow value setting risk in vm_table (Lin Feng) \n- s390/smp: __smp_rescan_cpus() - move cpumask away from stack (Heiko Carstens) \n- i40e: Fix memory leak in i40e_probe (Keita Suzuki) \n- PCI: Fix pci_register_io_range() memory leak (Geert Uytterhoeven) \n- kbuild: clamp SUBLEVEL to 255 (Sasha Levin) \n- PCI: mediatek: Add missing of_node_put() to fix reference leak (Krzysztof Wilczynski) \n- PCI: xgene-msi: Fix race in installing chained irq handler (Martin Kaiser) \n- Input: applespi - dont wait for responses to commands indefinitely. 
(Ronald Tschalar) \n- sparc64: Use arch_validate_flags() to validate ADI flag (Khalid Aziz) \n- sparc32: Limit memblock allocation to low memory (Andreas Larsson) \n- iommu/amd: Fix performance counter initialization (Suravee Suthikulpanit) \n- powerpc/64: Fix stack trace not displaying final frame (Michael Ellerman) \n- HID: logitech-dj: add support for the new lightspeed connection iteration (Filipe Lains) \n- powerpc/perf: Record counter overflow always if SAMPLE_IP is unset (Athira Rajeev) \n- powerpc: improve handling of unrecoverable system reset (Nicholas Piggin) \n- spi: stm32: make spurious and overrun interrupts visible (Alain Volmat) \n- powerpc/pci: Add ppc_md.discover_phbs() (Oliver OHalloran) \n- Platform: OLPC: Fix probe error handling (Lubomir Rintel) \n- mmc: mediatek: fix race condition between msdc_request_timeout and irq (Chaotian Jing) \n- mmc: mxs-mmc: Fix a resource leak in an error handling path in mxs_mmc_probe() (Christophe JAILLET) \n- udf: fix silent AED tagLocation corruption (Steven J. 
Magnani) \n- i2c: rcar: optimize cacheline to minimize HW race condition (Wolfram Sang) \n- i2c: rcar: faster irq code to minimize HW race condition (Wolfram Sang) \n- net: phy: fix save wrong speed and duplex problem if autoneg is on (Guangbin Huang) \n- net: enetc: initialize RFS/RSS memories for unused ports too (Vladimir Oltean) \n- net: hns3: fix error mask definition of flow director (Jian Shen) \n- media: rc: compile rc-cec.c into rc-core (Hans Verkuil) \n- media: v4l: vsp1: Fix bru null pointer access (Biju Das) \n- media: v4l: vsp1: Fix uif null pointer access (Biju Das) \n- media: usbtv: Fix deadlock on suspend (Maxim Mikityanskiy) \n- sh_eth: fix TRSCER mask for R7S9210 (Sergey Shtylyov) \n- qxl: Fix uninitialised struct field head.surface_id (Colin Ian King) \n- s390/crypto: return -EFAULT if copy_to_user() fails (Wang Qing) \n- s390/cio: return -EFAULT if copy_to_user() fails (Eric Farman) \n- drm: meson_drv add shutdown function (Artem Lapkin) \n- drm/shmem-helper: Dont remove the offset in vm_area_struct pgoff (Neil Roberts) \n- drm/shmem-helper: Check for purged buffers in fault handler (Neil Roberts) \n- drm/compat: Clear bounce structures (Daniel Vetter) \n- bnxt_en: reliably allocate IRQ table on reset to avoid crash (Edwin Peer) \n- s390/cio: return -EFAULT if copy_to_user() fails again (Wang Qing) \n- net: hns3: fix bug when calculating the TCAM table info (Jian Shen) \n- net: hns3: fix query vlan mask value error for flow director (Jian Shen) \n- perf traceevent: Ensure read cmdlines are null terminated. 
(Ian Rogers) \n- selftests: forwarding: Fix race condition in mirror installation (Danielle Ratson) \n- net: stmmac: fix watchdog timeout during suspend/resume stress test (Joakim Zhang) \n- net: stmmac: stop each tx channel independently (Joakim Zhang) \n- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (Antony Antony) \n- net: qrtr: fix error return code of qrtr_sendmsg() (Jia-Ju Bai) \n- net: davicom: Fix regulator not turned off on driver removal (Paul Cercueil) \n- net: davicom: Fix regulator not turned off on failed probe (Paul Cercueil) \n- net: lapbether: Remove netif_start_queue / netif_stop_queue (Xie He) \n- netdevsim: init u64 stats for 32bit hardware (Hillf Danton) \n- net: usb: qmi_wwan: allow qmimux add/del with master up (Daniele Palmas) \n- net: sched: avoid duplicates in classes dump (Maximilian Heyne) \n- nexthop: Do not flush blackhole nexthops when loopback goes down (Ido Schimmel) \n- net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 (Ong Boon Leong) \n- net/mlx4_en: update moderation when config reset (Kevin(Yudong) Yang) \n- net: enetc: dont overwrite the RSS indirection table when initializing (Vladimir Oltean) \n- Revert mm, slub: consider rest of partial list if acquire_slab() fails (Linus Torvalds) \n- cifs: return proper error code in statfs(2) (Paulo Alcantara) \n- mount: fix mounting of detached mounts onto targets that reside on shared mounts (Christian Brauner) \n- powerpc/603: Fix protection of user pages mapped with PROT_NONE (Christophe Leroy) \n- mt76: dma: do not report truncated frames to mac80211 (Lorenzo Bianconi) \n- ibmvnic: always store valid MAC address (Jiri Wiesner) \n- samples, bpf: Add missing munmap in xdpsock (Maciej Fijalkowski) \n- selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (Yauheni Kaliuta) \n- selftests/bpf: No need to drop the packet when there is no geneve opt (Hangbin Liu) \n- netfilter: x_tables: gpf inside xt_find_revision() (Vasily 
Averin) \n- netfilter: nf_nat: undo erroneous tcp edemux lookup (Florian Westphal) \n- tcp: add sanity tests to TCP_QUEUE_SEQ (Eric Dumazet) \n- can: tcan4x5x: tcan4x5x_init(): fix initialization - clear MRAM before entering Normal Mode (Torin Cooper-Bennun) \n- can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (Joakim Zhang) \n- can: flexcan: enable RX FIFO after FRZ/HALT valid (Joakim Zhang) \n- can: flexcan: assert FRZ bit in flexcan_chip_freeze() (Joakim Zhang) \n- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (Oleksij Rempel) \n- sh_eth: fix TRSCER mask for SH771x (Sergey Shtylyov) \n- net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 (Balazs Nemeth) \n- net: check if protocol extracted by virtio_net_hdr_set_proto is correct (Balazs Nemeth) \n- net: Fix gro aggregation for udp encaps with zero csum (Daniel Borkmann) \n- ath9k: fix transmitting to stations in dynamic SMPS mode (Felix Fietkau) \n- ethernet: alx: fix order of calls on resume (Jakub Kicinski) \n- powerpc/pseries: Dont enforce MSI affinity with kdump (Greg Kurz) \n- uapi: nfnetlink_cthelper.h: fix userspace compilation error (Dmitry V. Levin) \n- LTS tag: v5.4.105 (Jack Vogel) \n- nvme-pci: add quirks for Lexar 256GB SSD (Pascal Terjan) \n- nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST. (Julian Einwag) \n- HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (Hans de Goede) \n- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (Jisheng Zhang) \n- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (AngeloGioacchino Del Regno) \n- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (Aswath Govindraju) \n- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (Bjorn Helgaas) \n- ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (Chris Chiu) \n- ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (Jasper St. 
Pierre) \n- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (Daniel Lee Kruse) \n- HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (Ethan Warth) \n- platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (Hans de Goede) \n- platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (Hans de Goede) \n- platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (Hans de Goede) \n- platform/x86: acer-wmi: Add new force_caps module parameter (Hans de Goede) \n- platform/x86: acer-wmi: Cleanup accelerometer device handling (Hans de Goede) \n- platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (Hans de Goede) \n- mwifiex: pcie: skip cancel_work_sync() on reset failure path (Tsuchiya Yuto) \n- iommu/amd: Fix sleeping in atomic in increase_address_space() (Andrey Ryabinin) \n- ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (Hans de Goede) \n- dm table: fix zoned iterate_devices based device capability checks (Jeffle Xu) \n- dm table: fix DAX iterate_devices based device capability checks (Jeffle Xu) \n- dm table: fix iterate_devices based device capability checks (Jeffle Xu) \n- net: dsa: add GRO support via gro_cells (Alexander Lobakin) \n- LTS tag: v5.4.104 (Jack Vogel) \n- r8169: fix resuming from suspend on RTL8105e if machine runs on battery (Heiner Kallweit) \n- rsxx: Return -EFAULT if copy_to_user() fails (Dan Carpenter) \n- ftrace: Have recordmcount use w8 to read relp-\u003er_info in arm64_is_fake_mcount (Chen Jun) \n- ALSA: hda: intel-nhlt: verify config type (Pierre-Louis Bossart) \n- IB/mlx5: Add missing error code (YueHaibing) \n- RDMA/rxe: Fix missing kconfig dependency on CRYPTO (Julian Braha) \n- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (Colin Ian King) \n- usbip: tools: fix build error for multiple definition (Antonio Borneo) \n- crypto - shash: reduce minimum alignment of shash_desc structure (Ard 
Biesheuvel) \n- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (Timothy E Baldwin) \n- drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (Kevin Wang) \n- dm verity: fix FEC for RS roots unaligned to block size (Milan Broz) \n- dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size (Mikulas Patocka) \n- PM: runtime: Update device status before letting suppliers suspend (Rafael J. Wysocki) \n- btrfs: fix warning when creating a directory with smack enabled (Filipe Manana) \n- btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors (Nikolay Borisov) \n- btrfs: free correct amount of space in btrfs_delayed_inode_reserve_metadata (Nikolay Borisov) \n- btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl (Dan Carpenter) \n- btrfs: fix raid6 qstripe kmap (Ira Weiny) \n- btrfs: raid56: simplify tracking of Q stripe presence (David Sterba) \n- tpm, tpm_tis: Decorate tpm_get_timeouts() with request_locality() (Jarkko Sakkinen) \n- tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality() (Lukasz Majczak) \n- LTS tag: v5.4.103 (Jack Vogel) \n- ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board (Takashi Iwai) \n- ALSA: hda/realtek: Add quirk for Intel NUC 10 (Werner Sembach) \n- ALSA: hda/realtek: Add quirk for Clevo NH55RZQ (Eckhart Mohr) \n- media: v4l: ioctl: Fix memory leak in video_usercopy (Sakari Ailus) \n- swap: fix swapfile read/write offset (Jens Axboe) \n- zsmalloc: account the number of compacted pages correctly (Rokudo Yan) \n- xen-netback: respect gnttab_map_refs()s return value (Jan Beulich) \n- Xen/gnttab: handle p2m update errors on a per-slot basis (Jan Beulich) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: 
Add quirk for the Estar Beauty HD MID 7316R tablet (Hans de Goede) \n- sched/features: Fix hrtick reprogramming (Juri Lelli) \n- parisc: Bump 64-bit IRQ stack size to 64 KB (John David Anglin) \n- perf/x86/kvm: Add Cascade Lake Xeon steppings to isolation_ucodes[] (Jim Mattson) \n- btrfs: fix error handling in commit_fs_roots (Josef Bacik) \n- ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (Hans de Goede) \n- nvme-tcp: add clean action for failed reconnection (Chao Leng) \n- nvme-rdma: add clean action for failed reconnection (Chao Leng) \n- nvme-core: add cancel tagset helpers (Chao Leng) \n- f2fs: fix to set/clear I_LINKABLE under i_lock (Chao Yu) \n- f2fs: handle unallocated section and zone on pinned/atgc (Jaegeuk Kim) \n- media: uvcvideo: Allow entities with no pads (Ricardo Ribalda) \n- drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (Nicholas Kazlauskas) \n- PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (Nirmoy Das) \n- drm/amdgpu: Add check to prevent IH overflow (Defang Bo) \n- crypto: tcrypt - avoid signed overflow in byte count (Ard Biesheuvel) \n- drm/hisilicon: Fix use-after-free (Tian Tao) \n- brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (Hans de Goede) \n- brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (Hans de Goede) \n- staging: bcm2835-audio: Replace unsafe strcpy() with strscpy() (Juerg Haefliger) \n- staging: most: sound: add sanity check for function argument (Christian Gromm) \n- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (Gopal Tiwari) \n- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (Fangrui Song) \n- ath10k: fix wmi mgmt tx queue full due to race condition (Miaoqing Pan) \n- pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() (Di Zhu) \n- Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (Claire Chang) \n- wlcore: Fix command execute failure 19 for wl12xx (Tony Lindgren) \n- vt/consolemap: do font 
sum unsigned (Jiri Slaby) \n- x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk (Heiner Kallweit) \n- staging: fwserial: Fix error handling in fwserial_create (Dinghao Liu) \n- rsi: Move card interrupt handling to RX thread (Marek Vasut) \n- rsi: Fix TX EAPOL packet handling against iwlwifi AP (Marek Vasut) \n- drm/virtio: use kvmalloc for large allocations (Sergey Senozhatsky) \n- MIPS: Drop 32-bit asm string functions (Paul Burton) \n- dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/ (Geert Uytterhoeven) \n- dt-bindings: ethernet-controller: fix fixed-link specification (Russell King) \n- net: fix dev_ifsioc_locked() race condition (Cong Wang) \n- net: ag71xx: remove unnecessary MTU reservation (DENG Qingfang) \n- net: bridge: use switchdev for port flags set through sysfs too (Vladimir Oltean) \n- mm/hugetlb.c: fix unnecessary address expansion of pmd sharing (Li Xinhai) \n- nbd: handle device refs for DESTROY_ON_DISCONNECT properly (Josef Bacik) \n- net: fix up truesize of cloned skb in skb_prepare_for_shift() (Marco Elver) \n- smackfs: restrict bytes count in smackfs write functions (Sabyrzhan Tasbolatov) \n- net/af_iucv: remove WARN_ONCE on malformed RX packets (Alexander Egorenkov) \n- xfs: Fix assert failure in xfs_setattr_size() (Yumei Huang) \n- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (Hans Verkuil) \n- erofs: fix shift-out-of-bounds of blkszbits (Gao Xiang) \n- media: mceusb: sanity check for prescaler value (Sean Young) \n- udlfb: Fix memory leak in dlfb_usb_probe (Zqiang) \n- JFS: more checks for invalid superblock (Randy Dunlap) \n- MIPS: VDSO: Use CLANG_FLAGS instead of filtering out --target= (Nathan Chancellor) \n- arm64 module: set plt* section addresses to 0x0 (Shaoying Xu) \n- nvme-pci: fix error unwind in nvme_map_data (Christoph Hellwig) \n- nvme-pci: refactor nvme_unmap_data (Christoph Hellwig) \n- Input: elantech - fix protocol errors for some trackpoints in SMBus mode (jingle.wu) \n- net: usb: 
qmi_wwan: support ZTE P685M modem (Lech Perczak) \n- LTS tag: v5.4.102 (Jack Vogel) \n- ARM: dts: aspeed: Add LCLK to lpc-snoop (John Wang) \n- net: qrtr: Fix memory leak in qrtr_tun_open (Takeshi Misawa) \n- dm era: Update in-core bitset after committing the metadata (Nikos Tsironis) \n- net: sched: fix police ext initialization (Vlad Buslov) \n- net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending (Jason A. Donenfeld) \n- ipv6: silence compilation warning for non-IPV6 builds (Leon Romanovsky) \n- ipv6: icmp6: avoid indirect call for icmpv6_send() (Eric Dumazet) \n- xfrm: interface: use icmp_ndo_send helper (Jason A. Donenfeld) \n- sunvnet: use icmp_ndo_send helper (Jason A. Donenfeld) \n- gtp: use icmp_ndo_send helper (Jason A. Donenfeld) \n- icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n (Jason A. Donenfeld) \n- icmp: introduce helper for natd source address in network device context (Jason A. Donenfeld) \n- drm/i915: Reject 446-480MHz HDMI clock on GLK (Ville Syrjala) \n- dm era: only resize metadata in preresume (Nikos Tsironis) \n- dm era: Reinitialize bitset cache before digesting a new writeset (Nikos Tsironis) \n- dm era: Use correct value size in equality function of writeset tree (Nikos Tsironis) \n- dm era: Fix bitset memory leaks (Nikos Tsironis) \n- dm era: Verify the data block size hasnt changed (Nikos Tsironis) \n- dm era: Recover committed writeset after crash (Nikos Tsironis) \n- dm writecache: fix writing beyond end of underlying device when shrinking (Mikulas Patocka) \n- dm: fix deadlock when swapping to encrypted device (Mikulas Patocka) \n- gfs2: Recursive gfs2_quota_hold in gfs2_iomap_end (Andreas Gruenbacher) \n- gfs2: Dont skip dlm unlock if glock has an lvb (Bob Peterson) \n- spi: spi-synquacer: fix set_cs handling (Masahisa Kojima) \n- sparc32: fix a user-triggerable oops in clear_user() (Al Viro) \n- f2fs: fix out-of-repair __setattr_copy() (Chao Yu) \n- um: mm: check more comprehensively for stub changes 
(Johannes Berg) \n- virtio/s390: implement virtio-ccw revision 2 correctly (Cornelia Huck) \n- s390/vtime: fix inline assembly clobber list (Heiko Carstens) \n- cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available (Chen Yu) \n- printk: fix deadlock when kernel panic (Muchun Song) \n- gpio: pcf857x: Fix missing first interrupt (Maxim Kiselev) \n- spmi: spmi-pmic-arb: Fix hw_irq overflow (Subbaraman Narayanamurthy) \n- powerpc/32s: Add missing call to kuep_lock on syscall entry (Christophe Leroy) \n- mmc: sdhci-esdhc-imx: fix kernel panic when remove module (Frank Li) \n- module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols (Fangrui Song) \n- media: smipcie: fix interrupt handling and IR timeout (Sean Young) \n- arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 (Suzuki K Poulose) \n- hugetlb: fix copy_huge_page_from_user contig page struct assumption (Mike Kravetz) \n- hugetlb: fix update_and_free_page contig page struct assumption (Mike Kravetz) \n- x86: fix seq_file iteration for pat/memtype.c (NeilBrown) \n- seq_file: document how per-entry resources are managed. 
(NeilBrown) \n- fs/affs: release old buffer head on error path (Pan Bian) \n- mtd: spi-nor: hisi-sfc: Put child node np on error path (Pan Bian) \n- mtd: spi-nor: core: Add erase size check for erase command initialization (Takahiro Kuwano) \n- mtd: spi-nor: core: Fix erase type discovery for overlaid region (Takahiro Kuwano) \n- mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region (Takahiro Kuwano) \n- mtd: spi-nor: sfdp: Fix last erase region marking (Takahiro Kuwano) \n- watchdog: mei_wdt: request stop on unregister (Alexander Usyskin) \n- watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ (Sai Prakash Ranjan) \n- arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing (He Zhe) \n- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (qiuguorui1) \n- floppy: reintroduce O_NDELAY fix (Jiri Kosina) \n- rcu/nocb: Perform deferred wake up before last idles need_resched() check (Frederic Weisbecker) \n- rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (Frederic Weisbecker) \n- powerpc/prom: Fix ibm,arch-vec-5-platform-support scan (Cedric Le Goater) \n- x86/reboot: Force all cpus to exit VMX root if VMX is supported (Sean Christopherson) \n- x86/virt: Eat faults on VMXOFF in reboot flows (Sean Christopherson) \n- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (Pavel Machek) \n- staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table (Martin Kaiser) \n- staging: gdm724x: Fix DMA from stack (Amey Narkhede) \n- staging/mt7621-dma: mtk-hsdma.c-\u003ehsdma-mt7621.c (Ilya Lipnitskiy) \n- dts64: mt7622: fix slow sd card access (Frank Wunderlich) \n- pstore: Fix typo in compression option name (Jiri Bohac) \n- drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue (Sabyrzhan Tasbolatov) \n- misc: rtsx: init of rts522a add OCP power off when no card is present (Ricky Wu) \n- seccomp: Add missing return in non-void function (Paul Cercueil) \n- crypto: sun4i-ss 
- initialize need_fallback (Corentin Labbe) \n- crypto: sun4i-ss - handle BigEndian for cipher (Corentin Labbe) \n- crypto: sun4i-ss - checking sg length is not sufficient (Corentin Labbe) \n- crypto: aesni - prevent misaligned buffers on the stack (Ard Biesheuvel) \n- crypto: arm64/sha - add missing module aliases (Ard Biesheuvel) \n- btrfs: fix extent buffer leak on failure to copy root (Filipe Manana) \n- btrfs: splice remaining dirty_bgs onto the transaction dirty bg list (Josef Bacik) \n- btrfs: fix reloc root leak with 0 ref reloc roots on recovery (Josef Bacik) \n- btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (Josef Bacik) \n- KEYS: trusted: Fix migratable=1 failing (Jarkko Sakkinen) \n- tpm_tis: Clean up locality release (James Bottomley) \n- tpm_tis: Fix check_locality for correct locality acquisition (James Bottomley) \n- erofs: initialized fields can only be observed after bit is set (Gao Xiang) \n- drm/sched: Cancel and flush all outstanding jobs before finish. 
(Andrey Grodzovsky) \n- drm/nouveau/kms: handle mDP connectors (Karol Herbst) \n- drm/amdgpu: Set reference clock to 100Mhz on Renoir (v2) (Alex Deucher) \n- drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1 (Rodrigo Siqueira) \n- bcache: Move journal work to new flush wq (Kai Krakow) \n- bcache: Give btree_io_wq correct semantics again (Kai Krakow) \n- Revert bcache: Kill btree_io_wq (Kai Krakow) \n- ALSA: hda/realtek: modify EAPD in the ALC886 (PeiSen Hou) \n- ALSA: hda: Add another CometLake-H PCI ID (Kai Vehmanen) \n- USB: serial: mos7720: fix error code in mos7720_write() (Dan Carpenter) \n- USB: serial: mos7840: fix error code in mos7840_write() (Dan Carpenter) \n- USB: serial: ftdi_sio: fix FTX sub-integer prescaler (Johan Hovold) \n- usb: dwc3: gadget: Fix dep-\u003einterval for fullspeed interrupt (Thinh Nguyen) \n- usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 (Thinh Nguyen) \n- usb: musb: Fix runtime PM race in musb_queue_resume_work (Paul Cercueil) \n- USB: serial: option: update interface mapping for ZTE P685M (Lech Perczak) \n- media: mceusb: Fix potential out-of-bounds shift (James Reynolds) \n- Input: i8042 - add ASUS Zenbook Flip to noselftest list (Marcos Paulo de Souza) \n- Input: joydev - prevent potential read overflow in ioctl (Dan Carpenter) \n- Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (Olivier Crete) \n- Input: raydium_ts_i2c - do not send zero length (jeffrey.lin) \n- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (Jason Gerecke) \n- HID: logitech-dj: add support for keyboard events in eQUAD step 4 Gaming (Filipe Lains) \n- ACPI: configfs: add missing check after configfs_register_default_group() (Qinglang Miao) \n- ACPI: property: Fix fwnode string properties matching (Rafael J. 
Wysocki) \n- blk-settings: align max_sectors on logical_block_size boundary (Mikulas Patocka) \n- scsi: bnx2fc: Fix Kconfig warning \u0026 CNIC build errors (Randy Dunlap) \n- mm/rmap: fix potential pte_unmap on an not mapped pte (Miaohe Lin) \n- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (Maxime Ripard) \n- arm64: Add missing ISB after invalidating TLB in __primary_switch (Marc Zyngier) \n- r8169: fix jumbo packet handling on RTL8168e (Heiner Kallweit) \n- mm/compaction: fix misbehaviors of fast_find_migrateblock() (Wonhyuk Yang) \n- mm/hugetlb: fix potential double free in hugetlb_register_node() error path (Miaohe Lin) \n- mm/memory.c: fix potential pte_unmap_unlock pte error (Miaohe Lin) \n- ocfs2: fix a use after free on error (Dan Carpenter) \n- vxlan: move debug check after netdev unregister (Taehee Yoo) \n- net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (Chuhong Yuan) \n- vfio/type1: Use follow_pte() (Alex Williamson) \n- i40e: Fix add TC filter for IPv6 (Mateusz Palczewski) \n- i40e: Fix VFs not created (Sylwester Dziedziuch) \n- i40e: Fix addition of RX filters after enabling FW LLDP agent (Mateusz Palczewski) \n- i40e: Fix overwriting flow control settings during driver loading (Mateusz Palczewski) \n- i40e: Add zero-initialization of AQ command structures (Mateusz Palczewski) \n- i40e: Fix flow for IPv6 next header (extension header) (Slawomir Laba) \n- regmap: sdw: use _no_pm functions in regmap_read/write (Bard Liao) \n- nvmem: core: skip child nodes not matching binding (Ahmad Fatoum) \n- nvmem: core: Fix a resource leak on error in nvmem_add_cells_from_of() (Dan Carpenter) \n- ext4: fix potential htree index checksum corruption (Theodore Tso) \n- vfio/iommu_type1: Fix some sanity checks in detach group (Keqian Zhu) \n- drm/msm/mdp5: Fix wait-for-commit for cmd panels (Iskren Chernev) \n- drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (Konrad Dybcio) \n- mei: hbm: call mei_set_devstate() on hbm stop response (Alexander Usyskin) \n- 
PCI: Align checking of syscall user config accessors (Heiner Kallweit) \n- VMCI: Use set_page_dirty_lock() when unregistering guest memory (Jorgen Hansen) \n- pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (Simon South) \n- soundwire: cadence: fix ACK/NAK handling (Pierre-Louis Bossart) \n- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (Aswath Govindraju) \n- phy: rockchip-emmc: emmc_phy_init() always return 0 (Chris Ruehl) \n- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (Aswath Govindraju) \n- sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set (Randy Dunlap) \n- Input: elo - fix an error code in elo_connect() (Dan Carpenter) \n- perf test: Fix unaligned access in sample parsing test (Namhyung Kim) \n- perf intel-pt: Fix premature IPC (Adrian Hunter) \n- perf intel-pt: Fix missing CYC processing in PSB (Adrian Hunter) \n- Input: sur40 - fix an error code in sur40_probe() (Dan Carpenter) \n- RDMA/hns: Fixes missing error code of CMDQ (Lang Cheng) \n- nfsd: register pernet ops last, unregister first (J. 
Bruce Fields) \n- clk: aspeed: Fix APLL calculate formula from ast2600-A2 (Ryan Chen) \n- regulator: qcom-rpmh: fix pm8009 ldo7 (Jonathan Marek) \n- spi: pxa2xx: Fix the controller numbering for Wildcat Point (Andy Shevchenko) \n- RDMA/hns: Fix type of sq_signal_bits (Weihang Li) \n- RDMA/siw: Fix calculation of tx_valid_cpus size (Kamal Heib) \n- RDMA/hns: Fixed wrong judgments in the goto branch (Wenpeng Liang) \n- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (AngeloGioacchino Del Regno) \n- powerpc/8xx: Fix software emulation interrupt (Christophe Leroy) \n- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (Nathan Lynch) \n- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (Dan Carpenter) \n- spi: stm32: properly handle 0 byte transfer (Alain Volmat) \n- RDMA/rxe: Correct skb on loopback path (Bob Pearson) \n- RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (Bob Pearson) \n- RDMA/rxe: Fix coding error in rxe_recv.c (Bob Pearson) \n- perf vendor events arm64: Fix Ampere eMag event typo (John Garry) \n- perf tools: Fix DSO filtering when not finding a map for a sampled address (Arnaldo Carvalho de Melo) \n- tracepoint: Do not fail unregistering a probe due to memory failure (Steven Rostedt (VMware)) \n- IB/cm: Avoid a loop when device has 255 ports (Parav Pandit) \n- IB/mlx5: Return appropriate error code instead of ENOMEM (Parav Pandit) \n- amba: Fix resource leak for drivers without .remove (Uwe Kleine-Konig) \n- i2c: qcom-geni: Store DMA mapping data in geni_i2c_dev struct (Roja Rani Yarubandi) \n- ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores (Vladimir Murzin) \n- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (Takeshi Saito) \n- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (Christophe JAILLET) \n- mmc: sdhci-sprd: Fix some resource leaks in the remove function (Christophe JAILLET) \n- powerpc/47x: Disable 256k page size 
(Christophe Leroy) \n- KVM: PPC: Make the VMX instruction emulation routines static (Cedric Le Goater) \n- IB/umad: Return EPOLLERR in case of when device disassociated (Shay Drory) \n- IB/umad: Return EIO in case of when device disassociated (Shay Drory) \n- objtool: Fix .cold section suffix check for newer versions of GCC (Josh Poimboeuf) \n- objtool: Fix error handling for STD/CLD warnings (Josh Poimboeuf) \n- auxdisplay: ht16k33: Fix refresh rate handling (Geert Uytterhoeven) \n- isofs: release buffer head before return (Pan Bian) \n- regulator: core: Avoid debugfs: Directory ... already present! error (Hans de Goede) \n- regulator: s5m8767: Drop regulators OF node reference (Krzysztof Kozlowski) \n- spi: atmel: Put allocated master before return (Pan Bian) \n- regulator: s5m8767: Fix reference count leak (Pan Bian) \n- certs: Fix blacklist flag type confusion (David Howells) \n- regulator: axp20x: Fix reference cout leak (Pan Bian) \n- clk: sunxi-ng: h6: Fix clock divider range on some clocks (Andre Przywara) \n- RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (Yishai Hadas) \n- clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined (Tom Rix) \n- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (Arnd Bergmann) \n- rtc: s5m: select REGMAP_I2C (Bartosz Golaszewski) \n- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (Claudiu Beznea) \n- of/fdt: Make sure no-map does not remove already reserved regions (Nicolas Boichat) \n- fdt: Properly handle no-map field in the memory region (KarimAllah Ahmed) \n- mfd: bd9571mwv: Use devm_mfd_add_devices() (Yoshihiro Shimoda) \n- dmaengine: hsu: disable spurious interrupt (Ferry Toth) \n- dmaengine: owl-dma: Fix a resource leak in the remove function (Christophe JAILLET) \n- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (Christophe JAILLET) \n- dmaengine: fsldma: Fix a resource leak in the remove function (Christophe JAILLET) \n- RDMA/siw: Fix 
handling of zero-sized Read and Receive Queues. (Bernard Metzler) \n- HID: core: detect and skip invalid inputs to snto32() (Randy Dunlap) \n- clk: sunxi-ng: h6: Fix CEC clock (Andre Przywara) \n- spi: cadence-quadspi: Abort read if dummy cycles required are too many (Pratyush Yadav) \n- i2c: iproc: handle master read request (Rayagonda Kokatanur) \n- i2c: iproc: update slave isr mask (ISR_MASK_SLAVE) (Rayagonda Kokatanur) \n- i2c: iproc: handle only slave interrupts which are enabled (Rayagonda Kokatanur) \n- quota: Fix memory leak when handling corrupted quota file (Jan Kara) \n- selftests/powerpc: Make the test check in eeh-basic.sh posix compliant (Po-Hsu Lin) \n- clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (Martin Blumenstingl) \n- clk: meson: clk-pll: make ret a signed integer (Martin Blumenstingl) \n- clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (Martin Blumenstingl) \n- HSI: Fix PM usage counter unbalance in ssi_hw_init (Zhang Qilong) \n- capabilities: Dont allow writing ambiguous v3 file capabilities (Eric W. 
Biederman) \n- ubifs: Fix error return code in alloc_wbufs() (Wang ShaoBo) \n- ubifs: Fix memleak in ubifs_init_authentication (Dinghao Liu) \n- jffs2: fix use after free in jffs2_sum_write_data() (Tom Rix) \n- fs/jfs: fix potential integer overflow on shift of a int (Colin Ian King) \n- ASoC: simple-card-utils: Fix device module clock (Sameer Pujar) \n- ima: Free IMA measurement buffer after kexec syscall (Lakshmi Ramasubramanian) \n- ima: Free IMA measurement buffer on error (Lakshmi Ramasubramanian) \n- crypto: ecdh_helper - Ensure len \u003e= secret.len in decode_key() (Daniele Alessandrelli) \n- hwrng: timeriomem - Fix cooldown period calculation (Jan Henrik Weinstock) \n- btrfs: clarify error returns values in __load_free_space_cache (Zhihao Cheng) \n- ASoC: SOF: debug: Fix a potential issue on string buffer termination (Hui Wang) \n- Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (Andrea Parri (Microsoft)) \n- f2fs: fix a wrong condition in __submit_bio (Dehe Gu) \n- drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() (Dan Carpenter) \n- f2fs: fix to avoid inconsistent quota data (Yi Chen) \n- mtd: parsers: afs: Fix freeing the part name memory in failure (Manivannan Sadhasivam) \n- ASoC: cpcap: fix microphone timeslot mask (Sebastian Reichel) \n- ata: ahci_brcm: Add back regulators management (Florian Fainelli) \n- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (Christophe Leroy) \n- mtd: parser: imagetag: fix error codes in bcm963xx_parse_imagetag_partitions() (Dan Carpenter) \n- sched/eas: Dont update misfit status if the task is pinned (Qais Yousef) \n- media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values (Laurent Pinchart) \n- media: pxa_camera: declare variable when DEBUG is defined (Tom Rix) \n- media: cx25821: Fix a bug when reallocating some dma memory (Christophe JAILLET) \n- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (Luo Meng) \n- media: lmedm04: Fix misuse of 
comma (Joe Perches) \n- media: software_node: Fix refcounts in software_node_get_next_child() (Daniel Scally) \n- drm/amd/display: Fix HDMI deep color output for DCE 6-11. (Mario Kleiner) \n- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction. (Mario Kleiner) \n- bsg: free the request before return error code (Pan Bian) \n- MIPS: properly stop .eh_frame generation (Alexander Lobakin) \n- drm/sun4i: tcon: fix inverted DCLK polarity (Giulio Benetti) \n- crypto: bcm - Rename struct device_private to bcm_device_private (Jiri Olsa) \n- evm: Fix memleak in init_desc (Dinghao Liu) \n- ASoC: cs42l56: fix up error handling in probe (Dan Carpenter) \n- media: aspeed: fix error return code in aspeed_video_setup_video() (Zhang Changzhong) \n- media: tm6000: Fix memleak in tm6000_start_stream (Dinghao Liu) \n- media: media/pci: Fix memleak in empress_init (Dinghao Liu) \n- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (Dinghao Liu) \n- media: vsp1: Fix an error handling path in the probe function (Christophe JAILLET) \n- media: camss: missing error code in msm_video_register() (Dan Carpenter) \n- media: imx: Fix csc/scaler unregister (Ezequiel Garcia) \n- media: imx: Unregister csc/scaler only if registered (Ezequiel Garcia) \n- media: i2c: ov5670: Fix PIXEL_RATE minimum value (Jacopo Mondi) \n- MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 (Nathan Chancellor) \n- MIPS: c-r4k: Fix section mismatch for loongson2_sc_init (Nathan Chancellor) \n- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (Chenyang Li) \n- crypto: arm64/aes-ce - really hide slower algos when faster ones are enabled (Ard Biesheuvel) \n- crypto: sun4i-ss - fix kmap usage (Corentin Labbe) \n- crypto: sun4i-ss - linearize buffers content must be kept (Corentin Labbe) \n- drm/fb-helper: Add missed unlocks in setcmap_legacy() (Chuhong Yuan) \n- gma500: clean up error handling in init (Dan Carpenter) \n- drm/gma500: Fix error return code in 
psb_driver_load() (Jialin Zhang) \n- fbdev: aty: SPARC64 requires FB_ATY_CT (Randy Dunlap) \n- net: mvneta: Remove per-cpu queue mapping for Armada 3700 (Maxime Chevallier) \n- net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP (Shyam Sundar S K) \n- net: amd-xgbe: Reset link when the link never comes back (Shyam Sundar S K) \n- net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning (Shyam Sundar S K) \n- net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout (Shyam Sundar S K) \n- ibmvnic: skip send_request_unmap for timeout reset (Lijun Pan) \n- ibmvnic: add memory barrier to protect long term buffer (Lijun Pan) \n- b43: N-PHY: Fix the update of coef for the PHY revision \u003e= 3case (Colin Ian King) \n- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (Ayush Sawal) \n- net: axienet: Handle deferred probe on clock properly (Robert Hancock) \n- tcp: fix SO_RCVLOWAT related hangs under mem pressure (Eric Dumazet) \n- bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx (Jesper Dangaard Brouer) \n- mac80211: fix potential overflow when multiplying to u32 integers (Colin Ian King) \n- xen/netback: fix spurious event detection for common event case (Juergen Gross) \n- bnxt_en: reverse order of TX disable and carrier off (Edwin Peer) \n- ibmvnic: Set to CLOSED state even on error (Sukadev Bhattiprolu) \n- ath9k: fix data bus crash when setting nf_override via debugfs (Linus Lussing) \n- bpf_lru_list: Read double-checked variable once without lock (Marco Elver) \n- soc: aspeed: snoop: Add clock control logic (Jae Hyun Yoo) \n- ARM: s3c: fix fiq for clang IAS (Arnd Bergmann) \n- arm64: dts: msm8916: Fix reserved and rfsa nodes unit address (Vincent Knecht) \n- Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (Jupeng Zhong) \n- arm64: dts: armada-3720-turris-mox: rename u-boot mtd partition to a53-firmware (Marek Behun) \n- ARM: dts: armada388-helios4: assign pinctrl to each fan (Rosen 
Penev) \n- ARM: dts: armada388-helios4: assign pinctrl to LEDs (Rosen Penev) \n- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (Chen-Yu Tsai) \n- usb: dwc2: Make trimming xfer length a debug message (Guenter Roeck) \n- usb: dwc2: Abort transaction after errors with unknown reason (Guenter Roeck) \n- usb: dwc2: Do not update data length if it is 0 on inbound transfers (Guenter Roeck) \n- ARM: dts: Configure missing thermal interrupt for 4430 (Tony Lindgren) \n- memory: ti-aemif: Drop child node when jumping out loop (Pan Bian) \n- Bluetooth: Put HCI device if inquiry procedure interrupts (Pan Bian) \n- Bluetooth: drop HCI device reference before return (Pan Bian) \n- usb: gadget: u_audio: Free requests only after callback (Jack Pham) \n- ACPICA: Fix exception code class checks (Maximilian Luz) \n- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in -\u003eremove() (Christophe JAILLET) \n- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (Christophe JAILLET) \n- arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz (Andre Przywara) \n- arm64: dts: allwinner: H6: Allow up to 150 MHz MMC bus frequency (Andre Przywara) \n- arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card (Andre Przywara) \n- arm64: dts: allwinner: H6: properly connect USB PHY to port 0 (Andre Przywara) \n- arm64: dts: allwinner: A64: properly connect USB PHY to port 0 (Andre Przywara) \n- bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (Andrii Nakryiko) \n- bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h (Andrii Nakryiko) \n- memory: mtk-smi: Fix PM usage counter unbalance in mtk_smi ops (Zhang Qilong) \n- arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso (Krzysztof Kozlowski) \n- arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family (Krzysztof Kozlowski) \n- ARM: dts: 
exynos: correct PMIC interrupt trigger level on Arndale Octa (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Spring (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Monk (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 (Krzysztof Kozlowski) \n- Bluetooth: Fix initializing response id after clearing struct (Christopher William Snowhill) \n- Bluetooth: hci_uart: Fix a race for write_work scheduling (Claire Chang) \n- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (Christophe JAILLET) \n- ath10k: Fix error handling in case of CE pipe init failure (Rakesh Pillai) \n- random: fix the RNDRESEEDCRNG ioctl (Eric Biggers) \n- MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section (Alexander Lobakin) \n- ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (Takashi Iwai) \n- bfq: Avoid false bfq queue merging (Jan Kara) \n- virt: vbox: Do not use wait_event_interruptible when called from kernel context (Hans de Goede) \n- PCI: Decline to resize resources if boot config must be preserved (Ard Biesheuvel) \n- PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (Ansuel Smith) \n- kdb: Make memory allocations more robust (Sumit Garg) \n- debugfs: do not attempt to create a new file before the filesystem is initalized (Greg Kroah-Hartman) \n- debugfs: be more robust at handling improper input in debugfs_lookup() (Greg Kroah-Hartman) \n- vmlinux.lds.h: add DWARF v5 sections (Nick Desaulniers) \n- x86/mce: Add Xeon Sapphire Rapids to list of CPUs that support PPIN (Tony Luck) [Orabug: 32978709] \n- x86/mce: Add Xeon Icelake to list of CPUs that support PPIN (Tony Luck) [Orabug: 32978709] \n- ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() (Rafael J. 
Wysocki) [Orabug: 32977864] \n- ACPI: tables: x86: Reserve memory occupied by ACPI tables (Rafael J. Wysocki) [Orabug: 32977864] \n- uek-rpm: update kABI lists for a new symbol (Saeed Mirzamohammadi) [Orabug: 32977531] \n- x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing (Thomas Gleixner) [Orabug: 32969739] \n- bluetooth: eliminate the potential race condition when removing the HCI controller (Lin Ma) [Orabug: 32912033] {CVE-2021-32399}", + "Platform": [ + "Oracle Linux 7", + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-9362.html", + "ID": "ELSA-2021-9362" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-23133.html", + "ID": "CVE-2021-23133" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2021-33034.html", + "ID": "CVE-2021-33034" + } + ], + "Criteria": { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-devel is 
signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-tools is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools-libs is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-tools-libs is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "perf is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "perf is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "python-perf is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "python-perf is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.203.5.el7uek" 
+ }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-tools is earlier than 0:5.4.17-2102.203.5.el7uek" + }, + { + "Comment": "kernel-uek-tools is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 7 is installed" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is 
earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-debug is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-debug-devel is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-debug-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-devel is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-devel is signed with the Oracle Linux 8 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "kernel-uek-doc is earlier than 0:5.4.17-2102.203.5.el8uek" + }, + { + "Comment": "kernel-uek-doc is signed with the Oracle Linux 8 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + } + ], + "Criterions": null + }, + "Severity": 
"IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-23133.html", + "ID": "CVE-2021-23133" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2021-33034.html", + "ID": "CVE-2021-33034" + } + ] + } \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index 38c9ff35..2361a1a7 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go @@ -43,6 +43,11 @@ type AffectedPackage struct { } type Advisory struct { - FixedVersion string `json:",omitempty"` - Cves []string + Entries []Entry `json:",omitempty"` +} + +// Entry holds the unique advisory information per package flavor +type Entry struct { + FixedVersion string `json:",omitempty"` + VendorIDs []string `json:",omitempty"` } From f4bb50ae0ed247424422c6e36ad5007e73edc122 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Thu, 9 Jun 2022 10:15:04 -0400 Subject: [PATCH 04/16] PR review feedback - Simplify data structures - Reduce loops - Refactor out functions - Cleanup syntax --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 154 +++++++++++-------------- pkg/vulnsrc/oracle-oval/types.go | 6 + 2 files changed, 76 insertions(+), 84 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 10e80cd0..7d316017 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go 
@@ -84,12 +84,8 @@ func (vs VulnSrc) save(ovals []OracleOVAL) error { } func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { - advisories := make(map[string]map[string]map[string]Advisory) - for _, platform := range targetPlatforms { - advisories[platform] = make(map[string]map[string]Advisory) - } - - vulnerabilityDetails := make(map[string]types.VulnerabilityDetail) + advisories := map[bucket]Advisory{} + vulnerabilityDetails := map[string]types.VulnerabilityDetail{} for _, oval := range ovals { elsaID := strings.Split(oval.Title, ":")[0] @@ -97,9 +93,13 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { var vulnIDs []string for _, cve := range oval.Cves { vulnIDs = append(vulnIDs, cve.ID) + + vulnerabilityDetails[cve.ID] = mergeVulnerabilityDetails(vulnerabilityDetails[cve.ID], oval, []string{elsaID, cve.ID}) } if len(vulnIDs) == 0 { vulnIDs = append(vulnIDs, elsaID) + + vulnerabilityDetails[elsaID] = mergeVulnerabilityDetails(vulnerabilityDetails[elsaID], oval, []string{elsaID}) } affectedPkgs := walkOracle(oval.Criteria, "", []AffectedPackage{}) 
@@ -117,78 +117,15 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { return xerrors.Errorf("failed to put data source: %w", err) } - platformAdvisories := advisories[platformName] - - packageAdvisories, exists := platformAdvisories[affectedPkg.Package.Name] - if !exists { - packageAdvisories = make(map[string]Advisory) - platformAdvisories[affectedPkg.Package.Name] = packageAdvisories - } - for _, vulnID := range vulnIDs { - cveAdvisory, cveAdvisoryExists := packageAdvisories[vulnID] - if !cveAdvisoryExists { - cveAdvisory = Advisory{ - Entries: []Entry{}, - } - } - - found := false - for i, entry := range cveAdvisory.Entries { - entryFlavor := getFlavor(entry.FixedVersion) - affectedFlavor := getFlavor(affectedPkg.Package.FixedVersion) - - if entryFlavor == affectedFlavor { - found = true - // This fixed version is newer than the previously found fixed version - if version.NewVersion(entry.FixedVersion).Compare(version.NewVersion(affectedPkg.Package.FixedVersion)) < 0 { - cveAdvisory.Entries[i].FixedVersion = affectedPkg.Package.FixedVersion - } - - // Add the ELSA ID to the vendor ID list - if !ustrings.InSlice(elsaID, entry.VendorIDs) { - cveAdvisory.Entries[i].VendorIDs = append(entry.VendorIDs, elsaID) - } - } - } - - if !found { - cveAdvisory.Entries = append(cveAdvisory.Entries, Entry{ - FixedVersion: affectedPkg.Package.FixedVersion, - VendorIDs: []string{elsaID}, - }) + bkt := bucket{ + platform: platformName, + vulnID: vulnID, + pkgName: affectedPkg.Package.Name, } - - packageAdvisories[vulnID] = cveAdvisory + advisories[bkt] = mergeEntries(advisories[bkt], affectedPkg, elsaID) } } - - // Collect vulnerability details - references and severity - // A CVE can be present in multiple ELSAs. Collect all the applicable references as we process them, later when done we'll insert - // the references. 
- for _, vulnID := range vulnIDs { - convertedSeverity := severityFromThreat(oval.Severity) - - vulDetails, found := vulnerabilityDetails[vulnID] - if !found { - vulDetails = types.VulnerabilityDetail{ - References: []string{}, - Severity: convertedSeverity, - } - } - - // If multple ELSAs for the same CVE have differing severities, use the highest one - if convertedSeverity > vulDetails.Severity { - vulDetails.Severity = convertedSeverity - } - - for _, ref := range oval.References { - if referencesFromContains(ref.URI, []string{elsaID, vulnID}) && !ustrings.InSlice(ref.URI, vulDetails.References) { - vulDetails.References = append(vulDetails.References, ref.URI) - } - } - vulnerabilityDetails[vulnID] = vulDetails - } } // Now that we've processed all the reports, we can save the vulnerability and advisory information @@ -202,18 +139,13 @@ func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { } } - for platformName, cveEntries := range advisories { - for packageName, packageEntry := range cveEntries { - for cveId, advisory := range packageEntry { - if err := vs.dbc.PutAdvisoryDetail(tx, cveId, packageName, []string{platformName}, advisory); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) - } - } + for bkt, advisory := range advisories { + if err := vs.dbc.PutAdvisoryDetail(tx, bkt.vulnID, bkt.pkgName, []string{bkt.platform}, advisory); err != nil { + return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) } } return nil - } func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) { 
@@ -283,6 +215,59 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa return pkgs } +func mergeVulnerabilityDetails(detail types.VulnerabilityDetail, oval OracleOVAL, vulnIDs []string) types.VulnerabilityDetail { + // Collect vulnerability details - references and severity + // A CVE can be present in multiple ELSAs. Collect all the applicable references as we process them, later when done we'll insert + // the references. + convertedSeverity := severityFromThreat(oval.Severity) + + // If multiple ELSAs for the same CVE have differing severities, use the highest one + if convertedSeverity > detail.Severity { + detail.Severity = convertedSeverity + } + + for _, ref := range oval.References { + if referencesFromContains(ref.URI, vulnIDs) && !ustrings.InSlice(ref.URI, detail.References) { + detail.References = append(detail.References, ref.URI) + } + } + + return detail +} + +func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisory { + found := false + for i, entry := range advisory.Entries { + entryFlavor := getFlavor(entry.FixedVersion) + affectedFlavor := getFlavor(pkg.Package.FixedVersion) + + if entryFlavor == affectedFlavor { + found = true + // This fixed version is newer than the previously found fixed version + if version.NewVersion(entry.FixedVersion).LessThan(version.NewVersion(pkg.Package.FixedVersion)) { + advisory.Entries[i].FixedVersion = pkg.Package.FixedVersion + } + + // Add the ELSA ID to the vendor ID list + if !ustrings.InSlice(elsaID, entry.VendorIDs) { + advisory.Entries[i].VendorIDs = append(entry.VendorIDs, elsaID) + } + + break + } + } + + if !found { + entry := Entry{ + FixedVersion: pkg.Package.FixedVersion, + VendorIDs: []string{elsaID}, + } + advisory.Entries = append(advisory.Entries, entry) + } + + return advisory +} + func referencesFromContains(source string, matches []string) bool { for _, m := range matches { if strings.Contains(source, m) { 
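Review bot: `mergeVulnerabilityDetails` decides which references belong to a vulnerability through `referencesFromContains`, which is a plain `strings.Contains` test, so an ID that is a prefix of another ID in the same definition also collects the other ID's URI (constructed example: `CVE-2021-3303` matches `https://linux.oracle.com/cve/CVE-2021-33034.html`). An empty `elsaID`, which `strings.Split(oval.Title, ":")[0]` yields for an empty title, matches every URI. The fixtures in this series show reference URIs ending in `/<ID>.html`, so anchoring the comparison would stop the cross-attribution: `if strings.HasSuffix(source, "/"+m+".html") {`. If reference URIs can take other forms, comparing against the reference's own ID value would be the safer variant. `referencesFromContains` appears here only as trailing context and its body continues outside the hunk.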
@@ -297,10 +282,11 @@ func referencesFromContains(source string, matches []string) bool { // - FIPS validated // - ksplice userspace. there can be "ksplice1" and "ksplice2" func getFlavor(version string) string { - if strings.HasSuffix(strings.ToLower(version), "_fips") { + version = strings.ToLower(version) + if strings.HasSuffix(version, "_fips") { return "fips" } else { - subs := strings.Split(strings.ToLower(version), ".") + subs := strings.Split(version, ".") for _, s := range subs { if strings.HasPrefix(s, "ksplice") { return s diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index 2361a1a7..e594de52 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go @@ -1,5 +1,11 @@ package oracleoval +type bucket struct { + platform string + vulnID string + pkgName string +} + type OracleOVAL struct { Title string Description string From 63e40552c42357144a324821c64a1d292dc65a03 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Thu, 9 Jun 2022 14:19:18 -0400 Subject: [PATCH 05/16] Fix ksplice handling ksplice1 and ksplice2 are not different flavors. ksplice2 is a second revision to the userspace ksplice support code. X.ksplice2 > X.ksplice1 --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 21 +++--- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 43 +++++++++++ .../oval/oracle/2021/ELSA-2021-9280.json | 74 +++++++++++++++++++ .../oval/oracle/2021/ELSA-2021-9344.json | 74 +++++++++++++++++++ pkg/vulnsrc/oracle-oval/types.go | 8 ++ 5 files changed, 210 insertions(+), 10 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9280.json create mode 100644 pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9344.json diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 7d316017..174e9dca 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go 
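Review bot: The new `bucket` type in types.go is undocumented, and its name is easy to confuse with a bolt bucket in a package whose `commit` works on `*bolt.Tx`. In `commit` it is only the composite map key under which advisories are merged before `PutAdvisoryDetail` is called. A comment on the type would make that explicit: `// bucket is the in-memory map key used while merging advisories: one record per platform, vulnerability ID and package name.` Renaming it to something like `advisoryKey` would remove the ambiguity altogether, but that is optional.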
@@ -236,10 +236,11 @@ func mergeVulnerabilityDetails(detail types.VulnerabilityDetail, oval OracleOVAL } func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisory { + affectedFlavor := GetPackageFlavor(pkg.Package.FixedVersion) + found := false for i, entry := range advisory.Entries { - entryFlavor := getFlavor(entry.FixedVersion) - affectedFlavor := getFlavor(pkg.Package.FixedVersion) + entryFlavor := GetPackageFlavor(entry.FixedVersion) if entryFlavor == affectedFlavor { found = true @@ -277,22 +278,22 @@ func referencesFromContains(source string, matches []string) bool { return false } -// Determine the "flavor" of the package: -// - "normal" -// - FIPS validated -// - ksplice userspace. there can be "ksplice1" and "ksplice2" -func getFlavor(version string) string { +// GetPackageFlavor Determine the package "flavor" based on its version string +// - normal +// - FIPS validated +// - ksplice userspace +func GetPackageFlavor(version string) PackageFlavor { version = strings.ToLower(version) if strings.HasSuffix(version, "_fips") { - return "fips" + return PackageFlavorFips } else { subs := strings.Split(version, ".") for _, s := range subs { if strings.HasPrefix(s, "ksplice") { - return s + return PackageFlavorKsplice } } - return "" + return PackageFlavorNormal } } diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 92161287..481585c1 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
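Review bot: The doc comment on the now-exported `GetPackageFlavor` does not read as a sentence starting with the function name, and the body keeps an `else` after `return PackageFlavorFips`. I would write the comment as `// GetPackageFlavor reports whether a version string denotes a normal, FIPS-validated or ksplice userspace build.` and drop the `else` so the ksplice loop and the final `return PackageFlavorNormal` sit at function level. `mergeEntries` uses the flavor to pick which entry a fixed version is merged into, so a misclassified version ends up in the wrong entry. Unless one already exists elsewhere in the series, a small table test over `_fips`, `.kspliceN.` and plain version strings would pin the classification.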
@@ -1286,6 +1286,49 @@ func TestVulnSrc_Update(t *testing.T) { }, }, }, + { + name: "multiple ksplice builds", + dir: filepath.Join("testdata", "ksplice"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 8"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"}, + Value: Advisory{ + Entries: []Entry{ + { + FixedVersion: "2:2.28-151.0.1.ksplice2.el8", + VendorIDs: []string{ + "ELSA-2021-9280", + "ELSA-2021-9344", + }, + }, + }, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2016-10228", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + References: []string{ + "https://linux.oracle.com/errata/ELSA-2021-9280.html", + "https://linux.oracle.com/cve/CVE-2016-10228.html", + "https://linux.oracle.com/errata/ELSA-2021-9344.html", + }, + Severity: types.SeverityHigh, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2016-10228"}, + Value: map[string]interface{}{}, + }, + }, + }, { name: "sad path (dir doesn't exist)", dir: filepath.Join("testdata", "badPath"), diff --git a/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9280.json b/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9280.json new file mode 100644 index 00000000..f97642b0 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9280.json 
@@ -0,0 +1,74 @@ +{ + "Title": "ELSA-2021-9280: glibc security update (IMPORTANT)", + "Description": "[2.28-151.0.1.el8_4]\n- merge RH patches for ol8-u4 release\nReview-exception: Patch merge\n- Provide glibc.pthread.mutex_spin_count tunable for pthread adaptive\n- spin mutex\nOrabug: 27982358.\nReviewed-by: Qing Zhao \u003cqing.zhao@oracle.com\u003e\n- add Ampere emag to tunable cpu list (Patrick McGehearty)\n- add optimized memset for emag\n- add an ASIMD variant of strlen for falkor\n- Orabug: 2700101.\n- Modify glibc-ora28849085.patch so it works with RHCK kernels.\n- Orabug: 28849085.\n- Make _IO_funlockfile match __funlockfile and _IO_flockfile match __flockfile\n- Both should test\n- if (stream-\u003e_flags \u0026 _IO_USER_LOCK) == 0)\n- _IO_lock_lock (*stream-\u003e_lock);\n- OraBug: 28481550.\nReviewed-by: Qing Zhao \u003cqing.zhao@oracle.com\u003e\n\n[2.28-153]\n- Support SEM_STAT_ANY via semctl. Return EINVAL for unknown commands to semctl,\n msgctl, and shmctl. (#1912670)\n\n[2.28-151]\n- CVE-2019-9169: Fix buffer overread in regexec.c (#1685400).\n\n[2.28-150]\n- Rebuild glibc to update security markup metadata (#1931305)\n\n[2.28-149]\n- Fix NSS files and compat service upgrade defect (#1927040).\n\n[2.28-148]\n- CVE-2021-3326: iconv assertion failure in ISO-2022-JP-3 decoding (#1924919)\n\n[2.28-147]\n- x86-64: Fix FMA4 math routine selection after bug 1817513 (#1918115)\n\n[2.28-146]\n- CVE-2019-25013:Fix buffer overrun in EUC-KR conversion module (#1912544)\n\n[2.28-145]\n- Update glibc-hwcaps fix from upstream (#1817513)\n\n[2.28-144]\n- Support running libc.so.6 as a main program in more cases (#1882466)\n\n[2.28-142]\n- Add glibc-hwcaps support (#1817513)\n- Implement DT_AUDIT support (#1871385)\n\n[2.28-141]\n- Update Intel CET support (#1855790)\n\n[2.28-140]\n- Fix calling lazily-bound SVE-using functions on AArch64 (#1893662)\n\n[2.28-139]\n- CVE-2016-10228, CVE-2020-27618: Fix infinite loops in iconv (#1704868,\n\n[2.28-138]\n- Avoid 
comments after %endif in the RPM spec file (#1894340)\n\n[2.28-137]\n- x86: Further memcpy optimizations for AMD Zen (#1880670)\n\n[2.28-136]\n- Allow __getauxval in testsuite check (#1856398)\n\n[2.28-135]\n- Use -moutline-atomics for aarch64 (#1856398)\n\n[2.28-134]\n- resolv: Handle DNS transaction ID collisions (#1868106)\n\n[2.28-133]\n- x86: Update auto-tuning of memcpy non-temporal threshold (#1880670)\n\n[2.28-132]\n- Fix fgetsgent_r data corruption bug (#1871397)\n\n[2.28-131]\n- Improve IBM zSeries (s390x) Performance (#1871395)\n\n[2.28-130]\n- Fix avx2 strncmp offset compare condition check (#1871394)\n- Add strncmp and strcmp testcases for page boundary\n\n[2.28-129]\n- Improve IBM POWER9 architecture performance (#1871387)\n\n[2.28-128]\n- Enable glibc for POWER10 (#1845098)", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-9280.html", + "ID": "ELSA-2021-9280" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2016-10228.html", + "ID": "CVE-2016-10228" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "glibc is earlier than 2:2.28-151.0.1.ksplice1.el8" + }, + { + "Comment": "glibc is signed with the Oracle Linux 8 key" + }, + { + "Comment": "glibc is ksplice-based" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2016-10228.html", + "ID": "CVE-2016-10228" + } + ] +} \ No newline at end of file 
diff --git a/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9344.json b/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9344.json new file mode 100644 index 00000000..0856b653 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/ksplice/vuln-list/oval/oracle/2021/ELSA-2021-9344.json @@ -0,0 +1,74 @@ +{ + "Title": "ELSA-2021-9344: glibc security update (IMPORTANT)", + "Description": "", + "Platform": [ + "Oracle Linux 8" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2021-9344.html", + "ID": "ELSA-2021-9344" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2016-10228.html", + "ID": "CVE-2016-10228" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "glibc is earlier than 2:2.28-151.0.1.ksplice2.el8" + }, + { + "Comment": "glibc is signed with the Oracle Linux 8 key" + }, + { + "Comment": "glibc is ksplice-based" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 8 is installed" + } + ] + }, + "Severity": "IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2016-10228.html", + "ID": "CVE-2016-10228" + } + ] +} \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index e594de52..70a4e8e4 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go 
@@ -57,3 +57,11 @@ type Entry struct { FixedVersion string `json:",omitempty"` VendorIDs []string `json:",omitempty"` } + +type PackageFlavor int + +const ( + PackageFlavorNormal PackageFlavor = iota + PackageFlavorFips + PackageFlavorKsplice +) From 3c13c83a030be9928b268f91dff7a8f30b977008 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Fri, 10 Jun 2022 07:32:08 -0400 Subject: [PATCH 06/16] Return advisory from loop rather than breaking --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 174e9dca..ecff16e4 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -238,12 +238,10 @@ func mergeVulnerabilityDetails(detail types.VulnerabilityDetail, oval OracleOVAL func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisory { affectedFlavor := GetPackageFlavor(pkg.Package.FixedVersion) - found := false for i, entry := range advisory.Entries { entryFlavor := GetPackageFlavor(entry.FixedVersion) if entryFlavor == affectedFlavor { - found = true // This fixed version is newer than the previously found fixed version if version.NewVersion(entry.FixedVersion).LessThan(version.NewVersion(pkg.Package.FixedVersion)) { advisory.Entries[i].FixedVersion = pkg.Package.FixedVersion @@ -254,17 +252,15 @@ func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisor advisory.Entries[i].VendorIDs = append(entry.VendorIDs, elsaID) } - break + return advisory } } - if !found { - entry := Entry{ - FixedVersion: pkg.Package.FixedVersion, - VendorIDs: []string{elsaID}, - } - advisory.Entries = append(advisory.Entries, entry) + entry := Entry{ + FixedVersion: pkg.Package.FixedVersion, + VendorIDs: []string{elsaID}, } + advisory.Entries = append(advisory.Entries, entry) return advisory } 
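Review bot: The exported type PackageFlavor and its three constants in the types.go hunk (`@@ -57,3 +57,11 @@`) are added without doc comments, and `PackageFlavorFips` spells the initialism in mixed case. Add `// PackageFlavor identifies the build variant of an Oracle Linux package, as derived from its version string.` above the type and a one-line comment per constant, and rename the second constant to `PackageFlavorFIPS` together with its use in GetPackageFlavor. Because PackageFlavorNormal is the iota zero value, an unset PackageFlavor reads as "normal"; the comment should say so, making it a documented choice rather than an accident.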
From c46983e242e7906f1733ef57f915b388ebf3f822 Mon Sep 17 00:00:00 2001 From: Ben Foster Date: Wed, 22 Jun 2022 10:38:38 -0400 Subject: [PATCH 07/16] Save normal version in FixedVersion for backwards compatibility --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 7 ++ pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 83 +++++++++++++++++++++ pkg/vulnsrc/oracle-oval/types.go | 2 + 3 files changed, 92 insertions(+) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index ecff16e4..72a579ea 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -238,6 +238,13 @@ func mergeVulnerabilityDetails(detail types.VulnerabilityDetail, oval OracleOVAL func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisory { affectedFlavor := GetPackageFlavor(pkg.Package.FixedVersion) + // Persist the normal flavor package version in FixedVersion for backwards compatibility. + // Eventually could be removed + if affectedFlavor == PackageFlavorNormal && + version.NewVersion(advisory.FixedVersion).LessThan(version.NewVersion(pkg.Package.FixedVersion)) { + advisory.FixedVersion = pkg.Package.FixedVersion + } + for i, entry := range advisory.Entries { entryFlavor := GetPackageFlavor(entry.FixedVersion) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 481585c1..24e68760 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -39,6 +39,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, Value: Advisory{ + FixedVersion: "30:9.3.3-8.el5", Entries: []Entry{ { FixedVersion: "30:9.3.3-8.el5", 
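Review bot: The backwards-compatibility block added to mergeEntries (`@@ -238,6 +238,13 @@`) only fills `advisory.FixedVersion` when the incoming package is PackageFlavorNormal, so an advisory whose entries are all FIPS or ksplice is stored with the legacy field empty. The "multiple ksplice builds" expectation for glibc added earlier on this page is such a record. How a consumer that still reads only the top-level field treats an empty fixed version is not visible here; confirm it, since it decides whether such a package is reported or silently passed over. Record the answer in the comment, e.g. `// FixedVersion carries the normal-flavor fix only; it stays empty when every advisory is FIPS or ksplice.`, and put the same caveat on the `FixedVersion` field added to Advisory in types.go (`@@ -50,6 +50,8 @@`). mergeEntries continues outside the hunk.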
@@ -50,6 +51,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, Value: Advisory{ + FixedVersion: "30:9.3.3-8.el5", Entries: []Entry{ { FixedVersion: "30:9.3.3-8.el5", @@ -61,6 +63,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, Value: Advisory{ + FixedVersion: "30:9.3.3-8.el5", Entries: []Entry{ { FixedVersion: "30:9.3.3-8.el5", @@ -72,6 +75,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, Value: Advisory{ + FixedVersion: "30:9.3.3-8.el5", Entries: []Entry{ { FixedVersion: "30:9.3.3-8.el5", @@ -134,6 +138,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -145,6 +150,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -157,6 +163,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -168,6 +175,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", 
@@ -180,6 +188,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -191,6 +200,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -203,6 +213,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -214,6 +225,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -226,6 +238,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -237,6 +250,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -249,6 +263,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", 
@@ -260,6 +275,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el6uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el6uek", @@ -272,6 +288,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -283,6 +300,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -295,6 +313,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -306,6 +325,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -318,6 +338,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -329,6 +350,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", 
@@ -341,6 +363,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -352,6 +375,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -364,6 +388,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -375,6 +400,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -387,6 +413,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -398,6 +425,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"}, Value: Advisory{ + FixedVersion: "4.1.12-124.24.3.el7uek", Entries: []Entry{ { FixedVersion: "4.1.12-124.24.3.el7uek", @@ -453,6 +481,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", 
@@ -468,6 +497,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -483,6 +513,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -499,6 +530,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -510,6 +542,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -521,6 +554,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -533,6 +567,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -548,6 +583,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -563,6 +599,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-c++"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", 
@@ -579,6 +616,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-dane"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -594,6 +632,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-dane"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -609,6 +648,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-dane"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -625,6 +665,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-devel"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -640,6 +681,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-devel"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -655,6 +697,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-devel"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -671,6 +714,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-utils"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -686,6 +730,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-utils"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", 
@@ -701,6 +746,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-utils"}, Value: Advisory{ + FixedVersion: "3.6.16-4.el8", Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", @@ -717,6 +763,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle-devel"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -728,6 +775,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle-devel"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -739,6 +787,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle-devel"}, Value: Advisory{ + FixedVersion: "3.4.1-7.el8", Entries: []Entry{ { FixedVersion: "3.4.1-7.el8", @@ -812,6 +861,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -823,6 +873,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -834,6 +885,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", 
@@ -846,6 +898,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -857,6 +910,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -868,6 +922,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", @@ -880,6 +935,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -891,6 +947,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -902,6 +959,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", @@ -914,6 +972,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", 
@@ -925,6 +984,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -936,6 +996,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", @@ -948,6 +1009,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -959,6 +1021,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -970,6 +1033,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", @@ -982,6 +1046,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-tools"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", @@ -993,6 +1058,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-tools"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el7uek", 
@@ -1004,6 +1070,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-tools"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el7uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el7uek", @@ -1016,6 +1083,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1027,6 +1095,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1038,6 +1107,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el8uek", @@ -1050,6 +1120,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1061,6 +1132,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1072,6 +1144,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el8uek", 
@@ -1084,6 +1157,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1095,6 +1169,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1106,6 +1181,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el8uek", @@ -1118,6 +1194,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1129,6 +1206,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1140,6 +1218,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-devel"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el8uek", @@ -1152,6 +1231,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", 
@@ -1163,6 +1243,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.203.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.203.5.el8uek", @@ -1174,6 +1255,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-doc"}, Value: Advisory{ + FixedVersion: "5.4.17-2102.202.5.el8uek", Entries: []Entry{ { FixedVersion: "5.4.17-2102.202.5.el8uek", @@ -1243,6 +1325,7 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, Value: Advisory{ + FixedVersion: "9.3.3-8.el5", Entries: []Entry{ { FixedVersion: "9.3.3-8.el5", diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index 70a4e8e4..4204fbf4 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go @@ -50,6 +50,8 @@ type AffectedPackage struct { type Advisory struct { Entries []Entry `json:",omitempty"` + // Backwards compatibility. Eventually could be removed + FixedVersion string `json:",omitempty"` } // Entry holds the unique advisory information per package flavor From 54b2c0b0fafdbe9e3a180402bac26a650375ac09 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 12:27:50 +0600 Subject: [PATCH 08/16] refactor: fix issues after rebase + use types.Advisories --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 356 ++++++++++++++----------- pkg/vulnsrc/oracle-oval/types.go | 35 +-- 2 files changed, 210 insertions(+), 181 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index d65beca7..4d3f9dd8 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go 
@@ -6,17 +6,19 @@ import ( "io" "log" "path/filepath" + "slices" "strings" + version "github.com/knqyf263/go-rpm-version" + "github.com/samber/lo" bolt "go.etcd.io/bbolt" + "golang.org/x/exp/maps" + "golang.org/x/xerrors" "github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/utils" - ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" - version "github.com/knqyf263/go-rpm-version" - "golang.org/x/xerrors" ) var ( 
@@ -32,23 +34,53 @@ var ( } ) +type PutInput struct { + VulnID string // CVE-ID or ELSA-ID + Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description + Advisories map[Package]types.Advisories // pkg => advisories + OVALs []OracleOVAL // for extensibility, not used in trivy-db +} + +type DB interface { + db.Operation + Put(*bolt.Tx, PutInput) error + Get(release, pkgName string) ([]types.Advisory, error) +} + type VulnSrc struct { - dbc db.Operation + DB // Those who want to customize Trivy DB can override put/get methods. +} + +type Oracle struct { + db.Operation } -func NewVulnSrc() VulnSrc { - return VulnSrc{ - dbc: db.Config{}, +func NewVulnSrc() *VulnSrc { + return &VulnSrc{ + DB: &Oracle{Operation: db.Config{}}, } } -func (vs VulnSrc) Name() types.SourceID { +func (vs *VulnSrc) Name() types.SourceID { return source.ID } -func (vs VulnSrc) Update(dir string) error { +func (vs *VulnSrc) Update(dir string) error { rootDir := filepath.Join(dir, "vuln-list", oracleDir) + ovals, err := vs.parse(rootDir) + if err != nil { + return err + } + if err = vs.put(ovals); err != nil { + return xerrors.Errorf("error in Oracle Linux OVAL save: %w", err) + } + + return nil +} +// Parse parses all the advisories from Alma Linux. +// It is exported for those who want to customize trivy-db. +func (vs *VulnSrc) parse(rootDir string) ([]OracleOVAL, error) { var ovals []OracleOVAL err := utils.FileWalk(rootDir, func(r io.Reader, path string) error { var oval OracleOVAL 
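Review bot: The comment added above `parse` does not describe the function it sits on: it says `Parse`, calls the method exported, and names Alma Linux, while the method is the unexported `parse` and walks the Oracle Linux directory passed in as `rootDir`. I would write `// parse walks rootDir and returns every Oracle Linux OVAL definition found there.` and drop the sentence about customization unless the method is meant to be renamed `Parse`. The new exported names in this hunk (`PutInput`, `DB`, `Oracle`, `NewVulnSrc`) have no doc comments; since the embedded `DB` is presented as the override point, a comment on `DB` stating what `Put` and `Get` are expected to do would help implementers. The body of `parse` continues outside the hunk.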
@@ -59,20 +91,16 @@ func (vs VulnSrc) Update(dir string) error { return nil }) if err != nil { - return xerrors.Errorf("error in Oracle Linux OVAL walk: %w", err) - } - - if err = vs.save(ovals); err != nil { - return xerrors.Errorf("error in Oracle Linux OVAL save: %w", err) + return nil, xerrors.Errorf("error in Oracle Linux OVAL walk: %w", err) } - return nil + return ovals, nil } -func (vs VulnSrc) save(ovals []OracleOVAL) error { +func (vs *VulnSrc) put(ovals []OracleOVAL) error { log.Println("Saving Oracle Linux OVAL") - err := vs.dbc.BatchUpdate(func(tx *bolt.Tx) error { + err := vs.BatchUpdate(func(tx *bolt.Tx) error { return vs.commit(tx, ovals) }) if err != nil { 
@@ -83,113 +111,198 @@ func (vs VulnSrc) save(ovals []OracleOVAL) error { } -func (vs VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { - advisories := map[bucket]Advisory{} - vulnerabilityDetails := map[string]types.VulnerabilityDetail{} - +func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { + // CVE -> PutInput + putInputs := make(map[string]PutInput) for _, oval := range ovals { elsaID := strings.Split(oval.Title, ":")[0] var vulnIDs []string for _, cve := range oval.Cves { vulnIDs = append(vulnIDs, cve.ID) - - vulnerabilityDetails[cve.ID] = mergeVulnerabilityDetails(vulnerabilityDetails[cve.ID], oval, []string{elsaID, cve.ID}) } if len(vulnIDs) == 0 { vulnIDs = append(vulnIDs, elsaID) - - vulnerabilityDetails[elsaID] = mergeVulnerabilityDetails(vulnerabilityDetails[elsaID], oval, []string{elsaID}) } - affectedPkgs := walkOracle(oval.Criteria, "", []AffectedPackage{}) + advisories := map[Package]types.Advisories{} + affectedPkgs := walkOracle(oval.Criteria, "", "", []AffectedPackage{}) for _, affectedPkg := range affectedPkgs { if affectedPkg.Package.Name == "" { continue } - platformName := fmt.Sprintf(platformFormat, affectedPkg.OSVer) - if !ustrings.InSlice(platformName, targetPlatforms) { + platformName := affectedPkg.Package.PlatformName() + if !slices.Contains(targetPlatforms, platformName) { continue } - if err := vs.dbc.PutDataSource(tx, platformName, source); err != nil { + if err := vs.PutDataSource(tx, platformName, source); err != nil { return xerrors.Errorf("failed to put data source: %w", err) } - for _, vulnID := range vulnIDs { - bkt := bucket{ - platform: platformName, - vulnID: vulnID, - pkgName: affectedPkg.Package.Name, - } - advisories[bkt] = mergeEntries(advisories[bkt], affectedPkg, elsaID) + advs := types.Advisories{ + Entries: []types.Advisory{ + { + FixedVersion: affectedPkg.FixedVersion, + }, + }, + } + if savedAdvs, ok := advisories[affectedPkg.Package]; ok { + advs.Entries = append(advs.Entries, 
savedAdvs.Entries...) } + advisories[affectedPkg.Package] = advs + } - } - // Now that we've processed all the reports, we can save the vulnerability and advisory information - for vulnID, details := range vulnerabilityDetails { - if err := vs.dbc.PutVulnerabilityID(tx, vulnID); err != nil { - return xerrors.Errorf("failed to save the vulnerability ID: %w", err) + var references []string + for _, ref := range oval.References { + references = append(references, ref.URI) } - if err := vs.dbc.PutVulnerabilityDetail(tx, vulnID, source.ID, details); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) + for _, vulnID := range vulnIDs { + vuln := types.VulnerabilityDetail{ + Description: oval.Description, + References: referencesFromContains(references, []string{elsaID, vulnID}), + Title: oval.Title, + Severity: severityFromThreat(oval.Severity), + } + + input := PutInput{ + VulnID: vulnID, + Vuln: vuln, + Advisories: maps.Clone(advisories), + OVALs: []OracleOVAL{oval}, + } + + if savedInput, ok := putInputs[input.VulnID]; ok { + input.OVALs = append(input.OVALs, savedInput.OVALs...) + + for inputPkg, inputAdvs := range input.Advisories { + if savedPkgAdvs, pkgFound := savedInput.Advisories[inputPkg]; pkgFound { + inputAdvs.Entries = append(savedPkgAdvs.Entries, inputAdvs.Entries...) 
+ } + savedInput.Advisories[inputPkg] = inputAdvs + } + input.Advisories = savedInput.Advisories + } + putInputs[input.VulnID] = input } } - for bkt, advisory := range advisories { - if err := vs.dbc.PutAdvisoryDetail(tx, bkt.vulnID, bkt.pkgName, []string{bkt.platform}, advisory); err != nil { - return xerrors.Errorf("failed to save Oracle Linux OVAL: %w", err) + for _, input := range putInputs { + for pkg, advs := range input.Advisories { + input.Advisories[pkg] = resolveAdvisoriesEntries(advs) + } + + err := vs.Put(tx, input) + if err != nil { + return xerrors.Errorf("db put error: %w", err) } } return nil } -func (vs VulnSrc) Get(release string, pkgName string) ([]types.Advisory, error) { - bucket := fmt.Sprintf(platformFormat, release) - rawAdvisories, err := vs.dbc.ForEachAdvisory([]string{bucket}, pkgName) - if err != nil { - return nil, xerrors.Errorf("unable to iterate advisories: %w", err) +// resolveAdvisoriesEntries removes entries with the same fixedVersion. +// Additionally, it only selects the latest fixedVersion for each flavor. +func resolveAdvisoriesEntries(advisories types.Advisories) types.Advisories { + fixedVersions := lo.Map(advisories.Entries, func(entry types.Advisory, _ int) string { + return entry.FixedVersion + }) + fixedVer, resolvedVers := resolveVersions(fixedVersions) + entries := lo.Map(resolvedVers, func(ver string, _ int) types.Advisory { + return types.Advisory{ + FixedVersion: ver, + } + }) + return types.Advisories{ + FixedVersion: fixedVer, + Entries: entries, } +} - var advisories []types.Advisory - for vulnID, v := range rawAdvisories { - if len(v.Content) == 0 { - continue +// resolveVersions removes duplicates and returns normal flavor + only one version for each flavor. 
+func resolveVersions(vers []string) (string, []string) { + vers = lo.Uniq(vers) + + fixedVers := make(map[PkgFlavor]string) + for _, ver := range vers { + flavor := PackageFlavor(ver) + if savedVer, ok := fixedVers[flavor]; ok { + v := version.NewVersion(ver) + sv := version.NewVersion(savedVer) + if v.LessThan(sv) { + ver = savedVer + } } + fixedVers[flavor] = ver + } - var adv Advisory - if err = json.Unmarshal(v.Content, &adv); err != nil { - return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err) - } + versions := lo.Values(fixedVers) + slices.Sort(versions) - for _, entry := range adv.Entries { - advisory := types.Advisory{ - FixedVersion: entry.FixedVersion, - VulnerabilityID: vulnID, - VendorIDs: entry.VendorIDs, - } + fixedVersion := fixedVers[NormalPackageFlavor] - if v.Source != (types.DataSource{}) { - advisory.DataSource = &types.DataSource{ - ID: v.Source.ID, - Name: v.Source.Name, - URL: v.Source.URL, - } - } + return fixedVersion, versions +} + +type PkgFlavor string - advisories = append(advisories, advisory) +const ( + NormalPackageFlavor PkgFlavor = "normal" + FipsPackageFlavor PkgFlavor = "fips" + KsplicePackageFlavor PkgFlavor = "ksplice" +) + +// PackageFlavor determinants the package "flavor" based on its version string +// - normal +// - FIPS validated +// - ksplice userspace +func PackageFlavor(version string) PkgFlavor { + version = strings.ToLower(version) + if strings.HasSuffix(version, "_fips") { + return FipsPackageFlavor + } + + subs := strings.Split(version, ".") + for _, s := range subs { + if strings.HasPrefix(s, "ksplice") { + return KsplicePackageFlavor } + } + return NormalPackageFlavor +} + +func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error { + if err := o.PutVulnerabilityDetail(tx, input.VulnID, source.ID, input.Vuln); err != nil { + return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) + } + // for optimization + if err := o.PutVulnerabilityID(tx, input.VulnID); err != nil { + 
return xerrors.Errorf("failed to save %s: %w", input.VulnID, err) } + for pkg, advisory := range input.Advisories { + platformName := pkg.PlatformName() + if err := o.PutAdvisoryDetail(tx, input.VulnID, pkg.Name, []string{platformName}, advisory); err != nil { + return xerrors.Errorf("failed to save Oracle Linux advisory: %w", err) + } + } + return nil +} + +func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) { + bucket := fmt.Sprintf(platformFormat, release) + advisories, err := o.GetAdvisories(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("failed to get Oracle Linux advisories: %w", err) + } return advisories, nil } -func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPackage { +func walkOracle(cri Criteria, osVer, arch string, pkgs []AffectedPackage) []AffectedPackage { for _, c := range cri.Criterions { if strings.HasPrefix(c.Comment, "Oracle Linux ") && strings.HasSuffix(c.Comment, " is installed") { 
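Review bot: When a CVE appears in more than one ELSA, the merge branch under `if savedInput, ok := putInputs[input.VulnID]; ok` carries over `OVALs` and `Advisories` but not `Vuln`, so the stored title, description, references and severity come from whichever ELSA is processed last (the walk order is not visible here). The removed `mergeVulnerabilityDetails` kept the highest severity and accumulated references across ELSAs, so with this change a later advisory rated lower can reduce the severity recorded for the CVE. I would restore that inside the merge branch, e.g. `if savedInput.Vuln.Severity > input.Vuln.Severity { input.Vuln.Severity = savedInput.Vuln.Severity }`, and merge `References` the same way. Separately, `append(savedPkgAdvs.Entries, inputAdvs.Entries...)` can write into a backing array shared with other CVEs of the same ELSA, because `maps.Clone` copies the map shallowly; `append(slices.Clone(savedPkgAdvs.Entries), inputAdvs.Entries...)` avoids that.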
@@ -201,103 +314,34 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa } pkgs = append(pkgs, AffectedPackage{ - OSVer: osVer, Package: Package{ - Name: ss[0], - FixedVersion: version.NewVersion(ss[1]).String(), + Name: ss[0], + OSVer: osVer, }, + FixedVersion: version.NewVersion(ss[1]).String(), }) } for _, c := range cri.Criterias { - pkgs = walkOracle(c, osVer, pkgs) + pkgs = walkOracle(c, osVer, arch, pkgs) } return pkgs } -func mergeVulnerabilityDetails(detail types.VulnerabilityDetail, oval OracleOVAL, vulnIDs []string) types.VulnerabilityDetail { - // Collect vulnerability details - references and severity - // A CVE can be present in multiple ELSAs. Collect all the applicable references as we process them, later when done we'll insert - // the references. - convertedSeverity := severityFromThreat(oval.Severity) - - // If multiple ELSAs for the same CVE have differing severities, use the highest one - if convertedSeverity > detail.Severity { - detail.Severity = convertedSeverity - } - - for _, ref := range oval.References { - if referencesFromContains(ref.URI, vulnIDs) && !ustrings.InSlice(ref.URI, detail.References) { - detail.References = append(detail.References, ref.URI) - } - } - - return detail -} - -func mergeEntries(advisory Advisory, pkg AffectedPackage, elsaID string) Advisory { - affectedFlavor := GetPackageFlavor(pkg.Package.FixedVersion) - - // Persist the normal flavor package version in FixedVersion for backwards compatibility. 
- // Eventually could be removed - if affectedFlavor == PackageFlavorNormal && - version.NewVersion(advisory.FixedVersion).LessThan(version.NewVersion(pkg.Package.FixedVersion)) { - advisory.FixedVersion = pkg.Package.FixedVersion - } - - for i, entry := range advisory.Entries { - entryFlavor := GetPackageFlavor(entry.FixedVersion) - - if entryFlavor == affectedFlavor { - // This fixed version is newer than the previously found fixed version - if version.NewVersion(entry.FixedVersion).LessThan(version.NewVersion(pkg.Package.FixedVersion)) { - advisory.Entries[i].FixedVersion = pkg.Package.FixedVersion +func referencesFromContains(sources []string, matches []string) []string { + var references []string + for _, s := range sources { + for _, m := range matches { + if strings.Contains(s, m) { + references = append(references, s) } - - // Add the ELSA ID to the vendor ID list - if !ustrings.InSlice(elsaID, entry.VendorIDs) { - advisory.Entries[i].VendorIDs = append(entry.VendorIDs, elsaID) - } - - return advisory } } - entry := Entry{ - FixedVersion: pkg.Package.FixedVersion, - VendorIDs: []string{elsaID}, - } - advisory.Entries = append(advisory.Entries, entry) - - return advisory -} + references = lo.Uniq(references) + slices.Sort(references) -func referencesFromContains(source string, matches []string) bool { - for _, m := range matches { - if strings.Contains(source, m) { - return true - } - } - return false -} - -// GetPackageFlavor Determine the package "flavor" based on its version string -// - normal -// - FIPS validated -// - ksplice userspace -func GetPackageFlavor(version string) PackageFlavor { - version = strings.ToLower(version) - if strings.HasSuffix(version, "_fips") { - return PackageFlavorFips - } else { - subs := strings.Split(version, ".") - for _, s := range subs { - if strings.HasPrefix(s, "ksplice") { - return PackageFlavorKsplice - } - } - return PackageFlavorNormal - } + return references } func severityFromThreat(sev string) types.Severity { 
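Review bot: `referencesFromContains` attributes a URL to an ID with `strings.Contains(s, m)`, and CVE sequence numbers vary in length, so an ID such as `CVE-2018-1094` also matches a URL written for a longer ID with the same prefix (constructed example: `CVE-2018-10940`). If one ELSA lists two such CVEs, which this page does not show, the shorter ID would be stored with the other CVE's reference. I would match on an ID boundary instead, as in the helper below, and `break` after the first match so that `lo.Uniq` only has to handle duplicate source URLs. `walkOracle` starts outside this hunk.

```go
// containsID reports whether s contains id not directly followed by a digit.
func containsID(s, id string) bool {
	rest := s
	for {
		_, after, found := strings.Cut(rest, id)
		if !found {
			return false
		}
		if after == "" || after[0] < '0' || after[0] > '9' {
			return true
		}
		rest = after
	}
}

// … unchanged: referencesFromContains signature and outer loop over sources …
		for _, m := range matches {
			if containsID(s, m) {
				references = append(references, s)
				break
			}
		}
// … unchanged: lo.Uniq, slices.Sort, return …
```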
diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index 4204fbf4..5e3fb1b8 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go @@ -1,10 +1,6 @@ package oracleoval -type bucket struct { - platform string - vulnID string - pkgName string -} +import "fmt" type OracleOVAL struct { Title string @@ -14,6 +10,7 @@ type OracleOVAL struct { Criteria Criteria Severity string Cves []Cve + IssuedDate Date `json:"issued,omitempty"` } type Reference struct { @@ -39,31 +36,19 @@ type Criterion struct { } type Package struct { - Name string - FixedVersion string + Name string + OSVer string } type AffectedPackage struct { - Package Package - OSVer string + Package Package + FixedVersion string } -type Advisory struct { - Entries []Entry `json:",omitempty"` - // Backwards compatibility. Eventually could be removed - FixedVersion string `json:",omitempty"` +type Date struct { + Date string `json:"date"` } -// Entry holds the unique advisory information per package flavor -type Entry struct { - FixedVersion string `json:",omitempty"` - VendorIDs []string `json:",omitempty"` +func (p *Package) PlatformName() string { + return fmt.Sprintf(platformFormat, p.OSVer) } - -type PackageFlavor int - -const ( - PackageFlavorNormal PackageFlavor = iota - PackageFlavorFips - PackageFlavorKsplice -) From 377b227082b93469e4b2aed140e0b159f66f7e99 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 12:27:57 +0600 Subject: [PATCH 09/16] test: fix tests --- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 1201 ++--------------- .../oval/oracle/2021/ELSA-2021-9362.json | 2 +- 2 files changed, 108 insertions(+), 1095 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 24e68760..7d935c29 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
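Review bot: In types.go, `PlatformName` is declared on `*Package`, but `Package` is otherwise handled as a small value: it is the key type of `map[Package]types.Advisories` and the method only reads `p.OSVer`. A value receiver, `func (p Package) PlatformName() string`, fits that use and also allows the call on non-addressable values. In the same file, `omitempty` on `IssuedDate Date` has no effect with encoding/json because the field is a struct value; either drop the option or make the field `*Date`.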
@@ -5,11 +5,10 @@ import ( "path/filepath" "testing" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" - "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" - "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/utils" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" ) func TestMain(m *testing.M) { @@ -38,48 +37,44 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "30:9.3.3-8.el5", - VendorIDs: []string{"ELSA-2007-0057"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "30:9.3.3-8.el5", - VendorIDs: []string{"ELSA-2007-0057"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "30:9.3.3-8.el5", - VendorIDs: []string{"ELSA-2007-0057"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "30:9.3.3-8.el5", - VendorIDs: []string{"ELSA-2007-0057"}, }, }, }, 
@@ -87,9 +82,11 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-2007-0493", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", + Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ - "http://linux.oracle.com/errata/ELSA-2007-0057.html", "http://linux.oracle.com/cve/CVE-2007-0493.html", + "http://linux.oracle.com/errata/ELSA-2007-0057.html", }, Severity: types.SeverityMedium, }, @@ -97,9 +94,11 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-2007-0494", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", + Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ - "http://linux.oracle.com/errata/ELSA-2007-0057.html", "http://linux.oracle.com/cve/CVE-2007-0494.html", + "http://linux.oracle.com/errata/ELSA-2007-0057.html", }, Severity: types.SeverityMedium, }, 
@@ -134,313 +133,102 @@ func TestVulnSrc_Update(t *testing.T) { URL: "https://linux.oracle.com/security/oval/", }, }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: 
[]Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, - { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el6uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: 
[]string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ - { - FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, - { Key: 
[]string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-doc"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, - { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "4.1.12-124.24.3.el7uek", - VendorIDs: []string{"ELSA-2019-4510"}, }, }, }, }, - { Key: []string{"vulnerability-detail", "CVE-2018-1094", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2019-4510: Unbreakable Enterprise kernel security update (IMPORTANT)", + Description: "[4.1.12-124.24.3]\n- ext4: update i_disksize when new eof exceeds it (Shan Hai) [Orabug: 28940828] \n- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 28940828] \n- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28940828] \n- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (Hui Peng) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Replace probing flag with active refcount (Takashi Iwai) [Orabug: 
29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Avoid nested autoresume calls (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: update inline int ext4_has_metadata_csum(struct super_block *sb) (John Donnelly) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: always initialize the crc32c checksum driver (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094} {CVE-2018-1094}\n- Revert 'bnxt_en: Reduce default rings on multi-port cards.' (Brian Maly) [Orabug: 28687746] \n- mlx4_core: Disable P_Key Violation Traps (Hakon Bugge) [Orabug: 27693633] \n- rds: RDS connection does not reconnect after CQ access violation error (Venkat Venkatsubra) [Orabug: 28733324]\n\n[4.1.12-124.24.2]\n- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 28069548] \n- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded (Mihai Carabas) [Orabug: 28069548] \n- KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548] \n- KVM: x86: pass host_initiated to functions that read MSRs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug: 28069548] \n- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (Radim Krcmar) [Orabug: 28069548] \n- ocfs2: dont clear bh uptodate for block read (Junxiao Bi) [Orabug: 28762940] \n- ocfs2: clear journal dirty flag after shutdown journal (Junxiao Bi) [Orabug: 28924775] \n- ocfs2: fix panic due to unrecovered local alloc (Junxiao Bi) [Orabug: 28924775] \n- net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 28947481] \n- x86/speculation: Always disable IBRS in disable_ibrs_and_friends() (Alejandro Jimenez) [Orabug: 29139710]", References: []string{ - 
"https://linux.oracle.com/errata/ELSA-2019-4510.html", "https://linux.oracle.com/cve/CVE-2018-1094.html", + "https://linux.oracle.com/errata/ELSA-2019-4510.html", }, Severity: types.SeverityHigh, }, 
@@ -448,9 +236,11 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-2018-19824", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2019-4510: Unbreakable Enterprise kernel security update (IMPORTANT)", + Description: "[4.1.12-124.24.3]\n- ext4: update i_disksize when new eof exceeds it (Shan Hai) [Orabug: 28940828] \n- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 28940828] \n- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28940828] \n- ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c (Hui Peng) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Replace probing flag with active refcount (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ALSA: usb-audio: Avoid nested autoresume calls (Takashi Iwai) [Orabug: 29042981] {CVE-2018-19824}\n- ext4: validate that metadata blocks do not overlap superblock (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: update inline int ext4_has_metadata_csum(struct super_block *sb) (John Donnelly) [Orabug: 29114440] {CVE-2018-1094}\n- ext4: always initialize the crc32c checksum driver (Theodore Ts'o) [Orabug: 29114440] {CVE-2018-1094} {CVE-2018-1094}\n- Revert 'bnxt_en: Reduce default rings on multi-port cards.' 
(Brian Maly) [Orabug: 28687746] \n- mlx4_core: Disable P_Key Violation Traps (Hakon Bugge) [Orabug: 27693633] \n- rds: RDS connection does not reconnect after CQ access violation error (Venkat Venkatsubra) [Orabug: 28733324]\n\n[4.1.12-124.24.2]\n- KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 28069548] \n- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL - reloaded (Mihai Carabas) [Orabug: 28069548] \n- KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548] \n- KVM: x86: pass host_initiated to functions that read MSRs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini) [Orabug: 28069548] \n- KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini) [Orabug: 28069548] \n- KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug: 28069548] \n- KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC (Radim Krcmar) [Orabug: 28069548] \n- ocfs2: dont clear bh uptodate for block read (Junxiao Bi) [Orabug: 28762940] \n- ocfs2: clear journal dirty flag after shutdown journal (Junxiao Bi) [Orabug: 28924775] \n- ocfs2: fix panic due to unrecovered local alloc (Junxiao Bi) [Orabug: 28924775] \n- net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 28947481] \n- x86/speculation: Always disable IBRS in disable_ibrs_and_friends() (Alejandro Jimenez) [Orabug: 29139710]", References: []string{ - "https://linux.oracle.com/errata/ELSA-2019-4510.html", "https://linux.oracle.com/cve/CVE-2018-19824.html", + "https://linux.oracle.com/errata/ELSA-2019-4510.html", }, Severity: types.SeverityHigh, }, 
@@ -480,375 +270,104 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, + Entries: []types.Advisory{ { FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ { FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, }, }, }, }, - { Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, }, }, }, }, { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle"}, - Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ - { - FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, + Key: []string{"vulnerability-detail", "CVE-2021-20232", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2022-9221: gnutls security update (MODERATE)", + Description: "[3.6.16-4.0.1_fips]\n- Allow RSA keygen with modulus sizes bigger than 3072 bits and validate the seed length\n as defined in FIPS 186-4 section 
B.3.2 [Orabug: 33200526]\n- Allow bigger known RSA modulus sizes when calling\n rsa_generate_fips186_4_keypair directly [Orabug: 33200526]\n- Change Epoch from 1 to 10\n\n[3.6.16-4]\n- p11tool: Document ID reuse behavior when importing certs (#1776250)\n\n[3.6.16-3]\n- Treat SHA-1 signed CA in the trusted set differently (#1965445)\n\n[3.6.16-2]\n- Filter certificate_types in TLS 1.2 CR based on signature algorithms (#1942216)\n\n[3.6.16-1]\n- Update to upstream 3.6.16 release (#1956783)\n- Fix potential use-after-free in key_share handling (#1927597)\n- Fix potential use-after-free in pre_shared_key handling (#1927593)\n- Stop gnutls-serv relying on AI_ADDRCONFIG to decide listening address (#1908334)\n- Fix cert expiration issue in tests (#1908110)\n\n[3.6.14-10]\n- Port fixes for potential miscalculation in ecdsa_verify (#1942931)\n\n[3.6.14-9]\n- Revert the previous change", + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-20232.html", + "https://linux.oracle.com/errata/ELSA-2022-9221.html", }, + Severity: types.SeverityMedium, }, }, { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle"}, - Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ - { - FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - }, + Key: []string{"vulnerability-id", "CVE-2021-20232"}, + Value: map[string]interface{}{}, + }, + }, + }, + { + name: "happy path multiple ELSAs", + dir: filepath.Join("testdata", "multi-elsas"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 8"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", }, }, { - Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-c++"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, + 
Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek"}, + Value: types.Advisories{ + FixedVersion: "5.4.17-2102.203.5.el7uek", + Entries: []types.Advisory{ { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, + FixedVersion: "5.4.17-2102.203.5.el7uek", }, }, }, }, { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-c++"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, + Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek"}, + Value: types.Advisories{ + FixedVersion: "5.4.17-2102.203.5.el8uek", + Entries: []types.Advisory{ { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, + FixedVersion: "5.4.17-2102.203.5.el8uek", }, }, }, }, { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-c++"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, + Key: []string{"vulnerability-detail", "CVE-2021-23133", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2021-9362: Unbreakable Enterprise kernel security update (IMPORTANT)", + Description: "[5.4.17-2102.203.5]\n- rds/ib: move rds_ib_clear_irq_miss() to .h ...", + References: []string{ + "https://linux.oracle.com/cve/CVE-2021-23133.html", + "https://linux.oracle.com/errata/ELSA-2021-9362.html", }, + Severity: types.SeverityHigh, }, }, - { - Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-dane"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: 
[]string{"ELSA-2022-9221"}, - }, - }, - }, + Key: []string{"vulnerability-id", "CVE-2021-23133"}, + Value: map[string]interface{}{}, }, - { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-dane"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-dane"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-devel"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-devel"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-devel"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "gnutls-utils"}, - 
Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "gnutls-utils"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "gnutls-utils"}, - Value: Advisory{ - FixedVersion: "3.6.16-4.el8", - Entries: []Entry{ - { - FixedVersion: "3.6.16-4.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - { - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - VendorIDs: []string{"ELSA-2022-9221"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-20232", "Oracle Linux 8", "nettle-devel"}, - Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ - { - FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-3580", "Oracle Linux 8", "nettle-devel"}, - Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ - { - FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-20231", "Oracle Linux 8", "nettle-devel"}, - Value: Advisory{ - FixedVersion: "3.4.1-7.el8", - Entries: []Entry{ - { - FixedVersion: "3.4.1-7.el8", - VendorIDs: []string{"ELSA-2021-4451"}, - }, - }, - }, - }, - - { - Key: []string{"vulnerability-detail", "CVE-2021-20232", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-4451.html", - "https://linux.oracle.com/cve/CVE-2021-20232.html", - 
"https://linux.oracle.com/errata/ELSA-2022-9221.html", - }, - Severity: types.SeverityMedium, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2021-3580", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-4451.html", - "https://linux.oracle.com/cve/CVE-2021-3580.html", - "https://linux.oracle.com/errata/ELSA-2022-9221.html", - }, - Severity: types.SeverityMedium, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2021-20231", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-4451.html", - "https://linux.oracle.com/cve/CVE-2021-20231.html", - "https://linux.oracle.com/errata/ELSA-2022-9221.html", - }, - Severity: types.SeverityMedium, - }, - }, - - { - Key: []string{"vulnerability-id", "CVE-2021-20232"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2021-3580"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2021-20231"}, - Value: map[string]interface{}{}, - }, - }, - }, - { - name: "happy path multiple ELSAs", - dir: filepath.Join("testdata", "multi-elsas"), - wantValues: []vulnsrctest.WantValues{ + }, + }, + { + name: "multiple ksplice builds", + dir: filepath.Join("testdata", "ksplice"), + wantValues: []vulnsrctest.WantValues{ { Key: []string{"data-source", "Oracle Linux 8"}, Value: types.DataSource{ 
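Review bot: The new `vulnerability-detail` expectation for `CVE-2021-20232` keeps only `ELSA-2022-9221` in `Title` and `References`, while the `gnutls` advisory above it still lists `3.6.16-4.el8`, which the removed lines attributed to `ELSA-2021-4451`; with `VendorIDs` gone, nothing in the test ties a fixed version to the advisory that shipped it. It looks as if the detail record is now whichever ELSA is written last, which would make the assertion depend on the order the fixture files are walked; this is inferred from the expected values, so please confirm it and say so in a comment such as `// detail comes from the last ELSA written for this CVE (here ELSA-2022-9221)`. The `multi-elsas` case in this hunk and the `ksplice` case in `@@ -857,455 +376,29 @@` show the same pattern, with `ELSA-2021-9306` and `ELSA-2021-9280` no longer referenced. The rewritten cases also stop asserting `CVE-2021-3580`, `CVE-2021-20231`, `CVE-2021-33034` and `CVE-2020-36310`; keeping one `CVE-2020-36310` `kernel-uek` entry with `FixedVersion: "5.4.17-2102.202.5.el7uek"` would preserve coverage of a CVE fixed only by the earlier advisory, so a silently dropped fix version would still fail the test. The `multi-flavors` case of `TestVulnSrc_Get` is removed in `@@ -1471,45 +523,6 @@` with no replacement in the visible hunks, which leaves reading back several fixed versions per CVE untested as far as this page shows.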
@@ -857,455 +376,29 @@ func TestVulnSrc_Update(t *testing.T) { URL: "https://linux.oracle.com/security/oval/", }, }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-debug-devel"}, - Value: Advisory{ - 
FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: 
[]string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 7", "kernel-uek-tools"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 7", "kernel-uek-tools"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el7uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 7", "kernel-uek-tools"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el7uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el7uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: 
[]string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-debug-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el8uek", - Entries: 
[]Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-devel"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.202.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306"}, - }, - }, - }, - }, - - { - Key: []string{"advisory-detail", "CVE-2021-23133", "Oracle Linux 8", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306", "ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-33034", "Oracle Linux 8", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.203.5.el8uek", - Entries: []Entry{ - { - FixedVersion: "5.4.17-2102.203.5.el8uek", - VendorIDs: []string{"ELSA-2021-9362"}, - }, - }, - }, - }, - { - Key: []string{"advisory-detail", "CVE-2020-36310", "Oracle Linux 8", "kernel-uek-doc"}, - Value: Advisory{ - FixedVersion: "5.4.17-2102.202.5.el8uek", - Entries: []Entry{ + Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"}, + Value: types.Advisories{ + Entries: []types.Advisory{ { - FixedVersion: "5.4.17-2102.202.5.el8uek", - VendorIDs: []string{"ELSA-2021-9306"}, + 
FixedVersion: "2:2.28-151.0.1.ksplice2.el8", }, }, }, }, - - { - Key: []string{"vulnerability-detail", "CVE-2021-33034", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-9362.html", - "https://linux.oracle.com/cve/CVE-2021-33034.html", - }, - Severity: types.SeverityHigh, - }, - }, { - Key: []string{"vulnerability-detail", "CVE-2020-36310", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-9306.html", - "https://linux.oracle.com/cve/CVE-2020-36310.html", - }, - Severity: types.SeverityHigh, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2021-23133", "oracle-oval"}, + Key: []string{"vulnerability-detail", "CVE-2016-10228", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2021-9344: glibc security update (IMPORTANT)", References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-9306.html", - "https://linux.oracle.com/cve/CVE-2021-23133.html", - "https://linux.oracle.com/errata/ELSA-2021-9362.html", + "https://linux.oracle.com/cve/CVE-2016-10228.html", + "https://linux.oracle.com/errata/ELSA-2021-9344.html", }, Severity: types.SeverityHigh, }, }, { - Key: []string{"vulnerability-id", "CVE-2021-23133"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2021-33034"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2020-36310"}, + Key: []string{"vulnerability-id", "CVE-2016-10228"}, Value: map[string]interface{}{}, }, }, @@ -1324,12 +417,11 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, - Value: Advisory{ + Value: types.Advisories{ FixedVersion: "9.3.3-8.el5", - Entries: []Entry{ + Entries: []types.Advisory{ { FixedVersion: "9.3.3-8.el5", - VendorIDs: []string{"ELSA-2007-0057"}, }, }, }, 
@@ -1337,6 +429,8 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "ELSA-2007-0057", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", + Description: "[0:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", References: []string{ "http://linux.oracle.com/errata/ELSA-2007-0057.html", }, @@ -1356,9 +450,11 @@ func TestVulnSrc_Update(t *testing.T) { { Key: []string{"vulnerability-detail", "CVE-0001-0001", "oracle-oval"}, Value: types.VulnerabilityDetail{ + Title: "ELSA-0001-0001: Moderate: empty security update (N/A)", + Description: "empty description", References: []string{ - "http://linux.oracle.com/errata/ELSA-0001-0001.html", "http://linux.oracle.com/cve/CVE-0001-0001.html", + "http://linux.oracle.com/errata/ELSA-0001-0001.html", }, Severity: types.SeverityUnknown, }, 
@@ -1369,49 +465,6 @@ func TestVulnSrc_Update(t *testing.T) { }, }, }, - { - name: "multiple ksplice builds", - dir: filepath.Join("testdata", "ksplice"), - wantValues: []vulnsrctest.WantValues{ - { - Key: []string{"data-source", "Oracle Linux 8"}, - Value: types.DataSource{ - ID: vulnerability.OracleOVAL, - Name: "Oracle Linux OVAL definitions", - URL: "https://linux.oracle.com/security/oval/", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"}, - Value: Advisory{ - Entries: []Entry{ - { - FixedVersion: "2:2.28-151.0.1.ksplice2.el8", - VendorIDs: []string{ - "ELSA-2021-9280", - "ELSA-2021-9344", - }, - }, - }, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2016-10228", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - References: []string{ - "https://linux.oracle.com/errata/ELSA-2021-9280.html", - "https://linux.oracle.com/cve/CVE-2016-10228.html", - "https://linux.oracle.com/errata/ELSA-2021-9344.html", - }, - Severity: types.SeverityHigh, - }, - }, - { - Key: []string{"vulnerability-id", "CVE-2016-10228"}, - Value: map[string]interface{}{}, - }, - }, - }, { name: "sad path (dir doesn't exist)", dir: filepath.Join("testdata", "badPath"), @@ -1453,7 +506,6 @@ func TestVulnSrc_Get(t *testing.T) { { VulnerabilityID: "ELSA-2019-1145", FixedVersion: "32:9.11.4-17.P2.el8_0", - VendorIDs: []string{"ELSA-2019-1145"}, }, }, }, 
@@ -1471,45 +523,6 @@ func TestVulnSrc_Get(t *testing.T) { pkgName: "bind", wantErr: "failed to unmarshal advisory JSON", }, - { - name: "multi-flavors", - fixtures: []string{"testdata/fixtures/multiple-elsas.yaml"}, - version: "8", - pkgName: "gnutls", - want: []types.Advisory{ - { - VulnerabilityID: "CVE-2021-20231", - VendorIDs: []string{"ELSA-2021-4451"}, - FixedVersion: "3.6.16-4.el8", - }, - { - VulnerabilityID: "CVE-2021-20232", - VendorIDs: []string{"ELSA-2021-4451"}, - FixedVersion: "3.6.16-4.el8", - }, - { - VulnerabilityID: "CVE-2021-3580", - VendorIDs: []string{"ELSA-2021-4451"}, - FixedVersion: "3.6.16-4.el8", - }, - - { - VulnerabilityID: "CVE-2021-20231", - VendorIDs: []string{"ELSA-2022-9221"}, - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - }, - { - VulnerabilityID: "CVE-2021-20232", - VendorIDs: []string{"ELSA-2022-9221"}, - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - }, - { - VulnerabilityID: "CVE-2021-3580", - VendorIDs: []string{"ELSA-2022-9221"}, - FixedVersion: "10:3.6.16-4.0.1.el8_fips", - }, - }, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json index 6550b199..f7170d7a 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-elsas/vuln-list/oval/oracle/2021/ELSA-2021-9362.json 
@@ -1,6 +1,6 @@ { "Title": "ELSA-2021-9362: Unbreakable Enterprise kernel security update (IMPORTANT)", - "Description": "[5.4.17-2102.203.5]\n- rds/ib: move rds_ib_clear_irq_miss() to .h file (Manjunath Patil) [Orabug: 33044344]\n\n[5.4.17-2102.203.4]\n- rds/ib: recover rds connection from interrupt loss scenario (Manjunath Patil) [Orabug: 32974199] \n- Revert Allow mce to reset instead of panic on UE (William Roche) [Orabug: 32820275] \n- bpf: Fix masking negation logic upon negative dst register (Daniel Borkmann) [Orabug: 32911990] {CVE-2021-31829}\n- rds/ib: handle posted ACK during connection shutdown (Manjunath Patil) [Orabug: 32863585] \n- rds/ib: reap tx completions during connection shutdown (Manjunath Patil) [Orabug: 32863585]\n\n[5.4.17-2102.203.3]\n- ksplice: use -fno-reorder-functions -fno-section-anchors (Vegard Nossum) [Orabug: 32908850] \n- ksplice: fixup for -ffunction-sections -fdata-sections (Vegard Nossum) [Orabug: 32908850] \n- xfs: fix xlog_finish_defer_ops (Wengang Wang) [Orabug: 32982353] \n- scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (Quinn Tran) [Orabug: 32989005] \n- blk-mq: fix blk_mq_all_tag_iter (Ming Lei) [Orabug: 32957629] \n- blk-mq: split out a __blk_mq_get_driver_tag helper (Christoph Hellwig) [Orabug: 32957629] \n- blk-mq: drain I/O when all CPUs in a hctx are offline (Ming Lei) [Orabug: 32957629] \n- blk-mq: add blk_mq_all_tag_iter (Ming Lei) [Orabug: 32957629] \n- Bluetooth: verify AMP hci_chan before amp_destroy (Archie Pusaka) [Orabug: 32912099] {CVE-2021-33034}\n- perf/x86/intel/uncore: Fix a kernel WARNING triggered by maxcpus=1 (Kan Liang) [Orabug: 32925098] \n- net: sched: fix tx action reschedule issue with stopped queue (Yunsheng Lin) [Orabug: 32911885] \n- net: sched: fix tx action rescheduling issue during deactivation (Yunsheng Lin) [Orabug: 32911885] \n- net: sched: fix packet stuck problem for lockless qdisc (Yunsheng Lin) [Orabug: 32911885] \n- scsi: bnx2fc: Return failure if io_req is 
already in ABTS processing (Gulam Mohamed) [Orabug: 32999623]\n\n[5.4.17-2102.203.2]\n- LTS tag: v5.4.114 (Jack Vogel) \n- net: phy: marvell: fix detection of PHY on Topaz switches (Pali Rohar) \n- ARM: 9071/1: uprobes: Dont hook on thumb instructions (Fredrik Strupe) \n- r8169: dont advertise pause in jumbo mode (Heiner Kallweit) \n- r8169: tweak max read request size for newer chips also in jumbo mtu mode (Heiner Kallweit) \n- r8169: improve rtl_jumbo_config (Heiner Kallweit) \n- r8169: fix performance regression related to PCIe max read request size (Heiner Kallweit) \n- r8169: simplify setting PCI_EXP_DEVCTL_NOSNOOP_EN (Heiner Kallweit) \n- r8169: remove fiddling with the PCIe max read request size (Heiner Kallweit) \n- arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems (Andre Przywara) \n- ARM: footbridge: fix PCI interrupt mapping (Russell King) \n- gro: ensure frag0 meets IP header alignment (Eric Dumazet) \n- ibmvnic: remove duplicate napi_schedule call in open function (Lijun Pan) \n- ibmvnic: remove duplicate napi_schedule call in do_reset function (Lijun Pan) \n- ibmvnic: avoid calling napi_disable() twice (Lijun Pan) \n- i40e: fix the panic when running bpf in xdpdrv mode (Jason Xing) \n- net: ip6_tunnel: Unregister catch-all devices (Hristo Venev) \n- net: sit: Unregister catch-all devices (Hristo Venev) \n- net: davicom: Fix regulator not turned off on failed probe (Christophe JAILLET) \n- netfilter: nft_limit: avoid possible divide error in nft_limit_init (Eric Dumazet) \n- net: macb: fix the restore of cmp registers (Claudiu Beznea) \n- netfilter: arp_tables: add pre_exit hook for table unregister (Florian Westphal) \n- netfilter: bridge: add pre_exit hooks for ebtable unregistration (Florian Westphal) \n- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (Vaibhav Jain) \n- netfilter: conntrack: do not print icmpv6 as unknown via /proc (Pablo Neira Ayuso) \n- scsi: libsas: Reset num_scatter if libata marks qc as NODATA 
(Jolly Shah) \n- riscv: Fix spelling mistake SPARSEMEM to SPARSMEM (Kefeng Wang) \n- vfio/pci: Add missing range check in vfio_pci_mmap (Christian A. Ehrhardt) \n- arm64: alternatives: Move length validation in alternative_{insn, endif} (Nathan Chancellor) \n- arm64: fix inline asm in load_unaligned_zeropad() (Peter Collingbourne) \n- readdir: make sure to verify directory entry for legacy interfaces too (Linus Torvalds) \n- dm verity fec: fix misaligned RS roots IO (Jaegeuk Kim) \n- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (Ping Cheng) \n- Input: i8042 - fix Pegatron C15B ID entry (Arnd Bergmann) \n- Input: s6sy761 - fix coordinate read bit shift (Caleb Connolly) \n- virt_wifi: Return micros for BSS TSF values (A. Cody Schuffelen) \n- mac80211: clear sta-\u003efast_rx when STA removed from 4-addr VLAN (Seevalamuthu Mariappan) \n- pcnet32: Use pci_resource_len to validate PCI resource (Guenter Roeck) \n- net: ieee802154: forbid monitor for add llsec seclevel (Alexander Aring) \n- net: ieee802154: stop dump llsec seclevels for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec devkey (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec devkey (Alexander Aring) \n- net: ieee802154: stop dump llsec devkeys for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec dev (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec dev (Alexander Aring) \n- net: ieee802154: stop dump llsec devs for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec key (Alexander Aring) \n- net: ieee802154: forbid monitor for add llsec key (Alexander Aring) \n- net: ieee802154: stop dump llsec keys for monitors (Alexander Aring) \n- scsi: scsi_transport_srp: Dont block target in SRP_PORT_LOST state (Martin Wilck) \n- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (Alexander Shiyan) \n- drm/msm: Fix a5xx/a6xx timestamps (Rob Clark) \n- ARM: omap1: fix building 
with clang IAS (Arnd Bergmann) \n- ARM: keystone: fix integer overflow warning (Arnd Bergmann) \n- neighbour: Disregard DEAD dst in neigh_update (Tong Zhu) \n- ASoC: max98373: Added 30ms turn on/off time delay (Ryan Lee) \n- arc: kernel: Return -EFAULT if copy_to_user() fails (Wang Qing) \n- lockdep: Add a missing initialization hint to the INFO: Trying to register non-static key message (Tetsuo Handa) \n- ARM: dts: Fix moving mmc devices with aliases for omap4 \u0026 5 (Tony Lindgren) \n- ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race (Tony Lindgren) \n- dmaengine: dw: Make it dependent to HAS_IOMEM (Andy Shevchenko) \n- gpio: sysfs: Obey valid_mask (Matti Vaittinen) \n- Input: nspire-keypad - enable interrupts only when opened (Fabian Vogt) \n- net/sctp: fix race condition in sctp_destroy_sock (Or Cohen) {CVE-2021-23133}\n- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (Quinn Tran) \n- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (Shyam Sundar) \n- scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (Quinn Tran) \n- scsi: qla2xxx: Dual FCP-NVMe target port support (Michael Hernandez) \n- Revert scsi: qla2xxx: Fix stuck login session using prli_pend_timer (Sasha Levin) \n- Revert scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure (Sasha Levin) \n- LTS tag: v5.4.113 (Jack Vogel) \n- xen/events: fix setting irq affinity (Juergen Gross) \n- perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches (Arnaldo Carvalho de Melo) \n- perf tools: Use %zd for size_t printf formats on 32-bit (Chris Wilson) \n- perf tools: Use - driver core: Fix locking bug in deferred_probe_timeout_work_func() (Saravana Kannan) \n- netfilter: x_tables: fix compat match/target pad out-of-bound write (Florian Westphal) \n- block: dont ignore REQ_NOWAIT for direct IO (Pavel Begunkov) \n- riscv,entry: fix misaligned base for excp_vect_table (Zihao Yu) \n- idr test suite: Create anchor before launching throbber 
(Matthew Wilcox (Oracle)) \n- idr test suite: Take RCU read lock in idr_find_test_1 (Matthew Wilcox (Oracle)) \n- radix tree test suite: Register the main thread with the RCU library (Matthew Wilcox (Oracle)) \n- block: only update parent bi_status when bio fail (Yufen Yu) \n- drm/tegra: dc: Dont set PLL clock to 0Hz (Dmitry Osipenko) \n- gfs2: report already frozen/thawed errors (Bob Peterson) \n- drm/imx: imx-ldb: fix out of bounds array access warning (Arnd Bergmann) \n- KVM: arm64: Disable guest access to trace filter controls (Suzuki K Poulose) \n- KVM: arm64: Hide system instruction access to Trace registers (Suzuki K Poulose) \n- interconnect: core: fix error return code of icc_link_destroy() (Jia-Ju Bai) \n- LTS tag: v5.4.112 (Jack Vogel) \n- Revert cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb-\u003eprepath. (Greg Kroah-Hartman) \n- net: ieee802154: stop dump llsec params for monitors (Alexander Aring) \n- net: ieee802154: forbid monitor for del llsec seclevel (Alexander Aring) \n- net: ieee802154: forbid monitor for set llsec params (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec devkey (Alexander Aring) \n- net: ieee802154: fix nl802154 add llsec key (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec dev (Alexander Aring) \n- net: ieee802154: fix nl802154 del llsec key (Alexander Aring) \n- net: ieee802154: nl-mac: fix check on panid (Alexander Aring) \n- net: mac802154: Fix general protection fault (Pavel Skripkin) \n- drivers: net: fix memory leak in peak_usb_create_dev (Pavel Skripkin) \n- drivers: net: fix memory leak in atusb_probe (Pavel Skripkin) \n- net: tun: set tun-\u003edev-\u003eaddr_len during TUNSETLINK processing (Phillip Potter) \n- cfg80211: remove WARN_ON() in cfg80211_sme_connect (Du Cheng) \n- net: sched: bump refcount for new action in ACT replace mode (Kumar Kartikeya Dwivedi) \n- dt-bindings: net: ethernet-controller: fix typo in NVMEM (Rafal Milecki) \n- clk: socfpga: fix iomem pointer cast 
on 64-bit (Krzysztof Kozlowski) \n- RDMA/addr: Be strict with gid size (Leon Romanovsky) \n- RDMA/cxgb4: check for ipv6 address properly while destroying listener (Potnuri Bharat Teja) \n- net/mlx5: Fix PBMC register mapping (Aya Levin) \n- net/mlx5: Fix placement of log_max_flow_counter (Raed Salem) \n- net: hns3: clear VF down state bit before request link status (Guangbin Huang) \n- openvswitch: fix send of uninitialized stack memory in ct limit reply (Ilya Maximets) \n- net: openvswitch: conntrack: simplify the return expression of ovs_ct_limit_get_default_limit() (Zheng Yongjun) \n- perf inject: Fix repipe usage (Adrian Hunter) \n- s390/cpcmd: fix inline assembly register clobbering (Alexander Gordeev) \n- workqueue: Move the position of debug_work_activate() in __queue_work() (Zqiang) \n- clk: fix invalid usage of list cursor in unregister (Lukasz Bartosik) \n- clk: fix invalid usage of list cursor in register (Lukasz Bartosik) \n- net: macb: restore cmp registers on resume path (Claudiu Beznea) \n- scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs (Can Guo) \n- scsi: ufs: core: Fix task management request completion timeout (Can Guo) \n- scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs (Bart Van Assche) \n- scsi: ufs: Avoid busy-waiting by eliminating tag conflicts (Bart Van Assche) \n- scsi: ufs: Fix irq return code (Venkat Gopalakrishnan) \n- net: udp: Add support for getsockopt(..., ..., UDP_GRO, ..., ...); (Norman Maurer) \n- drm/msm: Set drvdata to NULL when msm_drm_init() fails (Stephen Boyd) \n- i40e: Fix display statistics for veb_tc (Eryk Rybak) \n- soc/fsl: qbman: fix conflicting alignment attributes (Arnd Bergmann) \n- net/mlx5: Dont request more than supported EQs (Daniel Jurgens) \n- net/mlx5e: Fix ethtool indication of connector type (Aya Levin) \n- ASoC: sunxi: sun4i-codec: fill ASoC card owner (Bastian Germann) \n- net: phy: broadcom: Only advertise EEE for supported modes (Florian Fainelli) \n- nfp: 
flower: ignore duplicate merge hints from FW (Yinjun Zhang) \n- net/ncsi: Avoid channel_monitor hrtimer deadlock (Milton Miller) \n- ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces (Stefan Riedmueller) \n- net:tipc: Fix a double free in tipc_sk_mcast_rcv (Lv Yunlong) \n- cxgb4: avoid collecting SGE_QBASE regs during traffic (Rahul Lakkireddy) \n- gianfar: Handle error code at MAC address change (Claudiu Manoil) \n- can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE (Oliver Hartkopp) \n- arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0 (Oliver Stabler) \n- sch_red: fix off-by-one checks in red_check_params() (Eric Dumazet) \n- amd-xgbe: Update DMA coherency values (Shyam Sundar S K) \n- hostfs: fix memory handling in follow_link() (Al Viro) \n- hostfs: Use kasprintf() instead of fixed buffer formatting (Andy Shevchenko) \n- i40e: Fix kernel oops when i40e driver removes VFs (Eryk Rybak) \n- i40e: Added Asym_Pause to supported link modes (Mateusz Palczewski) \n- xfrm: Fix NULL pointer dereference on policy lookup (Steffen Klassert) \n- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (Shengjiu Wang) \n- ASoC: SOF: Intel: HDA: fix core status verification (Guennadi Liakhovetski) \n- ASoC: SOF: Intel: hda: remove unnecessary parentheses (Payal Kshirsagar) \n- esp: delete NETIF_F_SCTP_CRC bit from features for esp offload (Xin Long) \n- net: xfrm: Localize sequence counter per network namespace (Ahmed S. 
Darwish) \n- regulator: bd9571mwv: Fix AVS and DVFS voltage range (Geert Uytterhoeven) \n- xfrm: interface: fix ipv4 pmtu check to honor ip header df (Eyal Birger) \n- net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits (Martin Blumenstingl) \n- net: dsa: lantiq_gswip: Dont use PHY auto polling (Martin Blumenstingl) \n- virtio_net: Add XDP meta data support (Yuya Kusakabe) \n- i2c: turn recovery error on init to debug (Wolfram Sang) \n- usbip: synchronize event handler with sysfs code paths (Shuah Khan) \n- usbip: vudc synchronize sysfs code paths (Shuah Khan) \n- usbip: stub-dev synchronize sysfs code paths (Shuah Khan) \n- usbip: add sysfs_lock to synchronize sysfs code paths (Shuah Khan) \n- net: let skb_orphan_partial wake-up waiters. (Paolo Abeni) \n- net-ipv6: bugfix - raw \u0026 sctp - switch to ipv6_can_nonlocal_bind() (Maciej zenczykowski) \n- net: hsr: Reset MAC header for Tx path (Kurt Kanzenbach) \n- mac80211: fix TXQ AC confusion (Johannes Berg) \n- net: sched: sch_teql: fix null-pointer dereference (Pavel Tikhomirov) \n- i40e: Fix sparse error: vsi-\u003enetdev could be null (Arkadiusz Kubalewski) \n- i40e: Fix sparse warning: missing error code err (Arkadiusz Kubalewski) \n- net: ensure mac header is set in virtio_net_hdr_to_skb() (Eric Dumazet) \n- bpf, sockmap: Fix sk-\u003eprot unhash op reset (John Fastabend) \n- ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (Lv Yunlong) \n- net: hso: fix null-ptr-deref during tty device unregistration (Anirudh Rayabharam) \n- ice: Cleanup fltr list in case of allocation issues (Robert Malz) \n- ice: Fix for dereference of NULL pointer (Jacek Bulatek) \n- ice: Increase control queue timeout (Fabio Pricoco) \n- batman-adv: initialize struct batadv_tvlv_tt_vlan_data-\u003ereserved field (Tetsuo Handa) \n- ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin (Marek Behun) \n- parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers (Gao Xiang) \n- parisc: 
parisc-agp requires SBA IOMMU driver (Helge Deller) \n- fs: direct-io: fix missing sdio-\u003eboundary (Jack Qiu) \n- nds32: flush_dcache_page: use page_mapping_file to avoid races with swapoff (Mike Rapoport) \n- ia64: fix user_stack_pointer() for ptrace() (Sergei Trofimovich) \n- gcov: re-fix clang-11+ support (Nick Desaulniers) \n- drm/i915: Fix invalid access to ACPI _DSM objects (Takashi Iwai) \n- net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock (Martin Blumenstingl) \n- net: ipv6: check for validity before dereferencing cfg-\u003efc_nlinfo.nlh (Muhammad Usama Anjum) \n- xen/evtchn: Change irq_info lock to raw_spinlock_t (Luca Fancellu) \n- nfc: Avoid endless loops caused by repeated llcp_sock_connect() (Xiaoming Ni) \n- nfc: fix memory leak in llcp_sock_connect() (Xiaoming Ni) {CVE-2020-25672}\n- nfc: fix refcount leak in llcp_sock_connect() (Xiaoming Ni) {CVE-2020-25671}\n- nfc: fix refcount leak in llcp_sock_bind() (Xiaoming Ni) {CVE-2020-25670}\n- ASoC: intel: atom: Stop advertising non working S24LE support (Hans de Goede) \n- ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (Takashi Iwai) \n- ALSA: aloop: Fix initialization of controls (Jonas Holmberg) \n- counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register (Fabrice Gasnier) \n- LTS tag: v5.4.111 (Jack Vogel) \n- init/Kconfig: make COMPILE_TEST depend on HAS_IOMEM (Masahiro Yamada) \n- init/Kconfig: make COMPILE_TEST depend on !S390 (Heiko Carstens) \n- nvme-mpath: replace direct_make_request with generic_make_request (Sagi Grimberg) \n- bpf, x86: Validate computation of branch displacements for x86-32 (Piotr Krysiuk) \n- cifs: Silently ignore unknown oplock break handle (Vincent Whitchurch) \n- cifs: revalidate mapping when we open files for SMB1 POSIX (Ronnie Sahlberg) \n- ia64: fix format strings for err_inject (Sergei Trofimovich) \n- ia64: mca: allocate early mca with GFP_ATOMIC (Sergei Trofimovich) \n- scsi: target: pscsi: Clean up after failure in 
pscsi_map_sg() (Martin Wilck) \n- x86/build: Turn off -fcf-protection for realmode targets (Arnd Bergmann) \n- platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (Esteve Varela Colominas) \n- netfilter: conntrack: Fix gre tunneling over ipv6 (Ludovic Senecaux) \n- drm/msm: Ratelimit invalid-fence message (Rob Clark) \n- drm/msm/adreno: a5xx_power: Dont apply A540 lm_setup to other GPUs (Konrad Dybcio) \n- mac80211: choose first enabled channel for monitor (Karthikeyan Kathirvel) \n- mISDN: fix crash in fritzpci (Tong Zhang) \n- net: pxa168_eth: Fix a potential data race in pxa168_eth_remove (Pavel Andrianov) \n- net/mlx5e: Enforce minimum value check for ICOSQ size (Tariq Toukan) \n- bpf, x86: Use kvmalloc_array instead kmalloc_array in bpf_jit_comp (Yonghong Song) \n- platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (Alban Bedel) \n- bus: ti-sysc: Fix warning on unbind if reset is not deasserted (Tony Lindgren) \n- ARM: dts: am33xx: add aliases for mmc interfaces (Mans Rullgard) \n- LTS tag: v5.4.110 (Jack Vogel) \n- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (Du Cheng) \n- staging: rtl8192e: Change state information from u16 to u8 (Atul Gopinathan) \n- staging: rtl8192e: Fix incorrect source in memcpy() (Atul Gopinathan) \n- usb: dwc2: Prevent core suspend when port connection flag is 0 (Artur Petrosyan) \n- usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. 
(Artur Petrosyan) \n- usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference (Tong Zhang) \n- USB: cdc-acm: fix use-after-free after probe failure (Johan Hovold) \n- USB: cdc-acm: fix double free on probe failure (Johan Hovold) \n- USB: cdc-acm: downgrade message to debug (Oliver Neukum) \n- USB: cdc-acm: untangle a circular dependency between callback and softint (Oliver Neukum) \n- cdc-acm: fix BREAK rx code path adding necessary calls (Oliver Neukum) \n- usb: xhci-mtk: fix broken streams issue on 0.96 xHCI (Chunfeng Yun) \n- usb: musb: Fix suspend with devices connected for a64 (Tony Lindgren) \n- USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (Vincent Palatin) \n- usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (Shuah Khan) \n- firewire: nosy: Fix a use-after-free bug in nosy_ioctl() (Zheyu Ma) \n- extcon: Fix error handling in extcon_dev_register (Dinghao Liu) \n- extcon: Add stubs for extcon_register_notifier_all() functions (Krzysztof Kozlowski) \n- pinctrl: rockchip: fix restore error in resume (Wang Panzhenzhuan) \n- vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends (Jason Gunthorpe) \n- reiserfs: update reiserfs_xattrs_initialized() condition (Tetsuo Handa) \n- drm/amdgpu: check alignment on CPU page for bo map (Xi Ruoyao) \n- drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (Nirmoy Das) \n- mm: fix race by making init_zero_pfn() early_initcall (Ilya Lipnitskiy) \n- tracing: Fix stack trace event size (Steven Rostedt (VMware)) \n- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (Adrian Hunter) \n- PM: runtime: Fix race getting/putting suppliers at probe (Adrian Hunter) \n- xtensa: move coprocessor_flush to the .text section (Max Filippov) \n- ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook (Hui Wang) \n- ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (Hui Wang) \n- ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks (Takashi Iwai) \n- 
ALSA: hda: Re-add dropped snd_poewr_change_state() calls (Takashi Iwai) \n- ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (Ikjoon Jang) \n- bpf: Remove MTU check in __bpf_skb_max_len (Jesper Dangaard Brouer) \n- net: wan/lmc: unregister device when no matching device is found (Tong Zhang) \n- appletalk: Fix skb allocation size in loopback case (Doug Brown) \n- net: ethernet: aquantia: Handle error cleanup of start on open (Nathan Rossi) \n- ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (Shuah Khan) \n- brcmfmac: clear EAP/association status bits on linkdown events (Luca Pesce) \n- can: tcan4x5x: fix max register value (Sasha Levin) \n- net: introduce CAN specific pointer in the struct net_device (Oleksij Rempel) \n- can: dev: move driver related infrastructure into separate subdir (Marc Kleine-Budde) \n- flow_dissector: fix TTL and TOS dissection on IPv4 fragments (Davide Caratti) \n- net: mvpp2: fix interrupt mask/unmask skip condition (Sasha Levin) \n- ext4: do not iput inode under running transaction in ext4_rename() (zhangyi (F)) \n- locking/ww_mutex: Simplify use_ww_ctx \u0026 ww_ctx handling (Waiman Long) \n- thermal/core: Add NULL pointer check before using cooling device stats (Manaf Meethalavalappu Pallikunhi) \n- ASoC: rt5659: Update MCLK rate in set_sysclk() (Sameer Pujar) \n- staging: comedi: cb_pcidas64: fix request_irq() warn (Tong Zhang) \n- staging: comedi: cb_pcidas: fix request_irq() warn (Tong Zhang) \n- scsi: qla2xxx: Fix broken #endif placement (Alexey Dobriyan) \n- scsi: st: Fix a use after free in st_open() (Lv Yunlong) \n- vhost: Fix vhost_vq_reset() (Laurent Vivier) \n- powerpc: Force inlining of cpu_has_feature() to avoid build failure (Christophe Leroy) \n- NFSD: fix error handling in NFSv4.0 callbacks (Olga Kornievskaia) \n- ASoC: cs42l42: Always wait at least 3ms after reset (Lucas Tanure) \n- ASoC: cs42l42: Fix mixer volume control (Lucas Tanure) \n- ASoC: cs42l42: Fix channel width support (Lucas 
Tanure) \n- ASoC: cs42l42: Fix Bitclock polarity inversion (Lucas Tanure) \n- ASoC: es8316: Simplify adc_pga_gain_tlv table (Hans de Goede) \n- ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (Benjamin Rood) \n- ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (Hans de Goede) \n- ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (Hans de Goede) \n- iomap: Fix negative assignment to unsigned sis-\u003epages in iomap_swapfile_activate (Ritesh Harjani) \n- rpc: fix NULL dereference on kmalloc failure (J. Bruce Fields) \n- fs: nfsd: fix kconfig dependency warning for NFSD_V4 (Julian Braha) \n- ext4: fix bh ref count on error paths (Zhaolong Zhang) \n- ext4: shrink race window in ext4_should_retry_alloc() (Eric Whitney) \n- module: harden ELF info handling (Frank van der Linden) \n- module: avoid *goto*s in module_sig_check() (Sergey Shtylyov) \n- module: merge repetitive strings in module_sig_check() (Sergey Shtylyov) \n- modsign: print module name along with error message (Jessica Yu) \n- ipv6: weaken the v4mapped source check (Jakub Kicinski) \n- selinux: vsock: Set SID for socket returned by accept() (David Brazdil) \n- LTS tag: v5.4.109 (Jack Vogel) \n- xen-blkback: dont leak persistent grants from xen_blkbk_map() (Jan Beulich) \n- can: peak_usb: Revert can: peak_usb: add forgotten supported devices (Marc Kleine-Budde) \n- ext4: add reclaim checks to xattr code (Jan Kara) \n- mac80211: fix double free in ibss_leave (Markus Theil) \n- net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() (Eric Dumazet) \n- net: dsa: b53: VLAN filtering is global to all users (Florian Fainelli) \n- can: dev: Move device back to init netns on owning netns delete (Martin Willi) \n- x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (Isaku Yamahata) \n- locking/mutex: Fix non debug version of mutex_lock_io_nested() (Thomas Gleixner) \n- scsi: mpt3sas: Fix error return code of 
mpt3sas_base_attach() (Jia-Ju Bai) \n- scsi: qedi: Fix error return code of qedi_alloc_global_queues() (Jia-Ju Bai) \n- scsi: Revert qla2xxx: Make sure that aborted commands are freed (Bart Van Assche) \n- block: recalculate segment count for multi-segment discards correctly (David Jeffery) \n- perf auxtrace: Fix auxtrace queue conflict (Adrian Hunter) \n- ACPI: scan: Use unique number for instance_no (Andy Shevchenko) \n- ACPI: scan: Rearrange memory allocation in acpi_device_add() (Rafael J. Wysocki) \n- Revert netfilter: x_tables: Update remaining dereference to RCU (Mark Tomlinson) \n- Revert netfilter: x_tables: Switch synchronization to RCU (Mark Tomlinson) \n- bpf: Dont do bpf_cgroup_storage_set() for kuprobe/tp programs (Sasha Levin) \n- RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (Potnuri Bharat Teja) \n- PM: EM: postpone creating the debugfs dir till fs_initcall (Lukasz Luba) \n- net/mlx5e: Fix error path for ethtool set-priv-flag (Aya Levin) \n- PM: runtime: Defer suspending suppliers (Rafael J. 
Wysocki) \n- arm64: kdump: update ppos when reading elfcorehdr (Pavel Tatashin) \n- drm/msm: fix shutdown hook in case GPU components failed to bind (Dmitry Baryshkov) \n- libbpf: Fix BTF dump of pointer-to-array-of-struct (Jean-Philippe Brucker) \n- selftests: forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate value (Hangbin Liu) \n- net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes (Corentin Labbe) \n- r8152: limit the RX buffer size of RTL8153A for USB 2.0 (Hayes Wang) \n- net: cdc-phonet: fix data-interface release on probe failure (Johan Hovold) \n- octeontx2-af: fix infinite loop in unmapping NPC counter (Hariprasad Kelam) \n- octeontx2-af: Fix irq free in rvu teardown (Geetha sowjanya) \n- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (Kumar Kartikeya Dwivedi) \n- nfp: flower: fix pre_tun mask id allocation (Louis Peens) \n- mac80211: fix rate mask reset (Johannes Berg) \n- can: m_can: m_can_rx_peripheral(): fix RX being blocked by errors (Torin Cooper-Bennun) \n- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (Torin Cooper-Bennun) \n- can: c_can: move runtime PM enable/disable to c_can_platform (Tong Zhang) \n- can: c_can_pci: c_can_pci_remove(): fix use-after-free (Tong Zhang) \n- can: kvaser_pciefd: Always disable bus load reporting (Jimmy Assarsson) \n- can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (Angelo Dureghello) \n- can: peak_usb: add forgotten supported devices (Stephane Grosjean) \n- tcp: relookup sock for RST+ACK packets handled by obsolete req sock (Alexander Ovechkin) \n- netfilter: ctnetlink: fix dump of the expect mask attribute (Florian Westphal) \n- selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (Hangbin Liu) \n- ftgmac100: Restart MAC HW once (Dylan Hung) \n- net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (Lv Yunlong) \n- e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (Dinghao Liu) \n- e1000e: add rtnl_lock() to 
e1000_reset_task (Vitaly Lifshits) \n- igc: Fix Supported Pause Frame Link Setting (Muhammad Husaini Zulkifli) \n- igc: Fix Pause Frame Advertising (Muhammad Husaini Zulkifli) \n- net: dsa: bcm_sf2: Qualify phydev-\u003edev_flags based on port (Florian Fainelli) \n- net: sched: validate stab values (Eric Dumazet) \n- macvlan: macvlan_count_rx() needs to be aware of preemption (Eric Dumazet) \n- ipv6: fix suspecious RCU usage warning (Wei Wang) \n- net/mlx5e: Dont match on Geneve options in case option masks are all zero (Maor Dickman) \n- libbpf: Fix INSTALL flag order (Georgi Valkov) \n- veth: Store queue_mapping independently of XDP prog presence (Maciej Fijalkowski) \n- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (Grygorii Strashko) \n- dm verity: fix DM_VERITY_OPTS_MAX value (JeongHyeon Lee) \n- integrity: double check iint_cache was initialized (Mimi Zohar) \n- ARM: dts: at91-sama5d27_som1: fix phy address to 7 (Claudiu Beznea) \n- arm64: dts: ls1043a: mark crypto engine dma coherent (Horia Geanta) \n- arm64: dts: ls1012a: mark crypto engine dma coherent (Horia Geanta) \n- arm64: dts: ls1046a: mark crypto engine dma coherent (Horia Geanta) \n- ACPI: video: Add missing callback back for Sony VPCEH3U1E (Chris Chiu) \n- gcov: fix clang-11+ support (Nick Desaulniers) \n- kasan: fix per-page tags for non-page_alloc pages (Andrey Konovalov) \n- squashfs: fix xattr id and id lookup sanity checks (Phillip Lougher) \n- squashfs: fix inode lookup sanity checks (Sean Nyekjaer) \n- platform/x86: intel-vbtn: Stop reporting SW_DOCK events (Hans de Goede) \n- netsec: restore phy power state after controller reset (Mian Yousaf Kaukab) \n- ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign (Sergei Trofimovich) \n- ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls (Sergei Trofimovich) \n- block: Suppress uevent for hidden device when removed (Daniel Wagner) \n- nfs: we dont support removing system.nfs4_acl (J. 
Bruce Fields) \n- nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a (Dmitry Monakhov) \n- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (Hannes Reinecke) \n- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (Hannes Reinecke) \n- drm/radeon: fix AGP dependency (Christian Konig) \n- drm/amdgpu: fb BO should be ttm_bo_type_device (Nirmoy Das) \n- drm/amd/display: Revert dram_clock_change_latency for DCN2.1 (Sung Lee) \n- regulator: qcom-rpmh: Correct the pmic5_hfsmps515 buck (satya priya) \n- u64_stats,lockdep: Fix u64_stats_init() vs lockdep (Peter Zijlstra) \n- habanalabs: Call put_pid() when releasing control device (Tomer Tayar) \n- sparc64: Fix opcode filtering in handling of no fault loads (Rob Gardner) \n- irqchip/ingenic: Add support for the JZ4760 (Paul Cercueil) \n- cifs: change noisy error message to FYI (Paulo Alcantara) \n- atm: idt77252: fix null-ptr-dereference (Tong Zhang) \n- atm: uPD98402: fix incorrect allocation (Tong Zhang) \n- net: davicom: Use platform_get_irq_optional() (Paul Cercueil) \n- net: wan: fix error return code of uhdlc_init() (Jia-Ju Bai) \n- net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch() (Jia-Ju Bai) \n- NFS: Correct size calculation for create reply length (Frank Sorenson) \n- nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default (Timo Rothenpieler) \n- gpiolib: acpi: Add missing IRQF_ONESHOT (Yang Li) \n- cpufreq: blacklist Arm Vexpress platforms in cpufreq-dt-platdev (Sudeep Holla) \n- cifs: ask for more credit on async read/write code paths (Aurelien Aptel) \n- gianfar: fix jumbo packets+napi+rx overrun crash (Michael Braun) \n- sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count (Denis Efremov) \n- net: intel: iavf: fix error return code of iavf_init_get_resources() (Jia-Ju Bai) \n- net: tehuti: fix error return code in bdx_probe() (Jia-Ju Bai) \n- ixgbe: Fix memleak in ixgbe_configure_clsu32 (Dinghao Liu) \n- ALSA: hda: ignore invalid NHLT table (Mark 
Pearson) \n- Revert r8152: adjust the settings about MAC clock speed down for RTL8153 (Hayes Wang) \n- atm: lanai: dont run lanai_dev_close if not open (Tong Zhang) \n- atm: eni: dont release is never initialized (Tong Zhang) \n- powerpc/4xx: Fix build errors from mfdcr() (Michael Ellerman) \n- net: fec: ptp: avoid register access when ipg clock is disabled (Heiko Thiery) \n- hugetlbfs: hugetlb_fault_mutex_hash() cleanup (Mike Kravetz) \n- LTS tag: v5.4.108 (Jack Vogel) \n- cifs: Fix preauth hash corruption (Vincent Whitchurch) \n- x86/apic/of: Fix CPU devicetree-node lookups (Johan Hovold) \n- genirq: Disable interrupts for force threaded handlers (Thomas Gleixner) \n- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (Lv Yunlong) \n- efi: use 32-bit alignment for efi_guid_t literals (Ard Biesheuvel) \n- ext4: fix potential error in ext4_do_update_inode (Shijie Luo) \n- ext4: do not try to set xattr into ea_inode if value is empty (zhangyi (F)) \n- ext4: find old entry again if failed to rename whiteout (zhangyi (F)) \n- x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (Oleg Nesterov) \n- x86: Move TS_COMPAT back to asm/thread_info.h (Oleg Nesterov) \n- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (Oleg Nesterov) \n- x86/ioapic: Ignore IRQ2 again (Thomas Gleixner) \n- PCI: rpadlpar: Fix potential drc_name corruption in store functions (Tyrel Datwyler) \n- counter: stm32-timer-cnt: fix ceiling write max value (Fabrice Gasnier) \n- iio: hid-sensor-temperature: Fix issues of timestamp channel (Ye Xiang) \n- iio: hid-sensor-prox: Fix scale not correct issue (Ye Xiang) \n- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (Ye Xiang) \n- iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (Wilfried Wessner) \n- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (Dinghao Liu) \n- iio: adis16400: Fix an error code in adis16400_initial_setup() (Dan Carpenter) \n- 
iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (Jonathan Albrieux) \n- iio:adc:stm32-adc: Add HAS_IOMEM dependency (Jonathan Cameron) \n- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (Badhri Jagan Sridharan) \n- usb: gadget: configfs: Fix KASAN use-after-free (Jim Lin) \n- USB: replace hardcode maximum usb string length by definition (Macpaul Lin) \n- usbip: Fix incorrect double assignment to udc-\u003eud.tcp_rx (Colin Ian King) \n- usb-storage: Add quirk to defeat Kindles automatic unload (Alan Stern) \n- nvme-rdma: fix possible hang when failing to set io queues (Sagi Grimberg) \n- counter: stm32-timer-cnt: Report count function when SLAVE_MODE_DISABLED (William Breathitt Gray) \n- scsi: myrs: Fix a double free in myrs_cleanup() (Lv Yunlong) \n- scsi: lpfc: Fix some error codes in debugfs (Dan Carpenter) \n- riscv: Correct SPARSEMEM configuration (Kefeng Wang) \nfor empty SUBLEVEL or PATCHLEVEL again (Masahiro Yamada) \n- net/qrtr: fix __netdev_alloc_skb call (Pavel Skripkin) \n- sunrpc: fix refcount leak for rpc auth modules (Daniel Kobras) \n- vfio: IOMMU_API should be selected (Jason Gunthorpe) \n- svcrdma: disable timeouts on rdma backchannel (Timo Rothenpieler) \n- NFSD: Repair misuse of sv_lock in 5.10.16-rt30. 
(Joe Korty) \n- nfsd: Dont keep looking up unhashed files in the nfsd file cache (Trond Myklebust) \n- nvmet: dont check iosqes,iocqes for discovery controllers (Sagi Grimberg) \n- nvme-tcp: fix a NULL deref when receiving a 0-length r2t PDU (Sagi Grimberg) \n- nvme-tcp: fix possible hang when failing to set io queues (Sagi Grimberg) \n- nvme: fix Write Zeroes limitations (Christoph Hellwig) \n- afs: Stop listxattr() from listing afs.* attributes (David Howells) \n- ASoC: simple-card-utils: Do not handle device clock (Sameer Pujar) \n- ASoC: SOF: intel: fix wrong poll bits in dsp power down (Pan Xiuli) \n- ASoC: SOF: Intel: unregister DMIC device on probe error (Pierre-Louis Bossart) \n- ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (Alexander Shiyan) \n- btrfs: fix slab cache flags for free space tree bitmap (David Sterba) \n- ARM: 9044/1: vfp: use undef hook for VFP support detection (Ard Biesheuvel) \n- ARM: 9030/1: entry: omit FP emulation for UND exceptions taken in kernel mode (Ard Biesheuvel) \n- s390/vtime: fix increased steal time accounting (Gerald Schaefer) \n- Revert PM: runtime: Update device status before letting suppliers suspend (Rafael J. 
Wysocki) \n- ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (Xiaoliang Yu) \n- ALSA: hda: generic: Fix the micmute led init state (Hui Wang) \n- ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (Xiaoliang Yu) \n- ALSA: dice: fix null pointer dereference when node is disconnected (Takashi Sakamoto) \n- ASoC: ak5558: Add MODULE_DEVICE_TABLE (Shengjiu Wang) \n- ASoC: ak4458: Add MODULE_DEVICE_TABLE (Shengjiu Wang) \n- LTS tag: v5.4.107 (Jack Vogel) \n- net: dsa: b53: Support setting learning on port (Florian Fainelli) \n- net: dsa: tag_mtk: fix 802.1ad VLAN egress (DENG Qingfang) \n- crypto: x86/aes-ni-xts - use direct calls to and 4-way stride (Ard Biesheuvel) \n- crypto: aesni - Use TEST %reg,%reg instead of CMP /u03/ksharma/errata_processing/work/el8/db_8.ELSA-2021-9362,%reg (Uros Bizjak) \n- crypto: x86 - Regularize glue function prototypes (Kees Cook) \n- drm/i915/gvt: Fix vfio_edid issue for BXT/APL (Colin Xu) \n- drm/i915/gvt: Fix port number for BDW on EDID region setup (Colin Xu) \n- drm/i915/gvt: Fix virtual display setup for BXT/APL (Colin Xu) \n- drm/i915/gvt: Fix mmio handler break on BXT/APL. 
(Colin Xu) \n- drm/i915/gvt: Set SNOOP for PAT3 on BXT/APL to workaround GPU BB hang (Colin Xu) \n- btrfs: scrub: Dont check free space before marking a block group RO (Qu Wenruo) \n- bpf: Fix off-by-one for area size in creating mask to left (Piotr Krysiuk) \n- bpf: Prohibit alu ops for pointer types not defining ptr_limit (Piotr Krysiuk) \n- KVM: arm64: nvhe: Save the SPE context early (Suzuki K Poulose) \n- LTS tag: v5.4.106 (Jack Vogel) \n- xen/events: avoid handling the same event on two cpus at the same time (Juergen Gross) \n- xen/events: dont unmask an event channel when an eoi is pending (Juergen Gross) \n- xen/events: reset affinity of 2-level event when tearing it down (Juergen Gross) \n- KVM: arm64: Reject VM creation when the default IPA size is unsupported (Marc Zyngier) \n- KVM: arm64: Ensure I-cache isolation between vcpus of a same VM (Marc Zyngier) \n- KVM: arm64: Fix exclusive limit for IPA size (Marc Zyngier) \n- x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2 (Josh Poimboeuf) \n- binfmt_misc: fix possible deadlock in bm_register_write (Lior Ribak) \n- powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (Naveen N. 
Rao) \n- sched/membarrier: fix missing local execution of ipi_sync_rq_state() (Mathieu Desnoyers) \n- zram: fix return value on writeback_store (Minchan Kim) \n- include/linux/sched/mm.h: use rcu_dereference in in_vfork() (Matthew Wilcox (Oracle)) \n- stop_machine: mark helpers __always_inline (Arnd Bergmann) \n- hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() (Anna-Maria Behnsen) \n- arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds (Ard Biesheuvel) \n- configfs: fix a use-after-free in __configfs_open_file (Daiyue Zhang) \n- block: rsxx: fix error return code of rsxx_pci_probe() (Jia-Ju Bai) \n- NFSv4.2: fix return value of _nfs4_get_security_label() (Ondrej Mosnacek) \n- NFS: Dont gratuitously clear the inode cache when lookup failed (Trond Myklebust) \n- NFS: Dont revalidate the directory permissions on a lookup failure (Trond Myklebust) \n- SUNRPC: Set memalloc_nofs_save() for sync tasks (Benjamin Coddington) \n- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (Anshuman Khandual) \n- sh_eth: fix TRSCER mask for R7S72100 (Sergey Shtylyov) \n- staging: comedi: pcl818: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: pcl711: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: me4000: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: dmm32at: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: das800: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: das6402: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: adv_pci1710: Fix endian problem for AI command data (Ian Abbott) \n- staging: comedi: addi_apci_1500: Fix endian problem for command sample (Ian Abbott) \n- staging: comedi: addi_apci_1032: Fix endian problem for COS sample (Ian Abbott) \n- staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan (Lee Gibson) \n- staging: rtl8712: Fix possible buffer overflow 
in r8712_sitesurvey_cmd (Lee Gibson) \n- staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() (Dan Carpenter) \n- staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() (Dan Carpenter) \n- staging: rtl8712: unterminated string leads to read overflow (Dan Carpenter) \n- staging: rtl8188eu: prevent -\u003essid overflow in rtw_wx_set_scan() (Dan Carpenter) \n- staging: rtl8192u: fix -\u003essid overflow in r8192_wx_set_scan() (Dan Carpenter) \n- misc: fastrpc: restrict user apps from sending kernel RPC messages (Dmitry Baryshkov) {CVE-2019-2308}\n- misc/pvpanic: Export module FDT device table (Shile Zhang) \n- usbip: fix vudc usbip_sockfd_store races leading to gpf (Shuah Khan) \n- usbip: fix vhci_hcd attach_store() races leading to gpf (Shuah Khan) \n- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (Shuah Khan) \n- usbip: fix vudc to check for stream socket (Shuah Khan) \n- usbip: fix vhci_hcd to check for stream socket (Shuah Khan) \n- usbip: fix stub_dev to check for stream socket (Shuah Khan) \n- USB: serial: cp210x: add some more GE USB IDs (Sebastian Reichel) \n- USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (Karan Singhal) \n- USB: serial: ch341: add new Product ID (Niv Sardi) \n- USB: serial: io_edgeport: fix memory leak in edge_startup (Pavel Skripkin) \n- xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (Mathias Nyman) \n- usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (Forest Crossman) \n- xhci: Improve detection of device initiated wake signal. 
(Mathias Nyman) \n- usb: xhci: do not perform Soft Retry for some xHCI hosts (Stanislaw Gruszka) \n- usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (Yoshihiro Shimoda) \n- USB: usblp: fix a hang in poll() if disconnected (Pete Zaitcev) \n- usb: dwc3: qcom: Honor wakeup enabled/disabled state (Matthias Kaehlcke) \n- usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement (Serge Semin) \n- usb: gadget: f_uac1: stop playback on function disable (Ruslan Bilovol) \n- usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (Ruslan Bilovol) \n- USB: gadget: u_ether: Fix a configfs return code (Dan Carpenter) \n- Goodix Fingerprint device is not a modem (Yorick de Wid) \n- mmc: cqhci: Fix random crash when remove mmc module/card (Frank Li) \n- mmc: core: Fix partition switch time for eMMC (Adrian Hunter) \n- software node: Fix node registration (Heikki Krogerus) \n- s390/dasd: fix hanging IO request during DASD driver unbind (Stefan Haberland) \n- s390/dasd: fix hanging DASD driver unbind (Stefan Haberland) \n- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (Andrey Konovalov) \n- Revert 95ebabde382c (capabilities: Dont allow writing ambiguous v3 file capabilities) (Eric W. 
Biederman) \n- ALSA: usb-audio: Apply the control quirk to Plantronics headsets (Takashi Iwai) \n- ALSA: usb-audio: Fix cannot get freq eq errors on Dell AE515 sound bar (Takashi Iwai) \n- ALSA: hda: Avoid spurious unsol event handling during S3/S4 (Takashi Iwai) \n- ALSA: hda: Flush pending unsolicited events before suspend (Takashi Iwai) \n- ALSA: hda: Drop the BATCH workaround for AMD controllers (Takashi Iwai) \n- ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support (Simeon Simeonoff) \n- ALSA: hda/hdmi: Cancel pending works before suspend (Takashi Iwai) \n- ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk (John Ernberg) \n- scsi: target: core: Prevent underflow for service actions (Aleksandr Miloserdov) \n- scsi: target: core: Add cmd length set before cmd complete (Aleksandr Miloserdov) \n- scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling (Mike Christie) \n- sysctl.c: fix underflow value setting risk in vm_table (Lin Feng) \n- s390/smp: __smp_rescan_cpus() - move cpumask away from stack (Heiko Carstens) \n- i40e: Fix memory leak in i40e_probe (Keita Suzuki) \n- PCI: Fix pci_register_io_range() memory leak (Geert Uytterhoeven) \n- kbuild: clamp SUBLEVEL to 255 (Sasha Levin) \n- PCI: mediatek: Add missing of_node_put() to fix reference leak (Krzysztof Wilczynski) \n- PCI: xgene-msi: Fix race in installing chained irq handler (Martin Kaiser) \n- Input: applespi - dont wait for responses to commands indefinitely. 
(Ronald Tschalar) \n- sparc64: Use arch_validate_flags() to validate ADI flag (Khalid Aziz) \n- sparc32: Limit memblock allocation to low memory (Andreas Larsson) \n- iommu/amd: Fix performance counter initialization (Suravee Suthikulpanit) \n- powerpc/64: Fix stack trace not displaying final frame (Michael Ellerman) \n- HID: logitech-dj: add support for the new lightspeed connection iteration (Filipe Lains) \n- powerpc/perf: Record counter overflow always if SAMPLE_IP is unset (Athira Rajeev) \n- powerpc: improve handling of unrecoverable system reset (Nicholas Piggin) \n- spi: stm32: make spurious and overrun interrupts visible (Alain Volmat) \n- powerpc/pci: Add ppc_md.discover_phbs() (Oliver OHalloran) \n- Platform: OLPC: Fix probe error handling (Lubomir Rintel) \n- mmc: mediatek: fix race condition between msdc_request_timeout and irq (Chaotian Jing) \n- mmc: mxs-mmc: Fix a resource leak in an error handling path in mxs_mmc_probe() (Christophe JAILLET) \n- udf: fix silent AED tagLocation corruption (Steven J. 
Magnani) \n- i2c: rcar: optimize cacheline to minimize HW race condition (Wolfram Sang) \n- i2c: rcar: faster irq code to minimize HW race condition (Wolfram Sang) \n- net: phy: fix save wrong speed and duplex problem if autoneg is on (Guangbin Huang) \n- net: enetc: initialize RFS/RSS memories for unused ports too (Vladimir Oltean) \n- net: hns3: fix error mask definition of flow director (Jian Shen) \n- media: rc: compile rc-cec.c into rc-core (Hans Verkuil) \n- media: v4l: vsp1: Fix bru null pointer access (Biju Das) \n- media: v4l: vsp1: Fix uif null pointer access (Biju Das) \n- media: usbtv: Fix deadlock on suspend (Maxim Mikityanskiy) \n- sh_eth: fix TRSCER mask for R7S9210 (Sergey Shtylyov) \n- qxl: Fix uninitialised struct field head.surface_id (Colin Ian King) \n- s390/crypto: return -EFAULT if copy_to_user() fails (Wang Qing) \n- s390/cio: return -EFAULT if copy_to_user() fails (Eric Farman) \n- drm: meson_drv add shutdown function (Artem Lapkin) \n- drm/shmem-helper: Dont remove the offset in vm_area_struct pgoff (Neil Roberts) \n- drm/shmem-helper: Check for purged buffers in fault handler (Neil Roberts) \n- drm/compat: Clear bounce structures (Daniel Vetter) \n- bnxt_en: reliably allocate IRQ table on reset to avoid crash (Edwin Peer) \n- s390/cio: return -EFAULT if copy_to_user() fails again (Wang Qing) \n- net: hns3: fix bug when calculating the TCAM table info (Jian Shen) \n- net: hns3: fix query vlan mask value error for flow director (Jian Shen) \n- perf traceevent: Ensure read cmdlines are null terminated. 
(Ian Rogers) \n- selftests: forwarding: Fix race condition in mirror installation (Danielle Ratson) \n- net: stmmac: fix watchdog timeout during suspend/resume stress test (Joakim Zhang) \n- net: stmmac: stop each tx channel independently (Joakim Zhang) \n- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (Antony Antony) \n- net: qrtr: fix error return code of qrtr_sendmsg() (Jia-Ju Bai) \n- net: davicom: Fix regulator not turned off on driver removal (Paul Cercueil) \n- net: davicom: Fix regulator not turned off on failed probe (Paul Cercueil) \n- net: lapbether: Remove netif_start_queue / netif_stop_queue (Xie He) \n- netdevsim: init u64 stats for 32bit hardware (Hillf Danton) \n- net: usb: qmi_wwan: allow qmimux add/del with master up (Daniele Palmas) \n- net: sched: avoid duplicates in classes dump (Maximilian Heyne) \n- nexthop: Do not flush blackhole nexthops when loopback goes down (Ido Schimmel) \n- net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 (Ong Boon Leong) \n- net/mlx4_en: update moderation when config reset (Kevin(Yudong) Yang) \n- net: enetc: dont overwrite the RSS indirection table when initializing (Vladimir Oltean) \n- Revert mm, slub: consider rest of partial list if acquire_slab() fails (Linus Torvalds) \n- cifs: return proper error code in statfs(2) (Paulo Alcantara) \n- mount: fix mounting of detached mounts onto targets that reside on shared mounts (Christian Brauner) \n- powerpc/603: Fix protection of user pages mapped with PROT_NONE (Christophe Leroy) \n- mt76: dma: do not report truncated frames to mac80211 (Lorenzo Bianconi) \n- ibmvnic: always store valid MAC address (Jiri Wiesner) \n- samples, bpf: Add missing munmap in xdpsock (Maciej Fijalkowski) \n- selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (Yauheni Kaliuta) \n- selftests/bpf: No need to drop the packet when there is no geneve opt (Hangbin Liu) \n- netfilter: x_tables: gpf inside xt_find_revision() (Vasily 
Averin) \n- netfilter: nf_nat: undo erroneous tcp edemux lookup (Florian Westphal) \n- tcp: add sanity tests to TCP_QUEUE_SEQ (Eric Dumazet) \n- can: tcan4x5x: tcan4x5x_init(): fix initialization - clear MRAM before entering Normal Mode (Torin Cooper-Bennun) \n- can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (Joakim Zhang) \n- can: flexcan: enable RX FIFO after FRZ/HALT valid (Joakim Zhang) \n- can: flexcan: assert FRZ bit in flexcan_chip_freeze() (Joakim Zhang) \n- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (Oleksij Rempel) \n- sh_eth: fix TRSCER mask for SH771x (Sergey Shtylyov) \n- net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 (Balazs Nemeth) \n- net: check if protocol extracted by virtio_net_hdr_set_proto is correct (Balazs Nemeth) \n- net: Fix gro aggregation for udp encaps with zero csum (Daniel Borkmann) \n- ath9k: fix transmitting to stations in dynamic SMPS mode (Felix Fietkau) \n- ethernet: alx: fix order of calls on resume (Jakub Kicinski) \n- powerpc/pseries: Dont enforce MSI affinity with kdump (Greg Kurz) \n- uapi: nfnetlink_cthelper.h: fix userspace compilation error (Dmitry V. Levin) \n- LTS tag: v5.4.105 (Jack Vogel) \n- nvme-pci: add quirks for Lexar 256GB SSD (Pascal Terjan) \n- nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST. (Julian Einwag) \n- HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (Hans de Goede) \n- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (Jisheng Zhang) \n- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (AngeloGioacchino Del Regno) \n- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (Aswath Govindraju) \n- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (Bjorn Helgaas) \n- ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (Chris Chiu) \n- ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (Jasper St. 
Pierre) \n- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (Daniel Lee Kruse) \n- HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (Ethan Warth) \n- platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (Hans de Goede) \n- platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (Hans de Goede) \n- platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (Hans de Goede) \n- platform/x86: acer-wmi: Add new force_caps module parameter (Hans de Goede) \n- platform/x86: acer-wmi: Cleanup accelerometer device handling (Hans de Goede) \n- platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (Hans de Goede) \n- mwifiex: pcie: skip cancel_work_sync() on reset failure path (Tsuchiya Yuto) \n- iommu/amd: Fix sleeping in atomic in increase_address_space() (Andrey Ryabinin) \n- ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (Hans de Goede) \n- dm table: fix zoned iterate_devices based device capability checks (Jeffle Xu) \n- dm table: fix DAX iterate_devices based device capability checks (Jeffle Xu) \n- dm table: fix iterate_devices based device capability checks (Jeffle Xu) \n- net: dsa: add GRO support via gro_cells (Alexander Lobakin) \n- LTS tag: v5.4.104 (Jack Vogel) \n- r8169: fix resuming from suspend on RTL8105e if machine runs on battery (Heiner Kallweit) \n- rsxx: Return -EFAULT if copy_to_user() fails (Dan Carpenter) \n- ftrace: Have recordmcount use w8 to read relp-\u003er_info in arm64_is_fake_mcount (Chen Jun) \n- ALSA: hda: intel-nhlt: verify config type (Pierre-Louis Bossart) \n- IB/mlx5: Add missing error code (YueHaibing) \n- RDMA/rxe: Fix missing kconfig dependency on CRYPTO (Julian Braha) \n- ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits (Colin Ian King) \n- usbip: tools: fix build error for multiple definition (Antonio Borneo) \n- crypto - shash: reduce minimum alignment of shash_desc structure (Ard 
Biesheuvel) \n- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (Timothy E Baldwin) \n- drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (Kevin Wang) \n- dm verity: fix FEC for RS roots unaligned to block size (Milan Broz) \n- dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size (Mikulas Patocka) \n- PM: runtime: Update device status before letting suppliers suspend (Rafael J. Wysocki) \n- btrfs: fix warning when creating a directory with smack enabled (Filipe Manana) \n- btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors (Nikolay Borisov) \n- btrfs: free correct amount of space in btrfs_delayed_inode_reserve_metadata (Nikolay Borisov) \n- btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl (Dan Carpenter) \n- btrfs: fix raid6 qstripe kmap (Ira Weiny) \n- btrfs: raid56: simplify tracking of Q stripe presence (David Sterba) \n- tpm, tpm_tis: Decorate tpm_get_timeouts() with request_locality() (Jarkko Sakkinen) \n- tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality() (Lukasz Majczak) \n- LTS tag: v5.4.103 (Jack Vogel) \n- ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board (Takashi Iwai) \n- ALSA: hda/realtek: Add quirk for Intel NUC 10 (Werner Sembach) \n- ALSA: hda/realtek: Add quirk for Clevo NH55RZQ (Eckhart Mohr) \n- media: v4l: ioctl: Fix memory leak in video_usercopy (Sakari Ailus) \n- swap: fix swapfile read/write offset (Jens Axboe) \n- zsmalloc: account the number of compacted pages correctly (Rokudo Yan) \n- xen-netback: respect gnttab_map_refs()s return value (Jan Beulich) \n- Xen/gnttab: handle p2m update errors on a per-slot basis (Jan Beulich) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (Hans de Goede) \n- ASoC: Intel: bytcr_rt5640: 
Add quirk for the Estar Beauty HD MID 7316R tablet (Hans de Goede) \n- sched/features: Fix hrtick reprogramming (Juri Lelli) \n- parisc: Bump 64-bit IRQ stack size to 64 KB (John David Anglin) \n- perf/x86/kvm: Add Cascade Lake Xeon steppings to isolation_ucodes[] (Jim Mattson) \n- btrfs: fix error handling in commit_fs_roots (Josef Bacik) \n- ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (Hans de Goede) \n- nvme-tcp: add clean action for failed reconnection (Chao Leng) \n- nvme-rdma: add clean action for failed reconnection (Chao Leng) \n- nvme-core: add cancel tagset helpers (Chao Leng) \n- f2fs: fix to set/clear I_LINKABLE under i_lock (Chao Yu) \n- f2fs: handle unallocated section and zone on pinned/atgc (Jaegeuk Kim) \n- media: uvcvideo: Allow entities with no pads (Ricardo Ribalda) \n- drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (Nicholas Kazlauskas) \n- PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (Nirmoy Das) \n- drm/amdgpu: Add check to prevent IH overflow (Defang Bo) \n- crypto: tcrypt - avoid signed overflow in byte count (Ard Biesheuvel) \n- drm/hisilicon: Fix use-after-free (Tian Tao) \n- brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (Hans de Goede) \n- brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (Hans de Goede) \n- staging: bcm2835-audio: Replace unsafe strcpy() with strscpy() (Juerg Haefliger) \n- staging: most: sound: add sanity check for function argument (Christian Gromm) \n- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (Gopal Tiwari) \n- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (Fangrui Song) \n- ath10k: fix wmi mgmt tx queue full due to race condition (Miaoqing Pan) \n- pktgen: fix misuse of BUG_ON() in pktgen_thread_worker() (Di Zhu) \n- Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (Claire Chang) \n- wlcore: Fix command execute failure 19 for wl12xx (Tony Lindgren) \n- vt/consolemap: do font 
sum unsigned (Jiri Slaby) \n- x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk (Heiner Kallweit) \n- staging: fwserial: Fix error handling in fwserial_create (Dinghao Liu) \n- rsi: Move card interrupt handling to RX thread (Marek Vasut) \n- rsi: Fix TX EAPOL packet handling against iwlwifi AP (Marek Vasut) \n- drm/virtio: use kvmalloc for large allocations (Sergey Senozhatsky) \n- MIPS: Drop 32-bit asm string functions (Paul Burton) \n- dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/ (Geert Uytterhoeven) \n- dt-bindings: ethernet-controller: fix fixed-link specification (Russell King) \n- net: fix dev_ifsioc_locked() race condition (Cong Wang) \n- net: ag71xx: remove unnecessary MTU reservation (DENG Qingfang) \n- net: bridge: use switchdev for port flags set through sysfs too (Vladimir Oltean) \n- mm/hugetlb.c: fix unnecessary address expansion of pmd sharing (Li Xinhai) \n- nbd: handle device refs for DESTROY_ON_DISCONNECT properly (Josef Bacik) \n- net: fix up truesize of cloned skb in skb_prepare_for_shift() (Marco Elver) \n- smackfs: restrict bytes count in smackfs write functions (Sabyrzhan Tasbolatov) \n- net/af_iucv: remove WARN_ONCE on malformed RX packets (Alexander Egorenkov) \n- xfs: Fix assert failure in xfs_setattr_size() (Yumei Huang) \n- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (Hans Verkuil) \n- erofs: fix shift-out-of-bounds of blkszbits (Gao Xiang) \n- media: mceusb: sanity check for prescaler value (Sean Young) \n- udlfb: Fix memory leak in dlfb_usb_probe (Zqiang) \n- JFS: more checks for invalid superblock (Randy Dunlap) \n- MIPS: VDSO: Use CLANG_FLAGS instead of filtering out --target= (Nathan Chancellor) \n- arm64 module: set plt* section addresses to 0x0 (Shaoying Xu) \n- nvme-pci: fix error unwind in nvme_map_data (Christoph Hellwig) \n- nvme-pci: refactor nvme_unmap_data (Christoph Hellwig) \n- Input: elantech - fix protocol errors for some trackpoints in SMBus mode (jingle.wu) \n- net: usb: 
qmi_wwan: support ZTE P685M modem (Lech Perczak) \n- LTS tag: v5.4.102 (Jack Vogel) \n- ARM: dts: aspeed: Add LCLK to lpc-snoop (John Wang) \n- net: qrtr: Fix memory leak in qrtr_tun_open (Takeshi Misawa) \n- dm era: Update in-core bitset after committing the metadata (Nikos Tsironis) \n- net: sched: fix police ext initialization (Vlad Buslov) \n- net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending (Jason A. Donenfeld) \n- ipv6: silence compilation warning for non-IPV6 builds (Leon Romanovsky) \n- ipv6: icmp6: avoid indirect call for icmpv6_send() (Eric Dumazet) \n- xfrm: interface: use icmp_ndo_send helper (Jason A. Donenfeld) \n- sunvnet: use icmp_ndo_send helper (Jason A. Donenfeld) \n- gtp: use icmp_ndo_send helper (Jason A. Donenfeld) \n- icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n (Jason A. Donenfeld) \n- icmp: introduce helper for natd source address in network device context (Jason A. Donenfeld) \n- drm/i915: Reject 446-480MHz HDMI clock on GLK (Ville Syrjala) \n- dm era: only resize metadata in preresume (Nikos Tsironis) \n- dm era: Reinitialize bitset cache before digesting a new writeset (Nikos Tsironis) \n- dm era: Use correct value size in equality function of writeset tree (Nikos Tsironis) \n- dm era: Fix bitset memory leaks (Nikos Tsironis) \n- dm era: Verify the data block size hasnt changed (Nikos Tsironis) \n- dm era: Recover committed writeset after crash (Nikos Tsironis) \n- dm writecache: fix writing beyond end of underlying device when shrinking (Mikulas Patocka) \n- dm: fix deadlock when swapping to encrypted device (Mikulas Patocka) \n- gfs2: Recursive gfs2_quota_hold in gfs2_iomap_end (Andreas Gruenbacher) \n- gfs2: Dont skip dlm unlock if glock has an lvb (Bob Peterson) \n- spi: spi-synquacer: fix set_cs handling (Masahisa Kojima) \n- sparc32: fix a user-triggerable oops in clear_user() (Al Viro) \n- f2fs: fix out-of-repair __setattr_copy() (Chao Yu) \n- um: mm: check more comprehensively for stub changes 
(Johannes Berg) \n- virtio/s390: implement virtio-ccw revision 2 correctly (Cornelia Huck) \n- s390/vtime: fix inline assembly clobber list (Heiko Carstens) \n- cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available (Chen Yu) \n- printk: fix deadlock when kernel panic (Muchun Song) \n- gpio: pcf857x: Fix missing first interrupt (Maxim Kiselev) \n- spmi: spmi-pmic-arb: Fix hw_irq overflow (Subbaraman Narayanamurthy) \n- powerpc/32s: Add missing call to kuep_lock on syscall entry (Christophe Leroy) \n- mmc: sdhci-esdhc-imx: fix kernel panic when remove module (Frank Li) \n- module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols (Fangrui Song) \n- media: smipcie: fix interrupt handling and IR timeout (Sean Young) \n- arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 (Suzuki K Poulose) \n- hugetlb: fix copy_huge_page_from_user contig page struct assumption (Mike Kravetz) \n- hugetlb: fix update_and_free_page contig page struct assumption (Mike Kravetz) \n- x86: fix seq_file iteration for pat/memtype.c (NeilBrown) \n- seq_file: document how per-entry resources are managed. 
(NeilBrown) \n- fs/affs: release old buffer head on error path (Pan Bian) \n- mtd: spi-nor: hisi-sfc: Put child node np on error path (Pan Bian) \n- mtd: spi-nor: core: Add erase size check for erase command initialization (Takahiro Kuwano) \n- mtd: spi-nor: core: Fix erase type discovery for overlaid region (Takahiro Kuwano) \n- mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region (Takahiro Kuwano) \n- mtd: spi-nor: sfdp: Fix last erase region marking (Takahiro Kuwano) \n- watchdog: mei_wdt: request stop on unregister (Alexander Usyskin) \n- watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ (Sai Prakash Ranjan) \n- arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing (He Zhe) \n- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (qiuguorui1) \n- floppy: reintroduce O_NDELAY fix (Jiri Kosina) \n- rcu/nocb: Perform deferred wake up before last idles need_resched() check (Frederic Weisbecker) \n- rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (Frederic Weisbecker) \n- powerpc/prom: Fix ibm,arch-vec-5-platform-support scan (Cedric Le Goater) \n- x86/reboot: Force all cpus to exit VMX root if VMX is supported (Sean Christopherson) \n- x86/virt: Eat faults on VMXOFF in reboot flows (Sean Christopherson) \n- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (Pavel Machek) \n- staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table (Martin Kaiser) \n- staging: gdm724x: Fix DMA from stack (Amey Narkhede) \n- staging/mt7621-dma: mtk-hsdma.c-\u003ehsdma-mt7621.c (Ilya Lipnitskiy) \n- dts64: mt7622: fix slow sd card access (Frank Wunderlich) \n- pstore: Fix typo in compression option name (Jiri Bohac) \n- drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue (Sabyrzhan Tasbolatov) \n- misc: rtsx: init of rts522a add OCP power off when no card is present (Ricky Wu) \n- seccomp: Add missing return in non-void function (Paul Cercueil) \n- crypto: sun4i-ss 
- initialize need_fallback (Corentin Labbe) \n- crypto: sun4i-ss - handle BigEndian for cipher (Corentin Labbe) \n- crypto: sun4i-ss - checking sg length is not sufficient (Corentin Labbe) \n- crypto: aesni - prevent misaligned buffers on the stack (Ard Biesheuvel) \n- crypto: arm64/sha - add missing module aliases (Ard Biesheuvel) \n- btrfs: fix extent buffer leak on failure to copy root (Filipe Manana) \n- btrfs: splice remaining dirty_bgs onto the transaction dirty bg list (Josef Bacik) \n- btrfs: fix reloc root leak with 0 ref reloc roots on recovery (Josef Bacik) \n- btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (Josef Bacik) \n- KEYS: trusted: Fix migratable=1 failing (Jarkko Sakkinen) \n- tpm_tis: Clean up locality release (James Bottomley) \n- tpm_tis: Fix check_locality for correct locality acquisition (James Bottomley) \n- erofs: initialized fields can only be observed after bit is set (Gao Xiang) \n- drm/sched: Cancel and flush all outstanding jobs before finish. 
(Andrey Grodzovsky) \n- drm/nouveau/kms: handle mDP connectors (Karol Herbst) \n- drm/amdgpu: Set reference clock to 100Mhz on Renoir (v2) (Alex Deucher) \n- drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1 (Rodrigo Siqueira) \n- bcache: Move journal work to new flush wq (Kai Krakow) \n- bcache: Give btree_io_wq correct semantics again (Kai Krakow) \n- Revert bcache: Kill btree_io_wq (Kai Krakow) \n- ALSA: hda/realtek: modify EAPD in the ALC886 (PeiSen Hou) \n- ALSA: hda: Add another CometLake-H PCI ID (Kai Vehmanen) \n- USB: serial: mos7720: fix error code in mos7720_write() (Dan Carpenter) \n- USB: serial: mos7840: fix error code in mos7840_write() (Dan Carpenter) \n- USB: serial: ftdi_sio: fix FTX sub-integer prescaler (Johan Hovold) \n- usb: dwc3: gadget: Fix dep-\u003einterval for fullspeed interrupt (Thinh Nguyen) \n- usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 (Thinh Nguyen) \n- usb: musb: Fix runtime PM race in musb_queue_resume_work (Paul Cercueil) \n- USB: serial: option: update interface mapping for ZTE P685M (Lech Perczak) \n- media: mceusb: Fix potential out-of-bounds shift (James Reynolds) \n- Input: i8042 - add ASUS Zenbook Flip to noselftest list (Marcos Paulo de Souza) \n- Input: joydev - prevent potential read overflow in ioctl (Dan Carpenter) \n- Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S (Olivier Crete) \n- Input: raydium_ts_i2c - do not send zero length (jeffrey.lin) \n- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (Jason Gerecke) \n- HID: logitech-dj: add support for keyboard events in eQUAD step 4 Gaming (Filipe Lains) \n- ACPI: configfs: add missing check after configfs_register_default_group() (Qinglang Miao) \n- ACPI: property: Fix fwnode string properties matching (Rafael J. 
Wysocki) \n- blk-settings: align max_sectors on logical_block_size boundary (Mikulas Patocka) \n- scsi: bnx2fc: Fix Kconfig warning \u0026 CNIC build errors (Randy Dunlap) \n- mm/rmap: fix potential pte_unmap on an not mapped pte (Miaohe Lin) \n- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (Maxime Ripard) \n- arm64: Add missing ISB after invalidating TLB in __primary_switch (Marc Zyngier) \n- r8169: fix jumbo packet handling on RTL8168e (Heiner Kallweit) \n- mm/compaction: fix misbehaviors of fast_find_migrateblock() (Wonhyuk Yang) \n- mm/hugetlb: fix potential double free in hugetlb_register_node() error path (Miaohe Lin) \n- mm/memory.c: fix potential pte_unmap_unlock pte error (Miaohe Lin) \n- ocfs2: fix a use after free on error (Dan Carpenter) \n- vxlan: move debug check after netdev unregister (Taehee Yoo) \n- net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (Chuhong Yuan) \n- vfio/type1: Use follow_pte() (Alex Williamson) \n- i40e: Fix add TC filter for IPv6 (Mateusz Palczewski) \n- i40e: Fix VFs not created (Sylwester Dziedziuch) \n- i40e: Fix addition of RX filters after enabling FW LLDP agent (Mateusz Palczewski) \n- i40e: Fix overwriting flow control settings during driver loading (Mateusz Palczewski) \n- i40e: Add zero-initialization of AQ command structures (Mateusz Palczewski) \n- i40e: Fix flow for IPv6 next header (extension header) (Slawomir Laba) \n- regmap: sdw: use _no_pm functions in regmap_read/write (Bard Liao) \n- nvmem: core: skip child nodes not matching binding (Ahmad Fatoum) \n- nvmem: core: Fix a resource leak on error in nvmem_add_cells_from_of() (Dan Carpenter) \n- ext4: fix potential htree index checksum corruption (Theodore Tso) \n- vfio/iommu_type1: Fix some sanity checks in detach group (Keqian Zhu) \n- drm/msm/mdp5: Fix wait-for-commit for cmd panels (Iskren Chernev) \n- drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) (Konrad Dybcio) \n- mei: hbm: call mei_set_devstate() on hbm stop response (Alexander Usyskin) \n- 
PCI: Align checking of syscall user config accessors (Heiner Kallweit) \n- VMCI: Use set_page_dirty_lock() when unregistering guest memory (Jorgen Hansen) \n- pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() (Simon South) \n- soundwire: cadence: fix ACK/NAK handling (Pierre-Louis Bossart) \n- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (Aswath Govindraju) \n- phy: rockchip-emmc: emmc_phy_init() always return 0 (Chris Ruehl) \n- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (Aswath Govindraju) \n- sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set (Randy Dunlap) \n- Input: elo - fix an error code in elo_connect() (Dan Carpenter) \n- perf test: Fix unaligned access in sample parsing test (Namhyung Kim) \n- perf intel-pt: Fix premature IPC (Adrian Hunter) \n- perf intel-pt: Fix missing CYC processing in PSB (Adrian Hunter) \n- Input: sur40 - fix an error code in sur40_probe() (Dan Carpenter) \n- RDMA/hns: Fixes missing error code of CMDQ (Lang Cheng) \n- nfsd: register pernet ops last, unregister first (J. 
Bruce Fields) \n- clk: aspeed: Fix APLL calculate formula from ast2600-A2 (Ryan Chen) \n- regulator: qcom-rpmh: fix pm8009 ldo7 (Jonathan Marek) \n- spi: pxa2xx: Fix the controller numbering for Wildcat Point (Andy Shevchenko) \n- RDMA/hns: Fix type of sq_signal_bits (Weihang Li) \n- RDMA/siw: Fix calculation of tx_valid_cpus size (Kamal Heib) \n- RDMA/hns: Fixed wrong judgments in the goto branch (Wenpeng Liang) \n- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (AngeloGioacchino Del Regno) \n- powerpc/8xx: Fix software emulation interrupt (Christophe Leroy) \n- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (Nathan Lynch) \n- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (Dan Carpenter) \n- spi: stm32: properly handle 0 byte transfer (Alain Volmat) \n- RDMA/rxe: Correct skb on loopback path (Bob Pearson) \n- RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (Bob Pearson) \n- RDMA/rxe: Fix coding error in rxe_recv.c (Bob Pearson) \n- perf vendor events arm64: Fix Ampere eMag event typo (John Garry) \n- perf tools: Fix DSO filtering when not finding a map for a sampled address (Arnaldo Carvalho de Melo) \n- tracepoint: Do not fail unregistering a probe due to memory failure (Steven Rostedt (VMware)) \n- IB/cm: Avoid a loop when device has 255 ports (Parav Pandit) \n- IB/mlx5: Return appropriate error code instead of ENOMEM (Parav Pandit) \n- amba: Fix resource leak for drivers without .remove (Uwe Kleine-Konig) \n- i2c: qcom-geni: Store DMA mapping data in geni_i2c_dev struct (Roja Rani Yarubandi) \n- ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores (Vladimir Murzin) \n- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (Takeshi Saito) \n- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (Christophe JAILLET) \n- mmc: sdhci-sprd: Fix some resource leaks in the remove function (Christophe JAILLET) \n- powerpc/47x: Disable 256k page size 
(Christophe Leroy) \n- KVM: PPC: Make the VMX instruction emulation routines static (Cedric Le Goater) \n- IB/umad: Return EPOLLERR in case of when device disassociated (Shay Drory) \n- IB/umad: Return EIO in case of when device disassociated (Shay Drory) \n- objtool: Fix .cold section suffix check for newer versions of GCC (Josh Poimboeuf) \n- objtool: Fix error handling for STD/CLD warnings (Josh Poimboeuf) \n- auxdisplay: ht16k33: Fix refresh rate handling (Geert Uytterhoeven) \n- isofs: release buffer head before return (Pan Bian) \n- regulator: core: Avoid debugfs: Directory ... already present! error (Hans de Goede) \n- regulator: s5m8767: Drop regulators OF node reference (Krzysztof Kozlowski) \n- spi: atmel: Put allocated master before return (Pan Bian) \n- regulator: s5m8767: Fix reference count leak (Pan Bian) \n- certs: Fix blacklist flag type confusion (David Howells) \n- regulator: axp20x: Fix reference cout leak (Pan Bian) \n- clk: sunxi-ng: h6: Fix clock divider range on some clocks (Andre Przywara) \n- RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (Yishai Hadas) \n- clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined (Tom Rix) \n- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (Arnd Bergmann) \n- rtc: s5m: select REGMAP_I2C (Bartosz Golaszewski) \n- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (Claudiu Beznea) \n- of/fdt: Make sure no-map does not remove already reserved regions (Nicolas Boichat) \n- fdt: Properly handle no-map field in the memory region (KarimAllah Ahmed) \n- mfd: bd9571mwv: Use devm_mfd_add_devices() (Yoshihiro Shimoda) \n- dmaengine: hsu: disable spurious interrupt (Ferry Toth) \n- dmaengine: owl-dma: Fix a resource leak in the remove function (Christophe JAILLET) \n- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (Christophe JAILLET) \n- dmaengine: fsldma: Fix a resource leak in the remove function (Christophe JAILLET) \n- RDMA/siw: Fix 
handling of zero-sized Read and Receive Queues. (Bernard Metzler) \n- HID: core: detect and skip invalid inputs to snto32() (Randy Dunlap) \n- clk: sunxi-ng: h6: Fix CEC clock (Andre Przywara) \n- spi: cadence-quadspi: Abort read if dummy cycles required are too many (Pratyush Yadav) \n- i2c: iproc: handle master read request (Rayagonda Kokatanur) \n- i2c: iproc: update slave isr mask (ISR_MASK_SLAVE) (Rayagonda Kokatanur) \n- i2c: iproc: handle only slave interrupts which are enabled (Rayagonda Kokatanur) \n- quota: Fix memory leak when handling corrupted quota file (Jan Kara) \n- selftests/powerpc: Make the test check in eeh-basic.sh posix compliant (Po-Hsu Lin) \n- clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (Martin Blumenstingl) \n- clk: meson: clk-pll: make ret a signed integer (Martin Blumenstingl) \n- clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (Martin Blumenstingl) \n- HSI: Fix PM usage counter unbalance in ssi_hw_init (Zhang Qilong) \n- capabilities: Dont allow writing ambiguous v3 file capabilities (Eric W. 
Biederman) \n- ubifs: Fix error return code in alloc_wbufs() (Wang ShaoBo) \n- ubifs: Fix memleak in ubifs_init_authentication (Dinghao Liu) \n- jffs2: fix use after free in jffs2_sum_write_data() (Tom Rix) \n- fs/jfs: fix potential integer overflow on shift of a int (Colin Ian King) \n- ASoC: simple-card-utils: Fix device module clock (Sameer Pujar) \n- ima: Free IMA measurement buffer after kexec syscall (Lakshmi Ramasubramanian) \n- ima: Free IMA measurement buffer on error (Lakshmi Ramasubramanian) \n- crypto: ecdh_helper - Ensure len \u003e= secret.len in decode_key() (Daniele Alessandrelli) \n- hwrng: timeriomem - Fix cooldown period calculation (Jan Henrik Weinstock) \n- btrfs: clarify error returns values in __load_free_space_cache (Zhihao Cheng) \n- ASoC: SOF: debug: Fix a potential issue on string buffer termination (Hui Wang) \n- Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (Andrea Parri (Microsoft)) \n- f2fs: fix a wrong condition in __submit_bio (Dehe Gu) \n- drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() (Dan Carpenter) \n- f2fs: fix to avoid inconsistent quota data (Yi Chen) \n- mtd: parsers: afs: Fix freeing the part name memory in failure (Manivannan Sadhasivam) \n- ASoC: cpcap: fix microphone timeslot mask (Sebastian Reichel) \n- ata: ahci_brcm: Add back regulators management (Florian Fainelli) \n- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (Christophe Leroy) \n- mtd: parser: imagetag: fix error codes in bcm963xx_parse_imagetag_partitions() (Dan Carpenter) \n- sched/eas: Dont update misfit status if the task is pinned (Qais Yousef) \n- media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values (Laurent Pinchart) \n- media: pxa_camera: declare variable when DEBUG is defined (Tom Rix) \n- media: cx25821: Fix a bug when reallocating some dma memory (Christophe JAILLET) \n- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (Luo Meng) \n- media: lmedm04: Fix misuse of 
comma (Joe Perches) \n- media: software_node: Fix refcounts in software_node_get_next_child() (Daniel Scally) \n- drm/amd/display: Fix HDMI deep color output for DCE 6-11. (Mario Kleiner) \n- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction. (Mario Kleiner) \n- bsg: free the request before return error code (Pan Bian) \n- MIPS: properly stop .eh_frame generation (Alexander Lobakin) \n- drm/sun4i: tcon: fix inverted DCLK polarity (Giulio Benetti) \n- crypto: bcm - Rename struct device_private to bcm_device_private (Jiri Olsa) \n- evm: Fix memleak in init_desc (Dinghao Liu) \n- ASoC: cs42l56: fix up error handling in probe (Dan Carpenter) \n- media: aspeed: fix error return code in aspeed_video_setup_video() (Zhang Changzhong) \n- media: tm6000: Fix memleak in tm6000_start_stream (Dinghao Liu) \n- media: media/pci: Fix memleak in empress_init (Dinghao Liu) \n- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (Dinghao Liu) \n- media: vsp1: Fix an error handling path in the probe function (Christophe JAILLET) \n- media: camss: missing error code in msm_video_register() (Dan Carpenter) \n- media: imx: Fix csc/scaler unregister (Ezequiel Garcia) \n- media: imx: Unregister csc/scaler only if registered (Ezequiel Garcia) \n- media: i2c: ov5670: Fix PIXEL_RATE minimum value (Jacopo Mondi) \n- MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 (Nathan Chancellor) \n- MIPS: c-r4k: Fix section mismatch for loongson2_sc_init (Nathan Chancellor) \n- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (Chenyang Li) \n- crypto: arm64/aes-ce - really hide slower algos when faster ones are enabled (Ard Biesheuvel) \n- crypto: sun4i-ss - fix kmap usage (Corentin Labbe) \n- crypto: sun4i-ss - linearize buffers content must be kept (Corentin Labbe) \n- drm/fb-helper: Add missed unlocks in setcmap_legacy() (Chuhong Yuan) \n- gma500: clean up error handling in init (Dan Carpenter) \n- drm/gma500: Fix error return code in 
psb_driver_load() (Jialin Zhang) \n- fbdev: aty: SPARC64 requires FB_ATY_CT (Randy Dunlap) \n- net: mvneta: Remove per-cpu queue mapping for Armada 3700 (Maxime Chevallier) \n- net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP (Shyam Sundar S K) \n- net: amd-xgbe: Reset link when the link never comes back (Shyam Sundar S K) \n- net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning (Shyam Sundar S K) \n- net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout (Shyam Sundar S K) \n- ibmvnic: skip send_request_unmap for timeout reset (Lijun Pan) \n- ibmvnic: add memory barrier to protect long term buffer (Lijun Pan) \n- b43: N-PHY: Fix the update of coef for the PHY revision \u003e= 3case (Colin Ian King) \n- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (Ayush Sawal) \n- net: axienet: Handle deferred probe on clock properly (Robert Hancock) \n- tcp: fix SO_RCVLOWAT related hangs under mem pressure (Eric Dumazet) \n- bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx (Jesper Dangaard Brouer) \n- mac80211: fix potential overflow when multiplying to u32 integers (Colin Ian King) \n- xen/netback: fix spurious event detection for common event case (Juergen Gross) \n- bnxt_en: reverse order of TX disable and carrier off (Edwin Peer) \n- ibmvnic: Set to CLOSED state even on error (Sukadev Bhattiprolu) \n- ath9k: fix data bus crash when setting nf_override via debugfs (Linus Lussing) \n- bpf_lru_list: Read double-checked variable once without lock (Marco Elver) \n- soc: aspeed: snoop: Add clock control logic (Jae Hyun Yoo) \n- ARM: s3c: fix fiq for clang IAS (Arnd Bergmann) \n- arm64: dts: msm8916: Fix reserved and rfsa nodes unit address (Vincent Knecht) \n- Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (Jupeng Zhong) \n- arm64: dts: armada-3720-turris-mox: rename u-boot mtd partition to a53-firmware (Marek Behun) \n- ARM: dts: armada388-helios4: assign pinctrl to each fan (Rosen 
Penev) \n- ARM: dts: armada388-helios4: assign pinctrl to LEDs (Rosen Penev) \n- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (Chen-Yu Tsai) \n- usb: dwc2: Make trimming xfer length a debug message (Guenter Roeck) \n- usb: dwc2: Abort transaction after errors with unknown reason (Guenter Roeck) \n- usb: dwc2: Do not update data length if it is 0 on inbound transfers (Guenter Roeck) \n- ARM: dts: Configure missing thermal interrupt for 4430 (Tony Lindgren) \n- memory: ti-aemif: Drop child node when jumping out loop (Pan Bian) \n- Bluetooth: Put HCI device if inquiry procedure interrupts (Pan Bian) \n- Bluetooth: drop HCI device reference before return (Pan Bian) \n- usb: gadget: u_audio: Free requests only after callback (Jack Pham) \n- ACPICA: Fix exception code class checks (Maximilian Luz) \n- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in -\u003eremove() (Christophe JAILLET) \n- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (Christophe JAILLET) \n- arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz (Andre Przywara) \n- arm64: dts: allwinner: H6: Allow up to 150 MHz MMC bus frequency (Andre Przywara) \n- arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card (Andre Przywara) \n- arm64: dts: allwinner: H6: properly connect USB PHY to port 0 (Andre Przywara) \n- arm64: dts: allwinner: A64: properly connect USB PHY to port 0 (Andre Przywara) \n- bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (Andrii Nakryiko) \n- bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h (Andrii Nakryiko) \n- memory: mtk-smi: Fix PM usage counter unbalance in mtk_smi ops (Zhang Qilong) \n- arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso (Krzysztof Kozlowski) \n- arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family (Krzysztof Kozlowski) \n- ARM: dts: 
exynos: correct PMIC interrupt trigger level on Arndale Octa (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Spring (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Monk (Krzysztof Kozlowski) \n- ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 (Krzysztof Kozlowski) \n- Bluetooth: Fix initializing response id after clearing struct (Christopher William Snowhill) \n- Bluetooth: hci_uart: Fix a race for write_work scheduling (Claire Chang) \n- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (Christophe JAILLET) \n- ath10k: Fix error handling in case of CE pipe init failure (Rakesh Pillai) \n- random: fix the RNDRESEEDCRNG ioctl (Eric Biggers) \n- MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section (Alexander Lobakin) \n- ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (Takashi Iwai) \n- bfq: Avoid false bfq queue merging (Jan Kara) \n- virt: vbox: Do not use wait_event_interruptible when called from kernel context (Hans de Goede) \n- PCI: Decline to resize resources if boot config must be preserved (Ard Biesheuvel) \n- PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 (Ansuel Smith) \n- kdb: Make memory allocations more robust (Sumit Garg) \n- debugfs: do not attempt to create a new file before the filesystem is initalized (Greg Kroah-Hartman) \n- debugfs: be more robust at handling improper input in debugfs_lookup() (Greg Kroah-Hartman) \n- vmlinux.lds.h: add DWARF v5 sections (Nick Desaulniers) \n- x86/mce: Add Xeon Sapphire Rapids to list of CPUs that support PPIN (Tony Luck) [Orabug: 32978709] \n- x86/mce: Add Xeon Icelake to list of CPUs that support PPIN (Tony Luck) [Orabug: 32978709] \n- ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() (Rafael J. 
Wysocki) [Orabug: 32977864] \n- ACPI: tables: x86: Reserve memory occupied by ACPI tables (Rafael J. Wysocki) [Orabug: 32977864] \n- uek-rpm: update kABI lists for a new symbol (Saeed Mirzamohammadi) [Orabug: 32977531] \n- x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing (Thomas Gleixner) [Orabug: 32969739] \n- bluetooth: eliminate the potential race condition when removing the HCI controller (Lin Ma) [Orabug: 32912033] {CVE-2021-32399}", + "Description": "[5.4.17-2102.203.5]\n- rds/ib: move rds_ib_clear_irq_miss() to .h ...", "Platform": [ "Oracle Linux 7", "Oracle Linux 8" From d6c0edd48f933a65f696712eaf7a4287425cc6ca Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 12:30:23 +0600 Subject: [PATCH 10/16] refactor: --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 4d3f9dd8..e2d12043 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -126,7 +126,7 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { } advisories := map[Package]types.Advisories{} - affectedPkgs := walkOracle(oval.Criteria, "", "", []AffectedPackage{}) + affectedPkgs := walkOracle(oval.Criteria, "", []AffectedPackage{}) for _, affectedPkg := range affectedPkgs { if affectedPkg.Package.Name == "" { continue @@ -302,7 +302,7 @@ func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) { return advisories, nil } -func walkOracle(cri Criteria, osVer, arch string, pkgs []AffectedPackage) []AffectedPackage { +func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPackage { for _, c := range cri.Criterions { if strings.HasPrefix(c.Comment, "Oracle Linux ") && strings.HasSuffix(c.Comment, " is installed") { 
@@ -323,7 +323,7 @@ func walkOracle(cri Criteria, osVer, arch string, pkgs []AffectedPackage) []Affe } for _, c := range cri.Criterias { - pkgs = walkOracle(c, osVer, arch, pkgs) + pkgs = walkOracle(c, osVer, pkgs) } return pkgs } From 695da90df40bb995f982172f997d0348229bc868 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 15:31:19 +0600 Subject: [PATCH 11/16] fix: update Get function --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 30 ++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index e2d12043..afe782f5 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -295,10 +295,36 @@ func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error { func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) { bucket := fmt.Sprintf(platformFormat, release) - advisories, err := o.GetAdvisories(bucket, pkgName) + rawAdvisories, err := o.ForEachAdvisory([]string{bucket}, pkgName) if err != nil { - return nil, xerrors.Errorf("failed to get Oracle Linux advisories: %w", err) + return nil, xerrors.Errorf("unable to iterate advisories: %w", err) } + var advisories []types.Advisory + for vulnID, v := range rawAdvisories { + var adv types.Advisories + if err = json.Unmarshal(v.Content, &adv); err != nil { + return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err) + } + + // For backward compatibility + // The old trivy-db has no entries, but has fixed versions and custom fields. + if len(adv.Entries) == 0 { + advisories = append(advisories, types.Advisory{ + VulnerabilityID: vulnID, + FixedVersion: adv.FixedVersion, + DataSource: &v.Source, + Custom: adv.Custom, + }) + continue + } + + for _, entry := range adv.Entries { + entry.VulnerabilityID = vulnID + entry.DataSource = &v.Source + advisories = append(advisories, entry) + } + } + return advisories, nil } 
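Review bot: The slice returned by `Get` has no deterministic order if `rawAdvisories` is a map, which the `for vulnID, v := range rawAdvisories` loop with a string key suggests, because Go randomises map iteration order. The later patch in this series that changes `vulnsrctest.TestGet` from `assert.ElementsMatch` to `assert.Equal` makes that order part of the tested contract, so a package with more than one advisory key can fail intermittently. A stable sort before the return fixes the order across IDs while keeping the entry order within one ID: `sort.SliceStable(advisories, func(i, j int) bool { return advisories[i].VulnerabilityID < advisories[j].VulnerabilityID })` (this needs the `sort` import if the file lacks it). Separately, `&v.Source` takes the address of a field of the range variable, so on a toolchain older than Go 1.22 every returned `DataSource` would point at the same value. A per-iteration copy such as `src := v.Source` is safer unless the module is known to build with Go 1.22 or later.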
From cd9870867e373a1630840afb5c71018b51119435 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 15:31:37 +0600 Subject: [PATCH 12/16] test: update/add tests --- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 50 ++++++++++++++++++- .../testdata/fixtures/data-source.yaml | 7 +++ .../oracle-oval/testdata/fixtures/happy.yaml | 3 +- .../testdata/fixtures/multiple-elsas.yaml | 32 ------------ .../testdata/fixtures/multiple-versions.yaml | 10 ++++ .../oracle-oval/testdata/fixtures/old.yaml | 7 +++ pkg/vulnsrctest/vulnsrctest.go | 2 +- 7 files changed, 75 insertions(+), 36 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml delete mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-versions.yaml create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 7d935c29..edfb76e6 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
@@ -499,13 +499,61 @@ func TestVulnSrc_Get(t *testing.T) { }{ { name: "happy path", - fixtures: []string{"testdata/fixtures/happy.yaml"}, + fixtures: []string{"testdata/fixtures/happy.yaml", "testdata/fixtures/data-source.yaml"}, + version: "8", + pkgName: "bind", + want: []types.Advisory{ + { + VulnerabilityID: "ELSA-2019-1145", + FixedVersion: "32:9.11.4-17.P2.el8_0", + DataSource: &types.DataSource{ + ID: "oracle-oval", + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + }, + { + name: "happy path. Multiple versions for one CVE", + fixtures: []string{"testdata/fixtures/multiple-versions.yaml", "testdata/fixtures/data-source.yaml"}, + version: "8", + pkgName: "gnutls", + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2021-20232", + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + DataSource: &types.DataSource{ + ID: "oracle-oval", + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + { + VulnerabilityID: "CVE-2021-20232", + FixedVersion: "3.6.16-4.el8", + DataSource: &types.DataSource{ + ID: "oracle-oval", + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + }, + { + name: "happy path. Old trivy-db", + fixtures: []string{"testdata/fixtures/old.yaml", "testdata/fixtures/data-source.yaml"}, version: "8", pkgName: "bind", want: []types.Advisory{ { VulnerabilityID: "ELSA-2019-1145", FixedVersion: "32:9.11.4-17.P2.el8_0", + DataSource: &types.DataSource{ + ID: "oracle-oval", + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, }, }, }, diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml new file mode 100644 index 00000000..7eef13b6 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml 
@@ -0,0 +1,7 @@ +- bucket: data-source + pairs: + - key: Oracle Linux 8 + value: + ID: "oracle-oval" + Name: "Oracle Linux OVAL definitions" + URL: "https://linux.oracle.com/security/oval/" \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml index 2ce57002..8ab7b195 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml @@ -4,7 +4,6 @@ pairs: - key: ELSA-2019-1145 value: + FixedVersion: "32:9.11.4-17.P2.el8_0" Entries: - FixedVersion: "32:9.11.4-17.P2.el8_0" - VendorIDs: - - ELSA-2019-1145 diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml deleted file mode 100644 index e92f0ae8..00000000 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-elsas.yaml +++ /dev/null @@ -1,32 +0,0 @@ -- bucket: Oracle Linux 8 - pairs: - - bucket: gnutls - pairs: - - key: CVE-2021-20232 - value: - Entries: - - FixedVersion: "3.6.16-4.el8" - VendorIDs: - - ELSA-2021-4451 - - FixedVersion: "10:3.6.16-4.0.1.el8_fips" - VendorIDs: - - ELSA-2022-9221 - - key: CVE-2021-3580 - value: - Entries: - - FixedVersion: "3.6.16-4.el8" - VendorIDs: - - ELSA-2021-4451 - - FixedVersion: "10:3.6.16-4.0.1.el8_fips" - VendorIDs: - - ELSA-2022-9221 - - key: CVE-2021-20231 - value: - Entries: - - FixedVersion: "3.6.16-4.el8" - VendorIDs: - - ELSA-2021-4451 - - FixedVersion: "10:3.6.16-4.0.1.el8_fips" - VendorIDs: - - ELSA-2022-9221 - \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-versions.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-versions.yaml new file mode 100644 index 00000000..5418a539 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/multiple-versions.yaml 
@@ -0,0 +1,10 @@ +- bucket: Oracle Linux 8 + pairs: + - bucket: gnutls + pairs: + - key: CVE-2021-20232 + value: + FixedVersion: "3.6.16-4.el8" + Entries: + - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + - FixedVersion: "3.6.16-4.el8" diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml new file mode 100644 index 00000000..05fb8b16 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml @@ -0,0 +1,7 @@ +- bucket: Oracle Linux 8 + pairs: + - bucket: bind + pairs: + - key: ELSA-2019-1145 + value: + FixedVersion: "32:9.11.4-17.P2.el8_0" diff --git a/pkg/vulnsrctest/vulnsrctest.go b/pkg/vulnsrctest/vulnsrctest.go index 949ed446..405ddd9d 100644 --- a/pkg/vulnsrctest/vulnsrctest.go +++ b/pkg/vulnsrctest/vulnsrctest.go @@ -87,5 +87,5 @@ func TestGet(t *testing.T, vulnsrc Getter, args TestGetArgs) { }) assert.NoError(t, err) - assert.ElementsMatch(t, args.WantValues, got) + assert.Equal(t, args.WantValues, got) } From ed3cdbf030cb259c99262dae52b4f17ddcf409b1 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Sat, 2 Nov 2024 16:00:20 +0600 Subject: [PATCH 13/16] refactor: split `ksplice1` and `ksplice2` --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 18 ++++++++++++------ pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 3 +++ 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index afe782f5..1139096a 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go 
@@ -250,15 +250,17 @@ func resolveVersions(vers []string) (string, []string) { type PkgFlavor string const ( - NormalPackageFlavor PkgFlavor = "normal" - FipsPackageFlavor PkgFlavor = "fips" - KsplicePackageFlavor PkgFlavor = "ksplice" + NormalPackageFlavor PkgFlavor = "normal" + FipsPackageFlavor PkgFlavor = "fips" + Ksplice1PackageFlavor PkgFlavor = "ksplice1" + Ksplice2PackageFlavor PkgFlavor = "ksplice2" ) // PackageFlavor determinants the package "flavor" based on its version string // - normal // - FIPS validated -// - ksplice userspace +// - ksplice1 userspace +// - ksplice2 userspace func PackageFlavor(version string) PkgFlavor { version = strings.ToLower(version) if strings.HasSuffix(version, "_fips") { @@ -267,8 +269,12 @@ func PackageFlavor(version string) PkgFlavor { subs := strings.Split(version, ".") for _, s := range subs { - if strings.HasPrefix(s, "ksplice") { - return KsplicePackageFlavor + if strings.HasPrefix(s, "ksplice1") { + return Ksplice1PackageFlavor + } + + if strings.HasPrefix(s, "ksplice2") { + return Ksplice2PackageFlavor } } return NormalPackageFlavor diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index edfb76e6..360cf3e8 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -380,6 +380,9 @@ func TestVulnSrc_Update(t *testing.T) { Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"}, Value: types.Advisories{ Entries: []types.Advisory{ + { + FixedVersion: "2:2.28-151.0.1.ksplice1.el8", + }, { FixedVersion: "2:2.28-151.0.1.ksplice2.el8", }, From a135499d61b191053c033a5dc22ef2dd24e244b5 Mon Sep 17 00:00:00 2001 
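Review bot: In `PackageFlavor`, a version segment that starts with `ksplice` but not with `ksplice1` or `ksplice2` (a bare `ksplice` tag, or a later generation if one is ever published) now falls through to `NormalPackageFlavor`. The previous `strings.HasPrefix(s, "ksplice")` check classified it as a ksplice build. A ksplice fixed version stored under the normal flavor would then be compared against stock packages, which can make the scanner report a wrong fix status. A generic `strings.HasPrefix(s, "ksplice")` check after the two specific ones would keep such versions out of the normal flavor; which flavor constant it should return is a decision for the maintainers. The doc comment above the function also says "determinants" where "determines" is meant.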
From: DmitriyLewen Date: Tue, 5 Nov 2024 10:46:14 +0600 Subject: [PATCH 14/16] Revert "refactor: split `ksplice1` and `ksplice2`" This reverts commit ed3cdbf030cb259c99262dae52b4f17ddcf409b1. --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 18 ++++++------------ pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 3 --- 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 1139096a..afe782f5 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -250,17 +250,15 @@ func resolveVersions(vers []string) (string, []string) { type PkgFlavor string const ( - NormalPackageFlavor PkgFlavor = "normal" - FipsPackageFlavor PkgFlavor = "fips" - Ksplice1PackageFlavor PkgFlavor = "ksplice1" - Ksplice2PackageFlavor PkgFlavor = "ksplice2" + NormalPackageFlavor PkgFlavor = "normal" + FipsPackageFlavor PkgFlavor = "fips" + KsplicePackageFlavor PkgFlavor = "ksplice" ) // PackageFlavor determinants the package "flavor" based on its version string // - normal // - FIPS validated -// - ksplice1 userspace -// - ksplice2 userspace +// - ksplice userspace func PackageFlavor(version string) PkgFlavor { version = strings.ToLower(version) if strings.HasSuffix(version, "_fips") { @@ -269,12 +267,8 @@ func PackageFlavor(version string) PkgFlavor { subs := strings.Split(version, ".") for _, s := range subs { - if strings.HasPrefix(s, "ksplice1") { - return Ksplice1PackageFlavor - } - - if strings.HasPrefix(s, "ksplice2") { - return Ksplice2PackageFlavor + if strings.HasPrefix(s, "ksplice") { + return KsplicePackageFlavor } } return NormalPackageFlavor diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 360cf3e8..edfb76e6 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
@@ -380,9 +380,6 @@ func TestVulnSrc_Update(t *testing.T) {
 Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"},
 Value: types.Advisories{
 Entries: []types.Advisory{
- {
- FixedVersion: "2:2.28-151.0.1.ksplice1.el8",
- },
 {
 FixedVersion: "2:2.28-151.0.1.ksplice2.el8",
 },
From cb14132c0558fc680363299730dd9638e47bea84 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 19 Nov 2024 14:10:37 +0600
Subject: [PATCH 15/16] refactor: use `ksplice1`/`fips` if normal flavor doesn't exist
---
 pkg/vulnsrc/oracle-oval/oracle-oval.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go
index afe782f5..8b174d5b 100644
--- a/pkg/vulnsrc/oracle-oval/oracle-oval.go
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go
@@ -242,7 +242,11 @@ func resolveVersions(vers []string) (string, []string) {
 versions := lo.Values(fixedVers)
 slices.Sort(versions)
- fixedVersion := fixedVers[NormalPackageFlavor]
+ fixedVersion, ok := fixedVers[NormalPackageFlavor]
+ // To keep the previous logic - use the ksplice/fips version if the normal flavor doesn't exist.
+ if !ok {
+ fixedVersion = versions[0]
+ }
 return fixedVersion, versions
 }
@@ -306,7 +310,7 @@ func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) {
 return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err)
 }
- // For backward compatibility
+ // For backward compatibility (This code can be deleted after Dec 19th, 2024)
 // The old trivy-db has no entries, but has fixed versions and custom fields.
 if len(adv.Entries) == 0 {
 advisories = append(advisories, types.Advisory{
From 6557f9c2ab9d980ee29709211f143aa551c0c949 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 19 Nov 2024 14:13:22 +0600
Subject: [PATCH 16/16] test: fix test
---
 pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 1 +
 1 file changed, 1 insertion(+)
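Review bot: `fixedVersion = versions[0]` in the `!ok` branch of resolveVersions (oracle-oval.go, `@@ -242,7 +242,11 @@`) indexes the slice without a length check, so an empty `fixedVers` would panic during the DB build; the start of the function is outside the hunk, so whether `vers` can be empty here is not visible. The fallback is also whatever string `slices.Sort` places first, i.e. lexical order rather than RPM version order or a stated flavor preference, and it appears to become the advisory's top-level fixed version that consumers compare installed packages against. I would guard it with `if !ok && len(versions) > 0 {` and make the comment say what is actually selected: `// No normal flavor: fall back to the lexically first fips/ksplice version (string order, not RPM version order).`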
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
index edfb76e6..7017c40a 100644
--- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go
@@ -379,6 +379,7 @@ func TestVulnSrc_Update(t *testing.T) {
 {
 Key: []string{"advisory-detail", "CVE-2016-10228", "Oracle Linux 8", "glibc"},
 Value: types.Advisories{
+ FixedVersion: "2:2.28-151.0.1.ksplice2.el8",
 Entries: []types.Advisory{
 {
 FixedVersion: "2:2.28-151.0.1.ksplice2.el8",