[4.18.0-425.19.2.el8_7.OL8] - Update Oracle Linux certificates - Disable signing for aarch64 - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list [Orabug: 29539237] - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 ;lt;= 15.3-1.0.3 - Remove upstream reference during boot [Orabug: 34750652] [4.18.0-425.19.2.el8_7.gf5e8] - ovl: fail on invalid uid/gid mapping at copy up [2165341 2165342] {CVE-2023-0386} [4.18.0-425.19.1.el8_7] - s390/dasd: fix no record found for raw_track_access [2167776 2161270] - locking/rwsem: Disable preemption in all down_read* and up_read code paths [2170939 2162139] - locking/rwsem: Prevent non-first waiter from spinning in down_write slowpath [2170939 2162139] - locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter [2170939 2162139] - locking/rwsem: Always try to wake waiters in out_nolock path [2170939 2162139] - locking/rwsem: No need to check for handoff bit if wait queue empty [2170939 2162139] - locking/rwsem: Make handoff bit handling more consistent [2170939 2162139] - locking/rwsem: Disable preemption while trying for rwsem lock [2170939 2162139] - locking/rwsem: Conditionally wake waiters in reader/writer slowpaths [2170939 2162139] [2170939 2162139] - locking/rwsem: Optimize down_read_trylock under highly contended case [2170939 2162139] - locking/rwsem: Fix comments about reader optimistic lock stealing conditions [2170939 2162139] - locking/rwsem: Disable preemption for spinning region [2170939 2162139] - locking: Remove rcu_read_{,un}lock for preempt_{dis,en}able [2170939 2162139] - watchdog: fix UAF in reboot notifier handling in watchdog core code [2139770 2131308] - netfilter: nf_conntrack_irc: Tighten matching on DCC message [2139770 2131308] - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF [2163400 2163401] {CVE-2023-0266} - net/mlx5e: Fix enabling sriov while tc nic rules are offloaded [2167647 2112925] - net/mlx5: E-Switch, pair only capable devices [2167647 2112925] - net/mlx5: Fix mlx5_get_next_dev peer device matching [2167647 2112925] - net/mlx5: Lag, filter non compatible devices [2167647 2112925] [4.18.0-425.18.1.el8_7] - futex: Resend potentially swallowed owner death notification [2170054 2161526] [4.18.0-425.17.1.el8_7] - net: mana: Add rmb after checking owner bits [2173103 2139462] - net: mana: Add support of XDP_REDIRECT action [2173103 2139462] - net: mana: Add the Linux MANA PF driver [2173103 2139462] - ice: fix lost multicast packets in promisc mode [2172550 2138215] [4.18.0-425.16.1.el8_7] - ipv6: fix panic when fib_lookup_arg-;gt;result is fib6_info [2167602 2140599] - ceph: blocklist the kclient when receiving corrupted snap trace [2168896 2162414] - ceph: move mount state enum to super.h [2168896 2162414] - s390/kexec: fix ipl report address for kdump [2166296 2161328] - mm, compaction: fix fast_isolate_around to stay within boundaries [2170576 2149309] - scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM [2170228 2150659] - netfilter: conntrack: handle tcp challenge acks during connection reuse [2165587 2158726] [4.18.0-425.15.1.el8_7] - net/mlx5e: Fix use-after-free when reverting termination table [2167640 2112927] - net/mlx5: Do not query pci info while pci disabled [2167645 2129249] - x86/fpu: Fix copy_xstate_to_uabi to copy init states correctly [2168384 2122850] - x86/fpu: Exclude dynamic states from init_fpstate [2168384 2122850] - x86/fpu: Fix the init_fpstate size check with the actual size [2168384 2122850] - x86/fpu: Configure init_fpstate attributes orderly [2168384 2122850] - x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation [2168384 2122850] - net/mlx5: E-Switch, properly handle ingress tagged packets on VST [2166665 2096109] - cpuhotplug: Fix KABI breakage [2162763 2156529] [4.18.0-425.14.1.el8_7] - ACPI: processor idle: Practically limit Dummy wait workaround to old Intel systems [2142170 2130653] - KVM: x86: nSVM: implement nested LBR virtualization [2166362 2155149] - KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running [2166362 2155149] - kvm: x86: SVM: use vmcb* instead of svm-;gt;vmcb where it makes sense [2166362 2155149] - KVM: x86: nSVM: implement nested VMLOAD/VMSAVE [2166362 2155149] - IB/iser: Fix login with authentication [2161750 2120676] - act_mirred: use the backlog for nested calls to mirred ingress [2164648 2131339] {CVE-2022-4269} - net/sched: act_mirred: better wording on protection against excessive stack growth [2164648 2131339] {CVE-2022-4269} - redhat/configs: Set CONFIG_X86_AMD_PSTATE to "m" [2151275 2145246] - KVM: x86: smm: preserve interrupt shadow in SMRAM [2166368 2097144] - KVM: x86: SVM: don"t save SVM state to SMRAM when VM is not long mode capable [2166368 2097144] - KVM: x86: SVM: use smram structs [2166368 2097144] - KVM: svm: drop explicit return value of kvm_vcpu_map [2166368 2097144] - KVM: x86: smm: use smram struct for 64 bit smram load/restore [2166368 2097144] - KVM: x86: smm: use smram struct for 32 bit smram load/restore [2166368 2097144] - KVM: x86: smm: use smram structs in the common code [2166368 2097144] - KVM: x86: smm: add structs for KVM"s smram layout [2166368 2097144] - KVM: x86: smm: check for failures on smm entry [2166368 2097144] - KVM: x86: do not go through ctxt-;gt;ops when emulating rsm [2166368 2097144] - KVM: x86: move SMM exit to a new file [2166368 2097144] - KVM: x86: move SMM entry to a new file [2166368 2097144] - KVM: x86: start moving SMM-related functions to new files [2166368 2097144] - bug: introduce ASSERT_STRUCT_OFFSET [2166368 2097144] - KVM: x86: Rename and expose helper to detect if INIT/SIPI are allowed [2166368 2097144] - KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format [2166368 2097144] - KVM: x86: emulator: update the emulation mode after CR0 write [2166368 2097144] - KVM: x86: emulator: update the emulation mode after rsm [2166368 2097144] - KVM: x86: emulator: introduce emulator_recalc_and_set_mode [2166368 2097144] - KVM: x86: emulator: em_sysexit should update ctxt-;gt;mode [2166368 2097144] - KVM: x86: Bug the VM if the emulator accesses a non-existent GPR [2166368 2097144] - \KVM: x86: Reduce the number of emulator GPRs to "8" for 32-bit KVM [2166368 2097144] - KVM: x86: Use 16-bit fields to track dirty/valid emulator GPRs [2166368 2097144] - KVM: x86: Omit VCPU_REGS_RIP from emulator"s _regs array [2166368 2097144] - \KVM: x86: Harden _regs accesses to guard against buggy input [2166368 2097144] - KVM: x86: Grab regs_dirty in local "unsigned long" [2166368 2097144] - proc: proc_skip_spaces shouldn"t think it is working on C strings [2152571 2152572] {CVE-2022-4378} - proc: avoid integer type confusion in get_proc_long [2152571 2152572] {CVE-2022-4378}