Linux v5.1.16
parent
cd57c4f398
commit
623d64c6af
3 changed files with 71 additions and 2 deletions
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 15
|
||||
%define stable_update 16
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -623,6 +623,9 @@ Patch542: 0001-platform-x86-asus-wmi-Only-Tell-EC-the-OS-will-handl.patch
|
|||
Patch544: drm-panel-orientation-quirks.patch
|
||||
Patch545: efi-bgrt-acpi6.2-support.patch
|
||||
|
||||
# Accepted upstream; rhbz 1724357
|
||||
Patch546: netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1861,6 +1864,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jul 03 2019 Jeremy Cline <jcline@redhat.com> - 5.1.16-200
|
||||
- Linux v5.1.16
|
||||
- Fix an issue with deleting singular conntrack entries (rhbz 1724357)
|
||||
|
||||
* Tue Jun 25 2019 Jeremy Cline <jcline@redhat.com> - 5.1.15-200
|
||||
- Linux v5.1.15
|
||||
- Fixes CVE-2019-12817 (rhbz 1720616 1723697)
|
||||
|
|
|
|||
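Review bot: The comment added above `Patch546` in the second hunk says only `Accepted upstream`, without naming the upstream commit or saying when the patch can be dropped. A carried kernel patch is easier to audit on the next rebase if the spec records what it should match, for example `# Accepted upstream as <upstream commit id>; drop once a 5.1.y stable update contains it; rhbz 1724357`. The `From` hash inside the patch file may or may not be that upstream id, so it should be checked against the upstream tree rather than copied.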
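--- a/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
+++ b/netfilter-ctnetlink-Fix-regression-in-conntrack-entry.patch
@@ -0,0 +1,62 @@
+From e7600865db32b69deb0109b8254244dca592adcf Mon Sep 17 00:00:00 2001
+From: Felix Kaechele <felix@kaechele.ca>
+Date: Tue, 25 Jun 2019 16:48:59 -0400
+Subject: [PATCH] netfilter: ctnetlink: Fix regression in conntrack entry
+deletion
+
+Commit f8e608982022 ("netfilter: ctnetlink: Resolve conntrack
+L3-protocol flush regression") introduced a regression in which deletion
+of conntrack entries would fail because the L3 protocol information
+is replaced by AF_UNSPEC. As a result the search for the entry to be
+deleted would turn up empty due to the tuple used to perform the search
+is now different from the tuple used to initially set up the entry.
+
+For flushing the conntrack table we do however want to keep the option
+for nfgenmsg->version to have a non-zero value to allow for newer
+user-space tools to request treatment under the new behavior. With that
+it is possible to independently flush tables for a defined L3 protocol.
+This was introduced with the enhancements in in commit 59c08c69c278
+("netfilter: ctnetlink: Support L3 protocol-filter on flush").
+
+Older user-space tools will retain the behavior of flushing all tables
+regardless of defined L3 protocol.
+
+Fixes: f8e608982022 ("netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression")
+Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Felix Kaechele <felix@kaechele.ca>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+net/netfilter/nf_conntrack_netlink.c | 7 ++++---
+1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 7db79c1b8084..1b77444d5b52 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -1256,7 +1256,6 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+struct nf_conntrack_tuple tuple;
+struct nf_conn *ct;
+struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+- u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
+struct nf_conntrack_zone zone;
+int err;
+
+@@ -1266,11 +1265,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
+
+if (cda[CTA_TUPLE_ORIG])
+err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+else if (cda[CTA_TUPLE_REPLY])
+err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
+- u3, &zone);
++ nfmsg->nfgen_family, &zone);
+else {
++ u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
++
+return ctnetlink_flush_conntrack(net, cda,
+NETLINK_CB(skb).portid,
+nlmsg_report(nlh), u3);
+--
+2.21.0
+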
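Review bot: The flush branch at the end of the second hunk keys the address family on `nfmsg->version`, and nothing in the code says why; the compatibility rule lives only in the commit message. A comment above the moved declaration would keep it from being "simplified" again, e.g. `/* version 0 = older user-space: flush all families; non-zero: flush only nfgen_family */`. Both fields are read from the netlink message obtained via `nlmsg_data(nlh)`, and after this change `nfgen_family` reaches `ctnetlink_parse_tuple()` unconditionally. Whether that helper rejects unexpected family values is not visible here, so it is worth confirming. The body of `ctnetlink_del_conntrack()` starts before and continues after both hunks.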
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
|
||||
SHA512 (patch-5.1.15.xz) = 0b2e4436644da2699cf6fdfb38d80dd7156fac74c1d99bec718f74171fb91815e3de1d08b892effc0ae39080c90b569a2bd30c1c4665c6b3a156cbb8e4c2ba61
|
||||
SHA512 (patch-5.1.16.xz) = 4e5a2946c4db9f5be24332eee217fddf8f0a8ce13935fad8936de02c97a0549185f931709b185cd289756011551f6876c14db751c522b0f6c4215b7d47b231be
|
||||
|
|
|
|||