An update for kernel is now available for openEuler-24.03-LTS Security Advisory openeuler-release@openeuler.org openEuler release SIG openEuler-HotPatchSA-2024-1036 Final 1.0 1.0 2024-10-21 Initial 2024-10-21 2024-10-21 openEuler HotPatchSA Tool V1.0 2024-10-21 kernel security update An update for kernel is now available for openEuler-24.03-LTS The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.(CVE-2024-46845) An update for kernel is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-HotPatchSA-2024-1036 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-46845 https://nvd.nist.gov/vuln/detail/CVE-2024-46845 openEuler-24.03-LTS kernel-6.6.0-28.0.0.34.oe2403-ACC-1-1.src.rpm patch-kernel-6.6.0-28.0.0.34.oe2403-ACC-1-1.x86_64.rpm patch-kernel-6.6.0-28.0.0.34.oe2403-ACC-1-1.aarch64.rpm In the Linux kernel, the following vulnerability has been resolved:tracing/timerlat: Only clear timer if a kthread existsThe timerlat tracer can use user space threads to check for osnoise andtimer latency. If the program using this is killed via a SIGTERM, thethreads are shutdown one at a time and another tracing instance can startup resetting the threads before they are fully closed. That causes thehrtimer assigned to the kthread to be shutdown and freed twice when thedying thread finally closes the file descriptors, causing a use-after-freebug.Only cancel the hrtimer if the associated thread is still around. Also addthe interface_lock around the resetting of the tlat_var->kthread.Note, this is just a quick fix that can be backported to stable. A realfix is to have a better synchronization between the shutdown of oldthreads and the starting of new ones. 2024-10-21 CVE-2024-46845 openEuler-24.03-LTS High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2024-10-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-HotPatchSA-2024-1036