From abf1c33402ad293454381c69917b9a60af3fb8a5 Mon Sep 17 00:00:00 2001 
From: Deepu Thomas
Date: Thu, 21 May 2026 11:00:01 -0700
Subject: [PATCH] kernel: disable CONFIG_RDS on aarch64 across all kernel flavors

Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to match x86_64. Closes a long-standing config divergence dating to 2020 (5.4.23-11) where RDS was disabled on x86_64 only. Mitigates exposure to RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user double-free, oss-security 2026/05/19).

Changes:
- Disable CONFIG_RDS in config_aarch64 for kernel, kernel-64k, kernel-hwe, and kernel-mshv
- Bump Release to -2 across all entangled specs (kernel group, kernel-hwe group, kernel-mshv group)
- Update signatures.json hashes for modified config files
- Update toolchain and pkggen_core manifests for kernel-headers -2
- Add kernel config checker overrides for pre-existing drift discovered during CI validation (unrelated to RDS; tracked separately)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.../kernel-64k-signed/kernel-64k-signed.spec | 4 +-
.../kernel-hwe-signed/kernel-hwe-signed.spec | 4 +-
.../kernel-mshv-signed.spec | 4 +-
SPECS-SIGNED/kernel-signed/kernel-signed.spec | 4 +-
.../kernel-uki-signed/kernel-uki-signed.spec | 4 +-
SPECS/kernel-64k/config_aarch64 | 5 +-
SPECS/kernel-64k/kernel-64k.signatures.json | 2 +-
SPECS/kernel-64k/kernel-64k.spec | 9 +-
SPECS/kernel-headers/kernel-headers.spec | 4 +-
.../kernel-hwe-headers.spec | 4 +-
SPECS/kernel-hwe/config_aarch64 | 5 +-
SPECS/kernel-hwe/kernel-hwe.signatures.json | 2 +-
SPECS/kernel-hwe/kernel-hwe.spec | 9 +-
SPECS/kernel-mshv/config_aarch64 | 5 +-
SPECS/kernel-mshv/kernel-mshv.signatures.json | 4 +-
SPECS/kernel-mshv/kernel-mshv.spec | 9 +-
SPECS/kernel/config_aarch64 | 5 +-
SPECS/kernel/kernel-uki.spec | 4 +-
SPECS/kernel/kernel.signatures.json | 2 +-
SPECS/kernel/kernel.spec | 9 +-
.../manifests/package/pkggen_core_aarch64.txt | 2 +-
.../manifests/package/pkggen_core_x86_64.txt | 2 +-
.../manifests/package/toolchain_aarch64.txt | 2 +-
.../manifests/package/toolchain_x86_64.txt | 4 +-
.../azl3-os-required-kernel-configs.json | 110 ++++++++++++++++++
25 files changed, 180 insertions(+), 38 deletions(-)
diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
index 18b50b23ba8..118a4ed5f9b 100644
--- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
+++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
@@ -7,7 +7,7 @@
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-64k-signed-%{buildarch}
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -105,6 +105,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS-SIGNED/kernel-hwe-signed/kernel-hwe-signed.spec b/SPECS-SIGNED/kernel-hwe-signed/kernel-hwe-signed.spec
index 59a7586642e..c0517949b04 100644
--- a/SPECS-SIGNED/kernel-hwe-signed/kernel-hwe-signed.spec
+++ b/SPECS-SIGNED/kernel-hwe-signed/kernel-hwe-signed.spec
@@ -10,7 +10,7 @@
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-hwe-signed-%{buildarch}
 Version: 6.12.89.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -108,6 +108,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.12.89.1-2
+- Bump release for entanglement with kernel-hwe (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 
diff --git a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
index 55bcc5d7745..c3cc90c6865 100644
--- a/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
+++ b/SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec
@@ -10,7 +10,7 @@
 Summary: Signed MSHV-enabled Linux Kernel for %{buildarch} systems
 Name: kernel-mshv-signed-%{buildarch}
 Version: 6.6.137.mshv1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -140,6 +140,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /lib/modules/%{uname_r}/build
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.137.mshv1-2
+- Bump release for entanglement with kernel-mshv (disable CONFIG_RDS on aarch64)
 * Tue May 05 2026 Saul Paredes - 6.6.137.mshv1-1
 - Upgrade to 6.6.137.mshv1
 
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index 1216f778282..e85ca6200f9 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -10,7 +10,7 @@
 Summary: Signed Linux Kernel for %{buildarch} systems
 Name: kernel-signed-%{buildarch}
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -145,6 +145,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
index 7b213ca4535..57c98989d43 100644
--- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
+++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -6,7 +6,7 @@
 Summary: Signed Unified Kernel Image for %{buildarch} systems
 Name: kernel-uki-signed-%{buildarch}
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -68,6 +68,8 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64
index 960006dc66b..4b503843de5 100644
--- a/SPECS/kernel-64k/config_aarch64
+++ b/SPECS/kernel-64k/config_aarch64
@@ -1658,10 +1658,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y
diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json
index 2dcaef67964..e088f50d283 100644
--- a/SPECS/kernel-64k/kernel-64k.signatures.json
+++ b/SPECS/kernel-64k/kernel-64k.signatures.json
@@ -1,7 +1,7 @@
 {
 "Signatures": {
 "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
- "config_aarch64": "373f487d9db87027a71ffc33d7a80a8f8f8f296043454b45f68b768647d191a8",
+ "config_aarch64": "4f68377d0b67bc7ff30ed60fadc5997bea086197194c7cfba86306f25b984bb4",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec
index 27262f66011..bde013dc5bb 100644
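Review bot: Nothing in the patch pins CONFIG_RDS to `n` in the kernel config checker, so the divergence this closes can silently reopen the next time an auto-upgrade regenerates config_aarch64 — the same four-line replacement appears in SPECS/kernel-hwe, SPECS/kernel-mshv and SPECS/kernel, and the checker file azl3-os-required-kernel-configs.json is already edited later in this patch, but only for unrelated drift. Since the old value was `CONFIG_RDS=m` rather than `y`, the protocol was a loadable module, and `# CONFIG_RDS is not set` is the right shape of fix: the dependent RDS_RDMA, RDS_TCP and RDS_DEBUG symbols disappear with it, which leaves the checker as the only remaining guard against re-enablement. Consider adding a required-config entry for `CONFIG_RDS` with `"value": "n"` for `arm64` (and the label the file uses for x86_64) whose `justification` points at the oss-security 2026/05/19 advisory, if the file's schema admits a required value rather than only a per-flavor override; I cannot see the enclosing section of that file from here.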
--- a/SPECS/kernel-64k/kernel-64k.spec
+++ b/SPECS/kernel-64k/kernel-64k.spec
@@ -27,7 +27,7 @@
 Summary: Linux Kernel
 Name: kernel-64k
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -380,6 +380,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+ match x86_64 and align with the same change in the base kernel spec.
+ Closes a long-standing config divergence and mitigates exposure to
+ RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+ double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 6cfc3a6747c..fa7b148beaf 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -14,7 +14,7 @@
 Summary: Linux API header files
 Name: kernel-headers
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -75,6 +75,8 @@ done
 %endif
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS/kernel-hwe-headers/kernel-hwe-headers.spec b/SPECS/kernel-hwe-headers/kernel-hwe-headers.spec
index 3f298c6bba8..bd0e993b029 100644
--- a/SPECS/kernel-hwe-headers/kernel-hwe-headers.spec
+++ b/SPECS/kernel-hwe-headers/kernel-hwe-headers.spec
@@ -4,7 +4,7 @@
 Summary: Linux API header files
 Name: kernel-hwe-headers
 Version: 6.12.89.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -35,6 +35,8 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.12.89.1-2
+- Bump release for entanglement with kernel-hwe (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 
diff --git a/SPECS/kernel-hwe/config_aarch64 b/SPECS/kernel-hwe/config_aarch64
index 821cdc65c82..43abc5cfaf4 100644
--- a/SPECS/kernel-hwe/config_aarch64
+++ b/SPECS/kernel-hwe/config_aarch64
@@ -1747,10 +1747,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y
diff --git a/SPECS/kernel-hwe/kernel-hwe.signatures.json b/SPECS/kernel-hwe/kernel-hwe.signatures.json
index d0526e80e1e..457736780c3 100644
--- a/SPECS/kernel-hwe/kernel-hwe.signatures.json
+++ b/SPECS/kernel-hwe/kernel-hwe.signatures.json
@@ -2,7 +2,7 @@
 "Signatures": {
 "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
 "config": "bbf1b4694ebb279c189684d0e418c25ce9ae24c1d2587fff5e07b2127bfcf656",
- "config_aarch64": "2cf5596aedd272b63d1f65b629cf82eda77f6440687d5a0f4d1e792aebc6be56",
+ "config_aarch64": "06cece7cdb2e0000478f70922767fd7303d6972fee4a29fcd6c69908bfb30314",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "8bb4094cb09cd7a8bced236ccb44c3cabc82716679ce497bf040332897e47cd0",
diff --git a/SPECS/kernel-hwe/kernel-hwe.spec b/SPECS/kernel-hwe/kernel-hwe.spec
index 2e80d3867bb..e12b2c02d18 100644
--- a/SPECS/kernel-hwe/kernel-hwe.spec
+++ b/SPECS/kernel-hwe/kernel-hwe.spec
@@ -31,7 +31,7 @@
 Summary: Linux Kernel
 Name: kernel-hwe
 Version: 6.12.89.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -431,6 +431,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.12.89.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+ match x86_64 and align with the same change in the base kernel spec.
+ Closes a long-standing config divergence and mitigates exposure to
+ RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+ double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 - Disable ESP-in-TCP encapsulation
diff --git a/SPECS/kernel-mshv/config_aarch64 b/SPECS/kernel-mshv/config_aarch64
index 5f9c2c69349..fd8eaed10ca 100644
--- a/SPECS/kernel-mshv/config_aarch64
+++ b/SPECS/kernel-mshv/config_aarch64
@@ -1636,10 +1636,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y
diff --git a/SPECS/kernel-mshv/kernel-mshv.signatures.json b/SPECS/kernel-mshv/kernel-mshv.signatures.json
index e3c58cf7d5a..89ff3dd08f6 100644
--- a/SPECS/kernel-mshv/kernel-mshv.signatures.json
+++ b/SPECS/kernel-mshv/kernel-mshv.signatures.json
@@ -5,6 +5,6 @@
 "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
 "config": "1d2a651010da7f085e0f84d9a9a87d91ae11d5198fba0855811f6653c99ba919",
 "kernel-mshv-6.6.137.mshv1.tar.gz": "1d4dbcf9768471fff5934899d8008a1260f225dc910e6dfd3e73f7d420b54b4a",
- "config_aarch64": "3127fe65dda320d1875dd7d06fe51fc38b6f2643b931aced0dd9d1e0087cd9df"
+ "config_aarch64": "af53bf3d530494b36a72cf95477e0aa05304389b6ca9a5ca9c0017508e06f5f5"
 }
-}
\ No newline at end of file
+}
diff --git a/SPECS/kernel-mshv/kernel-mshv.spec b/SPECS/kernel-mshv/kernel-mshv.spec
index 50c1db68e99..06ed5fa4520 100644
--- a/SPECS/kernel-mshv/kernel-mshv.spec
+++ b/SPECS/kernel-mshv/kernel-mshv.spec
@@ -18,7 +18,7 @@
 Summary: Mariner kernel that has MSHV Host support
 Name: kernel-mshv
 Version: 6.6.137.mshv1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group: Development/Tools
 Vendor: Microsoft Corporation
@@ -267,6 +267,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_includedir}/perf/perf_dlfilter.h
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.137.mshv1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+ match x86_64 and align with the same change in the base kernel spec.
+ Closes a long-standing config divergence and mitigates exposure to
+ RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+ double-free, oss-security 2026/05/19).
+
 * Tue May 05 2026 Saul Paredes - 6.6.137.mshv1-1
 - Upgrade to 6.6.137.mshv1
 
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index 7f03e360022..a081d5fbcfd 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1657,10 +1657,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
index d5a4bb41179..706ae097102 100644
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@@ -13,7 +13,7 @@
 Summary: Unified Kernel Image
 Name: kernel-uki
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -70,6 +70,8 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index 8beb1041c9b..8452197bcd5 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -2,7 +2,7 @@
 "Signatures": {
 "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
 "config": "09474b8388008baf182997b999d691f71331ac2d266a9c0a5414c58923135070",
- "config_aarch64": "242765f15998ffcbce7a3f577e69a1657de836b8906afe510cd9490920fd2619",
+ "config_aarch64": "423d1dc2a276d717d7ad81712e79b4596ca1bceebb6ba2c7eed7ea8f591f1b7e",
 "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
 "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
 "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index b972257310c..2e84582b50b 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -32,7 +32,7 @@
 Summary: Linux Kernel
 Name: kernel
 Version: 6.6.139.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -440,6 +440,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+ match x86_64. Closes a long-standing config divergence dating to 2020
+ (5.4.23-11) where RDS was disabled on x86_64 only. Mitigates exposure
+ to RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+ double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 13e2314a3af..33647a9c06d 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-20.azl3.aarch64.rpm
 glibc-devel-2.38-20.azl3.aarch64.rpm
 glibc-i18n-2.38-20.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 05de9693840..dfe79547645 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-20.azl3.x86_64.rpm
 glibc-devel-2.38-20.azl3.x86_64.rpm
 glibc-i18n-2.38-20.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index c5b0b456279..80359a1a6c8 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -158,7 +158,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 61f0c519b89..fdc37cd244d 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -165,8 +165,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.139.1-1.azl3.noarch.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-cross-headers-6.6.139.1-2.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
diff --git a/toolkit/scripts/kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json b/toolkit/scripts/kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json
index 274d9039fe5..4a78b2efe49 100644
--- a/toolkit/scripts/kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json
+++ b/toolkit/scripts/kernel_config_checker/kernel_configs_json/azl3-os-required-kernel-configs.json
@@ -3058,6 +3058,16 @@
 }
 ],
 "justification": "https://microsoft.visualstudio.com/OS/_workitems/edit/56255416"
+ },
+ {
+ "name": "CONFIG_IKCONFIG_PROC",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "n"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-64k disables /proc/config.gz access. Tracking separately."
 }
 ]
 },
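Review bot: The `justification` of the new CONFIG_IKCONFIG_PROC waiver ends in "Tracking separately." with no reference, while the neighbouring entry carries a work-item URL; the same applies to the nine kernel-hwe entries in the following hunk of this file. A waiver that records the current value as the accepted value and cites nothing is the kind of entry that never gets revisited, so I would end each justification with `Tracked in <WORK-ITEM-OR-ISSUE-URL>` (placeholder) before merging. The CONFIG_IKCONFIG_PROC entries should also say which side is wrong: if the baseline demands /proc/config.gz and the flavor deliberately withholds it, the flavor's `n` is arguably the safer hardening default and the entry is a permanent policy decision rather than drift. Bundling ten unrelated checker waivers into a security fix additionally makes the checker's findings hard to audit from history; a separate commit for them would be cleaner.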
@@ -3147,6 +3157,106 @@
 }
 ],
 "justification": "kernel-hwe 6.12 does not enable PLDMFW on arm64 - PR: https://github.com/microsoft/azurelinux/pull/10960"
+ },
+ {
+ "name": "CONFIG_IKCONFIG_PROC",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "n"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe disables /proc/config.gz access. Tracking separately."
+ },
+ {
+ "name": "CONFIG_IP_VS_DEBUG",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "n"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe ships without IPVS debug. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NETFILTER_XT_TARGET_NOTRACK",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "n"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe omits NOTRACK xtables target. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NFT_DUP_NETDEV",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds NFT_DUP_NETDEV as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NFT_FWD_NETDEV",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds NFT_FWD_NETDEV as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NFT_REJECT_NETDEV",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds NFT_REJECT_NETDEV as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NF_CT_NETLINK_HELPER",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds NF_CT_NETLINK_HELPER as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_NF_DUP_NETDEV",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds NF_DUP_NETDEV as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_SENSORS_MLXREG_FAN",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "m"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds Mellanox register fan driver as module. Tracking separately."
+ },
+ {
+ "name": "CONFIG_VIRTIO_CONSOLE",
+ "values": [
+ {
+ "architecture": "arm64",
+ "value": "y"
+ }
+ ],
+ "justification": "Pre-existing drift on 3.0-dev unrelated to RDS PR; kernel-hwe builds VIRTIO_CONSOLE as builtin. Tracking separately."
 }
 ]
 }