microsoft · dethoma · May 21, 2026
@@ -7,7 +7,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-64k-signed-%{buildarch}
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -105,6 +105,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-hwe-signed-%{buildarch}
 Version:        6.12.89.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -108,6 +108,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.12.89.1-2
+- Bump release for entanglement with kernel-hwe (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 

@@ -10,7 +10,7 @@
 Summary:        Signed MSHV-enabled Linux Kernel for %{buildarch} systems
 Name:           kernel-mshv-signed-%{buildarch}
 Version:        6.6.137.mshv1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -140,6 +140,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /lib/modules/%{uname_r}/build
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.137.mshv1-2
+- Bump release for entanglement with kernel-mshv (disable CONFIG_RDS on aarch64)
 * Tue May 05 2026 Saul Paredes <saulparedes@microsoft.com> - 6.6.137.mshv1-1
 - Upgrade to 6.6.137.mshv1
 

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,8 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -6,7 +6,7 @@
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,8 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -1658,10 +1658,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y

@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
-    "config_aarch64": "373f487d9db87027a71ffc33d7a80a8f8f8f296043454b45f68b768647d191a8",
+    "config_aarch64": "4f68377d0b67bc7ff30ed60fadc5997bea086197194c7cfba86306f25b984bb4",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",

@@ -27,7 +27,7 @@
 Summary:        Linux Kernel
 Name:           kernel-64k
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -380,6 +380,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+  match x86_64 and align with the same change in the base kernel spec.
+  Closes a long-standing config divergence and mitigates exposure to
+  RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+  double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -14,7 +14,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,8 @@ done
 %endif
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -4,7 +4,7 @@
 Summary:        Linux API header files
 Name:           kernel-hwe-headers
 Version:        6.12.89.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,6 +35,8 @@ cp -rv usr/include/* /%{buildroot}%{_includedir}
 %{_includedir}/*
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.12.89.1-2
+- Bump release for entanglement with kernel-hwe (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 

@@ -1747,10 +1747,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y

@@ -2,7 +2,7 @@
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
     "config": "bbf1b4694ebb279c189684d0e418c25ce9ae24c1d2587fff5e07b2127bfcf656",
-    "config_aarch64": "2cf5596aedd272b63d1f65b629cf82eda77f6440687d5a0f4d1e792aebc6be56",
+    "config_aarch64": "06cece7cdb2e0000478f70922767fd7303d6972fee4a29fcd6c69908bfb30314",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "8bb4094cb09cd7a8bced236ccb44c3cabc82716679ce497bf040332897e47cd0",

@@ -31,7 +31,7 @@
 Summary:        Linux Kernel
 Name:           kernel-hwe
 Version:        6.12.89.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -431,6 +431,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.12.89.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+  match x86_64 and align with the same change in the base kernel spec.
+  Closes a long-standing config divergence and mitigates exposure to
+  RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+  double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.12.89.1-1
 - Auto-upgrade to 6.12.89.1
 - Disable ESP-in-TCP encapsulation

@@ -1636,10 +1636,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y

@@ -5,6 +5,6 @@
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
     "config": "1d2a651010da7f085e0f84d9a9a87d91ae11d5198fba0855811f6653c99ba919",
     "kernel-mshv-6.6.137.mshv1.tar.gz": "1d4dbcf9768471fff5934899d8008a1260f225dc910e6dfd3e73f7d420b54b4a",
-    "config_aarch64": "3127fe65dda320d1875dd7d06fe51fc38b6f2643b931aced0dd9d1e0087cd9df"
+    "config_aarch64": "af53bf3d530494b36a72cf95477e0aa05304389b6ca9a5ca9c0017508e06f5f5"
   }
-}
+}
@@ -18,7 +18,7 @@
 Summary:        Mariner kernel that has MSHV Host support
 Name:           kernel-mshv
 Version:        6.6.137.mshv1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Group:          Development/Tools
 Vendor:         Microsoft Corporation
@@ -267,6 +267,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_includedir}/perf/perf_dlfilter.h
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.137.mshv1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+  match x86_64 and align with the same change in the base kernel spec.
+  Closes a long-standing config divergence and mitigates exposure to
+  RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+  double-free, oss-security 2026/05/19).
+
 * Tue May 05 2026 Saul Paredes <saulparedes@microsoft.com> - 6.6.137.mshv1-1
 - Upgrade to 6.6.137.mshv1
 

@@ -1657,10 +1657,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y
 CONFIG_SCTP_COOKIE_HMAC_MD5=y
 CONFIG_SCTP_COOKIE_HMAC_SHA1=y
 CONFIG_INET_SCTP_DIAG=m
-CONFIG_RDS=m
-CONFIG_RDS_RDMA=m
-CONFIG_RDS_TCP=m
-# CONFIG_RDS_DEBUG is not set
+# CONFIG_RDS is not set
 CONFIG_TIPC=m
 CONFIG_TIPC_MEDIA_IB=y
 CONFIG_TIPC_MEDIA_UDP=y

@@ -13,7 +13,7 @@
 Summary:        Unified Kernel Image
 Name:           kernel-uki
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -70,6 +70,8 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Bump release for entanglement with kernel (disable CONFIG_RDS on aarch64)
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -2,7 +2,7 @@
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
     "config": "09474b8388008baf182997b999d691f71331ac2d266a9c0a5414c58923135070",
-    "config_aarch64": "242765f15998ffcbce7a3f577e69a1657de836b8906afe510cd9490920fd2619",
+    "config_aarch64": "423d1dc2a276d717d7ad81712e79b4596ca1bceebb6ba2c7eed7ea8f591f1b7e",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",

@@ -32,7 +32,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        6.6.139.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -440,6 +440,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Tue May 19 2026 Deepu Thomas <dethoma@microsoft.com> - 6.6.139.1-2
+- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
+  match x86_64. Closes a long-standing config divergence dating to 2020
+  (5.4.23-11) where RDS was disabled on x86_64 only. Mitigates exposure
+  to RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
+  double-free, oss-security 2026/05/19).
+
 * Fri May 15 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.139.1-1
 - Auto-upgrade to 6.6.139.1
 

@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-20.azl3.aarch64.rpm
 glibc-devel-2.38-20.azl3.aarch64.rpm
 glibc-i18n-2.38-20.azl3.aarch64.rpm

@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-20.azl3.x86_64.rpm
 glibc-devel-2.38-20.azl3.x86_64.rpm
 glibc-i18n-2.38-20.azl3.x86_64.rpm

@@ -158,7 +158,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm

@@ -165,8 +165,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.139.1-1.azl3.noarch.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-cross-headers-6.6.139.1-2.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm