diff --git a/.gitignore b/.gitignore
index 05645ed..b4b9901 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/linux-3.10.0-123.4.2.el7.tar.xz
+SOURCES/linux-3.10.0-123.4.4.el7.tar.xz
+SOURCES/rheldup3.x509
+SOURCES/rhelkpatch1.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index e44a841..a59ecff 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1 +1,3 @@
-d6e63d7b0606ce8083a93fc84e624fa675d0ef9a SOURCES/linux-3.10.0-123.4.2.el7.tar.xz
+ea88307597ba3e603982b64c29e23f5f8bb513fe SOURCES/linux-3.10.0-123.4.4.el7.tar.xz
+95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
+d90885108d225a234a5a9d054fc80893a5bd54d0 SOURCES/rhelkpatch1.x509
diff --git a/SOURCES/Makefile.common b/SOURCES/Makefile.common
index 5974232..03afd2c 100644
--- a/SOURCES/Makefile.common
+++ b/SOURCES/Makefile.common
@@ -9,7 +9,7 @@ RPMVERSION:=3.10.0
# marker is git tag which we base off of for exporting patches
MARKER:=v3.10
PREBUILD:=
-BUILD:=123.4.2
+BUILD:=123.4.4
DIST:=.el7
SPECFILE:=kernel.spec
RPM:=$(REDHAT)/rpm
diff --git a/SOURCES/centos-kpatch.x509 b/SOURCES/centos-kpatch.x509
deleted file mode 100644
index ca57a43..0000000
Binary files a/SOURCES/centos-kpatch.x509 and /dev/null differ
diff --git a/SOURCES/centos-ldup.x509 b/SOURCES/centos-ldup.x509
deleted file mode 100644
index 9c65dd3..0000000
Binary files a/SOURCES/centos-ldup.x509 and /dev/null differ
diff --git a/SOURCES/centos.cer b/SOURCES/centos.cer
deleted file mode 100644
index 00a5580..0000000
Binary files a/SOURCES/centos.cer and /dev/null differ
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
deleted file mode 100644
index 8ef4557..0000000
--- a/SOURCES/debrand-rh_taint.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 69c0d42cfa26515196896dea086857c2caccb6eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 10:05:12 -0500
-Subject: [PATCH] branding patch for rh_taint
-
----
- kernel/rh_taint.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/rh_taint.c b/kernel/rh_taint.c
-index 59a74b0..0708e15 100644
---- a/kernel/rh_taint.c
-+++ b/kernel/rh_taint.c
-@@ -8,7 +8,7 @@
- void mark_hardware_unsupported(const char *msg)
- {
- /* Print one single message */
-- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://hardware.redhat.com for certified hardware.\n", msg);
-+ pr_crit("Warning: %s - this hardware has not undergone upstream testing. Please consult http://wiki.centos.org/FAQ for more information\n", msg);
- }
- EXPORT_SYMBOL(mark_hardware_unsupported);
-
---
-1.8.3.1
-
diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch
deleted file mode 100644
index 9d2e08b..0000000
--- a/SOURCES/debrand-single-cpu.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 66185f5c6f881847776702e3a7956c504400f4f2 Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Thu, 19 Jun 2014 09:53:13 -0500
-Subject: [PATCH] branding patch for single-cpu systems
-
----
- arch/x86/kernel/setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index b289118..9d25982 100644
---- a/arch/x86/kernel/setup.c
-+++ b/arch/x86/kernel/setup.c
-@@ -846,7 +846,7 @@ static void rh_check_supported(void)
- if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
- !x86_hyper && !cpu_has_hypervisor && !is_kdump_kernel()) {
- pr_crit("Detected single cpu native boot.\n");
-- pr_crit("Important: In Red Hat Enterprise Linux 7, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
-+ pr_crit("Important: In CentOS 7, single threaded, single CPU 64-bit physical systems are unsupported. Please see http://wiki.centos.org/FAQ for more information");
- }
-
- /* The RHEL7 kernel does not support this hardware. The kernel will
---
-1.8.3.1
-
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/SOURCES/secureboot.cer differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/securebootca.cer differ
diff --git a/SOURCES/x509.genkey b/SOURCES/x509.genkey
index d98f8fe..b1bbe38 100644
--- a/SOURCES/x509.genkey
+++ b/SOURCES/x509.genkey
@@ -5,9 +5,9 @@ prompt = no
x509_extensions = myexts
[ req_distinguished_name ]
-O = CentOS
-CN = CentOS Linux kernel signing key
-emailAddress = security@centos.org
+O = Red Hat
+CN = Red Hat Enterprise Linux kernel signing key
+emailAddress = secalert@redhat.com
[ myexts ]
basicConstraints=critical,CA:FALSE
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 2f6eb03..4251879 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -11,7 +11,7 @@ Summary: The Linux kernel
%global released_kernel 1
%define rpmversion 3.10.0
-%define pkgrelease 123.4.2.el7
+%define pkgrelease 123.4.4.el7
%define pkg_release %{pkgrelease}%{?buildid}
@@ -338,9 +338,10 @@ Source10: sign-modules
%define modsign_cmd %{SOURCE10}
Source11: x509.genkey
Source12: extra_certificates
-Source13: centos.cer
-Source15: centos-ldup.x509
-Source16: centos-kpatch.x509
+Source13: securebootca.cer
+Source14: secureboot.cer
+Source15: rheldup3.x509
+Source16: rhelkpatch1.x509
Source18: check-kabi
@@ -366,10 +367,6 @@ Source72: kernel-%{version}-s390x-kdump.config
Source2000: cpupower.service
Source2001: cpupower.config
-# branding patches
-Patch1001: debrand-single-cpu.patch
-Patch1002: debrand-rh_taint.patch
-
# empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch
@@ -524,11 +521,11 @@ This package provides debug information for package kernel-tools.
%endif # with_tools
%package -n kernel-abi-whitelists
-Summary: The CentOS Linux kernel ABI symbol whitelists
+Summary: The Red Hat Enterprise Linux kernel ABI symbol whitelists
Group: System Environment/Kernel
AutoReqProv: no
%description -n kernel-abi-whitelists
-The kABI package contains information pertaining to the CentOS
+The kABI package contains information pertaining to the Red Hat Enterprise
Linux kernel ABI, including lists of kernel symbols that are needed by
external Linux kernel modules, and a yum plugin to aid enforcement.
@@ -671,11 +668,6 @@ cd linux-%{KVRA}
# Drop some necessary files from the source dir into the buildroot
cp $RPM_SOURCE_DIR/kernel-%{version}-*.config .
-# CentOS Branding Modification
-ApplyOptionalPatch debrand-rh_taint.patch
-ApplyOptionalPatch debrand-single-cpu.patch
-# End of CentOS Modification
-
ApplyOptionalPatch linux-kernel-test.patch
# Any further pre-build tree manipulations happen here.
@@ -827,7 +819,7 @@ BuildKernel() {
fi
# EFI SecureBoot signing, x86_64-only
%ifarch x86_64
- %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE13}
+ %pesign -s -i $KernelImage -o $KernelImage.signed -a %{SOURCE13} -c %{SOURCE14} -n redhatsecureboot301
mv $KernelImage.signed $KernelImage
%endif
$CopyKernel $KernelImage $RPM_BUILD_ROOT/%{image_install_path}/$InstallName-$KernelVer
@@ -1482,11 +1474,11 @@ fi
%kernel_variant_files %{with_kdump} kdump
%changelog
-* Tue Jun 27 2014 Karanbir Singh <kbsingh@centos.org> [3.10.0-123.4.2.el7.centos]
-- Patch in CentOS SecureBoot certs
-- Add in debranding changes
-- Add in CentOS kdump and driver update certs
-- Modifications to remove Red Hat from spec file
+* Wed Jul 16 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.4.4.el7]
+- [net] l2tp_ppp: fail when socket option level is not SOL_PPPOL2TP (Petr Matousek) [1119465 1119466] {CVE-2014-4943}
+
+* Thu Jul 10 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.4.3.el7]
+- [x86] ptrace: force IRET path after a ptrace_stop() (Oleg Nesterov) [1115934 1115935] {CVE-2014-4699}
* Thu Jun 05 2014 Phillip Lougher <plougher@redhat.com> [3.10.0-123.4.2.el7]
- [fs] aio: fix plug memory disclosure and fix reqs_active accounting backport (Jeff Moyer) [1094604 1094605] {CVE-2014-0206}