[ALSA-2024:5101] Important: kernel security update

Hello all.
Has anyone updated their AlmaLinux 8.10 kernel to version 4.18.0-553.16.1.el8_10.x86_64 with regard to the advisory here: ALSA-2024:5101?

Here is the issue I am dealing with, and would appreciate some help:
$ sudo dnf update
AlmaLinux 8 - BaseOS 12 kB/s | 3.8 kB 00:00
AlmaLinux 8 - AppStream 22 kB/s | 4.1 kB 00:00
AlmaLinux 8 - Extras 22 kB/s | 3.8 kB 00:00
Dependencies resolved.
Nothing to do.
Complete!

$ uname -r
4.18.0-425.19.2.el8_7.x86_64

$ sudo rpm -qa kernel*
kernel-tools-libs-4.18.0-425.19.2.el8_7.x86_64
kernel-tools-4.18.0-425.19.2.el8_7.x86_64
kernel-core-4.18.0-425.19.2.el8_7.x86_64
kernel-4.18.0-425.19.2.el8_7.x86_64
kernel-modules-4.18.0-425.19.2.el8_7.x86_64

I downloaded the updated kernel version to /tmp, but I am having dependency hell:

dnf install kernel-*
Last metadata expiration check: 0:05:55 ago on Mon 26 Aug 2024 01:57:40 PM UTC.
Error:
Problem 1: problem with installed package shim-x64-15.6-1.el8.alma.x86_64
  • package kernel-core-4.18.0-553.16.1.el8_10.x86_64 conflicts with shim-x64 <= 15.6-1.el8.alma provided by shim-x64-15.6-1.el8.alma.x86_64
  • conflicting requests
Problem 2: problem with installed package grub2-efi-x64-1:2.02-142.el8_7.3.alma.x86_64
  • package grub2-efi-x64-1:2.02-142.el8_7.3.alma.x86_64 requires /boot/efi/EFI/almalinux/shimx64.efi, but none of the providers can be installed
  • package grub2-efi-x64-1:2.02-142.el8.alma.x86_64 requires /boot/efi/EFI/almalinux/shimx64.efi, but none of the providers can be installed
  • package grub2-efi-x64-1:2.02-142.el8_7.1.alma.x86_64 requires /boot/efi/EFI/almalinux/shimx64.efi, but none of the providers can be installed
  • package kernel-core-4.18.0-553.16.1.el8_10.x86_64 conflicts with shim-x64 <= 15.6-1.el8.alma provided by shim-x64-15.6-1.el8.alma.x86_64
  • package kernel-4.18.0-553.16.1.el8_10.x86_64 requires kernel-core-uname-r = 4.18.0-553.16.1.el8_10.x86_64, but none of the providers can be installed
  • conflicting requests

$ sudo rpm -qa shim*
shim-x64-15.6-1.el8.alma.x86_64

Why did you download some packages, rather than let dnf download all necessary packages from online repositories?

The latest version of shim-x64 is 15.8-4.el8_9.alma.2. The kernel is signed with something that the shim has to verify in Secure Boot mode. An old shim cannot verify a new kernel.

Do not “cherry pick” packages that you upgrade. Upgrade all that offer updates.

Thank you for your response.

As you could see from my first post, dnf update does not list any update to be applied.

Is there a particular repo that has this updated kernel?

It should be in the baseos. Try clearing cache:

sudo dnf --enablerepo=* clean all

Already done that. Not in the baseos as far as I can tell.

I have a machine that sees package ‘kernel’ in the baseos repo:

# dnf -q --disablerepo=* --enablerepo=baseos list kernel
Installed Packages
kernel.x86_64           4.18.0-553.8.1.el8_10             @baseos
Available Packages
kernel.x86_64           4.18.0-553.16.1.el8_10            baseos

That repo has a mirror “near” me:

# dnf -q repoinfo baseos
Repo-id            : baseos
Repo-name          : AlmaLinux 8 - BaseOS
Repo-status        : enabled
Repo-revision      : 1724699407
Repo-updated       : Mon 26 Aug 2024 10:10:07 PM EEST
Repo-pkgs          : 2,257
Repo-available-pkgs: 2,252
Repo-size          : 3.7 G
Repo-mirrors       : https://mirrors.almalinux.org/mirrorlist/8/baseos
Repo-baseurl       : http://www.nic.funet.fi/pub/mirrors/almalinux.org/8.10/BaseOS/x86_64/os/
                   : (9 more)
Repo-expire        : 172,800 second(s) (last: Tue 27 Aug 2024 09:35:27 AM
                   : EEST)
Repo-filename      : /etc/yum.repos.d/almalinux.repo

How is your repoinfo?

dnf -q --disablerepo=* --enablerepo=baseos list kernel
Installed Packages
kernel.x86_64 4.18.0-425.19.2.el8_7 @System

dnf -q repoinfo baseos

Repo-id : baseos
Repo-name : AlmaLinux 8 - BaseOS
Repo-status : enabled
Repo-revision : 1683289336
Repo-updated : Fri 05 May 2023 12:22:16 PM UTC
Repo-pkgs : 2,278
Repo-available-pkgs: 2,276
Repo-size : 3.1 G
Repo-baseurl : Index of /8.7/BaseOS/x86_64/os/
Repo-expire : 172,800 second(s) (last: Tue 27 Aug 2024 01:23:33 PM UTC)
Repo-filename : /etc/yum.repos.d/almalinux.repo
Total packages: 2,278

cat /etc/*release

AlmaLinux release 8.10 Beta (Cerulean Leopard)
AlmaLinux release 8.10 Beta (Cerulean Leopard)
NAME="AlmaLinux"
VERSION="8.10 (Cerulean Leopard)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.10 Beta (Cerulean Leopard)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.10"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10 Beta"
AlmaLinux release 8.10 Beta (Cerulean Leopard)
AlmaLinux release 8.10 Beta (Cerulean Leopard)

That does not point to the repo of AlmaLinux 8. It points to archived content of 8.7 in the vault.

$ head /etc/yum.repos.d/almalinux.repo
# almalinux.repo

[baseos]
name=AlmaLinux $releasever - BaseOS
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
# baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
enabled = 1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux
fastestmirror=1

Note that mirrorlist is the preferred way to find a repo, and the commented (unused) baseurl is different from yours.
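
The condition diagnosed above, an enabled repo whose active baseurl is pinned to a fixed point release such as /8.7/ so that "dnf update" silently reports nothing to do, can be checked for in any .repo file. This is an added example, not part of the original thread; the function names, the sample file and the host vault.example.invalid are constructed for illustration.

```shell
#!/bin/sh
# check_repo_pins FILE
# Prints "section<TAB>baseurl" for every enabled repo section whose active
# (uncommented) baseurl hard-codes a minor release (e.g. /8.7/) instead of
# relying on $releasever or a mirrorlist.
check_repo_pins() {
    awk '
        function report() {
            if (sec != "" && enabled && url ~ /\/[0-9]+\.[0-9]+\//)
                printf "%s\t%s\n", sec, url
        }
        /^[ \t]*[#;]/ { next }              # commented keys are not in effect
        /^\[.*\]/ {                         # new section: report previous one
            report()
            sec = substr($0, 2, index($0, "]") - 2)
            enabled = 1; url = ""           # dnf treats a repo as enabled by default
            next
        }
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "baseurl") url = val
            if (key == "enabled") enabled = (val != "0")
        }
        END { report() }
    ' "$1"
}

# Constructed sample: baseos pinned to 8.7, appstream on mirrorlist,
# extras pinned but disabled.
sample_repo() {
    cat <<'EOF'
# almalinux.repo (constructed sample)
[baseos]
name=AlmaLinux 8.7 - BaseOS
baseurl=http://vault.example.invalid/8.7/BaseOS/x86_64/os/
enabled = 1
[appstream]
mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
# baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
enabled=1
[extras]
baseurl=http://vault.example.invalid/8.7/extras/x86_64/os/
enabled=0
EOF
}

tmp=$(mktemp) && sample_repo > "$tmp" && check_repo_pins "$tmp"; rm -f "$tmp"
```

On a real host, run the function over each file in /etc/yum.repos.d/; any line it prints names a repo that will not receive current security errata.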

Thank you. That has been very helpful.