Article ID: 111398, created on Jun 6, 2011, last review on Apr 17, 2012

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides
                   a number of stability fixes.
Issue date:        2011-06-08
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          'bugfix' 'stability' 'ip6tables'

--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 kernel
version 2.6.18-028stab091.2.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Obtaining New Kernel
4. Installing New Kernel
5. Required RPMs
6. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new
kernel based on the Red Hat 5.6 kernel (2.6.18-238.12.1.el5). The updated
kernel includes a set of stability fixes. The updated x86_64 kernel also
includes support for 32-bit ip6tables tools.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

This update contains fixes for the following issues:

* The timer in a Container may sometimes be 300 seconds fast. (PCLIN-29182)

* On a Hardware Node running a 64-bit host operating system, Containers with
  32-bit guest operating systems cannot use ip6tables. (PCLIN-29237)

The updated kernel also includes fixes for the following RHEL 5.6 issues:

* A flaw in the dccp_rcv_state_process() function could allow a remote
  attacker to cause a denial of service, even when the socket was already
  closed. (CVE-2011-1093, Important)

* Multiple buffer overflow flaws were found in the Linux kernel's
  Management Module Support for Message Passing Technology (MPT) based
  controllers. A local, unprivileged user could use these flaws to cause a
  denial of service, an information leak, or escalate their privileges.
  (CVE-2011-1494, CVE-2011-1495, Important)

* A missing validation of a null-terminated string data structure element
  in the bnep_sock_ioctl() function could allow a local user to cause an
  information leak or a denial of service. (CVE-2011-1079, Moderate)

* A Missing error, checking the way page tables were handled in the Xen
  hypervisor implementation, could allow a privileged guest user to cause the
  host, and the guests, to lock up. (CVE-2011-1166, Moderate)

* A flaw was found in the way the Xen hypervisor implementation checked for
  the upper boundary when getting a new event channel port. A privileged
  guest user could use this flaw to cause a denial of service or escalate
  their privileges. (CVE-2011-1763, Moderate)

* The start_code and end_code values in "/proc/[pid]/stat" were not
  protected. In certain scenarios, this flaw could be used to defeat Address
  Space Layout Randomization (ASLR). (CVE-2011-0726, Low)

* A missing initialization flaw in the sco_sock_getsockopt() function could
  allow a local, unprivileged user to cause an information leak.
  (CVE-2011-1078, Low)

* A missing validation of a null-terminated string data structure element
  in the do_replace() function could allow a local user who has the
  CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1080, Low)

* A buffer overflow flaw in the DEC Alpha OSF partition implementation in
  the Linux kernel could allow a local attacker to cause an information leak
  by mounting a disk that contains specially-crafted partition tables.
 (CVE-2011-1163, Low)

* Missing validations of null-terminated string data structure elements in
  the do_replace(), compat_do_replace(), do_ipt_get_ctl(), do_ip6t_get_ctl(),
  and do_arpt_get_ctl() functions could allow a local user who has the
  CAP_NET_ADMIN capability to cause an information leak. (CVE-2011-1170,
  CVE-2011-1171, CVE-2011-1172, Low)

* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT)
  implementation could allow a local attacker to cause a denial of service
  by mounting a disk that contains specially-crafted partition tables.
  (CVE-2011-1577, Low)

--------------------------------------------------------------------------------

3. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

4. INSTALLING NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab091.2.i686.rpm \
vzmodules-2.6.18-028stab091.2.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO boot loader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

5. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab091.2.i686.rpm
   vzmodules-2.6.18-028stab091.2.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab091.2.i686.rpm
   vzmodules-ent-2.6.18-028stab091.2.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab091.2.i686.rpm
   vzmodules-PAE-2.6.18-028stab091.2.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab091.2.x86_64.rpm
   vzmodules-2.6.18-028stab091.2.x86_64.rpm

--------------------------------------------------------------------------------

6. References

https://rhn.redhat.com/errata/RHSA-2011-0833.html
https://www.redhat.com/security/data/cve/CVE-2011-0726.html
https://www.redhat.com/security/data/cve/CVE-2011-1078.html
https://www.redhat.com/security/data/cve/CVE-2011-1079.html
https://www.redhat.com/security/data/cve/CVE-2011-1080.html
https://www.redhat.com/security/data/cve/CVE-2011-1093.html
https://www.redhat.com/security/data/cve/CVE-2011-1163.html
https://www.redhat.com/security/data/cve/CVE-2011-1166.html
https://www.redhat.com/security/data/cve/CVE-2011-1170.html
https://www.redhat.com/security/data/cve/CVE-2011-1171.html
https://www.redhat.com/security/data/cve/CVE-2011-1172.html
https://www.redhat.com/security/data/cve/CVE-2011-1494.html
https://www.redhat.com/security/data/cve/CVE-2011-1495.html
https://www.redhat.com/security/data/cve/CVE-2011-1577.html
https://www.redhat.com/security/data/cve/CVE-2011-1763.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.

35c16f1fded8e42577cb3df16429c57a d02f9caf3e11b191a38179103495106f e8e50b42231236b82df27684e7ec0beb 2897d76d56d2010f4e3a28f864d69223

Email subscription for changes to this article
Save as PDF