Article ID: 111718, created on Jul 25, 2011, last review on May 10, 2014

Applies to:

  • Virtuozzo containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides an
                   update with security and stability fixes.
Issue date:        2011-07-25
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          'bugfixing' 'stability' 'security'

--------------------------------------------------------------------------------

This document provides information on the new Parallels Virtuozzo Containers 4.0
kernel, version 2.6.18-028stab092.1.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Update Description
3. Obtaining The New Kernel
4. Installing The New Kernel
5. Required RPMs
6. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Virtuozzo Containers 4.0 kernel provides a
new kernel based on the Red Hat 5.6 kernel (2.6.18-238.19.1.el5). The updated
kernel includes a number of security and stability fixes.

--------------------------------------------------------------------------------

2. UPDATE DESCRIPTION

This update contains fixes for the following issues:

* On a Hardware Node running a 64-bit host operating system, Containers with
  32-bit guest operating systems could fail to load some ip6tables rules.
  (PCLIN-29237)

* The "quotacheck" utility could fail to work inside a Container based
  on a modern OS template. (OpenVZ bug #1904)

* A kernel panic could occur if a Container was started before the "ipv6"
  module was loaded. (PCLIN-29142)


This update also contains fixes for the following security issues:

* An integer overflow flaw in ib_uverbs_poll_cq() could allow a local,
  unprivileged user to cause a denial of service or escalate their
  privileges. (CVE-2010-4649, Important)

* A race condition in the way new InfiniBand connections were set up could
  allow a remote user to cause a denial of service.
  (CVE-2011-0695, Important)

* A flaw in the Stream Control Transmission Protocol (SCTP) implementation
  could allow a remote attacker to cause a denial of service if the sysctl
  "net.sctp.addip_enable" variable was turned on (it is off by default).
  (CVE-2011-1573, Important)

* Flaws in the AGPGART driver implementation when handling certain IOCTL
  commands could allow a local, unprivileged user to cause a denial of
  service or escalate their privileges.
  (CVE-2011-1745, CVE-2011-2022, Important)

* An integer overflow flaw in agp_allocate_memory() could allow a local,
  unprivileged user to cause a denial of service or escalate their
  privileges. (CVE-2011-1746, Important)

* A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)
  packets. An attacker on the local network could trigger this flaw by
  sending specially-crafted packets to a target system, possibly causing a
  denial of service. (CVE-2011-1576, Moderate)

* An integer signedness error in next_pidmap() could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)

* A flaw in the way the Xen hypervisor implementation handled CPUID
  instruction emulation during virtual machine exits could allow an
  unprivileged guest user to crash a guest. This only affects systems that
  have an Intel x86 processor with the Intel VT-x extension enabled.
  (CVE-2011-1936, Moderate)

* A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to
  cause a denial of service (infinite loop). (CVE-2011-2213, Moderate)

* A missing initialization flaw in the XFS file system implementation
  could lead to an information leak. (CVE-2011-0711, Low)

* A flaw in ib_uverbs_poll_cq() could allow a local, unprivileged user to
  cause an information leak. (CVE-2011-1044, Low)

* A missing validation check was found in the signals implementation. A
  local, unprivileged user could use this flaw to send signals via the
  sigqueueinfo system call, with the si_code set to SI_TKILL and with spoofed
  process and user IDs, to other processes.
  Note: This flaw does not allow existing permission checks to be bypassed;
  signals can only be sent if your privileges allow you to already do so.
  (CVE-2011-1182, Low)

* A heap overflow flaw in the EFI GUID Partition Table (GPT) implementation
  could allow a local attacker to cause a denial of service by mounting a
  disk containing specially-crafted partition tables. (CVE-2011-1776, Low)

* Structure padding in two structures in the Bluetooth implementation
  was not initialized properly before being copied to user-space, possibly
  allowing local, unprivileged users to leak kernel stack memory to
  user-space. (CVE-2011-2492, Low)

--------------------------------------------------------------------------------

3. OBTAINING THE NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

4. INSTALLING THE NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab092.1.i686.rpm \
vzmodules-2.6.18-028stab092.1.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
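
After the reboot in step III, it is worth confirming that the node actually
booted the fixed build rather than an older kernel still selected in the boot
loader. The script below is an added example, not part of the original release
notes or of the Virtuozzo tooling. It assumes the running kernel's release
string has the same shape as the package version (2.6.18-028stab092.1,
optionally followed by a flavour suffix); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the fixed build
# named in these release notes.
FIXED_RELEASE="2.6.18-028stab092.1"

# Split "2.6.18-028stab092.1[-flavour]" into "base branch stab minor".
# Prints nothing when the string does not follow that scheme
# (for example a stock Red Hat kernel such as 2.6.18-238.19.1.el5).
stab_fields() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9.]*\)-\([0-9][0-9]*\)stab\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3 \4/p'
}

# Exit status 0: release is at or above the fixed build
#             1: release is older
#             2: not comparable (other scheme or other upstream base)
kernel_is_fixed() {
    cur=$(stab_fields "$1")
    ref=$(stab_fields "${2:-$FIXED_RELEASE}")
    [ -n "$cur" ] && [ -n "$ref" ] || return 2
    printf '%s %s\n' "$cur" "$ref" | awk '{
        if (($1 "") != ($5 "")) exit 2     # different upstream base version
        for (i = 2; i <= 4; i++) {         # numeric compare: "092" means 92
            if ($i + 0 > $(i + 4) + 0) exit 0
            if ($i + 0 < $(i + 4) + 0) exit 1
        }
        exit 0
    }'
}

# Print a one-line verdict for the given release string.
report() {
    rc=0
    kernel_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "$1: at or above $FIXED_RELEASE" ;;
        1) echo "$1: older than $FIXED_RELEASE, the update is not booted" ;;
        *) echo "$1: not comparable with $FIXED_RELEASE" ;;
    esac
    return $rc
}

# Typical use on the Hardware Node:  sh check_kernel.sh "$(uname -r)"
if [ $# -gt 0 ]; then report "$1"; fi
```

A non-zero exit status after the reboot usually means the boot loader default
from step II still points at a previously installed kernel.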

--------------------------------------------------------------------------------

5. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab092.1.i686.rpm
   vzmodules-2.6.18-028stab092.1.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab092.1.i686.rpm
   vzmodules-ent-2.6.18-028stab092.1.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab092.1.i686.rpm
   vzmodules-PAE-2.6.18-028stab092.1.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab092.1.x86_64.rpm
   vzmodules-2.6.18-028stab092.1.x86_64.rpm

--------------------------------------------------------------------------------

6. REFERENCES

https://rhn.redhat.com/errata/RHSA-2011-0927.html
https://www.redhat.com/security/data/cve/CVE-2010-4649.html
https://www.redhat.com/security/data/cve/CVE-2011-0695.html
https://www.redhat.com/security/data/cve/CVE-2011-0711.html
https://www.redhat.com/security/data/cve/CVE-2011-1044.html
https://www.redhat.com/security/data/cve/CVE-2011-1182.html
https://www.redhat.com/security/data/cve/CVE-2011-1573.html
https://www.redhat.com/security/data/cve/CVE-2011-1576.html
https://www.redhat.com/security/data/cve/CVE-2011-1593.html
https://www.redhat.com/security/data/cve/CVE-2011-1745.html
https://www.redhat.com/security/data/cve/CVE-2011-1746.html
https://www.redhat.com/security/data/cve/CVE-2011-1776.html
https://www.redhat.com/security/data/cve/CVE-2011-1936.html
https://www.redhat.com/security/data/cve/CVE-2011-2022.html
https://www.redhat.com/security/data/cve/CVE-2011-2213.html
https://www.redhat.com/security/data/cve/CVE-2011-2492.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.
