Article ID: 112426, created on Sep 30, 2011, last review on May 3, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.7

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.7 kernel provides an
                   update with security and stability fixes.
Issue date:        2011-09-30
Product:           Parallels Virtuozzo Containers 4.7
Keywords:          'bugfixing' 'stability' 'security'

--------------------------------------------------------------------------------

This document provides information on the new Parallels Virtuozzo Containers 4.7
kernel, version 2.6.32-042stab037.1.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Update Description
3. Obtaining a New Kernel
4. Required RPMs
5. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Virtuozzo Containers 4.7 kernel provides a
new kernel based on the Red Hat 6.1 kernel (2.6.32-131.12.1.el6). The updated
kernel includes a number of security and stability fixes.

--------------------------------------------------------------------------------

2. UPDATE DESCRIPTION

This update contains fixes for the following issues:

* Synchronization on the ext4 sync() code has been enhanced; the
  sync_filesystem() warning is not shown any more. (PCLIN-29754)

* A read operation from /proc/self/mountinfo in a Container could return
  garbage data. (PCLIN-29979)

* I/O statistics shown when disk activity is low have been enhanced.

* The error path of a kernel thread start has been fixed to avoid possible
  kernel panics that might occur when users were stopping their Containers.
  (PCLIN-30007)

* Suspending or restoring a Container where one or more processes were using
  huge pages could cause a kernel panic. (PCLIN-29999, OVZ# 1959)

* A Hardware Node could get a soft lockup on a Container restore operation
  due to a bug in the asynchronous I/O context restore code. (OVZ# 1962)

* An NFS server running in a Container could cause a kernel panic due
  to a number of bugs. (PCLIN-30002, PCLIN-30024)

* An NFS server running in a Container could lead to an infinite loop in some
  kernel threads, for example, in kthreadd, khelper, and nfsiod.
  (PCLIN-30104)

* The modification time was not updated for memory-mapped files. (PCLIN-30015)

* The OOM algorithm has been improved to skip tasks frozen by the checkpointing
  mechanism to free memory on the Node more efficiently. (PCLIN-30026)

* The Container's 'directory cache shrinking' algorithm has been enhanced to
  work more efficiently when a Container is experiencing local memory
  pressure. In addition, VZFS magic file dentries are now shrunk last of all
  to provide better performance. (PCLIN-29410)

* A livelock could occur in the memory reclaimer code when a
  Container was experiencing heavy memory pressure and had a lot of small
  objects in its memory. (PCLIN-29877)

* A Node could hang due to a possible deadlock in the scheduler code.
  (PSBM-9276, OVZ# 1954)

* The kernel bug "BUG: Bad page state in process ..." has been fixed.
  (PCLIN-29919, OVZ# 1843)

* "vzquota" has been disabled for the Hardware Node itself. This
  fixes the problem where messages similar to the following were added to logs:
  "BUG: Quota files for 0 are broken: no quota engine running". (PCLIN-30004)

* Running the 'vzcache' utility could make the kernel produce assert messages
  similar to the following:
  "WARNING: at ...fs/vefs/file.c:1119 vefs_cache_private...". (PCLIN-30005)

* A new interface for the PMC-Sierra's SRC based controller family has been
  added to the aacraid driver. (PCLIN-30060)

* A kernel BUG could be triggered on 32-bit systems due to a bug in the CFQ I/O
  scheduler. (OVZ# 1964)

* The issue with disabling the Hardware Node connection tracking functionality
  using the "ip_conntrack_disable_ve0" option of the "nf_conntrack" kernel
  module has been fixed. (PCLIN-29539)
  Note: Unlike Parallels Virtuozzo Containers 4.6, in version 4.7, the
        connection tracking functionality for the Hardware Node is enabled
        by default.

* It was impossible to access Parallels Power Panel if the last octet in
  the Container IP address was greater than 239. (PCLIN-30069)

* A kernel deadlock could occur in asynchronous I/O code if the Node
  had the "O_DIRECT" feature enabled. This feature is managed by the
  "fs.odirect_enable" sysctl and is disabled by default. (PCLIN-29989)


This update also contains fixes for the following security issues:

* Flaw in the client-side NLM implementation could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-2491, Important)

* Integer underflow in the Bluetooth implementation could allow a remote
  attacker to cause a denial of service or escalate their privileges by sending
  a specially-crafted request to a target system via Bluetooth.
  (CVE-2011-2497, Important)

* Buffer overflows in the netlink-based wireless configuration interface
  implementation could allow a local user, who has the CAP_NET_ADMIN
  capability, to cause a denial of service or escalate their privileges on
  systems that have an active wireless interface. (CVE-2011-2517, Important)

* Flaw in the way the maximum file offset was handled for ext4 file systems
  could allow a local, unprivileged user to cause a denial of service.
  (CVE-2011-2695, Important)

* Flaw allowed napi_reuse_skb() to be called on VLAN packets. An attacker
  on the local network could use this flaw to send crafted packets to a target,
  possibly causing a denial of service. (CVE-2011-1576, Moderate)

* Integer signedness error in next_pidmap() could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-1593, Moderate)

* A race condition in the memory merging support (KSM) could allow a local,
  unprivileged user to cause a denial of service. KSM is off by default, but on
  systems running VDSM, or on KVM hosts, it is likely turned on by the
  ksm/ksmtuned services. (CVE-2011-2183, Moderate)

* Flaw in inet_diag_bc_audit() could allow a local, unprivileged user to
  cause a denial of service. (CVE-2011-2213, Moderate)

* Flaw in the way space was allocated in the Global File System 2 (GFS2)
  implementation. If the file system was almost full, and a local, unprivileged
  user made an fallocate() request, it could result in a denial of service.
  Setting quotas to prevent users from using all available disk space would
  prevent exploitation of this flaw. (CVE-2011-2689, Moderate)

* Local, unprivileged users could send signals via the sigqueueinfo system
  call, with si_code set to SI_TKILL and with spoofed process and user IDs, to
  other processes. This flaw does not allow existing permission checks to be
  bypassed; signals can only be sent if your privileges allow you to already do
  so. (CVE-2011-1182, Low)

* Heap overflow in the EFI GUID Partition Table (GPT) implementation could
  allow a local attacker to cause a denial of service by mounting a disk
  containing crafted partition tables. (CVE-2011-1776, Low)

* Structure padding in two structures in the Bluetooth implementation was
  not initialized properly before being copied to user-space, possibly allowing
  local, unprivileged users to leak kernel stack memory to user-space.
  (CVE-2011-2492, Low)

* /proc/[PID]/io is world-readable by default. Previously, these files
  could be read without any further restrictions. A local, unprivileged user
  could read these files, belonging to other, possibly privileged processes to
  gather confidential information, such as the length of a password used in a
  process. (CVE-2011-2495, Low)

--------------------------------------------------------------------------------

3. OBTAINING A NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.7 distribution set.

--------------------------------------------------------------------------------

4. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 packages:

   vzkernel-2.6.32-042stab037.1.i686.rpm
   vzmodules-2.6.32-042stab037.1.i686.rpm

x86_64 packages:

   vzkernel-2.6.32-042stab037.1.x86_64.rpm
   vzmodules-2.6.32-042stab037.1.x86_64.rpm
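
One way to confirm that a Hardware Node already runs the kernel listed above, as
an added example that is not part of the original release notes. The function
names are hypothetical, and the script assumes that "uname -r" reports the
release in the form used on this page (2.6.32-042stab037.1).

```shell
#!/bin/sh
# Added example: compare a kernel release string with the fixed build
# named in these release notes.
FIXED_RELEASE="2.6.32-042stab037.1"

# Print the six numeric fields of "<a>.<b>.<c>-<NNN>stab<NNN>.<N>",
# e.g. "2 6 32 042 037 1". Fails if the string has no "stab" component,
# which is the case for a stock (non-Virtuozzo) kernel.
vz_release_fields() {
    printf '%s\n' "$1" | sed -n -E \
        's/^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+)stab([0-9]+)\.([0-9]+).*$/\1 \2 \3 \4 \5 \6/p' \
        | grep .
}

# Exit status: 0 = release is at or above the fixed build,
#              1 = release is older, 2 = not a parseable Virtuozzo release.
vz_kernel_is_fixed() {
    running=$1
    fixed=${2:-$FIXED_RELEASE}
    a=$(vz_release_fields "$running") || return 2
    b=$(vz_release_fields "$fixed") || return 2
    # awk compares field by field as decimal numbers, so the leading zeros
    # in "042" and "037" are not misread as octal (as $(( )) would do).
    printf '%s\n%s\n' "$a" "$b" | awk '
        NR == 1 { for (i = 1; i <= 6; i++) r[i] = $i + 0; next }
        { for (i = 1; i <= 6; i++) {
              if (r[i] > $i + 0) exit 0
              if (r[i] < $i + 0) exit 1
          }
          exit 0 }'
}

# Constructed sample release strings (not taken from a real host).
for rel in 2.6.32-042stab036.9 2.6.32-042stab037.1 \
           2.6.32-042stab038.2 2.6.32-131.12.1.el6; do
    rc=0
    vz_kernel_is_fixed "$rel" || rc=$?
    echo "$rel -> $rc"
done
```

On a node, call vz_kernel_is_fixed "$(uname -r)" after rebooting into the
updated kernel; a status of 1 means the node still runs a build older than the
one in this update.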

--------------------------------------------------------------------------------

5. REFERENCES

https://rhn.redhat.com/errata/RHSA-2011-1189.html
https://www.redhat.com/security/data/cve/CVE-2011-1182.html
https://www.redhat.com/security/data/cve/CVE-2011-1576.html
https://www.redhat.com/security/data/cve/CVE-2011-1593.html
https://www.redhat.com/security/data/cve/CVE-2011-1776.html
https://www.redhat.com/security/data/cve/CVE-2011-2183.html
https://www.redhat.com/security/data/cve/CVE-2011-2213.html
https://www.redhat.com/security/data/cve/CVE-2011-2491.html
https://www.redhat.com/security/data/cve/CVE-2011-2492.html
https://www.redhat.com/security/data/cve/CVE-2011-2495.html
https://www.redhat.com/security/data/cve/CVE-2011-2497.html
https://www.redhat.com/security/data/cve/CVE-2011-2517.html
https://www.redhat.com/security/data/cve/CVE-2011-2689.html
https://www.redhat.com/security/data/cve/CVE-2011-2695.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.
