Article ID: 112896, created on Nov 25, 2011, last review on May 11, 2014

Applies to: Virtuozzo containers for Linux 4.6

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.6 kernel provides an
                   update with security and stability fixes.
Issue date:        2011-11-25
Product:           Parallels Virtuozzo Containers 4.6
Keywords:          'bugfixing' 'stability' 'security'

--------------------------------------------------------------------------------

This document provides information on the new Parallels Virtuozzo Containers 4.6
kernel, version 2.6.18-028stab095.1.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Update Description
3. Obtaining New Kernel
4. Installing New Kernel
5. Required RPMs
6. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Virtuozzo Containers 4.6 kernel provides a
new kernel based on the Red Hat 5.7 kernel (2.6.18-274.7.1.el5). The updated
kernel includes a number of security and stability fixes.

--------------------------------------------------------------------------------

2. UPDATE DESCRIPTION

This update contains fixes for the following issues:

* Creating an Acronis-based backup on a Node with a resized (shrunk) /vz
  partition could lead to a kernel panic. (PCLIN-29707)

* After migrating a Container using the online migration type, the logging of
  messages (syslog) in the Container could get broken for unprivileged users
  if the Container was running the 'udev' manager. (PCLIN-30135)


This update also contains fixes for the following security issues:

* The maximum file offset handling for ext4 file systems could allow a
  local, unprivileged user to cause a denial of service. (CVE-2011-2695,
  Important)

* IPv6 fragment identification value generation could allow a remote
  attacker to disrupt a target system's networking, preventing legitimate users
  from accessing its services. (CVE-2011-2699, Important)

* A malicious CIFS (Common Internet File System) server could send a
  specially-crafted response to a directory read request that would result in a
  denial of service or privilege escalation on a system that has a CIFS share
  mounted. (CVE-2011-3191, Important)

* A local attacker could use mount.ecryptfs_private to mount (and then
  access) a directory they would otherwise not have access to. Note: To correct
  this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed.
  (CVE-2011-1833, Moderate)

* A flaw in the taskstats subsystem could allow a local, unprivileged user
  to cause excessive CPU time and memory use. (CVE-2011-2484, Moderate)

* Mapping expansion handling could allow a local, unprivileged user to
  cause a denial of service. (CVE-2011-2496, Moderate)

* GRO (Generic Receive Offload) fields could be left in an inconsistent
  state. An attacker on the local network could use this flaw to cause a denial
  of service. GRO is enabled by default in all network drivers that support it.
  (CVE-2011-2723, Moderate)

* RHSA-2011:1065 introduced a regression in the Ethernet bridge
  implementation. If a system had an interface in a bridge, and an attacker on
  the local network could send packets to that interface, they could cause a
  denial of service on that system. Xen hypervisor and KVM (Kernel-based
  Virtual Machine) hosts often deploy bridge interfaces. (CVE-2011-2942,
  Moderate)

* A flaw in the Xen hypervisor IOMMU error handling implementation could
  allow a privileged guest user, within a guest operating system that has
  direct control of a PCI device, to cause performance degradation on the host
  and possibly cause it to hang. (CVE-2011-3131, Moderate)

* IPv4 and IPv6 protocol sequence number and fragment ID generation could
  allow a man-in-the-middle attacker to inject packets and possibly hijack
  connections. Protocol sequence numbers and fragment IDs are now more random.
  (CVE-2011-3188, Moderate)

* A flaw in the kernel's clock implementation could allow a local,
  unprivileged user to cause a denial of service. (CVE-2011-3209, Moderate)

* Non-member VLAN (virtual LAN) packet handling for interfaces in
  promiscuous mode and also using the be2net driver could allow an attacker on
  the local network to cause a denial of service. (CVE-2011-3347, Moderate)

* A flaw in the auerswald USB driver could allow a local, unprivileged user
  to cause a denial of service or escalate their privileges by inserting a
  specially-crafted USB device. (CVE-2009-4067, Low)

* A flaw in the Trusted Platform Module (TPM) implementation could allow a
  local, unprivileged user to leak information to user space. (CVE-2011-1160,
  Low)

* A local, unprivileged user could possibly mount a CIFS share that
  requires authentication without knowing the correct password if the mount was
  already mounted by another local user. (CVE-2011-1585, Low)


--------------------------------------------------------------------------------

3. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.6 distribution set.

--------------------------------------------------------------------------------

4. INSTALLING NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab095.1.i686.rpm \
vzmodules-2.6.18-028stab095.1.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
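
A post-reboot check for the procedure above, added here as an example and not part of the Parallels release note: it compares a kernel release string against 2.6.18-028stab095.1 and flags nodes still on an older or non-Virtuozzo kernel. The sample inventory, its hostnames and the older release in it are constructed, and the "-ent"/"-PAE" suffix form of `uname -r` output is an assumption.

```shell
#!/bin/sh
REQUIRED="2.6.18-028stab095.1"   # fixed kernel version from this release note

# kernel_is_patched RELEASE [MINIMUM]
# Exit 0: RELEASE >= MINIMUM; 1: older; 2: not a 2.6.18 "stab" kernel string.
kernel_is_patched() {
    awk -v have="$1" -v need="${2:-$REQUIRED}" '
      function key(s,   p) {
          if (!match(s, /^2\.6\.18-[0-9]+stab[0-9]+\.[0-9]+/)) return -1
          # Drop the 7-character "2.6.18-" prefix, leaving e.g. "028stab095.1".
          split(substr(s, 8, RLENGTH - 7), p, /stab|\./)
          # Numeric compare, so "095" is 95 and is never parsed as octal.
          return p[1] * 1000000 + p[2] * 1000 + p[3]   # assumes fields < 1000
      }
      BEGIN {
          h = key(have); n = key(need)
          if (h < 0 || n < 0) exit 2
          exit ((h >= n) ? 0 : 1)
      }' </dev/null
}

# audit_nodes: read "hostname release" lines on stdin, print nodes not on the fixed kernel.
audit_nodes() {
    while read -r host release; do
        [ -n "$host" ] || continue
        rc=0; kernel_is_patched "$release" || rc=$?
        case $rc in
            0) ;;
            1) echo "$host OUTDATED $release" ;;
            *) echo "$host UNKNOWN $release" ;;
        esac
    done
}

# Constructed inventory (hostnames and the 094.3 release are made up for the example).
SAMPLE='node1 2.6.18-028stab095.1
node2 2.6.18-028stab094.3-ent
node3 2.6.18-274.7.1.el5
node4 2.6.18-028stab095.1-PAE'

# Run with --local to check the kernel this node is running now.
if [ "${1:-}" = "--local" ]; then
    kernel_is_patched "$(uname -r)" && echo "patched" || echo "reboot or update needed"
fi
```

An UNKNOWN result for a stock Red Hat release such as 2.6.18-274.7.1.el5 means the node booted a non-Virtuozzo kernel, which usually points at the boot loader default from step II.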

--------------------------------------------------------------------------------

5. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab095.1.i686.rpm
   vzmodules-2.6.18-028stab095.1.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab095.1.i686.rpm
   vzmodules-ent-2.6.18-028stab095.1.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab095.1.i686.rpm
   vzmodules-PAE-2.6.18-028stab095.1.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab095.1.x86_64.rpm
   vzmodules-2.6.18-028stab095.1.x86_64.rpm

--------------------------------------------------------------------------------

6. REFERENCES

https://rhn.redhat.com/errata/RHSA-2011-1386.html
https://www.redhat.com/security/data/cve/CVE-2009-4067.html
https://www.redhat.com/security/data/cve/CVE-2011-1160.html
https://www.redhat.com/security/data/cve/CVE-2011-1585.html
https://www.redhat.com/security/data/cve/CVE-2011-1833.html
https://www.redhat.com/security/data/cve/CVE-2011-2484.html
https://www.redhat.com/security/data/cve/CVE-2011-2496.html
https://www.redhat.com/security/data/cve/CVE-2011-2695.html
https://www.redhat.com/security/data/cve/CVE-2011-2699.html
https://www.redhat.com/security/data/cve/CVE-2011-2723.html
https://www.redhat.com/security/data/cve/CVE-2011-2942.html
https://www.redhat.com/security/data/cve/CVE-2011-3131.html
https://www.redhat.com/security/data/cve/CVE-2011-3188.html
https://www.redhat.com/security/data/cve/CVE-2011-3191.html
https://www.redhat.com/security/data/cve/CVE-2011-3209.html
https://www.redhat.com/security/data/cve/CVE-2011-3347.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.
