Article ID: 115686, created on Mar 11, 2013, last review on May 11, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.7
-----------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.7 kernel provides an update with security fixes.
Product:           Parallels Virtuozzo Containers 4.7
Keywords:          "bugfix" "security"

-----------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.7 kernel, version 2.6.32-042stab075.2.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Obtaining New Kernel
4. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.7 kernel provides a new
kernel based on the Red Hat Enterprise Linux 6.3 kernel (2.6.32-279.22.1.el6).
The updated kernel includes a number of security fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

This update contains fixes for the following issues:

* A race condition was found in the way asynchronous I/O and fallocate()
interacted when using the ext4 file system. A local, unprivileged user
could use this flaw to expose random data from an extent whose data blocks
have not yet been written, and thus contain data from a deleted file. (CVE-2012-4508)

* A flaw was found in the way the vhost kernel module handled descriptors
that spanned multiple regions. A privileged guest user in a KVM guest could
use this flaw to crash the host or, potentially, escalate their privileges
on the host. (CVE-2013-0311)

* It was found that the default SCSI command filter does not accommodate
commands that overlap across device classes. A privileged guest user could
potentially use this flaw to write arbitrary data to an LUN that is
passed-through as read-only. (CVE-2012-4542)

* A flaw was found in the way the xen_failsafe_callback() function in the
Linux kernel handled the failed iret (interrupt return) instruction
notification from the Xen hypervisor. An unprivileged user in a 32-bit
para-virtualized guest could use this flaw to crash the guest. (CVE-2013-0190)

* A flaw was found in the way pmd_present() interacted with PROT_NONE
memory ranges when transparent hugepages were in use. A local, unprivileged
user could use this flaw to crash the system. (CVE-2013-0309)

* A flaw was found in the way CIPSO (Common IP Security Option) IP options
were validated when set from user mode. A local user able to set CIPSO IP
options on the socket could use this flaw to crash the system. (CVE-2013-0310)

--------------------------------------------------------------------------------

3. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.7 distribution set.

--------------------------------------------------------------------------------

4. REFERENCES

https://rhn.redhat.com/errata/RHSA-2013-0496.html

https://www.redhat.com/security/data/cve/CVE-2012-4508.html
https://www.redhat.com/security/data/cve/CVE-2012-4542.html
https://www.redhat.com/security/data/cve/CVE-2013-0190.html
https://www.redhat.com/security/data/cve/CVE-2013-0309.html
https://www.redhat.com/security/data/cve/CVE-2013-0310.html
https://www.redhat.com/security/data/cve/CVE-2013-0311.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2013 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.

0c05f0c76fec3dd785e9feafce1099a9 2897d76d56d2010f4e3a28f864d69223 d02f9caf3e11b191a38179103495106f e8e50b42231236b82df27684e7ec0beb

Email subscription for changes to this article
Save as PDF