Article ID: 115868, created on Mar 29, 2013, last review on Apr 12, 2013

Applies to:

  • Virtuozzo containers for Linux 4.7
Synopsis:          New Parallels Virtuozzo Containers 4.7 kernel provides an update with performance and stability fixes.
Product:           Parallels Virtuozzo Containers 4.7
Keywords:          "bugfix" "stability" "security"


This document provides information on the new Virtuozzo Containers 4.7 kernel, version 2.6.32-042stab076.5.


1. About This Release
2. Updates Description
3. Obtaining New Kernel
4. References



1. About This Release

The current update for the Virtuozzo Containers 4.7 kernel provides a new
kernel based on the Red Hat Enterprise Linux 6.3 kernel (2.6.32-279.22.1.el6).
The updated kernel includes a number of security and stability fixes.



2. Updates Description

This update contains fixes for the following issues:

* A flaw was found in the way the xen_iret() function in the Linux kernel
  used the DS (the CPU's Data Segment) register. A local unprivileged user in
  a 32-bit para-virtualized Xen hypervisor guest could use this flaw to crash
  the guest or, potentially, escalate their privileges. (CVE-2013-0228, Important)

* A flaw was found in the way file permission checks for the
  "/dev/cpu/[x]/msr" files were performed in restricted root environments
  (for example, when using a capability-based security model). A local user
  with the ability to write to these files could use this flaw to escalate
  their privileges to kernel level, for example, by writing to the
  SYSENTER_EIP_MSR register. (CVE-2013-0268, Important)

* Unbalanced locking on write operations in the NFS server code
  could cause random memory corruption. (Part of the fix for OVZ 2506)

* A forgotten socket write lock that occurred if an rpc_task exited early could
  cause file operations on an NFS volume to hang. (PCLIN-31604)

* A possible use-after-free of the mempolicy object on a tmpfs filesystem
  remount has been eliminated. Previously, this could result in unpredictable
  system behavior. (PSBM-18650)

* A 64-bit child process of a 32-bit parent process inside a Container would report
  i686 architecture after online migration of the Container to another
  Hardware Node. (PSBM-18085)

* The effective cpulimit restriction applied to a Container/VM could be
  stricter than expected under certain circumstances in a NUMA Node. (PSBM-17399)



3. Obtaining New Kernel

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.7 distribution set.
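
To confirm that a Hardware Node has booted this build or a later one after the update, the kernel release string can be compared field by field with 2.6.32-042stab076.5. The script below is an added example, not part of the original article or of Parallels tooling; its function names are hypothetical, and it assumes `uname -r` reports the layout seen in this article's version string and that a release with a different base or branch number is not comparable with this build.

```shell
#!/bin/sh
FIXED_KERNEL="2.6.32-042stab076.5"   # build named in this article

# vz_kernel_cmp A B: print -1, 0 or 1 (A older than, equal to, newer than B).
# Exit status 2 if either string does not match the assumed layout
# <base>-<branch>stab<build>[.<minor>...].
vz_kernel_cmp() {
    awk -v a="$1" -v b="$2" '
    function fields(v, out) {
        if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+-[0-9]+stab[0-9]+(\.[0-9]+)*$/) return -1
        gsub(/-|stab/, ".", v)      # 2.6.32-042stab076.5 becomes 2.6.32.042.076.5
        return split(v, out, ".")
    }
    BEGIN {
        na = fields(a, fa); nb = fields(b, fb)
        if (na < 0 || nb < 0) exit 2
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0   # numeric, so 076.10 sorts after 076.5
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x != y) { r = (x < y) ? -1 : 1; print r; exit 0 }
        }
        print 0
    }'
}

# vz_kernel_status RELEASE: print ok, needs-update, other-branch or unknown.
vz_kernel_status() {
    r=$(vz_kernel_cmp "$1" "$FIXED_KERNEL") || { echo unknown; return 2; }
    # Assumption: only releases sharing the base and branch prefix are ordered.
    if [ "${1%stab*}" != "${FIXED_KERNEL%stab*}" ]; then
        echo other-branch; return 0
    fi
    if [ "$r" = "-1" ]; then echo needs-update; else echo ok; fi
}

# Constructed sample release strings (not from a real node), then this host.
for k in 2.6.32-042stab072.10 2.6.32-042stab076.5 2.6.32-042stab076.10 "$(uname -r)"; do
    printf '%s\t%s\n' "$k" "$(vz_kernel_status "$k" || true)"
done
```

A result of `unknown` means the release string did not match the assumed layout and the node has to be checked by hand.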



Copyright (c) 1999-2013 Parallels Holdings, Ltd. and its affiliates. All rights
