Article ID: 115869, created on Mar 29, 2013, last review on Mar 29, 2013

  • Applies to:
  • Virtuozzo hypervisor 5.0
Synopsis:          New Parallels Server Bare Metal 5.0 kernel provides
                   an update with security and stability fixes.
Product:           Parallels Server Bare Metal 5.0
Keywords:          'bugfix' stability' 'security'


This document provides information on the new Parallels Server Bare Metal 5.0
kernel, version 2.6.32-042stab076.5.


1. About This Release
2. Updates Description
3. Obtaining New Kernel
4. References



The current update for the Parallels Server Bare Metal 5.0 kernel provides a
new kernel based on the Red Hat Enterprise Linux 6.3 kernel
(2.6.32-279.22.1.el6).  The updated kernel includes a number of security
and stability fixes.



This update contains fixes for the following issues:

* A flaw was found in the way the xen_iret() function in the Linux kernel
  used the DS (the CPU's Data Segment) register. A local unprivileged user in
  a 32-bit para-virtualized Xen hypervisor guest could use this flaw to crash
  the guest or, potentially, escalate their privileges.
  (CVE-2013-0228, Important)

* A flaw was found in the way file permission checks for the
  "/dev/cpu/[x]/msr" files were performed in restricted root environments
  (for example, when using a capability-based security model). A local user
  with the ability to write to these files could use this flaw to escalate
  their privileges to kernel level, for example, by writing to the
  SYSENTER_EIP_MSR register. (CVE-2013-0268, Important)

* The unbalanced locking on write operations in NFS server code
  could cause random memory corruptions. (part of the fix for OVZ 2506)

* A forgotten socket write lock in case rpc_task exists early could
  cause file operations on a NFS volume to hang. (PCLIN-31604)

* A possible use-after-free of the mempolicy object on a tmpfs filesystem
  remount had been eliminated. Previously this could result in
  an unpredictable system behavior. (PSBM-18650)

* A 64-bit child process of a 32-bit parent process inside a Container reported
  i686 architecture after online migration of the Container to another
  Hardware Node. (PSBM-18085)

* The effective cpulimit restriction applied to a Container/VM could be
  more strict than expected under certain circumstances in a NUMA Node.



You can download and install this kernel update using the vzup2date utility
included in the Parallels Server Bare Metal 5.0 distribution set.



Copyright (c) 1999-2013 Parallels Holdings, Ltd. and its affiliates. All rights

c662da62f00df94fd77ba7a2c9eff4b4 2897d76d56d2010f4e3a28f864d69223 a26b38f94253cdfbf1028d72cf3a498b

Email subscription for changes to this article
Save as PDF