Article ID: 5268, created on May 20, 2008, last review on May 6, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Resolution

--------------------------------------------------------------------------------
Synopsis: New Parallels Virtuozzo Containers 4.0 kernel provides
security updates and some other important fixes.
Issue date: 2008-05-15
Product: Parallels Virtuozzo Containers 4.0
Keywords: security updates, stability fixes
--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab053.14.

(c) Parallels, 2008. All rights reserved.

--------------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-53.1.19.EL5). The updated kernel includes
a number of security updates and important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel has been re-based on the
2.6.18-53.1.19.EL5 Red Hat kernel, which provides fixes for the following
security vulnerabilities:

- A missing protection mechanism for a critical section of code has been
found in fcntl, the Linux kernel mechanism for controlling open file
descriptors. This may allow a local unprivileged user to execute
concurrently code that would otherwise be protected against parallel
execution. In addition, a race condition in the handling of locks in the
Linux kernel fcntl functionality may allow a process belonging to a local
unprivileged user to gain reordered access to the descriptor table
(CVE-2008-1669).

- A missing protection mechanism for a critical section of code and a
race condition have been found in dnotify, the Linux kernel file system
event notifier. This may allow a local unprivileged user to get
inconsistent data or to send arbitrary signals to arbitrary system
processes (CVE-2008-1375).

- When accessing kernel memory locations, certain Linux kernel drivers
that register a fault handler do not perform the required range checks.
A local unprivileged user can use this flaw to gain read or write access to
arbitrary kernel memory or even cause a kernel crash (CVE-2008-0007).

- A flaw has been found in the handling of zombie processes. A local user can
create processes that may not be properly reaped, thus causing a denial of
service (CVE-2006-6921).

In addition, the new Virtuozzo Containers 4.0 kernel includes the following
improvements:

- The 3w-9xxx driver has been updated to the 2.26.08.003 version
and now provides support for 3ware SAS 9690SA RAID controllers.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #100727: added support for 3ware SAS 9690SA RAID controllers

- #75822: fixed some issues that caused Containers to fail to stop with the
following error message: "unregister_netdevice: waiting for lo to
become free"

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can get this kernel update in one of the following ways:

- You can download the update from ftp://downloads.swsoft.com.
If you do not have an ftp account, please contact pavel@parallels.com.

- You can download and install the update by using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

    # rpm -ivh vzkernel-2.6.18-028stab053.14.i686.rpm \
        vzmodules-2.6.18-028stab053.14.i686.rpm
    Preparing... ################################# [100%]
    1:vzkernel ################################# [50%]
    2:vzmodules ################################# [100%]

Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
all the kernels previously installed on your system may be removed from
the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
loaded by default. If you use the LILO bootloader, please do not forget to
execute the 'lilo' command to write the changes to the boot sector:

    # lilo
    Added Virtuozzo2 *
    Added Virtuozzo1
    Added linux
    Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
kernel.
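
After the reboot it is worth confirming that the Hardware Node actually booted
the updated kernel rather than an older entry left in the boot loader. The
following shell functions are an added example, not part of the original
Parallels document: they compare a kernel release string against the fixed
build 2.6.18-028stab053.14. The function names and sample strings are
constructed for illustration, and the check assumes that "uname -r" reports the
release in the same 2.6.18-028stabNNN.M form used in the package names.

```shell
#!/bin/sh
# Fixed build named in this advisory.
FIXED_RELEASE="2.6.18-028stab053.14"

# Print "<base> <branch> <stab> <build>" for a release such as
# 2.6.18-028stab053.14; leading zeros are dropped from the two numeric
# fields and any text after the build number is ignored.
# Returns 1 if the string is not in that form.
vz_parse_release() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9.]*\)-\([0-9]\{3\}\)stab0*\([0-9]\{1,\}\)\.0*\([0-9]\{1,\}\).*$/\1 \2 \3 \4/p')
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# Exit status: 0 = release $1 is at or above $2 (default: FIXED_RELEASE),
#              1 = older, 2 = not comparable (different base or branch,
#                  or not a stab-style release string at all).
vz_kernel_is_fixed() {
    cur=$(vz_parse_release "$1") || return 2
    ref=$(vz_parse_release "${2:-$FIXED_RELEASE}") || return 2
    set -- $cur $ref          # $1-$4 = current fields, $5-$8 = reference
    [ "$1" = "$5" ] && [ "$2" = "$6" ] || return 2
    # Compare numerically: as plain strings "053.5" would sort above "053.14".
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# Constructed sample release strings; on a Hardware Node pass "$(uname -r)".
for r in 2.6.18-028stab053.14 2.6.18-028stab053.5 2.6.18-53.1.19.el5; do
    rc=0
    vz_kernel_is_fixed "$r" || rc=$?
    case $rc in
        0) echo "$r: at or above $FIXED_RELEASE" ;;
        1) echo "$r: older than $FIXED_RELEASE, update required" ;;
        *) echo "$r: not comparable with $FIXED_RELEASE" ;;
    esac
done
```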

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor installed on your Hardware Node, the
following RPM packages are included in the kernel update:

x86 kernels:

- SMP:
vzkernel-2.6.18-028stab053.14.i686.rpm
vzmodules-2.6.18-028stab053.14.i686.rpm

- Enterprise:
vzkernel-ent-2.6.18-028stab053.14.i686.rpm
vzmodules-ent-2.6.18-028stab053.14.i686.rpm

- Enterprise with the 4GB split feature disabled:
vzkernel-PAE-2.6.18-028stab053.14.i686.rpm
vzmodules-PAE-2.6.18-028stab053.14.i686.rpm


x86_64 kernels:

- SMP:
vzkernel-2.6.18-028stab053.14.x86_64.rpm
vzmodules-2.6.18-028stab053.14.x86_64.rpm

ia64 kernel:
vzkernel-2.6.18-028stab053.14.ia64.rpm
vzmodules-2.6.18-028stab053.14.ia64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

- https://rhn.redhat.com/errata/RHSA-2008-0233.html

- https://rhn.redhat.com/errata/RHSA-2008-0154.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1669

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1375

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0007

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6921
