Article ID: 5966, created on Jan 16, 2009, last review on May 9, 2014

Applies to: Virtuozzo containers for Linux 4.0

Resolution

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides a
                   number of security updates and some other important fixes.
Issue date:        2009-01-15
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          security updates, stability fixes
--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab060.2.

(c) Parallels, 2009. All rights reserved.

-----------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-92.1.18.el5). The updated kernel includes
a number of security updates and some important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-92.1.18.el5 and 2.6.18-92.1.22.el5 Red Hat kernels):

  - Tavis Ormandy reported missing boundary checks in the Virtual Dynamic
    Shared Objects (vDSO) implementation. This could allow a local unprivileged
    user to cause a denial of service or escalate privileges. (CVE-2008-3527,
    Important)

  - The do_truncate() and generic_file_splice_write() functions did not clear
    the setuid and setgid bits. This could allow a local unprivileged user to
    obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833,
    Important)

  - A flaw was found in the Linux kernel splice implementation. This could
    cause a local denial of service if a certain failure occurred in the
    add_to_page_cache_lru() function. (CVE-2008-4302, Important)

  - A flaw was found in the Linux kernel when running on AMD64 systems.
    During a context switch, EFLAGS might be neither saved nor restored. This
    could allow a local unprivileged user to cause a denial of service.
    (CVE-2006-5755, Low)

  - A flaw was found in the Linux kernel virtual memory implementation. This
    could allow a local unprivileged user to cause a denial of service.
    (CVE-2008-2372, Low)

  - An integer overflow was discovered in the Linux kernel Datagram
    Congestion Control Protocol (DCCP) implementation. This could allow a
    remote attacker to cause a denial of service. (CVE-2008-3276, Low)

  - Olaf Kirch reported a flaw in the i915 kernel driver. This flaw might
    lead to a local privilege escalation.
    Note: The flaw affects only systems based on the Intel G33 and newer
    Express Chipsets. (CVE-2008-3831, Important)

  - Miklos Szeredi reported a missing check for files opened with O_APPEND in
    sys_splice(). This could allow a local unprivileged user to bypass the
    append-only file restrictions. (CVE-2008-4554, Important)

  - A flaw was found in the "ipip" module virtualization. Network packets of
    certain types could cause a kernel panic.


The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
issues:

  - [CPT]: The process of restoring a Container might fail if the Container had
    the ext2 or ext3 filesystem mounted from inside this Container.

  - [CPT]: A kernel crash could happen due to an incorrect handling of iterative
    migration errors.

  - [CPT]: kmemsize could leak if certain errors occurred when checkpointing a
    Container with the overmounted /dev/null directory.

  - A kernel crash could happen when the LTSP client tried to use the audio
    device.


The new Virtuozzo Containers 4.0 kernel also includes the following
improvements:

  - Swapping inside a Container has been partially virtualized. This simplifies
    the process of installing software that requires the swap partition to be
    present, for example, Oracle 11.
    Note: This functionality requires support from userspace tools.

  - In the bridged mode, the network performance between Containers and between
    a Container and the Hardware Node has been significantly improved.

  - If VZQUOTA is enabled, a warning now appears when attempting to export the
    /vz subdirectories over NFS.

  - /proc/mounts inside a Container has been changed to report "/dev/vzfs" as
    a device for the root partition instead of just "vzfs". This allows "autofs"
    to work properly in Containers based on modern templates (including RHEL5).

  - Audit capabilities handling has been reworked to make D-BUS operate inside
    a Container.
    Note: The AUDIT subsystem itself is still disabled inside a Container.


We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #266316: Kernel panics in the "ipip" code while accessing uninitialized
           structures.

- #131737: [CPT]: prohibit checkpointing if a Container contains the ext2/ext3
           filesystem mounted inside it because restoring such a Container
           is impossible at the moment.

- #128474: [CPT]: improper length modifier in iterative migration error reports.

- #130958: [CPT]: kmemsize leaks when checkpointing the overmounted /dev/null
           device.

- #132768: A kernel panic occurs due to a non-virtualized pid use in pi_futex 
           code.

- #115800: Oracle 11 requires swap information inside a Container.

- #129292: Slow network performance in Containers that work in bridged mode.

- #121508: The "utimensat" syscall returns -EFAULT.

- #126782: "autofs" does not create the top directory automatically inside
           RHEL5-based Containers.

- #117448: D-BUS does not work inside a Container.


The following OpenVZ bugs have been fixed:

-  #972: Compilation errors when the CONFIG_SECCOMP option is enabled.

- #1027: The register_cpu_notifier() function, which some third-party drivers
         need in order to build against the OpenVZ kernel, was missing.

- #1086: Subdirectories of /vz cannot be exported over NFS.

- #1048: Compilation fails if CONFIG_UBC_DEBUG_KMEM is enabled.

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install the kernel update by using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab060.2.i686.rpm \
vzmodules-2.6.18-028stab060.2.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uvh" command to install the kernel. An upgrade
    (-U) may remove all the kernels previously installed on the Hardware Node,
    leaving no known-good kernel to fall back to.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab060.2.i686.rpm
   vzmodules-2.6.18-028stab060.2.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab060.2.i686.rpm
   vzmodules-ent-2.6.18-028stab060.2.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab060.2.i686.rpm
   vzmodules-PAE-2.6.18-028stab060.2.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab060.2.x86_64.rpm
   vzmodules-2.6.18-028stab060.2.x86_64.rpm

ia64 kernel:
   vzkernel-2.6.18-028stab060.2.ia64.rpm
   vzmodules-2.6.18-028stab060.2.ia64.rpm
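The following POSIX shell script is an added example and is not part of this
advisory or of the Parallels tool set. It turns two things the document states
into checks an administrator can run: whether a node's running kernel already
carries the 2.6.18-028stab060.2 fixes from section 2, and whether both packages
of a vzkernel/vzmodules pair from section 6 are present before the single
"rpm -ivh" of section 5. It assumes that "uname -r" on a Virtuozzo 4.0 node
reports a string of the form "2.6.18-028stab060.2", optionally followed by a
flavour suffix such as "-ent"; the function and variable names are the
example's own.

```shell
#!/bin/sh
# Added example, not part of the Parallels advisory.
# Assumption: `uname -r` on a Virtuozzo 4.0 node looks like
# "2.6.18-028stab060.2" (a trailing flavour suffix such as "-ent" is tolerated).

FIXED_KERNEL="2.6.18-028stab060.2"   # the release this advisory ships

# Print "<stab major> <stab minor>" for a Virtuozzo kernel version string,
# e.g. "2.6.18-028stab060.2-ent" -> "60 2". Returns 1 for anything that is
# not a 2.6.18 stab kernel, so callers never compare unrelated strings
# (a stock Red Hat "2.6.18-92.1.18.el5" is reported as unknown, not as old).
vz_stab_parts() {
    case "$1" in
        2.6.18-*stab*) ;;
        *) return 1 ;;
    esac
    rest="${1##*stab}"                       # "060.2-ent"
    case "$rest" in *.*) ;; *) return 1 ;; esac
    rawmajor="${rest%%.*}"                   # "060"
    rawminor="${rest#*.}"                    # "2-ent"
    rawminor="${rawminor%%[!0-9]*}"          # "2"
    case "$rawmajor" in ''|*[!0-9]*) return 1 ;; esac
    case "$rawminor" in ''|*[!0-9]*) return 1 ;; esac
    # Strip leading zeros with sed rather than $((...)): "060" would be read
    # as octal by some shells' arithmetic.
    major=$(printf '%s\n' "$rawmajor" | sed 's/^0*//'); major="${major:-0}"
    minor=$(printf '%s\n' "$rawminor" | sed 's/^0*//'); minor="${minor:-0}"
    printf '%s %s\n' "$major" "$minor"
}

# Print "yes" (exit 0) when version $1 is at or above FIXED_KERNEL, "no"
# (exit 1) when it is older, "unknown" (exit 2) when it cannot be parsed.
vz_kernel_fixed() {
    cur=$(vz_stab_parts "$1") || { echo unknown; return 2; }
    fix=$(vz_stab_parts "$FIXED_KERNEL")
    cur_major=${cur% *}; cur_minor=${cur#* }
    fix_major=${fix% *}; fix_minor=${fix#* }
    if [ "$cur_major" -gt "$fix_major" ] ||
       { [ "$cur_major" -eq "$fix_major" ] && [ "$cur_minor" -ge "$fix_minor" ]; }; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Pre-flight for step I of section 5: the vzkernel and vzmodules packages for
# one flavour ("" for SMP, "ent" or "PAE") and one architecture must both be
# in directory $1, since the advisory installs them in a single "rpm -ivh".
# Names follow the section 6 list. Exit 0 when both files exist, 1 otherwise.
vz_update_pair_present() {
    dir="$1"; flavour="$2"; arch="$3"
    suffix=${flavour:+-$flavour}             # "" or "-ent"
    kernel="$dir/vzkernel$suffix-$FIXED_KERNEL.$arch.rpm"
    modules="$dir/vzmodules$suffix-$FIXED_KERNEL.$arch.rpm"
    missing=0
    for f in "$kernel" "$modules"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
    return $missing
}

# Stand-alone run: report the status of the running kernel.
running=$(uname -r)
status=$(vz_kernel_fixed "$running" || true)
printf 'running kernel %s: fixes from %s present: %s\n' \
    "$running" "$FIXED_KERNEL" "$status"
```

A node that reports "no" should be updated with the pair check passing first,
e.g. `vz_update_pair_present /root/updates "" x86_64 && rpm -ivh ...`; a node
reporting "unknown" is not running a Virtuozzo stab kernel at all and the
result should be investigated rather than treated as patched.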

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

- https://rhn.redhat.com/errata/RHSA-2008-0957.html

- https://rhn.redhat.com/errata/RHSA-2008-1017.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3527

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3833

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4302

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5755

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2372

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3276

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3831

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4554
