Article ID: 6305, created on May 7, 2009, last review on May 11, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Resolution

----------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides a
                   number of important stability fixes and security updates.
Issue date:        2009-05-05
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          'stability fixes' 'security updates'

----------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 
kernel, version 2.6.18-028stab062.3.

1999-2009 Parallels Holdings, Ltd. and its affiliates. All rights reserved.

----------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-128.1.1.el5). The updated kernel includes
a number of important security updates and stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the 2.6.18-128.el5
and 2.6.18-128.1.1.el5 Red Hat kernels):

- A flaw could occur when handling heavy network traffic on an SMP system with
  many cores. An attacker could send a large amount of network traffic, thus
  creating a denial of service.
  (CVE-2008-5713, Important)

- A memory leak could occur in keyctl handling. A local user could use this flaw
  to deplete kernel memory, eventually leading to a denial of service.
  (CVE-2009-0031, Important)

- When fput() was called to close a socket, the __scm_destroy() function in
  the Linux kernel could make indirect recursive calls to itself. This could
  potentially lead to a denial of service.
  (CVE-2008-5029, Important)

- A race condition was found in the Linux kernel "inotify" watch removal and
  umount implementation. This could allow a local, unprivileged user to cause
  a privilege escalation or a denial of service.
  (CVE-2008-5182, Important)

- A flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local
  unprivileged user could use the flaw to listen on the same socket more than
  once, possibly causing a denial of service.
  (CVE-2008-5079, Important)

- Local users could cause a denial of service ("soft lockup" and process loss)
  via a large number of sendmsg function calls, which is not blocked during
  AF_UNIX garbage collection and triggers an OOM condition.
  (CVE-2008-5300, Important)


The updated Parallels Virtuozzo Containers 4.0 kernel includes fixes for the
following issues:

- An application using a futex may hang if it was started on a Hardware Node
  running the 32-bit Enterprise kernel.

- Some hardware NFS servers can generate inode numbers within a full 32-bit
  range. In this case mounting a Container private area that resides on NFS
  may fail. This problem was resolved for 64-bit kernels. On Hardware Nodes
  with 32-bit kernels, the Container template and private areas must reside
  on the same superblock.

- Migrating a Container from a Hardware Node having the SLM mode disabled to
  a Node where this mode is enabled may fail.

- Checkpointing a Container may fail if a particular process opens
  /proc// and the process with this  dies afterwards.

- If the migration process fails in the stage of restoring a shared memory
  segment, the operation cannot be stopped and rolled back.

- Stopping Containers having NFS mounts inside may lead to a Hardware Node
  hang-up or crash.

- Due to a race condition, a crash may occur when using netconsole.

- A leak may occur when adding a second Ethernet device to the bridge.

- In '/vz over GFS' configurations, the creating template cache process may
  either lead to a bug or sleep in D-state forever.

- An unexpected panic may occur when TCP Low Priority Congestion control
  module (tcp_lp) is loaded on the Hardware Node

- Connecting to the ftp daemon running inside a Container may lead to a panic on
  the Hardware Node.

- A failure may occur when performing the LTP read02 test case.


The new Virtuozzo Containers 4.0 kernel also includes the following improvements:

- New system calls for 'Fedora 10'-based Containers were added.

- A number of NFS improvements from the mainstream were backported.

- GFS was updated from version 0.1.23-5.el5_2.2 to 0.1.31_3.el5.

- The DRBD driver was updated to version 8.3.0.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #131067: Add system calls for 'Fedora 10'-based Containers.

- #128997: futex_atomic_op_inuser() for 4GB-split kernels takes the down_read
           semaphore twice.

- #270318: Use real inode numbers.

- #266929: Impossible to migrate a Container from a non-SLM to an SLM Node.

- #116787: Restart local_kernel_thread in case of -ERESTARTNOINTR.

- #268163: Stop the migration if shm restoration failed.

- #423262: __rpc_execute() should hold ve_struct when stopping a Container with
           NFS inside.

- #270470: Abort NFS in Container's init do_exit() code before waiting for
           processes exit.

- #270851: clnt and serv should hold ve_struct reference.

- #271690: Stopping a Container with NFS inside may stick due to sleeping with
           sb_lock.

- #424458: rpciod deadlock: include NFS improvements from mainstream.
  #423245

- #423216: Upgrade GFS from version 0.1.23-5.el5_2.2 to 0.1.31_3.el5.
  #425431

- #119814: read02 failure must be fixed.

- #266567: Fix a race between the poll_napi and net_rx_actions.


The following OpenVZ bugs have been fixed:

- #1047: Fix the checkpoint/restore procedure if a process keeps open fd to
         /proc//.

- #1145: Don't leak the master device on brctl addif.

- #1134: The kernel hangs suddenly in tcp_lp_rtt_sample().

- #1147: Kernel panic when connecting to ftp daemon inside a Container.

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install the kernel update by using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

    # rpm -ivh vzkernel-2.6.18-028stab062.3.i686.rpm \
    vzmodules-2.6.18-028stab062.3.i686.rpm
    Preparing...                ################################# [100%]
       1:vzkernel               ################################# [50%]
       2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab062.3.i686.rpm
   vzmodules-2.6.18-028stab062.3.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab062.3.i686.rpm
   vzmodules-ent-2.6.18-028stab062.3.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab062.3.i686.rpm
   vzmodules-PAE-2.6.18-028stab062.3.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab062.3.x86_64.rpm
   vzmodules-2.6.18-028stab062.3.x86_64.rpm

ia64 kernel:
   vzkernel-2.6.18-028stab062.3.ia64.rpm
   vzmodules-2.6.18-028stab062.3.ia64.rpm


--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2009-0225.html
https://rhn.redhat.com/errata/RHSA-2009-0264.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300
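
--------------------------------------------------------------------------------

Post-reboot check for the installation steps in section 5, as an added example
that is not part of the original release notes: it reports whether a kernel
release string is at or above 2.6.18-028stab062.3. The function names, the
optional "-ent"/"-PAE" suffix on the release string, and the numeric ordering of
the stab build and revision fields within one branch are assumptions.

```shell
#!/bin/sh
# Added example, not Parallels code. Fixed build taken from this document.
FIXED_RELEASE="2.6.18-028stab062.3"

# Split "2.6.18-028stab062.3[-ent|-PAE]" into "base branch build revision".
# Prints nothing when the string is not in that (assumed) format.
vz_parse_release() {
    printf '%s\n' "$1" | sed -n \
's/^\([0-9.]*\)-\([0-9]\{3\}\)stab\([0-9]\{1,\}\)\.\([0-9]\{1,\}\)\(-[A-Za-z0-9]*\)\{0,1\}$/\1 \2 \3 \4/p'
}

# Prints one of:
#   patched  - same base and branch, build.revision >= the fixed build
#   outdated - same base and branch, build.revision below the fixed build
#   unknown  - not a Virtuozzo release string, or a different base/branch
vz_kernel_status() {
    cur=$(vz_parse_release "$1")
    fix=$(vz_parse_release "$FIXED_RELEASE")
    if [ -z "$cur" ]; then
        echo unknown
        return 0
    fi
    # Fields 1-4: kernel under test; fields 5-8: fixed build.
    # "+0" forces decimal numeric comparison, so "062" compares as 62.
    echo "$cur $fix" | awk '{
        if ($1 != $5 || $2 != $6) { print "unknown"; exit }
        if ($3+0 > $7+0 || ($3+0 == $7+0 && $4+0 >= $8+0))
            print "patched"
        else
            print "outdated"
    }'
}

# Constructed sample release strings (not taken from the document), followed
# by the kernel this host is actually running.
for rel in 2.6.18-028stab059.6-ent 2.6.18-028stab062.3-PAE \
           2.6.18-128.1.1.el5 "$(uname -r)"; do
    echo "$rel: $(vz_kernel_status "$rel")"
done
```

An "outdated" result after the reboot usually means the boot loader still loads
a previous kernel by default (step II).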
