Article ID: 6739, created on Oct 2, 2009, last review on May 8, 2014

Applies to: Virtuozzo for Linux 3.x

Release notes

--------------------------------------------------------------------------------
Synopsis:     New Virtuozzo 3.0 kernel provides security updates, driver
              updates, and some other important fixes.
Issue date:   2009-09-21
Product:      Virtuozzo 3.0
Keywords:     security updates, driver update, stability fixes
--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo 3.0 kernel, version
2.6.9-023stab051.2.

© 1999-2009 Parallels Holdings, Ltd. and its affiliates. All rights reserved.

--------------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo 3.0 kernel provides a new kernel based on
the Red Hat 4 kernel (2.6.9-89.0.9.EL). The updated kernel includes a
number of security updates, driver updates, and important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo 3.0 kernel includes fixes for the following security
vulnerabilities fixed in the 2.6.9-67.0.22.EL to 2.6.9-89.0.9.EL Red Hat
kernels:

- NULL pointer access due to missing checks for terminal validity.
  (CVE-2008-2812, Moderate)

- A security flaw was found in the Linux kernel Universal Disk Format file
  system. (CVE-2006-4145, Low)

- A flaw was found in the Linux kernel Direct-IO implementation. This could
  allow a local unprivileged user to cause a denial of service.
  (CVE-2007-6716, Important)

- The do_truncate() and generic_file_splice_write() functions did not clear
  the setuid and setgid bits. This could have allowed a local unprivileged
  user to obtain access to privileged information.
  (CVE-2008-4210, Important)

- A potential denial of service attack was discovered in the Linux kernel
  PWC USB video driver. A local unprivileged user could have used this flaw to
  bring the kernel USB subsystem into the busy-waiting state.
  (CVE-2007-5093, Low)

- The ext2 and ext3 file systems code failed to properly handle corrupted data
  structures, leading to a possible local denial of service issue when read or
  write operations were performed.
  (CVE-2008-3528, Low)

- The sendmsg() function in the Linux kernel did not block during UNIX socket
  garbage collection. This could, potentially, lead to a local denial of
  service.
  (CVE-2008-5300, Important)

- A deficiency was found in the Linux kernel virtual file system (VFS)
  implementation. This could allow a local, unprivileged user to make a series
  of file creations within deleted directories, possibly causing a denial of
  service.
  (CVE-2008-3275, Moderate)

- A memory leak was found in keyctl handling. A local, unprivileged user could
  use this flaw to deplete kernel memory, eventually leading to a denial of
  service.
  (CVE-2009-0031, Important)

- A deficiency was found in the Remote BIOS Update (RBU) driver for Dell
  systems. This could allow a local, unprivileged user to cause a denial of
  service by reading zero bytes from the image_type or packet_size file in
  "/sys/devices/platform/dell_rbu/".
  (CVE-2009-0322, Important)

- A deficiency was found in the libATA implementation. This could,
  potentially, lead to a denial of service.
  Note: by default, "/dev/sg*" devices are accessible only to the root user.
  (CVE-2008-5700, Low)

- A logic error was found in the do_setlk() function of the Linux kernel
  Network File System (NFS) implementation. If a signal interrupted a lock
  request, the local POSIX lock was incorrectly created. This could cause
  a denial of service on the NFS server if a file descriptor was closed before
  its corresponding lock request returned.
  (CVE-2008-4307, Important)

- A deficiency was found in the Linux kernel system call auditing
  implementation on 64-bit systems. This could allow a local, unprivileged
  user to circumvent a system call audit configuration, if that configuration
  filtered based on the "syscall" number or arguments.
  (CVE-2009-0834, Important)

- Chris Evans reported a deficiency in the Linux kernel signals
  implementation. The clone() system call permits the caller to indicate the
  signal it wants to receive when its child exits. When clone() is called with
  the CLONE_PARENT flag, it permits the caller to clone a new child that
  shares the same parent as itself, enabling the indicated signal to be sent
  to the caller's parent (instead of the caller), even if the caller's parent
  has different real and effective user IDs. This could lead to a denial of
  service of the parent.
  (CVE-2009-0028, Moderate)

- The sock_getsockopt() function in the Linux kernel did not properly
  initialize a data structure that can be directly returned to user-space when
  the getsockopt() function is called with SO_BSDCOMPAT optname set.  This
  flaw could possibly lead to memory disclosure.
  (CVE-2009-0676, Moderate)

- The exit_notify() function in the Linux kernel did not properly reset the
  exit signal if a process executed a set user ID (setuid) application before
  exiting. This could allow a local, unprivileged user to elevate their
  privileges.
  (CVE-2009-1337, Important)

- The Linux kernel implementation of the Network File System (NFS) did not
  properly initialize the file name limit in the nfs_server data structure.
  This flaw could possibly lead to a denial of service on a client mounting
  an NFS share.
  (CVE-2009-1336, Moderate)

- A flaw was found in the Intel PRO/1000 network driver in the Linux kernel.
  Frames with sizes near the MTU of an interface may be split across multiple
  hardware receive descriptors. Receipt of such a frame could leak through
  a validation check, leading to a corruption of the length check. A remote
  attacker could use this flaw to send a specially crafted packet that would
  cause a denial of service.
  (CVE-2009-1385, Important)

- The Linux kernel Network File System daemon (nfsd) implementation did not
  drop the CAP_MKNOD capability when handling requests from local,
  unprivileged users. This flaw could possibly lead to an information leak or
  privilege escalation.
  (CVE-2009-1072, Moderate)

- Frank Filz reported the NFSv4 client was missing a file permission check for
  the execute bit in some situations. This could allow local, unprivileged
  users to run non-executable files on NFSv4 mounted file systems.
  (CVE-2009-1630, Moderate)

- A flaw was found in the AGPGART driver. The agp_generic_alloc_page()
  and agp_generic_alloc_pages() functions did not zero out the memory
  pages they allocate, which may later be available to user-space
  processes. This flaw could possibly lead to an information leak.
  (CVE-2009-1192, Low)

- Michael Tokarev reported a flaw in the Realtek r8169 Ethernet driver in the
  Linux kernel. The driver allowed interfaces using it to receive frames larger
  than it could handle. This could lead to a remote denial of service or code
  execution.
  (CVE-2009-1389, Important)

- A buffer overflow flaw was found in the CIFSTCon() function of the Linux
  kernel Common Internet File System (CIFS) implementation. When mounting
  a CIFS share, a malicious server could send an overly long string to the
  client, possibly leading to a denial of service or privilege escalation on
  the client mounting the CIFS share.
  (CVE-2009-1439, Important)

- Several flaws were found in the way the Linux kernel CIFS implementation
  handles Unicode strings. CIFS clients convert Unicode strings sent by
  a server to their local character sets and then write those strings into
  memory. If a malicious server sent a long enough string, it could write past
  the end of the target memory region and corrupt other memory areas, possibly
  leading to a denial of service or privilege escalation on the client
  mounting the CIFS share.
  (CVE-2009-1633, Important)

- A flaw was found in the SOCKOPS_WRAP macro in the Linux kernel. This macro
  did not initialize the sendpage operation in the proto_ops structure
  correctly. A local, unprivileged user could use this flaw to cause a local
  denial of service or escalate their privileges.
  (CVE-2009-2692, Important)

- A flaw was found in the udp_sendmsg() implementation in the Linux kernel
  when using the MSG_MORE flag on UDP sockets. A local, unprivileged user
  could use this flaw to cause a local denial of service or escalate their
  privileges.
  (CVE-2009-2698, Important)


The updated Virtuozzo 3.0 kernel includes fixes for the following issues:

- A kernel crash may occur during the online migration if the Container
  being migrated is under a high network load.

- False positive warnings about unregistering network devices may appear
  because the timeout value is too small.

- The NMI watchdog may cause a kernel panic while reporting about a detected
  NMI lockup.

- A flaw in the file precharging mechanism may cause the "numfile" and
  "kmemsize" usage to grow, which may lead to the Container exceeding its
  resource limits. In particular, the "named" process could trigger such
  growth under certain circumstances.


We highly recommend that all Virtuozzo 3.0 users update their kernel to the
latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo 3.0 kernel:

- #130913: [CPT]: a kernel panic during online migration under a high network
           load.

- #130929: The timeout for waiting for network devices to become free should
           be increased.

- #116629: NMI watchdog does not show statistics for all CPUs when an NMI
           lockup is detected.

- #441258: Incorrect uncharge of pre-charged files may occur if these files
           are closed in a thread other than the one in which they were opened.


--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install the kernel update by using the vzup2date utility
included in the Virtuozzo 3.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-smp-2.6.9-023stab051.2.i686.rpm \
vzmodules-smp-2.6.9-023stab051.2.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel-smp           ################################# [50%]
    2:vzmodules-smp          ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
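After the reboot, you will want to confirm that the Hardware Node is actually running a kernel at or above the fixed version. The following script is an added example, not part of the original release notes or of the vzup2date tooling; it assumes that "uname -r" on a Virtuozzo 3.0 node prints a release string of the form "2.6.9-023stab051.2-smp" (the "-smp"/"-enterprise" flavour suffix is ignored) and compares the "stab" number and point release against 2.6.9-023stab051.2.

```shell
#!/bin/sh
# Added example (not from the release notes): verify that the running kernel
# is a Virtuozzo 3.0 kernel at or above the version that carries these fixes.
# Assumed "uname -r" format: 2.6.9-<rh>stab<NNN>.<M>[-flavour]

FIXED_KERNEL="2.6.9-023stab051.2"

# stab_parts RELEASE -> prints "<stab> <point>" with leading zeros removed,
# e.g. "2.6.9-023stab051.2-smp" -> "51 2". Prints nothing for any release
# string that is not a 2.6.9-based Virtuozzo ("stab") kernel.
stab_parts() {
    printf '%s\n' "$1" |
        sed -n 's/^2\.6\.9-[0-9]*stab\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        sed 's/^0*\([0-9]\)/\1/; s/ 0*\([0-9]\)/ \1/'
}

# kernel_is_fixed RELEASE -> exit status 0 if RELEASE is a Virtuozzo 3.0
# kernel at or above FIXED_KERNEL, 1 otherwise (including non-Virtuozzo
# kernels such as the plain Red Hat 2.6.9-89.0.9.EL).
kernel_is_fixed() {
    have=$(stab_parts "$1")
    [ -n "$have" ] || return 1
    want=$(stab_parts "$FIXED_KERNEL")
    set -- $have $want          # $1 $2: running stab/point, $3 $4: fixed
    if [ "$1" -gt "$3" ]; then
        return 0                # newer stab series
    fi
    [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]   # same series, point >= fix
}

# report_kernel RELEASE -> one-line human-readable verdict
report_kernel() {
    if kernel_is_fixed "$1"; then
        echo "kernel $1: at or above $FIXED_KERNEL (fixes present)"
    else
        echo "kernel $1: not a Virtuozzo 3.0 kernel at $FIXED_KERNEL or later"
    fi
}

report_kernel "$(uname -r)"
```

Run it on the node after step III; a "not ... or later" verdict means the old kernel is still booting, typically because the boot loader default was not changed in step II.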

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- Uniprocessor:
   vzkernel-2.6.9-023stab051.2.i686.rpm
   vzmodules-2.6.9-023stab051.2.i686.rpm

- SMP:
   vzkernel-smp-2.6.9-023stab051.2.i686.rpm
   vzmodules-smp-2.6.9-023stab051.2.i686.rpm

- Enterprise:
   vzkernel-enterprise-2.6.9-023stab051.2.i686.rpm
   vzmodules-enterprise-2.6.9-023stab051.2.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-entnosplit-2.6.9-023stab051.2.i686.rpm
   vzmodules-entnosplit-2.6.9-023stab051.2.i686.rpm


x86_64 kernels:

- Uniprocessor:
   vzkernel-2.6.9-023stab051.2.x86_64.rpm
   vzmodules-2.6.9-023stab051.2.x86_64.rpm

- SMP:
   vzkernel-smp-2.6.9-023stab051.2.x86_64.rpm
   vzmodules-smp-2.6.9-023stab051.2.x86_64.rpm

ia64 kernel:
   vzkernel-2.6.9-023stab051.2.ia64.rpm
   vzmodules-2.6.9-023stab051.2.ia64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

https://rhn.redhat.com/errata/RHSA-2008-0607.html
https://rhn.redhat.com/errata/RHSA-2008-0665.html
https://rhn.redhat.com/errata/RHSA-2008-0972.html
https://rhn.redhat.com/errata/RHSA-2009-0014.html
https://rhn.redhat.com/errata/RHSA-2009-0331.html
https://rhn.redhat.com/errata/RHSA-2009-0459.html
https://rhn.redhat.com/errata/RHSA-2009-1024.html
https://rhn.redhat.com/errata/RHSA-2009-1132.html
https://rhn.redhat.com/errata/RHSA-2009-1211.html
https://rhn.redhat.com/errata/RHSA-2009-1223.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698

