Article ID: 7986, created on Jan 20, 2010, last review on May 7, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides a
                            number of important stability fixes, security and driver
                            updates.
Issue date:       01-22-2010
Product:           Parallels Virtuozzo Containers 4.0
Keywords:        "stability fixes" "security updates" "driver updates"

--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab067.4.

© 1999-2010 Parallels, Inc. All rights reserved.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the Red Hat 5 kernel (2.6.18-164.10.1.el5). The updated kernel includes
a number of important security and driver updates and stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-164.6.1.el5 - 2.6.18-164.10.1.el5 Red Hat kernels):

- A flaw was found in the IPv6 Extension Header (EH) handling implementation in
  the Linux kernel. The skb->dst data structure was not properly validated in
  the ipv6_hop_jumbo() function. This could possibly lead to a remote denial of
  service. (CVE-2007-4567, Important)

- A flaw was found in each of the following Intel PRO/1000 Linux drivers in the
  Linux kernel: e1000 and e1000e. A remote attacker using packets larger than
  the MTU could bypass the existing fragment check, resulting in partial,
  invalid frames being passed to the network stack. These flaws could also
  possibly be used to trigger a remote denial of service. (CVE-2009-4536,
  CVE-2009-4538, Important)

- A flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel.
  Receiving overly long frames with network cards supported by this driver
  could possibly result in a remote denial of service. (CVE-2009-4537,
  Important)

- NULL pointer dereference flaws were found in the r128 driver. Checks to test
  if the Concurrent Command Engine state was initialized were missing in private
  IOCTL functions. An attacker could use these flaws to cause a local denial of
  service or escalate their privileges. (CVE-2009-3620, Important)

- A NULL pointer dereference flaw was found in the NFSv4 implementation. Several
  NFSv4 file locking functions failed to check whether a file had been opened on
  the server before performing locking operations on it. A local user on a
  system with an NFSv4 share mounted could possibly use this flaw to cause a
  denial of service or escalate their privileges. (CVE-2009-3726, Important)

- A flaw was found in tcf_fill_node(). A certain data structure in this function
  was not initialized properly before being copied to user space. This could
  lead to an information leak. (CVE-2009-3612, Moderate)

- Unix_stream_connect() did not check if a UNIX domain socket was in the
  shutdown state. This could lead to a deadlock. A local, unprivileged user
  could use this flaw to cause a denial of service. (CVE-2009-3621, Moderate)

- A flaw was found in the NFSv4 implementation. The kernel would do an
  unnecessary permission check after creating a file. This check would usually
  fail and leave the file with the permission bits set to random values. Note:
  This is a server-side only issue. (CVE-2009-3286, Important)

- A NULL pointer dereference flaw was found in each of the following functions
  in the Linux kernel: pipe_read_open(), pipe_write_open(), and
  pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could
  be released by other processes before it is used to update the pipe's reader
  and writer counters. This could lead to a local denial of service or
  privilege escalation. (CVE-2009-3547, Important)

- A flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel.
  pci_unmap_single() presented a memory leak that could lead to IOMMU space
  exhaustion and a system crash. An attacker on the local network could abuse
  this flaw by using jumbo frames for large amounts of network traffic.
  (CVE-2009-3613, Important)

- Missing initialization flaws were found in the Linux kernel. Padding of data in
  several core network structures was not initialized properly before being
  sent to the user space. These flaws could lead to information leaks.
  (CVE-2009-3228, Moderate)


The updated Parallels Virtuozzo Containers 4.0 kernel includes fixes for the
following issues:

- A Hardware Node may hang due to a bug in the on-demand emergency route
  cache-flushing code. The following messages are written to the log file
  before the Node hangs:
  "Route hash chain too long!"
  "Adjust your secret_interval!"

- After upgrading to a new kernel, the values of entries in the /proc/diskstats
  file may be set to zero, which breaks the disk activity statistics on
  the Node.

- A kernel panic may occur on an attempt to mount a corrupted partition 
  if the "ReiserFS'" module is loaded.

- A license may not work on Hardware Nodes with network cards that support the
  Generic Receive Offload feature (GRO).

- A kernel bug may occur due to a timer list corruption if several Containers
  are using NFS mounts at the same time.

- A kernel panic may occur when deleting an audit rule from the Hardware Node.

- A kernel panic may occur on the Destination Node during the online migration
  of a Container with a TUN device.

The new Virtuozzo Containers 4.0 kernel also includes the following
improvement:

- The load-balancing mechanism in the Parallels Containers fair scheduler has
  been improved, especially the distribution of CPU time in systems with
  multiple CPUs and a small number of processes.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.
--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #460026: A Hardware Node hangs after emergency route cache-flushing.

- #459765: Diskstat counters are set to zero after upgrading.

- #459411: A kernel crash may occur on an attempt to mount a corrupted partition
           if the "reiserfs" module is loaded.

- #460219: The "/prov/vz/hwid" file is empty.

- #460636: There is a bug in the timer list triggered by NFS inside several Containers.

- #462061: A kernel panic may occur during the online migration of a Container
           with a TUN device.

- #455277: Scheduler fairness improvements are needed.


The following OpenVZ bugs have been fixed:

- #1373: Diskstats counters are frozen at zero.

- #1375: NFS mounts inside Containers may lead to a kernel panic.

- #1351: Kernel panic may occur after executing "auditctl -D."

- #1371: New DRBD is not compatible with old connector API.

- #1378: A Hardware Node hangs after emergency route cache flushing.


--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install this kernel update using the "vzup2date" utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab067.4.i686.rpm \
vzmodules-2.6.18-028stab067.4.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels that were previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the "lilo" command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab067.4.i686.rpm
   vzmodules-2.6.18-028stab067.4.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab067.4.i686.rpm
   vzmodules-ent-2.6.18-028stab067.4.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab067.4.i686.rpm
   vzmodules-PAE-2.6.18-028stab067.4.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab067.4.x86_64.rpm
   vzmodules-2.6.18-028stab067.4.x86_64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2010-0019.html
https://rhn.redhat.com/errata/RHSA-2009-1670.html
https://rhn.redhat.com/errata/RHSA-2009-1548.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3228
 

35c16f1fded8e42577cb3df16429c57a d02f9caf3e11b191a38179103495106f e8e50b42231236b82df27684e7ec0beb 2897d76d56d2010f4e3a28f864d69223

Email subscription for changes to this article
Save as PDF