Article ID: 8215, created on Mar 17, 2010, last review on Apr 17, 2012

  • Applies to:
  • Virtuozzo hypervisor 4.0 for Mac Bare Metal

Release notes

--------------------------------------------------------------------------------
Synopsis: New Parallels Server 4.0 Bare Metal kernel provides a number of important stability fixes and security updates.
Issue date: 2010-02-12
Product: Parallels Server 4.0 Bare Metal
Keywords: 'stability fixes' 'security updates' 'Containers'

--------------------------------------------------------------------------------

This document provides information on the new Parallels Server 4.0 Bare Metal
kernel, version 2.6.18-028stab068.3.

© 1999-2010 Parallels, Inc. All rights reserved.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Server 4.0 Bare Metal kernel provides a new
kernel based on the Red Hat 5 kernel (2.6.18-164.11.1.el5). The updated kernel
includes a number of important security and stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Parallels Server 4.0 Bare Metal kernel includes fixes for the
following security vulnerabilities (including those that were fixed in the
2.6.18-164.11.1.el5 Red Hat kernel):

- An array index error was found in the gdth driver. A local user could send a
specially crafted IOCTL request that would cause a denial of service or,
possibly, privilege escalation. (CVE-2009-3080, Important)

- A flaw was found in the FUSE implementation. When a system is low on memory,
fuse_put_request() could dereference an invalid pointer, possibly leading to
a local denial of service or privilege escalation.
(CVE-2009-4021, Important)

- Tavis Ormandy discovered a deficiency in the fasync_helper() implementation.
This could allow a local, unprivileged user to leverage a use-after-free of
locked, asynchronous file descriptors to cause a denial of service or
privilege escalation. (CVE-2009-4141, Important)

- The Parallels Virtuozzo Containers team reported that the RHSA-2009:1243
update introduced two flaws in the routing implementation. If an attacker was
able to cause a large enough number of collisions in the routing hash table
(via specially crafted packets) for the emergency route flush to trigger, a
deadlock could occur. Secondly, if the kernel routing cache was disabled, an
uninitialized pointer would be left behind after a route lookup, leading to a
kernel panic. (CVE-2009-4272, Important)

- The RHSA-2009:0225 update introduced a rewrite attack flaw in the
do_coredump() function. A local attacker able to guess the file name a
process is going to dump its core to prior to the process crashing, could
use this flaw to append data to the dumped core file. This issue only affects
systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value
is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable
set to 2, the core file will not be recorded if the file already exists.
For example, core files will not be overwritten on subsequent crashes of
processes whose core files map to the same name.

- An information leak was found in the Linux kernel. On AMD64 systems, 32-bit
processes could access and read certain 64-bit registers by temporarily
switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

- The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support
in the qla2xxx driver, resulting in two new sysfs pseudo files,
"/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete".
These two files were world-writable by default, allowing a local user to
change SCSI host attributes. This flaw only affects systems using the qla2xxx
driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

- Permission issues were found in the megaraid_sas driver. The "dbg_lvl" and
"poll_mode_io" files on the sysfs file system ("/sys/") had world-writable
permissions. This could allow local, unprivileged users to change the
behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate)

- A NULL pointer dereference flaw was found in the firewire-ohci driver used
for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with
access to /dev/fw* files could issue certain IOCTL calls, causing a denial of
service or privilege escalation. The FireWire modules are blacklisted by
default, and if enabled, only root has access to the files noted above by
default. (CVE-2009-4138, Moderate)

- A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS
file system implementation. This could lead to a denial of service if a user
browsed a specially crafted HFS file system, for example, by running "ls".
(CVE-2009-4020, Low)
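
Several items in the list above depend on node configuration: suid_dumpable set to 2, and world-writable sysfs files for the qla2xxx and megaraid_sas drivers. The script below is an added example, not part of the original release notes and not Parallels code, that checks a node for those conditions; the function names and the sample tree paths are hypothetical, and files are matched by the attribute names given above.

```shell
#!/bin/sh
# Added example (not Parallels code): audit the settings this release note ties
# to CVE-2006-6304, CVE-2009-3556, CVE-2009-3889 and CVE-2009-3939.

# Print fs.suid_dumpable as found under root directory $1, or "unknown".
suid_dumpable_value() {
    f="${1%/}/proc/sys/fs/suid_dumpable"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo unknown; fi
}

# List world-writable files under $1/sys that carry the attribute names above.
world_writable_attrs() {
    [ -d "${1%/}/sys" ] || return 0
    find "${1%/}/sys" -type f \( -name vport_create -o -name vport_delete \
        -o -name dbg_lvl -o -name poll_mode_io \) -perm -0002 2>/dev/null | sort
}

# Report findings for root $1 (default /); return 1 if anything was flagged.
audit_node() {
    root="${1:-/}"; rc=0
    v=$(suid_dumpable_value "$root")
    if [ "$v" = 2 ]; then
        echo "FINDING suid_dumpable=2: CVE-2006-6304 precondition is met"; rc=1
    else
        echo "ok suid_dumpable=$v"
    fi
    attrs=$(world_writable_attrs "$root")
    if [ -n "$attrs" ]; then
        echo "$attrs" | sed 's/^/FINDING world-writable: /'; rc=1
    fi
    return "$rc"
}

# Constructed sample tree (hypothetical paths) for trying the audit offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/proc/sys/fs" "$t/sys/class/scsi_host/host0" \
             "$t/sys/bus/pci/drivers/megaraid_sas"
    echo 2 > "$t/proc/sys/fs/suid_dumpable"
    : > "$t/sys/class/scsi_host/host0/vport_create"
    : > "$t/sys/class/scsi_host/host0/vport_delete"
    : > "$t/sys/bus/pci/drivers/megaraid_sas/dbg_lvl"
    chmod 0222 "$t/sys/class/scsi_host/host0/vport_create"
    chmod 0200 "$t/sys/class/scsi_host/host0/vport_delete"
    chmod 0666 "$t/sys/bus/pci/drivers/megaraid_sas/dbg_lvl"
    echo "$t"
}

# Live node: audit_node /      Offline demo: audit_node "$(make_sample_tree)"
```

On the constructed tree the audit flags suid_dumpable, vport_create and dbg_lvl, and leaves vport_delete (mode 0200) unreported.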

The updated Parallels Server 4.0 Bare Metal kernel also includes fixes for
the following issues:

- A kernel panic may occur while reading "/proc/bc/0/ioprio_queues" because
some disk drivers do not create kernel objects correctly.

- A kernel panic may occur if a network interface registered on the Hardware
Node and "moved" inside a Container is unregistered inside the Container.

- A network device may leak on stopping a Container due to positive refcounters.
The leak is accompanied by the following message:
"unregister_netdevice: waiting for eth0.125=ffff8101608ad000 to become free.
Usage count = 1 ve=0".

- "vztop" on a Hardware Node shows in the "#C" column the last used virtual CPU
instead of the last physical one.

- When launched inside a Container, OpenVPN may fail to change the tx queue
length and display the following warning: "Note: Cannot set tx queue length
on tun0: Operation not permitted (errno=1)".
Note: Despite the warning, OpenVPN works properly inside the Container.

- "vmstat" may report an incorrect number of running processes inside a
Container (for example, "4294967295").

The new Parallels Server 4.0 Bare Metal kernel also includes the following
improvement:

- The signalfd() syscall has been backported to the kernel to provide better
support for Containers based on templates of modern Linux distributions (in
particular, Ubuntu 9.10).

We highly recommend that all Parallels Server 4.0 Bare Metal users update
their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Parallels Server 4.0 Bare Metal kernel:

- #443066: A kernel panic may occur while reading "/proc/bc/0/ioprio_queues".

- #463901: A kernel panic may occur while unregistering a VLAN device inside
a Container if the device was registered on the Hardware Node.

- #464097: Network devices leakage may occur.

- #440208: Last physical CPU must be shown by "vztop" in the "#C" column.

- #457318: OpenVPN fails to change tx queue length on tun0 inside a Container.

- #112738: The number of running processes may be reported incorrectly inside
a Container.

The following OpenVZ bug has been fixed:

- #1415: signalfd() syscall support is required by modern distributions.

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Server 4.0 Bare Metal distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and modules.

# rpm -ivh vzkernel-2.6.18-028stab068.3.i686.rpm \
vzmodules-2.6.18-028stab068.3.i686.rpm \
parallels-kmod-4.0.5612.535050-1.2.6.18_028stab068.3.x86_64.rpm
Preparing... ################################# [100%]
1:vzkernel ################################# [50%]
2:vzmodules ################################# [100%]
3:parallels-kmod ################################# [100%]

Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
all the kernels previously installed on your system may be removed from
the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
loaded by default.

III. Reboot your computer with the "shutdown -r now" command to boot the new
kernel.
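
After step III, the node should be running the updated kernel. The check below is an added example, not from the original release notes or Parallels tooling; it assumes "uname -r" reports the release in the same NNNstabNNN.N form as the package version above and that a later build in the same series carries these fixes. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Parallels code): confirm the booted kernel is the update.
FIXED_RELEASE="2.6.18-028stab068.3"   # version stated in this release note

# Compare the NNNstabNNN.N part of two release strings numerically.
# Returns 0 if $1 >= $2, 1 if $1 < $2, 2 if either string lacks that part.
kernel_is_fixed() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { if (!match($0, /[0-9]+stab[0-9]+\.[0-9]+/)) { bad = 1; exit }
          split(substr($0, RSTART, RLENGTH), p, /stab|\./)
          # "+ 0" forces decimal, so 028 and 068 are not read as octal
          for (i = 1; i <= 3; i++) v[NR, i] = p[i] + 0 }
        END { if (bad) exit 2
              for (i = 1; i <= 3; i++) {
                  if (v[1, i] > v[2, i]) exit 0;
                  if (v[1, i] < v[2, i]) exit 1;
              }
              exit 0 }'
}

# Check the release in $1 (default: the running kernel) against FIXED_RELEASE.
check_running_kernel() {
    running="${1:-$(uname -r)}"
    st=0
    kernel_is_fixed "$running" "$FIXED_RELEASE" || st=$?
    case "$st" in
        0) echo "ok: $running is at or above $FIXED_RELEASE" ;;
        1) echo "OUTDATED: $running is older than $FIXED_RELEASE"; return 1 ;;
        *) echo "UNKNOWN: $running is not in NNNstabNNN.N form"; return 2 ;;
    esac
}

# After the reboot in step III: check_running_kernel
```

A return code of 2 means the node booted a kernel that is not a Virtuozzo build at all, for example because the boot loader default from step II still points at a different entry.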

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

vzkernel-2.6.18-028stab068.3.x86_64.rpm
vzmodules-2.6.18-028stab068.3.x86_64.rpm
parallels-kmod-4.0.5612.535050-1.2.6.18_028stab068.3.x86_64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2010-0046.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4020
