Article ID: 8336, created on Mar 30, 2010, last review on May 3, 2014

  • Applies to:
  • Virtuozzo containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:         New Parallels Virtuozzo Containers 4.0 kernel provides a
                           number of important stability fixes, security updates as
                           well as introduces a new feature.
Issue date:       2010-03-25
Product:            Parallels Virtuozzo Containers 4.0
Keywords:        'stability fixes' 'security updates' 'BSD process accounting'

--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo Containers 4.0 kernel,
version 2.6.18-028stab068.9.

© 1999-2010 Parallels, Inc. All rights reserved.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo Containers 4.0 kernel provides a new kernel
based on the new Red Hat 5 kernel (2.6.18-164.15.1.el5). The updated kernel
includes a number of important security and stability fixes from the Red Hat
one. The kernel also adds support for the BSD process accounting (also referred
to as pacct).

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo Containers 4.0 kernel includes fixes for the following
security vulnerabilities (including those that were fixed in the
2.6.18-164.15.1.el5 Red Hat kernel):

- A NULL pointer dereference flaw was found in the sctp_rcv_ootb() function
  in the Linux kernel Stream Control Transmission Protocol (SCTP)
  implementation. A remote attacker could send a specially crafted SCTP
  packet to a target system, resulting in a denial of service.
  (CVE-2010-0008, Important)

- A missing boundary check was found in the do_move_pages() function in
  the memory migration functionality in the Linux kernel. A local user could
  use this flaw to cause a local denial of service or an information leak.
  (CVE-2010-0415, Important)

- A NULL pointer dereference flaw was found in the ip6_dst_lookup_tail()
  function in the Linux kernel. An attacker on the local network could
  trigger this flaw by sending IPv6 traffic to a target system, leading to a
  system crash (kernel OOPS) if dst->neighbour is NULL on the target system
  when receiving an IPv6 packet. (CVE-2010-0437, Important)

- A NULL pointer dereference flaw was found in the ext4 file system code in
  the Linux kernel. A local attacker could use this flaw to trigger a local
  denial of service by mounting a specially-crafted, journal-less ext4 file
  system, if that file system forced an EROFS error.
  (CVE-2009-4308, Moderate)

- An information leak was found in the print_fatal_signal() implementation
  in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to
  1 (the default value is 0), memory that is reachable by the kernel could be
  leaked to user-space. This issue could also result in a system crash. Note
  that this flaw only affected the i386 architecture.
  (CVE-2010-0003, Moderate)

- Missing capability checks were found in the ebtables implementation, used
  for creating an Ethernet bridge firewall. This could allow a local,
  unprivileged user to bypass intended capability restrictions and modify
  ebtables rules.
  (CVE-2010-0007, Low)

The updated Parallels Virtuozzo Containers 4.0 kernel also includes fixes for
the following issues:

- A bug prevented Wake on LAN (WoL) from being enabled on certain Intel
  hardware (BZ#543449).

- A race issue was discovered in the Journaling Block Device. (BZ#553132)

- Programs that were compiled on x86 and that called sched_rr_get_interval()
  were silently corrupted when run on 64-bit systems. (BZ#557684)

- The RHSA-2010:0019 update introduced a regression, preventing WoL from
  working for network devices using the e1000e driver. (BZ#559335)

- Adding a bonding interface in mode balance-alb to a bridge did not have
  any effect. (BZ#560588)

- Some KVM (Kernel-based Virtual Machine) guests experienced slow performance
  (and possibly a crash) after suspend/resume. (BZ#560640)

- On some systems, VF cannot be enabled in dom0. (BZ#560665)

- On systems with certain network cards, a system crash occurred after
  enabling GRO. (BZ#561417)

- For x86 KVM guests with pvclock enabled, the boot clocks were registered
  twice, possibly causing KVM to write data to a random memory area during
  the guest's life. (BZ#561454)

- Serious performance degradation for 32-bit applications, that map (mmap)
  thousands of small files, could occur when run on a 64-bit system. (BZ#562746)

- Improved kexec/kdump handling. Previously, on some systems under heavy
  load, kexec/kdump was not functional. (BZ#562772)

- dom0 was unable to boot when using the Xen hypervisor on a system with a
  large number of logical CPUs. (BZ#562777)

- A fix for a bug that could potentially cause file system corruption.
  (BZ#564281)

- A bug caused infrequent cluster issues for users of GFS2. (BZ#564288)

- gfs2_delete_inode failed on read-only file systems. (BZ#564290)

This update also includes fixes for the following Virtuozzo issues:

- A bug in ipv4 routing code could cause a network device leak.

- An online migration may fail when processes use shared memory areas
  that are not page-aligned.

- A Hardware Node may deadlock when generating a problem report.

The new kernel provides the ability to use the BSD process accounting
feature inside Containers. The user can keep control over this feature
using the accton, acctoff, and dump-acct tools.

We highly recommend that all Parallels Virtuozzo Containers 4.0 users update
their kernel to the latest version.
--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Virtuozzo Containers 4.0 kernel:

- #464371: NMI is triggered when generating a problem report.

- #429980: Migration fails if shared memory areas are not page-aligned.

- #470406: unregister_netdevice: waiting for venet0

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab068.9.i686.rpm \
vzmodules-2.6.18-028stab068.9.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab068.9.i686.rpm
   vzmodules-2.6.18-028stab068.9.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab068.9.i686.rpm
   vzmodules-ent-2.6.18-028stab068.9.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab068.9.i686.rpm
   vzmodules-PAE-2.6.18-028stab068.9.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab068.9.x86_64.rpm
   vzmodules-2.6.18-028stab068.9.x86_64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2010-0147.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437

35c16f1fded8e42577cb3df16429c57a d02f9caf3e11b191a38179103495106f e8e50b42231236b82df27684e7ec0beb 2897d76d56d2010f4e3a28f864d69223

Email subscription for changes to this article
Save as PDF