Article ID: 8556, created on May 26, 2010, last review on May 3, 2014

Applies to: Virtuozzo for Linux 3.x

Release notes

--------------------------------------------------------------------------------
Synopsis:     New Virtuozzo 3.0 kernel provides security updates, driver
              updates, and some other important fixes.
Issue date:   2010-05-28
Product:      Virtuozzo 3.0
Keywords:     security updates, driver update, stability fixes
--------------------------------------------------------------------------------

This document provides information on the new Virtuozzo 3.0 kernel, version
2.6.9-023stab052.4.

Copyright © 1999-2010 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.

--------------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo 3.0 kernel provides a new kernel based on
the Red Hat 4 kernel (2.6.9-89.0.23.EL). The updated kernel includes a
number of security updates, driver updates, and important stability fixes.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo 3.0 kernel includes fixes for the following security
vulnerabilities fixed in the 2.6.9-89.0.11.EL to 2.6.9-89.0.23.EL Red Hat
kernels:

* The ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags were not cleared when a
  setuid or setgid program was executed. A local, unprivileged user could use
  this flaw to bypass the mmap_min_addr protection mechanism and perform a
  NULL pointer dereference attack, or bypass the Address Space Layout
  Randomization (ASLR) security feature. (CVE-2009-1895, Important)

* It was discovered that, when executing a new process, the clear_child_tid
  pointer in the Linux kernel is not cleared. If this pointer points to a
  writable portion of the memory of the new program, the kernel could corrupt
  four bytes of memory, possibly leading to a local denial of service or
  privilege escalation. (CVE-2009-2848, Important)

* Solar Designer reported a missing capability check in the z90crypt driver
  in the Linux kernel. This missing check could allow a local user with an
  effective user ID (euid) of 0 to bypass intended capability restrictions.
  (CVE-2009-1883, Moderate)

* A flaw was found in the way the do_sigaltstack() function in the Linux
  kernel copies the stack_t structure to user-space. On 64-bit machines, this
  flaw could lead to a four-byte information leak. (CVE-2009-2847, Moderate)

* Multiple, missing initialization flaws were found in the Linux kernel.
  Padding data in several core network structures was not initialized properly
  before being sent to user-space. These flaws could lead to information
  leaks. (CVE-2005-4881, CVE-2009-3228, Moderate)

* A NULL pointer dereference flaw was found in each of the following
  functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and
  pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could
  be released by other processes before it is used to update the pipe's reader
  and writer counters. This could lead to a local denial of service or
  privilege escalation. (CVE-2009-3547, Important)

* A flaw was found in the Realtek r8169 Ethernet driver in the Linux
  kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU
  space exhaustion and a system crash. An attacker on the local network could
  trigger this flaw by using jumbo frames for large amounts of network
  traffic.  (CVE-2009-3613, Important)

* NULL pointer dereference flaws were found in the r128 driver in the Linux
  kernel. Checks to test if the Concurrent Command Engine state was
  initialized were missing in private IOCTL functions. An attacker could use
  these flaws to cause a local denial of service or escalate their privileges.
  (CVE-2009-3620, Important)

* An information leak was found in the Linux kernel. On AMD64 systems,
  32-bit processes could access and read certain 64-bit registers by
  temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)

* The unix_stream_connect() function in the Linux kernel did not check if a
  UNIX domain socket was in the shutdown state. This could lead to a deadlock.
  A local, unprivileged user could use this flaw to cause a denial of service.
  (CVE-2009-3621, Moderate)

* A flaw was found in each of the following Intel PRO/1000 Linux drivers in
  the Linux kernel: e1000 and e1000e. A remote attacker using packets larger
  than the MTU could bypass the existing fragment check, resulting in partial,
  invalid frames being passed to the network stack. These flaws could also
  possibly be used to trigger a remote denial of service.  (CVE-2009-4536,
  CVE-2009-4538, Important)

* A flaw was found in the Realtek r8169 Ethernet driver in the Linux
  kernel. Receiving overly-long frames with network cards supported by this
  driver could possibly result in a remote denial of service. (CVE-2009-4537,
  Important)

* An array index error was found in the gdth driver in the Linux kernel. A
  local user could send a specially-crafted IOCTL request that would cause a
  denial of service or, possibly, privilege escalation. (CVE-2009-3080,
  Important)

* A flaw was found in the collect_rx_frame() function in the HiSax ISDN
  driver (hfc_usb) in the Linux kernel. An attacker could use this flaw to
  send a specially-crafted HDLC packet that could trigger a buffer out of
  bounds, possibly resulting in a denial of service. (CVE-2009-4005,
  Important)

* Permission issues were found in the megaraid_sas driver (for SAS-based
  RAID controllers) in the Linux kernel. The "dbg_lvl" and "poll_mode_io"
  files on the sysfs file system ("/sys/") had world-writable permissions.
  This could allow local, unprivileged users to change the behavior of the
  driver. (CVE-2009-3889, CVE-2009-3939, Moderate)

* A buffer overflow flaw was found in the hfs_bnode_read() function in the
  HFS file system implementation in the Linux kernel. This could lead to a
  denial of service if a user browsed a specially-crafted HFS file system, for
  example, by running "ls". (CVE-2009-4020, Low)

* A NULL pointer dereference flaw was found in the sctp_rcv_ootb() function
  in the Linux kernel Stream Control Transmission Protocol (SCTP)
  implementation. A remote attacker could send a specially-crafted SCTP packet
  to a target system, resulting in a denial of service.  (CVE-2010-0008,
  Important)

* A NULL pointer dereference flaw was found in the Linux kernel. During a
  core dump, the kernel did not check if the Virtual Dynamically-linked Shared
  Object page was accessible. On Intel 64 and AMD64 systems, a local,
  unprivileged user could use this flaw to cause a kernel panic by running a
  crafted 32-bit application. (CVE-2009-4271, Important)

* An information leak was found in the print_fatal_signal() implementation
  in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to 1
  (the default value is 0), memory that is reachable by the kernel could be
  leaked to user-space. This issue could also result in a system crash. Note
  that this flaw only affected the i386 architecture. (CVE-2010-0003,
  Moderate)

* On AMD64 systems, it was discovered that the kernel did not ensure the
  ELF interpreter was available before making a call to the SET_PERSONALITY
  macro. A local attacker could use this flaw to cause a denial of service by
  running a 32-bit application that attempts to execute a 64-bit application.
  (CVE-2010-0307, Moderate)

* Missing capability checks were found in the ebtables implementation, used
  for creating an Ethernet bridge firewall. This could allow a local,
  unprivileged user to bypass intended capability restrictions and
  modify ebtables rules. (CVE-2010-0007, Low)


The updated Virtuozzo 3.0 kernel also includes a fix for the following issue:

- /proc/user_beancounters may report false-positive kernel memory leaks,
  showing non-zero values in the 'held' column even when Containers are
  stopped.


We highly recommend that all Virtuozzo 3.0 users update their kernel to the
latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bug from the previous release has been fixed in the new
Virtuozzo 3.0 kernel:

- #473324: 'kmemsize' leak is reported by /proc/user_beancounters.

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install the kernel update by using the vzup2date utility
included in the Virtuozzo 3.0 distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, perform the following operations:

I. Use the "rpm -ivh" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-smp-2.6.9-023stab052.4.i686.rpm \
vzmodules-smp-2.6.9-023stab052.4.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel-smp           ################################# [50%]
    2:vzmodules-smp          ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
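The three steps above, as an added helper script that is not part of this release note: it reports whether a Hardware Node still runs a Virtuozzo 3.0 kernel older than 2.6.9-023stab052.4 and, on request, installs the update with "rpm -ivh" (never "rpm -Uvh") so the earlier kernels stay available as a fallback. It assumes that `uname -r` on these nodes prints a release such as "2.6.9-023stab051.3-smp" (the "-smp"/"-enterprise" suffix may be absent); the `--check` and `--install` switches are this script's own.

```shell
#!/bin/sh
# Added example, not Parallels' code: check for and install the
# 2.6.9-023stab052.4 Virtuozzo 3.0 kernel as described in section 5.
# Assumption: `uname -r` looks like "2.6.9-023stab051.3-smp".

FIXED_STAB=52     # the "052" of 023stab052.4
FIXED_MINOR=4     # the ".4"  of 023stab052.4

# stab_parts "2.6.9-023stab051.3-smp" prints "51 3"; prints nothing for
# releases that are not 2.6.9-023stab kernels (e.g. a stock Red Hat kernel).
stab_parts() {
    printf '%s\n' "$1" |
        sed -n 's/^2\.6\.9-023stab0*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# kernel_update_status RELEASE prints one of:
#   outdated  - a Virtuozzo 3.0 kernel that predates this update
#   current   - already 023stab052.4 or newer
#   unknown   - not a 2.6.9-023stab kernel at all
kernel_update_status() {
    set -- $(stab_parts "$1")
    if [ $# -ne 2 ]; then
        echo unknown
    elif [ "$1" -lt "$FIXED_STAB" ] ||
         { [ "$1" -eq "$FIXED_STAB" ] && [ "$2" -lt "$FIXED_MINOR" ]; }; then
        echo outdated
    else
        echo current
    fi
}

# install_vz_kernel FLAVOUR ARCH installs (does not upgrade) the packages from
# section 6, e.g. install_vz_kernel smp i686; use "" for the uniprocessor kernel.
install_vz_kernel() {
    ver=2.6.9-023stab052.4
    rpm -ivh "vzkernel${1:+-$1}-$ver.$2.rpm" "vzmodules${1:+-$1}-$ver.$2.rpm" || return 1
    # rpm -ivh keeps the old kernel installed; warn if no fallback kernel is left.
    [ "$(rpm -q "vzkernel${1:+-$1}" | wc -l)" -gt 1 ] ||
        echo "warning: no earlier vzkernel${1:+-$1} left to fall back to"
    echo "Make the new kernel the boot loader default (run 'lilo' if LILO is"
    echo "used), then reboot with 'shutdown -r now'."
}

if [ "${1:-}" = --check ]; then
    echo "$(uname -r): $(kernel_update_status "$(uname -r)")"
elif [ "${1:-}" = --install ]; then
    install_vz_kernel "${2:-smp}" "${3:-i686}"
fi
```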

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- Uniprocessor:
   vzkernel-2.6.9-023stab052.4.i686.rpm
   vzmodules-2.6.9-023stab052.4.i686.rpm

- SMP:
   vzkernel-smp-2.6.9-023stab052.4.i686.rpm
   vzmodules-smp-2.6.9-023stab052.4.i686.rpm

- Enterprise:
   vzkernel-enterprise-2.6.9-023stab052.4.i686.rpm
   vzmodules-enterprise-2.6.9-023stab052.4.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-entnosplit-2.6.9-023stab052.4.i686.rpm
   vzmodules-entnosplit-2.6.9-023stab052.4.i686.rpm


x86_64 kernels:

- Uniprocessor:
   vzkernel-2.6.9-023stab052.4.x86_64.rpm
   vzmodules-2.6.9-023stab052.4.x86_64.rpm

- SMP:
   vzkernel-smp-2.6.9-023stab052.4.x86_64.rpm
   vzmodules-smp-2.6.9-023stab052.4.x86_64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

https://rhn.redhat.com/errata/RHSA-2009-1438.html
https://rhn.redhat.com/errata/RHSA-2009-1522.html
https://rhn.redhat.com/errata/RHSA-2009-1541.html
https://rhn.redhat.com/errata/RHSA-2009-1671.html
https://rhn.redhat.com/errata/RHSA-2010-0020.html
https://rhn.redhat.com/errata/RHSA-2010-0076.html
https://rhn.redhat.com/errata/RHSA-2010-0146.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007

