Article ID: 8626, created on Jun 24, 2010, last review on Apr 25, 2014

  • Applies to:
  • Virtuozzo hypervisor 4.0 for Mac Bare Metal

Release notes

--------------------------------------------------------------------------------
Synopsis:          The new Parallels Server for Mac 4.0 Bare Metal Edition kernel
                   provides a number of important stability fixes and security
                   updates, and introduces a new feature.
Issue date:       2010-05-27
Product:            Parallels Server for Mac 4.0 Bare Metal Edition
Keywords:        'stability fixes' 'security updates' 'BSD process accounting'
                           'IO scheduler' 'NFSd virtualization' 'bridges virtualization'

--------------------------------------------------------------------------------

This document provides information on the new Parallels Server for Mac 4.0 Bare
Metal Edition kernel, version 2.6.18-028stab069.6.

©  1999-2010 Parallels, Inc. All rights reserved.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Server for Mac 4.0 Bare Metal Edition
kernel provides a new kernel based on the new Red Hat 5 kernel
(2.6.18-194.3.1.el5). The updated kernel includes a number of important
security and stability fixes from the Red Hat one. The kernel also adds support
for BSD process accounting (also referred to as pacct), NFSd, and bridges in
Containers, and provides some improvements in the IO scheduler implementation.

--------------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Parallels Server for Mac 4.0 Bare Metal Edition kernel includes
fixes for the following security vulnerabilities (including those that were
fixed in the 2.6.18-194.3.1.el5 Red Hat kernel):

- A race condition was found in the mac80211 implementation, a framework
  used for writing drivers for wireless devices. An attacker could trigger
  this flaw by sending a Delete Block ACK (DELBA) packet to a target system,
  resulting in a remote denial of service.
  Note: This issue only affected users on 802.11n networks who also use the
  iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important)

- A flaw was found in the gfs2_lock() implementation. The GFS2 locking code
  could skip the lock operation for files that have the S_ISGID bit
  (set-group-ID on execution) in their mode set. A local, unprivileged user
  on a system that has a GFS2 file system mounted could use this flaw to
  cause a kernel panic. (CVE-2010-0727, Moderate)

- A divide-by-zero flaw was found in the ext4 file system code. A local
  attacker could use this flaw to cause a denial of service by mounting a
  specially-crafted ext4 file system. (CVE-2009-4307, Low)

- A flaw was found in the Unidirectional Lightweight Encapsulation (ULE)
  implementation. A remote attacker could send a specially-crafted ISO
  MPEG-2 Transport Stream (TS) frame to a target system, resulting in an
  infinite loop (denial of service). (CVE-2010-1086, Important)

- On AMD64 systems, it was discovered that the kernel did not ensure the
  ELF interpreter was available before making a call to the SET_PERSONALITY
  macro. A local attacker could use this flaw to cause a denial of service by
  running a 32-bit application that attempts to execute a 64-bit application.
  (CVE-2010-0307, Moderate)

- A flaw was found in the kernel connector implementation. A local,
  unprivileged user could trigger this flaw by sending an arbitrary number
  of notification requests using specially-crafted netlink messages,
  resulting in a denial of service. (CVE-2010-0410, Moderate)

- A divide-by-zero flaw was found in the azx_position_ok() function in the
  driver for Intel High Definition Audio, snd-hda-intel. A local,
  unprivileged user could trigger this flaw to cause a kernel crash (denial
  of service). (CVE-2010-1085, Moderate)

- A NULL pointer dereference flaw was found in the sctp_rcv_ootb() function
  in the Linux kernel Stream Control Transmission Protocol (SCTP)
  implementation. A remote attacker could send a specially crafted SCTP
  packet to a target system, resulting in a denial of service.
  (CVE-2010-0008, Important)

- A missing boundary check was found in the do_move_pages() function in
  the memory migration functionality in the Linux kernel. A local user could
  use this flaw to cause a local denial of service or an information leak.
  (CVE-2010-0415, Important)

- A NULL pointer dereference flaw was found in the ip6_dst_lookup_tail()
  function in the Linux kernel. An attacker on the local network could
  trigger this flaw by sending IPv6 traffic to a target system, leading to a
  system crash (kernel OOPS) if dst->neighbour is NULL on the target system
  when receiving an IPv6 packet. (CVE-2010-0437, Important)

- A NULL pointer dereference flaw was found in the ext4 file system code in
  the Linux kernel. A local attacker could use this flaw to trigger a local
  denial of service by mounting a specially-crafted, journal-less ext4 file
  system, if that file system forced an EROFS error.
  (CVE-2009-4308, Moderate)

- An information leak was found in the print_fatal_signal() implementation
  in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to
  1 (the default value is 0), memory that is reachable by the kernel could be
  leaked to user-space. This issue could also result in a system crash. Note
  that this flaw only affected the i386 architecture.
  (CVE-2010-0003, Moderate)

- Missing capability checks were found in the ebtables implementation, used
  for creating an Ethernet bridge firewall. This could allow a local,
  unprivileged user to bypass intended capability restrictions and modify
  ebtables rules.
  (CVE-2010-0007, Low)

The updated Parallels Server for Mac 4.0 Bare Metal Edition kernel also includes fixes for
the following issues:

- The fnic driver flushed the Rx queue instead of the Tx queue after fabric
  login. This could cause crashes in some cases. (BZ#580829)

- On some systems, "kernel unaligned access" warnings were logged to the dmesg
  log. (BZ#580832)

- The error "Northbridge Error, node 1, core: -1 K8 ECC error" could occur on
  systems using the amd64_edac driver. (BZ#580836)

- In rare circumstances, when using kdump and booting a kernel with
  "crashkernel=128M@16M", the kdump kernel did not boot after a crash.
  (BZ#580838)

- TLB page table entry flushing was done incorrectly on IBM System z,
  possibly causing crashes, subtle data inconsistency, or other issues.
  (BZ#580839)

- iSCSI failover times were slower than in Red Hat Enterprise Linux 5.3.
  (BZ#580840)

- Fixed the floating point state corruption after a signal. (BZ#580841)

- In certain circumstances, under heavy load, certain network interface
  cards using the bnx2 driver and configured to use MSI-X, could stop
  processing interrupts, and then network connectivity would cease.
  (BZ#587799)

- cnic parts resets could cause a deadlock when the bnx2 device was
  enslaved in a bonding device and that device had an associated VLAN.
  (BZ#581148)

- AMD Magny-Cours systems panicked when booting a 32-bit kernel.
  (BZ#580846)

- A bug prevented Wake on LAN (WoL) from being enabled on certain Intel
  hardware. (BZ#543449)

- A race issue was discovered in the Journaling Block Device. (BZ#553132)

- Programs that were compiled on x86 and that called sched_rr_get_interval()
  were silently corrupted when run on 64-bit systems. (BZ#557684)

- The RHSA-2010:0019 update introduced a regression, preventing WoL from
  working for network devices using the e1000e driver. (BZ#559335)

- Adding a bonding interface in mode balance-alb to a bridge did not have
  any effect. (BZ#560588)

- On some systems, VF cannot be enabled in dom0. (BZ#560665)

- On systems with certain network cards, a system crash occurred after
  enabling GRO. (BZ#561417)

- Serious performance degradation could occur for 32-bit applications that
  map (mmap) thousands of small files when run on a 64-bit system. (BZ#562746)

- Improved kexec/kdump handling. Previously, on some systems under heavy
  load, kexec/kdump was not functional. (BZ#562772)

- dom0 was unable to boot when using the Xen hypervisor on a system with a
  large number of logical CPUs. (BZ#562777)

- A fix for a bug that could potentially cause file system corruption.
  (BZ#564281)

- A bug caused infrequent cluster issues for users of GFS2. (BZ#564288)

- gfs2_delete_inode failed on read-only file systems. (BZ#564290)

This update also includes fixes for the following Parallels Server 4.0 Bare
Metal issues:

- The IO scheduler should be improved to show better fairness and performance
  in certain circumstances.

- Posix CPU timers could stop working after migration.

- The IPv6 netfilter ULOG rule could save the information in logs on the
  Hardware Node instead of saving it inside Containers.

- A bug in ipv4 routing code could cause a network device leak.

- An online migration may fail when processes use shared memory areas
  that are not page-aligned.

- A Hardware Node may deadlock when generating a problem report.

The new kernel also introduces the following features:

- The ability to use kernel NFS servers inside Containers. To allow a Container
  to host an NFS server, you need to turn on the "nfsd" feature with the vzctl
  utility.

- The ability to create and manage bridge devices inside Containers.

- The ability to use the BSD process accounting feature inside Containers. The
  user can keep control over this feature using the accton, acctoff, and
  dump-acct tools.

We highly recommend that all Parallels Server for Mac 4.0 Bare Metal Edition
users update their kernel to the latest version.

--------------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the new
Parallels Server for Mac 4.0 Bare Metal Edition kernel:

- #469043: Unsynced VZFS inode's mode after updating ACL attributes.

- #469152: Adding veth interfaces screws up udevsettle.

- #469576: ip6tables rule logs are saved at the Hardware Node level.

- #473302: Bonding in 802.3ad mode does not work with kernels > 64.7.

- #474699: ITIMER_VIRTUAL & ITIMER_PROF timers stop working after migration.

- #457443: Errors after changing the CPU affinity for migration threads.

- #465930: Failed backups with ATI may leave Containers in "locked" state.

- #464371: NMI is triggered when generating a problem report.

- #429980: Migration fails if shared memory areas are not page-aligned.

- #470406: unregister_netdevice: waiting for venet0

--------------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Server for Mac 4.0 Bare Metal Edition distribution set.

--------------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Parallels Server 4.0
Bare Metal modules.

# rpm -ivh vzkernel-2.6.18-028stab069.6.i686.rpm \
vzmodules-2.6.18-028stab069.6.i686.rpm \
parallels-kmod-4.0.5648.553410-1.2.6.18_028stab069.6.x86_64.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]
    3:parallels-kmod         ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default.

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
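
After the reboot, it is worth confirming that the node is actually running this
build or a later one from the same branch. The shell sketch below is an added
example, not part of the original release notes or of Parallels tooling; the
function names and the sample inventory are constructed for illustration, and
releases from another base kernel or branch are reported as "unknown" rather
than compared.

```shell
#!/bin/sh
# Added example: compare a kernel release string against the build described
# in these release notes.
FIXED_RELEASE="2.6.18-028stab069.6"

# stab_key RELEASE -> "base branch stab minor" with leading zeros stripped,
# e.g. "2.6.18-028stab069.6" -> "2.6.18 28 69 6". Prints nothing when the
# string is not in <base>-<branch>stab<stab>.<minor> form. Zeros are stripped
# because values such as 028 and 069 must not be read as octal.
stab_key() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9.]*\)-0*\([0-9][0-9]*\)stab0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*$/\1 \2 \3 \4/p'
}

# kernel_status RELEASE -> "patched", "outdated" or "unknown".
kernel_status() {
    have=$(stab_key "$1")
    want=$(stab_key "$FIXED_RELEASE")
    [ -n "$have" ] || { echo unknown; return; }
    # $1-$4: base, branch, stab, minor of RELEASE; $5-$8: same for the fix.
    set -- $have $want
    # A different base kernel or branch is a different release line.
    [ "$1" = "$5" ] || { echo unknown; return; }
    [ "$2" = "$6" ] || { echo unknown; return; }
    if [ "$3" -gt "$7" ] || { [ "$3" -eq "$7" ] && [ "$4" -ge "$8" ]; }; then
        echo patched
    else
        echo outdated
    fi
}

# Constructed sample inventory: "<host> <output of uname -r>".
while read -r host rel; do
    printf '%-8s %-24s %s\n' "$host" "$rel" "$(kernel_status "$rel")"
done <<'EOF'
node-a 2.6.18-028stab069.6
node-b 2.6.18-028stab064.7
node-c 2.6.18-194.3.1.el5
EOF
```

On a Hardware Node, kernel_status "$(uname -r)" reports the status of the
running kernel.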

--------------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

   vzkernel-2.6.18-028stab069.6.x86_64.rpm
   vzmodules-2.6.18-028stab069.6.x86_64.rpm
   parallels-kmod-4.0.5648.553410-1.2.6.18_028stab069.6.x86_64.rpm

--------------------------------------------------------------------------------

7. REFERENCE LIST

https://rhn.redhat.com/errata/RHSA-2010-0147.html
https://rhn.redhat.com/errata/RHSA-2010-398.html
https://rhn.redhat.com/errata/RHSA-2010-178.html

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0727
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0307
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1085
