Search

Language:  
Search for:

Available article translations:

CU-2.6.18-028stab098.1 Parallels Virtuozzo Containers for Linux 4.0 kernel update

APPLIES TO:
  • Parallels Virtuozzo Containers for Linux 4.0

Release notes

--------------------------------------------------------------------------------
Synopsis:          New Parallels Virtuozzo Containers 4.0 kernel provides an
                   update with security and stability fixes.
Issue date:        02-22-2012
Product:           Parallels Virtuozzo Containers 4.0
Keywords:          "bugfixing" "stability" "security"

--------------------------------------------------------------------------------

This document provides information on the new Parallels Virtuozzo Containers 4.0
kernel, version 2.6.18-028stab098.1.

--------------------------------------------------------------------------------
TABLE OF CONTENTS

1. About This Release
2. Update Description
3. Obtaining New Kernel
4. Installing New Kernel
5. Required RPMs
6. References

--------------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Parallels Virtuozzo Containers 4.0 kernel provides a
new kernel based on the Red Hat 5.7 kernel (2.6.18-275.18.1.el5). The updated
kernel includes a number of security and stability fixes.

--------------------------------------------------------------------------------

2. UPDATE DESCRIPTION

This update contains fixes for the following issues:

- After an online migration of a Container from a 32-bit Node to a 64-bit one,
  the Container could get stuck if "vdso" was enabled on the source Node. The
  "vdso" feature is disabled by default. (PCLIN-30423)

- A kernel panic in the icmp_send() function could occur due to a possible stack
  corruption in bridge code. (OVZ bug# 2047)

- A kernel panic could occur if a Container was allowed to use the functionality
  of the "xt_connlimit" module while denied access to the "ip_conntrack" module.
  (OVZ bug# 2136)

- Under certain conditions, a kernel panic could occur when processing the
  network traffic in bridged mode. (OVZ bug# 2125)


This update also contains fixes for the following security issues:

* Using PCI passthrough without interrupt remapping support allowed Xen
  hypervisor guests to generate MSI interrupts and thus potentially inject
  traps. A privileged guest user could use this flaw to crash the host or
  possibly escalate their privileges on the host. The fix for this issue can
  prevent PCI passthrough from working and guests from starting. Refer to Red Hat
  Bugzilla bug 715555 for details. (CVE-2011-1898, Important)

* A flaw was found in the way CIFS (Common Internet File System) shared
  with DFS how referrals at their root were handled. An attacker on the local
  network who was able to deploy a malicious CIFS server could create a CIFS
  network share that, when mounted, would cause the client's system to crash.
  (CVE-2011-3363, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's
  key management facility handled user-defined key types. A local, unprivileged
  user could use the keyctl utility to cause a denial of service.
  (CVE-2011-4110, Moderate)

* A flaw in the way memory-containing, security-related data was handled in
  tpm_read() could allow a local, unprivileged user to read the results of a
  previously run TPM command. (CVE-2011-1162, Low)

* A NULL pointer dereference flaw was found in the Linux kernel's HFS file
  system implementation. A local attacker could use this flaw to cause a denial
  of service by mounting a disk containing a specially-crafted HFS file
  system with a corrupted MDB extent record. (CVE-2011-2203, Low)

* The I/O statistics from the taskstats subsystem could be read without
  any restrictions. A local, unprivileged user could use this flaw to gather
  confidential information, such as the length of a password used in a process.
  (CVE-2011-2494, Low)

* A buffer overflow flaw was found in the way the Linux kernel's XFS file
  system implementation handled links with overly long path names. A local,
  unprivileged user could use this flaw to cause a denial of service or
  escalate their privileges by mounting a specially-crafted disk.
  (CVE-2011-4077, Important)

* The fix for CVE-2011-2482 provided by RHSA-2011:1212 introduced a
  regression: on systems that do not have Security-Enhanced Linux (SELinux) in
  Enforcing mode, a socket lock race could occur between sctp_rcv() and
  sctp_accept(). A remote attacker could use this flaw to cause a denial of
  service. By default, SELinux runs in Enforcing mode on Red Hat Enterprise
  Linux 5. (CVE-2011-4348, Important)

* The proc file system could allow a local, unprivileged user to obtain
  sensitive information or possibly cause integrity issues. (CVE-2011-1020,
  Moderate)

* A missing validation flaw was found in the Linux kernel's m_stop()
  implementation. A local, unprivileged user could use this flaw to trigger a
  denial of service. (CVE-2011-3637, Moderate)

* A flaw was found in the Linux kernel's Journaling Block Device (JBD).
  A local attacker could use this flaw to crash the system by mounting a
  specially-crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate)

* A flaw was found in the Linux kernel's encode_share_access()
  implementation. A local, unprivileged user could use this flaw to trigger a
  denial of service by creating a regular file on an NFSv4 (Network File System
  version 4) file system via mknod(). (CVE-2011-4324, Moderate)

* A flaw was found in the Linux kernel's NFS implementation. A local,
  unprivileged user could use this flaw to cause a denial of service.
  (CVE-2011-4325, Moderate)

* A missing boundary check was found in the Linux kernel's HFS file system
  implementation. A local attacker could use this flaw to cause a denial of
  service or escalate their privileges by mounting a specially-crafted disk.
  (CVE-2011-4330, Moderate)

* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes
  resulted in the requests being passed to the underlying block device. If a
  privileged user only had access to a single partition or LVM volume, they
  could use this flaw to bypass those restrictions and gain read and write
  access (and be able to issue other SCSI commands) to the entire block device.
  Refer to Red Hat Knowledgebase article DOC-67874, linked to in the
  References, for further details about this issue. (CVE-2011-4127, Important)

* A flaw was found in the way the Linux kernel handled robust list pointers
  of user-space held futexes across exec() calls. A local, unprivileged user
  could use this flaw to cause a denial of service or, eventually, escalate
  their privileges. (CVE-2012-0028, Important)

* A flaw was found in the Linux kernel in the way splitting two extents in
  ext4_ext_convert_to_initialized() worked. A local, unprivileged user with the
  ability to mount and unmount ext4 file systems could use this flaw to cause a
  denial of service. (CVE-2011-3638, Moderate)

* A flaw was found in the way the Linux kernel's journal_unmap_buffer()
  function handled buffer head states. On systems that have an ext4 file system
  with a journal mounted, a local, unprivileged user could use this flaw to
  cause a denial of service. (CVE-2011-4086, Moderate)

* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query()
  function. An attacker able to send certain IGMP (Internet Group Management
  Protocol) packets to a target system could use this flaw to cause a denial of
  service. (CVE-2012-0207, Moderate)

--------------------------------------------------------------------------------

3. OBTAINING NEW KERNEL

You can download and install this kernel update using the vzup2date utility
included in the Parallels Virtuozzo Containers 4.0 distribution set.

--------------------------------------------------------------------------------

4. INSTALLING NEW KERNEL

To install the update, do the following:

I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.

# rpm -ivh vzkernel-2.6.18-028stab098.1.i686.rpm \
vzmodules-2.6.18-028stab098.1.i686.rpm
Preparing...                ################################# [100%]
    1:vzkernel               ################################# [50%]
    2:vzmodules              ################################# [100%]

    Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
    all the kernels previously installed on your system may be removed from
    the Hardware Node.

II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the "lilo" command to write the changes to the boot sector:

     # lilo
     Added Virtuozzo2 *
     Added Virtuozzo1
     Added linux
     Added linux-up

III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.

--------------------------------------------------------------------------------

5. REQUIRED RPMS

Depending on the processor installed on the Hardware Node, the following RPM
packages are included in the kernel update:

x86 kernels:

- SMP:
   vzkernel-2.6.18-028stab098.1.i686.rpm
   vzmodules-2.6.18-028stab098.1.i686.rpm

- Enterprise:
   vzkernel-ent-2.6.18-028stab098.1.i686.rpm
   vzmodules-ent-2.6.18-028stab098.1.i686.rpm

- Enterprise with the 4GB split feature disabled:
   vzkernel-PAE-2.6.18-028stab098.1.i686.rpm
   vzmodules-PAE-2.6.18-028stab098.1.i686.rpm


x86_64 kernels:

- SMP:
   vzkernel-2.6.18-028stab098.1.x86_64.rpm
   vzmodules-2.6.18-028stab098.1.x86_64.rpm

--------------------------------------------------------------------------------

6. REFERENCES

https://rhn.redhat.com/errata/RHSA-2011-1479.html
https://www.redhat.com/security/data/cve/CVE-2011-1162.html
https://www.redhat.com/security/data/cve/CVE-2011-1898.html
https://www.redhat.com/security/data/cve/CVE-2011-2203.html
https://www.redhat.com/security/data/cve/CVE-2011-2494.html
https://www.redhat.com/security/data/cve/CVE-2011-3363.html
https://www.redhat.com/security/data/cve/CVE-2011-4110.html

https://rhn.redhat.com/errata/RHSA-2012-0007.html
https://www.redhat.com/security/data/cve/CVE-2011-1020.html
https://www.redhat.com/security/data/cve/CVE-2011-3637.html
https://www.redhat.com/security/data/cve/CVE-2011-4077.html
https://www.redhat.com/security/data/cve/CVE-2011-4132.html
https://www.redhat.com/security/data/cve/CVE-2011-4324.html
https://www.redhat.com/security/data/cve/CVE-2011-4325.html
https://www.redhat.com/security/data/cve/CVE-2011-4330.html
https://www.redhat.com/security/data/cve/CVE-2011-4348.html

https://rhn.redhat.com/errata/RHSA-2012-0107.html
https://www.redhat.com/security/data/cve/CVE-2011-3638.html
https://www.redhat.com/security/data/cve/CVE-2011-4086.html
https://www.redhat.com/security/data/cve/CVE-2011-4127.html
https://www.redhat.com/security/data/cve/CVE-2012-0028.html
https://www.redhat.com/security/data/cve/CVE-2012-0207.html

--------------------------------------------------------------------------------
Copyright (c) 1999-2012 Parallels Holdings, Ltd. and its affiliates. All rights
reserved.



909d99074e442b52ce54cc7b31cf065d eb0ea3b827d18de2329b6477e24c1d59 9bccb04d0396d587d8123e5e12b4740e 2897d76d56d2010f4e3a28f864d69223

FEEDBACK
Was this article helpful?
Tell us how we may improve it.
Yes No
 
 
 
 
 
 
Desktop Virtualization
- Parallels Desktop 8 for Mac
- Parallels Transporter
- Parallels Desktop Switch to Mac Edition
- Parallels Desktop for Mac Enterprise Edition
- Parallels Management-Mac for Microsoft SCCM
Server Virtualization
- Parallels Cloud Server
- Parallels Containers for Windows 6.0 Beta
- Parallels Virtuozzo Containers
Automation
- Parallels Automation
- Parallels Automation for Cloud Infrastructure
- Parallels Business Automation Standard
- Parallels Virtual Automation
- Parallels Plesk Panel Suite
- Web Presence Builder
- Parallels Plesk Automation
- Parallels Small Business Panel
- Value-added Services for Hosters
- Parallels Partner Storefront
Services & Resources
- Cloud Acceleration Services
- Professional Services
- Support Services
- Training & Certification