CU-2.6.9-023stab044.11

Article ID: 2215 
Last Review: Oct,01 2007
APPLIES TO:
  • Parallels Virtuozzo Containers for Linux

RESOLUTION

------------------------------------------------------------------------
Synopsis: New Virtuozzo 3.0 kernel provides an important security fix
for the x86_64 architecture and several driver updates.
Issue date: 2007-10-01
Product: Virtuozzo 3.0
Keywords: security, driver update
------------------------------------------------------------------------

This document provides information on the new Virtuozzo 3.0 kernel,
version 2.6.9-023stab044.11.

(c) SWsoft, 2007. All rights reserved.

------------------------------------------------------------------------

TABLE OF CONTENTS

1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List

------------------------------------------------------------------------

1. ABOUT THIS RELEASE

The current update for the Virtuozzo 3.0 kernel provides an important
security fix for the x86_64 architecture, several driver updates, and
a number of other fixes.

------------------------------------------------------------------------

2. UPDATES DESCRIPTION

The updated Virtuozzo 3.0 kernel includes the fix for the following
security vulnerability:

- [x86_64]: A flaw was found in the IA32 system call emulation
provided on AMD64 and Intel 64 platforms. An improperly validated
64-bit value could be stored in the %RAX register, which could
trigger an out-of-bounds system call table access. An untrusted
local user could exploit this flaw to run code in the kernel
(i.e. a root privilege escalation) (CVE-2007-4573).


The updated Virtuozzo 3.0 kernel includes the fix for the following
issue:

- Incorrect and confusing messages about the alleged expiration of the
Virtuozzo license (the VEs are not stopped).


The updated Virtuozzo 3.0 kernel includes several updated drivers:

- Areca RAID Controller driver
(arcmsr driver 1.20.0X.14 version, memory leak fix)

- RealTek RTL8169s/8110s Gigabit Ethernet driver
(r8169 driver 2.2LK-NAPI version, new devices support)


In addition, the new Virtuozzo 3.0 kernel includes the following improvements:

- The kernel has been rebased on the 2.6.9-55.0.2.EL4 Red Hat kernel.

- The support for RAID Level 6 has been added.


We highly recommend that all Virtuozzo 3.0 users update their kernel
to the latest version.

------------------------------------------------------------------------

3. BUGS FIXED

The following bugs from the previous release have been fixed in the
new Virtuozzo 3.0 kernel:

- #92166: [x86_64]: Zero extend all registers after ptrace in 32bit entry
path (CVE-2007-4573).

- #83557: A race between parallel readings from /proc/vz/hwid, which can
lead to a wrong hwid detection.

- #87569: Memory leaks in 'arcmsr' driver when using Areca CLI monitoring
utility.

- #19950: The support for Realtek RTL8111/8168B PCI Express Gigabit Ethernet
controller should be added.

- #87220: The support for RAID Level 6 should be added.


The following OpenVZ bug has been fixed:

- #632: Per-user/group disk quota doesn't work inside a VE.

------------------------------------------------------------------------

4. OBTAINING NEW KERNEL

You can get this kernel update in one of the following ways:

- You can download the update from ftp://downloads.swsoft.com.
If you do not have an ftp account, please contact pavel@swsoft.com.

- You can download and install the update by using the vzup2date
utility included in the Virtuozzo 3.0 distribution set.

------------------------------------------------------------------------

5. INSTALLING NEW KERNEL

To install the update, you should perform the following operations:

I. Use the "rpm -ihv" command to install the new kernel and
Virtuozzo modules.

    # rpm -ivh vzkernel-smp-2.6.9-023stab044.11.i686.rpm \
          vzmodules-smp-2.6.9-023stab044.11.i686.rpm
    Preparing...     ################################# [100%]
    1:vzkernel-smp   ################################# [50%]
    2:vzmodules-smp  ################################# [100%]

Please DO NOT USE the "rpm -Uhv" command to install the kernel.
Otherwise, all the kernels previously installed on your system
may be removed from the Hardware Node.

II. You can adjust your boot loader configuration file to have the
new kernel loaded by default. If you use the LILO bootloader,
please do not forget to execute the 'lilo' command to write
the changes to the boot sector:

    # lilo
    Added Virtuozzo2 *
    Added Virtuozzo1
    Added linux
    Added linux-up

III. Reboot your computer with the "shutdown -r now" command to
boot the new kernel.
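
Because "rpm -ivh" leaves the older kernels installed, a Hardware Node can
reboot into a kernel that still lacks the CVE-2007-4573 fix if the boot loader
default was not changed. The script below is an added example, not part of the
original notice: it compares a kernel release string with the fixed build
2.6.9-023stab044.11. The function names are hypothetical, and the flavour
suffix (such as "-smp") in the output of "uname -r" is an assumption.

```shell
#!/bin/sh
# Added example (not from the SWsoft notice): tell whether a Virtuozzo 3.0
# kernel release is at or above the build that carries the CVE-2007-4573 fix.
FIXED_RELEASE="2.6.9-023stab044.11"

# Print "<branch> <stab> <minor>" for strings such as
# "2.6.9-023stab044.11-smp" or "vzkernel-smp-2.6.9-023stab044.11".
# Returns 1 when the string is not a 2.6.9 Virtuozzo build.
vz_release_fields() {
    printf '%s\n' "$1" | sed -n \
        's/^\(.*-\)\{0,1\}2\.6\.9-\([0-9][0-9]*\)stab\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\2 \3 \4/p' |
        grep .
}

# Echo "fixed", "needs-update" or "unknown" for one release string.
vz_fix_status() {
    want=$(vz_release_fields "$FIXED_RELEASE")
    have=$(vz_release_fields "$1") || { echo unknown; return 0; }
    # awk compares field by field as numbers, so leading zeros ("044")
    # and multi-digit minors ("4" versus "11") are ordered correctly.
    echo "$have $want" | awk '{
        for (i = 1; i <= 3; i++) {
            if ($i + 0 > $(i + 3) + 0) { print "fixed"; exit }
            if ($i + 0 < $(i + 3) + 0) { print "needs-update"; exit }
        }
        print "fixed"
    }'
}

# Report on the kernel that is actually running after the reboot.
# The notice lists the security flaw for the x86_64 architecture.
check_running_kernel() {
    echo "running $(uname -r) on $(uname -m): $(vz_fix_status "$(uname -r)")"
}

check_running_kernel
```

A result of "unknown" means the running kernel is not a 2.6.9 Virtuozzo
build, for example a stock Red Hat kernel still selected in the boot loader.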

------------------------------------------------------------------------

6. REQUIRED RPMS

Depending on the kind of processor on your Hardware
Node, the following RPM packages are included in the kernel update:

x86 kernels:

- Uniprocessor:
vzkernel-2.6.9-023stab044.11.i686.rpm
vzmodules-2.6.9-023stab044.11.i686.rpm

- SMP:
vzkernel-smp-2.6.9-023stab044.11.i686.rpm
vzmodules-smp-2.6.9-023stab044.11.i686.rpm

- Enterprise:
vzkernel-enterprise-2.6.9-023stab044.11.i686.rpm
vzmodules-enterprise-2.6.9-023stab044.11.i686.rpm

- Enterprise with the 4GB split feature disabled:
vzkernel-entnosplit-2.6.9-023stab044.11.i686.rpm
vzmodules-entnosplit-2.6.9-023stab044.11.i686.rpm


x86_64 kernels:

- Uniprocessor:
vzkernel-2.6.9-023stab044.11.x86_64.rpm
vzmodules-2.6.9-023stab044.11.x86_64.rpm

- SMP:
vzkernel-smp-2.6.9-023stab044.11.x86_64.rpm
vzmodules-smp-2.6.9-023stab044.11.x86_64.rpm

ia64 kernel:
vzkernel-2.6.9-023stab044.11.ia64.rpm
vzmodules-2.6.9-023stab044.11.ia64.rpm

------------------------------------------------------------------------

7. REFERENCE LIST

The following references have been used in this document:

- https://rhn.redhat.com/errata/RHSA-2007-0937.html

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4573
Keywords: update
