Release notes
--------------------------------------------------------------------------------
Synopsis: New Virtuozzo 3.0 kernel provides a fix for an important
security vulnerability.
Issue date: 2009-11-06
Product: Virtuozzo 3.0
Keywords: security updates
--------------------------------------------------------------------------------
This document provides information on the new Virtuozzo 3.0 kernel, version
2.6.9-023stab051.3.
© 1999-2009 Parallels Holdings, Ltd. and its affiliates. All rights reserved.
--------------------------------------------------------------------------------
TABLE OF CONTENTS
1. About This Release
2. Updates Description
3. Bugs Fixed
4. Obtaining New Kernel
5. Installing New Kernel
6. Required RPMs
7. Reference List
--------------------------------------------------------------------------------
1. ABOUT THIS RELEASE
The current update for the Virtuozzo 3.0 kernel provides a fix for an important
security vulnerability.
--------------------------------------------------------------------------------
2. UPDATES DESCRIPTION
The updated Virtuozzo 3.0 kernel includes a fix for the following security
vulnerability fixed in the 2.6.9-89.0.16.EL Red Hat kernel:
- A NULL pointer dereference flaw was found in each of the following functions
in the Linux kernel: pipe_read_open(), pipe_write_open(), and
pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could
be released by other processes before it is used to update the pipe's reader
and writer counters. This could lead to a local denial of service or
privilege escalation. (CVE-2009-3547, Important)
We highly recommend that all Virtuozzo 3.0 users update their kernel to the
latest version.
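The locking flaw described in this section, shown as a simplified user-space model of the flawed and the hardened open path. This is an added example, not kernel source and not the vendor's patch: the struct layout, the function names and the -ENOENT return value are assumptions made for illustration.

```c
/* Added example: user-space model, not kernel source. The names i_pipe,
 * readers and writers follow the release note; the rest is assumed. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

struct pipe_info { unsigned int readers, writers; };

struct inode_model {
    pthread_mutex_t i_mutex;      /* guards i_pipe and its counters */
    struct pipe_info *i_pipe;     /* NULL once the pipe is released */
};

/* Flawed pattern: i_pipe is used without holding the lock, so a
 * concurrent release can leave it NULL at the dereference. */
int open_rdwr_unlocked(struct inode_model *inode)
{
    inode->i_pipe->readers++;
    inode->i_pipe->writers++;
    return 0;
}

/* Hardened pattern: take the lock, check the pointer, and update the
 * counters inside the same critical section. */
int open_rdwr_locked(struct inode_model *inode)
{
    int ret = -ENOENT;            /* pipe already gone: fail the open */

    pthread_mutex_lock(&inode->i_mutex);
    if (inode->i_pipe != NULL) {
        inode->i_pipe->readers++;
        inode->i_pipe->writers++;
        ret = 0;
    }
    pthread_mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Release path: clears the pointer under the same lock. */
void release_pipe(struct inode_model *inode)
{
    pthread_mutex_lock(&inode->i_mutex);
    inode->i_pipe = NULL;
    pthread_mutex_unlock(&inode->i_mutex);
}
```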
--------------------------------------------------------------------------------
3. BUGS FIXED
The following bug from the previous release has been fixed in the new
Virtuozzo 3.0 kernel:
- #456381: A kernel panic due to a NULL pointer dereference in pipe_rdwr_open()
(CVE-2009-3547)
The following OpenVZ bug has been fixed:
- #1358: "OpenVZ 2.6.18-x"-based kernels are vulnerable to CVE-2009-3547.
--------------------------------------------------------------------------------
4. OBTAINING NEW KERNEL
You can download and install the kernel update by using the vzup2date utility
included in the Virtuozzo 3.0 distribution set.
--------------------------------------------------------------------------------
5. INSTALLING NEW KERNEL
To install the update, perform the following operations:
I. Use the "rpm -ihv" command to install the new kernel and Virtuozzo modules.
    # rpm -ivh vzkernel-smp-2.6.9-023stab051.3.i686.rpm \
    vzmodules-smp-2.6.9-023stab051.3.i686.rpm
    Preparing... ################################# [100%]
    1:vzkernel-smp ################################# [50%]
    2:vzmodules-smp ################################# [100%]
   Please DO NOT USE the "rpm -Uhv" command to install the kernel. Otherwise,
   all the kernels previously installed on your system may be removed from
   the Hardware Node.
II. You can adjust your boot loader configuration file to have the new kernel
    loaded by default. If you use the LILO bootloader, please do not forget to
    execute the 'lilo' command to write the changes to the boot sector:
    # lilo
    Added Virtuozzo2 *
    Added Virtuozzo1
    Added linux
    Added linux-up
III. Reboot your computer with the "shutdown -r now" command to boot the new
     kernel.
--------------------------------------------------------------------------------
6. REQUIRED RPMS
Depending on the kind of processor on your Hardware Node, the following RPM
packages are included in the kernel update:
x86 kernels:
- Uniprocessor:
vzkernel-2.6.9-023stab051.3.i686.rpm
vzmodules-2.6.9-023stab051.3.i686.rpm
- SMP:
vzkernel-smp-2.6.9-023stab051.3.i686.rpm
vzmodules-smp-2.6.9-023stab051.3.i686.rpm
- Enterprise:
vzkernel-enterprise-2.6.9-023stab051.3.i686.rpm
vzmodules-enterprise-2.6.9-023stab051.3.i686.rpm
- Enterprise with the 4GB split feature disabled:
vzkernel-entnosplit-2.6.9-023stab051.3.i686.rpm
vzmodules-entnosplit-2.6.9-023stab051.3.i686.rpm
x86_64 kernels:
- Uniprocessor:
vzkernel-2.6.9-023stab051.3.x86_64.rpm
vzmodules-2.6.9-023stab051.3.x86_64.rpm
- SMP:
vzkernel-smp-2.6.9-023stab051.3.x86_64.rpm
vzmodules-smp-2.6.9-023stab051.3.x86_64.rpm
--------------------------------------------------------------------------------
7. REFERENCE LIST
The following references have been used in this document:
https://rhn.redhat.com/errata/RHSA-2009-1541.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3547