Download/kernel/rhel4/023stab048.4/changes

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search

Changes

  • Rebase to newer RHEL4 kernel (2.6.9-67.0.20.EL)
  • Security updates, driver updates, stability fixes

Configs

Update description

The updated kernel includes fixes for the following security vulnerabilities, which were fixed in the 2.6.9-67.0.1.EL to 2.6.9-67.0.20.EL Red Hat kernels:

  • A flaw was found in the handling of IEEE 802.11 frames, which affected several wireless LAN modules. In certain situations, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network, causing a denial of service (kernel crash). (CVE-2007-4997, Important)
  • A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important)
  • A flaw was found in the virtual filesystem (VFS). A local unprivileged user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important)
  • A flaw was found in the implementation of ptrace. A local unprivileged user could trigger this flaw and possibly cause a denial of service (system hang). (CVE-2007-5500, Important)
  • A flaw was found in the way the Red Hat Enterprise Linux 4 kernel handled page faults when a CPU used the NUMA method for accessing memory on Itanium architectures. A local unprivileged user could trigger this flaw and cause a denial of service (system panic). (CVE-2007-4130, Important)
  • A possible NULL pointer dereference was found in the chrp_show_cpuinfo function when using the PowerPC architecture. This might allow a local unprivileged user to cause a denial of service (crash). (CVE-2007-6694, Moderate)
  • A flaw was found in the way core dump files were created. If a local user could get a root-owned process to dump a core file into a directory, which the user had write access to, they could gain read access to that core file. This could potentially grant unauthorized access to sensitive information. (CVE-2007-6206, Moderate)
  • Two buffer overflow flaws were found in the Linux kernel ISDN subsystem. A local unprivileged user could use these flaws to cause a denial of service. (CVE-2007-6063, CVE-2007-6151, Moderate)
  • A buffer overflow flaw was found in the CIFS virtual file system. A remote authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate)
  • The absence of a protection mechanism when attempting to access a critical section of code was found in the Linux kernel open file descriptors control mechanism, fcntl. This could allow a local unprivileged user to simultaneously execute the code that would otherwise be protected against parallel execution. Additionally, a race condition during the handling of locks in the Linux kernel fcntl functionality might allow a process belonging to a local unprivileged user to gain re-ordered access to the descriptor table. (CVE-2008-1669, Important)
  • On AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash). (CVE-2008-1615, Important)
  • The absence of a protection mechanism when attempting to access a critical section of code, as well as a race condition, were found in the Linux kernel file system event notifier, dnotify. This could allow a local unprivileged user to make data inconsistent or to send arbitrary signals to arbitrary system processes. (CVE-2008-1375, Important)
  • When accessing kernel memory locations, certain Linux kernel drivers registering a fault handler did not perform the required range checks. A local unprivileged user could use this flaw to gain read or write access to arbitrary kernel memory, or possibly cause a kernel crash. (CVE-2008-0007, Important)
  • The possibility of a kernel crash was found in the Linux kernel IPsec protocol implementation, due to improper handling of fragmented ESP packets. When an attacker controlling an intermediate router fragmented these packets into very small pieces, it would cause a kernel crash on the receiving node during packet reassembly. (CVE-2007-6282, Important)
  • A flaw in the MOXA serial driver could allow a local unprivileged user to perform privileged operations, such as replacing firmware. (CVE-2005-0504, Important)
  • A security flaw was found in the Linux kernel memory copy routines, when running on certain AMD64 systems. If an unsuccessful attempt to copy kernel memory from source to destination memory locations occurred, the copy routines did not zero the content at the destination memory location. This could allow a local unprivileged user to view potentially sensitive data. (CVE-2008-2729, Important)
  • Alexey Dobriyan discovered a race condition in the Linux kernel process-tracing system call, ptrace. A local unprivileged user could use this flaw to cause a denial of service (kernel hang). (CVE-2008-2365, Important)
  • Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary that would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important)
  • It was discovered that the Linux kernel handled string operations in the opposite way to the GNU Compiler Collection (GCC). This could allow a local unprivileged user to cause memory corruption. (CVE-2008-1367, Low)

The updated kernel includes fixes for the following issues:

  • A kernel crash might happen due to a bug in CIFS code. The crash ended with the following message: "CIFS VFS: close with pending writes".
  • A kernel crash might occur due to a race during a UDP socket release.
  • [CPT]: A kernel crash might happen during an online migration if the container being migrated contained a process that had a big file (>2Gb) opened for write only and that file had been already deleted from the filesystem.
  • There could appear processes consuming 100% of the CPU if the "tcpsndbuf" limit were exceeded. The processes broke busy loops if a signal was sent to them, for example, if there was an attempt to strace the process.
  • Stopping a container might fail due to positive refcounters on a network device (with the following warnings: "unregister_netdevice: waiting for lo to become free. Usage count = 7"). This might render the Hardware Node unreachable via ssh until the reboot.
  • /proc/stat reported the non-virtualized btime (boot time), which sometimes confused the tools that used that value to calculate process times.
  • The "sys.ipv4.conf.default" sysctl did not have any affect inside a container.
  • The traffic accounting statistics could not be reset without a Hardware Node restart.
  • The load average statistics got broken after setting the number of vCPUs available to the container.

The updated kernel includes a number of updated drivers:

  • MegaRAID driver for SAS-based RAID controllers (megaraid_sas driver 00.00.03.18-rh1 version)
  • 3ware 9000 Storage Controller driver (3w-9xxx driver 2.26.07.003 version, in particular, support for 3Ware 9690SA Controller has been added)

Besides, the new kernel includes the following improvements:

  • The kernel has been re-based on the 2.6.9-67.0.20.EL Red Hat kernel.
  • [CPT]: The support for SYSV message queues has been added to the checkpointing code. Previous kernels denied the online migration of a container if any of its processes used SYSV message queues. The error message was the following: "CPT ERR: ... :SYSV msgqueues are not supported". In particular, this enhancement allows the online migration of those containers that run the IBM DB2 software.
  • An empty /proc/devices file has been added to a VE to avoid /sbin/MAKEDEV's warning: "can't read /proc/devices".
  • An out of socket memory warning has been enhanced to report the ID of the container that produced this warning.
  • A warning about the time wait bucket table overflow has been enhanced to report the ID of the container that produced this warning.

Bugs fixed

The following bugs from the previous release have been fixed in the new kernel:

  • #114500: The megaraid_sas driver should be updated to avoid "Rejecting I/O to offline device" messages on controllers with new firmware.
  • #100727: Support for 3ware 9690SA Controller should be added.
  • #114887: /proc/stat reports non-virtualized btime
  • #114847: /sbin/MAKEDEV: warning: can't read /proc/devices.
  • #113087: Network device leak if refcount remains positive for too long.
  • #99542: [CPT]: temporary files should be created with O_LARGEFILE flag during checkpointing and restore process.
  • #112170: Possible double free for UDP socket.
  • #112103: An endless loop is possible while waiting for TCPSNDBUF memory if timeout is not specified.
  • #111468: A memory leak in venet_acct_set_base() leads to inability to reset traffic network statistics.
  • #96405: A kernel panic in cifs_write().
  • #92414: Support for SYSV message queues online migration should be added.

The following OpenVZ bugs have been fixed:

  • #828: /proc/stat reports non-virtualized btime
  • #826: Sysctl "sys.ipv4.conf.default" does not work inside a container.
  • #760: A warning "Out of socket memory" should print the ID of the container that triggers it.
  • #767: A warning "TCP: time wait bucket table overflow" should print the ID of the container that triggers it.
  • #732: Loadavg statistics should be merged when removing a vCPU from a container.

References

The following references have been used in this document: