Critical product security update: Virtuozzo 6.0 Update 12 Hotfix 3 (6.0.12-3670)¶

1. Overview¶

The new packages for Virtuozzo 6.0.12 introducing security fixes as well as stability and usability bug fixes.

2. Security Fixes¶

• [Critical] A flaw found in the way prl-vzvncserver parsed terminal escape sequences that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to execute arbitrary code as host root. (PSBM-58281)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by exploiting the way it handled overlapping memory areas. (PSBM-58282)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to overwrite a small memory region of the prl-vzvncserver process. (PSBM-58280)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to cause allocation of a huge amount of memory. (PSBM-58099)

3. Bug Fixes¶

• Unable to install OS templates from RPM on Virtuozzo 6 nodes. (PSBM-59994)

• Attempts to perform certain operations on containers via prlctl (e.g., switching offline management) could fail. (PSBM-58505)

• Linux VMs with UEFI could not start after restore due to incorrectly generated NVRAM. (PSBM-52430)

4. Installing the Update¶

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-005.json.