Important kernel security update: Virtuozzo ReadyKernel patch 89.2 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
Issue date: 2019-10-16
Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0
Virtuozzo Advisory ID: VZA-2019-081
1. Overview
The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the following kernels:
3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2)
3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3)
3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8)
3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1)
3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)
3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)
3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10)
3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1)
3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0)
2. Security Fixes
[Important] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Use-after-free in __blk_drain_queue() function. It was found that a use-after-free condition could be triggered in the block device subsystem while the outstanding command queue was drained. A patient local attacker can use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2018-20856)
[Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] tun: potential kernel crash when TUNSETIFF ioctl operation is used for a device with an invalid name. (CVE-2018-7191)
[Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Certain operations with iptables in a container may crash the kernel. (PSBM-98522)
[Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] A container that tries to mount NFS shares may cause the whole system to hang in certain conditions. (PSBM-98297)
3. Bug Fixes
[3.10.0-862.20.2.vz7.73.24 to 3.10.0-957.12.2.vz7.96.21] sunrpc: kernel crash in svcauth_unix_set_client(). (PSBM-97738)
[3.10.0-957.12.2.vz7.96.21] Base ploop images containing holes could become larger than needed after merge. (PSBM-98313)
4. Installing the Update
Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.
5. References
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-89.2-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-89.2-1.vl7/
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-081.json.