Kernel security update: Virtuozzo ReadyKernel patch 98.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-02-21

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-015

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the following kernels:

  • 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8)

  • 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1)

  • 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)

  • 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)

  • 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10)

  • 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1)

  • 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0)

  • 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure Platform 3.5)

NOTE: No more patches are planned for the kernel 3.10.0-862.9.1.vz7.63.3, support for which ends with this update.

2. Security Fixes

  • [Moderate] [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] xfs: potential denial of service caused by missing unlock operation in xfs_setattr_nonsize(). It was discovered that xfs_setattr_nonsize() would not unlock the ‘ILOCK’ lock if the user or group was out of disk quota. As a result, any subsequent operation that needed to take ‘ILOCK’ would get stuck, leading to a denial of service. (CVE-2019-15538)
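
The missing-unlock pattern described above, reduced to a user-space C model beside its corrected form (an added example, not Virtuozzo or XFS kernel code). The struct, the function names and the quota numbers are hypothetical, and the model lock returns -EBUSY where a kernel lock would block.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical model types and names; none of this is kernel code. */
struct model_inode {
    atomic_flag ilock;            /* stands in for the XFS ILOCK */
    long quota_used, quota_limit; /* constructed quota state */
    unsigned int gid;
};

void model_init(struct model_inode *ip, long used, long limit)
{
    atomic_flag_clear(&ip->ilock);
    ip->quota_used = used; ip->quota_limit = limit; ip->gid = 0;
}
/* A kernel lock would block when held; the model reports failure instead. */
static bool ilock_try(struct model_inode *ip) { return !atomic_flag_test_and_set(&ip->ilock); }
static void ilock_drop(struct model_inode *ip) { atomic_flag_clear(&ip->ilock); }

/* Defect pattern from the advisory: the quota error path skips the unlock. */
int setattr_leaky(struct model_inode *ip, unsigned int gid)
{
    if (!ilock_try(ip)) return -EBUSY;
    if (ip->quota_used >= ip->quota_limit)
        return -EDQUOT;           /* returns with ilock still held */
    ip->gid = gid;
    ilock_drop(ip);
    return 0;
}

/* Corrected form: every exit taken after the lock passes through one unlock. */
int setattr_fixed(struct model_inode *ip, unsigned int gid)
{
    int error = 0;
    if (!ilock_try(ip)) return -EBUSY;
    if (ip->quota_used >= ip->quota_limit) { error = -EDQUOT; goto out_unlock; }
    ip->gid = gid;
out_unlock:
    ilock_drop(ip);
    return error;
}

int main(void)
{
    struct model_inode ip;
    model_init(&ip, 10, 10);      /* constructed state: quota exhausted */
    int first = setattr_leaky(&ip, 5);
    int next = setattr_fixed(&ip, 5);
    printf("leaky call: %d, next operation on same inode: %d\n", first, next);
    return 0;
}
```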

3. Bug Fixes

  • [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ploop: holes in raw ploop images were handled incorrectly. (PSBM-101189)

  • [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] nf_tables: kernel crash in nft_rbtree_lookup(). (PSBM-101492)

  • [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ve: make it easier to analyze removal of system libraries in the containers. (PSBM-101595)

4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.