Bug 285998 - openvz-sources version bump to fix CVEs and other issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
Reported: 2009-09-22 18:34 UTC by Jeff Mitchell
Modified: 2009-09-22 23:57 UTC

Attachments
Patch with updated ebuild and patches as described. (ovz-64.7.patch,37.43 KB, patch)
2009-09-22 18:39 UTC, Jeff Mitchell

Description Jeff Mitchell 2009-09-22 18:34:56 UTC
Marking as critical due to multiple unpatched CVEs and potential unpatched kernel panics.

OpenVZ has had two releases since the current one in portage, which fix a large number of CVEs:

http://wiki.openvz.org/Download/kernel/rhel5/028stab064.4
http://wiki.openvz.org/Download/kernel/rhel5/028stab064.7

I would recommend that a new ebuild be pushed (which I will attach to this bug report momentarily).

In addition, the diff contains three patches, which you can keep or discard as you wish (but which we will be using in Funtoo).

The first, a syscall fix, is a fix from February that fixes issues running i386/i486 32-bit code on an amd64 kernel with newer glibc. The OpenVZ folks have been made aware of the problem (http://bugzilla.openvz.org/show_bug.cgi?id=1336) and are going to integrate it at some point, but this provides the fix until then. This affects running i386/i486 32-bit guests on an amd64 kernel...see also http://bugs.gentoo.org/show_bug.cgi?id=279260.

The second patch fixes a problem with bridges...explanation:

"This simple patch prevents a bridge from getting a new MAC when you add a new device to the bridge. The bridge will keep using the MAC of the first added child interface.

For bridges with assigned IPs, this is important to prevent stale ARP caches and delayed network communications. It does not appear to have any adverse effects at all. If you remove the first interface, only then will it switch to a new MAC. The current behavior is to change the MAC whenever a new device is added. For virtual bridges, this is not optimal behavior."

Finally, the third patch is one that was recommended to be applied by OpenVZ developers to fix compilation when using CIFS (see http://bugzilla.openvz.org/show_bug.cgi?id=1337 which links to http://bugzilla.openvz.org/show_bug.cgi?id=1279).

Reproducible: Always
Comment 1 Jeff Mitchell 2009-09-22 18:39:00 UTC
Created attachment 204959
Patch with updated ebuild and patches as described.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2009-09-22 20:19:20 UTC
Thank you for the report, Jeff. But we already dropped 2.6.18 kernels from the tree. Is there anything left for us to do?
Comment 3 Jeff Mitchell 2009-09-22 20:52:31 UTC
You hadn't when I wrote this. But I'll repeat my comment from bug 279260:

The RHEL/OpenVZ-patch 2.6.18 kernel is the only supported OpenVZ kernel by
upstream, and the only one supporting resource limits. Dropping it from the
tree would be a large mistake for OpenVZ-on-Gentoo users.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2009-09-22 23:57:42 UTC
Jeff, updated kernel is in the tree.

And follow up bug 279260. Feel free to report new version bumps or whatever patches you want. Since you use this kernel more I believe you here more )

Anyway this bug is fixed since it affects ~arch.