Virtuozzo Advisory Archive


July 23, 2021

Virtuozzo International GmbH
Vordergasse 59
8200 Schaffhausen
Switzerland
Tel: + 41 52 632 0411
Fax: + 41 52 672 2010
https://virtuozzo.com

Copyright ©2016-2021 Virtuozzo International GmbH. All rights reserved.

This product is protected by United States and international copyright laws. The product’s underlying technology, patents, and trademarks are listed at .

Microsoft, Windows, Windows Server, Windows NT, Windows Vista, and MS-DOS are registered trademarks of Microsoft Corporation.

Apple, Mac, the Mac logo, Mac OS, iPad, iPhone, iPod touch, FaceTime HD camera and iSight are trademarks of Apple Inc., registered in the US and other countries.

Linux is a registered trademark of . All other marks and names mentioned herein may be trademarks of their respective owners.

Contents

1. Virtuozzo Hybrid Infrastructure
1.1 Virtuozzo Hybrid Infrastructure 4.6 Hotfix 2 (4.6.0-213)
1.1.1 1. Overview
1.1.2 2. Bug Fixes
1.1.3 3. Installing the Update
1.2 Virtuozzo Hybrid Infrastructure 4.6 Hotfix 1 (4.6.0-209)
1.2.1 1. Overview
1.2.2 2. Bug Fixes
1.2.3 3. Installing the Update
1.3 Virtuozzo Hybrid Infrastructure 4.6 (4.6.0-208)
1.3.1 1. Overview
1.3.2 2. New Features
1.3.3 3. Important Notes
1.3.4 4. Bug Fixes
1.3.5 5. Known Issues
1.3.6 6. Installing the Update
1.4 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 3 (4.5.1-42)
1.4.1 1. Overview
1.4.2 2. Bug Fixes
1.4.3 3. Installing the Update
1.5 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 2 (4.5.1-34)
1.5.1 1. Overview
1.5.2 2. Bug Fixes
1.5.3 3. Installing the Update
1.6 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 1 (4.5.1-31)
1.6.1 1. Overview
1.6.2 2. Bug Fixes
1.6.3 3. Installing the Update
1.7 Virtuozzo Hybrid Infrastructure 4.5 Update 1 (4.5.1-23)
1.7.1 1. Overview
1.7.2 2. New Features
1.7.3 3. Bug Fixes
1.7.4 4. Installing the Update
1.8 Virtuozzo Hybrid Infrastructure 4.5 Hotfix 1 (4.5.0-289)
1.8.1 1. Overview
1.8.2 2. Bug Fixes
1.8.3 3. Installing the Update
1.9 Virtuozzo Hybrid Infrastructure 4.5 (4.5.0-284)
1.9.1 1. Overview
1.9.2 2. New Features
1.9.3 3. Important Notes
1.9.4 4. Bug Fixes
1.9.5 5. Known Issues
1.9.6 6. Installing the Update
1.10 [Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Infrastructure 4.0 Update 1.2 (4.0.1-49)
1.10.1 1. Overview
1.10.2 2. Bug Fixes
1.10.3 3. Installing the Update
1.11 Virtuozzo Hybrid Infrastructure 4.0 Update 1.1 (4.0.1-48)
1.11.1 1. Overview
1.11.2 2. Bug Fixes
1.11.3 3. Installing the Update
1.12 Product update: Virtuozzo Hybrid Infrastructure 4.0 Update 1
1.12.1 1. Overview
1.12.2 2. New Features
1.12.3 3. Bug Fixes
1.12.4 4. Installing the Update
1.13 Product release: Virtuozzo Hybrid Infrastructure 4.0 Hotfix 1 (4.0.0-741)
1.13.1 1. Overview
1.13.2 2. Bug Fixes
1.13.3 3. Installing the Update
1.14 Product release: Virtuozzo Hybrid Infrastructure 4.0 (4.0.0-734)
1.14.1 1. Overview
1.14.2 2. New Features
1.14.3 3. Bug Fixes
1.14.4 4. Known Issues
1.14.5 5. Installing the Update
1.15 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 5.1 (3.5.5-41)
1.15.1 1. Overview
1.15.2 2. Bug Fixes
1.15.3 3. Installing the Update
1.16 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 5 (3.5.5-26)
1.16.1 1. Overview
1.16.2 2. New Features
1.16.3 3. Bug Fixes
1.16.4 4. Installing the Update
1.17 Product release: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 3 (3.0.5-72)
1.17.1 1. Overview
1.17.2 2. Bug Fixes
1.17.3 3. Installing the Update
1.18 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 4 (3.5.4-24)
1.18.1 1. Overview
1.18.2 2. New Features
1.18.3 3. Bug Fixes
1.18.4 4. Installing the Update
1.19 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 3 Hotfix 2 (3.5.3-25)
1.19.1 1. Overview
1.19.2 2. Bug Fixes
1.19.3 3. Installing the Update
1.20 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 3 (3.5.3-18)
1.20.1 1. Overview
1.20.2 2. Bug Fixes
1.20.3 3. Installing the Update
1.21 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 Hotfix 2 (3.5.2-39)
1.21.1 1. Overview
1.21.2 2. Bug Fixes
1.21.3 3. Installing the Update
1.22 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 Hotfix 1 (3.5.2-35)
1.22.1 1. Overview
1.22.2 2. Bug Fixes
1.22.3 3. Installing the Update
1.23 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 (3.5.2-34)
1.23.1 1. Overview
1.23.2 2. New Features
1.23.3 3. Bug Fixes
1.23.4 4. Installing the Update
1.24 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 1 Hotfix 1 (3.5.1-45)
1.24.1 1. Overview
1.24.2 2. Bug Fixes
1.24.3 3. Installing the Update
1.25 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 1 (3.5.1-43)
1.25.1 1. Overview
1.25.2 2. New Features
1.25.3 3. Bug Fixes
1.25.4 4. Installing the Update
1.26 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 2 (3.0.5-69)
1.26.1 1. Overview
1.26.2 2. Bug Fixes
1.26.3 3. Installing the Update
1.27 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 1 (3.0.5-64)
1.27.1 1. Overview
1.27.2 2. Bug Fixes
1.27.3 3. Installing the Update
1.28 Product update: Virtuozzo Hybrid Infrastructure 3.5 Hotfix 1 (3.5.0-812)
1.28.1 1. Overview
1.28.2 2. Bug Fixes
1.28.3 3. Installing the Update
1.29 Product release: Virtuozzo Hybrid Infrastructure 3.5 (formerly Virtuozzo Infrastructure Platform 3.5)
1.29.1 1. Overview
1.29.2 2. New Features
1.29.3 3. Bug Fixes
1.29.4 4. Known Issues
1.29.5 5. Obtaining the Release
1.30 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 (3.0.5-62)
1.30.1 1. Overview
1.30.2 2. Bug Fixes
1.30.3 3. Installing the Update
1.31 Product update: Virtuozzo Infrastructure Platform 3.0 Update 4 (3.0.4-63)
1.31.1 1. Overview
1.31.2 2. Bug Fixes
1.31.3 3. Installing the Update
1.32 Product update: Virtuozzo Infrastructure Platform 3.0 Update 3.1 (3.0.3-27)
1.32.1 1. Overview
1.32.2 2. Bug Fixes
1.32.3 3. Installing the Update
1.33 Product update: Virtuozzo Infrastructure Platform 2.5 Update 12 (2.5.0-1703)
1.33.1 1. Overview
1.33.2 2. Bug Fixes
1.33.3 3. Installing the Update
1.34 Product update: Virtuozzo Infrastructure Platform 3.0 Update 3 (3.0.3-16)
1.34.1 1. Overview
1.34.2 2. Bug Fixes
1.34.3 3. Installing the Update
1.35 Product update: Virtuozzo Infrastructure Platform 2.5 Update 11 (2.5.0-1694)
1.35.1 1. Overview
1.35.2 2. Bug Fixes
1.35.3 3. Installing the Update
1.36 Product update: Virtuozzo Infrastructure Platform 3.0 Update 2 (3.0.2-46)
1.36.1 1. Overview
1.36.2 2. New Features
1.36.3 3. Bug Fixes
1.36.4 4. Installing the Update
1.37 Product update: Virtuozzo Infrastructure Platform 2.5 Update 10 (2.5.0-1691)
1.37.1 1. Overview
1.37.2 2. Bug Fixes
1.37.3 3. Installing the Update
1.38 Product update: Virtuozzo Infrastructure Platform 3.0 Update 1.1 (3.0.1-59)
1.38.1 1. Overview
1.38.2 2. Bug Fixes
1.38.3 3. Installing the Update
1.39 Product update: Virtuozzo Infrastructure Platform 3.0 Update 1 (3.0.1-55)
1.39.1 1. Overview
1.39.2 2. New Features
1.39.3 3. Bug Fixes
1.39.4 4. Installing the Update
1.40 Product update: Virtuozzo Infrastructure Platform 2.5 Update 9 (2.5.0-1682)
1.40.1 1. Overview
1.40.2 2. Bug Fixes
1.40.3 3. Installing the Update
1.41 Product release: Virtuozzo Infrastructure Platform 3.0
1.41.1 1. Overview
1.41.2 2. New Features
1.41.3 3. Bug Fixes
1.41.4 4. Known Issues
1.41.5 5. Installing the Update
1.42 Product update: Virtuozzo Infrastructure Platform 2.5 Update 8 (2.5.0-1680)
1.42.1 1. Overview
1.42.2 2. Bug Fixes
1.42.3 3. Installing the Update
1.43 Product update: Virtuozzo Infrastructure Platform 2.5 Update 7 (2.5.0-1650)
1.43.1 1. Overview
1.43.2 2. Security Fixes
1.43.3 3. Bug Fixes
1.43.4 4. Installing the Update
1.43.5 5. References
1.44 Product update: Virtuozzo Infrastructure Platform 2.5 Update 6 (2.5.0-1642)
1.44.1 1. Overview
1.44.2 2. Bug Fixes
1.44.3 3. Installing the Update
1.45 Product update: Virtuozzo Infrastructure Platform 2.5 Update 5 (2.5.0-1639)
1.45.1 1. Overview
1.45.2 2. New Features
1.45.3 3. Bug Fixes
1.45.4 4. Installing the Update
1.46 Product update: Virtuozzo Infrastructure Platform 2.5 Update 4 (2.5.0-1617)
1.46.1 1. Overview
1.46.2 2. Bug Fixes
1.46.3 3. Installing the Update
1.47 Product update: Virtuozzo Infrastructure Platform 2.5 Update 3 (2.5.0-1605)
1.47.1 1. Overview
1.47.2 2. Bug Fixes
1.47.3 3. Installing the Update
1.48 Product update: Virtuozzo Infrastructure Platform 2.5 Update 2 (2.5.0-1600)
1.48.1 1. Overview
1.48.2 2. Bug Fixes
1.48.3 3. Installing the Update
1.49 Product update: Virtuozzo Infrastructure Platform 2.5 Update 1 (2.5.0-1599)
1.49.1 1. Overview
1.49.2 2. Bug Fixes
1.49.3 3. Installing the Update
1.50 Product release: Virtuozzo Infrastructure Platform 2.5
1.50.1 1. Overview
1.50.2 2. New Features
1.50.3 3. Bug Fixes
1.50.4 4. Known Issues
1.51 Kernel security update: Virtuozzo ReadyKernel 70.0 for Virtuozzo Infrastructure Platform 2.5
1.51.1 1. Overview
1.51.2 2. Security Fixes
1.51.3 3. Bug Fixes
1.51.4 4. Installing the Update
1.51.5 5. References

2. Virtuozzo Hybrid Server ...... 72

vii 2.1 [Important] [Security] Virtuozzo ReadyKernel patch 130.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5, 4.6 ...... 72 2.1.1 1. Overview ...... 72 2.1.2 2. Security Fixes ...... 73 2.1.3 3. Installing the Update ...... 73 2.1.4 4. References ...... 73 2.2 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 4 (7.5.1-739) ...... 73 2.2.1 1. Overview ...... 74 2.2.2 2. Bug Fixes ...... 74 2.2.3 3. Installing the Update ...... 74 2.3 Virtuozzo ReadyKernel patch 129.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5, 4.6 ...... 74 2.3.1 1. Overview ...... 75 2.3.2 2. Bug Fixes ...... 75 2.3.3 3. Installing the Update ...... 75 2.3.4 4. References ...... 75 2.4 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 3 (7.5.1-737) ...... 76 2.4.1 1. Overview ...... 76 2.4.2 2. Bug Fixes ...... 76 2.4.3 3. Installing the Update ...... 76 2.5 Virtuozzo ReadyKernel patch 128.1 for Virtuozzo Hybrid Server 7.5 ...... 76 2.5.1 1. Overview ...... 77 2.5.2 2. Bug Fixes ...... 77 2.5.3 3. Installing the Update ...... 77 2.5.4 4. References ...... 77 2.6 Virtuozzo ReadyKernel patch 128.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5 ...... 78 2.6.1 1. Overview ...... 78 2.6.2 2. Bug Fixes ...... 78 2.6.3 3. Installing the Update ...... 78 2.6.4 4. References ...... 79 2.7 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 2 (7.5.1-736) ...... 79 2.7.1 1. Overview ...... 79 2.7.2 2. Bug Fixes ...... 79 2.7.3 3. Installing the Update ...... 80

viii 2.8 [Security] Virtuozzo ReadyKernel patch 127.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5 ...... 80 2.8.1 1. Overview ...... 80 2.8.2 2. Security Fixes ...... 80 2.8.3 3. Bug Fixes ...... 81 2.8.4 4. Installing the Update ...... 81 2.8.5 5. References ...... 81 2.9 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 1 (7.5.1-734) ...... 81 2.9.1 1. Overview ...... 82 2.9.2 2. New Features ...... 82 2.9.3 3. Bug Fixes ...... 82 2.9.4 4. Installing the Update ...... 82 2.10 Virtuozzo Hybrid Server 7.5 Update 1 (7.5.1-730) ...... 82 2.10.1 1. Overview ...... 83 2.10.2 2. New Features ...... 83 2.10.3 3. Bug Fixes ...... 84 2.10.4 4. Installing the Update ...... 84 2.11 [Security] Virtuozzo ReadyKernel patch 126.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5 ...... 85 2.11.1 1. Overview ...... 85 2.11.2 2. Security Fixes ...... 85 2.11.3 3. Bug Fixes ...... 85 2.11.4 4. Installing the Update ...... 86 2.11.5 5. References ...... 86 2.12 [Important] [Security] Virtuozzo ReadyKernel patch 125.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 86 2.12.1 1. Overview ...... 87 2.12.2 2. Security Fixes ...... 87 2.12.3 3. Installing the Update ...... 87 2.12.4 4. References ...... 87 2.13 Virtuozzo ReadyKernel patch 124.1 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastruc- ture Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 88 2.13.1 1. Overview ...... 88 2.13.2 2. Installing the Update ...... 89 2.13.3 3. References ...... 89

ix 2.14 [Security] Virtuozzo ReadyKernel patch 124.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 90 2.14.1 1. Overview ...... 90 2.14.2 2. Security Fixes ...... 90 2.14.3 3. Bug Fixes ...... 91 2.14.4 4. Installing the Update ...... 91 2.14.5 5. References ...... 91 2.15 Virtuozzo ReadyKernel patch 123.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastruc- ture Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 92 2.15.1 1. Overview ...... 92 2.15.2 2. Bug Fixes ...... 92 2.15.3 3. Installing the Update ...... 92 2.15.4 4. References ...... 93 2.16 Virtuozzo Hybrid Server 7.5 Hotfix 3 (7.5.0-610) ...... 93 2.16.1 1. Overview ...... 93 2.16.2 2. Bug Fixes ...... 93 2.16.3 3. Installing the Update ...... 94 2.17 Virtuozzo Hybrid Server 7.5 Hotfix 2 (7.5.0-605) ...... 94 2.17.1 1. Overview ...... 94 2.17.2 2. New Features ...... 94 2.17.3 3. Bug Fixes ...... 94 2.17.4 4. Installing the Update ...... 95 2.18 [Important] [Security] Virtuozzo ReadyKernel patch 122.0 for Virtuozzo Hybrid Server 7.0, Vir- tuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 95 2.18.1 1. Overview ...... 95 2.18.2 2. Security Fixes ...... 96 2.18.3 3. Installing the Update ...... 96 2.18.4 4. References ...... 96 2.19 [Important] [Security] Virtuozzo ReadyKernel patch 122.0 for Virtuozzo Hybrid Server 7.5 ... 97 2.19.1 1. Overview ...... 97 2.19.2 2. Security Fixes ...... 97 2.19.3 3. Bug Fixes ...... 97 2.19.4 4. Installing the Update ...... 98 2.19.5 5. References ...... 98

x 2.20 [Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Server 7.x and Virtuozzo 6 ...... 98 2.20.1 1. Overview ...... 98 2.20.2 2. Security Fixes ...... 98 2.20.3 3. Installing the Update ...... 99 2.20.4 4. References ...... 99 2.21 Kernel update: Virtuozzo ReadyKernel patch 121.5 for Virtuozzo Hybrid Server 7.5 ...... 99 2.21.1 1. Overview ...... 99 2.21.2 2. Bug Fixes ...... 100 2.21.3 3. Installing the Update ...... 100 2.21.4 4. References ...... 100 2.22 Kernel security update: Virtuozzo ReadyKernel patch 121.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ..... 100 2.22.1 1. Overview ...... 101 2.22.2 2. Security Fixes ...... 101 2.22.3 3. Installing the Update ...... 101 2.22.4 4. References ...... 101 2.23 Product update: Virtuozzo Hybrid Server 7.5 Hotfix 1 (7.5.0-589) ...... 102 2.23.1 1. Overview ...... 102 2.23.2 2. Bug Fixes ...... 102 2.23.3 3. Installing the Update ...... 102 2.24 Kernel update: Virtuozzo ReadyKernel patch 120.0 for Virtuozzo Hybrid Server 7.0 and Vir- tuozzo Hybrid Infrastructure 3.5, 4.0 ...... 102 2.24.1 1. Overview ...... 103 2.24.2 2. Bug Fixes ...... 103 2.24.3 3. Installing the Update ...... 103 2.24.4 4. References ...... 103 2.25 Kernel update: Virtuozzo ReadyKernel patch 119.5 for Virtuozzo Hybrid Server 7.5 ...... 103 2.25.1 1. Overview ...... 104 2.25.2 2. Bug Fixes ...... 104 2.25.3 3. Installing the Update ...... 104 2.25.4 4. References ...... 104 2.26 Product update: Virtuozzo Hybrid Server 7.5 (7.5.0-586) ...... 104 2.26.1 1. Overview ...... 105 2.26.2 2. Security Fixes ...... 105

xi 2.26.3 3. New Features ...... 105 2.26.4 4. Bug Fixes ...... 107 2.26.5 5. Installing the Update ...... 108 2.27 Kernel update: Virtuozzo ReadyKernel patch 119.5 for Virtuozzo Hybrid Server 7.0 and Vir- tuozzo Hybrid Infrastructure 4.0 ...... 108 2.27.1 1. Overview ...... 108 2.27.2 2. Bug Fixes ...... 108 2.27.3 3. Installing the Update ...... 109 2.27.4 4. References ...... 109 2.28 Kernel update: Virtuozzo ReadyKernel patch 119.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5 ...... 109 2.28.1 1. Overview ...... 109 2.28.2 2. Bug Fixes ...... 110 2.28.3 3. Installing the Update ...... 110 2.28.4 4. References ...... 110 2.29 Kernel update: Virtuozzo ReadyKernel patch 118.1 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 ...... 110 2.29.1 1. Overview ...... 111 2.29.2 2. Bug Fixes ...... 111 2.29.3 3. Installing the Update ...... 111 2.29.4 4. References ...... 111 2.30 Important kernel security update: Virtuozzo ReadyKernel patch 117.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0 112 2.30.1 1. Overview ...... 112 2.30.2 2. Security Fixes ...... 112 2.30.3 3. Bug Fixes ...... 113 2.30.4 4. Installing the Update ...... 113 2.30.5 5. References ...... 114 2.31 Kernel security update: Virtuozzo ReadyKernel patch 116.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5 ...... 114 2.31.1 1. Overview ...... 115 2.31.2 2. Security Fixes ...... 115 2.31.3 3. Installing the Update ...... 115 2.31.4 4. References ...... 115

xii 2.32 Kernel security update: Virtuozzo ReadyKernel patch 115.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5 ...... 116 2.32.1 1. Overview ...... 116 2.32.2 2. Security Fixes ...... 117 2.32.3 3. Bug Fixes ...... 117 2.32.4 4. Installing the Update ...... 117 2.32.5 5. References ...... 117 2.33 Kernel update: Virtuozzo ReadyKernel patch 114.2 for Virtuozzo Hybrid Server 7.0 ...... 118 2.33.1 1. Overview ...... 118 2.33.2 2. Bug Fixes ...... 118 2.33.3 3. Installing the Update ...... 119 2.33.4 4. References ...... 119 2.34 Product update: Virtuozzo Hybrid Server 7.0 Update 14 Hotfix 2 (7.0.14-258) ...... 119 2.34.1 1. Overview ...... 119 2.34.2 2. Security Fixes ...... 119 2.34.3 3. Bug Fixes ...... 120 2.34.4 4. Installing the Update ...... 120 2.34.5 5. References ...... 120 2.35 Kernel security update: Virtuozzo ReadyKernel patch 113.10 for Virtuozzo Hybrid Server 7.0 . 121 2.35.1 1. Overview ...... 121 2.35.2 2. Security Fixes ...... 121 2.35.3 3. Bug Fixes ...... 121 2.35.4 4. Installing the Update ...... 122 2.35.5 5. References ...... 122 2.36 Kernel security update: Virtuozzo ReadyKernel patch 113.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 122 2.36.1 1. Overview ...... 122 2.36.2 2. Security Fixes ...... 123 2.36.3 3. Bug Fixes ...... 123 2.36.4 4. Installing the Update ...... 123 2.36.5 5. References ...... 123 2.37 Product update: Virtuozzo 6.0 Update 12 Hotfix 53 (6.0.12-3760) ...... 124 2.37.1 1. Overview ...... 124 2.37.2 2. Bug Fixes ...... 124 2.37.3 3. Installing the Update ...... 124

xiii 2.38 Kernel update: Virtuozzo ReadyKernel patch 112.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5 ...... 124 2.38.1 1. Overview ...... 125 2.38.2 2. Bug Fixes ...... 125 2.38.3 3. Installing the Update ...... 125 2.38.4 4. References ...... 125 2.39 Kernel update: Virtuozzo ReadyKernel patch 111.0 for Virtuozzo Hybrid Server 7.0 ...... 126 2.39.1 1. Overview ...... 126 2.39.2 2. Bug Fixes ...... 126 2.39.3 3. Installing the Update ...... 126 2.39.4 4. References ...... 126 2.40 Product update: Virtuozzo Hybrid Server 7.0 Update 14 Hotfix 1 (7.0.14-257) ...... 127 2.40.1 1. Overview ...... 127 2.40.2 2. Bug Fixes ...... 127 2.40.3 3. Installing the Update ...... 127 2.41 Important kernel security update: Virtuozzo ReadyKernel patch 110.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, Virtuozzo Hybrid Infrastructure 3.5 ... 128 2.41.1 1. Overview ...... 128 2.41.2 2. Security Fixes ...... 128 2.41.3 3. Bug Fixes ...... 129 2.41.4 4. Installing the Update ...... 129 2.41.5 5. References ...... 129 2.42 Kernel security update: Virtuozzo ReadyKernel patch 109.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5 ...... 130 2.42.1 1. Overview ...... 130 2.42.2 2. Security Fixes ...... 130 2.42.3 3. Bug Fixes ...... 131 2.42.4 4. Installing the Update ...... 131 2.42.5 5. References ...... 131 2.43 Important kernel security update: New kernel 2.6.32-042stab145.3; Virtuozzo 6.0 Update 12 Hotfix 52 (6.0.12-3759) ...... 132 2.43.1 1. Overview ...... 132 2.43.2 2. Security Fixes ...... 132 2.43.3 3. Bug Fixes ...... 132 2.43.4 4. Installing the Update ...... 132

xiv 2.43.5 5. References ...... 133 2.44 Important kernel security update: New kernel 2.6.32-042stab145.3 for Virtuozzo Containers for 4.7, Server Bare Metal 5.0 ...... 133 2.44.1 1. Overview ...... 133 2.44.2 2. Security Fixes ...... 134 2.44.3 3. Bug Fixes ...... 134 2.44.4 4. Installing the Update ...... 134 2.44.5 5. References ...... 134 2.45 Product update: Virtuozzo Hybrid Server 7.0 Update 14 (7.0.14-249) ...... 134 2.45.1 1. Overview ...... 135 2.45.2 2. New Features ...... 135 2.45.3 3. Bug Fixes ...... 135 2.45.4 4. Installing the Update ...... 136 2.46 Kernel update: Virtuozzo ReadyKernel patch 108.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, Virtuozzo Hybrid Infrastructure 3.5 ...... 136 2.46.1 1. Overview ...... 136 2.46.2 2. Bug Fixes ...... 137 2.46.3 3. Installing the Update ...... 137 2.46.4 4. References ...... 137 2.47 Kernel update: Virtuozzo ReadyKernel patch 107.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 138 2.47.1 1. Overview ...... 138 2.47.2 2. Bug Fixes ...... 138 2.47.3 3. Installing the Update ...... 139 2.47.4 4. References ...... 139 2.48 Kernel security update: Virtuozzo ReadyKernel patch 106.0 for Virtuozzo 7.0, Virtuozzo Infras- tructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 139 2.48.1 1. Overview ...... 140 2.48.2 2. Security Fixes ...... 140 2.48.3 3. Bug Fixes ...... 140 2.48.4 4. Installing the Update ...... 140 2.48.5 5. References ...... 140 2.49 Important kernel security update: New kernel 2.6.32-042stab144.1; Virtuozzo 6.0 Update 12 Hotfix 51 (6.0.12-3757) ...... 141 2.49.1 1. Overview ...... 141

xv 2.49.2 2. Security Fixes ...... 141 2.49.3 3. Bug Fixes ...... 142 2.49.4 4. Installing the Update ...... 142 2.49.5 5. References ...... 142 2.50 Important kernel security update: New kernel 2.6.32-042stab144.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 ...... 143 2.50.1 1. Overview ...... 143 2.50.2 2. Security Fixes ...... 143 2.50.3 3. Bug Fixes ...... 144 2.50.4 4. Installing the Update ...... 144 2.50.5 5. References ...... 144 2.51 Kernel update: Virtuozzo ReadyKernel patch 105.1 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 145 2.51.1 1. Overview ...... 145 2.51.2 2. Bug Fixes ...... 146 2.51.3 3. Installing the Update ...... 146 2.51.4 4. References ...... 146 2.52 Kernel update: Virtuozzo ReadyKernel patch 104.1 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 147 2.52.1 1. Overview ...... 147 2.52.2 2. Bug Fixes ...... 147 2.52.3 3. Installing the Update ...... 148 2.52.4 4. References ...... 148 2.53 Product update: Virtuozzo 7.0 Update 13 Hotfix 3 (7.0.13-306) ...... 148 2.53.1 1. Overview ...... 148 2.53.2 2. Bug Fixes ...... 149 2.53.3 3. Installing the Update ...... 149 2.54 Product update: Virtuozzo 7.0 Update 13 Hotfix 2 (7.0.13-305) ...... 149 2.54.1 1. Overview ...... 149 2.54.2 2. Bug Fixes ...... 149 2.54.3 3. Installing the Update ...... 150 2.55 Kernel update: Virtuozzo ReadyKernel patch 103.0 for Virtuozzo 7.0 and Virtuozzo Hybrid In- frastructure 3.5 ...... 150 2.55.1 1. Overview ...... 150 2.55.2 2. Bug Fixes ...... 150

xvi 2.55.3 3. Installing the Update ...... 151 2.55.4 4. References ...... 151 2.56 Kernel update: Virtuozzo ReadyKernel patch 102.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 151 2.56.1 1. Overview ...... 151 2.56.2 2. Bug Fixes ...... 152 2.56.3 3. Installing the Update ...... 152 2.56.4 4. References ...... 152 2.57 Product update: Virtuozzo 7.0 Update 13 Hotfix 1 (7.0.13-302) ...... 153 2.57.1 1. Overview ...... 153 2.57.2 2. Bug Fixes ...... 153 2.57.3 3. Installing the Update ...... 153 2.58 Product update: Virtuozzo 7.0 Update 13 (7.0.13-298) ...... 154 2.58.1 1. Overview ...... 154 2.58.2 2. New Features ...... 154 2.58.3 3. Bug Fixes ...... 154 2.58.4 4. Installing the Update ...... 155 2.59 Kernel update: Virtuozzo ReadyKernel patch 101.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 2.5, 3.0 ...... 156 2.59.1 1. Overview ...... 156 2.59.2 2. Bug Fixes ...... 156 2.59.3 3. Installing the Update ...... 156 2.59.4 4. References ...... 156 2.60 Kernel update: Virtuozzo ReadyKernel patch 100.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 157 2.60.1 1. Overview ...... 157 2.60.2 2. Bug Fixes ...... 157 2.60.3 3. Installing the Update ...... 158 2.60.4 4. References ...... 158 2.61 Kernel security update: Virtuozzo ReadyKernel patch 98.0 for Virtuozzo 7.0, Virtuozzo Infras- tructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 158 2.61.1 1. Overview ...... 158 2.61.2 2. Security Fixes ...... 159 2.61.3 3. Bug Fixes ...... 159 2.61.4 4. Installing the Update ...... 159

xvii 2.61.5 5. References ...... 159 2.62 Product update: Virtuozzo 7.0 Update 12 Hotfix 3 (7.0.12-361) ...... 160 2.62.1 1. Overview ...... 160 2.62.2 2. Bug Fixes ...... 160 2.62.3 3. Installing the Update ...... 160 2.63 Important kernel security update: Virtuozzo ReadyKernel patch 97.0 for Virtuozzo 7.0, Vir- tuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 161 2.63.1 1. Overview ...... 161 2.63.2 2. Security Fixes ...... 161 2.63.3 3. Bug Fixes ...... 162 2.63.4 4. Installing the Update ...... 162 2.63.5 5. References ...... 162 2.64 Product update: Virtuozzo 7.0 Update 12 Hotfix 2 (7.0.12-354) ...... 163 2.64.1 1. Overview ...... 163 2.64.2 2. Bug Fixes ...... 163 2.64.3 3. Installing the Update ...... 163 2.65 Important kernel security update: New kernel 2.6.32-042stab142.1; Virtuozzo 6.0 Update 12 Hotfix 50 (6.0.12-3755) ...... 163 2.65.1 1. Overview ...... 164 2.65.2 2. Security Fixes ...... 164 2.65.3 3. Bug Fixes ...... 164 2.65.4 4. Installing the Update ...... 164 2.66 Important kernel security update: New kernel 2.6.32-042stab142.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 ...... 165 2.66.1 1. Overview ...... 165 2.66.2 2. Security Fixes ...... 165 2.66.3 3. Bug Fixes ...... 165 2.66.4 4. Installing the Update ...... 165 2.67 Kernel update: Virtuozzo ReadyKernel patch 96.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 3.0 and Virtuozzo Hybrid Infrastructure 3.5 ...... 166 2.67.1 1. Overview ...... 166 2.67.2 2. Bug Fixes ...... 166 2.67.3 3. Installing the Update ...... 167 2.67.4 4. References ...... 167

xviii 2.68 Kernel update: Virtuozzo ReadyKernel patch 95.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 2.5 ...... 167 2.68.1 1. Overview ...... 167 2.68.2 2. Bug Fixes ...... 167 2.68.3 3. Installing the Update ...... 168 2.68.4 4. References ...... 168 2.69 Kernel update: Virtuozzo ReadyKernel patch 95.1 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 3.0 ...... 168 2.69.1 1. Overview ...... 168 2.69.2 2. Bug Fixes ...... 168 2.69.3 3. Installing the Update ...... 169 2.69.4 4. References ...... 169 2.70 Kernel update: Virtuozzo ReadyKernel patch 95.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 2.5 ...... 169 2.70.1 1. Overview ...... 170 2.70.2 2. Bug Fixes ...... 170 2.70.3 3. Installing the Update ...... 170 2.70.4 4. References ...... 170 2.71 Kernel update: Virtuozzo ReadyKernel patch 94.2 for Virtuozzo 7.0 ...... 171 2.71.1 1. Overview ...... 171 2.71.2 2. Bug Fixes ...... 171 2.71.3 3. Installing the Update ...... 171 2.71.4 4. References ...... 171 2.72 Kernel update: Virtuozzo ReadyKernel patch 94.1 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 2.5, 3.0 ...... 172 2.72.1 1. Overview ...... 172 2.72.2 2. Bug Fixes ...... 172 2.72.3 3. Installing the Update ...... 172 2.72.4 4. References ...... 172 2.73 Kernel update: Virtuozzo ReadyKernel patch 94.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 3.0 ...... 173 2.73.1 1. Overview ...... 173 2.73.2 2. Bug Fixes ...... 173 2.73.3 3. Installing the Update ...... 174 2.73.4 4. References ...... 174

xix 2.74 Product update: Virtuozzo 7.0 Update 12 Hotfix 1 (7.0.12-338) ...... 174 2.74.1 1. Overview ...... 174 2.74.2 2. Bug Fixes ...... 175 2.74.3 3. Installing the Update ...... 175 2.75 Kernel update: Virtuozzo ReadyKernel patch 93.0 for Virtuozzo 7.0 ...... 175 2.75.1 1. Overview ...... 175 2.75.2 2. Bug Fixes ...... 175 2.75.3 3. Installing the Update ...... 176 2.75.4 4. References ...... 176 2.76 Important product security update: Virtuozzo 6.0 Update 12 Hotfix 49 (6.0.12-3754) ...... 176 2.76.1 1. Overview ...... 176 2.76.2 2. Security Fixes ...... 176 2.76.3 3. Bug Fixes ...... 177 2.76.4 4. Installing the Update ...... 177 2.77 Product update: Virtuozzo 7.0 Update 12 (7.0.12-328) ...... 177 2.77.1 1. Overview ...... 177 2.77.2 2. New Features ...... 177 2.77.3 3. Bug Fixes ...... 178 2.77.4 4. Installing the Update ...... 178 2.78 Kernel update: Virtuozzo ReadyKernel patch 92.0 for Virtuozzo 7.0 and Virtuozzo Infrastruc- ture Platform 2.5, 3.0 ...... 179 2.78.1 1. Overview ...... 179 2.78.2 2. Bug Fixes ...... 179 2.78.3 3. Installing the Update ...... 180 2.78.4 4. References ...... 180 2.79 Important kernel security update: New kernel 2.6.32-042stab141.3; Virtuozzo 6.0 Update 12 Hotfix 48 (6.0.12-3753) ...... 180 2.79.1 1. Overview ...... 181 2.79.2 2. Security Fixes ...... 181 2.79.3 3. Installing the Update ...... 181 2.80 Important kernel security update: New kernel 2.6.32-042stab141.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 ...... 181 2.80.1 1. Overview ...... 182 2.80.2 2. Security Fixes ...... 182 2.80.3 3. Installing the Update ...... 182

2.81 Important kernel security update: Virtuozzo ReadyKernel patch 91.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
2.81.1 1. Overview
2.81.2 2. Security Fixes
2.81.3 3. Installing the Update
2.81.4 4. References
2.82 Important kernel security update: Virtuozzo ReadyKernel patch 90.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
2.82.1 1. Overview
2.82.2 2. Security Fixes
2.82.3 3. Installing the Update
2.82.4 4. References
2.83 Product update: Virtuozzo 6.0 Update 12 Hotfix 47 (6.0.12-3751)
2.83.1 1. Overview
2.83.2 2. Bug Fixes
2.83.3 3. Installing the Update
2.84 Important kernel security update: Virtuozzo ReadyKernel patch 89.2 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
2.84.1 1. Overview
2.84.2 2. Security Fixes
2.84.3 3. Bug Fixes
2.84.4 4. Installing the Update
2.84.5 5. References
2.85 Kernel update: New kernel 2.6.32-042stab140.4; Virtuozzo 6.0 Update 12 Hotfix 46 (6.0.12-3750)
2.85.1 1. Overview
2.85.2 2. Bug Fixes
2.85.3 3. Installing the Update
2.86 Kernel update: New kernel 2.6.32-042stab140.4 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.86.1 1. Overview
2.86.2 2. Bug Fixes
2.86.3 3. Installing the Update
2.87 Kernel security update: Virtuozzo ReadyKernel patch 88.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
2.87.1 1. Overview

2.87.2 2. Security Fixes
2.87.3 3. Bug Fixes
2.87.4 4. Installing the Update
2.87.5 5. References
2.88 Product update: Virtuozzo 7.0 Update 11 Hotfix 2 (7.0.11-304)
2.88.1 1. Overview
2.88.2 2. Bug Fixes
2.88.3 3. Installing the Update
2.89 Kernel security update: Virtuozzo ReadyKernel patch 88.0 for Virtuozzo 7.0.7
2.89.1 1. Overview
2.89.2 2. Security Fixes
2.89.3 3. Bug Fixes
2.89.4 4. Installing the Update
2.89.5 5. References
2.90 Important kernel security update: Virtuozzo ReadyKernel patch 87.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0
2.90.1 1. Overview
2.90.2 2. Security Fixes
2.90.3 3. Installing the Update
2.90.4 4. References
2.91 Kernel update: Virtuozzo ReadyKernel patch 86.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0
2.91.1 1. Overview
2.91.2 2. Bug Fixes
2.91.3 3. Installing the Update
2.91.4 4. References
2.92 Kernel update: Virtuozzo ReadyKernel patch 85.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0
2.92.1 1. Overview
2.92.2 2. Bug Fixes
2.92.3 3. Installing the Update
2.92.4 4. References
2.93 Important kernel security update: Virtuozzo ReadyKernel patch 85.0 for Virtuozzo 7.0.7 to 7.0.10 HF1 and Virtuozzo Infrastructure Platform 2.5
2.93.1 1. Overview

2.93.2 2. Security Fixes
2.93.3 3. Bug Fixes
2.93.4 4. Installing the Update
2.93.5 5. References
2.94 Important kernel security update: New kernel 2.6.32-042stab140.1; Virtuozzo 6.0 Update 12 Hotfix 45 (6.0.12-3747)
2.94.1 1. Overview
2.94.2 2. Security Fixes
2.94.3 3. Bug Fixes
2.94.4 4. Installing the Update
2.94.5 5. References
2.95 Important kernel security update: New kernel 2.6.32-042stab140.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.95.1 1. Overview
2.95.2 2. Security Fixes
2.95.3 3. Bug Fixes
2.95.4 4. Installing the Update
2.95.5 5. References
2.96 Product update: Virtuozzo 7.0 Update 11 Hotfix 1 (7.0.11-303)
2.96.1 1. Overview
2.96.2 2. New Features
2.96.3 3. Installing the Update
2.97 Kernel security update: Virtuozzo ReadyKernel patch 85.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0
2.97.1 1. Overview
2.97.2 2. Security Fixes
2.97.3 3. Bug Fixes
2.97.4 4. Installing the Update
2.97.5 5. References
2.98 Product update: Virtuozzo 6.0 Update 12 Hotfix 44 (6.0.12-3746)
2.98.1 1. Overview
2.98.2 2. Security Fixes
2.98.3 3. Installing the Update
2.99 Kernel update: Virtuozzo ReadyKernel patch 84.1 for Virtuozzo 7.0.11
2.99.1 1. Overview

2.99.2 2. Bug Fixes
2.99.3 3. Installing the Update
2.99.4 4. References
2.100 Product update: Virtuozzo 7.0 Update 11 (7.0.11-293)
2.100.1 1. Overview
2.100.2 2. New Features
2.100.3 3. Bug Fixes
2.100.4 4. Installing the Update
2.101 Kernel update: Virtuozzo ReadyKernel patch 84.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform kernels
2.101.1 1. Overview
2.101.2 2. Bug Fixes
2.101.3 3. Installing the Update
2.101.4 4. References
2.102 Kernel update: Virtuozzo ReadyKernel patch 83.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform kernels
2.102.1 1. Overview
2.102.2 2. Bug Fixes
2.102.3 3. Installing the Update
2.102.4 4. References
2.103 Kernel update: Virtuozzo ReadyKernel patch 82.2 for Virtuozzo 7.0.8 HF1 and 7.0.10 HF1
2.103.1 1. Overview
2.103.2 2. Bug Fixes
2.103.3 3. Installing the Update
2.103.4 4. References
2.104 Important kernel security update: New kernel 2.6.32-042stab139.1; Virtuozzo 6.0 Update 12 Hotfix 43 (6.0.12-3743)
2.104.1 1. Overview
2.104.2 2. Security Fixes
2.104.3 3. Installing the Update
2.104.4 4. References
2.105 Important kernel security update: New kernel 2.6.32-042stab139.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.105.1 1. Overview
2.105.2 2. Security Fixes

2.105.3 3. Installing the Update
2.105.4 4. References
2.106 Important kernel security update: Virtuozzo ReadyKernel patch 82.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5 kernels
2.106.1 1. Overview
2.106.2 2. Security Fixes
2.106.3 3. Installing the Update
2.106.4 4. References
2.107 Kernel update: Virtuozzo ReadyKernel patch 81.0 for Virtuozzo 7.0.9 to 7.0.10 HF1 as well as Virtuozzo Infrastructure Platform 2.5
2.107.1 1. Overview
2.107.2 2. Bug Fixes
2.107.3 3. Installing the Update
2.107.4 4. References
2.108 Virtuozzo ReadyKernel patch 81.0 for Virtuozzo 7.0.6 HF3 to 7.0.9 as well as Virtuozzo Infrastructure Platform 2.5
2.108.1 1. Overview
2.108.2 2. Bug Fixes
2.108.3 3. Installing the Update
2.108.4 4. References
2.109 Product update: Virtuozzo 6.0 Update 12 Hotfix 42 (6.0.12-3742)
2.109.1 1. Overview
2.109.2 2. Bug Fixes
2.109.3 3. Installing the Update
2.110 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.7 to 7.0.8
2.110.1 1. Overview
2.110.2 2. Security Fixes
2.110.3 3. Bug Fixes
2.110.4 4. Installing the Update
2.110.5 5. References
2.111 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.6 and 7.0.6 HF3
2.111.1 1. Overview
2.111.2 2. Security Fixes
2.111.3 3. Bug Fixes

2.111.4 4. Installing the Update
2.111.5 5. References
2.112 Kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 10 HF1
2.112.1 1. Overview
2.112.2 2. Security Fixes
2.112.3 3. Bug Fixes
2.112.4 4. Installing the Update
2.112.5 5. References
2.113 Kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 10
2.113.1 1. Overview
2.113.2 2. Security Fixes
2.113.3 3. Bug Fixes
2.113.4 4. Installing the Update
2.113.5 5. References
2.114 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5
2.114.1 1. Overview
2.114.2 2. Security Fixes
2.114.3 3. Bug Fixes
2.114.4 4. Installing the Update
2.114.5 5. References
2.115 Product update: Virtuozzo 6.0 Update 12 Hotfix 41 (6.0.12-3741)
2.115.1 1. Overview
2.115.2 2. Security Fixes
2.115.3 3. Bug Fixes
2.115.4 4. Installing the Update
2.115.5 5. References
2.116 Product update: Virtuozzo 7.0 Update 10 Hotfix 1 (7.0.10-320)
2.116.1 1. Overview
2.116.2 2. Security Fixes
2.116.3 3. Bug Fixes
2.116.4 4. Installing the Update
2.116.5 5. References
2.117 Kernel update: Virtuozzo ReadyKernel patch 79.0 for Virtuozzo 7.0 Update 10
2.117.1 1. Overview

2.117.2 2. Bug Fixes
2.117.3 3. Installing the Update
2.117.4 4. References
2.118 Important kernel security update: New kernel 2.6.32-042stab138.1; Virtuozzo 6.0 Update 12 Hotfix 40 (6.0.12-3739)
2.118.1 1. Overview
2.118.2 2. Security Fixes
2.118.3 3. Installing the Update
2.118.4 4. References
2.119 Important kernel security update: New kernel 2.6.32-042stab138.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.119.1 1. Overview
2.119.2 2. Security Fixes
2.119.3 3. Installing the Update
2.119.4 4. References
2.120 Kernel update: Virtuozzo ReadyKernel patch 78.0 for Virtuozzo 7.0 Updates 9, 10 and Virtuozzo Infrastructure Platform 2.5
2.120.1 1. Overview
2.120.2 2. Bug Fixes
2.120.3 3. Installing the Update
2.120.4 4. References
2.121 Important kernel security update: New kernel 2.6.32-042stab137.1; Virtuozzo 6.0 Update 12 Hotfix 39 (6.0.12-3738)
2.121.1 1. Overview
2.121.2 2. Security Fixes
2.121.3 3. Bug Fixes
2.121.4 4. Installing the Update
2.121.5 5. References
2.122 Important kernel security update: New kernel 2.6.32-042stab137.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.122.1 1. Overview
2.122.2 2. Security Fixes
2.122.3 3. Bug Fixes
2.122.4 4. Installing the Update
2.122.5 5. References

2.123 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0.7 HF2 to 7.0.8 HF1
2.123.1 1. Overview
2.123.2 2. Bug Fixes
2.123.3 3. Installing the Update
2.123.4 4. References
2.124 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0.7
2.124.1 1. Overview
2.124.2 2. Bug Fixes
2.124.3 3. Installing the Update
2.124.4 4. References
2.125 Kernel update: Virtuozzo ReadyKernel patch 77.0 for Virtuozzo 7.0.6 and 7.0.6 HF3
2.125.1 1. Overview
2.125.2 2. Bug Fixes
2.125.3 3. Installing the Update
2.125.4 4. References
2.126 Product update: Virtuozzo 7.0 Update 10 (7.0.10-315)
2.126.1 1. Overview
2.126.2 2. New Features
2.126.3 3. Bug Fixes
2.126.4 4. Installing the Update
2.127 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5
2.127.1 1. Overview
2.127.2 2. Bug Fixes
2.127.3 3. Installing the Update
2.127.4 4. References
2.128 Kernel update: Virtuozzo ReadyKernel patch 76.0 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5
2.128.1 1. Overview
2.128.2 2. Bug Fixes
2.128.3 3. Installing the Update
2.128.4 4. References
2.129 Kernel update: Virtuozzo ReadyKernel patch 75.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5
2.129.1 1. Overview

2.129.2 2. Bug Fixes
2.129.3 3. Installing the Update
2.129.4 4. References
2.130 Product update: Virtuozzo 7.0 Update 9 Hotfix 2 (7.0.9-547)
2.130.1 1. Overview
2.130.2 2. Bug Fixes
2.130.3 3. Installing the Update
2.131 Product update: Virtuozzo 6.0 Update 12 Hotfix 38 (6.0.12-3737)
2.131.1 1. Overview
2.131.2 2. Bug Fixes
2.131.3 3. Installing the Update
2.132 Kernel update: Virtuozzo ReadyKernel patch 74.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5
2.132.1 1. Overview
2.132.2 2. Bug Fixes
2.132.3 3. Installing the Update
2.132.4 4. References
2.133 Product update: Virtuozzo 7.0 Update 9 Hotfix 1 (7.0.9-539)
2.133.1 1. Overview
2.133.2 2. Bug Fixes
2.133.3 3. Installing the Update
2.134 Product update: Virtuozzo 7.0 Update 9 (7.0.9-534)
2.134.1 1. Overview
2.134.2 2. Security Fixes
2.134.3 3. New Features
2.134.4 4. Bug Fixes
2.134.5 5. Installing the Update
2.135 Kernel update: New kernel 2.6.32-042stab136.1; Virtuozzo 6.0 Update 12 Hotfix 37 (6.0.12-3736)
2.135.1 1. Overview
2.135.2 2. Bug Fixes
2.135.3 3. Installing the Update
2.135.4 4. References
2.136 Kernel update: New kernel 2.6.32-042stab136.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.136.1 1. Overview

2.136.2 2. Bug Fixes
2.136.3 3. Installing the Update
2.136.4 4. References
2.137 Kernel update: Virtuozzo ReadyKernel patch 73.1 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5
2.137.1 1. Overview
2.137.2 2. Bug Fixes
2.137.3 3. Installing the Update
2.137.4 4. References
2.138 Kernel update: Virtuozzo ReadyKernel patch 72.1 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5
2.138.1 1. Overview
2.138.2 2. Bug Fixes
2.138.3 3. Installing the Update
2.138.4 4. References
2.139 Important kernel security update: Virtuozzo ReadyKernel patch 72.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5
2.139.1 1. Overview
2.139.2 2. Security Fixes
2.139.3 3. Installing the Update
2.139.4 4. References
2.140 Product update: Virtuozzo 6.0 Update 12 Hotfix 36 (6.0.12-3734)
2.140.1 1. Overview
2.140.2 2. Bug Fixes
2.140.3 3. Installing the Update
2.141 Kernel security update: Virtuozzo ReadyKernel patch 71.0 for Virtuozzo 7.0.6 to 7.0.8 HF1 and Virtuozzo Infrastructure Platform 2.5
2.141.1 1. Overview
2.141.2 2. Security Fixes
2.141.3 3. Bug Fixes
2.141.4 4. Installing the Update
2.141.5 5. References
2.142 Kernel update: Virtuozzo ReadyKernel patch 71.0 for Virtuozzo 7.0.5
2.142.1 1. Overview
2.142.2 2. Bug Fixes

2.142.3 3. Installing the Update
2.142.4 4. References
2.143 Kernel security update: Virtuozzo ReadyKernel patch 70.1 for Virtuozzo 7.0.6 to 7.0.7 HF3
2.143.1 1. Overview
2.143.2 2. Security Fixes
2.143.3 3. Bug Fixes
2.143.4 4. Installing the Update
2.143.5 5. References
2.144 Kernel security update: Virtuozzo ReadyKernel patch 70.1 for Virtuozzo 7.0.4 HF3 and 7.0.5
2.144.1 1. Overview
2.144.2 2. Security Fixes
2.144.3 3. Bug Fixes
2.144.4 4. Installing the Update
2.144.5 5. References
2.145 Kernel security update: Virtuozzo ReadyKernel patch 70.0 for Virtuozzo 7.0.8 and 7.0.8 HF1
2.145.1 1. Overview
2.145.2 2. Security Fixes
2.145.3 3. Bug Fixes
2.145.4 4. Installing the Update
2.145.5 5. References
2.146 Important kernel security update: Virtuozzo ReadyKernel patch 69.0 for Virtuozzo 7.0.4 HF3 to 7.0.8 HF1
2.146.1 1. Overview
2.146.2 2. Security Fixes
2.146.3 3. Installing the Update
2.146.4 4. References
2.147 Important kernel security update: Virtuozzo ReadyKernel patch 68.2 for Virtuozzo 7.0.4 HF3 to 7.0.8 HF1
2.147.1 1. Overview
2.147.2 2. Security Fixes
2.147.3 3. Installing the Update
2.147.4 4. References
2.148 Important kernel security update: New kernel 2.6.32-042stab134.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.148.1 1. Overview

2.148.2 2. Security Fixes
2.148.3 3. Installing the Update
2.148.4 4. References
2.149 Important kernel security update: New kernel 2.6.32-042stab134.8; Virtuozzo 6.0 Update 12 Hotfix 35 (6.0.12-3729)
2.149.1 1. Overview
2.149.2 2. Security Fixes
2.149.3 3. Installing the Update
2.149.4 4. References
2.150 Kernel security update: Virtuozzo ReadyKernel patch 67.0 for Virtuozzo 7.0.8 and 7.0.8 HF1
2.150.1 1. Overview
2.150.2 2. Security Fixes
2.150.3 3. Bug Fixes
2.150.4 4. Installing the Update
2.150.5 5. References
2.151 Kernel update: Virtuozzo ReadyKernel patch 67.0 for Virtuozzo 7.0.4 HF3 to 7.0.7 HF3
2.151.1 1. Overview
2.151.2 2. Bug Fixes
2.151.3 3. Installing the Update
2.151.4 4. References
2.152 Kernel update: New kernel 2.6.32-042stab134.7; Virtuozzo 6.0 Update 12 Hotfix 34 (6.0.12-3728)
2.152.1 1. Overview
2.152.2 2. Bug Fixes
2.152.3 3. Installing the Update
2.152.4 4. References
2.153 Kernel update: New kernel 2.6.32-042stab134.7 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.153.1 1. Overview
2.153.2 2. Bug Fixes
2.153.3 3. Installing the Update
2.153.4 4. References
2.154 Kernel update: Virtuozzo ReadyKernel patch 66.0 for Virtuozzo 7.0.4 to 7.0.8 HF1
2.154.1 1. Overview
2.154.2 2. Bug Fixes
2.154.3 3. Installing the Update

2.154.4 4. References
2.155 Important kernel security update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.7 HF3 to 7.0.8 HF1
2.155.1 1. Overview
2.155.2 2. Security Fixes
2.155.3 3. Bug Fixes
2.155.4 4. Installing the Update
2.155.5 5. References
2.156 Kernel update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.6 to 7.0.7 HF2
2.156.1 1. Overview
2.156.2 2. Bug Fixes
2.156.3 3. Installing the Update
2.156.4 4. References
2.157 Kernel update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.4 to 7.0.5
2.157.1 1. Overview
2.157.2 2. Bug Fixes
2.157.3 3. Installing the Update
2.157.4 4. References
2.158 Important kernel security update: CVE-2018-18559; Virtuozzo ReadyKernel patch 64.0 for Virtuozzo 7.0.4 to 7.0.8 HF1
2.158.1 1. Overview
2.158.2 2. Security Fixes
2.158.3 3. Installing the Update
2.158.4 4. References
2.159 Kernel update: Virtuozzo ReadyKernel patch 63.0 for Virtuozzo 7.0.4 to 7.0.8 HF1
2.159.1 1. Overview
2.159.2 2. Bug Fixes
2.159.3 3. Installing the Update
2.159.4 4. References
2.160 Important kernel security update: CVE-2018-5391 and other issues; new kernel 2.6.32-042stab134.3; Virtuozzo 6.0 Update 12 Hotfix 33 (6.0.12-3724)
2.160.1 1. Overview
2.160.2 2. Security Fixes
2.160.3 3. Bug Fixes
2.160.4 4. Installing the Update

2.160.5 5. References
2.161 Important kernel security update: CVE-2018-5391 and other issues; new kernel 2.6.32-042stab134.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.161.1 1. Overview
2.161.2 2. Security Fixes
2.161.3 3. Bug Fixes
2.161.4 4. Installing the Update
2.161.5 5. References
2.162 Important kernel security update: Virtuozzo ReadyKernel patch 62.2 for Virtuozzo 7.0.4 and 7.0.8 HF1
2.162.1 1. Overview
2.162.2 2. Security Fixes
2.162.3 3. Bug Fixes
2.162.4 4. Installing the Update
2.162.5 5. References
2.163 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.8 HF1
2.163.1 1. Overview
2.163.2 2. Bug Fixes
2.163.3 3. Installing the Update
2.163.4 4. References
2.164 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.7 to 7.0.8
2.164.1 1. Overview
2.164.2 2. Bug Fixes
2.164.3 3. Installing the Update
2.164.4 4. References
2.165 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.4 to 7.0.7
2.165.1 1. Overview
2.165.2 2. Bug Fixes
2.165.3 3. Installing the Update
2.165.4 4. References
2.166 Product update: Virtuozzo 7.0 Update 8 Hotfix 2 (7.0.8-514)
2.166.1 1. Overview
2.166.2 2. Bug Fixes
2.166.3 3. Installing the Update

2.167 Important kernel security update: CVE-2018-3620 and other issues; new kernel 3.10.0-862.11.6.vz7.64.7; Virtuozzo 7.0 Update 8 Hotfix 1 (7.0.8-507)
2.167.1 1. Overview
2.167.2 2. Security Fixes
2.167.3 3. Bug Fixes
2.167.4 4. Installing the Update
2.167.5 5. References
2.168 Kernel update: New kernel 2.6.32-042stab133.2; Virtuozzo 6.0 Update 12 Hotfix 32 (6.0.12-3719)
2.168.1 1. Overview
2.168.2 2. Bug Fixes
2.168.3 3. Installing the Update
2.169 Kernel update: New kernel 2.6.32-042stab133.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.169.1 1. Overview
2.169.2 2. Bug Fixes
2.169.3 3. Installing the Update
2.170 Product update: Virtuozzo 6.0 Update 12 Hotfix 31 (6.0.12-3717)
2.170.1 1. Overview
2.170.2 2. Bug Fixes
2.170.3 3. Installing the Update
2.171 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.8
2.171.1 1. Overview
2.171.2 2. Bug Fixes
2.171.3 3. Installing the Update
2.171.4 4. References
2.172 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.7 to 7.0.7 HF3
2.172.1 1. Overview
2.172.2 2. Bug Fixes
2.172.3 3. Installing the Update
2.172.4 4. References
2.173 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.4 to 7.0.6 HF3
2.173.1 1. Overview
2.173.2 2. Bug Fixes
2.173.3 3. Installing the Update
2.173.4 4. References

2.174 Kernel update: Virtuozzo ReadyKernel patch 58.0 for Virtuozzo 7.0.8
2.174.1 1. Overview
2.174.2 2. Bug Fixes
2.174.3 3. Installing the Update
2.174.4 4. References
2.175 Important kernel security update: CVE-2018-3620 and other issues; new kernel 2.6.32-042stab133.1; Virtuozzo 6.0 Update 12 Hotfix 30 (6.0.12-3713)
2.175.1 1. Overview
2.175.2 2. Security Fixes
2.175.3 3. Bug Fixes
2.175.4 4. Installing the Update
2.175.5 5. References
2.176 Important kernel security update: CVE-2018-3620 and other issues; new kernel 2.6.32-042stab133.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.176.1 1. Overview
2.176.2 2. Security Fixes
2.176.3 3. Bug Fixes
2.176.4 4. Installing the Update
2.176.5 5. References
2.177 Kernel update: Virtuozzo ReadyKernel patch 57.0 for Virtuozzo 7.0.7 to 7.0.8
2.177.1 1. Overview
2.177.2 2. Bug Fixes
2.177.3 3. Installing the Update
2.177.4 4. References
2.178 Important kernel security update: CVE-2017-18344; Virtuozzo ReadyKernel patch 56.0 for Virtuozzo 7.0.8
2.178.1 1. Overview
2.178.2 2. Security Fixes
2.178.3 3. Installing the Update
2.178.4 4. References
2.179 Product update: Virtuozzo 7.0 Update 8 (7.0.8-486)
2.179.1 1. Overview
2.179.2 2. New Features
2.179.3 3. Bug Fixes
2.179.4 4. Installing the Update

2.180 Important kernel security update: CVE-2017-18344; Virtuozzo ReadyKernel patch 56.0 for all supported Virtuozzo 7.0 kernels
2.180.1 1. Overview
2.180.2 2. Security Fixes
2.180.3 3. Installing the Update
2.180.4 4. References
2.181 Important kernel security update: CVE-2018-13405 and other; Virtuozzo ReadyKernel patch 55.0 for all supported Virtuozzo 7.0 kernels
2.181.1 1. Overview
2.181.2 2. Security Fixes
2.181.3 3. Bug Fixes
2.181.4 4. Installing the Update
2.181.5 5. References
2.182 Important kernel security update: CVE-2018-3639 ( AMD) and other issues; new kernel 2.6.32-042stab132.1; Virtuozzo 6.0 Update 12 Hotfix 29 (6.0.12-3710)
2.182.1 1. Overview
2.182.2 2. Security Fixes
2.182.3 3. Installing the Update
2.182.4 4. References
2.183 Important kernel security update: CVE-2018-3639 (x86 AMD) and other issues; new kernel 2.6.32-042stab132.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.183.1 1. Overview
2.183.2 2. Security Fixes
2.183.3 3. Installing the Update
2.183.4 4. References
2.184 Kernel security update: Virtuozzo ReadyKernel patch 54.0 for Virtuozzo 7.0.7 HF2 and 7.0.7 HF3
2.184.1 1. Overview
2.184.2 2. Security Fixes
2.184.3 3. Bug Fixes
2.184.4 4. Installing the Update
2.184.5 5. References
2.185 Kernel security update: Virtuozzo ReadyKernel patch 54.0 for Virtuozzo 7.0.4 to 7.0.7 (excl. hotfixes)
2.185.1 1. Overview
2.185.2 2. Security Fixes

2.185.3 3. Bug Fixes
2.185.4 4. Installing the Update
2.185.5 5. References
2.186 Product update: Virtuozzo 7.0 Update 7 Hotfix 4 (7.0.7-474)
2.186.1 1. Overview
2.186.2 2. New Features
2.186.3 3. Installing the Update
2.187 Kernel update: Virtuozzo ReadyKernel patch 53.0 for Virtuozzo 7.0.5 to 7.0.7 HF3
2.187.1 1. Overview
2.187.2 2. Bug Fixes
2.187.3 3. Installing the Update
2.187.4 4. References
2.188 Kernel update: Virtuozzo ReadyKernel patch 53.0 for Virtuozzo 7.0.3 to 7.0.4 HF3
2.188.1 1. Overview
2.188.2 2. Bug Fixes
2.188.3 3. Installing the Update
2.188.4 4. References
2.189 Important kernel security update: CVE-2018-10675 and other issues; new kernel 2.6.32-042stab131.1; Virtuozzo 6.0 Update 12 Hotfix 28 (6.0.12-3709)
2.189.1 1. Overview
2.189.2 2. Security Fixes
2.189.3 3. Bug Fixes
2.189.4 4. Installing the Update
2.189.5 5. References
2.190 Important kernel security update: CVE-2018-10675 and other issues; new kernel 2.6.32-042stab131.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.190.1 1. Overview
2.190.2 2. Security Fixes
2.190.3 3. Bug Fixes
2.190.4 4. Installing the Update
2.190.5 5. References
2.191 Product update: Virtuozzo 6.0 Update 12 Hotfix 27 (6.0.12-3708)
2.191.1 1. Overview
2.191.2 2. Bug Fixes
2.191.3 3. Installing the Update

2.192 Kernel security update: CVE-2018-1130 and other; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.7 HF3
2.192.1 1. Overview
2.192.2 2. Security Fixes
2.192.3 3. Bug Fixes
2.192.4 4. Installing the Update
2.192.5 5. References
2.193 Important product update: Virtuozzo 7.0 Update 7 Hotfix 3 (7.0.7-461)
2.193.1 1. Overview
2.193.2 2. Security Fixes
2.193.3 3. Bug Fixes
2.193.4 4. Installing the Update
2.193.5 5. References
2.194 Kernel security update: CVE-2018-5803; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.6 HF3, 7.0.7, and 7.0.7 HF2
2.194.1 1. Overview
2.194.2 2. Security Fixes
2.194.3 3. Bug Fixes
2.194.4 4. Installing the Update
2.194.5 5. References
2.195 Kernel security update: CVE-2018-5803; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.3, 7.0.4, 7.0.4 HF3, 7.0.5, and 7.0.6
2.195.1 1. Overview
2.195.2 2. Security Fixes
2.195.3 3. Installing the Update
2.195.4 4. References
2.196 Important product update: Fixes for CVE-2018-3639 and CVE-2018-1087 in virtual machines; Virtuozzo 6.0 Update 12 Hotfix 26 (6.0.12-3707)
2.196.1 1. Overview
2.196.2 2. Security Fixes
2.196.3 3. Installing the Update
2.196.4 4. References
2.197 Important kernel security update: CVE-2018-3639; new kernel 2.6.32-042stab130.1; Virtuozzo 6.0 Update 12 Hotfix 25 (6.0.12-3705)
2.197.1 1. Overview

2.197.2 2. Security Fixes
2.197.3 3. Bug Fixes
2.197.4 4. Installing the Update
2.197.5 5. References
2.198 Important kernel security update: CVE-2018-3639; new kernel 2.6.32-042stab130.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.198.1 1. Overview
2.198.2 2. Security Fixes
2.198.3 3. Bug Fixes
2.198.4 4. Installing the Update
2.198.5 5. References
2.199 Tools update: Virtuozzo 6.0 Update 12 Hotfix 24 (6.0.12-3704)
2.199.1 1. Overview
2.199.2 2. Bug Fixes
2.199.3 3. Installing the Update
2.200 Important kernel security update: CVE-2018-1087 and other; Virtuozzo ReadyKernel patch 51.1 for Virtuozzo 7.0.3 to 7.0.7 HF2
2.200.1 1. Overview
2.200.2 2. Security Fixes
2.200.3 3. Installing the Update
2.200.4 4. References
2.201 Important kernel security update: CVE-2017-5754 and other; new kernel 2.6.32-042stab129.1, Virtuozzo 6.0 Update 12 Hotfix 23 (6.0.12-3703)
2.201.1 1. Overview
2.201.2 2. Security Fixes
2.201.3 3. Bug Fixes
2.201.4 4. Installing the Update
2.201.5 5. References
2.202 Important kernel security update: CVE-2017-5754 and other; new kernel 2.6.32-042stab129.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.202.1 1. Overview
2.202.2 2. Security Fixes
2.202.3 3. Bug Fixes
2.202.4 4. Installing the Update
2.202.5 5. References

2.203 Kernel update: Virtuozzo ReadyKernel patch 50.0 for Virtuozzo 7.0.3 to 7.0.7 HF2
2.203.1 1. Overview
2.203.2 2. Bug Fixes
2.203.3 3. Installing the Update
2.203.4 4. References
2.204 Kernel security update: Virtuozzo ReadyKernel patch 49.1 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.204.1 1. Overview
2.204.2 2. Security Fixes
2.204.3 3. Bug Fixes
2.204.4 4. Installing the Update
2.204.5 5. References
2.205 Kernel security update: Virtuozzo ReadyKernel patch 49.0 for Virtuozzo 7.0.7 and 7.0.7 HF2
2.205.1 1. Overview
2.205.2 2. Security Fixes
2.205.3 3. Bug Fixes
2.205.4 4. Installing the Update
2.205.5 5. References
2.206 Kernel security update: Virtuozzo ReadyKernel patch 49.0 for Virtuozzo 7.0.1, 7.0.3, 7.0.5, 7.0.6, and 7.0.6 HF3
2.206.1 1. Overview
2.206.2 2. Security Fixes
2.206.3 3. Bug Fixes
2.206.4 4. Installing the Update
2.206.5 5. References
2.207 Kernel update: new kernel 3.10.0-693.21.1.vz7.46.7, Virtuozzo 7.0 Update 7 Hotfix 2 (7.0.7-453)
2.207.1 1. Overview
2.207.2 2. Bug Fixes
2.207.3 3. Installing the Update
2.208 Kernel update: Virtuozzo ReadyKernel patch 48.1 for Virtuozzo 7.0.1 to 7.0.5
2.208.1 1. Overview
2.208.2 2. Bug Fixes
2.208.3 3. Installing the Update
2.208.4 4. References
2.209 Product update: Virtuozzo 7.0 Update 7 Hotfix 1 (7.0.7-445)
2.209.1 1. Overview

2.209.2 2. Bug Fixes
2.209.3 3. Installing the Update
2.210 Kernel update: Virtuozzo ReadyKernel patch 48.0 for Virtuozzo 7.0.6 and 7.0.6 HF3
2.210.1 1. Overview
2.210.2 2. Bug Fixes
2.210.3 3. Installing the Update
2.210.4 4. References
2.211 Kernel update: Virtuozzo ReadyKernel patch 48.0 for Virtuozzo 7.0.7
2.211.1 1. Overview
2.211.2 2. Bug Fixes
2.211.3 3. Installing the Update
2.211.4 4. References
2.212 Kernel security update: CVE-2017-18017 and other; new kernel 2.6.32-042stab128.2, Virtuozzo 6.0 Update 12 Hotfix 22 (6.0.12-3701)
2.212.1 1. Overview
2.212.2 2. Security Fixes
2.212.3 3. Bug Fixes
2.212.4 4. Installing the Update
2.212.5 5. References
2.213 Kernel security update: CVE-2017-18017 and other; new kernel 2.6.32-042stab128.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.213.1 1. Overview
2.213.2 2. Security Fixes
2.213.3 3. Bug Fixes
2.213.4 4. Installing the Update
2.213.5 5. References
2.214 Important kernel security update: CVE-2018-1068; Virtuozzo ReadyKernel patch 47.0 for Virtuozzo 7.0.7
2.214.1 1. Overview
2.214.2 2. Security Fixes
2.214.3 3. Bug Fixes
2.214.4 4. Installing the Update
2.214.5 5. References
2.215 Important kernel security update: CVE-2018-1068; Virtuozzo ReadyKernel patch 47.0 for Virtuozzo 7.0.1 to 7.0.6 HF3

2.215.1 1. Overview
2.215.2 2. Security Fixes
2.215.3 3. Installing the Update
2.215.4 4. References
2.216 Product update: Virtuozzo 7.0 Update 7 (7.0.7-423)
2.216.1 1. Overview
2.216.2 2. New Features
2.216.3 3. Bug Fixes
2.216.4 4. Installing the Update
2.217 Kernel update: Virtuozzo ReadyKernel patch 46.0 for Virtuozzo 7.0.5, 7.0.6, and 7.0.6 HF3
2.217.1 1. Overview
2.217.2 2. Bug Fixes
2.217.3 3. Installing the Update
2.217.4 4. References
2.218 Kernel update: Virtuozzo ReadyKernel patch 45.0 for Virtuozzo 7.0.5, 7.0.6, and 7.0.6 HF3
2.218.1 1. Overview
2.218.2 2. Bug Fixes
2.218.3 3. Installing the Update
2.218.4 4. References
2.219 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.6 and 7.0.6 HF3
2.219.1 1. Overview
2.219.2 2. Bug Fixes
2.219.3 3. Installing the Update
2.219.4 4. References
2.220 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.4 and 7.0.4 HF3, and 7.0.5
2.220.1 1. Overview
2.220.2 2. Bug Fixes
2.220.3 3. Installing the Update
2.220.4 4. References
2.221 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.1 and 7.0.3
2.221.1 1. Overview
2.221.2 2. Bug Fixes
2.221.3 3. Installing the Update
2.221.4 4. References

2.222 Kernel security update: CVE-2018-5344 and other; Virtuozzo ReadyKernel patch 43.0 for Virtuozzo 7.0.x
2.222.1 1. Overview
2.222.2 2. Security Fixes
2.222.3 3. Bug Fixes
2.222.4 4. Installing the Update
2.222.5 5. References
2.223 Important product update: Fixes for Meltdown and Spectre exploits in virtual machines; Virtuozzo 6.0 Update 12 Hotfix 21 (6.0.12-3698)
2.223.1 1. Overview
2.223.2 2. Security Fixes
2.223.3 3. Bug Fixes
2.223.4 4. Installing the Update
2.223.5 5. References
2.224 Kernel security update: CVE-2017-18017; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.4, 7.0.4 HF3, 7.0.5, 7.0.6, and 7.0.6 HF3
2.224.1 1. Overview
2.224.2 2. Security Fixes
2.224.3 3. Installing the Update
2.224.4 4. References
2.225 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.225.1 1. Overview
2.225.2 2. Security Fixes
2.225.3 3. Bug Fixes
2.225.4 4. Installing the Update
2.225.5 5. References
2.226 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 3.10.0-693.11.6.vz7.40.4, Virtuozzo 7.0 Update 6 Hotfix 3 (7.0.6-710)
2.226.1 1. Overview
2.226.2 2. Security Fixes
2.226.3 3. Installing the Update
2.226.4 4. References
2.227 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2, Virtuozzo 6.0 Update 12 Hotfix 20 (6.0.12-3690)

2.227.1 1. Overview
2.227.2 2. Security Fixes
2.227.3 3. Bug Fixes
2.227.4 4. Installing the Update
2.227.5 5. References
2.228 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.228.1 1. Overview
2.228.2 2. Security Fixes
2.228.3 3. Bug Fixes
2.228.4 4. Installing the Update
2.228.5 5. References
2.229 Kernel security update: Virtuozzo ReadyKernel patch 41.1 for Virtuozzo 7.0.4, 7.0.4 HF3, 7.0.5, and 7.0.6
2.229.1 1. Overview
2.229.2 2. Security Fixes
2.229.3 3. Bug Fixes
2.229.4 4. Installing the Update
2.229.5 5. References
2.230 Product update: Virtuozzo 7.0 Update 6 Hotfix 2 (7.0.6-695)
2.230.1 1. Overview
2.230.2 2. New Features
2.230.3 3. Bug Fixes
2.230.4 4. Installing the Update
2.231 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.6
2.231.1 1. Overview
2.231.2 2. Security Fixes
2.231.3 3. Bug Fixes
2.231.4 4. Installing the Update
2.231.5 5. References
2.232 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.5
2.232.1 1. Overview
2.232.2 2. Security Fixes
2.232.3 3. Bug Fixes
2.232.4 4. Installing the Update

2.232.5 5. References
2.233 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.233.1 1. Overview
2.233.2 2. Security Fixes
2.233.3 3. Bug Fixes
2.233.4 4. Installing the Update
2.233.5 5. References
2.234 Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2, Virtuozzo 6.0 Update 12 Hotfix 19 (6.0.12-3689)
2.234.1 1. Overview
2.234.2 2. Security Fixes
2.234.3 3. Installing the Update
2.234.4 4. References
2.235 Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.235.1 1. Overview
2.235.2 2. Security Fixes
2.235.3 3. Installing the Update
2.235.4 4. References
2.236 Product update: Virtuozzo Storage 2.3 (2.3.0-91)
2.236.1 1. Overview
2.236.2 2. New Features
2.236.3 3. Installing the Update
2.237 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6
2.237.1 1. Overview
2.237.2 2. Security Fixes
2.237.3 3. Bug Fixes
2.237.4 4. Installing the Update
2.237.5 5. References
2.238 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.5
2.238.1 1. Overview
2.238.2 2. Security Fixes

2.238.3 3. Bug Fixes
2.238.4 4. Installing the Update
2.238.5 5. References
2.239 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.2 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.239.1 1. Overview
2.239.2 2. Security Fixes
2.239.3 3. Bug Fixes
2.239.4 4. Installing the Update
2.239.5 5. References
2.240 Product update: Virtuozzo 7.0 Update 6 Hotfix 1 (7.0.6-678)
2.240.1 1. Overview
2.240.2 2. Bug Fixes
2.240.3 3. Installing the Update
2.241 Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1, Virtuozzo 6.0 Update 12 Hotfix 18 (6.0.12-3688)
2.241.1 1. Overview
2.241.2 2. Security Fixes
2.241.3 3. Bug Fixes
2.241.4 4. Installing the Update
2.241.5 5. References
2.242 Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.242.1 1. Overview
2.242.2 2. Security Fixes
2.242.3 3. Bug Fixes
2.242.4 4. Installing the Update
2.242.5 5. References
2.243 Kernel update: Virtuozzo ReadyKernel patch 38.0 for Virtuozzo 7.0.3, 7.0.4, 7.0.4 HF3, and 7.0.5
2.243.1 1. Overview
2.243.2 2. Bug Fixes
2.243.3 3. Installing the Update
2.243.4 4. References
2.244 Product update: Virtuozzo 7.0 Update 6 (7.0.6-635)
2.244.1 1. Overview

2.244.2 2. Security Fixes
2.244.3 3. New Features
2.244.4 4. Bug Fixes
2.244.5 5. Installing the Update
2.245 Kernel security update: CVE-2017-12193; Virtuozzo ReadyKernel patch 37.1 for Virtuozzo 7.0.5
2.245.1 1. Overview
2.245.2 2. Security Fixes
2.245.3 3. Bug Fixes
2.245.4 4. Installing the Update
2.245.5 5. References
2.246 Kernel security update: CVE-2017-12193; Virtuozzo ReadyKernel patch 37.1 for Virtuozzo 7.0.0, 7.0.1, 7.0.3, 7.0.4, and 7.0.4 HF3
2.246.1 1. Overview
2.246.2 2. Security Fixes
2.246.3 3. Bug Fixes
2.246.4 4. Installing the Update
2.246.5 5. References
2.247 Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.4, 7.0.4 HF3, and 7.0.5
2.247.1 1. Overview
2.247.2 2. Security Fixes
2.247.3 3. Bug Fixes
2.247.4 4. Installing the Update
2.247.5 5. References
2.248 Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.248.1 1. Overview
2.248.2 2. Security Fixes
2.248.3 3. Installing the Update
2.248.4 4. References
2.249 Important kernel security update: CVE-2017-12188 and other; Virtuozzo ReadyKernel patch 35.2 for Virtuozzo 7.0.4, 7.0.4 HF3, and 7.0.5
2.249.1 1. Overview
2.249.2 2. Security Fixes
2.249.3 3. Bug Fixes

2.249.4 4. Installing the Update
2.249.5 5. References
2.250 Kernel security update: CVE-2016-8399 and other; Virtuozzo ReadyKernel patch 35.2 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.250.1 1. Overview
2.250.2 2. Security Fixes
2.250.3 3. Bug Fixes
2.250.4 4. Installing the Update
2.250.5 5. References
2.251 Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5, Virtuozzo 6.0 Update 12 Hotfix 17 (6.0.12-3687)
2.251.1 1. Overview
2.251.2 2. Security Fixes
2.251.3 3. Bug Fixes
2.251.4 4. Installing the Update
2.251.5 5. References
2.252 Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.252.1 1. Overview
2.252.2 2. Security Fixes
2.252.3 3. Bug Fixes
2.252.4 4. Installing the Update
2.252.5 5. References
2.253 Kernel security update: CVE-2017-15274; Virtuozzo ReadyKernel patch 34.0 for Virtuozzo 7.0.x
2.253.1 1. Overview
2.253.2 2. Security Fixes
2.253.3 3. Installing the Update
2.253.4 4. References
2.254 Product update: Virtuozzo 7.0 Update 5 Hotfix 4 (7.0.5-656)
2.254.1 1. Overview
2.254.2 2. Bug Fixes
2.254.3 3. Installing the Update
2.255 Kernel security update: Virtuozzo ReadyKernel patch 33.1 for Virtuozzo 7.0.x
2.255.1 1. Overview
2.255.2 2. Security Fixes

2.255.3 3. Bug Fixes
2.255.4 4. Installing the Update
2.255.5 5. References
2.256 Important kernel security update: CVE-2017-1000253; new kernel 2.6.32-042stab125.3, Virtuozzo 6.0 Update 12 Hotfix 16 (6.0.12-3686)
2.256.1 1. Overview
2.256.2 2. Security Fixes
2.256.3 3. Installing the Update
2.256.4 4. References
2.257 Important kernel security update: CVE-2017-1000253; new kernel 2.6.32-042stab125.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.257.1 1. Overview
2.257.2 2. Security Fixes
2.257.3 3. Installing the Update
2.257.4 4. References
2.258 Important kernel security update: CVE-2017-1000253; new kernel 2.6.18-028stab122.4 for Virtuozzo Containers for Linux 4.6
2.258.1 1. Overview
2.258.2 2. Security Fixes
2.258.3 3. Installing the Update
2.258.4 4. References
2.259 Product update: Virtuozzo 7.0 Update 5 Hotfix 3 (7.0.5-646)
2.259.1 1. Overview
2.259.2 2. Security Fixes
2.259.3 3. New Features
2.259.4 4. Bug Fixes
2.259.5 5. Installing the Update
2.259.6 6. References
2.260 Important kernel security update: CVE-2017-1000253; Virtuozzo ReadyKernel patch 32.1 for Virtuozzo 7.0.x
2.260.1 1. Overview
2.260.2 2. Security Fixes
2.260.3 3. Installing the Update
2.260.4 4. References

2.261 Important kernel security update: CVE-2017-1000251 and other; new kernel 2.6.32-042stab125.1, Virtuozzo 6.0 Update 12 Hotfix 15 (6.0.12-3684)
2.261.1 1. Overview
2.261.2 2. Security Fixes
2.261.3 3. Installing the Update
2.261.4 4. References
2.262 Important kernel security update: CVE-2017-1000251 and other; new kernel 2.6.32-042stab125.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.262.1 1. Overview
2.262.2 2. Security Fixes
2.262.3 3. Installing the Update
2.262.4 4. References
2.263 Important kernel security update: CVE-2017-14489 and other; Virtuozzo ReadyKernel patch 31.1 for Virtuozzo 7.0.1, 7.0.3, 7.0.4, 7.0.4 HF3, 7.0.5
2.263.1 1. Overview
2.263.2 2. Security Fixes
2.263.3 3. Installing the Update
2.263.4 4. References
2.264 Important kernel security update: CVE-2017-14489 and other; Virtuozzo ReadyKernel patch 31.1 for Virtuozzo 7.0.0
2.264.1 1. Overview
2.264.2 2. Security Fixes
2.264.3 3. Installing the Update
2.264.4 4. References
2.265 Product update: Virtuozzo 7.0 Update 5 Hotfix 2 (7.0.5-642)
2.265.1 1. Overview
2.265.2 2. Bug Fixes
2.265.3 3. Installing the Update
2.266 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.5
2.266.1 1. Overview
2.266.2 2. Security Fixes
2.266.3 3. Bug Fixes
2.266.4 4. Installing the Update
2.266.5 5. References

2.267 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.267.1 1. Overview
2.267.2 2. Security Fixes
2.267.3 3. Bug Fixes
2.267.4 4. Installing the Update
2.267.5 5. References
2.268 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.268.1 1. Overview
2.268.2 2. Security Fixes
2.268.3 3. Bug Fixes
2.268.4 4. Installing the Update
2.268.5 5. References
2.269 Important kernel security update: CVE-2017-7542 and other; new kernel 2.6.32-042stab124.2, Virtuozzo 6.0 Update 12 Hotfix 14 (6.0.12-3683)
2.269.1 1. Overview
2.269.2 2. Security Fixes
2.269.3 3. Bug Fixes
2.269.4 4. Installing the Update
2.269.5 5. References
2.270 Important kernel security update: CVE-2017-7542 and other; new kernel 2.6.32-042stab124.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.270.1 1. Overview
2.270.2 2. Security Fixes
2.270.3 3. Bug Fixes
2.270.4 4. Installing the Update
2.270.5 5. References
2.271 Product update: Virtuozzo 7.0 Update 5 Hotfix 1 (7.0.5-631)
2.271.1 1. Overview
2.271.2 2. New Features
2.271.3 3. Bug Fixes
2.271.4 4. Installing the Update
2.272 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.1 for Virtuozzo 7.0.5

2.272.1 1. Overview
2.272.2 2. Security Fixes
2.272.3 3. Bug Fixes
2.272.4 4. Installing the Update
2.272.5 5. References
2.273 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.273.1 1. Overview
2.273.2 2. Security Fixes
2.273.3 3. Bug Fixes
2.273.4 4. Installing the Update
2.273.5 5. References
2.274 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.274.1 1. Overview
2.274.2 2. Security Fixes
2.274.3 3. Bug Fixes
2.274.4 4. Installing the Update
2.274.5 5. References
2.275 Kernel security update: CVE-2017-7533; Virtuozzo ReadyKernel patch 28.0 for Virtuozzo 7.0.x
2.275.1 1. Overview
2.275.2 2. Security Fixes
2.275.3 3. Installing the Update
2.275.4 4. References
2.276 Kernel security update: CVE-2017-7542 and other; Virtuozzo ReadyKernel patch 27.0 for Virtuozzo 7.0.5
2.276.1 1. Overview
2.276.2 2. Security Fixes
2.276.3 3. Bug Fixes
2.276.4 4. Installing the Update
2.276.5 5. References
2.277 Kernel security update: CVE-2017-11600 and other; Virtuozzo ReadyKernel patch 27.0 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.277.1 1. Overview
2.277.2 2. Security Fixes

2.277.3 3. Bug Fixes
2.277.4 4. Installing the Update
2.277.5 5. References
2.278 Kernel security update: CVE-2017-11600 and other; Virtuozzo ReadyKernel patch 27.2 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.278.1 1. Overview
2.278.2 2. Security Fixes
2.278.3 3. Bug Fixes
2.278.4 4. Installing the Update
2.278.5 5. References
2.279 Product update: Virtuozzo 7.0 Update 5 (7.0.5-593)
2.279.1 1. Overview
2.279.2 2. Security Fixes
2.279.3 3. New Features
2.279.4 4. Bug Fixes
2.279.5 5. Installing the Update
2.280 Kernel security update: CVE-2017-11176 and other; Virtuozzo ReadyKernel patch 26.1 for Virtuozzo 7.0.x
2.280.1 1. Overview
2.280.2 2. Security Fixes
2.280.3 3. Bug Fixes
2.280.4 4. Installing the Update
2.280.5 5. References
2.281 Important kernel security update: CVE-2017-8797 and other; Virtuozzo ReadyKernel patch 25.0 for Virtuozzo 7.0.4 and 7.0.4 HF3
2.281.1 1. Overview
2.281.2 2. Security Fixes
2.281.3 3. Installing the Update
2.281.4 4. References
2.282 Important kernel security update: CVE-2017-8797 and other; Virtuozzo ReadyKernel patch 25.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.282.1 1. Overview
2.282.2 2. Security Fixes
2.282.3 3. Installing the Update
2.282.4 4. References

2.283 Important kernel security update: updated fix for CVE-2017-1000364; new kernel 2.6.32-042stab123.9, Virtuozzo 6.0 Update 12 Hotfix 13 (6.0.12-3681)
2.283.1 1. Overview
2.283.2 2. Security Fixes
2.283.3 3. Installing the Update
2.283.4 4. References
2.284 Important kernel security update: updated fix for CVE-2017-1000364; new kernel 2.6.32-042stab123.9 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.284.1 1. Overview
2.284.2 2. Security Fixes
2.284.3 3. Installing the Update
2.284.4 4. References
2.285 Important kernel security update: CVE-2017-1000364; new kernel 2.6.18-028stab122.3 for Virtuozzo Containers for Linux 4.6
2.285.1 1. Overview
2.285.2 2. Security Fixes
2.285.3 3. Installing the Update
2.285.4 4. References
2.286 Kernel security update: Virtuozzo ReadyKernel patch 24.0 for Virtuozzo 7.0.4 HF3
2.286.1 1. Overview
2.286.2 2. Security Fixes
2.286.3 3. Bug Fixes
2.286.4 4. Installing the Update
2.286.5 5. References
2.287 Kernel security update: Virtuozzo ReadyKernel patch 24.0 for Virtuozzo 7.0.4
2.287.1 1. Overview
2.287.2 2. Security Fixes
2.287.3 3. Installing the Update
2.287.4 4. References
2.288 Important kernel security update: CVE-2017-1000364; Virtuozzo 7.0 Update 4 Hotfix 3 (7.0.4-1107)
2.288.1 1. Overview
2.288.2 2. Security Fixes
2.288.3 3. Installing the Update
2.288.4 4. References

2.289 Important kernel security update: CVE-2017-1000364; new kernel 2.6.32-042stab123.8, Virtuozzo 6.0 Update 12 Hotfix 12 (6.0.12-3680)
2.289.1 1. Overview
2.289.2 2. Security Fixes
2.289.3 3. Installing the Update
2.289.4 4. References
2.290 Important kernel security update: CVE-2017-1000364; new kernel 2.6.32-042stab123.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.290.1 1. Overview
2.290.2 2. Security Fixes
2.290.3 3. Installing the Update
2.290.4 4. References
2.291 Kernel security update: Virtuozzo ReadyKernel patch 23.0 for Virtuozzo 7.0.4
2.291.1 1. Overview
2.291.2 2. Security Fixes
2.291.3 3. Bug Fixes
2.291.4 4. Installing the Update
2.291.5 5. References
2.292 Kernel security update: Virtuozzo ReadyKernel patch 23.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2.292.1 1. Overview
2.292.2 2. Security Fixes
2.292.3 3. Bug Fixes
2.292.4 4. Installing the Update
2.292.5 5. References
2.293 Kernel update: new kernel 2.6.32-042stab123.6, Virtuozzo 6.0 Update 12 Hotfix 11 (6.0.12-3678)
2.293.1 1. Overview
2.293.2 2. Bug Fixes
2.293.3 3. Installing the Update
2.294 Kernel update: new kernel 2.6.32-042stab123.6 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.294.1 1. Overview
2.294.2 2. Bug Fixes
2.294.3 3. Installing the Update
2.295 Kernel update: new kernel 2.6.18-028stab122.2 for Virtuozzo Containers for Linux 4.6
2.295.1 1. Overview

2.295.2 2. Bug Fixes
2.295.3 3. Installing the Update
2.296 Product update: Virtuozzo 7.0 Update 4 Hotfix 2 (7.0.4-1101)
2.296.1 1. Overview
2.296.2 2. Bug Fixes
2.296.3 3. Installing the Update
2.297 Kernel security update: CVE-2017-9077 and other; new kernel 2.6.32-042stab123.4, Virtuozzo 6.0 Update 12 Hotfix 10 (6.0.12-3677)
2.297.1 1. Overview
2.297.2 2. Security Fixes
2.297.3 3. Bug Fixes
2.297.4 4. Installing the Update
2.297.5 5. References
2.298 Kernel security update: CVE-2017-9077 and other; new kernel 2.6.32-042stab123.4 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.298.1 1. Overview
2.298.2 2. Security Fixes
2.298.3 3. Bug Fixes
2.298.4 4. Installing the Update
2.298.5 5. References
2.299 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.4
2.299.1 1. Overview
2.299.2 2. Security Fixes
2.299.3 3. Bug Fixes
2.299.4 4. Installing the Update
2.299.5 5. References
2.300 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.3
2.300.1 1. Overview
2.300.2 2. Security Fixes
2.300.3 3. Installing the Update
2.300.4 4. References
2.301 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.1

2.301.1 1. Overview
2.301.2 2. Security Fixes
2.301.3 3. Installing the Update
2.301.4 4. References
2.302 Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.0
2.302.1 1. Overview
2.302.2 2. Security Fixes
2.302.3 3. Installing the Update
2.302.4 4. References
2.303 Product update: Virtuozzo 7.0 Update 4 Hotfix 1 (7.0.4-1091)
2.303.1 1. Overview
2.303.2 2. Bug Fixes
2.303.3 3. Installing the Update
2.304 Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 21.0 for Virtuozzo 7.0.x
2.304.1 1. Overview
2.304.2 2. Security Fixes
2.304.3 3. Installing the Update
2.304.4 4. References
2.305 Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3, Virtuozzo 6.0 Update 12 Hotfix 9 (6.0.12-3676)
2.305.1 1. Overview
2.305.2 2. Security Fixes
2.305.3 3. Bug Fixes
2.305.4 4. Installing the Update
2.305.5 5. References
2.306 Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.306.1 1. Overview
2.306.2 2. Security Fixes
2.306.3 3. Bug Fixes
2.306.4 4. Installing the Update
2.306.5 5. References
2.307 Product update: Virtuozzo 7.0 Update 4 (7.0.4-1025)

2.307.1 1. Overview
2.307.2 2. Security Fixes
2.307.3 3. New Features
2.307.4 4. Bug Fixes
2.307.5 5. Installing the Update
2.308 Kernel security update: CVE-2017-5970 and other; Virtuozzo ReadyKernel patch 20.0 for Virtuozzo 7.0.x
2.308.1 1. Overview
2.308.2 2. Security Fixes
2.308.3 3. Installing the Update
2.308.4 4. References
2.309 Kernel security update: CVE-2017-7472; new kernel 2.6.32-042stab123.2, Virtuozzo 6.0 Update 12 Hotfix 8 (6.0.12-3765)
2.309.1 1. Overview
2.309.2 2. Security Fixes
2.309.3 3. Bug Fixes
2.309.4 4. Installing the Update
2.309.5 5. References
2.310 Kernel security update: CVE-2017-7472; new kernel 2.6.32-042stab123.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.310.1 1. Overview
2.310.2 2. Security Fixes
2.310.3 3. Bug Fixes
2.310.4 4. Installing the Update
2.310.5 5. References
2.311 Kernel security update: CVE-2017-7472 and other; Virtuozzo ReadyKernel patch 19.1 for Virtuozzo 7.0.x
2.311.1 1. Overview
2.311.2 2. Security Fixes
2.311.3 3. Installing the Update
2.311.4 4. References
2.312 Important kernel security update: Virtuozzo ReadyKernel patch 18.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.312.1 1. Overview

2.312.2 2. Security Fixes
2.312.3 3. Bug Fixes
2.312.4 4. Installing the Update
2.312.5 5. References
2.313 Kernel security update: Virtuozzo ReadyKernel patch 17.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.313.1 1. Overview
2.313.2 2. Security Fixes
2.313.3 3. Installing the Update
2.313.4 4. References
2.314 Important kernel security update: Virtuozzo ReadyKernel patch 16.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.314.1 1. Overview
2.314.2 2. Security Fixes
2.314.3 3. Installing the Update
2.314.4 4. References
2.315 Kernel security update: new kernel 2.6.32-042stab123.1, Virtuozzo 6.0 Update 12 Hotfix 7 (6.0.12-3674)
2.315.1 1. Overview
2.315.2 2. Security Fixes
2.315.3 3. Bug Fixes
2.315.4 4. Installing the Update
2.315.5 5. References
2.316 Kernel security update: new kernel 2.6.32-042stab123.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2.316.1 1. Overview
2.316.2 2. Security Fixes
2.316.3 3. Installing the Update
2.316.4 4. References
2.317 Product update: Virtuozzo 7.0 Update 3 Hotfix 3 (7.0.3-641)
2.317.1 1. Overview
2.317.2 2. New Features
2.317.3 3. Bug Fixes

2.317.4 4. Installing the Update
2.318 Kernel security update: Virtuozzo ReadyKernel patch 15.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.318.1 1. Overview
2.318.2 2. Security Fixes
2.318.3 3. Installing the Update
2.318.4 4. References
2.319 Kernel security update: new kernel 2.6.32-042stab120.20, Virtuozzo 6.0 Update 12 Hotfix 6 (6.0.12-3673)
2.319.1 1. Overview
2.319.2 2. Security Fixes
2.319.3 3. Installing the Update
2.319.4 4. References
2.320 Product security update: Virtuozzo 7.0 Update 3 Hotfix 2 (7.0.3-640)
2.320.1 1. Overview
2.320.2 2. Security Fixes
2.320.3 3. Installing the Update
2.321 Important kernel security update: Virtuozzo ReadyKernel patch 14.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.321.1 1. Overview
2.321.2 2. Security Fixes
2.321.3 3. Installing the Update
2.321.4 4. References
2.322 Important kernel security update: new kernel 2.6.18-028stab122.1 for Virtuozzo Containers for Linux 4.6
2.322.1 1. Overview
2.322.2 2. Security Fixes
2.322.3 3. Installing the Update
2.322.4 4. References
2.323 Critical product security update: Virtuozzo 7.0 Update 3 Hotfix 1 (7.0.3-639)
2.323.1 1. Overview
2.323.2 2. Security Fixes
2.323.3 3. New Features
2.323.4 4. Bug Fixes
2.323.5 5. Installing the Update
2.324 Product update: Virtuozzo 6.0 Update 12 Hotfix 5 (6.0.12-3672)
2.324.1 1. Overview
2.324.2 2. Bug Fixes
2.324.3 3. Installing the Update
2.325 Important kernel security update: Virtuozzo ReadyKernel patch 13.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.325.1 1. Overview
2.325.2 2. Security Fixes
2.325.3 3. Installing the Update
2.325.4 4. References
2.326 Product security update: Virtuozzo 6.0 Update 12 Hotfix 4 (6.0.12-3671)
2.326.1 1. Overview
2.326.2 2. Security Fixes
2.326.3 3. Bug Fixes
2.326.4 4. Installing the Update
2.327 Kernel security update: Virtuozzo ReadyKernel patch 12.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.327.1 1. Overview
2.327.2 2. Security Fixes
2.327.3 3. Installing the Update
2.327.4 4. References
2.328 Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.328.1 1. Overview
2.328.2 2. Security Fixes
2.328.3 3. Bug Fixes
2.328.4 4. Installing the Update
2.328.5 5. References
2.329 Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0) and 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1)
2.329.1 1. Overview
2.329.2 2. Security Fixes
2.329.3 3. Bug Fixes
2.329.4 4. Installing the Update
2.329.5 5. References
2.330 Critical product security update: Virtuozzo 6.0 Update 12 Hotfix 3 (6.0.12-3670)
2.330.1 1. Overview
2.330.2 2. Security Fixes
2.330.3 3. Bug Fixes
2.330.4 4. Installing the Update
2.331 Kernel security update: Virtuozzo ReadyKernel patch 10.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
2.331.1 1. Overview
2.331.2 2. Security Fixes
2.331.3 3. Installing the Update
2.331.4 4. References
2.332 Product security update: Virtuozzo 6.0 Update 12 Hotfix 2 (6.0.12-3658)
2.332.1 1. Overview
2.332.2 2. Security Fixes
2.332.3 3. Installing the Update
2.333 Kernel update: Virtuozzo ReadyKernel patch 9.0 for kernel 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1)
2.333.1 1. Update Overview
2.333.2 2. Bug Fixes
2.333.3 3. Installing the Update
2.333.4 4. References
2.334 Important kernel security and product update: vulnerability fix for CVE-2015-8539, new kernel 2.6.32-042stab120.18; Virtuozzo 6.0 Update 12 Hotfix 1 (6.0.12-3656)
2.334.1 1. Overview
2.334.2 2. Security Fixes
2.334.3 3. Bug Fixes
2.334.4 4. Installing the Update
2.334.5 5. References

3. Virtuozzo Linux
3.1 Virtuozzo Linux 8.4
3.1.1 1. Overview
3.1.2 2. New Features
3.1.3 3. Bug Fixes
3.1.4 4. Installing
3.1.5 5. Upgrading
3.1.6 6. Providing Feedback

4. Virtuozzo Automator
4.1 Virtuozzo Automator 7.0 Update 2 Hotfix 13 (VA MN: 7.0.2-674)
4.1.1 1. Overview
4.1.2 2. Bug Fixes
4.1.3 3. Installing the Update
4.2 Virtuozzo Automator 7.0 Update 2 Hotfix 12 (VA MN: 7.0.2-670, VA Agent: 7.0.2-398)
4.2.1 1. Overview
4.2.2 2. New Features
4.2.3 3. Bug Fixes
4.2.4 4. Installing the Update
4.3 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 11 (VA MN: 7.0.2-649, VA Agent: 7.0.2-372)
4.3.1 1. Overview
4.3.2 2. Bug Fixes
4.3.3 3. Installing the Update
4.4 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 10 (VA MN: 7.0.2-647, VA Agent: 7.0.2-367)
4.4.1 1. Overview
4.4.2 2. Bug Fixes
4.4.3 3. Installing the Update
4.5 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 9 (VA MN: 7.0.2-645, VA Agent: 7.0.2-364)
4.5.1 1. Overview
4.5.2 2. Bug Fixes
4.5.3 3. Installing the Update
4.6 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 8 (VA MN: 7.0.2-623, VA Agent: 7.0.2-341)
4.6.1 1. Overview
4.6.2 2. Bug Fixes
4.6.3 3. Installing the Update
4.7 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 7 (VA MN: 7.0.2-617, VA Agent: 7.0.2-329)
4.7.1 1. Overview
4.7.2 2. Bug Fixes
4.7.3 3. Installing the Update
4.8 Critical product update: Virtuozzo Automator 7.0 Update 2 Hotfix 6 (VA MN: 7.0.2-612, VA Agent: 7.0.2-326)
4.8.1 1. Overview
4.8.2 2. Security Fixes
4.8.3 3. Bug Fixes
4.8.4 4. Installing the Update
4.9 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 5 (VA MN: 7.0.2-597, VA Agent: 7.0.2-320)
4.9.1 1. Overview
4.9.2 2. New Features
4.9.3 3. Bug Fixes
4.9.4 4. Installing the Update
4.10 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 4 (VA MN: 7.0.2-545, VA Agent: 7.0.2-278)
4.10.1 1. Overview
4.10.2 2. New Features
4.10.3 3. Bug Fixes
4.10.4 4. Installing the Update
4.11 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 3 (VA MN: 7.0.2-510, VA Agent: 7.0.2-258)
4.11.1 1. Overview
4.11.2 2. New Features
4.11.3 3. Bug Fixes
4.11.4 4. Installing the Update
4.12 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 2 (VA MN: 7.0.2-403, VA Agent: 7.0.2-189)
4.12.1 1. Overview
4.12.2 2. Bug Fixes
4.12.3 3. Installing the Update
4.13 Important product security update: Virtuozzo Automator 6.1 Update 2 Hotfix 5 (VA MN: 6.0-3266, VA Agent: 6.0-3266)
4.13.1 1. Overview
4.13.2 2. Security Fixes
4.13.3 3. Installing the Update
4.14 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 1 (VA MN: 7.0.2-344, VA Agent: 7.0.2-152)
4.14.1 1. Overview
4.14.2 2. Security Fixes
4.14.3 3. Bug Fixes
4.14.4 4. Installing the Update
4.15 Product update: Virtuozzo Automator 7.0 Update 2 (VA MN: 7.0.2-266, VA Agent: 7.0.2-115)
4.15.1 1. Overview
4.15.2 2. New Features
4.15.3 3. Bug Fixes
4.15.4 4. Installing the Update
4.16 Product update: Virtuozzo Automator 7 Update 1 Hotfix 2 (7.0.1-740)
4.16.1 1. Overview
4.16.2 2. Bug Fixes
4.16.3 3. Installing the Update
4.17 Product update: Virtuozzo Automator 7 Update 1 Hotfix 1
4.17.1 1. Overview
4.17.2 2. Bug Fixes
4.17.3 3. Installing the Update
4.18 Product security update: Virtuozzo Automator 6.1 Update 2 Hotfix 4 (VA Agent: 6.0-3264)
4.18.1 1. Overview
4.18.2 2. Security Fixes
4.18.3 3. New Features
4.18.4 4. Bug Fixes
4.18.5 5. Installing the Update
4.19 Product update: Virtuozzo Automator 7 Update 1 (VA MN: 7.0.1-728, VA Agent: 7.0.1-430)
4.19.1 1. Overview
4.19.2 2. New Features
4.19.3 3. Bug Fixes
4.19.4 4. Installing the Update

5. Virtuozzo PowerPanel
5.1 [Important] [Security] Virtuozzo PowerPanel Update 1 Hotfix 2 (7.0.4-47)
5.1.1 1. Overview
5.1.2 2. Security Fixes
5.1.3 3. New Features
5.1.4 4. Installing the Update
5.2 Product update: Virtuozzo PowerPanel Update 1 Hotfix 1 (7.0.4-39)
5.2.1 1. Overview
5.2.2 2. Bug Fixes
5.2.3 3. Installing the Update
5.3 Product update: Virtuozzo PowerPanel Update 1 (7.0.4-30)
5.3.1 1. Overview
5.3.2 2. New Features
5.3.3 3. Bug Fixes
5.3.4 4. Known Limitations
5.3.5 5. Installing the Update
5.4 Product update: Virtuozzo PowerPanel RTM Hotfix 8 (7.0.3-151)
5.4.1 1. Overview
5.4.2 2. Security Fixes
5.4.3 3. New Features
5.4.4 4. Bug Fixes
5.4.5 5. Installing the Update
5.5 Product update: Virtuozzo PowerPanel RTM Hotfix 7 (7.0.3-145)
5.5.1 1. Overview
5.5.2 2. Bug Fixes
5.5.3 3. Installing the Update
5.6 Product update: Virtuozzo PowerPanel RTM Hotfix 6 (7.0.3-137)
5.6.1 1. Overview
5.6.2 2. Bug Fixes
5.6.3 3. Installing the Update
5.7 Product update: Virtuozzo PowerPanel RTM Hotfix 5 (7.0.3-133)
5.7.1 1. Overview
5.7.2 2. Bug Fixes
5.7.3 3. Installing the Update
5.8 Product update: Virtuozzo PowerPanel RTM Hotfix 4 (7.0.1-422)
5.8.1 1. Overview
5.8.2 2. New Features
5.8.3 3. Bug Fixes
5.8.4 4. Installing the Update
5.9 Important product update: Virtuozzo PowerPanel RTM Hotfix 3 (7.0.1-415)
5.9.1 1. Overview
5.9.2 2. Security Fixes
5.9.3 3. New Features
5.9.4 4. Bug Fixes
5.9.5 5. Installing the Update
5.9.6 6. References
5.10 Product update: Virtuozzo PowerPanel RTM Hotfix 2 (7.0.1-354)
5.10.1 1. Overview
5.10.2 2. Bug Fixes
5.10.3 3. Installing the Update
5.11 Important product security update: Virtuozzo PowerPanel RTM Hotfix 1 (7.0.1-346)
5.11.1 1. Overview
5.11.2 2. Security Fixes
5.11.3 3. Bug Fixes
5.11.4 4. Installing the Update

CHAPTER 1 Virtuozzo Hybrid Infrastructure

Release announcements for this product are available as an RSS feed.

1.1 Virtuozzo Hybrid Infrastructure 4.6 Hotfix 2 (4.6.0-213)

Issue date: 2021-07-05

Applies to: Virtuozzo Hybrid Infrastructure 4.6

Virtuozzo Advisory ID: VZA-2021-035

1.1.1 1. Overview

This update provides stability fixes for the storage, Backup Gateway and object storage services.

1.1.2 2. Bug Fixes

• A stability fix for the storage service. (VSTOR-44694)

• A stability fix for the Backup Gateway service. (VSTOR-44859)

• Complete multipart upload requests might fail for uploads with more than 9900 parts. (VSTOR-44677)

• abgw-setting.service is in the failed state. (VSTOR-44601)

1.1.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update. However, if you experience the VSTOR-44694 issue, reboot upgraded nodes manually, one at a time.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-035.json.

1.2 Virtuozzo Hybrid Infrastructure 4.6 Hotfix 1 (4.6.0-209)

Issue date: 2021-06-24

Applies to: Virtuozzo Hybrid Infrastructure 4.6

Virtuozzo Advisory ID: VZA-2021-033

1.2.1 1. Overview

This update provides stability fixes for the storage services.

1.2.2 2. Bug Fixes

• It is not possible to some files in the storage. (VSTOR-44388)

• A stability improvement for the storage service. (VSTOR-44346)

1.2.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update. If, however, you experience the issue described in VSTOR-44388, reboot upgraded nodes manually, one at a time.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-033.json.

1.3 Virtuozzo Hybrid Infrastructure 4.6 (4.6.0-208)

Issue date: 2021-06-09

Applies to: Virtuozzo Hybrid Infrastructure 4.6

Virtuozzo Advisory ID: VZA-2021-029

1.3.1 1. Overview

In this release, Virtuozzo Hybrid Infrastructure provides a wide range of new features that enhance service providers’ operability. The improvements cover compute services, object storage, monitoring, security, localization, and the user interface. Additionally, this release delivers stability improvements and addresses the issues found in previous releases.

1.3.2 2. New Features

• [Compute] Placement improvements:

• Soft mode for placements. The new mode allows you to schedule a virtual machine on a node that is assigned at least the same placements as the virtual machine. Together with the hard mode, this mode increases flexibility of placing virtual machines on compute nodes.

• Placements for flavors. Now, placements can be assigned not only to images, but also to flavors. Image placements allow you to distribute virtual machines according to image properties, such as a guest . Placements assigned to flavors, in their turn, help to distribute virtual machines according to hardware capabilities, such as a high-frequency CPU model. In this release, you can assign a placement to a flavor in the command-line interface.

• [Compute] Support for Kubernetes version 1.19. The new version can be used to create and manage Kubernetes clusters.

• [Compute] Online extension of virtual machine volumes. Volume extension is enabled for running virtual machines.

• [Compute] Soft anti-affinity policy for placing Kubernetes instances. Instances with Kubernetes services will be distributed across different nodes in the compute cluster by default. If there are not enough compute nodes, some instances can be placed on the same node.

• [Compute] Multiple IP addresses per VM network interface. Now, it is possible to set multiple IP addresses for a virtual machine’s network interface.

• [Compute] Custom branding per domain. Personal branding theme, which is displayed in the self-service panel, can be configured for each domain separately.

• [Object storage] Object storage classes. It is now possible to use up to four different storage classes for applications with specific performance and redundancy requirements. In this release, management of storage classes is available only in the command-line interface.

• [Object storage] Object storage stability improvements. The integrity of object storage metadata is ensured by automatic built-in metadata backups.

• [Object storage] Object storage accounts. Each S3 user can now have multiple accounts, which are isolated containers for S3 user buckets with defined usage limits.

• [Monitoring and alerting] Advanced core and object storage monitoring. Added more metrics and alerts for core and object storage to the integrated Prometheus monitoring system, to monitor storage parameters centrally, as well as detect and fix issues faster.

• [Security] Embedded firewall rules for outbound connections. Configurable outbound firewall rules help to secure your nodes and ensure that they can reach only allowed external resources. In this release, management of outbound firewall rules is available only in the command-line interface.

• [User interface] New screens for node disks and network interfaces. Improved user experience with disks and network interfaces of infrastructure nodes. Introduced new properties for disks and network interfaces. Added two new dashboards for disks, to display current usage and read/write latency.

• [Updates] Improved update speed. In future releases, large clusters can be updated up to three times faster due to enhanced maintenance mode for storage components and more efficient virtual machine migration.

• [Localization] Turkish language localization for the admin and self-service panels.

1.3.3 3. Important Notes

• Kubernetes version 1.15 is deprecated. Use the currently supported version 1.19 to plan your containerized environments.

• Kubernetes version 1.18 will be deprecated in future releases. Use the currently supported version 1.19 to plan your containerized environments.

• For object storage, the minimum TLS protocol version is changed to TLS 1.2, to comply with PCI DSS requirements.

1.3.4 4. Bug Fixes

• Unable to release a cluster node due to a conflicting task. (VSTOR-43708)

• An incorrect confirmation message is displayed when releasing a node from the S3 cluster. (VSTOR-43528)

• A Kubernetes cluster might have a coreDNS deployment with 0 replicas. (VSTOR-43267)

• Cannot create a security group for load balancers while deploying a Kubernetes cluster. (VSTOR-43204)

• Unable to remove a VM volume in the reserved or attaching state. (VSTOR-43154)

• An OVS bridge is created on a new compute node when the “VM public” traffic type is assigned to its VLAN interface. (VSTOR-43088)

• Prometheus is started on every cluster node. (VSTOR-42712)

• Connectivity checks fail with bond interfaces. (VSTOR-41925)

• A network interface with no IP address can be assigned the “VM backups” traffic type. (VSTOR-40922)

• Proxied requests between certain nodes fail with a timeout. (VSTOR-40334)

• A VMDK image is not converted to the QCOW2 format while uploading in the admin panel. (VSTOR-39535)

• Change the policy for Kubernetes and load balancer virtual machines in the HA mode from anti-affinity to soft anti-affinity. (VSTOR-30671)

• Improvements for management node HA. (VSTOR-43646, VSTOR-43178, VSTOR-42564)

• Update improvements. (VSTOR-43180, VSTOR-38763)

1.3.5 5. Known Issues

• No error is displayed in the self-service panel if the compute cluster does not have enough resources to create a Kubernetes cluster. (VSTOR-43174)

• An error message is not shown after a failed VM live migration. (VSTOR-39553)

• Unable to delete large volume snapshots. (VSTOR-41372)

• An SSD disk is not recognized if it is managed by specific disk controllers. (VSTOR-36155)

• Cannot cancel a file upload in the user interface of an S3 bucket. (VSTOR-22390)

1.3.6 6. Installing the Update

You can upgrade Virtuozzo Hybrid Infrastructure 4.5 to 4.6 in the SETTINGS > UPDATE section. A reboot is required to complete the upgrade. Upgraded nodes will be rebooted automatically, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-029.json.

1.4 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 3 (4.5.1-42)

Issue date: 2021-05-24

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-024

1.4.1 1. Overview

This update provides fixes for the storage and compute services.

1.4.2 2. Bug Fixes

• Load balancer members are not displayed in the self-service panel. (VSTOR-43250)

• A Kubernetes VM’s system disk may be out of space due to Podman logs. (VSTOR-43236)

• Increase a limit for remote console ports. (VSTOR-41499)

• A stability improvement for the storage service. (VSTOR-43393)

1.4.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section. A reboot is not required to complete the upgrade if you are upgrading from build 4.5.0-289. If you have an earlier version, upgraded nodes will be automatically rebooted, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-024.json.

1.5 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 2 (4.5.1-34)

Issue date: 2021-04-19

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-019

1.5.1 1. Overview

This update provides fixes for the admin and self-service panels.

1.5.2 2. Bug Fixes

• Unable to add a network interface to an existing VM in the self-service panel. (VSTOR-42074)

• Added a message about disabling security groups for a VM network interface. (VSTOR-42954)

• A system administrator cannot edit spoofing protection settings for a project in a non-default domain. (VSTOR-42688)

1.5.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section. A reboot is not required to complete the upgrade if you are upgrading from build 4.5.0-289. If you have an earlier version, upgraded nodes will be automatically rebooted, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-019.json.

1.6 Virtuozzo Hybrid Infrastructure 4.5 Update 1 Hotfix 1 (4.5.1-31)

Issue date: 2021-04-08

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-018

1.6.1 1. Overview

This update provides stability fixes for the Backup Gateway, block storage, storage and compute services.

1.6.2 2. Bug Fixes

• Fixes for Gnocchi-related issues after an HA event. (VSTOR-41817, VSTOR-41874)

• Stability and performance improvements. (VSTOR-42372, VSTOR-42297, VSTOR-42009, VSTOR-41982, VSTOR-41706, VSTOR-40814)

1.6.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to complete the upgrade if you are upgrading from the build 4.5.0-289. If you have an earlier version, upgraded nodes will be automatically rebooted, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-018.json.

1.7 Virtuozzo Hybrid Infrastructure 4.5 Update 1 (4.5.1-23)

Issue date: 2021-03-24

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-016

1.7.1 1. Overview

This update provides a new feature, as well as bug fixes and improvements.

1.7.2 2. New Features

• Extended the cipher configuration possibilities for Backup Gateway. (VSTOR-38415)

1.7.3 3. Bug Fixes

• Forcing an update may fail after the first attempt due to the already updated certificate management layout. (VSTOR-41271)

• Fixed IQN validation. (VSTOR-41577)

• The object storage services may not work in the SPLIT state. (VSTOR-41403)

• Increased the number of VNC ports per node from 100 to 180. (VSTOR-41204)

• Fixed the Backup Gateway re-registration procedure. (VSTOR-41047)

• Incorrect ownership of the Gnocchi directory. (VSTOR-40983)

• Non-standard characters in a file name may lead to problems with Backup Gateway data stored in Azure. (VSTOR-39824)

• Stability and performance improvements. (VSTOR-41578, VSTOR-41112, VSTOR-40914, VSTOR-41758, VSTOR-41661, VSTOR-41615, VSTOR-41482, VSTOR-41421, VSTOR-41104)

1.7.4 4. Installing the Update

You can install the update in the SETTINGS > UPDATE section. A reboot is not required to complete the upgrade if you are upgrading from the build 4.5.0-289. If you have an earlier version, upgraded nodes will be automatically rebooted, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-016.json.

1.8 Virtuozzo Hybrid Infrastructure 4.5 Hotfix 1 (4.5.0-289)

Issue date: 2021-03-09

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-013

1.8.1 1. Overview

This update provides stability fixes for storage services.

1.8.2 2. Bug Fixes

• Detaching a LUN from an SCST target may lead to soft lockup under certain circumstances. (VSTOR-41460)

• Stability improvements for the storage service. (VSTOR-41301, VSTOR-41172, VSTOR-41272)

1.8.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-013.json.

1.9 Virtuozzo Hybrid Infrastructure 4.5 (4.5.0-284)

Issue date: 2021-02-15

Applies to: Virtuozzo Hybrid Infrastructure 4.5

Virtuozzo Advisory ID: VZA-2021-007

1.9.1 1. Overview

In this release, Virtuozzo Hybrid Infrastructure provides a wide range of new features that enhance the end-user experience and service providers’ interoperability. The improvements cover compute services, networking, storage core, monitoring, and the administrative user interface. Additionally, this release delivers stability improvements and addresses the issues found in previous releases.

1.9.2 2. New Features

• [Compute] Allowing domain administrators to manage projects. Domain administrators can now manage projects within the assigned domain. With this permission, domain administrators can perform operations with projects by using the OpenStack command-line tool.

• [Compute] Support for Kubernetes version 1.18. Kubernetes version 1.15 is no longer available in the self-service panel. Now, all management operations with Kubernetes clusters are supported for version 1.18.

• [Compute] Volume size statistics per storage policy. Usage statistics for volumes can be aggregated per storage policy.

• [Compute] Memory overcommitment. RAM overcommitment enables provisioning virtual machines with more RAM than the amount of physical RAM available on all compute nodes. The RAM overcommitment ratio is set for the entire compute cluster. This feature improves compute cluster efficiency for hybrid cloud disaster recovery.

• [Compute] Persistent SSL certificate. A custom SSL certificate used for secure communication with a highly available cluster will not be overwritten after changing the high availability configuration.

• [Compute] New balancing protocol for load balancers. Added support for the UDP protocol for load balancers in the self-service panel.

• [Compute] Security groups support. Cloud administrators can control incoming and outgoing traffic to virtual machines by assigning virtual machines to security groups. A security group is a set of firewall rules that are applied to virtual network adapters.

• [Networking] Inbound firewall rules for nodes. Cluster administrators are now able to filter incoming traffic on cluster nodes by using fully customizable access rules. Configuring inbound firewall rules helps prevent access from untrusted sources to the cluster. The rules applied on a specific network or traffic type can limit incoming traffic from single IP addresses and subnet ranges.

• [Storage core] Fencing of slow and pre-failed storage disks. Storage disks with low performance are now automatically detected and marked as slow. Slow disks are fenced from the cluster I/O, to avoid degrading cluster performance. After receiving an alert, cluster administrators can troubleshoot the hardware problem or replace the slow disk before its failure.

• [Monitoring and alerting] Fine-grained logging for virtual machines. Added more details to the system log. Now, it contains full log messages and audit log entries of operations with virtual machines.

• [UI] Node status online detection. Improved the internal mechanism to determine node availability. Nodes are now displayed in the admin panel in their current state without any delay. When a node status changes, an alert is generated and stored in the alert log.

• [Other enhancements] Worker groups support for Kubernetes clusters. Added Kubernetes worker groups that enable creating multiple worker nodes with a different number of CPUs and amount of RAM for a single Kubernetes cluster. Workers with different flavors help meet system requirements of applications running in Kubernetes clusters.

1.9.3 3. Important Notes

• Kubernetes version 1.15 will be deprecated in future releases. Use the currently supported version 1.18 to plan your containerized environments.

• Fibre Channel bus adapters are no longer supported. We are discontinuing support of Fibre Channel as an option while creating iSCSI target groups.

• Legacy iSCSI targets (created in 2.4 and earlier versions) are deprecated. We are discontinuing support for TGTD-based iSCSI targets. Such targets are marked in the admin panel as legacy because they do not support the ALUA mode and their LUNs are not highly available. To enable high availability for them, detach a volume from an older target group and attach it to a newly created one.

• Erasure coding redundancy change. Changing the redundancy scheme is only possible for backup storage. If you have ever changed the encoding scheme for your backup storage cluster with the help of the technical support team, re-apply your redundancy settings in version 4.5 to ensure that all data was encoded.

1.9.4 4. Bug Fixes

• [Updates] Failed to complete an upgrade from version 3.5.5 due to an unsafe PostgreSQL restart. (VSTOR-39354)

• [Updates] A software update task may block the recovery of other tasks. (VSTOR-39344)

• [Updates] Validation fails while upgrading a high availability cluster from version 4.0.0-734. (VSTOR-37858)

• [Compute service] Fixed an issue when the load balancer service runs using a WSGI application. (VSTOR-37514)

• [Compute service] Failed to convert a VMDK image to the QCOW2 format while uploading via the admin panel. (VSTOR-39535)

• [Compute service] The load balancer service uses public endpoints instead of the internal ones. (VSTOR-37396)

• [Compute service] noVNC 1.1.0 does not provide a token in a request to websockify. (VSTOR-37855)

• [Compute service] The networking service crashed unexpectedly because the libvirt domain was running on a wrong node. (VSTOR-40363)

• [Compute service] The billing metering service upgrade fails if ‘gnocchi-storage-config’ is empty. (VSTOR-38060)

• [Compute service] PostgreSQL fails when the root partition has insufficient free space. (VSTOR-37898)

• [Compute service] Due to stale allocations, resource providers cannot be deleted. (VSTOR-37844)

• [Compute service] The billing metering service creates a large number of small files on the storage, thus affecting the MDS performance. (VSTOR-39003)

• [Compute service] The orchestration service uses a public keystone endpoint for internal communications. (VSTOR-37793)

• [Compute service] Trial license keys for six months and one year are reported as invalid. (VSTOR-37289)

• [Compute service] The number of subscriptions in the Redis server may become too large. (VSTOR-37487)

• [Compute service] The compute creation wizard does not check availability for load balancer and Kubernetes repositories. (VSTOR-33894)

• [Compute service] Load balancer creation fails if a VM without an IP address is added to the member list. (VSTOR-39489)

• [Compute service] The block storage service stops sending lock heartbeats after any connection issue. (VSTOR-37608)

• [Compute service] Cannot change the IP configuration of OVS bridge interfaces. (VSTOR-37399)

• [User interface] Impossible to resize more columns in the table components. (VSTOR-31985)

• [User interface] The management node does not return a clear backup status if high availability is enabled. (VSTOR-32254)

• [Installer] In the installation wizard, it is not possible to turn on the network time if it was turned off on the previous step. (VSTOR-30581)

• [Monitoring and alerting] During detection of node availability, an incorrect schedule interval is used to calculate the expiration date. (VSTOR-33502)

1.9.5 5. Known Issues

• The deployment of compute add-on services fails due to unset environment variables. (VSTOR-30850)

• A Kubernetes cluster cannot be created on a physical network without DHCP. (VSTOR-38799)

• The built-in keystone authorization does not work in Kubernetes. (VSTOR-32458)

• The soft anti-affinity policy for Kubernetes and load balancer VMs is used in the high availability mode. (VSTOR-30671)

• A placement cannot be selected after VM creation. (VSTOR-40292)

• An unclear error message is shown in the admin panel during compute cluster creation. (VSTOR-33893)

• No error message is shown when a live migration fails. (VSTOR-39553)

• An SSD disk is not recognized if it is managed by specific disk controllers. (VSTOR-36155)

• An automatic update during node installation can break checking for updates. (VSTOR-38763)

• An SNMP trap is not sent when a network interface is down. (VSTOR-32192)

1.9.6 6. Installing the Update

You can upgrade Virtuozzo Hybrid Infrastructure 4.0 to 4.5 in the SETTINGS > UPDATE section. A reboot is required to complete the upgrade. Upgraded nodes will be rebooted automatically, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-007.json.

1.10 [Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Infrastructure 4.0 Update 1.2 (4.0.1-49)

Issue date: 2020-02-03

Applies to: Virtuozzo Hybrid Infrastructure 4.0

Virtuozzo Advisory ID: VZA-2021-005

1.10.1 1. Overview

This update provides a security fix.

1.10.2 2. Bug Fixes

• Fix for a vulnerability in sudo known as CVE-2021-3156. (VSTOR-40614)

1.10.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-005.json.

1.11 Virtuozzo Hybrid Infrastructure 4.0 Update 1.1 (4.0.1-48)

Issue date: 2020-01-27

Applies to: Virtuozzo Hybrid Infrastructure 4.0

Virtuozzo Advisory ID: VZA-2021-003

1.11.1 1. Overview

This update provides fixes for the Backup Gateway and compute services.

1.11.2 2. Bug Fixes

• A stability fix for Backup Gateway. (VSTOR-39857)

• Fix incorrect MTU on a flat network when different MTUs are set on interfaces in the same network. (VSTOR-38770)

• Fix data collection after a graceful reboot of the current management node. (VSTOR-40118)

• Fix a compute networking issue when a floating IP gateway port has a public IP address. (VSTOR-40256)

1.11.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-003.json.

1.12 Product update: Virtuozzo Hybrid Infrastructure 4.0 Update 1

Issue date: 2020-12-17

Applies to: Virtuozzo Hybrid Infrastructure 4.0

Virtuozzo Advisory ID: VZA-2020-073

1.12.1 1. Overview

This update provides a new feature, as well as bug fixes and improvements.

1.12.2 2. New Features

• Network QoS policies support. (VSTOR-34627)

1.12.3 3. Bug Fixes

• A non-admin user is unable to create volumes from the command line. (VSTOR-38583)

• Enabled geo-replication on Backup Gateway with an S3 backend may result in a deadlock. (VSTOR-38785)

• The database replication alert is not cleared after the problem is gone. (VSTOR-38458)

• Cannot create a load balancer with an IP address from the allocation pool. (VSTOR-38330)

• Dashboards have empty data if an S3 node is offline. (VSTOR-38281)

• Setting a DNS name for the compute API may not work if the compute cluster was deployed on an older version of the product. (VSTOR-38242)

• Geo-replication stopped working unexpectedly. (VSTOR-38233)

• Unable to update to version 4.0 if a network with the “VM public” traffic type is not accessible from cluster nodes. (VSTOR-38217)

• A retry of the last node update to version 4.0 fails with the error: “Missing 1 required positional argument: ‘resume_required’”. (VSTOR-38091)

• A retry of an update to version 4.0 fails with the error: “NoneType object is not iterable.” (VSTOR-38016)

• A floating IP is not reachable when multiple routers are used for one network. (VSTOR-38006)

• A project list is not shown on the “Edit network access” screen in the Firefox browser. (VSTOR-37964)

• A remote console does not work if requested directly by using the Openstack commands. (VSTOR-36520)

• After a failed attempt to remove an old snapshot, the VM storage size is shown as zero and the VM is marked as failed in the admin panel. (VSTOR-37728)

• Open vSwitch bridge interfaces cannot be edited or deleted, even if they are no longer used in compute networking. (VSTOR-37632)

• After trying to manage load balancers via the admin panel or vinfra, the “Gateway Timeout” error appears due to stuck or long previous requests. (VSTOR-37619)

• The admin panel does not accept a license with an unlimited expiration date. (VSTOR-37436)

1.12.4 4. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-073.json.

1.13 Product release: Virtuozzo Hybrid Infrastructure 4.0 Hotfix 1 (4.0.0-741)

Issue date: 2020-11-05

Applies to: Virtuozzo Hybrid Infrastructure 4.0

Virtuozzo Advisory ID: VZA-2020-065

1.13.1 1. Overview

This update provides bug fixes and improvements.

1.13.2 2. Bug Fixes

• The stat command may report a wrong size for files with erasure coding. (VSTOR-38028)

• Editing an NFS export could set a wrong SecType and prevent the export from being mounted. (VSTOR-37868)

• Stability improvements for the storage service. (VSTOR-38102, VSTOR-37639, VSTOR-37478)

1.13.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-065.json.

1.14 Product release: Virtuozzo Hybrid Infrastructure 4.0 (4.0.0-734)

Issue date: 2020-10-06

Applies to: Virtuozzo Hybrid Infrastructure 4.0

Virtuozzo Advisory ID: VZA-2020-063

1.14.1 1. Overview

In this release, Virtuozzo Hybrid Infrastructure provides a wide range of new features that enhance the end-user experience and service providers’ interoperability. The improvements cover networking, storage core, appliance, object storage, monitoring, performance charts, and localization. Additionally, this release delivers stability improvements and addresses the issues found in previous releases.

1.14.2 2. New Features

• [Compute] Rescue mode for virtual machines. Rescue mode provides a mechanism to access the virtual machine’s boot volume in case the virtual machine experiences boot problems.

• [Compute] Distributed virtual router. The virtual routing architecture has been changed from centric to distributed (across all compute nodes).

• [Compute] QoS policies for virtual machine volumes. The storage policy has been extended with additional parameters that define the IOPS and bandwidth limits of virtual machine volumes.

• [Compute] Paging for compute and common objects in the admin panel. Improved the admin panel performance for large numbers of virtual machines.

• [Compute] VLAN-based network management for virtual machines. Simplified the creation of VLAN-based networks for virtual machines.

• [Compute] More supported guest operating systems. Added support for Debian 10, CentOS 8, and Ubuntu 20.04.x.

• [Integration] CloudBlue Connect. Service providers can now integrate with the CloudBlue Connect billing and provisioning system. Integration supports both the flat and pay-as-you-go billing models.

• [Networking] Exclusive traffic type reassignment and cluster IP address change. It is now possible to change the configuration of exclusive traffic types or IP addresses in the cluster. This is needed when the node IP address has changed but the network topology remains the same, or if the network subnet has changed. It is also possible now to reassign a service traffic type when a customer wants to relocate a service to another network (for example, move the “Storage” traffic type to a dedicated network).

• [Core storage] Node locations as failure domains. A failure domain defines a scope (a location) within which services may go down together. Now nodes can be assigned to specific locations: rooms, rows, and racks. Locations provide redundancy among failure domains. This gives service providers an additional, flexible way to utilize the available hardware more efficiently while delivering high availability.

• [Core storage] Improved latency and performance. Kernel and networking optimizations.

    • Erasure coding is now available for running virtual machines.

    • Erasure coding self-healing now has less impact on performance.

    • The storage networking subsystem has been improved for lower I/O latencies and CPU consumption.

    • RDMA performance and stability have been improved. RDMA is now a production-ready feature.

• [Object storage] S3 geo-replication improvements.

    • Improved security for geo-replication (bucket ACLs).

    • User-level and bucket-level customization of S3 geo-replication.

• [Object storage] S3 bucket access log. Now the records of requests to a bucket can be provided and stored in another bucket. In addition, end users can now enable the access log via Amazon S3 API and get detailed information about the objects in their buckets.

• [Monitoring and alerting] A dashboard for S3 performance and statistics charts. You can now monitor:

    • Services, including S3 GW, NS, OS services availability, rate of operational requests, bandwidth, as well as GET and PUT latencies.

    • Geo-replication, including service availability, error rates, replication backlog, queue depth, and bandwidth.

• [Monitoring and alerting] Dashboard for performance and statistics charts for NFS. You can now monitor the availability of NFS servers and services, usage, shares, exports, latency, IOPS, and bandwidth.

• [Localization] Chinese localization for the admin panel and documentation.

• [Localization] Japanese localization for the admin panel and documentation.

• [Other enhancements] Disabled pNFS. pNFS is now disabled by default and cannot be enabled for any forthcoming use cases.

1.14.3 3. Bug Fixes

• [Compute networking] After virtual router creation, the internal IP address goes down. (VSTOR-33859)

• [Compute service] The docker service has no log rotation. (VSTOR-32173)

• [Compute service] Floating IPs and virtual routers are not available after removing nodes from the compute cluster. (VSTOR-30506)

• [Compute service] The dashboard service may get stuck in a restart loop. (VSTOR-32120)

• [Compute service] Storage space usage in a project is calculated incorrectly for volumes with snapshots after their storage policy has been changed. (VSTOR-34054)

• [Compute service] Kubernetes cluster creation hangs if it cannot access the public Docker hub. (VSTOR-32238)

• [Compute service] The noVNC console sends duplicate keystrokes to Windows virtual machines. (VSTOR-30975)

• [Compute service] Unable to remove a load balancer while in the “deployment_failed” state. (VSTOR-35034)

• [Compute service] Cannot deploy the compute cluster after reassigning the “Internal management” traffic type. (VSTOR-33202)

• [Compute service] Load balancers are in the “error” state after the update to version 3.5.1. (VSTOR-32237)

• [Core storage] The archive server client crashes during reconnection. (VSTOR-33017)

• [Core storage] Links between a frontend chunk object and an internal journal object may be broken. (VSTOR-33577)

• [Core storage] Avoid unnecessary reconfiguration of allocated disks. (VSTOR-31951)

• [Core storage] Storage services deployed on the same disk generate an exception in logs. (VSTOR-32782)

• [Core storage] The same disk can be assigned twice in two parallel bulk assign tasks. (VSTOR-33012)

• [Core storage] After assigning roles to a node disk during the cluster creation and reassigning them afterwards, the node may appear as “Failed.” (VSTOR-30931)

• [Admin panel high availability] An unnoticed failure to replicate the management node database may cause the compute metadata loss. (VSTOR-34723)

• [Backup storage] The Backup Gateway geo-replication command breaks compatibility. (VSTOR-34891)

• [Backup storage] The Backup Gateway utility does not correctly accept a password containing spaces from stdin. (VSTOR-32028)

• [Object storage] Unable to start replication of a bucket with a large number of objects. (VSTOR-27097)

• [Object storage] It is possible to remove the single node with the S3 configuration from the S3 cluster. (VSTOR-30376)

• [Object storage] The NFS remains active and running after the node has been released from an NFS cluster. (VSTOR-30622)

• [Updates] The upgrade from version 2.5 to 3.0 fails due to the installed GeoIP module. (VSTOR-31734)

• [Updates] Failed to download updates due to a newer version on the update server. (VSTOR-35014)

• [Updates] Under certain circumstances, downloading packages may fail. (VSTOR-33446)

• [Updates] After an update with enabled high availability, the admin panel may become unavailable. (VSTOR-26542)

• [Installer] During installation, the specified hostnames are converted to lowercase. (VSTOR-35352)

• [User interface] The problem report location is missing if there is no Internet connection. (VSTOR-34770)

• [User interface] Improve the text for the “Incorrect journaling settings” alert. (VSTOR-34387)

• [User interface] Email notifications sent via SMTP do not contain the cluster name. (VSTOR-32933)

• [User interface] Unable to interpret special symbols in passwords. (VSTOR-30216)

• [User interface] Several services are not configured to restart automatically. (VSTOR-20993)

• [User interface] The old product version is displayed after a successful update. (VSTOR-25662)

• [User interface] License capacity is shown as “Total” in the physical space widget. (VSTOR-27237)

• [User interface] A 25 Gbit network card is reported as a 10 Gbit network card in the admin panel. (VSTOR-9422)

• [User interface] Redis stores superfluous failed task metadata. (VSTOR-36654)

• [User interface] NFS4 is not selected by default in the admin panel. (VSTOR-33809)

• [User interface] Network counters differ in the admin panel and inside a load balancer virtual machine. (VSTOR-32756)

• [User interface] There is no “Security” field validation when saving email settings. (VSTOR-14465)

• [User interface] Check boxes are too bright on very light displays. (VSTOR-6694)

1.14.4 4. Known Issues

• [Core storage] The chunk service fails during a journal resize. (VSTOR-30111)

• [Core storage] Global Catalog in Acronis Cyber Backup does not reclaim the last chunks of RAID6 files. (VSTOR-34465)

• [User interface] The management node does not return a clear backup status if high availability is enabled. (VSTOR-32254)

• [User interface] The admin panel does not update the node status while the backend is busy. (VSTOR-35443)

• [User interface] Placements associated with images are displayed in the virtual machine creation wizard. (VSTOR-35900)

• [Installer] In the installation wizard, it is not possible to turn on the network time if it was turned off on the previous step. (VSTOR-30581)

1.14.5 5. Installing the Update

You can upgrade Virtuozzo Hybrid Infrastructure 3.5 to 4.0 in the SETTINGS > UPDATE section. A reboot is required to complete the upgrade. Upgraded nodes will be rebooted automatically, one at a time. During the reboot, the storage service and the admin panel may be unavailable on cluster configurations without the redundancy of services or data.

IMPORTANT: During the upgrade, custom public endpoints for the OpenStack API that use domain names instead of IP addresses will be replaced with the default values. This can lead to OpenStack API unavailability if these endpoints are used to connect third-party software or to manage the infrastructure. To make the endpoint configuration persistent after the upgrade, follow the instructions in Setting a DNS name for the compute API.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-063.json.

1.15 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 5.1 (3.5.5-41)

Issue date: 2020-10-06

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-062

1.15.1 1. Overview

This update provides bug fixes and improvements.

1.15.2 2. Bug Fixes

• Optimize the schedule of periodic tasks to minimize the number of false-positive “Node is offline” alerts. (VSTOR-36967)

• Under certain circumstances, load balancers may fail to create. (VSTOR-35658)

1.15.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-062.json.

1.16 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 5 (3.5.5-26)

Issue date: 2020-07-23

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-052

1.16.1 1. Overview

This update provides a new feature as well as improvements and bug fixes.

1.16.2 2. New Features

• Support for Ubuntu 20.04 as a guest operating system.

1.16.3 3. Bug Fixes

• After failed VM evacuations, resource allocations are duplicated. (VSTOR-34750)

• An update to a new major release may fail with the error “Updates to multiple product versions are available.” (VSTOR-30767)

• Stability and performance improvements. (VSTOR-35234, VSTOR-35001, VSTOR-34970, VSTOR-34836, VSTOR-34660, VSTOR-34636, VSTOR-34463, VSTOR-34322)

1.16.4 4. Installing the Update

Update 5 becomes available only after Update 4 is installed (Update 4 installation is mandatory and cannot be skipped). You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-052.json.

1.17 Product release: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 3 (3.0.5-72)

Issue date: 2020-06-26

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-047

1.17.1 1. Overview

This update provides a fix for the 3.0 to 3.5 upgrade procedure.

1.17.2 2. Bug Fixes

• Upgrade from version 3.0 to 3.5 may fail in some cases due to the absence of an internal product file. (VSTOR-34105)

1.17.3 3. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the source of this advisory is available at https://docs.virtuozzo.com/vza/VZA-2020-047.json.

1.18 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 4 (3.5.4-24)

Issue date: 2020-06-11

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-041

1.18.1 1. Overview

This update provides a new feature as well as bug fixes and improvements.

1.18.2 2. New Features

• Virtuozzo Infrastructure Platform has been renamed to Virtuozzo Hybrid Infrastructure. The change affects versions 3.5 and newer.

1.18.3 3. Bug Fixes

• Nodes may be shown as offline in the admin panel after releasing a failed CS disk. (VSTOR-33730)

• False positive “Node is offline” alerts may appear. (VSTOR-33712)

• The update from version 3.0 to 3.5 may fail due to incorrect file permissions. (VSTOR-33672)

• With Nagios installed, the update from version 3.0 to 3.5 may fail due to a package conflict. (VSTOR-33634)

• A bond interface in the 802.3ad mode created during the installation does not start after boot. (VSTOR-31645)

• After VM migration, there can be no ARP announcement. (VSTOR-33727)

• Stability and performance improvements. (VSTOR-30676, VSTOR-33824, VSTOR-33775, VSTOR-33774, VSTOR-33756, VSTOR-33525, VSTOR-33471, VSTOR-33257, VSTOR-33236, VSTOR-33151, VSTOR-32992, VSTOR-32969, VSTOR-32968, VSTOR-32332)

1.18.4 4. Installing the Update

You can install the update in the SETTINGS > UPDATE section of the admin panel. A reboot is not required.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-041.json.

1.19 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 3 Hotfix 2 (3.5.3-25)

Issue date: 2020-05-25

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-039

1.19.1 1. Overview

This update provides a stability fix for the metadata service.

1.19.2 2. Bug Fixes

• Unreadable files may be created when using erasure coding during the upgrade from version 3.0 to 3.5. (VSTOR-32856)

1.19.3 3. Installing the Update

The update fixes the upgrade procedure from version 3.0 to 3.5. The issue is mitigated by upgrading to this hotfix. Installing this hotfix on clusters already running version 3.5 has no effect. If your cluster is running version 3.5 and you experience this issue, please contact the technical support.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-039.json.

1.20 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 3 (3.5.3-18)

Issue date: 2020-04-29

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-033

1.20.1 1. Overview

This update provides bug fixes and improvements.

1.20.2 2. Bug Fixes

• Assigning tier 0 to a cache disk has no effect. The disk does not receive the “journal_tier” parameter and can be used by storage disks of other tiers. (VSTOR-33034)

• S3 cluster creation fails with a timeout, because of a wrong DNS resolution from the admin panel. (VSTOR-33032)

• An update fails when a node cannot enter the maintenance mode, because its CS has an incorrect state. (VSTOR-32910)

• A drive is shown as “Failed” after an update to version 3.5.2 in Microsoft Azure. (VSTOR-32867)

• The Kubernetes cluster cannot be deployed if its VM is attached to a network without configured nameservers. (VSTOR-32767)

• The update from version 3.0.5 to 3.5.2 fails with a one-hour timeout. (VSTOR-32451)

• Kubernetes cluster creation fails after choosing a storage policy not added to project quotas. (VSTOR-31845)

• After assigning roles to a node disk during the cluster creation and reassigning them afterwards, the node may appear as “Failed”. (VSTOR-31053)

• Stability and performance improvements. (VSTOR-32517, VSTOR-32433, VSTOR-32423, VSTOR-29406, VSTOR-32970, VSTOR-32997)

1.20.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-033.json.

1.21 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 Hotfix 2 (3.5.2-39)

Issue date: 2020-04-16

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-030

1.21.1 1. Overview

This update provides a stability fix for the metadata service.

1.21.2 2. Bug Fixes

• Unreadable files may be created when using erasure coding during the upgrade from version 3.0 to 3.5. (VSTOR-32856)

1.21.3 3. Installing the Update

The update fixes the upgrade procedure from version 3.0 to 3.5. The issue is mitigated by upgrading to this hotfix. Installing this hotfix on clusters already running version 3.5 has no effect. If your cluster is running version 3.5 and you experience this issue, please contact the technical support.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-030.json.

1.22 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 Hotfix 1 (3.5.2-35)

Issue date: 2020-04-09

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-027

1.22.1 1. Overview

This update provides a stability fix for the metadata service.

1.22.2 2. Bug Fixes

• The metadata service may restart after the upgrade from version 3.0 to 3.5. (VSTOR-30452)

1.22.3 3. Installing the Update

The update fixes the upgrade procedure from version 3.0 to 3.5. The issue is mitigated by upgrading to this hotfix. Installing this hotfix on clusters already running version 3.5 has no effect. If your cluster is running version 3.5 and you experience this issue, please contact the technical support.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-027.json.

1.23 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 2 (3.5.2-34)

Issue date: 2020-03-31

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-022

1.23.1 1. Overview

This update provides new features as well as bug fixes and improvements.

1.23.2 2. New Features

• AMD EPYC CPU support.

• Possibility to customize the self-service panel title.

1.23.3 3. Bug Fixes

• Update from version 3.5.0 to 3.5.1 may get stuck in the “Updating” status. (VSTOR-31884, VSTOR-31885)

• The root partition on Kubernetes master nodes is not resized to the specified volume size. (VSTOR-31860)

• Kubernetes cluster creation may fail with “Failed to download Kubeconfig” error. (VSTOR-31670)

• Unable to update 3.5 clusters in Microsoft Azure (also affects clusters that have little space on the boot partition). (VSTOR-31218)

• Empty graphs after update from version 3.0.5 to 3.5.1. (VSTOR-31204)

• Cannot create a management node backup if tier 0 has no assigned disks. (VSTOR-31023)

• Failed to exit the maintenance mode because the window is blocked by a spinner. (VSTOR-32297)

• Impossible to bring down a bonded interface with a VLAN assigned to it. (VSTOR-31854)

• Wrong timezone of a new Kubernetes cluster. (VSTOR-31786)

• Stability and performance improvements. (VSTOR-31032, VSTOR-31650, VSTOR-31653, VSTOR-31874, VSTOR-32036, VSTOR-32108, VSTOR-32223)

1.23.4 4. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-022.json.

1.24 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 1 Hotfix 1 (3.5.1-45)

Issue date: 2020-03-03

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-018

1.24.1 1. Overview

This update provides an important bug fix for Backup Gateway.

1.24.2 2. Bug Fixes

• Backup Gateway may be unstable. (VSTOR-31604)

1.24.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-018.json.

1.25 Product release: Virtuozzo Hybrid Infrastructure 3.5 Update 1 (3.5.1-43)

Issue date: 2020-02-28

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-017

1.25.1 1. Overview

This update provides a new feature as well as fixes and improvements.

1.25.2 2. New Features

• Localized the admin and self-service panels into Chinese and Japanese.

1.25.3 3. Bug Fixes

• Unable to release node from cluster: ‘Unable to send message to any node in ABGW cluster’. (VSTOR-30003)

• No read/write data on dashboards if multipath is configured. (VSTOR-30135)

• Automatically restart abgw.service after the ‘Promote to primary cluster’ operation. (VSTOR-30179)

• NFS service may be in the ‘INACTIVE’ state. (VSTOR-30353)

• iSCSI LUNs can disconnect for short periods of time. (VSTOR-30459)

• Compute bridge interfaces can be missing after upgrade to version 3.5 from certain builds. (VSTOR-30535)

• yum gets unfinished transactions if docker container cannot be stopped forcibly. (VSTOR-30540)

• Backend may not connect to agent after upgrade to version 3.5 due to incorrect CN in client.crt. (VSTOR-30555)

• vstorage-nfs.service remains active and running after the node has been released from an NFS cluster. (VSTOR-30622)

• Unable to create a VM with a specified static IP on a public interface from the self-service panel. (VSTOR-31026)

• No reason for VM build failure shown if fixed IP address is already in use. (VSTOR-31088)

• Logging in to S3 console can fail with a ‘Network failure’ error when connecting via HTTP instead of HTTPS. (VSTOR-32214)

• Stability and performance improvements. (VSTOR-17040, VSTOR-27200, VSTOR-27947, VSTOR-27947, VSTOR-28109, VSTOR-28109, VSTOR-29108, VSTOR-29359, VSTOR-29392, VSTOR-29393, VSTOR-29745, VSTOR-29841, VSTOR-29888, VSTOR-29924, VSTOR-29938, VSTOR-29952, VSTOR-29973, VSTOR-29988, VSTOR-29995, VSTOR-30083, VSTOR-30104, VSTOR-30106, VSTOR-30549, VSTOR-30575, VSTOR-30599, VSTOR-30887)

1.25.4 4. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-017.json.

1.26 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 2 (3.0.5-69)

Issue date: 2020-02-21

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-016

1.26.1 1. Overview

This update enables upgrade to Virtuozzo Infrastructure Platform 3.5 and provides important system fixes.

1.26.2 2. Bug Fixes

• Several stability and performance improvements. (TTASK-31595, VSTOR-30463, VSTOR-30887)

1.26.3 3. Installing the Update

Update 5 will become available only after Update 4 is installed (Update 4 installation is mandatory and cannot be skipped). You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update. To get the update if you already have a previous Update 5 build installed, either wait up to a day until the next periodic check for updates or trigger the check manually with the ‘vinfra software-updates check-for-updates --wait’ command.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-015.json.

1.27 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 Hotfix 1 (3.0.5-64)

Issue date: 2020-01-29

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-009

1.27.1 1. Overview

This update provides stability fixes for the upgrade procedure to version 3.5.

1.27.2 2. Bug Fixes

• ‘Service disabled’ error after updating to version 3.5 under certain circumstances if management high availability is configured. (VSTOR-30561)

1.27.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-009.json.

1.28 Product update: Virtuozzo Hybrid Infrastructure 3.5 Hotfix 1 (3.5.0-812)

Issue date: 2020-01-28

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-008

1.28.1 1. Overview

This update provides stability fixes for the upgrade procedure.

1.28.2 2. Bug Fixes

• MDS could crash after the upgrade to version 3.5. (VSTOR-30463)

• Nodes could be marked as offline in the admin panel after a failed upgrade. (VSTOR-30541)

1.28.3 3. Installing the Update

You can update Virtuozzo Hybrid Infrastructure in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-008.json.

1.29 Product release: Virtuozzo Hybrid Infrastructure 3.5 (formerly Virtuozzo Infrastructure Platform 3.5)

Issue date: 2020-01-22

Applies to: Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-005

1.29.1 1. Overview

In this release, Virtuozzo Hybrid Infrastructure offers a wide range of new features that enhance the experience of users working with compute and software-defined networking functionalities. Additionally, the update delivers stability improvements and addresses bugs found in previous releases.

1.29.2 2. New Features

• Kubernetes as a service. With Kubernetes as a service, end users can easily deploy ready-to-use Kubernetes clusters with pre-integrated persistent storage and load balancing for their containerized applications in production. This feature is available in the self-service panel.

• Load balancing as a service. Load balancing as a service simplifies and automates load balancer deployment in highly available high-load cloud infrastructures. Load balancing is also enabled automatically for Kubernetes as a service. This feature is available in the self-service panel.

• VM placement rules. Placements allow administrators to group compute nodes by traits and place virtual machines on required nodes. Placements are offered as an additional service to end users in the self-service panel. There are several use cases when this feature is essential:

  • Efficient per-host licensing management (Windows Server or SQL Server licensing).

  • Placing VMs according to hardware features they require.

  • Placing tenants on dedicated nodes.

• Maintenance mode. Enables field technicians to perform maintenance operations on physical nodes while keeping workloads online. When a node enters the maintenance mode, the platform attempts to migrate running workloads to other nodes with available resources.

• Non-disruptive rolling updates. Cluster updates or upgrades that require node reboots can now be performed without workload downtime.

• Automatic storage role assignment for replacement disks. It is now possible to automatically assign the storage role to replacement disks. When an administrator replaces a storage drive, it is formatted, assigned the storage role, and added to the cluster. This feature is disabled by default.

• Other enhancements:

  • New erasure coding schemas for small clusters: 1+1 and 3+1. They offer redundancy against the failure of a single node.

  • Compute resources usage metering per project.

  • Grafana performance and statistics charts for the block storage service.

  • Signature Version 4 support by the S3 service.

  • Object locking API support by the S3 service.

  • Signed URLs support by the S3 service.

  • vinfra commands for the Backup Gateway service.

  • Support for migration from VMware with virt-v2v.

  • Backup Gateway presets for Cloudian and Wasabi.

  • User interface localized into German, Brazilian Portuguese, and Spanish.

1.29.3 3. Bug Fixes

• [Core Storage] Storage cluster names must not exceed 50 characters. (VSTOR-17902)

• [Core Storage] Improved RAM consumption and for nodes with more than 100 drives. (VSTOR-23586)

• [Block Storage] The Active/Optimized path is normally chosen by the initiator (Explicit ALUA). If the initiator cannot do so (either does not support it or times out), the path is chosen by the storage itself (Implicit ALUA). (VSTOR-25145)

• [Compute Service] No information shown in Overview while a node is being added to an existing compute cluster. (VSTOR-15978)

• [Compute Networking] It is now possible to create bond and VLAN connections on network interfaces with the “VM public” traffic type. (VSTOR-6664)

• [High Availability for the Admin Panel] In some cases, a node could be treated as offline for a while after the HA cluster had been created. (VSTOR-16823)

• [High Availability for the Admin Panel] It is impossible to add a node to the HA cluster if one of the nodes included in HA cluster is offline. (VSTOR-10950, VSTOR-16716, VSTOR-17690)

• [High Availability for the Admin Panel] Improved retention policy for admin panel backups: one per day for the last week, one per week for the last 45 days. (VSTOR-26560)

• [High Availability for the Admin Panel] Improved management node HA for a faster reaction to disasters. (VSTOR-21012)

• [High Availability for the Admin Panel] Other high availability improvements. (VSTOR-10950, VSTOR-16716, VSTOR-17690, VSTOR-18730, VSTOR-21170)

• [Monitoring and Alerting] Physical space on the storage dashboard and compute overview might differ, because the compute overview also takes into account licensed space. (VSTOR-17297)

• [Networking] Networks renamed to a predefined network name (e.g., “Private” or “Public”) cannot be renamed again. (VSTOR-20281)

• [Networking] The maximum transmission unit (MTU) value set for network bonds cannot be modified from the admin panel. (VSTOR-22388)

• [Networking] DHCP settings do not apply to virtual machine’s second interface. (VSTOR-25575)

• [Object Storage] Support multiple object deletion in the S3 service. (VSTOR-27176)

• [Updates] Monitoring of storage services may get stuck in some cases during the update. (VSTOR-26431)

• [User Interface] Used space on software RAID volumes is incorrectly reported in the admin panel. (VSTOR-23861)

• [User Interface] ED25519 SSH keys are not supported. (VSTOR-26405)

• [User Interface] Trusted S3 self-signed certificate does not work for specified domain names but only for subdomains. (VSTOR-23790)

1.29.4 4. Known Issues

• [Compute Service] There is no “crashed” state for virtual machines in the admin panel. Such VMs are displayed as “Paused” in CLI and as “ACTIVE” in the admin panel. (VSTOR-18054)

• [Compute Service] When two nodes are powered off at once, VMs from the second node are not evacuated. (VSTOR-21316)

• [Compute Service] [VM] Shelve: There is no message about insufficient resources when the user clicks “Unshelve”. (VSTOR-20652)

• [Core Storage] Unable to release a disk with the role “MDS+cache” even if there is another disk with the same role on the same node. You need to release and re-join the node to free the unnecessary “MDS+cache” disk. (VSTOR-11567)

• [Monitoring and Alerting] Cannot reset zoom on disk performance charts. (VSTOR-13622)

• [Object Storage] The ostor-s3-admin list-all-buckets command reports wrong bucket sizes. (VSTOR-27096)

• [User Interface] Unable to hide the progress bar window while uploading an ISO image to VM images. (VSTOR-19970)

• [User Interface] Admin panel shows wrong statistics for the logical space used by VMs. (VSTOR-19699)

• [Virtual Machine Migration] There is no ‘Cancel migration’ operation when migrating virtual machines in the user interface and ‘vinfra’ command line interface. (VSTOR-19733, VSTOR-14487)

• [Virtual Machine Migration] No error thrown on a failed attempt to migrate a VM. (VSTOR-18053)

1.29.5 5. Obtaining the Release

You can upgrade Virtuozzo Infrastructure Platform 3.0 to Virtuozzo Hybrid Infrastructure 3.5 in the SETTINGS > UPDATE section. A reboot is required to complete the upgrade. Upgraded nodes will be rebooted automatically, one at a time. During the reboot, the storage service and the admin panel might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-005.json.

1.30 Product update: Virtuozzo Infrastructure Platform 3.0 Update 5 (3.0.5-62)

Issue date: 2020-01-22

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-004

1.30.1 1. Overview

This update enables upgrade to Virtuozzo Infrastructure Platform 3.5 and provides important system fixes.

1.30.2 2. Bug Fixes

• Several stability and performance improvements. (VSTOR-28132, VSTOR-29361)

1.30.3 3. Installing the Update

Update 5 will become available only after Update 4 is installed (Update 4 installation is mandatory and cannot be skipped). You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-004.json.

1.31 Product update: Virtuozzo Infrastructure Platform 3.0 Update 4 (3.0.4-63)

Issue date: 2019-11-21

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-087

1.31.1 1. Overview

This update provides bug fixes and improvements.

1.31.2 2. Bug Fixes

• [Update] Storage config files could be overwritten during the update. (VSTOR-26618, VSTOR-27446)

• [Storage] CS removal could get stuck in the “failed release” state. (VSTOR-26621)

• [S3] Could not delete big files on slow S3 storage. (VSTOR-26764, VSTOR-26832)

• [WebCP] Disks could temporarily get the “failed” status in the admin panel. (VSTOR-26922)

• [WebCP] Could not destroy the high availability cluster from the admin panel as a regular administrator. The default superadmin could still do it. (VSTOR-27077)

• [iSCSI] ESXi could mark iSCSI connection OFFLINE and reconnect to target infinitely. (VSTOR-27956)

• Stability and performance improvements. (VSTOR-26811, VSTOR-26998, VSTOR-27045, VSTOR-27062, VSTOR-27456, VSTOR-27507, VSTOR-27558, VSTOR-27575)

1.31.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-087.json.

1.32 Product update: Virtuozzo Infrastructure Platform 3.0 Update 3.1 (3.0.3-27)

Issue date: 2019-10-21

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-083

1.32.1 1. Overview

This update provides a stability fix.

1.32.2 2. Bug Fixes

• [ABGW] Fixes ABGW context leak. (VSTOR-27309)

1.32.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-083.json.

1.33 Product update: Virtuozzo Infrastructure Platform 2.5 Update 12 (2.5.0-1703)

Issue date: 2019-10-16

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-082

1.33.1 1. Overview

This update provides upgrade procedure improvements.

1.33.2 2. Bug Fixes

• Upgrade procedure improvements. (VSTOR-26450, VSTOR-26658, VSTOR-27059, VSTOR-27094, VSTOR-27154)

1.33.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-082.json.

1.34 Product update: Virtuozzo Infrastructure Platform 3.0 Update 3 (3.0.3-16)

Issue date: 2019-09-27

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-075

1.34.1 1. Overview

This update provides fixes and improvements.

1.34.2 2. Bug Fixes

• [SNMP] snmpd.conf should not be replaced after the update. (VSTOR-25522)

• [S3] Uploading a binary file could fail in some cases. (VSTOR-25600)

• [WebCP] Added support for ED25519 SSH keys. (VSTOR-26405)

• [Compute] Image registry could be outdated on some nodes in the high availability cluster. (VSTOR-26407)

• Stability and performance improvements. (VSTOR-25008, VSTOR-25237, VSTOR-25425, VSTOR-25441, VSTOR-25795, VSTOR-26471, VSTOR-26497, VSTOR-26290, VSTOR-26535)

1.34.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-075.json.

1.35 Product update: Virtuozzo Infrastructure Platform 2.5 Update 11 (2.5.0-1694)

Issue date: 2019-09-03

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-072

1.35.1 1. Overview

This update provides an improvement for the iSCSI upgrade procedure.

1.35.2 2. Bug Fixes

• [Upgrade] Improvement in the iSCSI upgrade procedure. (VSTOR-26254)

1.35.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-072.json.

1.36 Product update: Virtuozzo Infrastructure Platform 3.0 Update 2 (3.0.2-46)

Issue date: 2019-09-03

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-071

1.36.1 1. Overview

This update provides a new feature as well as fixes and improvements.

1.36.2 2. New Features

• Localized the admin and self-service panels into Spanish, Portuguese and German.

1.36.3 3. Bug Fixes

• [Update] Decreased the free space required on the “/boot” partition from 200 MB to 150 MB. (VSTOR-26019)

• [Admin panel] Management node backup would fail if anaconda-ks.cfg was missing. (VSTOR-26041)

• Stability and performance improvements. (VSTOR-22134, VSTOR-25246, VSTOR-25553, VSTOR-25638, VSTOR-25684, VSTOR-25847, VSTOR-25885, VSTOR-26203, VSTOR-26211)

1.36.4 4. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-071.json.

1.37 Product update: Virtuozzo Infrastructure Platform 2.5 Update 10 (2.5.0-1691)

Issue date: 2019-08-28

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-070

1.37.1 1. Overview

This update provides fixes and improvements.

1.37.2 2. Bug Fixes

• [Upgrade] Improvements in iSCSI targets migration during upgrade. (VSTOR-22386, VSTOR-24775, VSTOR-25752)

• [Upgrade] Improved upgrade speed. (VSTOR-25072)

• [Upgrade] Unable to download upgrade as a user with the Administrator role (the default superadmin is not affected). (VSTOR-25784)

• [Upgrade] Added eligibility check for free space on boot and root partitions. (VSTOR-26018)

• [ABGW] ABGW could stop servicing connections even though it was running. (VSTOR-23107)

• [ABGW, Storage] Increased response timeout for MDS connections. (VSTOR-24831)

1.37.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-070.json.

1.38 Product update: Virtuozzo Infrastructure Platform 3.0 Update 1.1 (3.0.1-59)

Issue date: 2019-08-09

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-062

1.38.1 1. Overview

This update provides stability fixes.

1.38.2 2. Bug Fixes

• [ABGW] Acronis Backup Gateway could reject Acronis Backup Advanced certificates. (VSTOR-25491)

• [S3] NS services could fail to start. (VSTOR-25625)

1.38.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-062.json.

1.39 Product update: Virtuozzo Infrastructure Platform 3.0 Update 1 (3.0.1-55)

Issue date: 2019-07-31

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-061

1.39.1 1. Overview

This update provides a new feature as well as stability and usability fixes.

1.39.2 2. New Features

• Metering for compute resources per domain/project.

1.39.3 3. Bug Fixes

• Wrong details were reported for software RAID partitions. (VSTOR-23861)

• Log rotation could lead to agent restart. (VSTOR-24687)

• Network configuration was not rolled back after bond creation failure. (VSTOR-24814)

• Compute SSL certificate was not changed after enabling HA. (VSTOR-24917)

• Using snmpwalk on VSTORAGE-MIB objects could result in error “No Such Object available.” (VSTOR-25286)

• Stability and performance improvements. (VSTOR-18431, VSTOR-19269, VSTOR-20126, VSTOR-21378, VSTOR-22219, VSTOR-23219, VSTOR-23477, VSTOR-23598, VSTOR-23599, VSTOR-23614, VSTOR-23796, VSTOR-23796, VSTOR-23797, VSTOR-24258, VSTOR-24306, VSTOR-24383, VSTOR-24532, VSTOR-24548, VSTOR-24575, VSTOR-24575, VSTOR-24598, VSTOR-24682, VSTOR-24713, VSTOR-24741, VSTOR-24745, VSTOR-24781, VSTOR-24783, VSTOR-24814, VSTOR-24831, VSTOR-24861, VSTOR-24873, VSTOR-24889, VSTOR-24904, VSTOR-24909, VSTOR-24911, VSTOR-24943, VSTOR-24973, VSTOR-25010, VSTOR-25075, VSTOR-25197, VSTOR-25239, VSTOR-25267, VSTOR-25267)

1.39.4 4. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update if your cluster is running iSCSI services. Updated nodes need to be rebooted manually, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-061.json.

1.40 Product update: Virtuozzo Infrastructure Platform 2.5 Update 9 (2.5.0-1682)

Issue date: 2019-07-11

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-056

1.40.1 1. Overview

This update introduces a stability fix.

1.40.2 2. Bug Fixes

• UI could remain locked if an update from previous versions of Virtuozzo Infrastructure Platform 2.5 failed. (VSTOR-24786)

1.40.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-056.json.

1.41 Product release: Virtuozzo Infrastructure Platform 3.0

Issue date: 2019-07-02

Applies to: Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-055

1.41.1 1. Overview

In this release, Virtuozzo Infrastructure Platform offers a wide range of new features that enhance the experience of users working with compute virtualization and software-defined networking functionalities. Additionally, the update delivers stability improvements and addresses bugs found in previous releases.

1.41.2 2. New Features

• [Compute Virtualization] Self-service panel. A separate, completely customizable interface allows end customers to manage their own compute resources.

• [Compute Virtualization] Tenant management. Service providers can now manage the projects and resource quotas of their end customers in the admin panel. Quotas for the following resources are supported: vCPUs, RAM, storage for volumes and snapshots (per storage policy), floating IP addresses.

• [Compute Virtualization] Application-consistent snapshots. Ability to create snapshots of virtual machine volumes compatible with Linux and Windows deployments.

• [Compute Virtualization] Virtual routers. Service providers can now configure flexible virtual networking environments. Includes support for virtual routers, Source Network Address Translation (SNAT) and static routing.

• [Compute Virtualization] Floating IP addresses. Self-service panel users can now expose their virtual machines on public networks.

• [Compute Virtualization] SSH keys. Self-service panel users can now enable secure access to their virtual machines.

• [Compute Virtualization] High availability for virtual machines. Automatic workload restoration in case of node failure.

• [Compute Virtualization] Initial customization of virtual machines. Initial guest OS customization with cloud-init scripts is now available when creating virtual machines.

• [Compute Virtualization] More guest operating systems. Added support for Microsoft Windows Server 2019 and Enterprise Linux 8.

• [Compute Virtualization] Advanced memory management. Improved performance thanks to dynamic balancing of virtual machines between NUMA nodes on the host.

• [Compute Virtualization] Virtual machine shelving. End customers using the self-service panel can release vCPU/RAM resources in their projects. Virtuozzo partners can free up reserved vCPUs/RAM on their hosts.

• [Storage] Persistent reservations for iSCSI. Full functionality is enabled for Microsoft Hyper-V, VMware ESXi and Linux initiators.

• [Installer] Improved installer. The installation program has been overhauled for a better user experience.

• [UI and UX] Improved navigation for the compute service and settings.

• Other enhancements. Better overall stability and performance.

1.41.3 3. Bug Fixes

• In some cases, the DHCP address is not obtained by a virtual machine from a network that is not assigned to the adapter. (VSTOR-16839)

• “Network has undefined speed” alert is displayed for network interfaces with unplugged links. (VSTOR-17286)

• Need to manually clean browser cache and cookies after destroying the compute cluster. Otherwise the newly created compute cluster will have empty compute dashboard. (VSTOR-17752)

• User cannot release the master management node from the high availability configuration. (VSTOR-17852, VSTOR-18259)

• Unable to release a node from the compute cluster if it is included in the management node high availability configuration. Release the node from the management node high availability cluster first before releasing it from the compute cluster. (VSTOR-18299)

• Resetting network services might result in node reboot. (VSTOR-19962)

• Chunk service (CS) journals are not resized to fit caching SSD drive size and might be implicitly placed on the same disk with the CS itself. (VSTOR-20209)

• Caching the value of free space on the management node might lead to unsuccessful software update. (VSTOR-20279)

• Self-signed certificates for S3 are not valid for Google Chrome. (VSTOR-21670)

• After node reboot, the state of the target portal groups may be lost, preventing access to some of the LUNs. (VSTOR-22386)

• Network names shorter than three characters are not valid. (VSTOR-22389)

• Sometimes valid target names are not usable when creating iSCSI targets. (VSTOR-22407)

• Errors in chunk services alert collector might result in loss of results on subsequent alert collectors. (VSTOR-22891)

• iSCSI target does not provide Prometheus support. (VSTOR-23545)

• Redis lock might not be deleted automatically, leading to inability to login to the backend. (VSTOR-24064)

1.41.4 4. Known Issues

• 25 Gbit network cards are shown as 10 Gbit ones in the admin panel. (VSTOR-9422)

• It is impossible to add a node to the HA cluster if one of the nodes included in HA cluster is offline. (VSTOR-10950, VSTOR-16716, VSTOR-17690)

• It is not possible to release a disk with the role “MDS+cache” on a node even if there is another disk with the “MDS+cache” role on the same node. You need to release and re-join the node to free the unnecessary “MDS+cache” disk. (VSTOR-11567)

• It is not possible to cancel virtual machine migration. (VSTOR-12379)

• In some cases, node failure may cause I/O to hang or cluster performance to degrade on iWARP cards. (VSTOR-12872)

• Cannot reset zoom on disk performance graphs. (VSTOR-13622)

• Need to manually refresh page after admin panel HA creation. (VSTOR-14800)

• Need to manually refresh page after flavor creation to update list of flavors on Compute > Flavors. (VSTOR-15252)

• No information shown in Overview while a node is being added to an existing compute cluster. (VSTOR-15978)

• In some cases, a node could be treated as “offline” for a while after creating the HA cluster. (VSTOR-16823)

• Physical space on the storage dashboard and compute overview might differ, because the compute overview also takes into account licensed space. (VSTOR-17297)

• Storage clusters with names over 50 characters are not created correctly and fail. Storage cluster names must not exceed 50 characters. (VSTOR-17902)

• The admin panel allows migrating a virtual machine with a public NIC to a node that is not connected to the underlying public network. (VSTOR-17921)

• No error thrown on attempt to migrate a virtual machine to a node with insufficient RAM or a different CPU compared to the source node. The virtual machine shuts down and then starts again on the same node. (VSTOR-18053)

• There is no “crashed” state for virtual machines in the admin panel. Such VMs are displayed as “Paused” in CLI and as “ACTIVE” in the admin panel. (VSTOR-18054)

• No error message thrown when creating NFS cluster on a node without the “NFS” traffic type. (VSTOR-18068)

• Unable to change Compute Private/Compute API roles from a private to public network after deploying the compute cluster. (VSTOR-18491)

• If only one network, “Private”, is used in a cluster, need to uncheck “Admin panel” from the “Public” network before creating management panel HA. (VSTOR-18730, VSTOR-21170)

• Admin panel shows wrong statistics for the logical space used by VMs. (VSTOR-19699)

• It is not possible to hide the progress bar window while uploading an ISO image to the VM images. (VSTOR-19970)

• The maximum transmission unit (MTU) value set for network bonds cannot be modified from the admin panel. (VSTOR-22388)

• Used space on software RAIDs is incorrectly reported in the admin panel. (VSTOR-23861)

• Attempting to download selected files from the S3 bucket opens them in new browser tabs instead. Affects files of certain types, including PDF, JPG and PNG. (VSTOR-24244)

1.41.5 5. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-055.json.

1.42 Product update: Virtuozzo Infrastructure Platform 2.5 Update 8 (2.5.0-1680)

Issue date: 2019-07-02

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-054

1.42.1 1. Overview

This update enables upgrade to the new major version 3.0 and provides important system fixes.

1.42.2 2. Bug Fixes

• Journald could get stuck, waiting endlessly for “--verify” to complete and stalling services in an unresponsive state. (VSTOR-23308)

• Under certain circumstances, update from the admin panel could fail if was being updated. (VSTOR-23898)

• Increase heartbeat expiration grace period to 10 seconds for shaman. (VSTOR-24144)

1.42.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is not required to obtain this update.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-054.json.

1.43 Product update: Virtuozzo Infrastructure Platform 2.5 Update 7 (2.5.0-1650)

Issue date: 2019-05-22

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-041

1.43.1 1. Overview

This update mitigates the Microarchitectural Store Buffer Data (MDS) vulnerability and provides a performance bug fix.

1.43.2 2. Security Fixes

• [Important] The Microarchitectural Store Buffer Data (MDS) is a series of hardware vulnerabilities which allow speculative execution attacks on Intel processors. A malicious application or guest virtual machine can use this flaw to gain access to data stored in internal CPU buffers, bypassing security restrictions. For more details, visit the Virtuozzo Blog. (VSTOR-23200)

1.43.3 3. Bug Fixes

• Performance improvement compared to previous updates. (VSTOR-22963)

1.43.4 4. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

1.43.5 5. References

• https://access.redhat.com/security/vulnerabilities/mds

• https://www.virtuozzo.com/blog-review/details/blog/view/virtuozzo-guidance-on-the-microarchitectural-store-buffer-data-mds-vulnerability.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-041.json.

1.44 Product update: Virtuozzo Infrastructure Platform 2.5 Update 6 (2.5.0-1642)

Issue date: 2019-05-01

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-034

1.44.1 1. Overview

This update provides stability and usability fixes.

1.44.2 2. Bug Fixes

• Command-line tools improvements. (VSTOR-9712, VSTOR-21601)

• Fixed possible crash of vstorage-target-monitor on shutdown. (VSTOR-21059)

• Automatic replication could stall in case some replicas were dirty while others were offline. (VSTOR-21075)

• Fixed recovery of SSL connections after network errors. (VSTOR-21899)

• Fixed a memory leak in MDS. (VSTOR-22074)

• Fixed possible incorrect behaviour during failover. (VSTOR-22635)

1.44.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot may or may not be required, depending on your product version and build:

• No reboot is required to update from Update 5 (build 1639).

• A manual reboot is required to update from Update 3 or 4 (builds 1601-1617).

• Automatic reboot will be performed on each node in succession to update from older versions (build 1600 and earlier).

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-034.json.

1.45 Product update: Virtuozzo Infrastructure Platform 2.5 Update 5 (2.5.0-1639)

Issue date: 2019-04-05

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-025

1.45.1 1. Overview

This update provides a new feature as well as stability and usability fixes.

1.45.2 2. New Features

• S3: Added support for GET Bucket V2 API.

1.45.3 3. Bug Fixes

• The same data path ID was assigned to VLAN interfaces in OVS bridges. (VSTOR-20558)

• Unable to update storage license. (VSTOR-20913)

• Under certain circumstances, accounting of S3 space usage was incorrect. (VSTOR-21089)

• Improved performance of requests to obtain information about CSes. (VSTOR-21354)

• High availability logs could occupy a lot of space. (VSTOR-21462)

• The xcopy operation did not work correctly when moving VMs between different datastore tiers placed on the same iSCSI target. (VSTOR-21518)

• Some graphs could be empty or not shown in the monitoring dashboard after a node crash. (VSTOR-21603)

• The automatic reporting tool could leave reports in ‘/var/tmp/report.tar.gz’. (VSTOR-21624)

• Custom firewall rules could disappear after a restart of the iptables service. (VSTOR-21674)

• Stability and performance improvements. (VSTOR-5197, VSTOR-18477, VSTOR-18658, VSTOR-20087, VSTOR-20304, VSTOR-20333, VSTOR-20757, VSTOR-21023, VSTOR-21089, VSTOR-21155, VSTOR-21199, VSTOR-21418, VSTOR-21493, VSTOR-21718, VSTOR-21730, VSTOR-21783, VSTOR-21812, VSTOR-21835, VSTOR-21844)

1.45.4 4. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update if your cluster is running iSCSI services. Updated nodes need to be rebooted manually, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-025.json.

1.46 Product update: Virtuozzo Infrastructure Platform 2.5 Update 4 (2.5.0-1617)

Issue date: 2019-03-14

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-022

1.46.1 1. Overview

This update provides stability and usability fixes.

1.46.2 2. Bug Fixes

• Blink button in the admin panel was not working in some cases. (VSTOR-14144, VSTOR-20526)

• Unable to create network bonds. (VSTOR-20197)

• Disk replacement occasionally does not allow assigning a disk and fails with ‘service_params’. (VSTOR-20232)

• Bringing up network interfaces from the admin panel may result in an error. (VSTOR-20239)

• Other stability and performance improvements. (VSTOR-19284, VSTOR-19410, VSTOR-20370)

1.46.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file is available at https://docs.virtuozzo.com/vza/VZA-2019-022.json.

1.47 Product update: Virtuozzo Infrastructure Platform 2.5 Update 3 (2.5.0-1605)

Issue date: 2019-02-26

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-020

1.47.1 1. Overview

This update provides stability and usability fixes.

1.47.2 2. Bug Fixes

• With erasure coding, write operations are blocked after two or more nodes fail, even if the cluster has enough disks available. (VSTOR-19098)

• Unable to list buckets via CLI after bucket removal via API. (VSTOR-19326)

• vstorage-mount may occasionally hang with the message “task fuse-evloop:2710 blocked”. (VSTOR-19620)

• vstorage-target-monitor may occasionally fail with the error message “concurrent map writes”. (VSTOR-20626)

1.47.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file is available at https://docs.virtuozzo.com/vza/VZA-2019-020.json.

1.48 Product update: Virtuozzo Infrastructure Platform 2.5 Update 2 (2.5.0-1600)

Issue date: 2019-02-01

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-019

1.48.1 1. Overview

This update provides a stability and usability fix.

1.48.2 2. Bug Fixes

• Some storage cluster archives may become unavailable after upgrade to version 2.5. (VSTOR-20151)

1.48.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file is available at https://docs.virtuozzo.com/vza/VZA-2019-019.json.

1.49 Product update: Virtuozzo Infrastructure Platform 2.5 Update 1 (2.5.0-1599)

Issue date: 2019-01-30

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-018

1.49.1 1. Overview

This update provides stability and usability fixes.

1.49.2 2. Bug Fixes

• Improved automatic firewall rules configuration. (VSTOR-19695, VSTOR-19857)

1.49.3 3. Installing the Update

You can update Virtuozzo Infrastructure Platform in the SETTINGS > UPDATE section of the admin panel. A reboot is required to complete the update. Updated nodes will be rebooted automatically, one at a time. During the reboot, the storage service might be unavailable on cluster configurations without the redundancy of services or data.

The JSON file is available at https://docs.virtuozzo.com/vza/VZA-2019-018.json.

1.50 Product release: Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-01-15

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-017

1.50.1 1. Overview

This product was formerly known as Virtuozzo Storage. With this release, Virtuozzo Infrastructure Platform offers a wide range of new features for compute virtualization and software-defined networking, as well as enhancements and stability improvements. It also addresses issues found in the previous releases.

1.50.2 2. New Features

• Compute virtualization. Run virtual machines on Virtuozzo Infrastructure Platform nodes in the hyper-converged mode (storage and compute on same node) or the traditional way (storage and compute on separate nodes). Virtual machine management: run, resize, migrate, and open console to virtual machines. Private software-defined networking for virtual machines (VXLAN). Storage policies for virtual machines. Easy-to-use data redundancy options for virtual machine volumes. Easy to configure high availability for compute service and virtual machines. Supported guest operating systems: CentOS 6, CentOS 7, RHEL 6, RHEL 7, Debian 9, Ubuntu 16.04, Ubuntu 18.04, Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019. Full Windows guest support with automatic installation of paravirtualization drivers (virtio) during installation from ISO.

• iSCSI targets get better performance and high availability via multi-path. The new iSCSI target subsystem and high availability engine reduce downtime by 2-4 times during node failures, making them barely noticeable for end-user applications. The subsystem uses Asymmetric Logical Unit Access (ALUA) in the Active-Passive mode.

• Fibre Channel support. Export block storage over Fibre Channel. Check Installation guide for the list of supported cards.

• RoCE and Infiniband RDMA support. Up to 25% better I/O latency and lower CPU utilization on InfiniBand, RoCE (RDMA over Converged Ethernet) and iWARP (Internet Wide-area RDMA Protocol).

• New comprehensive monitoring: Built-in monitoring with pre-configured Prometheus and Grafana. Grafana dashboards for nodes, disks, network, latency, performance, storage services. New charts with tooltips in the admin panel, including I/O latency charts, new physical and logical space charts. Zoomable charts on dashboards: from 30 minutes to 1 week. Virtual machines performance monitoring: CPU, RAM, disks and networking.

• Performance improvements for all-flash configurations. Get more IOPS with multi-threaded I/O on all-flash clusters. New fast-path approach in the core of Virtuozzo Infrastructure Platform reduces latency and implements fast multi-threaded I/O handling in .

• New comprehensive command-line tool. Support for more operations. Unified output for all commands: as a text table, in JSON, and in XML.

• Built-in ReadyKernel eliminates system update downtime. Based on the technology, ReadyKernel is live patching of a running Linux kernel to apply kernel hotfixes and CVEs in seconds.

• New infrastructure networking. Simplifies cluster-wide traffic and firewall configuration. Traffic types are easily assigned to cluster networks on a single screen which minimizes chances of misconfiguration. Also, new traffic types for Compute service and SNMP are added.

• UI and UX improvements: New navigation menu. New controls and fresh UI. Ability to send problem reports. Improved admin panel performance when listing resources of nodes with more than 250 local disks and 100 network interfaces.

• Single repository for all components. Easy and integrated cluster updates from the unified RPM repository.

• Other enhancements: New high availability engine significantly improves cluster reaction time to node failure for all services. New internal cluster DNS service that improves cluster services discovery. Better overall stability and performance.

1.50.3 3. Bug Fixes

• Improved S3 cluster creation. Automatic high availability management for object storage configuration service. (VSTOR-2948, VSTOR-8883)

• Persistent iSCSI Portal is used during configuration. (VSTOR-18256)

1.50.4 4. Known Issues

• High availability for iSCSI/FC does not work for iSCSI initiator in Windows 7, Windows 10 due to the lack of Active-Active mode and persistent reservations. (VSTOR-5621, VSTOR-18121)

• It is impossible to add a node to the management node high availability cluster if one of the nodes included in the management node high availability configuration is offline. The user needs to remove all nodes from the management node high availability cluster and recreate it from scratch. (VSTOR-10950, VSTOR-16716, VSTOR-17690)

• It is not possible to release the “MDS + cache” disk role without releasing all the corresponding disks to the cache or whole node release. (VSTOR-11567)

• It is not possible to cancel an ongoing migration. (VSTOR-12379)

• SPLA license may stop working with an error “bad request”, if the local time is set to a past value. (VSTOR-12495)

• In some cases, I/O may hang or cluster performance may degrade on iWARP cards in case of a node failure. (VSTOR-12872)

• The chart zoom on disk performance graphs on node screen can’t be reset to the initial state. (VSTOR-13622)

• S.M.A.R.T. alerts for system disks are not shown in the panel. (VSTOR-13811)

• Need to manually refresh admin panel web page after creating the management node high availability configuration. (VSTOR-14800)

• Need to manually refresh browser page after flavor creation. (VSTOR-15252)

• Compute overview may not work during adding/releasing nodes in the compute cluster. (VSTOR-15978)

• No “System + Metadata” disk role in the advanced mode during storage cluster creation or joining nodes to a storage cluster. (VSTOR-16523)

• It is not possible to scale down virtual machine RAM, if the compute cluster has no free memory. (VSTOR-16644)

• In some cases, a node could be treated as “offline” for a while after creating the management node high availability configuration. (VSTOR-16823)

• The DHCP address might not be obtained by a virtual machine from a network that is not assigned to the adapter. (VSTOR-16839)

• “Network has undefined speed” alert is displayed for network interface with unplugged link. (VSTOR-17286)

• The storage dashboard and the compute overview may report different physical space values, because the compute overview also takes into account licensed space. (VSTOR-17297)

• Need to manually clean browser cache and cookies after destroying the compute cluster. Otherwise the newly created compute cluster will have empty compute dashboard. (VSTOR-17752)

• User cannot release the master management node from the management node high availability configuration. (VSTOR-17852, VSTOR-18259)

• Storage cluster name must be shorter than 50 characters. (VSTOR-17902)

• The admin panel does not prevent migration of a virtual machine with a public NIC to a node that is not connected to an underlying public network. (VSTOR-17921)

• It is not possible to use VLANs in virtual machines in the ‘private’ backnet. (VSTOR-17943)

• No error on attempt to migrate a virtual machine to a node with no free RAM. (VSTOR-18053)

• There is no “crashed” state for virtual machines. Such virtual machines are displayed as “ACTIVE” even though they are not operational anymore. (VSTOR-18054)

• Virtual Machine live migration to a node with a different CPU may fail without an error message. (VSTOR-18061)

• No error message when creating NFS cluster on a node without the ‘NFS’ traffic type. (VSTOR-18068)

• Installation from ISO is possible only with a US keyboard. This may result in issues with installations via IPMI with non-US locales. (VSTOR-18277)

• Unable to release a node from the compute cluster if it’s included in the management node high availability configuration. Release the node from the management node high availability first before releasing it from the compute cluster. (VSTOR-18299)

• User is unable to reassign the “Compute private” and “Compute API” traffic types to other networks after the compute cluster has been deployed. (VSTOR-18491)

• If only one, “Private”, network is used in a cluster, the user must unassign the “Admin panel” traffic type from the “Public” network before Management node high availability creation on top of only one (“Private”) network. (VSTOR-18730)

• In some cases, the “vstoradmin” user needs to be added to the “vstorage-users” group manually (“usermod -a -G vstorage-users vstoradmin; systemctl restart vstorage-ui-backend”) after adding a new node to Management node high availability. (VSTOR-19274)

The JSON file is available at https://docs.virtuozzo.com/vza/VZA-2019-017.json.

1.51 Kernel security update: Virtuozzo ReadyKernel patch 70.0 for Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-01-24

Applies to: Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-002

1.51.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the Virtuozzo Infrastructure Platform kernel 3.10.0-862.20.2.vz7.73.24 (2.5).

1.51.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of ebtables in the Linux kernel. A local attacker in a container could exploit it to consume large amounts of memory, eventually causing denial of service on the host. (PSBM-90803)

1.51.3 3. Bug Fixes

• Kernel crash (access out of bounds) in SyS_mincore(). (PSBM-90329)

1.51.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

1.51.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-70.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-002.json.

CHAPTER 2 Virtuozzo Hybrid Server

Release announcements for this product are available as an RSS feed.

2.1 [Important] [Security] Virtuozzo ReadyKernel patch 130.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5, 4.6

Issue date: 2021-07-22

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Infrastructure 4.5, Virtuozzo Hybrid Infrastructure 4.6, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-037

2.1.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7 and Virtuozzo Hybrid Infrastructure.

2.1.2 2. Security Fixes

• [Important] [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1160.21.1.vz7.174.13] size_t-to-int conversion vulnerability in the filesystem layer. It was discovered that the implementation of seq_file files in the Linux kernel contained an error related to integer conversion (size_t to a signed integer). A local unprivileged attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2021-33909)

2.1.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.1.4 4. References

• https://www.openwall.com/lists/oss-security/2021/07/20/1

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-130.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-130.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-130.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-130.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-130.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-174.13-130.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-037.json.

2.2 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 4 (7.5.1-739)

Issue date: 2021-07-06

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-036

2.2.1 1. Overview

The Hotfix 4 for Virtuozzo Hybrid Server 7.5 Update 1 provides a stability and usability bugfix.

2.2.2 2. Bug Fixes

• Migrating a container from Virtuozzo 6 to Virtuozzo Hybrid Server 7 with the ‘--keep-src’ option could result in duplicate UUIDs in ‘prlctl list’ output on the destination node. (PSBM-130698)

2.2.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-036.json.

2.3 Virtuozzo ReadyKernel patch 129.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5, 4.6

Issue date: 2021-06-28

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Infrastructure 4.5, Virtuozzo Hybrid Infrastructure 4.6, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-034

2.3.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7 and Virtuozzo Hybrid Infrastructure.

2.3.2 2. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] e2fsck considered the file system corrupted in certain situations because ext4 created initialized extents beyond the end of file. (PSBM-130317)

• [3.10.0-1127.18.2.vz7.163.46 to 3.10.0-1160.21.1.vz7.174.13] After certain operations with detached mounts, attempts to mount anything could unexpectedly fail with error ‘No space left on device’. (PSBM-130509)

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1160.21.1.vz7.174.13] Network overlay ‘weave’ failed to create pairs of veth devices. It was discovered that ‘weave’ network overlay used with Kubernetes tried to create veth devices with MTU 65535 in certain cases. Such operations failed because the maximum allowed MTU was 1500. (PSBM-130575)

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1160.21.1.vz7.174.13] ceph: out-of-bounds accesses in dio_get_pagev_size() caused memory corruption. (PSBM-130693)

2.3.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.3.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-129.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-129.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-129.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-129.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-129.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-174.13-129.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-034.json.

2.4 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 3 (7.5.1-737)

Issue date: 2021-06-22

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-032

2.4.1 1. Overview

The Hotfix 3 for Virtuozzo Hybrid Server 7.5 Update 1 provides a stability and usability bugfix.

2.4.2 2. Bug Fixes

• VM disk resize functionality could stop working for non-root users after upgrading to version 7.5.1. (PSBM-130586)

2.4.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-032.json.

2.5 Virtuozzo ReadyKernel patch 128.1 for Virtuozzo Hybrid Server 7.5

Issue date: 2021-05-31

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-027

2.5.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-1160.21.1.vz7.174.13 (Virtuozzo Hybrid Server 7.5 Update 1).

2.5.2 2. Bug Fixes

• sch_teql: kernel crash in teql_destroy(). (PSBM-128205)

• I/O operations could be significantly slower if ‘io_kaio’ rather than ‘io_direct’ I/O engine was used by ploop. It was discovered that file preallocation was not requested by ploop with ‘io_kaio’ I/O engine. As a result, certain write operations to ploop devices could be significantly slower with ‘io_kaio’ than with ‘io_direct’ I/O engine. (PSBM-129303)

• ext4: timestamps could be updated in wrong inodes in certain cases, if the filesystem was mounted with ‘lazytime’ option. (PSBM-129374)

• ‘pcompact’ operation could trigger memory leaks when ‘io_kaio’ I/O engine was used by ploop. (PSBM-129412)

• netfilter: potential kernel crash in nft_rbtree_deactivate(). (PSBM-129500)

2.5.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.5.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-174.13-128.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-027.json.

2.6 Virtuozzo ReadyKernel patch 128.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5

Issue date: 2021-05-31

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Infrastructure 4.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-026

2.6.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo Hybrid Server 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14), 3.10.0-1127.8.2.vz7.158.8 (Virtuozzo Hybrid Infrastructure 4.0), 3.10.0-1127.18.2.vz7.163.46 (Virtuozzo Hybrid Server 7.5 and Virtuozzo Hybrid Infrastructure 4.5).

2.6.2 2. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] sch_teql: kernel crash in teql_destroy(). (PSBM-128205)

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] ext4: timestamps could be updated in wrong inodes in certain cases, if the filesystem was mounted with ‘lazytime’ option. (PSBM-129374)

• [3.10.0-1127.18.2.vz7.163.46] netfilter: potential kernel crash in nft_rbtree_deactivate(). (PSBM-129500)

2.6.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.6.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-128.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-128.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-128.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-128.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-128.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-026.json.

2.7 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 2 (7.5.1-736)

Issue date: 2021-05-28

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-025

2.7.1 1. Overview

The Hotfix 2 for Virtuozzo Hybrid Server 7.5 Update 1 provides a stability and usability bug fix. All customers that use CloudBlue Cloud Infrastructure Automation with Virtuozzo Hybrid Server 7.5 and newer are strongly recommended to install the hotfix.

2.7.2 2. Bug Fixes

• [Cloud Infrastructure Automation] The basic firewall feature (fwfilter) did not work for virtual machines on Virtuozzo Hybrid Server 7.5. (PSBM-125586)

2.7.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-025.json.

2.8 [Security] Virtuozzo ReadyKernel patch 127.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5

Issue date: 2021-05-17

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Infrastructure 4.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-023

2.8.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7 and Virtuozzo Hybrid Infrastructure.

2.8.2 2. Security Fixes

• [Moderate] [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] netfilter: potential memory corruption in certain setsockopt() operations. It was discovered that an attacker could use a specially crafted sequence of system calls in a container to trigger a memory corruption in the implementation of setsockopt() in the netfilter subsystem. This could result in a kernel crash, or, potentially, could allow the attacker to escalate their privileges. (PSBM-128140)

2.8.3 3. Bug Fixes

• [3.10.0-1127.18.2.vz7.163.46] ‘sit’ tunnels could not be created in the containers even if ‘sit:on’ was set in the features. (PSBM-127315)

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] Memory leaks could happen when network-related structures were created for a starting container. (PSBM-92950)

2.8.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.8.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-127.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-127.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-127.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-127.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-127.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-023.json.

2.9 Virtuozzo Hybrid Server 7.5 Update 1 Hotfix 1 (7.5.1-734)

Issue date: 2021-05-15

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-022

2.9.1 1. Overview

The Hotfix 1 for Virtuozzo Hybrid Server 7.5 Update 1 provides a new feature and a stability and usability bug fix.

2.9.2 2. New Features

• Backups can now be created on file systems without O_DIRECT support. (PSBM-129310)

2.9.3 3. Bug Fixes

• Version 1 ploop images (of virtual environments created in Virtuozzo 6 and earlier) could get corrupted after updating to Virtuozzo Hybrid Server 7.5.1. (PSBM-129299)

2.9.4 4. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-022.json.

2.10 Virtuozzo Hybrid Server 7.5 Update 1 (7.5.1-730)

Issue date: 2021-05-04

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-021

2.10.1 1. Overview

Virtuozzo Hybrid Server 7.5 Update 1 introduces new features and provides stability and usability bug fixes. It also introduces a new kernel 3.10.0-1160.21.1.vz7.174.13.

2.10.2 2. New Features

• New API calls to the Virtuozzo libvirt API. In particular, operations on running containers, network interfaces, as well as improved migration of virtual environments on Virtuozzo Storage. (PSBM-107278)

• Virtuozzo Linux 8 can now be used as a guest OS in virtual machines. (PSBM-124672)

• CentOS 8 containers can now be converted to Virtuozzo Linux 8 containers from the host. (PSBM-125549)

and iptables NAT can now work on the same node. (PSBM-123345)

• More alerts are now supported for Prometheus monitoring. (PSBM-107353)

• Docker v20 and newer is now supported inside containers. (PSBM-123630)

• Improved migration of virtual environments from Virtuozzo 6 to Virtuozzo Hybrid Server 7.5. (PSBM-122047)

• Smart updates. Nodes running Virtuozzo Hybrid Server 7.5 can now be joined to a Kubernetes cluster for centralized update management. (PSBM-99602)

• Improvements for the ‘ploop check’ tool. (PSBM-124721)

• Support for the io_kaio engine for ploop images on Virtuozzo Hybrid Server 7.5. (PSBM-107807)

• Support for the virtio socket device. (PSBM-125788)

• New triggers and metrics for Zabbix monitoring. (PSBM-128087)

• Better default values for the user.slice page cache limit to avoid high load on nodes. The upper limit for the user.slice page cache can now be configured. (PSBM-106301)

• Page cache is no longer polluted by machine backups performed using a temporary directory. (PSBM-124729, PSBM-125588, PSBM-126467, PSBM-128082)

• Support for remote authentication between dispatchers by means of RSA keys. (PSBM-126003)

• It is now possible to install Virtuozzo Hybrid Server on disks too small for the recommended swap partition size. (PSBM-126174)

2.10.3 3. Bug Fixes

• Revert ibpb patch in libvirt. (PSBM-123539)

• firewalld not working in CentOS 8 containers. (PSBM-121318)

• Libvirt hangs when reading long iptable outputs. (PSBM-123565)

• Incorrect network traffic calculation. (PSBM-126938)

• High swapin/swapout (high si/so values) in some circumstances. (PSBM-123655)

• Ploop-balloon discard could get stuck on a ploop located on Virtuozzo Storage. (PSBM-125728)

• Node hang crash due to insufficient swap size. (PSBM-122663)

• CRIU migration could fail on old processors. (PSBM-127004)

• Restoring a container from snapshot could fail due to a CRIU error. (PSBM-123644)

• Other fixes (PSBM-128066, PSBM-127859, PSBM-127606, PSBM-127546, PSBM-127315, PSBM-127091, PSBM-127025, PSBM-127003, PSBM-126948, PSBM-126014, PSBM-125953, PSBM-125515, PSBM-125020, PSBM-124786, PSBM-124618, PSBM-124614, PSBM-124533, PSBM-124496, PSBM-123849, PSBM-123819, PSBM-123786, PSBM-123701, PSBM-123686, PSBM-123648, PSBM-123085, PSBM-123006, PSBM-122122, PSBM-122094, PSBM-122071, PSBM-121984, PSBM-121270, PSBM-120787, PSBM-107361, PSBM-106582, PSBM-102537, PSBM-98775)

2.10.4 4. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-021.json.

2.11 [Security] Virtuozzo ReadyKernel patch 126.0 for Virtuozzo Hybrid Server 7.0, 7.5 and Virtuozzo Hybrid Infrastructure 3.5, 4.0, 4.5

Issue date: 2021-04-20

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Infrastructure 4.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-020

2.11.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7 and Virtuozzo Hybrid Infrastructure.

2.11.2 2. Security Fixes

• [Moderate] [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] netfilter: potential memory corruption could happen when CLUSTERIP was used. It was discovered that an attacker could trigger kernel memory corruption from a container by using a specially crafted sequence of operations with CLUSTERIP-related netfilter rules. (PSBM-128405)

2.11.3 3. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] The kernel could crash in kmapset_hash() while stopping a container. (PSBM-127478)

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.18.2.vz7.163.46] Incorrect updates of page cache during certain operations with Virtuozzo Storage could lead to kernel crash. (VSTOR-42863)

2.11.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.11.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-126.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-126.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-126.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-126.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-126.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-020.json.

2.12 [Important] [Security] Virtuozzo ReadyKernel patch 125.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-04-05

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-017

2.12.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure. NOTE: No more ReadyKernel updates are planned for the kernel 3.10.0-957.12.2.vz7.96.21, support for which ends with this update.

2.12.2 2. Security Fixes

• [Important] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Heap buffer overflow in the iSCSI subsystem. It was discovered that the kernel did not check the size of certain iSCSI-related data structures when presenting them in . A local unprivileged attacker could exploit this (by sending a specially crafted message) to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-27365)

• [Important] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Out-of-bounds read in the iSCSI subsystem. It was discovered that a local unprivileged attacker could use specially crafted netlink messages to trigger an out-of-bounds read in the ‘scsi_transport_iscsi’ module. The kernel could crash as a result. (CVE-2021-27364)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Unrestricted access to sessions and handles in the iSCSI subsystem. It was discovered that the kernel did not properly restrict access to iSCSI sessions and transport handles. A local unprivileged attacker could use this to end arbitrary iSCSI sessions (potentially causing a denial of service) or to expose locations of certain kernel structures. (CVE-2021-27363)

2.12.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.12.4 4. References

• https://bugzilla.redhat.com/show_bug.cgi?id=1930078

• https://bugzilla.redhat.com/show_bug.cgi?id=1930079

• https://bugzilla.redhat.com/show_bug.cgi?id=1930080

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-125.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-125.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-125.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-125.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-125.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-125.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-017.json.

2.13 Virtuozzo ReadyKernel patch 124.1 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-03-19

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-015

2.13.1 1. Overview

This update fixes an issue in the ReadyKernel patch v124.0 (PSBM-127243).

After the release of that version, it was found that it refused to load on certain customer nodes if UNIX domain sockets were used there to pass large amounts of data between processes. This was because the fix for CVE-2021-20265 (“Memory leak in the implementation of unix sockets”) needed to update kernel function unix_stream_read_generic() and that function was running almost all the time.

It is unsafe to patch currently running functions, so the ReadyKernel tools refused to load the update (ReadyKernel updates are loaded and applied as a whole).

We have removed the offending patch in version 124.1. The remaining fixes from ReadyKernel patch v124.0 are still available in v124.1.

The patch applies to all supported kernels of Virtuozzo Hybrid Server, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.13.2 2. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.13.3 3. References

• https://access.redhat.com/security/cve/cve-2021-20265

• https://help.virtuozzo.com/s/article/VZA-2021-014

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-124.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-124.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-124.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-124.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-124.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-124.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-015.json.

2.14 [Security] Virtuozzo ReadyKernel patch 124.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-03-12

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-014

2.14.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.14.2 2. Security Fixes

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] ip_set: null pointer dereference in ip_set_utest(). It was discovered that an attacker could trigger a kernel crash (null pointer dereference) in ip_set_utest() by running a specially crafted sequence of system calls in a container. (PSBM-122965)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] ip_set: kernel crash in ip_set_comment_free(). It was discovered that an attacker could trigger a kernel crash () in ip_set_comment_free() by running a specially crafted sequence of system calls in a container. (PSBM-123063)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Memory leak in the implementation of unix sockets. It was discovered that the implementation of unix sockets did not free certain data structures if a signal was received while the unix_stream_recvmsg() function was running. An unprivileged local attacker could exploit this memory leak to cause a denial of service. (CVE-2021-20265)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] If a subdirectory of a file system was exported via NFS, an attacker could use READDIRPLUS operation to access other parts of that file system. (CVE-2021-3178)

2.14.3 3. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] xfrm subsystem of the Linux kernel could accept user-defined templates with invalid protocol numbers, which caused warnings in xfrm_state_fini(). (PSBM-123084)

• [3.10.0-1127.18.2.vz7.163.46] pcompact would not compact ploop files if the underlying disk partitions had unusual alignment. (PSBM-124496)

2.14.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.14.5 5. References

• https://access.redhat.com/security/cve/cve-2021-20265

• https://access.redhat.com/security/cve/cve-2021-3178

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-124.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-124.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-124.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-124.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-124.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-124.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-014.json.

2.15 Virtuozzo ReadyKernel patch 123.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-03-02

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-011

2.15.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.15.2 2. Bug Fixes

• [3.10.0-1127.18.2.vz7.163.46] The number of memory cgroups reached its limit because such cgroups were not deleted in certain cases. It was discovered that memory cgroups were not deleted in certain cases. Over time, the limit on the number of memory cgroups could be hit and new cgroups would not be created. As a result, containers could fail to start and would report ‘Cannot allocate memory’ errors, docker could fail to run in the containers too, etc. (PSBM-126014)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Virtual machines could not start in certain cases due to incorrect detection of CPU feature ‘IBPB’. (PSBM-126136)

2.15.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.15.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-123.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-123.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-123.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-123.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-123.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-123.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-011.json.

2.16 Virtuozzo Hybrid Server 7.5 Hotfix 3 (7.5.0-610)

Issue date: 2020-02-26

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-010

2.16.1 1. Overview

The Hotfix 3 for Virtuozzo Hybrid Server 7.5 provides stability and usability bugfixes.

2.16.2 2. Bug Fixes

• VM’s filesystem could remain frozen and non-working after backup. (PSBM-124766)

• EZ templates are now installed (and their post-install scripts are now run) in the order specified in vzpkg commands. (PSBM-125260)

• Unable to restore/attach a backup created using a temporary directory. (PSBM-125493)

• Firewall rules set in config.pvs could fail to work. (PSBM-125586)

• ‘prl_disk_tool resize’ did not work under non-root accounts. (PSBM-125605)

2.16.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-010.json.

2.17 Virtuozzo Hybrid Server 7.5 Hotfix 2 (7.5.0-605)

Issue date: 2020-02-16

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-009

2.17.1 1. Overview

The Hotfix 2 for Virtuozzo Hybrid Server 7.5 provides a new feature as well as stability and usability bugfixes.

2.17.2 2. New Features

• Virtuozzo Linux 8 is now available as a guest OS in Virtuozzo system containers.

2.17.3 3. Bug Fixes

• Ploop corruptions after updating to Virtuozzo Hybrid Server 7.5. (PSBM-124770)

• libvirt could hang while reading large output from iptables. (PSBM-124714)

• The ‘ploop’ utility did not allow de-duplication of duplicated storage clusters. (PSBM-124411)

• libvirt could crash during qemu update. (PSBM-124713)

• The ‘virsh undefine’ command was broken for the Virtuozzo driver. (PSBM-124712)

• pdrs could be killed by SIGABRT. (PSBM-124716)

2.17.4 4. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-009.json.

2.18 [Important] [Security] Virtuozzo ReadyKernel patch 122.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-02-15

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-008

2.18.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the kernels 3.10.0-957.12.2.vz7.96.21 (Virtuozzo Hybrid Server 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo Hybrid Server 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14), 3.10.0-1127.8.2.vz7.158.8 (Virtuozzo Hybrid Infrastructure 4.0).

2.18.2 2. Security Fixes

• [Important] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.8.2.vz7.158.8] Incorrect locking in TTY subsystem could lead to use-after-free conditions and cause memory corruption. (CVE-2020-29661)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.8.2.vz7.158.8] ‘Bad unlock balance’ error in ipmr_mfc_seq_stop(). It was discovered that the implementation of IPv6 multicast routing could try to access wrong data when a user tried to read certain files in /proc. An attacker could exploit that from a container to trigger ‘bad unlock balance’ error in ipmr_mfc_seq_stop(), followed by a kernel crash. (PSBM-122990)

• [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.8.2.vz7.158.8] Soft lockup in ext4_ext_find_extent(). It was discovered that certain operations in ext4 did not check their arguments properly. An attacker could exploit that from a container to trigger soft lockups in ext4_ext_find_extent() function, which could result in a denial of service. (PSBM-122991)

2.18.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.18.4 4. References

• https://access.redhat.com/security/cve/cve-2020-29661

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-122.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-122.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-122.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-122.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-122.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-008.json.

2.19 [Important] [Security] Virtuozzo ReadyKernel patch 122.0 for Virtuozzo Hybrid Server 7.5

Issue date: 2021-02-05

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-006

2.19.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the kernel 3.10.0-1127.18.2.vz7.163.46 (Virtuozzo Hybrid Server 7.5).

2.19.2 2. Security Fixes

• [Important] Incorrect locking in TTY subsystem could lead to use-after-free conditions and cause memory corruption. (CVE-2020-29661)

• [Moderate] ‘Bad unlock balance’ error in ipmr_mfc_seq_stop(). It was discovered that the implementation of IPv6 multicast routing could try to access wrong data when a user tried to read certain files in /proc. An attacker could exploit that from a container to trigger ‘bad unlock balance’ error in ipmr_mfc_seq_stop(), followed by a kernel crash. (PSBM-122990)

• [Moderate] Soft lockup in ext4_ext_find_extent(). It was discovered that certain ioctl operations in ext4 did not check their arguments properly. An attacker could exploit that from a container to trigger soft lockups in ext4_ext_find_extent() function, which could result in a denial of service. (PSBM-122991)

2.19.3 3. Bug Fixes

• Userspace processes could crash with ‘double free or corruption’ errors due to a lost TLB flush in the kernel. (PSBM-124581)

2.19.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.19.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-122.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2020-29661

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-006.json.

2.20 [Important] [Security] Fix for a vulnerability in sudo, CVE-2021-3156, for Virtuozzo Hybrid Server 7.x and Virtuozzo 6

Issue date: 2021-01-27

Applies to: Virtuozzo 6.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-004

2.20.1 1. Overview

The update fixes the vulnerability in sudo registered as CVE-2021-3156. The new sudo packages are available for Virtuozzo Hybrid Server 7.x and Virtuozzo 6.

2.20.2 2. Security Fixes

• [Important] A flaw was found in sudo. A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command (by default, any local user can execute sudo) without authentication. Successful exploitation of this flaw could lead to privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3156)

2.20.3 3. Installing the Update

Install the update with ‘yum update’.

2.20.4 4. References

• https://access.redhat.com/security/cve/CVE-2021-3156

• http://repo.virtuozzo.com/vzlinux/6/x86_64/updates/Packages/s/sudo-1.8.6p3-29.vl6.4.x86_64.rpm

• http://repo.virtuozzo.com/vzlinux/7/x86_64/os/Packages/s/sudo-1.8.23-10.vl7.1.x86_64.rpm

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-004.json.

2.21 Kernel update: Virtuozzo ReadyKernel patch 121.5 for Virtuozzo Hybrid Server 7.5

Issue date: 2021-01-18

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2021-001

2.21.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernel 3.10.0-1127.18.2.vz7.163.46 (Virtuozzo Hybrid Server 7.5).

2.21.2 2. Bug Fixes

• fuse_kio_pcs: Potential kernel crash in fuse_map_resolve(). (VSTOR-39656)

2.21.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.21.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-121.5-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-001.json.

2.22 Kernel security update: Virtuozzo ReadyKernel patch 121.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2020-12-28

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-075

2.22.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure. NOTE: No more ReadyKernel updates are planned for the kernel 3.10.0-957.12.2.vz7.86.2, support for which ends with this update.

2.22.2 2. Security Fixes

• [Moderate] [3.10.0-957.12.2.vz7.86.2 to 3.10.0-1127.18.2.vz7.163.46] A specially crafted program running in a container could make certain processes on the host hang (denial of service). (PSBM-123043)

2.22.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.22.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-121.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-121.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-075.json.

2.23 Product update: Virtuozzo Hybrid Server 7.5 Hotfix 1 (7.5.0-589)

Issue date: 2020-12-08

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2020-072

2.23.1 1. Overview

The Hotfix 1 for Virtuozzo Hybrid Server 7.5 provides stability and usability bugfixes.

2.23.2 2. Bug Fixes

• Virtuozzo Storage trial licenses ending in 2021 could be reported as invalid. (PSBM-108125)

• Migrating a VM over Virtuozzo Storage could take a very long time. (PSBM-123396)

2.23.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-072.json.

2.24 Kernel update: Virtuozzo ReadyKernel patch 120.0 for Virtuozzo Hybrid Server 7.0 and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2020-12-03

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-071

2.24.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo Hybrid Server 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14), 3.10.0-1127.8.2.vz7.158.8 (Virtuozzo Hybrid Infrastructure 4.0).

2.24.2 2. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1127.8.2.vz7.158.8] Kernel crash in mem_cgroup_from_cont() due to a race between memory reclaim and offlining of a cgroup. (PSBM-122653)

2.24.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.24.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-120.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-120.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-120.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-120.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-071.json.

2.25 Kernel update: Virtuozzo ReadyKernel patch 119.5 for Virtuozzo Hybrid Server 7.5

Issue date: 2020-12-03

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2020-070

2.25.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernel 3.10.0-1127.18.2.vz7.163.46 (Virtuozzo Hybrid Server 7.5).

2.25.2 2. Bug Fixes

• Kernel crash due to an incorrect BUG_ON() assertion in move_freepages(). (PSBM-123085)

2.25.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.25.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-163.46-119.5-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-070.json.

2.26 Product update: Virtuozzo Hybrid Server 7.5 (7.5.0-586)

Issue date: 2020-12-03

Applies to: Virtuozzo Hybrid Server 7.5

Virtuozzo Advisory ID: VZA-2020-069

2.26.1 1. Overview

Virtuozzo Hybrid Server 7.5 (formerly Update 15) introduces new features and provides a security fix as well as stability and usability bug fixes. It also introduces a new kernel 3.10.0-1127.18.2.vz7.163.46.

2.26.2 2. Security Fixes

• [Important] It was found that an unprivileged user could manage VMs located on Virtuozzo Storage. (PSBM-105768)

2.26.3 3. New Features

• The ability to create and manage Microsoft Windows containers on Microsoft Windows Server nodes from Virtuozzo Hybrid Server 7.5 nodes. For more details, see the User’s Guide. IMPORTANT: This feature is a technical preview. It is not yet ready for production. Please send your feedback to [email protected]. (PSBM-99610)

• Libvirt becomes the primary API for Virtuozzo Hybrid Server. Starting from version 7.5, libvirt is the primary virtualization API for managing both Virtuozzo virtual machines and containers. The custom API calls introduced by Virtuozzo are documented in the libvirt-docs package as well as online. (PSBM-99611)

• It is now possible to automatically update nodes running Virtuozzo Hybrid Server 7.5 and newer. For more details, see the User’s Guide. (PSBM-83273)

• Virtuozzo Hybrid Server 7.5 nodes and their virtual environments can now be monitored via Prometheus. The instructions to set up the nodes are published in the User’s Guide. (PSBM-104026)

• Virtuozzo Hybrid Server 7.5 nodes and their virtual environments can now be monitored via Zabbix. The instructions to set up the nodes are published in the User’s Guide. (PSBM-102872)

• Virtuozzo Hybrid Server 7.5 virtual machine backups are supported in Acronis Cyber Cloud 20.11. (PSBM-106279, PSBM-105010)

• Kubernetes can now run inside Virtuozzo containers. Containers running Docker and Kubernetes can now be migrated. The updated way to install Docker and Kubernetes in a Virtuozzo container is described in the User’s Guide. (PSBM-40110, PSBM-56161, PSBM-105035)

• Virtuozzo Storage has been significantly improved. (PSBM-106043, PSBM-107272)

• Kernel and networking optimizations reduce I/O latency and CPU consumption and improve performance. Random reads are now up to 1.5 times faster on replication.

• Erasure coding self-healing now has less impact on performance. Random writes are up to 2.5 times faster on erasure coding.

• Erasure coding is now available for running virtual machines.

• Memory management optimizations improve random I/O performance on cluster nodes without running containers or virtual machines. Nodes without virtualization now enjoy up to 3 times faster random writes and up to 1.5 times faster random reads.

• Certain mitigations of Intel CPU vulnerabilities are now automatically disabled on cluster nodes without running containers or virtual machines. This boosts random I/O by an extra 10%. NOTE: The disabled mitigations are enabled automatically as soon as a virtual environment starts. For more details, see the User’s Guide.

• The installer has been improved for easier configuration of Virtuozzo Storage clusters. See the Installation Guide for more details. The respective kickstart parameters have been added as well and described in the PXE Installation Guide. (PSBM-103904)

• A way to repair Virtuozzo containers has been added. See the User’s Guide for more details. (PSBM-105228)

• Backup locations can now be configured per virtual environment. The corresponding ‘--backup-path’ parameter for the ‘prlctl’ tool is documented in the User’s Guide. (PSBM-26841)

• A host directory can now be bindmounted into a running container without having to restart it. For more details, see the User’s Guide. (PSBM-105592)

• Now nft NAT rules can be used inside multiple containers in parallel. NOTE: iptables and nft NAT rules cannot work at the same time, be it on the host or inside containers. (PSBM-102908)

• Virtual machine snapshots are now created up to 10 times faster. Reverting to snapshots is faster by up to 30%. (PSBM-105710)

2.26.4 4. Bug Fixes

• qemu-kvm write performance could be slow during VM snapshot creation. (PSBM-101995)

• Containers could hang while trying to access offline NFS shares. (PSBM-99181)

• Wrong CPU features could be reported by libvirt, sometimes causing VMs to fail to boot. (PSBM-121810)

• Nodes with AMD EPYC CPUs could fail to boot after a microcode update. (PSBM-121681)

• Guarantees set for vstorage.slice/vstorage-services.slice could be reset after a short time. (PSBM-105038)

• Unable to recover the filesystem inside the ploop. (PSBM-104884)

• VM backup creation could fail due to an issue with the libvirt thaw operation. (PSBM-107669)

• Unclear how to create VMs via libvirt XML templates. (PSBM-105213)

• A virtual environment filesystem could become read-only after being processed by pcompact. (PSBM-105850)

• Node could crash due to a kernel issue. (PSBM-98148, PSBM-104867)

• DKMS modules could fail to build due to incorrect build decision priority in the upstream code. (PSBM-106192)

• mmap could be twice as slow in CentOS 8 containers as in CentOS 7 ones. (PSBM-120968)

• Unable to resume a suspended container due to a CRIU issue related to the support for Unix socket bindmounts. (PSBM-52730)

• Node could crash due to a race condition. (PSBM-122653)

• Other fixes (PSBM-10773, PSBM-94394, PSBM-96948, PSBM-100293, PSBM-100999, PSBM-101983, PSBM-102847, PSBM-102977, PSBM-103428, PSBM-103638, PSBM-103727, PSBM-104343, PSBM-104369, PSBM-104393, PSBM-104398, PSBM-104442, PSBM-104729, PSBM-104734, PSBM-104749, PSBM-104819, PSBM-104826, PSBM-104855, PSBM-104922, PSBM-105237, PSBM-105479, PSBM-105520, PSBM-106065, PSBM-106109, PSBM-106220, PSBM-106355, PSBM-106384, PSBM-106495, PSBM-106536, PSBM-106556, PSBM-106785, PSBM-106920, PSBM-121008, PSBM-121043, PSBM-121246, PSBM-121566, PSBM-121833, PSBM-122035, PSBM-122319, PSBM-122655, PSBM-123272)

2.26.5 5. Installing the Update

Install the update with ‘yum update’, reboot the host, and switch to the new kernel. If you use Virtuozzo Storage, update hosts one at a time. The Virtuozzo Storage cluster must be healthy before and after each host is updated.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-069.json.

2.27 Kernel update: Virtuozzo ReadyKernel patch 119.5 for Virtuozzo Hybrid Server 7.0 and Virtuozzo Hybrid Infrastructure 4.0

Issue date: 2020-12-01

Applies to: Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-068

2.27.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14), 3.10.0-1127.8.2.vz7.158.8 (Virtuozzo Hybrid Infrastructure 4.0).

2.27.2 2. Bug Fixes

• [3.10.0-1127.8.2.vz7.151.14 to 3.10.0-1127.8.2.vz7.158.8] ploop: certain operations with large ploop images could lead to a division by zero in __map_extent_bmap(). (PSBM-122035)

• [3.10.0-1127.8.2.vz7.151.14 to 3.10.0-1127.8.2.vz7.158.8] Kernel crash due to an incorrect BUG_ON() assertion in move_freepages(). (PSBM-123085)

2.27.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.27.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-119.5-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-119.5-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-068.json.

2.28 Kernel update: Virtuozzo ReadyKernel patch 119.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-12-01

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-067

2.28.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-957.10.1.vz7.85.17 (Virtuozzo Hybrid Server 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo Hybrid Server 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo Hybrid Server 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo Hybrid Server 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13). NOTE: No more updates are planned for the kernel 3.10.0-957.10.1.vz7.85.17, support for which ends with this update.

2.28.2 2. Bug Fixes

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1062.12.1.vz7.131.10] ploop: certain operations with large ploop images could lead to a division by zero in __map_extent_bmap(). (PSBM-122035)

2.28.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.28.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-119.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-119.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-119.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-119.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-119.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-067.json.

2.29 Kernel update: Virtuozzo ReadyKernel patch 118.1 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2020-11-09

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-066

2.29.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.29.2 2. Bug Fixes

• [3.10.0-1127.8.2.vz7.151.14 to 3.10.0-1127.8.2.vz7.158.8] ‘ploop snapshot’ operation could hang in certain cases. (PSBM-121135)

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1127.8.2.vz7.158.8] Processes being killed by the OOM killer could continue consuming memory. If a process running in a container performed large allocations of kernel memory, this could hit the memory limit for the container and trigger the OOM killer. It was discovered, however, that the process being killed by it could continue consuming memory for some time. This could lead to out of memory conditions on the host. (PSBM-121523)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.8.2.vz7.158.8] ‘ploop grow’ operation could fail in certain cases if the ploop image file contained holes. (PSBM-121772)

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1127.8.2.vz7.158.8] nfsd: Potential kernel crash in nfs4_put_stid(). (PSBM-121833)

2.29.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.29.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-118.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-118.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-066.json.

2.30 Important kernel security update: Virtuozzo ReadyKernel patch 117.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2020-10-09

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-064

2.30.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure. IMPORTANT: If is used, manually unloading this or a newer ReadyKernel update while bcache is writing dirty data to the backing device may sometimes create a memory leak. Updating the ReadyKernel patch is not affected. To manually unload the patch, first disable caching temporarily or wait until the cache becomes clean.

2.30.2 2. Security Fixes

• [Important] [3.10.0-1127.8.2.vz7.158.8] The metadata validator in XFS may flag an inode with a valid extended attribute as corrupt. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shut down, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. (CVE-2020-14385)

• [Moderate] [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1127.8.2.vz7.158.8] netfilter/ipset: excessive memory consumption leading to a denial of service. It was discovered that not all memory allocated for ipset-related data was properly accounted for. An attacker could exploit it from a container to consume lots of kernel memory, making the host system unusable (denial of service). (PSBM-108091)

• [Moderate] [3.10.0-1127.8.2.vz7.158.8] NFS v4: potential memory corruption on the client system when processing security attributes. It was discovered that a buffer overflow and memory corruption were possible if a system tried to mount an NFS v4 share where the files had security labels in the file attributes. An attacker would need to control the NFS server and make it send a specific series of responses to trigger the issue. The issue allows the attacker to crash the kernel on the client system or, potentially, escalate their privileges there. (CVE-2020-25212)

• [Moderate] [3.10.0-1127.8.2.vz7.158.8] netfilter: kernel crash due to a buffer overflow in ctnetlink_parse_tuple_filter(). It was discovered that a local attacker could pass a specially crafted configuration of conntrack to the kernel to cause a buffer overflow in the ctnetlink_parse_tuple_filter() function. As a result, the kernel could crash. (CVE-2020-25211)

2.30.3 3. Bug Fixes

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1127.8.2.vz7.158.8] bcache: Potential kernel crash when using RAID1 as a backing device. (PSBM-106785)

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1127.8.2.vz7.158.8] ploop: Potential kernel crash or data corruption during backups due to racy operations with lockout data. (PSBM-108276)

2.30.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.30.5 5. References

• https://access.redhat.com/security/cve/cve-2020-14385

• https://access.redhat.com/security/cve/CVE-2020-25212

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25211

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-117.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-158.8-117.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-064.json.

2.31 Kernel security update: Virtuozzo ReadyKernel patch 116.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-09-18

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-061

2.31.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.31.2 2. Security Fixes

• [Moderate] [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] NFS v4: potential memory corruption on the client system when processing security attributes. It was discovered that a buffer overflow and memory corruption were possible if a system tried to mount an NFS v4 share where the files had security labels in the file attributes. An attacker would need to control the NFS server and make it send a specific series of responses to trigger the issue. The issue allows the attacker to crash the kernel on the client system or, potentially, escalate their privileges there. (CVE-2020-25212)

• [Moderate] [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] netfilter: kernel crash due to a buffer overflow in ctnetlink_parse_tuple_filter(). It was discovered that a local attacker could pass a specially crafted configuration of conntrack to the kernel to cause a buffer overflow in the ctnetlink_parse_tuple_filter() function. As a result, the kernel could crash. (CVE-2020-25211)

• [Moderate] [3.10.0-1127.8.2.vz7.151.14] The metadata validator in XFS may flag an inode with a valid extended attribute as corrupt. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shut down, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. (CVE-2020-14385)

2.31.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.31.4 4. References

• https://access.redhat.com/security/cve/CVE-2020-14385

• https://access.redhat.com/security/cve/CVE-2020-25212

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25211

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-116.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-116.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-061.json.

2.32 Kernel security update: Virtuozzo ReadyKernel patch 115.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-09-08

Applies to: Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-060

2.32.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.32.2 2. Security Fixes

• [Moderate] [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] Potential kernel crash (use-after-free) in the implementation of usermode helpers. A race condition was discovered in the implementation of usermode helpers in the kernel. An attacker could exploit it from a container to cause a denial-of-service (kernel crash due to a use-after-free), or, potentially, to escalate their privileges in the system. (PSBM-107061)

• [Moderate] [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] nf_tables: kernel crash in nf_tables_getset(). It was discovered that the implementation of nf_tables did not properly validate certain parameters. An attacker could exploit this from a container to cause a kernel crash: NULL pointer dereference or a general protection fault in nf_tables_getset(). (PSBM-106408)

• [Moderate] [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] nfnetlink: potential kernel crash (skb_over_panic) in skb_put(). It was discovered that the nfnetlink subsystem did not properly validate certain messages. An attacker could exploit this from a container to cause a kernel crash: skb_over_panic in skb_put(). (PSBM-106395)

2.32.3 3. Bug Fixes

• [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1062.4.2.vz7.116.7] nf_conntrack: potential kernel crash in nf_ct_gre_keymap_destroy(). (PSBM-106273)

2.32.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.32.5 5. References

• https://bugs.openvz.org/browse/OVZ-7224

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-115.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-115.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-060.json.

2.33 Kernel update: Virtuozzo ReadyKernel patch 114.2 for Virtuozzo Hybrid Server 7.0

Issue date: 2020-08-24

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-059

2.33.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14).

2.33.2 2. Bug Fixes

• [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] Memory reclaim could become too slow leading to high LA on the nodes. The original fix for PSBM-99181 and related issues introduced a problem: management of shrinkers used to reclaim memory could become very inefficient in certain cases, causing higher load on the affected nodes. (PSBM-99181)

• [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] nf_conntrack: potential kernel crash in nf_ct_gre_keymap_destroy(). (PSBM-106273)

2.33.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.33.4 4. References

• https://bugs.openvz.org/browse/OVZ-7224

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-114.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-114.2-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-059.json.

2.34 Product update: Virtuozzo Hybrid Server 7.0 Update 14 Hotfix 2 (7.0.14-258)

Issue date: 2020-08-19

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-058

2.34.1 1. Overview

The Hotfix 2 for Virtuozzo Hybrid Server 7.0 Update 14 provides security, stability, and usability bugfixes.

2.34.2 2. Security Fixes

• [Moderate] Fixed multiple vulnerabilities in libvncserver by applying upstream fixes. (PSBM-106197, CVE-2019-20839, CVE-2019-20840, CVE-2020-14396, CVE-2020-14397, CVE-2020-14398, CVE-2020-14399, CVE-2020-14400, CVE-2020-14401, CVE-2020-14402, CVE-2020-14403, CVE-2020-14404, CVE-2020-14405)

2.34.3 3. Bug Fixes

• Files inside containers could become corrupted after live migration. (PSBM-105933)

• Mentioned in the documentation that C2V migration is not supported. (PSBM-106603)

2.34.4 4. Installing the Update

Install the update with ‘yum update’.

2.34.5 5. References

• https://access.redhat.com/security/cve/CVE-2019-20839

• https://access.redhat.com/security/cve/CVE-2019-20840

• https://access.redhat.com/security/cve/CVE-2020-14396

• https://access.redhat.com/security/cve/CVE-2020-14397

• https://access.redhat.com/security/cve/CVE-2020-14398

• https://access.redhat.com/security/cve/CVE-2020-14399

• https://access.redhat.com/security/cve/CVE-2020-14400

• https://access.redhat.com/security/cve/CVE-2020-14401

• https://access.redhat.com/security/cve/CVE-2020-14402

• https://access.redhat.com/security/cve/CVE-2020-14403

• https://access.redhat.com/security/cve/CVE-2020-14404

• https://access.redhat.com/security/cve/CVE-2020-14405

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-058.json.

2.35 Kernel security update: Virtuozzo ReadyKernel patch 113.10 for Virtuozzo Hybrid Server 7.0

Issue date: 2020-08-06

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-056

2.35.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14).

2.35.2 2. Security Fixes

• [Moderate] [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] Possible use-after-free error due to a race condition in cdev_get(). It was discovered that a use-after-free condition was possible in cdev_get() if multiple processes simultaneously accessed a character device in a certain way. A local attacker could potentially exploit this to crash the kernel. (CVE-2020-0305)

2.35.3 3. Bug Fixes

• [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] File system of a container becomes read-only, __ext4_handle_dirty_metadata() reports error 28. (PSBM-105850)

• [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] memcg: the limit on page cache (memory.cache.limit_in_bytes) could be exceeded significantly in certain cases. (PSBM-106384)

2.35.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.35.5 5. References

• https://access.redhat.com/security/cve/cve-2020-0305

• https://forum.openvz.org/index.php?t=msg&th=13635

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-113.10-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-113.10-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-056.json.

2.36 Kernel security update: Virtuozzo ReadyKernel patch 113.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-08-06

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-055

2.36.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.29 (Virtuozzo Hybrid Server 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo Hybrid Server 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo Hybrid Server 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo Hybrid Server 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo Hybrid Server 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5).

2.36.2 2. Security Fixes

• [Moderate] [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1062.4.2.vz7.116.7] Possible use-after-free error due to a race condition in cdev_get(). It was discovered that a use-after-free condition was possible in cdev_get() if multiple processes simultaneously accessed a character device in a certain way. A local attacker could potentially exploit this to crash the kernel. (CVE-2020-0305)

2.36.3 3. Bug Fixes

• [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1062.4.2.vz7.116.7] File system of a container becomes read-only, __ext4_handle_dirty_metadata() reports error 28. (PSBM-105850)

2.36.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.36.5 5. References

• https://access.redhat.com/security/cve/cve-2020-0305

• https://forum.openvz.org/index.php?t=msg&th=13635

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-113.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-113.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-113.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-113.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-113.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-055.json.

2.37 Product update: Virtuozzo 6.0 Update 12 Hotfix 53 (6.0.12-3760)

Issue date: 2020-07-24

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2020-054

2.37.1 1. Overview

This update provides a stability fix.

2.37.2 2. Bug Fixes

• Disk space consumption could grow unconditionally during vzfs to ploop conversion. (PSBM-104691)

2.37.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-054.json.

2.38 Kernel update: Virtuozzo ReadyKernel patch 112.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-07-23

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-053

2.38.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.38.2 2. Bug Fixes

• [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1127.8.2.vz7.151.14] memcg: kernel crash in memcg_destroy_kmem_caches() caused by unbalanced css_tryget/css_put operations. (PSBM-98148)

2.38.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.38.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-112.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-112.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-053.json.

2.39 Kernel update: Virtuozzo ReadyKernel patch 111.0 for Virtuozzo Hybrid Server 7.0

Issue date: 2020-07-17

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-051

2.39.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo Hybrid Server 7.0.13), 3.10.0-1127.8.2.vz7.151.14 (Virtuozzo Hybrid Server 7.0.14).

2.39.2 2. Bug Fixes

• [3.10.0-1062.12.1.vz7.131.10 to 3.10.0-1127.8.2.vz7.151.14] Hard lockup and kernel crash caused by incorrect locking in calc_load_ve(). (PSBM-105237)

2.39.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.39.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-111.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-111.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-051.json.

2.40 Product update: Virtuozzo Hybrid Server 7.0 Update 14 Hotfix 1 (7.0.14-257)

Issue date: 2020-07-07

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-049

2.40.1 1. Overview

The Hotfix 1 for Virtuozzo Hybrid Server 7.0 Update 14 provides stability and usability bugfixes.

2.40.2 2. Bug Fixes

• Unable to live-migrate VMs with dirty bitmaps on Virtuozzo Storage. (PSBM-105022)

• CS journals to be placed on SSDs are now properly handled by the installer and in the Virtuozzo Storage admin panel. (PSBM-104631, PSBM-104632)

2.40.3 3. Installing the Update

Install the update with ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-049.json.

2.41 Important kernel security update: Virtuozzo ReadyKernel patch 110.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-06-20

Affected products: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-048

2.41.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure. NOTE: No more patches are planned for the kernel 3.10.0-862.20.2.vz7.73.24, support for which ends with this update.

2.41.2 2. Security Fixes

• [Important] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] netlabel: kernel crash (null pointer dereference) while processing a specially crafted CIPSO packet. A NULL pointer dereference was found in the implementation of SELinux. The issue occurs while importing the Commercial IP Security Option (CIPSO) protocol category bitmap into SELinux extensible bitmap. Parsing of a specially crafted CIPSO packet sent by a remote attacker could lead to a kernel crash (remote DoS). (CVE-2020-10711)

• [Moderate] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] af_packet: potential soft lockup in case of certain errors when using TPACKET_V3. It was found that if TPACKET_V3 was used and the kernel failed to obtain certain settings from a relevant network device, the retirement timer could be set incorrectly in the implementation of the AF_PACKET protocol. This could result in soft lockups and excessive CPU usage. (CVE-2019-20812)

• [Moderate] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] Core dumps of some processes could contain uninitialized kernel data. It was discovered that core dumps of userspace processes could contain copies of uninitialized kernel memory areas in certain cases. Although it is difficult for an attacker to control what data is in these areas, this issue, in theory, could be used to obtain sensitive information from the kernel. (CVE-2020-10732)

• [Moderate] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] crypto/authenc: kernel crash in crypto_ahash_setkey() when payload of a key is longer than 4 bytes and is not aligned. An out-of-bounds read was found in the implementation of IPsec cryptographic algorithms (‘authenc’ module). When payload of a key was longer than 4 bytes but was not properly aligned, crypto_authenc_extractkeys() function could try to read data from a wrong location. This could lead to a kernel crash in crypto_ahash_setkey(). (CVE-2020-10769)

2.41.3 3. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] ploop: kernel crash (division by zero) in purge_lru_warn(). (PSBM-104867)

2.41.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.41.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-20812

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10711

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10732

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10769

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-110.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-110.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-048.json.

2.42 Kernel security update: Virtuozzo ReadyKernel patch 109.0 for Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-06-23

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-046

2.42.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.42.2 2. Security Fixes

• [Moderate] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] Denial of service by corrupting mountpoint reference counter. It was discovered that a race condition was possible between pivot_root() and put_mountpoint() operations. A local unprivileged attacker could exploit this to corrupt mountpoint reference counter and cause a denial of service (kernel crash). (CVE-2020-12114)

2.42.3 3. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1062.12.1.vz7.131.10] ext4: potential kernel crash in ext4_cross_rename(): certain error cases were not checked properly. (PSBM-104563)

• [3.10.0-1127.8.2.vz7.151.14] futex: potential system hang due to a missing unlock operation in the error path of futex_wait_requeue_pi(). (PSBM-104664)

2.42.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.42.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=1848652

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-109.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-151.14-109.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-046.json.

2.43 Important kernel security update: New kernel 2.6.32-042stab145.3; Virtuozzo 6.0 Update 12 Hotfix 52 (6.0.12-3759)

Issue date: 2020-06-22

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2020-045

2.43.1 1. Overview

This update provides a new kernel 2.6.32-042stab145.3 for Virtuozzo 6.0. It is based on the RHEL 6.10 kernel 2.6.32-754.30.2.el6 and inherits security and stability fixes from it. The new kernel also provides internal stability fixes.

2.43.2 2. Security Fixes

• [Moderate] hw: Special Register Buffer Data Sampling (SRBDS). (CVE-2020-0543)

2.43.3 3. Bug Fixes

• Host crashes in nf_nat_cleanup_conntrack() on container stop. (PSBM-104341, OVZ-6241, OVZ-6708)

• Stability fixes in ext4, cpt and vzsnap.

2.43.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Install the update with “yum update”. Reboot the host and switch to the new kernel.

2.43.5 5. References

• https://access.redhat.com/errata/RHSA-2020:2430

• https://www.redhat.com/security/data/cve/CVE-2020-0543.html

• https://access.redhat.com/solutions/5142691

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-045.json.

2.44 Important kernel security update: New kernel 2.6.32-042stab145.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2020-06-22

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2020-044

2.44.1 1. Overview

This update provides a new kernel 2.6.32-042stab145.3 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. It is based on the RHEL 6.10 kernel 2.6.32-754.30.2.el6 and inherits security and stability fixes from it. The new kernel also provides internal stability fixes.

2.44.2 2. Security Fixes

• [Moderate] hw: Special Register Buffer Data Sampling (SRBDS). (CVE-2020-0543)

2.44.3 3. Bug Fixes

• Host crashes in nf_nat_cleanup_conntrack() on container stop. (PSBM-104341, OVZ-6241, OVZ-6708)

• Stability fixes in ext4, cpt and vzsnap.

2.44.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host and switch to the new kernel.

2.44.5 5. References

• https://access.redhat.com/errata/RHSA-2020:2430

• https://www.redhat.com/security/data/cve/CVE-2020-0543.html

• https://access.redhat.com/solutions/5142691

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-044.json.

2.45 Product update: Virtuozzo Hybrid Server 7.0 Update 14 (7.0.14-249)

Issue date: 2020-06-18

Applies to: Virtuozzo Hybrid Server 7.0

Virtuozzo Advisory ID: VZA-2020-043

2.45.1 1. Overview

The Update 14 for Virtuozzo Hybrid Server 7.0 introduces new features and provides stability and usability bug fixes. It also introduces a new kernel 3.10.0-1127.8.2.vz7.151.14.

2.45.2 2. New Features

• The Virtuozzo virtualization solution has been renamed to Virtuozzo Hybrid Server. The change affects versions 7.0 and newer.

• Integration with Acronis Backups. Agentless backup is now available for containers created in Virtuozzo Hybrid Server 7.

• SolusIO integration. Virtual machines running on Virtuozzo Hybrid Server 7 can now be managed by SolusIO. The current recommendations and known issues are listed in the Knowledge Base.

• Ubuntu 20.04 LTS guest OS support in both containers and virtual machines. Known issue: Snapshots and live migration do not work for containers with Ubuntu 20.04 LTS.

• Support for rolling back yum transactions with ‘yum history undo’.

• vzmigrate now uses AES256-GCM cipher by default if called directly.

2.45.3 3. Bug Fixes

• VM migration by a non-root user could fail. (PSBM-103700)

• Misconfiguring VZ_TOOLS_* variables could result in lots of leftover UBs. (PSBM-102841)

• Container migration could fail due to a CRIU issue: “Error: mnt: Mount has unreachable sharing. Try --enable-external-masters.” (PSBM-100080)

• VM migrated from Virtuozzo 6 to Virtuozzo Hybrid Server 7 could crash and enter paused state, because of improper uninstallation of old guest tools. (PSBM-102067)

• prlctl could hang on node due to issues with libvirtd autodump. (PSBM-103899)

• Restoration of a virtual environment from a remote backup using Virtuozzo Automator could fail. (PSBM-103849)

• Potential hard lockups in timer-related code: jiffies_lock could be held for a long time. (PSBM-102573)

• VA Agent could crash repeatedly, leaving lots of core dump files. (PSBM-102323)

• Changing the SID of a Windows Server 2019 VM causes multiple notifications about issues with default apps on the first opening of Settings. (PSBM-98743)

• Other fixes. (PSBM-101409, PSBM-101463, PSBM-102022, PSBM-102292, PSBM-102293, PSBM-102330, PSBM-102331, PSBM-102386, PSBM-102407, PSBM-102641, PSBM-102685, PSBM-102997, PSBM-103515, PSBM-104086, PSBM-104248, PSBM-104387, PSBM-91808, PSBM-99351)

2.45.4 4. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-043.json.

2.46 Kernel update: Virtuozzo ReadyKernel patch 108.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0, Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-06-15

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-042

2.46.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.46.2 2. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] ext4: use-after-free when unmounting a corrupted file system with files that have no links. (PSBM-104517)

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] cbt: potential endless loops in the error paths. (PSBM-104530)

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] futex: potential system hang due to a missing unlock operation in the error path of futex_wait_requeue_pi(). (PSBM-104664)

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] netfilter: potential memory corruption caused by a helper from nf_conntrack_h323 module. (PSBM-104727)

2.46.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.46.4 4. References

• https://bugzilla.kernel.org/show_bug.cgi?id=205433

• https://bugs.openvz.org/browse/OVZ-7188

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-108.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-108.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-042.json.

2.47 Kernel update: Virtuozzo ReadyKernel patch 107.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-06-01

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-040

2.47.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo 7.0.13).

2.47.2 2. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] memcg: kernel could crash when memory was uncharged from a cgroup while the cgroup was going offline. It was found that a race was possible between uncharging memory from a cgroup and making that cgroup offline. This could lead to premature destruction of the cgroup and could cause a kernel crash. (PSBM-103975)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] netlink: performance issues due to direct memory reclaim in netlink_dump() and netlink_trim(). (PSBM-104086)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] ext4: attempts to freeze the FS could hang in certain cases due to an unbalanced internal write counter. (PSBM-104342)

• [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1062.12.1.vz7.131.10] nf_conntrack: potential kernel crash in netlink_has_listeners(). (PSBM-104387)

2.47.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.47.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-107.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-107.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-107.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-107.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-107.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-107.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-040.json.

2.48 Kernel security update: Virtuozzo ReadyKernel patch 106.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-05-21

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-038

2.48.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo 7.0, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2.48.2 2. Security Fixes

• [Moderate] [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.4.2.vz7.116.7] Use-after-free read in napi_gro_frags(). A flaw was found in the implementation of GRO, which allows an attacker with local access to trigger a use-after-free read in napi_gro_frags() and, potentially, crash the system. (CVE-2020-10720)

2.48.3 3. Bug Fixes

• [3.10.0-957.10.1.vz7.85.17 to 3.10.0-1062.12.1.vz7.131.10] qxl: kernel crash in qxl_release_fence_buffer_objects(). (PSBM-102320)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] memcg: potential use-after-free in the implementation of uncharge operations. (PSBM-103864)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] packet: packet_sk_charge() could try to charge zero memory, leading to a use-after-free in memcg subsystem. (PSBM-104125)

2.48.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.48.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=1781204

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-106.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-106.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-038.json.

2.49 Important kernel security update: New kernel 2.6.32-042stab144.1; Virtuozzo 6.0 Update 12 Hotfix 51 (6.0.12-3757)

Issue date: 2020-05-21

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2020-037

2.49.1 1. Overview

This update provides a new kernel 2.6.32-042stab144.1 for Virtuozzo 6.0. It is based on the RHEL 6.10 kernel 2.6.32-754.29.2.el6 and inherits security and stability fixes from it. The new kernel also provides internal security and stability fixes.

2.49.2 2. Security Fixes

• [Important] Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic. (CVE-2020-10711)

• [Important] kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

• [Important] kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c. (CVE-2019-17133)

• [Moderate] kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c. (CVE-2020-11565)

• [Moderate] kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)

• [Moderate] kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol. (CVE-2019-17055)

• [Moderate] kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service. (CVE-2019-15916)

• [Low] kernel: offset2lib allows for the stack guard page to be jumped over. (CVE-2017-1000371)

2.49.3 3. Bug Fixes

• Do not force memory reclaim during per-netns memory allocation for conntrack hash table. (PSBM-102730)

2.49.4 4. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

2.49.5 5. References

• https://access.redhat.com/errata/RHSA-2020:0790

• https://access.redhat.com/errata/RHSA-2020:1524

• https://access.redhat.com/errata/RHSA-2020:2103

• https://www.redhat.com/security/data/cve/CVE-2017-1000371.html

• https://www.redhat.com/security/data/cve/CVE-2019-15916.html

• https://www.redhat.com/security/data/cve/CVE-2019-17055.html

• https://www.redhat.com/security/data/cve/CVE-2019-17133.html

• https://www.redhat.com/security/data/cve/CVE-2019-17666.html

• https://www.redhat.com/security/data/cve/CVE-2020-8648.html

• https://www.redhat.com/security/data/cve/CVE-2020-10711.html

• https://www.redhat.com/security/data/cve/CVE-2020-11565.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-037.json.

2.50 Important kernel security update: New kernel 2.6.32-042stab144.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2020-05-21

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2020-036

2.50.1 1. Overview

This update provides a new kernel 2.6.32-042stab144.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. It is based on the RHEL 6.10 kernel 2.6.32-754.29.2.el6 and inherits security and stability fixes from it. The new kernel also provides internal security and stability fixes.

2.50.2 2. Security Fixes

• [Important] Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic. (CVE-2020-10711)

• [Important] kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

• [Important] kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c. (CVE-2019-17133)

• [Moderate] kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c. (CVE-2020-11565)

• [Moderate] kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)

• [Moderate] kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol. (CVE-2019-17055)

• [Moderate] kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service. (CVE-2019-15916)

• [Low] kernel: offset2lib allows for the stack guard page to be jumped over. (CVE-2017-1000371)

2.50.3 3. Bug Fixes

• Do not force memory reclaim during per-netns memory allocation for conntrack hash table. (PSBM-102730)

2.50.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host and switch to the new kernel.

2.50.5 5. References

• https://access.redhat.com/errata/RHSA-2020:0790

• https://access.redhat.com/errata/RHSA-2020:1524

• https://access.redhat.com/errata/RHSA-2020:2103

• https://www.redhat.com/security/data/cve/CVE-2017-1000371.html

• https://www.redhat.com/security/data/cve/CVE-2019-15916.html

• https://www.redhat.com/security/data/cve/CVE-2019-17055.html

• https://www.redhat.com/security/data/cve/CVE-2019-17133.html

• https://www.redhat.com/security/data/cve/CVE-2019-17666.html

• https://www.redhat.com/security/data/cve/CVE-2020-8648.html

• https://www.redhat.com/security/data/cve/CVE-2020-10711.html

• https://www.redhat.com/security/data/cve/CVE-2020-11565.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-036.json.

2.51 Kernel update: Virtuozzo ReadyKernel patch 105.1 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-05-12

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-034

2.51.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo 7.0.13).

2.51.2 2. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.12.1.vz7.131.10] Slow memory allocations in nf_conntrack when a netns is created. When a new netns is created, high-order page allocations can happen in nf_ct_alloc_hashtable(). If memory is fragmented, such allocations can become very slow due to memory reclaim, etc. This, in turn, could result in significant slowdowns on the node. (PSBM-103518)

• [3.10.0-862.20.2.vz7.73.29 to 3.10.0-1062.12.1.vz7.131.10] i40iw: kernel complains about failed RTNL assertion in i40iw_addr_resolve_neigh(). (VSTOR-33397)

2.51.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.51.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-105.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-105.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-105.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-105.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-105.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-105.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-034.json.

2.52 Kernel update: Virtuozzo ReadyKernel patch 104.1 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-04-27

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-032

2.52.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo 7.0.13).

2.52.2 2. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] nfsd: memory corruption in nfsd4_lock(). (PSBM-102407)

• [3.10.0-1062.12.1.vz7.131.10] Potential hard lockups in timer-related code: jiffies_lock could be held for a long time. (PSBM-102573)

2.52.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.52.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-104.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-104.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-032.json.

2.53 Product update: Virtuozzo 7.0 Update 13 Hotfix 3 (7.0.13-306)

Issue date: 2020-04-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-031

2.53.1 1. Overview

The Hotfix 3 for Virtuozzo 7.0 Update 13 provides a stability and usability bugfix.

2.53.2 2. Bug Fixes

• Unreadable files may be created when using erasure coding during the upgrade from Update 12 to 13. Fix such files with the command ‘vstorage -c -A set-attr -p map-type=PLAIN’. (VSTOR-32856, VSTOR-32857)

2.53.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-031.json.

2.54 Product update: Virtuozzo 7.0 Update 13 Hotfix 2 (7.0.13-305)

Issue date: 2020-04-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-029

2.54.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0 Update 13 provides stability and usability bugfixes.

2.54.2 2. Bug Fixes

• Ability to check and fix containers with broken BAT. (PSBM-102741)

• Under certain conditions, MDS could crash. (PSBM-102751)

2.54.3 3. Installing the Update

To update from Update 13, run ‘yum update’.

To update nodes in Virtuozzo Storage clusters from versions earlier than Update 13, do the following:

    - Install the update on all nodes with ‘yum update’. Do not restart the nodes yet.
    - Wait until all MDS services are updated. Check the output of ‘vstorage -c stat’. All MDS services must have the ‘BUILD_VERSION’ 7.10.
    - Restart the updated nodes one at a time.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-029.json.

2.55 Kernel update: Virtuozzo ReadyKernel patch 103.0 for Virtuozzo 7.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-04-10

Applies to: Virtuozzo 7.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-028

2.55.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with an enhancement. The patch applies to the kernels 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo 7.0.13).

2.55.2 2. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.7 to 3.10.0-1062.12.1.vz7.131.10] (enhancement) ploop: added interface to dump the cached BAT. It was discovered that containers could get a broken on-disk BAT but have healthy in-kernel data in certain cases. To detect and fix such conditions, the means to dump the cached BAT were implemented in ploop. Note that, to make use of this enhancement, version 7.0.187.4 or newer of the userspace ploop tools is needed. (PSBM-102848)

2.55.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.55.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-103.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-103.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-028.json.

2.56 Kernel update: Virtuozzo ReadyKernel patch 102.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-04-06

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-026

2.56.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5), 3.10.0-1062.12.1.vz7.131.10 (Virtuozzo 7.0.13). NOTE: No more patches are planned for the kernel 3.10.0-862.11.6.vz7.64.7, support for which ends with this update.

2.56.2 2. Bug Fixes

• [3.10.0-862.11.6.vz7.64.7 to 3.10.0-1062.12.1.vz7.131.10] A container with NFS server could force other such containers to use the older NFSv4 client tracker, which slows down NFS mounts. (PSBM-102363)

• [3.10.0-1062.12.1.vz7.131.10] ext4: potential kernel crash (general protection fault) in ext4_free_blocks(). (PSBM-102478)

• [3.10.0-862.11.6.vz7.64.7 to 3.10.0-1062.12.1.vz7.131.10] netfilter: kernel crash in the implementation of nf_tables due to use-after-free in dynamic operations. (PSBM-102655)

• [3.10.0-862.11.6.vz7.64.7 to 3.10.0-1062.12.1.vz7.131.10] mpt2sas: while atomic in _scsih_io_done(). (VSTOR-32221)

2.56.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.56.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-102.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-131.10-102.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-026.json.

2.57 Product update: Virtuozzo 7.0 Update 13 Hotfix 1 (7.0.13-302)

Issue date: 2020-04-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-025

2.57.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0 Update 13 provides stability and usability bugfixes.

2.57.2 2. Bug Fixes

• Unable to live-migrate container with splunk, sensu, ossec-hids tools running inside. (PSBM-101223, PSBM-102156)

• systemd 219-67.vl7.4 not working after the update. (PSBM-102472)

2.57.3 3. Installing the Update

To update from Update 13, run ‘yum update’.

To update nodes in Virtuozzo Storage clusters from versions earlier than Update 13, do the following:

    - Install the update on all nodes with ‘yum update’. Do not restart the nodes yet.
    - Wait until all MDS services are updated. Check the output of ‘vstorage -c stat’. All MDS services must have the ‘BUILD_VERSION’ 7.10.
    - Restart the updated nodes one at a time.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-025.json.

2.58 Product update: Virtuozzo 7.0 Update 13 (7.0.13-298)

Issue date: 2020-03-31

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-023

2.58.1 1. Overview

The Update 13 for Virtuozzo 7.0 introduces new features and provides stability and usability bug fixes. It also introduces a new kernel 3.10.0-1062.12.1.vz7.131.10.

2.58.2 2. New Features

• Memory guarantees for host services. Default guarantees for the system and user memory slices help keep nodes accessible even if they are heavily overcommitted. Guarantees, as well as limits, can also be set manually by means of the ‘/etc/vz/vstorage-limits.conf’ configuration file.

• Improved Virtuozzo Storage performance. Also added an ability to tune Virtuozzo Storage journals for improved write and read performance on SSD. Enabled with the ‘-T ssd’ option during CS or journal creation.

• Ability to live-migrate containers running Oracle Database 11g Release 2 and Oracle Database 18c XE.

2.58.3 3. Bug Fixes

• ‘pstorage-target’ files are left over after successful migrations of VMs on Virtuozzo Storage from Virtuozzo Automator. (PSBM-95072)

• Container could hang while trying to get access to an offline NFS share. (PSBM-99181)

• Various disk-related operations on containers could fail on ‘ploop balloon discard’ due to e4defrag2 failures. (PSBM-100737)

• Live migration of Windows-based EFI VMs located on Virtuozzo Storage could fail with error “Unable to execute QEMU command ‘cont’: Could not reopen file: Device or resource busy”. (PSBM-101520)

• Container could fail on start after migration and HDD size increase. (PSBM-101842)

• Container could fail to start due to ploop mount issues. (PSBM-101843)

• Container with certain applications and NFS mounts could fail to migrate with a CRIU error “Error (/net.c:1587): net: Can’t restore link: -17”. (PSBM-102057)

• Container migration could fail due to a CRIU issue related to ipset migration. (PSBM-100083)

• Need to automatically remove inconsistent bitmaps during image checks. (PSBM-100110)

• Node could crash due to low serial console speed. (PSBM-100118)

• Node crash due to an issue with ‘nft_rbtree_lookup’. (PSBM-101492)

• Running pfcached.service could slow down a node with a lot of running containers. (PSBM-101530)

• Other fixes. (PSBM-99907, PSBM-99764, PSBM-99432, PSBM-99400, PSBM-97931, PSBM-96249, PSBM-90491, PSBM-78693, PSBM-102336, PSBM-101836, PSBM-101658, PSBM-101636, PSBM-101605, PSBM-101526, PSBM-101433, PSBM-101397, PSBM-101172, PSBM-101145, PSBM-101125, PSBM-101043, PSBM-100991, PSBM-100938, PSBM-100902, PSBM-100775, PSBM-100768, PSBM-100509, PSBM-100439)

2.58.4 4. Installing the Update

To update nodes that are not in Virtuozzo Storage clusters, install the update with ‘yum update’. Reboot the host and switch to the new kernel.

To update nodes in Virtuozzo Storage clusters, do the following:

    - Install the update on all nodes with ‘yum update’. Do not restart the nodes yet.
    - Wait until all MDS services are updated. Check the output of ‘vstorage -c stat’. All MDS services must have the ‘BUILD_VERSION’ 7.10.
    - Restart the updated nodes one at a time.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-023.json.

2.59 Kernel update: Virtuozzo ReadyKernel patch 101.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2020-03-19

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-021

2.59.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.59.2 2. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-957.12.2.vz7.96.21] ext4: a race between online resizing and write operations could lead to kernel crashes or data corruption. (PSBM-101798)

2.59.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.59.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-101.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-101.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-101.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-101.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-101.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-021.json.

2.60 Kernel update: Virtuozzo ReadyKernel patch 100.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-03-17

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-020

2.60.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5).

2.60.2 2. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ploop: potential corruption of the index during discard operation. A race condition was discovered in ploop, which could lead to corruption of the index during discard operations in certain cases. NOTE: It is not recommended to manually unload the ReadyKernel patch with the fix for this issue while any discard operations for ploop images are in progress: the ploop images could be corrupted as a result. Upgrading the patch is OK, only manual unloads and downgrades can be problematic. (PSBM-101823)

2.60.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.60.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-100.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-100.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-020.json.

2.61 Kernel security update: Virtuozzo ReadyKernel patch 98.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-02-21

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-015

2.61.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure Platform 3.5). NOTE: No more patches are planned for the kernel 3.10.0-862.9.1.vz7.63.3, support for which ends with this update.

2.61.2 2. Security Fixes

• [Moderate] [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] xfs: potential denial of service caused by missing unlock operation in xfs_setattr_nonsize(). It was discovered that xfs_setattr_nonsize() would not unlock ‘ILOCK’ lock if the user or group were out of their disk quota. As a result, any subsequent operation, which needed to take ‘ILOCK’, would get stuck, leading to a denial of service. (CVE-2019-15538)

2.61.3 3. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ploop: holes in raw ploop images were handled incorrectly. (PSBM-101189)

• [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] nf_tables: kernel crash in nft_rbtree_lookup(). (PSBM-101492)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ve: make it easier to analyze removal of system libraries in the containers. (PSBM-101595)

2.61.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.61.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-98.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-98.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2019-15538

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-015.json.

2.62 Product update: Virtuozzo 7.0 Update 12 Hotfix 3 (7.0.12-361)

Issue date: 2020-02-13

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-014

2.62.1 1. Overview

The Hotfix 3 for Virtuozzo 7.0 Update 12 provides stability and usability bugfixes.

2.62.2 2. Bug Fixes

• Ploop can occasionally be corrupted after node reboot (repair image outgrows device size). (PSBM-100126)

• vzstat does not show actual IO and IOPS load and limits. (PSBM-101150)

• Ploop device gets corrupted in certain circumstances. (PSBM-101080, PSBM-101483)

2.62.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-014.json.

2.63 Important kernel security update: Virtuozzo ReadyKernel patch 97.0 for Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-02-10

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-013

2.63.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5).

2.63.2 2. Security Fixes

• [Important] [3.10.0-862.9.1.vz7.63.3 to 3.10.0-862.20.2.vz7.73.29] Use-after-free in fs/xfs/xfs_super.c. A flaw was found in the implementation of XFS filesystem where a key data structure (sb->s_fs_info) may not be de-allocated properly when the system is under memory pressure. This could allow a local attacker to create a use-after-free situation which can result in memory corruption or, potentially, privilege escalation. (CVE-2018-20976)

• [Moderate] [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] Kernel crash due to out-of-bounds memory accesses in process_vm_readv(). It was discovered that the implementation of process_vm_readv() could try to access memory outside of the structures it was processing in certain cases. A local unprivileged user could use this vulnerability to crash the system. (PSBM-94695)

2.63.3 3. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] Certain operations with an empty ploop image could lead to its unexpected growth. (PSBM-101143)

• [3.10.0-1062.4.2.vz7.116.7] quotaoff operation executed in a container could get stuck in D state. (PSBM-101159)

• [3.10.0-1062.4.2.vz7.116.7] Incomplete fix for PSBM-100575: reading of /proc/bc/resources line by line would never end. (PSBM-101249)

2.63.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.63.5 5. References

• https://access.redhat.com/security/cve/cve-2018-20976

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-97.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-97.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-013.json.

2.64 Product update: Virtuozzo 7.0 Update 12 Hotfix 2 (7.0.12-354)

Issue date: 2020-01-31

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2020-012

2.64.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0 Update 12 provides stability and usability bugfixes.

2.64.2 2. Bug Fixes

• vzlicmonitor could incorrectly show license state as “GRACED”. (PSBM-98208)

• Unable to restore corrupted ploop images with ploop_defrag. (PSBM-99949)

• Ploop mount segfault on a big image with many holes. (PSBM-101024)

2.64.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-012.json.

2.65 Important kernel security update: New kernel 2.6.32-042stab142.1; Virtuozzo 6.0 Update 12 Hotfix 50 (6.0.12-3755)

Issue date: 2020-01-31

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2020-011

2.65.1 1. Overview

This update provides a new kernel 2.6.32-042stab142.1 for Virtuozzo 6.0. It is based on the RHEL 6.10 kernel 2.6.32-754.27.1.el6 and inherits security and stability fixes from it. The new kernel also provides internal stability fixes.

2.65.2 2. Security Fixes

• [Important] Kernel: KVM: OOB memory access via mmio ring buffer. This issue is not critical for Virtuozzo 6.0, as it does not use KVM. (CVE-2019-14821)

2.65.3 3. Bug Fixes

• vzfs-to-ploop conversion on running container could crash the host. (PSBM-99030, PSBM-100878)

• Container stop operation could hang. (PSBM-100203)

• Container restore operation could crash the host due to incorrect symbolic link processing. (OVZ-7147)

2.65.4 4. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-011.json.

2.66 Important kernel security update: New kernel 2.6.32-042stab142.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2020-01-31

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2020-010

2.66.1 1. Overview

This update provides a new kernel 2.6.32-042stab142.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. It is based on the RHEL 6.10 kernel 2.6.32-754.27.1.el6 and inherits security and stability fixes from it. The new kernel also provides internal stability fixes.

2.66.2 2. Security Fixes

• [Important] Kernel: KVM: OOB memory access via mmio ring buffer. This issue is not critical for Virtuozzo Containers for Linux 4.7 or Server Bare Metal 5.0, as these solutions do not use KVM. (CVE-2019-14821)

2.66.3 3. Bug Fixes

• vzfs-to-ploop conversion on running container could crash the host. (PSBM-99030, PSBM-100878)

• Container stop operation could hang. (PSBM-100203)

• Container restore operation could crash the host due to incorrect symbolic link processing. (OVZ-7147)

2.66.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-010.json.

2.67 Kernel update: Virtuozzo ReadyKernel patch 96.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0 and Virtuozzo Hybrid Infrastructure 3.5

Issue date: 2020-01-27

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0, Virtuozzo Hybrid Infrastructure 3.5

Virtuozzo Advisory ID: VZA-2020-006

2.67.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1 and Virtuozzo Hybrid Infrastructure 3.5).

2.67.2 2. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] memcg: memory corruption caused by writing beyond the end of shrinker_map structure. (PSBM-100509)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] ploop: kernel crashes when processing discard requests for ploop images in raw format. (PSBM-100739)

2.67.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.67.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-96.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-96.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-006.json.

2.68 Kernel update: Virtuozzo ReadyKernel patch 95.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2020-01-21

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2020-003

2.68.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernel 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5).

2.68.2 2. Bug Fixes

• scsi: printing lots of messages about rejected I/O causes a hard lockup and a kernel crash. (PSBM-100118)

• Potential kernel crash in __radix_tree_insert() when fscache is used for NFS mounts. (PSBM-100579)

2.68.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.68.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-95.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-003.json.

2.69 Kernel update: Virtuozzo ReadyKernel patch 95.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0

Issue date: 2020-01-14

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2020-002

2.69.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1).

2.69.2 2. Bug Fixes

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] scsi: printing lots of messages about rejected I/O causes a hard lockup and a kernel crash. (PSBM-100118)

• [3.10.0-1062.4.2.vz7.116.7] Reading of /proc/bc/resources line by line would never end: no end of file was reported. (PSBM-100575)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] Potential kernel crash in __radix_tree_insert() when fscache is used for NFS mounts. (PSBM-100579)

• [3.10.0-1062.4.2.vz7.116.7] Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system. (PSBM-100593)

• [3.10.0-1062.4.2.vz7.116.7] ixgbe: lots of warnings in the system log due to incorrect check for firmware errors. (PSBM-100722)

2.69.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.69.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-95.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-95.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-002.json.

2.70 Kernel update: Virtuozzo ReadyKernel patch 95.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2020-01-14

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2020-001

2.70.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1).

2.70.2 2. Bug Fixes

• [3.10.0-862.9.1.vz7.63.3 to 3.10.0-957.12.2.vz7.86.2] scsi: printing lots of messages about rejected I/O causes a hard lockup and a kernel crash. (PSBM-100118)

• [3.10.0-862.9.1.vz7.63.3 to 3.10.0-957.12.2.vz7.86.2] Potential kernel crash in __radix_tree_insert() when fscache is used for NFS mounts. (PSBM-100579)

2.70.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.70.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-95.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-95.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-95.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-95.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-95.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-001.json.

2.71 Kernel update: Virtuozzo ReadyKernel patch 94.2 for Virtuozzo 7.0

Issue date: 2019-12-26

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-100

2.71.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1). NOTE: No more patches are planned for the kernel 3.10.0-693.21.1.vz7.48.2, support for which ends with this update.

2.71.2 2. Bug Fixes

• [3.10.0-693.21.1.vz7.48.2 to 3.10.0-862.11.6.vz7.64.7] sunrpc: potential kernel crash in bc_svc_process(). (PSBM-99764)

2.71.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.71.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-94.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-94.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-94.2-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-100.json.

2.72 Kernel update: Virtuozzo ReadyKernel patch 94.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-12-26

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-099

2.72.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.6 (Virtuozzo 7.0.12), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1).

2.72.2 2. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.4.2.vz7.116.7] sunrpc: potential kernel crash in bc_svc_process(). (PSBM-99764)

2.72.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.72.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.6-94.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-94.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-099.json.

2.73 Kernel update: Virtuozzo ReadyKernel patch 94.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0

Issue date: 2019-12-24

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-098

2.73.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0), 3.10.0-1062.4.2.vz7.116.6 (Virtuozzo 7.0.12), 3.10.0-1062.4.2.vz7.116.7 (Virtuozzo 7.0.12 HF1).

2.73.2 2. Bug Fixes

• [3.10.0-1062.4.2.vz7.116.6 to 3.10.0-1062.4.2.vz7.116.7] Processes could get stuck in copy_net_ns() forever. (PSBM-96057)

• [3.10.0-1062.4.2.vz7.116.6 to 3.10.0-1062.4.2.vz7.116.7] kvm: potential system hang due to an error in mmu_shrink_scan(). (PSBM-96262)

• [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1062.4.2.vz7.116.7] A bug in ploop prevented recovery of corrupted ploop images. (PSBM-100441)

• [3.10.0-1062.4.2.vz7.116.6 to 3.10.0-1062.4.2.vz7.116.7] The minimum amount of reserved free memory (vm.min_free_kbytes) was set too high by default. (VSTOR-29472)

2.73.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.73.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-94.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.6-94.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.7-94.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-098.json.

2.74 Product update: Virtuozzo 7.0 Update 12 Hotfix 1 (7.0.12-338)

Issue date: 2019-12-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-096

2.74.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0 Update 12 provides stability and usability bug fixes. It also introduces a new kernel 3.10.0-1062.4.2.vz7.116.7.

2.74.2 2. Bug Fixes

• VMs with inconsistent bitmaps could not be migrated. (PSBM-100079, PSBM-100093)

• Kernel memory leak on VM stop operation has been fixed. (PSBM-100158)

2.74.3 3. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-096.json.

2.75 Kernel update: Virtuozzo ReadyKernel patch 93.0 for Virtuozzo 7.0

Issue date: 2019-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-094

2.75.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernel 3.10.0-1062.4.2.vz7.116.6 (Virtuozzo 7.0.12).

2.75.2 2. Bug Fixes

• Memory leak in kvm: kernel structures for a VM could remain after the VM was stopped. (PSBM-100158)

2.75.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.75.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-116.6-93.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-094.json.

2.76 Important product security update: Virtuozzo 6.0 Update 12 Hotfix 49 (6.0.12-3754)

Issue date: 2019-12-06

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-093

2.76.1 1. Overview

This update provides a security and a stability fix.

2.76.2 2. Security Fixes

• [Important] libVNCServer-0.9.10 contains a memory leak in VNC server code, which may allow an attacker to read stack memory. (CVE-2019-15681, PSBM-99817)

2.76.3 3. Bug Fixes

• prl_vzvncserver_app could generate 100% CPU core load, preventing access to VNC console. (PSBM-97140)

2.76.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-093.json.

2.77 Product update: Virtuozzo 7.0 Update 12 (7.0.12-328)

Issue date: 2019-12-03

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-091

2.77.1 1. Overview

The Update 12 for Virtuozzo 7.0 provides new features as well as stability and usability bug fixes. It also introduces a new kernel 3.10.0-1062.4.2.vz7.116.6.

2.77.2 2. New Features

• Backup via reversed delta. A VM with a write-intensive workload may write to its snapshot blocks faster than they are backed up, so writing is slowed down to the backup speed. To avoid this, you can set a local directory to store intermediate temporary VM images during backup. Then, when a VM changes snapshot blocks that have not yet been backed up, a copy of them is created in this directory and the original can be rewritten without delay. Once the backup is complete, the temporary VM image is deleted.

• Support for CentOS 8 in containers and virtual machines.

2.77.3 3. Bug Fixes

• Unable to restore LUKS partition from backup if source image format is not specified. (PSBM-96303)

• A container with an NFS mount and ‘x-systemd-automount’ specified in fstab options could cause the node to hang if NFS server was inaccessible. (PSBM-98297)

• Periodical interface restart when VLAN with a bonding interface was created in the installer. (PSBM-98165)

• A container with nfsd inside could crash the node during NFS-related operations. (PSBM-97738)

• Writeback lockups could result in node hangs. (PSBM-97743)

• Nodes running Virtuozzo Storage could overload and slow down significantly due to insufficient default pagecache limit. (PSBM-94761)

• Other fixes. (PSBM-73447, PSBM-83783, PSBM-94761, PSBM-95177, PSBM-95734, PSBM-95805, PSBM-96057, PSBM-96133, PSBM-96225, PSBM-96262, PSBM-96286, PSBM-96287, PSBM-96390, PSBM-96615, PSBM-96764, PSBM-96892, PSBM-96901, PSBM-96978, PSBM-97012, PSBM-97024, PSBM-97048, PSBM-97085, PSBM-97105, PSBM-97246, PSBM-97319, PSBM-97542, PSBM-97729, PSBM-97730, PSBM-97891, PSBM-97899, PSBM-97905, PSBM-97932, PSBM-98075, PSBM-98311, PSBM-98456, PSBM-98742, PSBM-98796, PSBM-98834, PSBM-99107, PSBM-99133, PSBM-99557, PSBM-99561)

2.77.4 4. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-091.json.

2.78 Kernel update: Virtuozzo ReadyKernel patch 92.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-11-22

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-090

2.78.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.78.2 2. Bug Fixes

• [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] Kernel crash in the implementation of epoll_ctl system call. (PSBM-99557)

• [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] Kernel crash in __generic_splice_read(). (PSBM-99561)

2.78.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.78.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-92.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-92.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-090.json.

2.79 Important kernel security update: New kernel 2.6.32-042stab141.3; Virtuozzo 6.0 Update 12 Hotfix 48 (6.0.12-3753)

Issue date: 2019-11-21

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-089

2.79.1 1. Overview

This update provides a new kernel 2.6.32-042stab141.3 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.24.3.el6. The new kernel inherits security fixes.

2.79.2 2. Security Fixes

• [Important] hw: Machine Check Error on Page Size Change (IFU) (CVE-2018-12207)

• [Important] hw: Intel GPU blitter manipulation can allow for arbitrary kernel memory write (CVE-2019-0155)

• [Important] Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

• [Important] Kernel: vhost-net: guest to host kernel escape during migration (CVE-2019-14835)

• [Moderate] hw: Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154)

• [Moderate] hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135)

2.79.3 3. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-089.json.

2.80 Important kernel security update: New kernel 2.6.32-042stab141.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-11-21

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-088

2.80.1 1. Overview

This update provides a new kernel 2.6.32-042stab141.3 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.24.3.el6. The new kernel inherits security fixes.

2.80.2 2. Security Fixes

• [Important] hw: Machine Check Error on Page Size Change (IFU) (CVE-2018-12207)

• [Important] hw: Intel GPU blitter manipulation can allow for arbitrary kernel memory write (CVE-2019-0155)

• [Important] Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

• [Important] Kernel: vhost-net: guest to host kernel escape during migration (CVE-2019-14835)

• [Moderate] hw: Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154)

• [Moderate] hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135)

2.80.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-088.json.

2.81 Important kernel security update: Virtuozzo ReadyKernel patch 91.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-11-13

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-086

2.81.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.81.2 2. Security Fixes

• [Important] [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] Potential kernel crash in __tcp_retransmit_skb(). It was discovered that a local unprivileged attacker could use a specially crafted sequence of system calls to trigger either a kernel crash in __tcp_retransmit_skb() or use-after-free conditions, which could result in privilege escalation. (CVE-2019-15239)

• [Important] [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] KVM: Out-of-bounds memory access via MMIO ring buffer. An issue was found in the implementation of the coalesced MMIO write operation in KVM. The indices used to access an MMIO ring buffer could be supplied by a user-space process in the host system. An attacker with access to /dev/kvm could use this flaw to trigger out-of-bounds memory access and crash the host kernel or, potentially, escalate their privileges. (CVE-2019-14821)

2.81.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.81.4 4. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14821

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15239

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-91.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-91.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-086.json.

2.82 Important kernel security update: Virtuozzo ReadyKernel patch 90.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-11-05

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-085

2.82.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0). NOTE: No more patches are planned for the kernel 3.10.0-693.21.1.vz7.46.7, support for which ends with this update.

2.82.2 2. Security Fixes

• [Important] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Page cache side channel attacks via mincore(). It was discovered that a local attacker could exploit mincore() system call to obtain information about memory pages of the running applications from the page cache even if the contents of these memory pages were not available to the attacker. (CVE-2019-5489)

• [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] infiniband: use-after-free in ucma_leave_multicast(). It was found that ucma_leave_multicast() function from ‘rdma_ucm’ module could try to access a certain data structure after the structure had been freed. This allows an attacker to induce kernel memory corruption, leading to a system crash or other unspecified impact. (CVE-2018-14734)

2.82.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.82.4 4. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14734

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-5489

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-90.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-90.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-085.json.

2.83 Product update: Virtuozzo 6.0 Update 12 Hotfix 47 (6.0.12-3751)

Issue date: 2019-10-30

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-084

2.83.1 1. Overview

This update provides a stability and usability fix.

2.83.2 2. Bug Fixes

• prl_backup_client could continue running even after prl_backup_server had exited. This could prevent further backups from being created. (PSBM-48818)

2.83.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-084.json.

2.84 Important kernel security update: Virtuozzo ReadyKernel patch 89.2 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-10-16

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-081

2.84.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.84.2 2. Security Fixes

• [Important] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Use-after-free in __blk_drain_queue() function. It was found that a use-after-free condition could be triggered in the block device subsystem while the outstanding command queue was drained. A patient local attacker can use this flaw to crash the system or, potentially, to escalate their privileges. (CVE-2018-20856)

• [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] tun: potential kernel crash when TUNSETIFF ioctl operation is used for a device with an invalid name. (CVE-2018-7191)

• [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Certain operations with iptables in a container may crash the kernel. (PSBM-98522)

• [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] A container that tries to mount NFS shares may cause the whole system to hang in certain conditions. (PSBM-98297)

2.84.3 3. Bug Fixes

• [3.10.0-862.20.2.vz7.73.24 to 3.10.0-957.12.2.vz7.96.21] sunrpc: kernel crash in svcauth_unix_set_client(). (PSBM-97738)

• [3.10.0-957.12.2.vz7.96.21] Base ploop images containing holes could become larger than needed after merge. (PSBM-98313)

2.84.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.84.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=1716328

• https://bugzilla.redhat.com/show_bug.cgi?id=1738705

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-89.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-89.2-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-081.json.

2.85 Kernel update: New kernel 2.6.32-042stab140.4; Virtuozzo 6.0 Update 12 Hotfix 46 (6.0.12-3750)

Issue date: 2019-10-15

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-080

2.85.1 1. Overview

This update provides a new kernel 2.6.32-042stab140.4 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.18.2.el6. The new kernel includes stability and usability fixes.

2.85.2 2. Bug Fixes

• Kernel could crash with “BUG at net/ipv4/tcp_output.c” message in tcp_retransmit_skb(). (PSBM-97313)

• Firewalld failed to start in a CentOS 7.7 container due to a firewalld patch that changed how ‘nf_conntrack’ was loaded. This heuristic can be disabled per-host by using ‘sysctl kernel.ve_smnfct_enabled’. (PSBM-98041)

• Kernel could crash after failed migration or CPT restore with “BUG at kernel/cgroup.c” message in cgroup_rmdir(). (PSBM-98407, OVZ-6774, OVZ-6957, OVZ-7101)

2.85.3 3. Installing the Update

Install the update with ‘yum update’. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-080.json.

2.86 Kernel update: New kernel 2.6.32-042stab140.4 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-10-15

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-079

2.86.1 1. Overview

This update provides a new kernel 2.6.32-042stab140.4 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.18.2.el6. The new kernel includes stability and usability fixes.

2.86.2 2. Bug Fixes

• Kernel could crash with “BUG at net/ipv4/tcp_output.c” message in tcp_retransmit_skb(). (PSBM-97313)

• Kernel could crash after failed migration or CPT restore with “BUG at kernel/cgroup.c” message in cgroup_rmdir(). (PSBM-98407, OVZ-6774, OVZ-6957, OVZ-7101)

2.86.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host and switch to the new kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-079.json.

2.87 Kernel security update: Virtuozzo ReadyKernel patch 88.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-10-02

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-078

2.87.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.87.2 2. Security Fixes

• [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.86.2] megaraid_sas: potential kernel crash due to a NULL pointer dereference in megasas_free_cmds(). A flaw was found in ‘megaraid_sas’ kernel module. NULL pointer dereference can occur in megasas_free_cmds() function due to incorrect error handling in megasas_alloc_cmds(). An attacker could exploit this to trigger a kernel crash. (CVE-2019-11810)

2.87.3 3. Bug Fixes

• [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Kernel complained about busy inodes after unmount of NFS shares and crashed in certain cases. (PSBM-95177)

• [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Data corruption in the EXT4 file system when truncating the extent index blocks. (PSBM-96719)

• [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] memcg: race condition between reparenting and kmem uncharging. It was discovered that a race condition was possible between kmem uncharging and mem_cgroup_reparent_charges(). A kernel warning would be triggered as a result. (PSBM-97012)

• [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Kernel crashed in down_read() when a FUSE file system was exported via NFS. (PSBM-97905)

2.87.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.87.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11810

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-88.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-88.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-078.json.

2.88 Product update: Virtuozzo 7.0 Update 11 Hotfix 2 (7.0.11-304)

Issue date: 2019-10-01

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-077

2.88.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0.11 fixes a usability issue.

2.88.2 2. Bug Fixes

• Firewalld failed to start in a CentOS 7.7 container due to a firewalld patch that changed how ‘nf_conntrack’ was loaded. (PSBM-98041)

2.88.3 3. Installing the Update

Install the update by running ‘yum update’. After that either restart the ‘vz’ service with ‘systemctl restart vz’ or reboot the node.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-077.json.

2.89 Kernel security update: Virtuozzo ReadyKernel patch 88.0 for Virtuozzo 7.0.7

Issue date: 2019-10-01

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-076

2.89.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernel 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7). NOTE: No more patches are planned for this kernel, support for which ends with this update.

2.89.2 2. Security Fixes

• [Moderate] megaraid_sas: potential kernel crash due to a NULL pointer dereference in megasas_free_cmds(). A flaw was found in ‘megaraid_sas’ kernel module. NULL pointer dereference can occur in megasas_free_cmds() function due to incorrect error handling in megasas_alloc_cmds(). An attacker could exploit this to trigger a kernel crash. (CVE-2019-11810)

2.89.3 3. Bug Fixes

• memcg: race condition between reparenting and kmem uncharging. It was discovered that a race condition was possible between kmem uncharging and mem_cgroup_reparent_charges(). A kernel warning would be triggered as a result. (PSBM-97012)

2.89.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.89.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11810

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-88.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-076.json.

2.90 Important kernel security update: Virtuozzo ReadyKernel patch 87.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-09-23

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-074

2.90.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported kernels of Virtuozzo 7.0 and Virtuozzo Infrastructure Platform.

2.90.2 2. Security Fixes

• [Important] [3.10.0-693.17.1.vz7.43.10 to 3.10.0-957.12.2.vz7.96.21] vhost-net: guest to host kernel escape during migration. A buffer overflow vulnerability was found in the networking virtualization functionality (vhost-net) that could be abused during live migration of virtual machines. A privileged guest user may pass descriptors with invalid length to the host when live migration is underway to crash the host kernel or, potentially, escalate their privileges on the host. (CVE-2019-14835)

2.90.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.90.4 4. References

• https://access.redhat.com/security/vulnerabilities/kernel-vhost

• https://bugzilla.redhat.com/show_bug.cgi?id=1750727

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-87.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-87.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-074.json.

2.91 Kernel update: Virtuozzo ReadyKernel patch 86.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0

Issue date: 2019-09-23

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-073

2.91.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernel 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.91.2 2. Bug Fixes

• Ploop image could grow over its limits in certain cases. (PSBM-97319)

2.91.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.91.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-86.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-073.json.

2.92 Kernel update: Virtuozzo ReadyKernel patch 85.1 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0

Issue date: 2019-08-22

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-069

2.92.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to the kernel 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.92.2 2. Bug Fixes

• ploop: resize operation could fail due to an incorrect check in ploop1_allocate(). (PSBM-96919)

2.92.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.92.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-85.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-069.json.

2.93 Important kernel security update: Virtuozzo ReadyKernel patch 85.0 for Virtuozzo 7.0.7 to 7.0.10 HF1 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-08-20

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-068

2.93.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7), 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1).

2.93.2 2. Security Fixes

• [Important] tcp: integer overflow while processing SACK blocks allows remote denial of service. An integer overflow was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes. To efficiently process SACK blocks, the Linux kernel merges multiple fragmented SKBs into one, potentially overflowing the variable holding the number of segments. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS, resulting in a denial of service. (CVE-2019-11477)

• [Moderate] nfs: NULL pointer dereference due to an anomalized NFS message sequence. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost. (CVE-2018-16871)

2.93.3 3. Bug Fixes

• vziolimit: kernel crash due to a division by zero in throttle_charge(). (PSBM-95815)

• kvm: potential system hang due to an error in mmu_shrink_scan(). (PSBM-96262)

• The warning in mem_cgroup_reparent_charges() was triggered too early and too often in certain cases. (PSBM-96533)

2.93.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.93.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16871

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11477

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-85.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-85.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-068.json.

2.94 Important kernel security update: New kernel 2.6.32-042stab140.1; Virtuozzo 6.0 Update 12 Hotfix 45 (6.0.12-3747)

Issue date: 2019-08-19

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-067

2.94.1 1. Overview

This update provides a new kernel 2.6.32-042stab140.1 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.18.2.el6. The new kernel inherits security fixes from the RHEL kernel and features internal fixes.

2.94.2 2. Security Fixes

• [Important] A new software page cache side channel attack scenario was discovered in operating systems that implement the very common ‘page cache’ caching mechanism. A malicious user/process could use ‘in memory’ page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel. (CVE-2019-5489)

• [Moderate] The Salsa20 encryption algorithm in the Linux kernel, before 4.14.8, does not correctly handle zero-length inputs. This allows a local attacker the ability to use the AF_ALG-based skcipher interface to cause a denial of service (uninitialized-memory free and kernel crash) or have an unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 are vulnerable. (CVE-2017-17805)

• [Moderate] An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. (CVE-2018-17972)

• [Moderate] A Spectre gadget was found in the Linux kernel’s implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel. (CVE-2019-1125)

• [Moderate] A flaw was found in the Linux kernel, prior to version 5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c, where a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds(). An attacker can crash the system if they were able to load the megaraid_sas kernel module and groom memory beforehand, leading to a denial of service (DoS), related to a use-after-free. (CVE-2019-11810, PSBM-94467)

2.94.3 3. Bug Fixes

• Under certain conditions, host can crash in posix_cpu_timer_del(). Kernels from 2.6.32-042stab109.5 are affected. (PSBM-96868)

2.94.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

2.94.5 5. References

• https://access.redhat.com/errata/RHSA-2019:2473

• https://access.redhat.com/errata/RHBA-2019:1651

• https://www.redhat.com/security/data/cve/CVE-2017-17805.html

• https://www.redhat.com/security/data/cve/CVE-2018-17972.html

• https://www.redhat.com/security/data/cve/CVE-2019-1125.html

• https://www.redhat.com/security/data/cve/CVE-2019-5489.html

• https://www.redhat.com/security/data/cve/CVE-2019-11810.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-067.json.

2.95 Important kernel security update: New kernel 2.6.32-042stab140.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-08-19

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-066

2.95.1 1. Overview

This update provides a new kernel 2.6.32-042stab140.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.18.2.el6. The new kernel inherits security fixes from the RHEL kernel and features internal fixes.

2.95.2 2. Security Fixes

• [Important] A new software page cache side channel attack scenario was discovered in operating systems that implement the very common ‘page cache’ caching mechanism. A malicious user/process could use ‘in memory’ page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel. (CVE-2019-5489)

• [Moderate] The Salsa20 encryption algorithm in the Linux kernel, before 4.14.8, does not correctly handle zero-length inputs. This allows a local attacker the ability to use the AF_ALG-based skcipher interface to cause a denial of service (uninitialized-memory free and kernel crash) or have an unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 are vulnerable. (CVE-2017-17805)

• [Moderate] An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. (CVE-2018-17972)

• [Moderate] A Spectre gadget was found in the Linux kernel’s implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel. (CVE-2019-1125)

• [Moderate] A flaw was found in the Linux kernel, prior to version 5.0.7, in drivers/scsi/megaraid/megaraid_sas_base.c, where a NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds(). An attacker can crash the system if they were able to load the megaraid_sas kernel module and groom memory beforehand, leading to a denial of service (DoS), related to a use-after-free. (CVE-2019-11810, PSBM-94467)

2.95.3 3. Bug Fixes

• Under certain conditions, host can crash in posix_cpu_timer_del(). Kernels from 2.6.32-042stab109.5 are affected. (PSBM-96868)

2.95.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.95.5 5. References

• https://access.redhat.com/errata/RHSA-2019:2473

• https://access.redhat.com/errata/RHBA-2019:1651

• https://www.redhat.com/security/data/cve/CVE-2017-17805.html

• https://www.redhat.com/security/data/cve/CVE-2018-17972.html

• https://www.redhat.com/security/data/cve/CVE-2019-1125.html

• https://www.redhat.com/security/data/cve/CVE-2019-5489.html

• https://www.redhat.com/security/data/cve/CVE-2019-11810.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-066.json.

2.96 Product update: Virtuozzo 7.0 Update 11 Hotfix 1 (7.0.11-303)

Issue date: 2019-08-14

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-065

2.96.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0.11 adds a new feature.

2.96.2 2. New Features

• Ability to use Debian 10 as a guest operating system in both containers and virtual machines.

2.96.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-065.json.

2.97 Kernel security update: Virtuozzo ReadyKernel patch 85.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 3.0

Issue date: 2019-08-13

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-064

2.97.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernel 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).

2.97.2 2. Security Fixes

• [Moderate] nfs: NULL pointer dereference due to an anomalized NFS message sequence. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS server. Any outstanding disk writes to the NFS server will be lost. (CVE-2018-16871)

2.97.3 3. Bug Fixes

• vziolimit: kernel crash due to a division by zero in throttle_charge(). (PSBM-95815)

• kvm: potential system hang due to an error in mmu_shrink_scan(). (PSBM-96262)

• The warning in mem_cgroup_reparent_charges() was triggered too early and too often in certain cases. (PSBM-96533)

2.97.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.97.5 5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16871

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-85.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-064.json.

2.98 Product update: Virtuozzo 6.0 Update 12 Hotfix 44 (6.0.12-3746)

Issue date: 2019-08-09

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-063

2.98.1 1. Overview

The Hotfix 44 for Virtuozzo 6.0.12 fixes a security issue.

2.98.2 2. Security Fixes

• [Critical] Fixed possible corruption of VM configuration after restoration from backup by means of third-party solutions. The built-in backup restoration tool ‘prlctl restore’ is not affected. User data inside restored VMs is not affected. (PSBM-96909)

2.98.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-063.json.

2.99 Kernel update: Virtuozzo ReadyKernel patch 84.1 for Virtuozzo 7.0.11

Issue date: 2019-07-31

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-060

2.99.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernel 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11).

2.99.2 2. Bug Fixes

• pcompact operation is much slower for the containers on Virtuozzo Storage than for the ones stored locally. (PSBM-95772)

• Processes could get stuck in copy_net_ns() forever. (PSBM-96057)

• Storage: certain errors in CS caused by power failures were not handled properly. It was discovered that if a file located on Virtuozzo Storage cluster was reopened, the kernel could reuse its mappings without notifying MDS. As a result, if errors were then detected on a CS, for example, caused by power failures, the userspace components would be unable to handle them properly. (VSTOR-24004)

2.99.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.99.4 4. References

• readykernel-patch-96.21-84.1-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-060.json.

2.100 Product update: Virtuozzo 7.0 Update 11 (7.0.11-293)

Issue date: 2019-07-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-059

2.100.1 1. Overview

The Update 11 for Virtuozzo 7.0 provides new features as well as stability and usability bug fixes. It also introduces a new kernel 3.10.0-957.12.2.vz7.96.21.

2.100.2 2. New Features

• Experimental support for AMD EPYC processors.

• Reduced pagecache usage during backup operations.

• Ability to assign host USB devices to guests. You can now assign a USB device to a VM and it will be automatically connected to the VM when attached to the host or when the VM starts.

• Support of Secure Boot for virtual machines. Secure Boot ensures that only trusted software components signed by the Original Equipment Manufacturer (OEM) are loaded during the boot process. Secure Boot is supported in Virtuozzo 7 virtual machines running the following operating systems: Windows Server 2012 and newer, CentOS 7, Ubuntu 14.04 LTS and newer.

• Ability to convert VMWare VM images to Virtuozzo format with ‘virt-v2v’. For more information, see https://virtuozzosupport.force.com/s/article/000017245.

• A new way to authenticate in running virtual machines via guest tools for PowerPanel users.

• Ability to increase the size of virtual disks of running VMs. You can now use the command ‘prlctl set MyVM --device-set HDD --size SIZE --no-fs-resize’ to increase the size of running virtual machines’ disks.

• Real-time restore of backed up VMs. To make a VM available faster after restore, you can restore it live with the ‘prlctl restore MyVM --live’ command. The restored VM will be started right after the restore process is launched and the data from the backup will be copied from cold to hot storage in the background.

• You can now allow a container to manage time on the host by using the ‘prlctl set MyCT --features time:on’ command.

• Native discard support in ploop enabling automatic discard requests on all ext4 filesystems over ploop block devices, except containers running on Virtuozzo Storage.

2.100.3 3. Bug Fixes

• Under certain circumstances, a VM with IDE disks could crash or corrupt guest data (during migration or snapshot operations). (PSBM-82223)

• journald may get stuck, waiting endlessly for “--verify” to complete, stalling services in a non-operable state. (PSBM-93924)

• It was found that the memcg ID number of a cgroup was released earlier than needed and could then be reused by a different cgroup. As a result, certain reference counters could be corrupted, leading to a kernel crash in memcg_css_release_check_kmem(). (PSBM-94269)

• Storage services may not have enough RAM if at least one virtual environment exists on host. To work around the issue, you can tweak the “StorageCacheLimitTotal” parameter in ‘/etc/vz/vcmmd.conf’. (PSBM-94761)

• Live migration of a VM without shared storage fails with “Input/output error”. (PSBM-95071)

• Other fixes. (PSBM-90278, PSBM-90319, PSBM-91520, PSBM-92070, PSBM-92102, PSBM-92934, PSBM-93339, PSBM-93495, PSBM-93526, PSBM-93584, PSBM-93785, PSBM-93813, PSBM-93850, PSBM-93872, PSBM-93893, PSBM-93926, PSBM-93934, PSBM-93982, PSBM-94081, PSBM-94227, PSBM-94245, PSBM-94263, PSBM-94270, PSBM-94321, PSBM-94322, PSBM-94375, PSBM-94457, PSBM-94520, PSBM-94580, PSBM-94581, PSBM-94727, PSBM-95066, PSBM-95077, PSBM-95187, PSBM-95397, PSBM-95398, PSBM-95413, PSBM-95432, PSBM-95571, PSBM-95607, PSBM-95717, PSBM-95737, PSBM-95777, PSBM-95788, PSBM-95870, PSBM-95922, PSBM-95959, PSBM-95979, PSBM-96072, PSBM-96157, PSBM-96187)

2.100.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-060.json.

2.101 Kernel update: Virtuozzo ReadyKernel patch 84.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform kernels

Issue date: 2019-07-23

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-058

2.101.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo 7.0 and Virtuozzo Infrastructure Platform. NOTE: No more patches are planned for the kernel 3.10.0-693.11.6.vz7.40.4, support for which ends with this update.

2.101.2 2. Bug Fixes

• [3.10.0-693.11.6.vz7.40.4 to 3.10.0-957.12.2.vz7.86.2] Processes could get stuck in copy_net_ns() forever. (PSBM-96057)

• [3.10.0-862.9.1.vz7.63.3 to 3.10.0-957.12.2.vz7.86.2] fuse_kio_pcs: kernel crash in pcs_sockio_xmit(). (VSTOR-21044)

2.101.3 3. Installing the Update

Install the update by running ‘yum update’.

2.101.4 4. References

• readykernel-patch-40.4-84.0-1.vl7

• readykernel-patch-43.10-84.0-1.vl7

• readykernel-patch-46.7-84.0-1.vl7

• readykernel-patch-48.2-84.0-1.vl7

• readykernel-patch-63.3-84.0-1.vl7

• readykernel-patch-64.7-84.0-1.vl7

• readykernel-patch-73.24-84.0-1.vl7

• readykernel-patch-73.29-84.0-1.vl7

• readykernel-patch-85.17-84.0-1.vl7

• readykernel-patch-86.2-84.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-058.json.

2.102 Kernel update: Virtuozzo ReadyKernel patch 83.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform kernels

Issue date: 2019-07-12

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-057

2.102.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported kernels of Virtuozzo 7.0 and Virtuozzo Infrastructure Platform.

2.102.2 2. Bug Fixes

• [3.10.0-862.9.1.vz7.63.3 to 3.10.0-957.12.2.vz7.86.2] It was found that the in-kernel implementation of Virtuozzo Storage client stored latency values in milliseconds rather than in microseconds, resulting in bogus statistics data. (PSBM-94882)

• [3.10.0-957.10.1.vz7.85.17 and 3.10.0-957.12.2.vz7.86.2] It was discovered that a race could happen between removal of memcg and workingset_refault() running in parallel. This could result in a kernel crash in memcg_inc_ws_activate(). (PSBM-95700)

• [All but 3.10.0-957.12.2.vz7.96.17] It was discovered that a node with dozens of CPU cores, lots of RAM and many VMs running could get into a situation when almost all CPU cores were busy in mmu_shrink_scan(). This could happen because memory shrinking was done under kvm_lock spinlock and only for one VM at a time. All CPU cores but one just waited for kvm_lock in such cases, while the last one was busy with the actual memory shrinking for a VM. (PSBM-95077)

• mem_cgroup_reparent_charges() could get stuck while holding cgroup_mutex and make the whole system hang. (VSTOR-24241)

2.102.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.102.4 4. References

• readykernel-patch-40.4-83.0-1.vl7

• readykernel-patch-43.10-83.0-1.vl7

• readykernel-patch-46.7-83.0-1.vl7

• readykernel-patch-48.2-83.0-1.vl7

• readykernel-patch-63.3-83.0-1.vl7

• readykernel-patch-64.7-83.0-1.vl7

• readykernel-patch-73.24-83.0-1.vl7

• readykernel-patch-73.29-83.0-1.vl7

• readykernel-patch-85.17-83.0-1.vl7

• readykernel-patch-86.2-83.0-1.vl7

• readykernel-patch-96.17-83.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-057.json.

2.103 Kernel update: Virtuozzo ReadyKernel patch 82.2 for Virtuozzo 7.0.8 HF1 and 7.0.10 HF1

Issue date: 2019-06-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-053

2.103.1 1. Overview

The fixes for CVE-2019-11477 and CVE-2019-11478 released in the ReadyKernel patch 82.0 turned out to cause network-related issues. These fixes are removed in this ReadyKernel patch for the kernels 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1) and 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1). Until the issues with the kernel fixes are resolved, you may consider other mitigations for CVE-2019-11477 and CVE-2019-11478, outlined at the referenced link: either disable selective acknowledgments system-wide for TCP connections, or use iptables to drop connections with an MSS size that may allow the vulnerability to be exploited. In addition, the patch fixes a stability issue.
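
A host that has this patch applied no longer carries the kernel fixes, so it is worth confirming that one of the two interim mitigations is actually in place. The script below is an added example, not Virtuozzo's code; the function names, the constructed sample rulesets and the default MSS upper bound of 500 are assumptions to adjust to your own policy.

```shell
#!/bin/sh
# Audit the two interim SACK mitigations from saved or live host state.
# On a live host (as root):
#   audit_sack_mitigation "$(cat /proc/sys/net/ipv4/tcp_sack)" "$(iptables-save)"

# Returns 0 if the given net.ipv4.tcp_sack value means SACK is disabled.
sack_disabled() {
    [ "$1" = "0" ]
}

# Returns 0 if the ruleset (iptables-save format) contains an INPUT rule that
# drops TCP packets whose MSS lies in a range starting at <=1 and reaching at
# least min_upper (assumed default: 500). Negated matches (! --mss) are ignored.
has_low_mss_drop() {
    ruleset=$1
    min_upper=${2:-500}
    printf '%s\n' "$ruleset" | awk -v need="$min_upper" '
        /^-A INPUT / && /-p tcp/ && /-m tcpmss/ && /-j DROP/ {
            for (i = 1; i < NF; i++) {
                if ($i == "--mss" && $(i - 1) != "!") {
                    n = split($(i + 1), r, ":")
                    lo = r[1]
                    hi = (n == 2) ? r[2] : r[1]
                    if (lo + 0 <= 1 && hi + 0 >= need + 0) found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Prints a one-line verdict; returns 0 if either mitigation is present.
# $1 = tcp_sack value, $2 = iptables-save text, $3 = optional MSS upper bound.
audit_sack_mitigation() {
    if sack_disabled "$1"; then
        echo "mitigated: SACK disabled"
        return 0
    fi
    if has_low_mss_drop "$2" "${3:-500}"; then
        echo "mitigated: low-MSS drop rule"
        return 0
    fi
    echo "NOT mitigated"
    return 1
}

# Constructed sample rulesets (not captured from a real host).
SAMPLE_RULES_MITIGATED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

SAMPLE_RULES_TOO_NARROW='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:100 -j DROP
COMMIT'

SAMPLE_RULES_PLAIN='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Demo on the constructed samples: SACK enabled, with and without a drop rule.
audit_sack_mitigation 1 "$SAMPLE_RULES_MITIGATED" || true
audit_sack_mitigation 1 "$SAMPLE_RULES_PLAIN" || true
```

The check only reads state; it does not change sysctl values or firewall rules, and it does not inspect ip6tables or nftables rulesets.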

2.103.2 2. Bug Fixes

• It was possible that two or more versions of ReadyKernel patches for the same kernel were installed and loaded at the same time. This could lead to kernel crashes. (PSBM-95718)

2.103.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.103.4 4. References

• https://access.redhat.com/security/vulnerabilities/tcpsack

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-053.json.

2.104 Important kernel security update: New kernel 2.6.32-042stab139.1; Virtuozzo 6.0 Update 12 Hotfix 43 (6.0.12-3743)

Issue date: 2019-06-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-052

2.104.1 1. Overview

This update provides a new kernel 2.6.32-042stab139.1 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.15.3.el6. The new kernel inherits security fixes for SACK-related issues in the TCP stack as well as a few improvements for the MDS vulnerability patches.

2.104.2 2. Security Fixes

• [Important] A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). (CVE-2019-3896)

• [Important] An integer overflow flaw was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes. To efficiently process SACK blocks, the Linux kernel merges multiple fragmented SKBs into one, potentially overflowing the variable holding the number of segments. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS, resulting in a denial of service (DoS). (CVE-2019-11477)

• [Moderate] tcp: excessive resource consumption while processing SACK blocks allows remote denial of service. (CVE-2019-11478)

• [Moderate] tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service. (CVE-2019-11479)

2.104.3 3. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

2.104.4 4. References

• https://access.redhat.com/errata/RHSA-2019:1488

• https://www.redhat.com/security/data/cve/CVE-2019-11477.html

• https://www.redhat.com/security/data/cve/CVE-2019-11478.html

• https://www.redhat.com/security/data/cve/CVE-2019-11479.html

• https://www.redhat.com/security/data/cve/CVE-2019-3896.html

• https://access.redhat.com/security/vulnerabilities/tcpsack

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-052.json.

2.105 Important kernel security update: New kernel 2.6.32-042stab139.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-06-20

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-051

2.105.1 1. Overview

This update provides a new kernel 2.6.32-042stab139.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.15.3.el6. The new kernel inherits security fixes for SACK-related issues in the TCP stack as well as a few improvements for the MDS vulnerability patches.

2.105.2 2. Security Fixes

• [Important] A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS). (CVE-2019-3896)

• [Important] An integer overflow flaw was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes. To efficiently process SACK blocks, the Linux kernel merges multiple fragmented SKBs into one, potentially overflowing the variable holding the number of segments. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS, resulting in a denial of service (DoS). (CVE-2019-11477)

• [Moderate] tcp: excessive resource consumption while processing SACK blocks allows remote denial of service. (CVE-2019-11478)

• [Moderate] tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service. (CVE-2019-11479)

2.105.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.105.4 4. References

• https://access.redhat.com/errata/RHSA-2019:1488

• https://www.redhat.com/security/data/cve/CVE-2019-11477.html

• https://www.redhat.com/security/data/cve/CVE-2019-11478.html

• https://www.redhat.com/security/data/cve/CVE-2019-11479.html

• https://www.redhat.com/security/data/cve/CVE-2019-3896.html

• https://access.redhat.com/security/vulnerabilities/tcpsack

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-051.json.

2.106 Important kernel security update: Virtuozzo ReadyKernel patch 82.0 for all supported Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5 kernels

Issue date: 2019-06-20

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-050

2.106.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to all supported kernels of Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5.

2.106.2 2. Security Fixes

• [Important] An integer overflow was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes. To efficiently process SACK blocks, the Linux kernel merges multiple fragmented SKBs into one, potentially overflowing the variable holding the number of segments. A remote attacker could use this flaw to crash the Linux kernel by sending a crafted sequence of SACK segments on a TCP connection with a small value of TCP MSS, resulting in a denial of service. (CVE-2019-11477)

• [Moderate] An excessive resource consumption issue was found in the way the Linux kernel’s networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel’s socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection. (CVE-2019-11478)

2.106.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.106.4 4. References

• readykernel-patch-40.4-82.0-1.vl7

• readykernel-patch-43.10-82.0-1.vl7

• readykernel-patch-46.7-82.0-1.vl7

• readykernel-patch-48.2-82.0-1.vl7

• readykernel-patch-63.3-82.0-1.vl7

• readykernel-patch-64.7-82.0-1.vl7

• readykernel-patch-73.24-82.0-1.vl7

• readykernel-patch-73.29-82.0-1.vl7

• readykernel-patch-85.17-82.0-1.vl7

• readykernel-patch-86.2-82.0-1.vl7

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11477

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11478

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-050.json.

2.107 Kernel update: Virtuozzo ReadyKernel patch 81.0 for Virtuozzo 7.0.9 to 7.0.10 HF1 as well as Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-06-14

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-049

2.107.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), and 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1).

2.107.2 2. Bug Fixes

• If the amount of free memory is low, OOM killer would kill the tasks from cgroups without memory guarantees first. However, it seems more reasonable to kill the tasks from cgroups which exceed their guarantees the most. (VSTOR-22575)

• Processes could hang while closing a file located on the storage cluster. (VSTOR-23689)

2.107.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.107.4 4. References

• readykernel-patch-73.29-81.0-1.vl7

• readykernel-patch-85.17-81.0-1.vl7

• readykernel-patch-86.2-81.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-049.json.

2.108 Virtuozzo ReadyKernel patch 81.0 for Virtuozzo 7.0.6 HF3 to 7.0.9 as well as Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-06-13

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-048

2.108.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3), 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7), 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), and 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5).

2.108.2 2. Bug Fixes

• If the amount of free memory is low, OOM killer would kill the tasks from cgroups without memory guarantees first. However, it seems more reasonable to kill the tasks from cgroups which exceed their guarantees the most. (VSTOR-22575)

2.108.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.108.4 4. References

• readykernel-patch-40.4-81.0-1.vl7

• readykernel-patch-43.10-81.0-1.vl7

• readykernel-patch-46.7-81.0-1.vl7

• readykernel-patch-48.2-81.0-1.vl7

• readykernel-patch-63.3-81.0-1.vl7

• readykernel-patch-64.7-81.0-1.vl7

• readykernel-patch-73.24-81.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-048.json.

2.109 Product update: Virtuozzo 6.0 Update 12 Hotfix 42 (6.0.12-3742)

Issue date: 2019-06-13

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-047

2.109.1 1. Overview

This update provides a stability fix.

2.109.2 2. Bug Fixes

• Increased stability of license update process. (PSBM-95243)

2.109.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-047.json.

2.110 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.7 to 7.0.8

Issue date: 2019-06-03

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-046

2.110.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7), 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8).

2.110.2 2. Security Fixes

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)

• [Important] A use-after-free vulnerability was found in the way KVM emulates a timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

2.110.3 3. Bug Fixes

• virtio_scsi: a race condition in the Linux block layer could cause certain I/O requests to hang. (PSBM-92312)

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• ploop: kernel crash in ploop_congested(). (PSBM-94270)

• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

2.110.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.110.5 5. References

• readykernel-patch-43.10-80.0-1.vl7

• readykernel-patch-46.7-80.0-1.vl7

• readykernel-patch-48.2-80.0-1.vl7

• readykernel-patch-63.3-80.0-1.vl7

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-046.json.

2.111 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.6 and 7.0.6 HF3

Issue date: 2019-06-03

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-045

2.111.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3). NOTE: No more patches are planned for kernel 3.10.0-693.1.1.vz7.37.30, support for which ends with this update.

2.111.2 2. Security Fixes

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)

• [Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

2.111.3 3. Bug Fixes

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• ploop: kernel crash in ploop_congested(). (PSBM-94270)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

2.111.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.111.5 5. References

• readykernel-patch-37.30-77.0-1.vl7

• readykernel-patch-40.4-77.0-1.vl7

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-045.json.

2.112 Kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 10 HF1

Issue date: 2019-05-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-044

2.112.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernel 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0 Update 10 HF1).

2.112.2 2. Security Fixes

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

2.112.3 3. Bug Fixes

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

2.112.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.112.5 5. References

• readykernel-patch-86.2-80.0-1.vl7.x86_64.rpm

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-044.json.

2.113 Kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 10

Issue date: 2019-05-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-043

2.113.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernel 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0 Update 10).

2.113.2 2. Security Fixes

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

2.113.3 3. Bug Fixes

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• ploop: kernel crash in ploop_congested(). (PSBM-94270)

• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

2.113.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.113.5 5. References

• readykernel-patch-85.17-80.0-1.vl7.x86_64.rpm

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-043.json.

2.114 Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-05-30

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-042

2.114.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 and 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5).

2.114.2 2. Security Fixes

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)

• [Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)

• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

2.114.3 3. Bug Fixes

• virtio_scsi: a race condition in the Linux block layer could cause certain I/O requests to hang. (PSBM-92312)

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)

• ploop: kernel crash in ploop_congested(). (PSBM-94270)

• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)

• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

2.114.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.114.5 5. References

• readykernel-patch-64.7-80.0-1.vl7.x86_64.rpm

• readykernel-patch-73.24-80.0-1.vl7.x86_64.rpm

• readykernel-patch-73.29-80.0-1.vl7.x86_64.rpm

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-042.json.

2.115 Product update: Virtuozzo 6.0 Update 12 Hotfix 41 (6.0.12-3741)

Issue date: 2019-05-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-040

2.115.1 1. Overview

This update provides -related fixes for the Microarchitectural Store Buffer Data (MDS) vulnerability as well as a stability fix.

2.115.2 2. Security Fixes

• [Important] The Microarchitectural Store Buffer Data (MDS) is a series of hardware vulnerabilities which allow speculative execution attacks on Intel processors. A malicious application or guest virtual machine can use this flaw to gain access to data stored in internal CPU buffers, bypassing security restrictions. For more details, visit the Virtuozzo Blog. (PSBM-94407)

2.115.3 3. Bug Fixes

• Guest tools installation could fail on Ubuntu with 4.4.0-145 kernel due to an issue in get_user_pages. (PSBM-93867)

2.115.4 4. Installing the Update

Install the update by running ‘yum update’. If you use CPU pools, additional actions are required to mitigate the MDS vulnerability: for a custom CPU pool, run ‘cpupools recalc ‘; if you use the default CPU pool, move your nodes to a custom CPU pool as described in chapter 9 of the Virtuozzo User’s Guide.

2.115.5 5. References

• https://access.redhat.com/security/vulnerabilities/mds

• https://www.virtuozzo.com/blog-review/details/blog/view/virtuozzo-guidance-on-the-microarchitectural-store-buffer-data-mds-vulnerability.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-040.json.

2.116 Product update: Virtuozzo 7.0 Update 10 Hotfix 1 (7.0.10-320)

Issue date: 2019-05-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-039

2.116.1 1. Overview

Hotfix 1 for Virtuozzo 7.0.10 mitigates the Microarchitectural Store Buffer Data (MDS) vulnerability and provides stability and usability bug fixes.

2.116.2 2. Security Fixes

• [Important] The Microarchitectural Store Buffer Data (MDS) is a series of hardware vulnerabilities which allow speculative execution attacks on Intel processors. A malicious application or guest virtual machine can use this flaw to gain access to data stored in internal CPU buffers, bypassing security restrictions. For more details, visit the Virtuozzo Blog. (PSBM-94407)

2.116.3 3. Bug Fixes

• VM might not be resumed after live migration to a host with insufficient CPU features. (PSBM-93848)

• prl_disk_tool compact could fail to work with an error in get_discard_granularity. (PSBM-94168)

• Temporary disk snapshots could remain unmerged after live-migrating a VM located on shared storage. (PSBM-94264)

• pcompact/trim could fail to work for container disks located on shared storage with an error in get_discard_granularity. (PSBM-94425)

2.116.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the host. If you use CPU pools, additional actions are required to mitigate the MDS vulnerability: for a custom CPU pool, run ‘cpupools recalc’; if you use the default CPU pool, move your nodes to a custom CPU pool as described in section 8.6.1 of the Virtuozzo User’s Guide.

2.116.5 5. References

• https://access.redhat.com/security/vulnerabilities/mds

• https://www.virtuozzo.com/blog-review/details/blog/view/virtuozzo-guidance-on-the-microarchitectural-store-buffer-data-mds-vulnerability.html

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-039.json.

2.117 Kernel update: Virtuozzo ReadyKernel patch 79.0 for Virtuozzo 7.0 Update 10

Issue date: 2019-05-16

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-038

2.117.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernel 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0 Update 10).

2.117.2 2. Bug Fixes

• It was found that the memcg ID number of a cgroup was released earlier than needed and could be reused by a different cgroup. As a result, certain reference counters could become corrupted, leading to a kernel crash in memcg_css_release_check_kmem(). (PSBM-94269)

• Freeing of a memory cgroup took longer than needed in certain cases. (PSBM-94398)

2.117.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.117.4 4. References

• readykernel-patch-85.17-79.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-038.json.

2.118 Important kernel security update: New kernel 2.6.32-042stab138.1; Virtuozzo 6.0 Update 12 Hotfix 40 (6.0.12-3739)

Issue date: 2019-05-16

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-037

2.118.1 1. Overview

This update provides a new kernel 2.6.32-042stab138.1 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.14.2.el6. The new kernel inherits security fixes for the Microarchitectural Store Buffer Data (MDS) vulnerability from the RHEL kernel.

2.118.2 2. Security Fixes

• [Important] A flaw was found in the implementation of the ‘fill buffer’, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. (CVE-2018-12130)

• [Moderate] Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the ‘processor store buffer’. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU’s processor store buffer. (CVE-2018-12126)

• [Moderate] Microprocessors use a ‘load port’ subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU’s pipelines. Stale load operations results are stored in the ‘load port’ table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)

• [Moderate] Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)

2.118.3 3. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

2.118.4 4. References

• https://access.redhat.com/errata/RHSA-2019:1169

• https://www.redhat.com/security/data/cve/CVE-2018-12126.html

• https://www.redhat.com/security/data/cve/CVE-2018-12127.html

• https://www.redhat.com/security/data/cve/CVE-2018-12130.html

• https://www.redhat.com/security/data/cve/CVE-2019-11091.html

• https://access.redhat.com/security/vulnerabilities/mds

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-037.json.

2.119 Important kernel security update: New kernel 2.6.32-042stab138.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-05-16

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-036

2.119.1 1. Overview

This update provides a new kernel 2.6.32-042stab138.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.14.2.el6. The new kernel inherits security fixes for the Microarchitectural Store Buffer Data (MDS) vulnerability from the RHEL kernel.

2.119.2 2. Security Fixes

• [Important] A flaw was found in the implementation of the ‘fill buffer’, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. (CVE-2018-12130)

• [Moderate] Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the ‘processor store buffer’. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU’s processor store buffer. (CVE-2018-12126)

• [Moderate] Microprocessors use a ‘load port’ subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU’s pipelines. Stale load operations results are stored in the ‘load port’ table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)

• [Moderate] Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)

2.119.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.119.4 4. References

• https://access.redhat.com/errata/RHSA-2019:1169

• https://www.redhat.com/security/data/cve/CVE-2018-12126.html

• https://www.redhat.com/security/data/cve/CVE-2018-12127.html

• https://www.redhat.com/security/data/cve/CVE-2018-12130.html

• https://www.redhat.com/security/data/cve/CVE-2019-11091.html

• https://access.redhat.com/security/vulnerabilities/mds

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-036.json.

2.120 Kernel update: Virtuozzo ReadyKernel patch 78.0 for Virtuozzo 7.0 Updates 9, 10 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-05-13

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-035

2.120.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.24 and 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5) and 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0 Update 10).

2.120.2 2. Bug Fixes

• I/O errors were reported after a successful replacement of the ploop images. (VSTOR-22272)

• It was found that if a ploop image was revoked and then replaced using ‘ploop replace’, ‘abort’ flag was not cleared. As a result, subsequent I/O operations would fail. (VSTOR-22414)

2.120.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.120.4 4. References

• readykernel-patch-73.24-78.0-1.vl7

• readykernel-patch-73.29-78.0-1.vl7

• readykernel-patch-85.17-78.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-035.json.

2.121 Important kernel security update: New kernel 2.6.32-042stab137.1; Virtuozzo 6.0 Update 12 Hotfix 39 (6.0.12-3738)

Issue date: 2019-04-30

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-033

2.121.1 1. Overview

This update provides a new kernel 2.6.32-042stab137.1 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.12.1.el6. The new kernel introduces security and stability fixes.

2.121.2 2. Security Fixes

• [Important] A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be. (CVE-2018-13405)

2.121.3 3. Bug Fixes

• Minor ploop improvements.

2.121.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

2.121.5 5. References

• https://access.redhat.com/errata/RHSA-2019:0717

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-033.json.

2.122 Important kernel security update: New kernel 2.6.32-042stab137.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-04-30

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-032

2.122.1 1. Overview

This update provides a new kernel 2.6.32-042stab137.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.12.1.el6. The new kernel introduces security and stability fixes.

2.122.2 2. Security Fixes

• [Important] A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be. (CVE-2018-13405)

2.122.3 3. Bug Fixes

• Minor ploop improvements.

2.122.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.122.5 5. References

• https://access.redhat.com/errata/RHSA-2019:0717

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-032.json.

2.123 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0.7 HF2 to 7.0.8 HF1

Issue date: 2019-04-25

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-031

2.123.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), and 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1).

2.123.2 2. Bug Fixes

• If some process held the CPU cgroup of a container while the container was being stopped, the kernel would try to add this cgroup to the list of such structures again when the container was started the next time. This would corrupt the list, and the calc_load_ve() function would enter an endless loop as a result. (PSBM-88251)

• ploop: potential data corruption due to a race between ‘prepare_merge’ and ‘submit_alloc’ operations. (PSBM-93349)

• High order page allocations were triggered by CRIU while restoring TCP sockets. (PSBM-93672)

• High order page allocations were made in neigh_probe() in certain cases. (PSBM-93713)

• It was discovered that network drivers could allocate memory for the socket buffers from pfmemalloc memory reserves, even when it was unnecessary. As a result, the network packets were dropped by sk_filter_trim_cap() causing performance issues. (VSTOR-21390)

2.123.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.123.4 4. References

• readykernel-patch-46.7-77.1-1.vl7

• readykernel-patch-48.2-77.1-1.vl7

• readykernel-patch-63.3-77.1-1.vl7

• readykernel-patch-64.7-77.1-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-031.json.

2.124 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0.7

Issue date: 2019-04-25

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-030

2.124.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7).

2.124.2 2. Bug Fixes

• ploop: potential data corruption due to a race between ‘prepare_merge’ and ‘submit_alloc’ operations. (PSBM-93349)

• High order page allocations were triggered by CRIU while restoring TCP sockets. (PSBM-93672)

• High order page allocations were made in neigh_probe() in certain cases. (PSBM-93713)

• It was discovered that network drivers could allocate memory for the socket buffers from pfmemalloc memory reserves, even when it was unnecessary. As a result, the network packets were dropped by sk_filter_trim_cap() causing performance issues. (VSTOR-21390)

2.124.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.124.4 4. References

• readykernel-patch-43.10-77.1-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-030.json.

2.125 Kernel update: Virtuozzo ReadyKernel patch 77.0 for Virtuozzo 7.0.6 and 7.0.6 HF3

Issue date: 2019-04-25

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-029

2.125.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3).

2.125.2 2. Bug Fixes

• ploop: potential data corruption due to a race between ‘prepare_merge’ and ‘submit_alloc’ operations. (PSBM-93349)

• High order page allocations were triggered by CRIU while restoring TCP sockets. (PSBM-93672)

• High order page allocations were made in neigh_probe() in certain cases. (PSBM-93713)

• It was discovered that network drivers could allocate memory for the socket buffers from pfmemalloc memory reserves, even when it was unnecessary. As a result, the network packets were dropped by sk_filter_trim_cap() causing performance issues. (VSTOR-21390)

2.125.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.125.4 4. References

• readykernel-patch-37.30-77.0-1.vl7

• readykernel-patch-40.4-77.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-029.json.

2.126 Product update: Virtuozzo 7.0 Update 10 (7.0.10-315)

Issue date: 2019-04-23

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-028

2.126.1 1. Overview

The Update 10 for Virtuozzo 7.0 provides a new feature as well as stability and usability bug fixes. It also introduces a new kernel 3.10.0-957.10.1.vz7.85.17, which is a rebase to the RHEL 7.6 kernel 3.10.0-957.10.1.el7.

2.126.2 2. New Features

• Improved shaman interaction with the dispatcher. The new commands ‘shaman cleanup-broken’ and ‘shaman ’ allow you to clean up and sync shaman and cluster resources to avoid issues with resource migration. For more details, see section 8.9 “Troubleshooting Shaman Resources” in the User’s Guide. (PSBM-64247)

2.126.3 3. Bug Fixes

• Node could crash due to a bug in . (PSBM-91794)

• Node could crash due to an issue with microcode. (PSBM-90809)

• MAC addresses were truncated for calculating hardware IDs (HWIDs). In case of InfiniBand devices with long MAC addresses, this could result in multiple nodes having the same HWIDs. (PSBM-93117)

• Live migration could fail with a CRIU error “Error (criu/tty.c:2324): tty: ctty inheritance detected sid/pgrp 345, no PTY peer with sid/pgrp needed”. (PSBM-76490)

• Zero available memory could be reported in containers based on the ubuntu-18.04-x86_64 template. (PSBM-90190)

• Other fixes. (PSBM-77022, PSBM-82991, PSBM-83783, PSBM-84241, PSBM-87926, PSBM-88107, PSBM-90384, PSBM-90449, PSBM-90586, PSBM-90731, PSBM-91524, PSBM-91819, PSBM-91824, PSBM-91867, PSBM-91882, PSBM-91956, PSBM-92050, PSBM-92132, PSBM-92238, PSBM-92378, PSBM-92694, PSBM-92869, PSBM-92894, PSBM-93060, PSBM-93077, PSBM-93274, PSBM-93313, PSBM-93352, PSBM-93400, PSBM-93461, PSBM-93571, PSBM-93675, PSBM-93728, PSBM-93751)

2.126.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the host.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-028.json.

2.127 Kernel update: Virtuozzo ReadyKernel patch 77.1 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-04-22

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-027

2.127.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernels 3.10.0-862.20.2.vz7.73.24 and 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5).

2.127.2 2. Bug Fixes

• ploop: potential data corruption due to a race between ‘prepare_merge’ and ‘submit_alloc’ operations. (PSBM-93349)

• High order page allocations were triggered by CRIU while restoring TCP sockets. (PSBM-93672)

• vzstat shows incorrect per-container scheduling latency (MLAT). (PSBM-93675)

• High order page allocations were made in neigh_probe() in certain cases. (PSBM-93713)

• It was discovered that network drivers could allocate memory for the socket buffers from pfmemalloc memory reserves, even when it was unnecessary. As a result, network packets were dropped by sk_filter_trim_cap(), causing performance issues. (VSTOR-21390)

2.127.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.127.4 4. References

• readykernel-patch-73.24-77.1-1.vl7

• readykernel-patch-73.29-77.1-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-027.json.

2.128 Kernel update: Virtuozzo ReadyKernel patch 76.0 for Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-04-08

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-026

2.128.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernel 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0 Update 9 and Virtuozzo Infrastructure Platform 2.5).

2.128.2 2. Bug Fixes

• fuse_kio_pcs: kernel crash in process_pcs_init_reply() caused by a double free. (PSBM-93047, VSTOR-20922)

• fuse_kio_pcs: kernel crash in kpcs_kill_requests(). (PSBM-93479, VSTOR-20987)

2.128.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.128.4 4. References

• readykernel-patch-73.29-76.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-026.json.

2.129 Kernel update: Virtuozzo ReadyKernel patch 75.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-04-01

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-024

2.129.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.

2.129.2 2. Bug Fixes

• It was discovered that CPUID bits OSXSAVE and OSPKE were not updated properly by KVM when the guest system rebooted. As a result, the guest system could crash. (PSBM-93016)

• (Enhancement) Additional diagnostics were introduced to make it easier to detect and analyze skb drops caused by the usage of pfmemalloc reserves. (PSBM-93052)

2.129.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.129.4 4. References

• readykernel-patch-37.30-75.0-1.vl7

• readykernel-patch-40.4-75.0-1.vl7

• readykernel-patch-43.10-75.0-1.vl7

• readykernel-patch-46.7-75.0-1.vl7

• readykernel-patch-48.2-75.0-1.vl7

• readykernel-patch-63.3-75.0-1.vl7

• readykernel-patch-64.7-75.0-1.vl7

• readykernel-patch-73.24-75.0-1.vl7

• readykernel-patch-73.29-75.0-1.vl7

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-024.json.

2.130 Product update: Virtuozzo 7.0 Update 9 Hotfix 2 (7.0.9-547)

Issue date: 2019-03-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-023

2.130.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0.9 provides stability and usability bugfixes.

2.130.2 2. Bug Fixes

• Migration of a container from a Virtuozzo 7 Update 8 host to a Virtuozzo 7 Update 9 host initiated from Virtuozzo Automator could lead to a crash of vzmigrate. (PSBM-91577)

• Output of ‘prlctl list -i’ could be incomplete. (PSBM-91868)

• Virtuozzo Automator agent could consume very large amounts of RAM. The rmond plugin for the SNMPD service could also be affected. (PSBM-91874)

• Unable to add/delete/unlink journal on an existing chunk server. (PSBM-92575)

2.130.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-023.json.

2.131 Product update: Virtuozzo 6.0 Update 12 Hotfix 38 (6.0.12-3737)

Issue date: 2019-03-12

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-016

2.131.1 1. Overview

This update provides a stability fix.

2.131.2 2. Bug Fixes

• If shamand-monitor had been killed for some reason, there was no way to manage orphaned shaman-monitor with standard tools. (PSBM-91776)

2.131.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-016.json.

2.132 Kernel update: Virtuozzo ReadyKernel patch 74.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-03-07

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-015

2.132.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.

2.132.2 2. Bug Fixes

• It was found that unpacking a large tarball with a lot of small files could fail inside a container. This could happen because kmem limit was hit prematurely, while reclaimable memory was still available. (PSBM-91566)

• sr_mod: kernel crash in sr_block_revalidate_disk(). (PSBM-91598)

• Kernel crash in ext4_clear_inode(). (PSBM-91819)

• txqueuelen could not be changed via SIOCSIFTXQLEN ioctl on the host. (PSBM-92064)

• It was discovered that Docker running inside a Virtuozzo container could hit the limit on the network interfaces (256) when it tried to start 50+ of its containers. This fix allows changing that limit for the running containers and increases the default limit to 1024. (PSBM-92132)

2.132.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.132.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-74.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-74.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-015.json.

2.133 Product update: Virtuozzo 7.0 Update 9 Hotfix 1 (7.0.9-539)

Issue date: 2019-03-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-014

2.133.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0.9 provides stability and usability bugfixes.

2.133.2 2. Bug Fixes

• Provided updated packages for Object Storage (S3). (PSBM-92228)

• A few unused role names were shown and could be assigned on the network interface settings screen in Virtuozzo Storage. (PSBM-92227)

2.133.3 3. Installing the Update

Install the update as follows: (1) run ‘yum update’ on each node, one node at a time; (2) on the first node, run ‘prlctl enter vstorage-ui’ to enter the management panel container, then run ‘yum clean all && yum update -y’ inside the container.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-014.json.

2.134 Product update: Virtuozzo 7.0 Update 9 (7.0.9-534)

Issue date: 2019-03-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-013

2.134.1 1. Overview

The Update 9 for Virtuozzo 7.0 provides new features as well as security, stability, and usability bug fixes.

2.134.2 2. Security Fixes

• [Important] An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. (CVE-2018-14634, PSBM-88914)

• [Important] It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system. (CVE-2018-18559, PSBM-89677)

• [Moderate] The Linux kernel was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service. (CVE-2018-14646, PSBM-90076)

2.134.3 3. New Features

• SR-IOV and PCI Passthrough support. Starting from this update, you can assign a host device to a virtual machine so that the device is automatically connected to the VM when you connect the device to the hardware node or start the VM. This method, also known as passthrough, allows host devices to appear and behave as if they were physically attached to the guest operating system. Virtuozzo supports assigning PCI devices (physical NICs) and SR-IOV devices (virtual NICs). (PSBM-61363)

• Optimized container migration between Virtuozzo 7 hosts. (PSBM-46704, PSBM-66535)

• Support for hot plugging of VM network interfaces. Network interfaces can now be added to both running and stopped VMs. (PSBM-51854)

• Ability to configure QCOW2 cache size via libvirt. (PSBM-67894)

• Support for SUSE Linux Enterprise Server 15 (x64) in containers. (PSBM-87229)

• Support for Microsoft Windows Server 2019 guest OS in virtual machines. (PSBM-89362)

2.134.4 4. Bug Fixes

• Containers with NFS client inside could fail to migrate due to a CRIU issue. (PSBM-68738)

• Container with an NFS server inside could fail to start due to ploop lockup. (PSBM-80869)

• CPU limits could be reset by ‘systemctl daemon-reload’. (PSBM-80961)

• Non-existent Virtuozzo Storage disks could remain in VM config after migration and prevent creating backups of said VM. (PSBM-81638)

• After updating to Virtuozzo 7.0.7, a VM could fail to start with an error about incompatible CPU features. (PSBM-85513)

• In rare cases, two virtual machines could get the same MAC addresses. (PSBM-86986)

• Container could fail to start with the error “order:7 allocation failure in ip_set_net_init()”. (PSBM-87338)

• journald would crash on start after updating to Virtuozzo 7.0.8. (PSBM-88489)

• Migration of a container running SLES could fail and hang due to a CRIU issue. (PSBM-88499)

• Container restore operations could take a very long time due to an nbd client issue. (PSBM-89191)

• Unable to migrate Windows 2008 VMs with EFI to a Virtuozzo 7 host. (PSBM-89267)

• After migrating to Virtuozzo 7, nodes could use up swap entirely due to huge usage of tcache which should have been shrunk instead. (PSBM-89403)

• The default action triggered by stopping of vz.service (e.g., node reboot) was to suspend VEs, which could take a very long time and thus cause problems on nodes with lots of containers. The default action has been changed to stop VEs. (PSBM-89623)

• Processes in a VM could fail to access a disk on Virtuozzo Storage due to stuck fast path requests. (PSBM-90163)

• Other fixes. (PSBM-65642, PSBM-73001, PSBM-76790, PSBM-78956, PSBM-80024, PSBM-82512, PSBM-85318, PSBM-85381, PSBM-86637, PSBM-86655, PSBM-87062, PSBM-87099, PSBM-87281, PSBM-87357, PSBM-87360, PSBM-87536, PSBM-87556, PSBM-87593, PSBM-87642, PSBM-87670, PSBM-88142, PSBM-88176, PSBM-88417, PSBM-88558, PSBM-88577, PSBM-88578, PSBM-88724, PSBM-88809, PSBM-88818, PSBM-89055, PSBM-89136, PSBM-89210, PSBM-89215, PSBM-89221, PSBM-89265, PSBM-89290, PSBM-89342, PSBM-89609, PSBM-89651, PSBM-89714, PSBM-89839, PSBM-89866, PSBM-89882, PSBM-89891, PSBM-89931, PSBM-89938, PSBM-89961, PSBM-90055, PSBM-90099, PSBM-90148, PSBM-90150, PSBM-90174, PSBM-90270, PSBM-90317, PSBM-90360, PSBM-90430, PSBM-90471, PSBM-91340)

2.134.5 5. Installing the Update

Install the update by running ‘yum update’. Starting with this update, the fast path feature is enabled by default. If you want to enable fast path, reboot the node to the new kernel delivered in this update. If you want to keep fast path disabled, set ‘kdirect.enable=0’ in ‘/etc/vstorage/vstorage-mount.conf’ and reboot the node to the desired kernel.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-013.json.

2.135 Kernel update: New kernel 2.6.32-042stab136.1; Virtuozzo 6.0 Update 12 Hotfix 37 (6.0.12-3736)

Issue date: 2019-03-04

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-012

2.135.1 1. Overview

This update provides a new kernel 2.6.32-042stab136.1 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.11.1.el6. The new kernel introduces stability fixes.

2.135.2 2. Bug Fixes

• Under certain circumstances, pcompact could crash the host in ploop_relocblks_ioc(). (PSBM-90794)

• Added export for part_nr_sects_read(). (OVZ-7071)

• Fixed host crash in dma_memcpy_pg_to_iovec(). (OVZ-7080)

2.135.3 3. Installing the Update

Install the update by running ‘yum update’ and reboot the host.

2.135.4 4. References

• https://access.redhat.com/errata/RHBA-2018:3763

• https://access.redhat.com/errata/RHBA-2019:0064

• https://access.redhat.com/errata/RHSA-2019:0415

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-012.json.

2.136 Kernel update: New kernel 2.6.32-042stab136.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2019-03-04

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2019-011

2.136.1 1. Overview

This update provides a new kernel 2.6.32-042stab136.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.11.1.el6. The new kernel introduces stability fixes.

2.136.2 2. Bug Fixes

• Under certain circumstances, pcompact could crash the host in ploop_relocblks_ioc(). (PSBM-90794)

• Added export for part_nr_sects_read(). (OVZ-7071)

• Fixed host crash in dma_memcpy_pg_to_iovec(). (OVZ-7080)

2.136.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.136.4 4. References

• https://access.redhat.com/errata/RHBA-2018:3763

• https://access.redhat.com/errata/RHBA-2019:0064

• https://access.redhat.com/errata/RHSA-2019:0415

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-011.json.

2.137 Kernel update: Virtuozzo ReadyKernel patch 73.1 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-02-20

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-010

2.137.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5. NOTE: No more patches are planned for kernel 3.10.0-514.26.1.vz7.33.22, support for which ends with this update.

2.137.2 2. Bug Fixes

• A typo in the fix for PSBM-91361, “Kernel crash (BUG_ON) ploop_relocblks_ioc().”, could lead to incorrect behaviour of ploop. (PSBM-91572)

• overlayfs: kernel crash in may_open(). (PSBM-91794)

2.137.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.137.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-73.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-73.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-010.json.

2.138 Kernel update: Virtuozzo ReadyKernel patch 72.1 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-02-15

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-009

2.138.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.

2.138.2 2. Bug Fixes

• It was discovered that the previous ReadyKernel patch v72.0 does not allow Docker 18.09.2 to run inside Virtuozzo containers. This update fixes the issue. (PSBM-91689)

2.138.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.138.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-72.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-72.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-009.json.

2.139 Important kernel security update: Virtuozzo ReadyKernel patch 72.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-02-12

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-008

2.139.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.

2.139.2 2. Security Fixes

• [Important] It was discovered that a malicious user logged in to a Virtuozzo container could potentially overwrite the ‘vzctl’ binary on the host. The attacker could replace executables in that container with symlinks to ‘/proc/self/exe’. After that, ‘vzctl exec’ called from the host to run one of such executables would try to run the host’s ‘vzctl’ there instead. If the attacker managed to intercept that, they would be able to change the contents of the host’s ‘vzctl’ binary. The issue is similar to CVE-2019-5736, but affects ‘vzctl’ rather than ‘runc’. (PSBM-91042)

2.139.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.139.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-72.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-72.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-008.json.

2.140 Product update: Virtuozzo 6.0 Update 12 Hotfix 36 (6.0.12-3734)

Issue date: 2019-02-11

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2019-007

2.140.1 1. Overview

This update provides a stability fix.

2.140.2 2. Bug Fixes

• Guest tools could fail to install in a Linux guest due to an issue with the ‘prl_eth’ kernel module. (PSBM-90584)

2.140.3 3. Installing the Update

Install the update by running ‘yum update’; then install the updated guest tools in VMs.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-007.json.

2.141 Kernel security update: Virtuozzo ReadyKernel patch 71.0 for Virtuozzo 7.0.6 to 7.0.8 HF1 and Virtuozzo Infrastructure Platform 2.5

Issue date: 2019-02-07

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-006

2.141.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) to 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1) and 3.10.0-862.20.2.vz7.73.24 (Virtuozzo Infrastructure Platform 2.5).

2.141.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of userfaultfd. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbfs to modify a file and possibly disrupt normal system behaviour. It is currently understood that this does not lead to a crash or privilege escalation, but modifications to files on these filesystems in production systems may have adverse effects. (CVE-2018-18397)

2.141.3 3. Bug Fixes

• /proc/sys/net/core/somaxconn was not available in the containers. (PSBM-91032)

• ‘perf record -a’ causes segfaults in applications executing vsyscalls. (PSBM-91181)

• Kernel crash (BUG_ON) ploop_relocblks_ioc(). (PSBM-91361)

• Debug message ‘IPVS: Creating netns size=… id=…’ could be output many times to the system log when the network namespaces are initialized, making the log less readable. (PSBM-91527)

2.141.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.141.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-71.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-70.0-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=1641548

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-006.json.

2.142 Kernel update: Virtuozzo ReadyKernel patch 71.0 for Virtuozzo 7.0.5

Issue date: 2019-02-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-005

2.142.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (7.0.5).

2.142.2 2. Bug Fixes

• /proc/sys/net/core/somaxconn was not available in the containers. (PSBM-91032)

• ‘perf record -a’ causes segfaults in applications executing vsyscalls. (PSBM-91181)

• Kernel crash (BUG_ON) ploop_relocblks_ioc(). (PSBM-91361)

• Debug message ‘IPVS: Creating netns size=… id=…’ could be output many times to the system log when the network namespaces are initialized, making the log less readable. (PSBM-91527)

2.142.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.142.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-71.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-005.json.

2.143 Kernel security update: Virtuozzo ReadyKernel patch 70.1 for Virtuozzo 7.0.6 to 7.0.7 HF3

Issue date: 2019-01-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-004

2.143.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (7.0.6) to 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).

2.143.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of ebtables in the Linux kernel. A local attacker in a container could exploit it to consume large amounts of memory, eventually causing denial of service on the host. (PSBM-90803)

• [Low] vhost: kernel crash (access out of bounds) in memcpy_fromiovecend(). (PSBM-90291)

2.143.3 3. Bug Fixes

• tcache was not shrunk in some situations. (PSBM-89403)

• Kernel crash (access out of bounds) in SyS_mincore(). (PSBM-90329)

• If the CPUs in the system supported memory protection keys for userspace (X86_FEATURE_PKU) but the kernel did not, resuming a container could fail. (PSBM-90828)

2.143.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.143.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-70.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-70.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-70.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-70.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-70.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-004.json.

2.144 Kernel security update: Virtuozzo ReadyKernel patch 70.1 for Virtuozzo 7.0.4 HF3 and 7.0.5

Issue date: 2019-01-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-003

2.144.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3) and 3.10.0-514.26.1.vz7.33.22 (7.0.5). NOTE: No more patches are planned for kernel 3.10.0-514.16.1.vz7.30.15, support for which ends with this update.

2.144.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of ebtables in the Linux kernel. A local attacker in a container could exploit it to consume large amounts of memory, eventually causing denial of service on the host. (PSBM-90803)

2.144.3 3. Bug Fixes

• Kernel crash (access out of bounds) in SyS_mincore(). (PSBM-90329)

• If the CPUs in the system supported memory protection keys for userspace (X86_FEATURE_PKU) but the kernel did not, resuming a container could fail. (PSBM-90828)

2.144.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.144.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-70.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-70.1-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-003.json.

2.145 Kernel security update: Virtuozzo ReadyKernel patch 70.0 for Virtuozzo 7.0.8 and 7.0.8 HF1

Issue date: 2019-01-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-001

2.145.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-862.9.1.vz7.63.3 (7.0.8) and 3.10.0-862.11.6.vz7.64.7 (7.0.8 HF1).

2.145.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of ebtables in the Linux kernel. A local attacker in a container could exploit it to consume large amounts of memory, eventually causing denial of service on the host. (PSBM-90803)

• [Low] vhost: kernel crash (access out of bounds) in memcpy_fromiovecend(). (PSBM-90291)

2.145.3 3. Bug Fixes

• tcache was not shrunk in some situations. (PSBM-89403)

• Kernel crash (access out of bounds) in SyS_mincore(). (PSBM-90329)

2.145.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.145.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-70.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-70.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-001.json.

2.146 Important kernel security update: Virtuozzo ReadyKernel patch 69.0 for Virtuozzo 7.0.4 HF3 to 7.0.8 HF1

Issue date: 2018-12-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-089

2.146.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels.

2.146.2 2. Security Fixes

• [Important] A flaw was found in the implementation of NFS v4.1 in the Linux kernel. NFS v4.1 shares mounted in different network namespaces at the same time can make bc_svc_process() use the wrong back-channel ID and cause a use-after-free. A malicious user in a container can exploit this to cause host kernel memory corruption and a system crash. (CVE-2018-16884)

2.146.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.146.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-69.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-69.0-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=1660375

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-089.json.

2.147 Important kernel security update: Virtuozzo ReadyKernel patch 68.2 for Virtuozzo 7.0.4 HF3 to 7.0.8 HF1

Issue date: 2018-12-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-088

2.147.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels.

2.147.2 2. Security Fixes

• [Important] Transforming an IPv6 socket to an IPv4 and then transforming it back to a listening socket could result in a kernel memory corruption. An unprivileged user on the host or in a container could exploit this to crash the kernel. (CVE-2018-9568)

2.147.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.147.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-68.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-68.2-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=1655904

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-088.json.

2.148 Important kernel security update: New kernel 2.6.32-042stab134.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-12-12

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-087

2.148.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.8 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.6.3.el6. The new kernel introduces a security and stability fix.

2.148.2 2. Security Fixes

• [Important] Memory corruption due to incorrect socket cloning. (CVE-2018-9568)

2.148.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. These customers can download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.148.4 4. References

• https://access.redhat.com/security/cve/cve-2018-9568

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-087.json.

2.149 Important kernel security update: New kernel 2.6.32-042stab134.8; Virtuozzo 6.0 Update 12 Hotfix 35 (6.0.12-3729)

Issue date: 2018-12-12

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-086

2.149.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.8 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.6.3.el6. The new kernel introduces a security and stability fix.

2.149.2 2. Security Fixes

• [Important] Memory corruption due to incorrect socket cloning. (CVE-2018-9568)

2.149.3 3. Installing the Update

Install the update by running ‘yum update’ and reboot the host.

2.149.4 4. References

• https://access.redhat.com/security/cve/cve-2018-9568

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-086.json.

2.150 Kernel security update: Virtuozzo ReadyKernel patch 67.0 for Virtuozzo 7.0.8 and 7.0.8 HF1

Issue date: 2018-11-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-085

2.150.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-862.9.1.vz7.63.3 (7.0.8) and 3.10.0-862.11.6.vz7.64.7 (7.0.8 HF1).

2.150.2 2. Security Fixes

• [Moderate] The Linux kernel was found to be vulnerable to a NULL pointer dereference bug in the __netlink_ns_capable() function in the net/netlink/af_netlink.c file. A local attacker could exploit this when a net namespace with a netnsid is assigned to cause a kernel panic and a denial of service. (CVE-2018-14646)

2.150.3 3. Bug Fixes

• It was discovered that a special sequence of operations involving an NFS server in a container with FEATURES='nfsd=on' could crash the host kernel. (PSBM-90024)

• Asynchronous discard requests could fail with EIO because ploop did not properly align them. (PSBM-90052)

2.150.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.150.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-67.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2018-14646

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-085.json.

2.151 Kernel update: Virtuozzo ReadyKernel patch 67.0 for Virtuozzo 7.0.4 HF3 to 7.0.7 HF3

Issue date: 2018-11-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-084

2.151.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (7.0.4 HF3) to 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).

2.151.2 2. Bug Fixes

• It was discovered that a special sequence of operations involving an NFS server in a container with FEATURES='nfsd=on' could crash the host kernel. (PSBM-90024)

• Asynchronous discard requests could fail with EIO because ploop did not properly align them. (PSBM-90052)

2.151.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.151.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-67.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-67.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-084.json.

2.152 Kernel update: New kernel 2.6.32-042stab134.7; Virtuozzo 6.0 Update 12 Hotfix 34 (6.0.12-3728)

Issue date: 2018-11-28

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-083

2.152.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.7 for Virtuozzo 6.0. The new kernel introduces stability fixes.

2.152.2 2. Bug Fixes

• Host with multiple ploop devices running on a debug kernel could crash in sysfs_addrm_start() on container stop. (PSBM-89413)

• In some circumstances, backing up containers to Acronis Backup could fail. (PSBM-89517)

• Ploop resize could fail and lead to access beyond the end of device. (PSBM-89687)

• Ploop over Virtuozzo Storage: in rare cases, resize could lead to ploop image corruption. (PSBM-89855)

• Running Ubuntu containers with systemd 229-4ubuntu21.8 could result in application failures due to /run/lock/ permission issues. (PSBM-89993)

• Running Ubuntu containers with systemd 229-4ubuntu21.9 could result in services failing to start because systemd-tmpfiles was unable to validate path due to symlinking issues. (PSBM-90038)

2.152.3 3. Installing the Update

Install the update by running ‘yum update’ and reboot the host.

2.152.4 4. References

• https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1804847

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-083.json.

2.153 Kernel update: New kernel 2.6.32-042stab134.7 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-11-28

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-082

2.153.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.7 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. The new kernel introduces stability fixes.

2.153.2 2. Bug Fixes

• Running Ubuntu containers with systemd 229-4ubuntu21.8 could result in application failures due to /run/lock/ permission issues. (PSBM-89993)

• Running Ubuntu containers with systemd 229-4ubuntu21.9 could result in services failing to start because systemd-tmpfiles was unable to validate path due to symlinking issues. (PSBM-90038)

2.153.3 3. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. These customers can download and install the update using the vzup2date utility included in the distribution. Reboot the host to apply the update.

2.153.4 4. References

• https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1804847

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-082.json.

2.154 Kernel update: Virtuozzo ReadyKernel patch 66.0 for Virtuozzo 7.0.4 to 7.0.8 HF1

Issue date: 2018-11-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-081

2.154.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to all supported Virtuozzo kernels. NOTE: No more patches are planned for kernel 3.10.0-514.16.1.vz7.30.10, support for which ends with this update.

2.154.2 2. Bug Fixes

• cleancache: missing invalidation of an inode could cause data corruption. (PSBM-89050)

• Data corruption after online resize of an empty ploop image located on Virtuozzo Storage. (PSBM-89856)

2.154.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.154.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-66.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-66.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-081.json.

2.155 Important kernel security update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.7 HF3 to 7.0.8 HF1

Issue date: 2018-11-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-080

2.155.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (7.0.8), and 3.10.0-862.11.6.vz7.64.7 (7.0.8 HF1).

2.155.2 2. Security Fixes

• [Important] Use-after-free in the implementation of the shared memory. A flaw was found in the implementation of the shared memory in the Linux kernel. shm_mmap() function did not always check if the underlying file structures were valid, which could lead to use-after-free. A local unprivileged user could exploit this to crash the kernel by executing a special sequence of system calls. (PSBM-89717)

2.155.3 3. Bug Fixes

• Potential kernel crash in cbt_flush_cpu_cache(). (PSBM-89323)

• Incorrect accounting of network namespaces in the error paths in copy_net_ns(). (PSBM-89520)

• Errors in the implementation of online resize in ext4 caused failures of ploop resize operations. (PSBM-89583)

• Ploop: integer overflow in the implementation of direct IO could lead to errors when resizing the ploop image. (PSBM-89725)

2.155.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.155.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-65.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-080.json.

2.156 Kernel update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.6 to 7.0.7 HF2

Issue date: 2018-11-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-079

2.156.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (7.0.6), 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3), 3.10.0-693.17.1.vz7.43.10 (7.0.7), and 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2).

2.156.2 2. Bug Fixes

• Potential kernel crash in cbt_flush_cpu_cache(). (PSBM-89323)

• Incorrect accounting of network namespaces in the error paths in copy_net_ns(). (PSBM-89520)

• Errors in the implementation of online resize in ext4 caused failures of ploop resize operations. (PSBM-89583)

• Ploop: integer overflow in the implementation of direct IO could lead to errors when resizing the ploop image. (PSBM-89725)

2.156.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.156.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-65.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-079.json.

2.157 Kernel update: Virtuozzo ReadyKernel patch 65.0 for Virtuozzo 7.0.4 to 7.0.5

Issue date: 2018-11-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-078

2.157.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (7.0.4), 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (7.0.5).

2.157.2 2. Bug Fixes

• Potential kernel crash in cbt_flush_cpu_cache(). (PSBM-89323)

• Errors in the implementation of online resize in ext4 caused failures of ploop resize operations. (PSBM-89583)

• Ploop: integer overflow in the implementation of direct IO could lead to errors when resizing the ploop image. (PSBM-89725)

2.157.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.157.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-65.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-65.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-078.json.

2.158 Important kernel security update: CVE-2018-18559; Virtuozzo ReadyKernel patch 64.0 for Virtuozzo 7.0.4 to 7.0.8 HF1

Issue date: 2018-10-26

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-077

2.158.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels.

2.158.2 2. Security Fixes

• [Important] It was discovered that a race condition between packet_do_bind() and packet_notifier() in the implementation of AF_PACKET could lead to use-after-free. An unprivileged user on the host or in a container could exploit this to crash the kernel or, potentially, to escalate their privileges in the system. (CVE-2018-18559)

2.158.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.158.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-64.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-64.0-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=1641878

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-077.json.

2.159 Kernel update: Virtuozzo ReadyKernel patch 63.0 for Virtuozzo 7.0.4 to 7.0.8 HF1

Issue date: 2018-10-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-076

2.159.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to all supported Virtuozzo kernels.

2.159.2 2. Bug Fixes

• Potential kernel crash in ext4_close_pfcache(). (PSBM-88809)

2.159.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.159.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-63.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-63.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-076.json.

2.160 Important kernel security update: CVE-2018-5391 and other issues; new kernel 2.6.32-042stab134.3; Virtuozzo 6.0 Update 12 Hotfix 33 (6.0.12-3724)

Issue date: 2018-10-15

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-075

2.160.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.3 for Virtuozzo 6.0. The new kernel introduces security and stability fixes.

2.160.2 2. Security Fixes

• [Important] A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

• [Important] An integer overflow flaw was found in the Linux kernel’s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system (Mutagen Astronomy). (CVE-2018-14634)

• [Low] The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY, but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. (CVE-2017-1000365)

2.160.3 3. Bug Fixes

• Under certain circumstances, ploop could crash after failed execution of kernel . (PSBM-88559)

• Under certain circumstances, Acronis Backup could trigger host crash in blk_cbt_update_size(). (PSBM-88570)

• Under certain circumstances, host could crash inside Acronis snumbd driver. (PSBM-88575)

• Under certain circumstances, Acronis Backup could trigger host hard lockup in __cbt_flush_cpu_cache. (PSBM-89323)

• Fixed locking in blk_release_queue() that led to hard lockup in blk_throtl_drain() (was broken in 2.6.32-754.6.3.el6 RHEL6 kernel). (PSBM-89391, RHBZ#1638926)

2.160.4 4. Installing the Update

Install the update by running ‘yum update’.

2.160.5 5. References

• https://access.redhat.com/errata/RHSA-2018:2846

• https://www.redhat.com/security/data/cve/CVE-2017-1000365.html

• https://www.redhat.com/security/data/cve/CVE-2018-5391.html

• https://www.redhat.com/security/data/cve/CVE-2018-14634.html

• https://access.redhat.com/security/vulnerabilities/mutagen-astronomy

• https://access.redhat.com/articles/3553061

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-075.json.

2.161 Important kernel security update: CVE-2018-5391 and other issues; new kernel 2.6.32-042stab134.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-10-15

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-074

2.161.1 1. Overview

This update provides a new kernel 2.6.32-042stab134.3 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. The new kernel introduces security and stability fixes.

2.161.2 2. Security Fixes

• [Important] A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

• [Important] An integer overflow flaw was found in the Linux kernel’s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system (Mutagen Astronomy). (CVE-2018-14634)

• [Low] The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY, but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. (CVE-2017-1000365)

2.161.3 3. Bug Fixes

• Under certain circumstances, ploop could crash after failed execution of kernel thread. (PSBM-88559)

• Under certain circumstances, Acronis Backup could trigger host crash in blk_cbt_update_size(). (PSBM-88570)

• Under certain circumstances, host could crash inside Acronis snumbd driver. (PSBM-88575)

• Under certain circumstances, Acronis Backup could trigger host hard lockup in __cbt_flush_cpu_cache. (PSBM-89323)

• Fixed locking in blk_release_queue() that led to hard lockup in blk_throtl_drain() (was broken in 2.6.32-754.6.3.el6 RHEL6 kernel). (PSBM-89391, RHBZ#1638926)

2.161.4 4. Installing the Update

The update is only available for customers subscribed to the Extended Lifecycle Support (ELS) program. These customers can download and install the update using the ‘vzup2date’ utility included in the distribution.

2.161.5 5. References

• https://access.redhat.com/errata/RHSA-2018:2846

• https://www.redhat.com/security/data/cve/CVE-2017-1000365.html

• https://www.redhat.com/security/data/cve/CVE-2018-5391.html

• https://www.redhat.com/security/data/cve/CVE-2018-14634.html

• https://access.redhat.com/security/vulnerabilities/mutagen-astronomy

• https://access.redhat.com/articles/3553061

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-074.json.

2.162 Important kernel security update: Virtuozzo ReadyKernel patch 62.2 for Virtuozzo 7.0.4 and 7.0.8 HF1

Issue date: 2018-09-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-072

2.162.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported Virtuozzo kernels.

2.162.2 2. Security Fixes

• [Important] An integer overflow flaw was found in create_elf_tables(). An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. (CVE-2018-14634)

• [Low] The Linux kernel imposes a size limit on the memory needed to store the arguments and environment variables of a process, 1/4 of the maximum stack size (RLIMIT_STACK). However, the pointers to these data were not taken into account, which allowed attackers to bypass the limit and even exhaust the stack of the process. (CVE-2017-1000365)

2.162.3 3. Bug Fixes

• It was found that the implementation of high resolution timers (‘hrtimer’ subsystem) did not handle the situation when a timer was started simultaneously with its restart in another thread. As a result, a BUG_ON() could trigger in __run_hrtimer() leading to kernel crash. (PSBM-88818)

2.162.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.162.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-62.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-62.2-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000365

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14634

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-072.json.

2.163 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.8 HF1

Issue date: 2018-09-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-067

2.163.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0.8 HF1.

2.163.2 2. Bug Fixes

• sunrpc: potential kernel crash (use after free) in svc_process_common(). (PSBM-73001)

• Potential out-of-bounds read in fuse_dev_splice_write(). (PSBM-87649)

• It was found that rpc_get_hdr() function from ‘fuse_kio_pcs’ module did not return valid values in ‘msg_size’ in some cases. As a result, the processes using large FUSE KIO messages could get stuck in an unkillable state. (PSBM-87877)

• File systems: insufficient error handling in sget() could lead to excessive memory consumption. (PSBM-88082)

2.163.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.163.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-60.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-067.json.

2.164 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.7 to 7.0.8

Issue date: 2018-09-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-066

2.164.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0.7 to 7.0.8.

2.164.2 2. Bug Fixes

• fuse_kio_pcs: potential kernel crash (NULL pointer dereference) in pcs_map_encode_req(). (PSBM-87665)

• File systems: insufficient error handling in sget() could lead to excessive memory consumption. (PSBM-88082)

2.164.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.164.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-60.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-066.json.

2.165 Kernel update: Virtuozzo ReadyKernel patch 60.0 for Virtuozzo 7.0.4 to 7.0.7

Issue date: 2018-09-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-065

2.165.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to Virtuozzo 7.0.4 to 7.0.7.

2.165.2 2. Bug Fixes

• File systems: insufficient error handling in sget() could lead to excessive memory consumption. (PSBM-88082)

2.165.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.165.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-60.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-60.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-065.json.

2.166 Product update: Virtuozzo 7.0 Update 8 Hotfix 2 (7.0.8-514)

Issue date: 2018-09-03

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-064

2.166.1 1. Overview

This update provides a stability fix.

2.166.2 2. Bug Fixes

• EFI VMs created on Virtuozzo 7.0.8 and 7.0.8 Hotfix 1 have an incorrect NVRAM.dat file. As a result, they may not start on 7.0.8 Hotfix 2 once stopped. VM console may display the message “Guest has not initialized the display (yet)”. For instructions on how to fix NVRAM.dat in such VMs, see the KB article #2953513. (PSBM-88233)

2.166.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-064.json.

2.167 Important kernel security update: CVE-2018-3620 and other issues; new kernel 3.10.0-862.11.6.vz7.64.7; Virtuozzo 7.0 Update 8 Hotfix 1 (7.0.8-507)

Issue date: 2018-08-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-063

2.167.1 1. Overview

This update provides a new kernel for Virtuozzo 7.0 that is a rebase to the 7.5 kernel 3.10.0-862.11.6.el7. The new kernel inherits a number of security fixes from the RHEL kernel and introduces internal stability fixes.

2.167.2 2. Security Fixes

• [Important] A flaw was found in the Linux kernel’s skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation. (CVE-2017-13215)

• [Important] Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693)

• [Important] A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)

• [Moderate] ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. (CVE-2018-7566)

• [Important] The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-10675)

2.167.3 3. Bug Fixes

• Possible node hang due to sleepable memory allocation under spinlock in scsi_register_device_handler(). Found in the base RHEL kernel. (PSBM-87815, RHBZ#1619147)

• Node hang due to livelock in d_invalidate() due to cond_resched() in shrink_dentry_list(). Found in the base RHEL kernel. (PSBM-87864, RHBZ#1621921)

• Migration of a container with an NFS mount inside could fail with error ‘Killed by signal 11: ’. (PSBM-86775)

• Upgrading to Update 8 could reduce performance of VMs migrated from Virtuozzo 6 that had IDE disks and used the EFI boot option. (PSBM-87641)

• Incorrect reporting of Meltdown mitigation. (PSBM-87793)

• Haproxy processes were getting stuck in D state in lock_sock(). (PSBM-87858)

• MySQL socket could be lost during live migration of Ubuntu/Debian container running MySQL server. (PSBM-87913)

2.167.4 4. Installing the Update

Install the update by running ‘yum update’ and rebooting the node.

2.167.5 5. References

• https://access.redhat.com/errata/RHSA-2018:2384

• https://access.redhat.com/security/cve/CVE-2017-13215

• https://access.redhat.com/security/cve/CVE-2018-3620

• https://access.redhat.com/security/cve/CVE-2018-3646

• https://access.redhat.com/security/cve/CVE-2018-3693

• https://access.redhat.com/security/cve/CVE-2018-5390

• https://access.redhat.com/security/cve/CVE-2018-7566

• https://access.redhat.com/security/cve/CVE-2018-10675

• https://access.redhat.com/security/vulnerabilities/L1TF

• https://access.redhat.com/articles/3553061

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-063.json.

2.168 Kernel update: New kernel 2.6.32-042stab133.2; Virtuozzo 6.0 Update 12 Hotfix 32 (6.0.12-3719)

Issue date: 2018-08-30

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-062

2.168.1 1. Overview

This update provides a new kernel 2.6.32-042stab133.2 for Virtuozzo 6.0. The new kernel introduces a stability fix.

2.168.2 2. Bug Fixes

• Regression in 2.6.32-042stab133.1: Host could crash during processing of (quite rare) fragmented TCP traffic. (PSBM-87976, OVZ-7048, OVZ-7049)

2.168.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-062.json.

2.169 Kernel update: New kernel 2.6.32-042stab133.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-08-30

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-061

2.169.1 1. Overview

This update provides a new kernel 2.6.32-042stab133.2 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. The new kernel introduces a stability fix.

2.169.2 2. Bug Fixes

• Regression in 2.6.32-042stab133.1: Host could crash during processing of (quite rare) fragmented TCP traffic. (PSBM-87976, OVZ-7048, OVZ-7049)

2.169.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-061.json.

2.170 Product update: Virtuozzo 6.0 Update 12 Hotfix 31 (6.0.12-3717)

Issue date: 2018-08-28

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-060

2.170.1 1. Overview

This update provides a stability fix.

2.170.2 2. Bug Fixes

• CentOS 7.5 VM running on a host with an AMD CPU could crash after the host had been updated. (PSBM-87547)

2.170.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-060.json.

2.171 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.8

Issue date: 2018-08-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-059

2.171.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0.8.

2.171.2 2. Bug Fixes

• sunrpc: potential kernel crash (use after free) in svc_process_common(). (PSBM-73001)

• ‘libvirtd’ service was unresponsive because ‘cgroup_mutex’ was held for a long time. (PSBM-87281)

• Potential out-of-bounds read in fuse_dev_splice_write(). (PSBM-87649)

• Attempts to start a container fail with errors like ‘cannot create directory /sys/fs/cgroup/beancounter/<…>’. (PSBM-87670)

• Kernel bug: scheduling while atomic in scsi_register_device_handler(). (PSBM-87859)

2.171.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.171.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-59.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-059.json.

2.172 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.7 to 7.0.7 HF3

Issue date: 2018-08-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-058

2.172.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0.7 to 7.0.7 HF3.

2.172.2 2. Bug Fixes

• sunrpc: potential kernel crash (use after free) in svc_process_common(). (PSBM-73001)

• ‘libvirtd’ service was unresponsive because ‘cgroup_mutex’ was held for a long time. (PSBM-87281)

• Host system could hang because of a leaked cache-related counter in memcg. (PSBM-87642)

• Potential out-of-bounds read in fuse_dev_splice_write(). (PSBM-87649)

• Attempts to start a container fail with errors like ‘cannot create directory /sys/fs/cgroup/beancounter/<…>’. (PSBM-87670)

2.172.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.172.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-59.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-058.json.

2.173 Kernel update: Virtuozzo ReadyKernel patch 59.0 for Virtuozzo 7.0.4 to 7.0.6 HF3

Issue date: 2018-08-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-057

2.173.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0.4 to 7.0.6 HF3.

2.173.2 2. Bug Fixes

• sunrpc: potential kernel crash (use after free) in svc_process_common(). (PSBM-73001)

• Potential out-of-bounds read in fuse_dev_splice_write(). (PSBM-87649)

• Attempts to start a container fail with errors like ‘cannot create directory /sys/fs/cgroup/beancounter/<…>’. (PSBM-87670)

2.173.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.173.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-59.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-59.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-057.json.

2.174 Kernel update: Virtuozzo ReadyKernel patch 58.0 for Virtuozzo 7.0.8

Issue date: 2018-08-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-056

2.174.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the kernel 3.10.0-862.9.1.vz7.63.3 (7.0.8).

2.174.2 2. Bug Fixes

• Haproxy processes were getting stuck in D state in lock_sock(). (PSBM-87858)

• It was found that rpc_get_hdr() function from ‘fuse_kio_pcs’ module did not return valid values in ‘msg_size’ in some cases. As a result, the processes using large FUSE KIO messages could get stuck in an unkillable state. (PSBM-87877)

2.174.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.174.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-58.0-1.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-056.json.

2.175 Important kernel security update: CVE-2018-3620 and other issues; new kernel 2.6.32-042stab133.1; Virtuozzo 6.0 Update 12 Hotfix 30 (6.0.12-3713)

Issue date: 2018-08-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-055

2.175.1 1. Overview

This update provides a new kernel 2.6.32-042stab133.1 for Virtuozzo 6.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.3.5.el6. The new kernel inherits a number of security fixes from the new RHEL kernel and introduces internal stability fixes.

2.175.2 2. Security Fixes

• [Important] Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693)

• [Important] A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)

• [Important] A flaw was found in Linux kernel’s KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host’s userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges. (CVE-2018-10901)

• [Moderate] Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861)

• [Moderate] ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. (CVE-2018-7566)

• [Moderate] In the Linux kernel versions 4.12, 3.10, 2.6, and possibly earlier, a race condition vulnerability exists in the sound system allowing for a potential deadlock and memory corruption due to use-after-free condition and thus denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-1000004)

2.175.3 3. Bug Fixes

• Host could crash during restore of container with a mounted NFS share inside. (PSBM-86632)

• Sctp: soft lockups caused by hb_timer getting stuck. (PSBM-86812)

• ‘ip neigh ls’ did not show all neighbors. (PSBM-87521)

• OS template cache for vzfs-based Ubuntu 16.04 container could not be created or updated. (PSBM-87152)

2.175.4 4. Installing the Update

Install the update by running ‘yum update’.

2.175.5 5. References

• https://access.redhat.com/errata/RHSA-2018:2390

• https://access.redhat.com/security/cve/CVE-2017-0861

• https://access.redhat.com/security/cve/CVE-2018-3620

• https://access.redhat.com/security/cve/CVE-2018-3646

• https://access.redhat.com/security/cve/CVE-2018-3693

• https://access.redhat.com/security/cve/CVE-2018-5390

• https://access.redhat.com/security/cve/CVE-2018-7566

• https://access.redhat.com/security/cve/CVE-2018-10901

• https://access.redhat.com/security/cve/CVE-2018-1000004

• https://access.redhat.com/security/vulnerabilities/L1TF

• https://access.redhat.com/articles/3553061

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-055.json.

2.176 Important kernel security update: CVE-2018-3620 and other issues; new kernel 2.6.32-042stab133.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-08-20

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-054

2.176.1 1. Overview

This update provides a new kernel 2.6.32-042stab133.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.3.5.el6. The new kernel inherits a number of security fixes from the new RHEL kernel and introduces internal stability fixes.

2.176.2 2. Security Fixes

• [Important] Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693)

• [Important] A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)

• [Important] A flaw was found in Linux kernel’s KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host’s userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges. (CVE-2018-10901)

• [Moderate] Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861)

• [Moderate] ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. (CVE-2018-7566)

• [Moderate] In the Linux kernel versions 4.12, 3.10, 2.6, and possibly earlier, a race condition vulnerability exists in the sound system allowing for a potential deadlock and memory corruption due to use-after-free condition and thus denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-1000004)

2.176.3 3. Bug Fixes

• Host could crash during restore of container with a mounted NFS share inside. (PSBM-86632)

• Sctp: soft lockups caused by hb_timer getting stuck. (PSBM-86812)

• ‘ip neigh ls’ did not show all neighbors. (PSBM-87521)

2.176.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.176.5 5. References

• https://access.redhat.com/errata/RHSA-2018:2390

• https://access.redhat.com/security/cve/CVE-2017-0861

• https://access.redhat.com/security/cve/CVE-2018-3620

• https://access.redhat.com/security/cve/CVE-2018-3646

• https://access.redhat.com/security/cve/CVE-2018-3693

• https://access.redhat.com/security/cve/CVE-2018-5390

• https://access.redhat.com/security/cve/CVE-2018-7566

• https://access.redhat.com/security/cve/CVE-2018-10901

• https://access.redhat.com/security/cve/CVE-2018-1000004

• https://access.redhat.com/security/vulnerabilities/L1TF

• https://access.redhat.com/articles/3553061

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-054.json.

2.177 Kernel update: Virtuozzo ReadyKernel patch 57.0 for Virtuozzo 7.0.7 to 7.0.8

Issue date: 2018-08-14

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-053

2.177.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to kernels 3.10.0-693.17.1.vz7.43.10 (7.0.7), 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (7.0.8).

2.177.2 2. Bug Fixes

• Kernel module ‘ip_set’ tried to allocate physically contiguous memory areas for its array of pointers to ‘ip_set’ structures in ip_set_net_init(). If large enough maximum number of IP sets was requested from the , memory allocation would fail. Containers would fail to start as a result. (PSBM-87338)

2.177.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.177.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-57.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-57.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-57.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-57.0-2.vl7/

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-053.json.

2.178 Important kernel security update: CVE-2017-18344; Virtuozzo ReadyKernel patch 56.0 for Virtuozzo 7.0.8

Issue date: 2018-08-09

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-052

2.178.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to kernel 3.10.0-862.9.1.vz7.63.3 (7.0.8).

2.178.2 2. Security Fixes

• [Important] The implementation of timer_create system call in the Linux kernel before 4.14.8 doesn’t properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE). (CVE-2017-18344)

2.178.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.178.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-56.0-3.vl7/

• http://www.openwall.com/lists/oss-security/2018/08/02/3

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-052.json.

2.179 Product update: Virtuozzo 7.0 Update 8 (7.0.8-486)

Issue date: 2018-08-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-051

2.179.1 1. Overview

The Update 8 for Virtuozzo 7.0 provides new features as well as stability and usability bug fixes.

2.179.2 2. New Features

• Support of Ubuntu 18.04 in virtual machines. (PSBM-82931)

• Live migration of VMs between datastores. You can now live-migrate virtual machines between datastores using the ‘prlctl move’ command. For more details, see the None

• Fast path. This feature may boost Virtuozzo Storage read performance if node I/O is a bottleneck. In this case, enabling fast path may increase maximum node I/O up to 3 times in some cases. For more details, see the Virtuozzo Storage Administrator’s Command Line Guide. (PSBM-64450)

• CRIU now supports live migration of containers running MariaDB with the ‘PrivateDevices=true’ option set. (PSBM-57362)

2.179.3 3. Bug Fixes

• Node could crash with error in ‘mem_cgroup_iter’. (PSBM-75892)

• Container running a Java process could fail to migrate live due to a CRIU issue. (PSBM-78762)

• Container live migration could fail on the restoration stage with a CRIU error ‘Cannot create tun device’. (PSBM-79229)

• Container live migration could fail with a CRIU error ‘mnt: Cannot open ./run/user/0: No such file or directory’. (PSBM-82221)

• Container migration could fail with a CRIU error ‘uns: send resp error: Bad file descriptor’. (PSBM-82222)

• Container live migration could fail due to a CRIU issue with bindmounted Unix sockets. (PSBM-82616)

• VMs created in Virtuozzo Automator had no disk serial numbers. (PSBM-83606)

• Containers could fail to start due to host running out of cgroups. (PSBM-83628)

• Node could crash in shrink_slab() on attempt to mount a bad ext4 image. (PSBM-83691)

• Nodes running Virtuozzo Storage could overload and slow down significantly due to insufficient default pagecache limit. (PSBM-84694)

• Automatically assigned VNC port of a container could change on applying new configuration to said container. (PSBM-85959)

• MAC/IP filtering did not prevent ARP spoofing. (PSBM-86140)

• Other fixes. (PSBM-46610, PSBM-60161, PSBM-78310, PSBM-78703, PSBM-78973, PSBM-81706, PSBM-81809, PSBM-81937, PSBM-82254, PSBM-82313, PSBM-82404, PSBM-82615, PSBM-83154, PSBM-83161, PSBM-83224, PSBM-83266, PSBM-83369, PSBM-83383, PSBM-83581, PSBM-83615, PSBM-83624, PSBM-83746, PSBM-83783, PSBM-84005, PSBM-84028, PSBM-84943, PSBM-84967, PSBM-85005, PSBM-85109, PSBM-85797, PSBM-85844, PSBM-85975, PSBM-86053, PSBM-86077, PSBM-86093, PSBM-86446, PSBM-86498, PSBM-86509, PSBM-86568, PSBM-86638, PSBM-86706)

2.179.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-051.json.

2.180 Important kernel security update: CVE-2017-18344; Virtuozzo ReadyKernel patch 56.0 for all supported Virtuozzo 7.0 kernels

Issue date: 2018-08-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-050

2.180.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo 7.0 kernels.

2.180.2 2. Security Fixes

• [Important] The implementation of timer_create system call in the Linux kernel before 4.14.8 doesn’t properly validate the sigevent::sigev_notify field, which leads to out-of-bounds access in the show_timer function (called when /proc/$PID/timers is read). This allows userspace applications to read arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE). (CVE-2017-18344)

2.180.3 3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.180.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-56.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-56.0-1.vl7/

• http://www.openwall.com/lists/oss-security/2018/08/02/3

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-050.json.

2.181 Important kernel security update: CVE-2018-13405 and other; Virtuozzo ReadyKernel patch 55.0 for all supported Virtuozzo 7.0 kernels

Issue date: 2018-08-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-049

2.181.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported Virtuozzo 7.0 kernels.

2.181.2 2. Security Fixes

• [Important] It was discovered that local users could create files with an unintended group ownership and with group execution and SGID permission bits set. This was possible when a directory was SGID, belonged to a certain group, and was writable by a user who was not a member of this group. This could result in excessive permissions being granted when they should not be. (CVE-2018-13405)

• [Moderate] A flaw was discovered in the implementation of SCTP protocol. A local unprivileged user could exploit it to cause soft lockups in the kernel (and, eventually, a denial of service) using specially crafted sequences of system calls. (PSBM-86804)

2.181.3 3. Bug Fixes

• Kernel warning in kill_block_super() when a mount operation fails. (PSBM-80743)

• It was discovered that the system could fail to restore a container (‘VZctlError: Not enough system resources’) if the container had more mounts than one third of the limit shown in /proc/sys/fs/ve-mount-nr. (PSBM-86511)

• Missing unlock_page() in the error path in fuse_readpages_fill(). (PSBM-86790)

2.181.4 4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

2.181.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-55.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-55.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2018-13405

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-049.json.

2.182 Important kernel security update: CVE-2018-3639 (x86 AMD) and other issues; new kernel 2.6.32-042stab132.1; Virtuozzo 6.0 Update 12 Hotfix 29 (6.0.12-3710)

Issue date: 2018-07-17

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-048

2.182.1 1. Overview

This update provides a new kernel 2.6.32-042stab132.1 for Virtuozzo 6.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.2.1.el6. The new kernel introduces security fixes.

2.182.2 2. Security Fixes

• [Important] [x86 AMD] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

• [Moderate] By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

• [Moderate] A Floating Point Unit (FPU) state information leakage flaw was found in the way the Linux kernel saved and restored the FPU state during task switch. Linux kernels that follow the ‘Lazy FPU Restore’ scheme are vulnerable to the FPU state information leakage issue. An unprivileged local attacker could use this flaw to read FPU state bits by conducting targeted cache side-channel attacks, similar to the Meltdown vulnerability disclosed earlier this year. (CVE-2018-3665)

• [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS. This CVE-2018-10872 was assigned due to regression of CVE-2018-8897. (CVE-2018-10872)

2.182.3 3. Installing the Update

Install the update by running ‘yum update’.

2.182.4 4. References

• https://access.redhat.com/errata/RHSA-2018:2164

• https://www.redhat.com/security/data/cve/CVE-2018-1120.html

• https://www.redhat.com/security/data/cve/CVE-2018-3639.html

• https://www.redhat.com/security/data/cve/CVE-2018-3665.html

• https://www.redhat.com/security/data/cve/CVE-2018-10872.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-048.json.

2.183 Important kernel security update: CVE-2018-3639 (x86 AMD) and other issues; new kernel 2.6.32-042stab132.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-07-17

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-047

2.183.1 1. Overview

This update provides a new kernel 2.6.32-042stab132.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.2.1.el6. The new kernel introduces security fixes.

2.183.2 2. Security Fixes

• [Important] [x86 AMD] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

• [Moderate] By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

• [Moderate] A Floating Point Unit (FPU) state information leakage flaw was found in the way the Linux kernel saved and restored the FPU state during task switch. Linux kernels that follow the ‘Lazy FPU Restore’ scheme are vulnerable to the FPU state information leakage issue. An unprivileged local attacker could use this flaw to read FPU state bits by conducting targeted cache side-channel attacks, similar to the Meltdown vulnerability disclosed earlier this year. (CVE-2018-3665)

• [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver interrupts and exceptions, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS. This CVE-2018-10872 was assigned due to regression of CVE-2018-8897. (CVE-2018-10872)

2.183.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.183.4 4. References

• https://access.redhat.com/errata/RHSA-2018:2164

• https://www.redhat.com/security/data/cve/CVE-2018-1120.html

• https://www.redhat.com/security/data/cve/CVE-2018-3639.html

• https://www.redhat.com/security/data/cve/CVE-2018-3665.html

• https://www.redhat.com/security/data/cve/CVE-2018-10872.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-047.json.

2.184 Kernel security update: Virtuozzo ReadyKernel patch 54.0 for Virtuozzo 7.0.7 HF2 and 7.0.7 HF3

Issue date: 2018-07-13

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-046

2.184.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2) and 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).

2.184.2 2. Security Fixes

• [Moderate] By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

2.184.3 3. Bug Fixes

• Kernel crashes (NULL pointer dereference) if memory allocation fails in alloc_vfsmnt(). (PSBM-86420)

• Kernel crash in fuse_direct_IO_bvec(). (PSBM-86446)

2.184.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.184.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-54.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-046.json.

2.185 Kernel security update: Virtuozzo ReadyKernel patch 54.0 for Virtuozzo 7.0.4 to 7.0.7 (excl. hotfixes)

Issue date: 2018-07-13

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-045

2.185.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-514.16.1.vz7.30.10 (7.0.4), 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3), 3.10.0-514.26.1.vz7.33.22 (7.0.5), 3.10.0-693.1.1.vz7.37.30 (7.0.6), 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3), and 3.10.0-693.17.1.vz7.43.10 (7.0.7).

2.185.2 2. Security Fixes

• [Moderate] By mmap()ing a FUSE-backed file onto a process’s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

2.185.3 3. Bug Fixes

• Kernel crashes (NULL pointer dereference) if memory allocation fails in alloc_vfsmnt(). (PSBM-86420)

2.185.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.185.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-54.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-54.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-045.json.

2.186 Product update: Virtuozzo 7.0 Update 7 Hotfix 4 (7.0.7-474)

Issue date: 2018-07-04

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-044

2.186.1 1. Overview

The Hotfix 4 for Virtuozzo 7.0 Update 7 provides a new feature.

2.186.2 2. New Features

• Support for Ubuntu 18.04 in containers.

2.186.3 3. Installing the Update

Install the update by running ‘yum update’. Install the Ubuntu 18.04 container template by running ‘yum install ubuntu-18.04-x86_64-ez’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-044.json.

2.187 Kernel update: Virtuozzo ReadyKernel patch 53.0 for Virtuozzo 7.0.5 to 7.0.7 HF3

Issue date: 2018-07-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-043

2.187.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-514.26.1.vz7.33.22 (7.0.5), 3.10.0-693.1.1.vz7.37.30 (7.0.6), 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3), 3.10.0-693.17.1.vz7.43.10 (7.0.7), 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).

2.187.2 2. Bug Fixes

• Potential kernel crash (NULL pointer dereference) in sysfs_readdir(). (PSBM-85929)

• Potential kernel crash (NULL pointer dereference) in ip6_route_dev_notify(). (PSBM-86093)

2.187.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.187.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-53.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-043.json.

2.188 Kernel update: Virtuozzo ReadyKernel patch 53.0 for Virtuozzo 7.0.3 to 7.0.4 HF3

Issue date: 2018-07-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-042

2.188.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to Virtuozzo 7.0 kernels 3.10.0-327.42.0.vz7.20.18 (7.0.3), 3.10.0-514.16.1.vz7.30.10 (7.0.4), and 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3). NOTE: No more patches are planned for kernel 3.10.0-327.42.0.vz7.20.18, support for which ends with this update.

2.188.2 2. Bug Fixes

• Potential kernel crash (NULL pointer dereference) in sysfs_readdir(). (PSBM-85929)

2.188.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.188.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-53.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-53.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-042.json.

2.189 Important kernel security update: CVE-2018-10675 and other issues; new kernel 2.6.32-042stab131.1; Virtuozzo 6.0 Update 12 Hotfix 28 (6.0.12-3709)

Issue date: 2018-06-25

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-041

2.189.1 1. Overview

This update provides a new kernel 2.6.32-042stab131.1 for Virtuozzo 6.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.el6. The new kernel introduces security and stability fixes.

2.189.2 2. Security Fixes

• [Important] The do_get_mempolicy() function in ‘mm/mempolicy.c’ in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-10675)

• [Moderate] It was found that AIO interface didn’t use the proper rw_verify_area() helper function with extended functionality, for example, mandatory locking on the file. Also rw_verify_area() makes extended checks, for example, that the size of the access doesn’t cause overflow of the provided offset limits. This integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. (CVE-2012-6701)

• [Moderate] Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830)

• [Moderate] A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a

specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650)

• [Moderate] A race condition leading to a NULL pointer dereference was found in the Linux kernel’s Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system. (CVE-2017-2671)

• [Moderate] It was found that the original fix for CVE-2016-6786 was incomplete. There exists a race between two concurrent sys_perf_event_open() calls when both try and move the same pre-existing software group into a hardware context. (CVE-2017-6001)

• [Moderate] Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in ‘mm/mempolicy.c’ in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)

• [Moderate] The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)

• [Moderate] It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in ‘block/bio.c’ do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190)

• [Moderate] The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker. (CVE-2017-18203)

• [Moderate] An error in the “_sctp_make_chunk()” function (net/sctp/sm_make_chunk.c) when handling SCTP packet length can be exploited by a malicious local user to cause a kernel crash and a DoS. (CVE-2018-5803)

• [Low] Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory. (CVE-2018-7757)

2.189.3 3. Bug Fixes

• Reloading the nf_conntrack module could result in node crash. (PSBM-85938)

2.189.4 4. Installing the Update

Install the update by running ‘yum update’.

2.189.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1854

• https://www.redhat.com/security/data/cve/CVE-2012-6701.html

• https://www.redhat.com/security/data/cve/CVE-2015-8830.html

• https://www.redhat.com/security/data/cve/CVE-2016-8650.html

• https://www.redhat.com/security/data/cve/CVE-2017-2671.html

• https://www.redhat.com/security/data/cve/CVE-2017-6001.html

• https://www.redhat.com/security/data/cve/CVE-2017-7616.html

• https://www.redhat.com/security/data/cve/CVE-2017-7889.html

• https://www.redhat.com/security/data/cve/CVE-2017-12190.html

• https://www.redhat.com/security/data/cve/CVE-2017-18203.html

• https://www.redhat.com/security/data/cve/CVE-2018-5803.html

• https://www.redhat.com/security/data/cve/CVE-2018-7757.html

• https://www.redhat.com/security/data/cve/CVE-2018-10675.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-041.json.

2.190 Important kernel security update: CVE-2018-10675 and other issues; new kernel 2.6.32-042stab131.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-06-25

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-040

2.190.1 1. Overview

This update provides a new kernel 2.6.32-042stab131.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 that is a rebase to the Red Hat Enterprise Linux 6.10 kernel 2.6.32-754.el6. The new kernel introduces security and stability fixes.

2.190.2 2. Security Fixes

• [Important] The do_get_mempolicy() function in ‘mm/mempolicy.c’ in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannotbe fully ruled out. (CVE-2018-10675)

• [Moderate] It was found that AIO interface didn’t use the proper rw_verify_area() helper function with extended functionality, for example, mandatory locking on the file. Also rw_verify_area() makes extended checks, for example, that the size of the access doesn’t cause overflow of the provided offset limits. This integer overflow in fs/aio.c in the Linux kernel before 3.4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. (CVE-2012-6701)

• [Moderate] Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830)

• [Moderate] A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key. (CVE-2016-8650)

• [Moderate] A race condition leading to a NULL pointer dereference was found in the Linux kernel’s Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system. (CVE-2017-2671)

• [Moderate] It was found that the original fix for CVE-2016-6786 was incomplete. There exists a race between two concurrent sys_perf_event_open() calls when both try to move the same pre-existing software group into a hardware context. (CVE-2017-6001)

• [Moderate] Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in ‘mm/mempolicy.c’ in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation. (CVE-2017-7616)

• [Moderate] The mm subsystem in the Linux kernel through 4.10.10 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)

• [Moderate] It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in ‘block/bio.c’ do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190)

• [Moderate] The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker. (CVE-2017-18203)

• [Moderate] An error in the “_sctp_make_chunk()” function (net/sctp/sm_make_chunk.c) when handling SCTP packet length can be exploited by a malicious local user to cause a kernel crash and a DoS. (CVE-2018-5803)

• [Low] Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory. (CVE-2018-7757)

2.190.3 3. Bug Fixes

• Reloading the nf_conntrack module could result in node crash. (PSBM-85938)

2.190.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.190.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1854

• https://www.redhat.com/security/data/cve/CVE-2012-6701.html

• https://www.redhat.com/security/data/cve/CVE-2015-8830.html

• https://www.redhat.com/security/data/cve/CVE-2016-8650.html

• https://www.redhat.com/security/data/cve/CVE-2017-2671.html

• https://www.redhat.com/security/data/cve/CVE-2017-6001.html

• https://www.redhat.com/security/data/cve/CVE-2017-7616.html

• https://www.redhat.com/security/data/cve/CVE-2017-7889.html

• https://www.redhat.com/security/data/cve/CVE-2017-12190.html

• https://www.redhat.com/security/data/cve/CVE-2017-18203.html

• https://www.redhat.com/security/data/cve/CVE-2018-5803.html

• https://www.redhat.com/security/data/cve/CVE-2018-7757.html

• https://www.redhat.com/security/data/cve/CVE-2018-10675.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-040.json.

2.191 Product update: Virtuozzo 6.0 Update 12 Hotfix 27 (6.0.12-3708)

Issue date: 2018-06-13

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-039

2.191.1 1. Overview

This hotfix provides stability and usability fixes.

2.191.2 2. Bug Fixes

• prl_vzvncserver_app did not honor the –listen parameter that forced VNC server to listen on a specific IP address. (PSBM-80032)

• Unable to install Virtuozzo 6 guest tools in a VM running CentOS 7 with kernel 3.10.0-862.el7 or newer. (PSBM-84831)

2.191.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-039.json.

2.192 Kernel security update: CVE-2018-1130 and other; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.7 HF3

Issue date: 2018-06-01

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-038

2.192.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the Virtuozzo 7.0 kernel 3.10.0-693.21.1.vz7.48.2 (7.0.7 HF3).

2.192.2 2. Security Fixes

• [Moderate] Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

• [Moderate] It was found that _sctp_make_chunk() function did not check if the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash. (CVE-2018-5803)

• [Moderate] It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. (CVE-2017-17448)

• [Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)

• [Moderate] The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task’s default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it. (CVE-2017-17807)

• [Low] net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces. (CVE-2017-17450)

2.192.3 3. Bug Fixes

• Potential kernel crash in tcache_detach_page(). (PSBM-81731)

• If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)

• It was found that offlined memory cgroups were not destroyed for a long time in some cases. As a result, the system could hit the limit on cgroups (65535) and would be unable to create new ones. (PSBM-83628)

• Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system. (PSBM-83691)

• It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result. (PSBM-83746)

• It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of/ns/ /proc/ were created in a new namespace. (PSBM-83874)

2.192.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.192.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-52.0-2.vl7/

• https://access.redhat.com/security/cve/cve-2017-17448

• https://access.redhat.com/security/cve/cve-2017-17449

• https://access.redhat.com/security/cve/cve-2017-17450

• https://access.redhat.com/security/cve/cve-2017-17807

• https://access.redhat.com/security/cve/cve-2018-1130

• https://access.redhat.com/security/cve/cve-2018-5803

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-038.json.

2.193 Important product update: Virtuozzo 7.0 Update 7 Hotfix 3 (7.0.7-461)

Issue date: 2018-05-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-037

2.193.1 1. Overview

The Hotfix 3 for Virtuozzo 7.0 Update 7 provides security and stability fixes.

2.193.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel’s KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest. (CVE-2018-1087)

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. NOTE: This fix also requires CPU microcode/firmware updates and subscribers are advised to contact their hardware OEM vendors to receive the appropriate microcode/firmware for their processor. A kernel update, without the appropriate firmware/microcode updated for the processor, is insufficient to remediate this vulnerability. (CVE-2018-3639)

• [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

2.193.3 3. Bug Fixes

• The ‘ip’ tool could hang on netlink_recvmsg(). As a result, containers could fail to start. (PSBM-84191)

2.193.4 4. Installing the Update

Install the update by running ‘yum update’.

2.193.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1651

• https://access.redhat.com/security/cve/cve-2018-1087

• https://access.redhat.com/security/cve/cve-2018-3639

• https://access.redhat.com/security/cve/cve-2018-8897

• https://access.redhat.com/security/vulnerabilities/pop_ss

• https://access.redhat.com/security/vulnerabilities/ssbd

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-037.json.

2.194 Kernel security update: CVE-2018-5803; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.6 HF3, 7.0.7, and 7.0.7 HF2

Issue date: 2018-05-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-036

2.194.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3), 3.10.0-693.17.1.vz7.43.10 (7.0.7), 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2).

2.194.2 2. Security Fixes

• [Moderate] It was found that _sctp_make_chunk() function did not check if the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash. (CVE-2018-5803)

2.194.3 3. Bug Fixes

• Potential kernel crash in tcache_detach_page(). (PSBM-81731)

2.194.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.194.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-52.0-2.vl7/

• https://access.redhat.com/security/cve/cve-2018-5803

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-036.json.

2.195 Kernel security update: CVE-2018-5803; Virtuozzo ReadyKernel patch 52.0 for Virtuozzo 7.0.3, 7.0.4, 7.0.4 HF3, 7.0.5, and 7.0.6

Issue date: 2018-05-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-035

2.195.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo 7.0 kernels 3.10.0-327.42.0.vz7.20.18 (7.0.3), 3.10.0-514.16.1.vz7.30.10 (7.0.4), 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3), 3.10.0-514.26.1.vz7.33.22 (7.0.5), and 3.10.0-693.1.1.vz7.37.30 (7.0.6).

2.195.2 2. Security Fixes

• [Moderate] It was found that _sctp_make_chunk() function did not check if the chunk length for INIT and INIT_ACK packets was within the allowed limits. A local attacker could exploit this to trigger a kernel crash. (CVE-2018-5803)

2.195.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.195.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-52.0-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-52.0-2.vl7/

• https://access.redhat.com/security/cve/cve-2018-5803

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-035.json.

2.196 Important product update: Fixes for CVE-2018-3639 and CVE-2018-1087 in virtual machines; Virtuozzo 6.0 Update 12 Hotfix 26 (6.0.12-3707)

Issue date: 2018-05-28

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-034

2.196.1 1. Overview

This hotfix provides security fixes for the hypervisor part of Virtuozzo 6.0 Update 12.

2.196.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel’s KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest. (CVE-2018-1087)

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

2.196.3 3. Installing the Update

Install the update by running ‘yum update’.

2.196.4 4. References

• https://access.redhat.com/errata/RHSA-2018:1651

• https://access.redhat.com/security/cve/cve-2018-1087

• https://access.redhat.com/security/cve/cve-2018-3639

• https://access.redhat.com/security/vulnerabilities/pop_ss

• https://access.redhat.com/security/vulnerabilities/ssbd

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-034.json.

2.197 Important kernel security update: CVE-2018-3639; new kernel 2.6.32-042stab130.1; Virtuozzo 6.0 Update 12 Hotfix 25 (6.0.12-3705)

Issue date: 2018-05-23

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-033

2.197.1 1. Overview

This update provides a new kernel 2.6.32-042stab130.1 for Virtuozzo 6.0 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.30.1.el6. The new kernel introduces security and stability fixes.

2.197.2 2. Security Fixes

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

2.197.3 3. Bug Fixes

• Memory corruption after execution of vzreboot on the 042stab129.1 kernel. The issue was inherited from Red Hat kernel 2.6.32-696.28.1.el6: “An erroneous code in the x86 system call path caused a memory corruption. As a consequence, the system became unresponsive with the following kernel stack trace: ‘WARNING: CPU: 13 PID: 36409 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be ffffdd03fddeeca0, but was (null)’. This update ensures that the code does not corrupt memory. As a result, the operating system no longer hangs.” (RHBZ#1573176, PSBM-84796)

2.197.4 4. Installing the Update

Install the update by running ‘yum update’.

2.197.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1651

• https://www.redhat.com/security/data/cve/CVE-2018-3639.html

• https://access.redhat.com/security/vulnerabilities/ssbd

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-033.json.

2.198 Important kernel security update: CVE-2018-3639; new kernel 2.6.32-042stab130.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-05-23

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-032

2.198.1 1. Overview

This update provides a new kernel 2.6.32-042stab130.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.30.1.el6. The new kernel introduces security and stability fixes.

2.198.2 2. Security Fixes

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

2.198.3 3. Bug Fixes

• Memory corruption after execution of vzreboot on the 042stab129.1 kernel. The issue was inherited from Red Hat kernel 2.6.32-696.28.1.el6: “An erroneous code in the x86 kexec system call path caused a memory corruption. As a consequence, the system became unresponsive with the following kernel stack trace: ‘WARNING: CPU: 13 PID: 36409 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0 list_del corruption. prev->next should be ffffdd03fddeeca0, but was (null)’. This update ensures that the code does not corrupt memory. As a result, the operating system no longer hangs.” (RHBZ#1573176, PSBM-84796)

2.198.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.198.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1651

• https://www.redhat.com/security/data/cve/CVE-2018-3639.html

• https://access.redhat.com/security/vulnerabilities/ssbd

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-032.json.

2.199 Tools update: Virtuozzo 6.0 Update 12 Hotfix 24 (6.0.12-3704)

Issue date: 2018-05-18

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-031

2.199.1 1. Overview

This update provides new packages with a stability fix for Virtuozzo 6.0.

2.199.2 2. Bug Fixes

• After upgrading guest OS to CentOS 7.5, ploop-based containers with enabled second-level quotas could fail to start due to the failure of the ‘quotacheck’ binary from the updated ‘quota’ package. (PSBM-84570)

2.199.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-031.json.

2.200 Important kernel security update: CVE-2018-1087 and other; Virtuozzo ReadyKernel patch 51.1 for Virtuozzo 7.0.3 to 7.0.7 HF2

Issue date: 2018-05-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-030

2.200.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to all supported Virtuozzo 7.0 kernels.

2.200.2 2. Security Fixes

• [Important] A flaw was found in how KVM handled exceptions delivered after Mov SS or Pop instructions have encountered a breakpoint. As a result, exceptions passed to the guest kernel could have wrong values on the stack. An unprivileged KVM guest user could use this flaw to crash the guest kernel or, potentially, escalate their privileges in the guest system. (CVE-2018-1087)

• [Important] The implementation of ptrace in the kernel does not handle errors correctly when working with the debug registers. As a result, the hardware breakpoints could become corrupted. An unprivileged user could exploit this flaw to crash the kernel resulting in a denial-of-service, or, potentially, to escalate their privileges in the system. (CVE-2018-1000199)

2.200.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.200.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-51.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-51.1-1.vl7/

• https://access.redhat.com/security/cve/cve-2018-1087

• https://access.redhat.com/security/cve/cve-2018-1000199

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-030.json.

2.201 Important kernel security update: CVE-2017-5754 and other; new kernel 2.6.32-042stab129.1, Virtuozzo 6.0 Update 12 Hotfix 23 (6.0.12-3703)

Issue date: 2018-05-14

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-029

2.201.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab129.1 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.28.1.el6. The new kernel inherits a number of security fixes from RHEL and also introduces internal security and stability fixes.

2.201.2 2. Security Fixes

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. NOTE: This update fixes the 32-bit compatibility layer on x86-64 processors, i.e. when 32-bit containers are executed on 64-bit processors. (CVE-2017-5754)

• [Important] A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to userspace memory was disabled, allowing the destination address to be in kernel space. This flaw could be exploited by an attacker to overwrite kernel memory from an unprivileged userspace process, leading to privilege escalation. (CVE-2017-13166)

• [Moderate] The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task’s default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it. (CVE-2017-17807)

• [Moderate] A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410)

• [Moderate] Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

• [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

• [Low] net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces. (CVE-2017-17450)

• [Low] The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. (CVE-2018-6927)

2.201.3 3. Bug Fixes

• Host could crash while stopping a container with a running PPTP server. (PSBM-83187)

2.201.4 4. Installing the Update

Install the update by running ‘yum update’.

2.201.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1319

• https://www.redhat.com/security/data/cve/CVE-2017-13166.html

• https://www.redhat.com/security/data/cve/CVE-2017-17450.html

• https://www.redhat.com/security/data/cve/CVE-2017-17807.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000410.html

• https://www.redhat.com/security/data/cve/CVE-2018-1130.html

• https://www.redhat.com/security/data/cve/CVE-2018-5754.html

• https://www.redhat.com/security/data/cve/CVE-2018-6927.html

• https://www.redhat.com/security/data/cve/CVE-2018-8897.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-029.json.

2.202 Important kernel security update: CVE-2017-5754 and other; new kernel 2.6.32-042stab129.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-05-14

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-028

2.202.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab129.1 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.28.1.el6. The new kernel inherits a number of security fixes from RHEL and also introduces internal security and stability fixes.

2.202.2 2. Security Fixes

• [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. NOTE: This update fixes the 32-bit compatibility layer on x86-64 processors, i.e. when 32-bit containers are executed on 64-bit processors. (CVE-2017-5754)

• [Important] A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to userspace memory was disabled, allowing the destination address to be in kernel space. This flaw could be exploited by an attacker to overwrite kernel memory from an unprivileged userspace process, leading to privilege escalation. (CVE-2017-13166)

• [Moderate] The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task’s default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it. (CVE-2017-17807)

• [Moderate] A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410)

• [Moderate] Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

• [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

• [Low] net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces. (CVE-2017-17450)

• [Low] The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. (CVE-2018-6927)

2.202.3 3. Bug Fixes

• Host could crash while stopping a container with a running PPTP server. (PSBM-83187)

2.202.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.202.5 5. References

• https://access.redhat.com/errata/RHSA-2018:1319

• https://www.redhat.com/security/data/cve/CVE-2017-13166.html

• https://www.redhat.com/security/data/cve/CVE-2017-17450.html

• https://www.redhat.com/security/data/cve/CVE-2017-17807.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000410.html

• https://www.redhat.com/security/data/cve/CVE-2018-1130.html

• https://www.redhat.com/security/data/cve/CVE-2018-5754.html

• https://www.redhat.com/security/data/cve/CVE-2018-6927.html

• https://www.redhat.com/security/data/cve/CVE-2018-8897.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-028.json.

2.203 Kernel update: Virtuozzo ReadyKernel patch 50.0 for Virtuozzo 7.0.3 to 7.0.7 HF2

Issue date: 2018-05-10

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-027

2.203.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to all supported Virtuozzo 7.0 kernels.

2.203.2 2. Bug Fixes

• It was discovered that the newer versions of ip utility (4.11.0, for example) may hang in netlink_recvmsg() when running on the kernel 3.10.0-693.21.1.vz7.46.7 and older. This was caused by misinterpretation of netlink commands. (PSBM-84191)

2.203.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.203.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-50.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-50.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-027.json.

2.204 Kernel security update: Virtuozzo ReadyKernel patch 49.1 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2018-05-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-026

2.204.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-514.16.1.vz7.30.10 (7.0.4) and 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3).

2.204.2 2. Security Fixes

• [Moderate] It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. (CVE-2017-17448)

• [Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)

• [Low] It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules. (CVE-2017-17450)

• [Moderate] The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it. (CVE-2017-17807)

• [Moderate] If ‘dccp_ipv6’ module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls. (PSBM-83692)

2.204.3 3. Bug Fixes

• If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)

• It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of/ns/ /proc/ were created in a new namespace. (PSBM-83874)

2.204.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.204.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-49.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-49.1-1.vl7/

• https://access.redhat.com/security/cve/cve-2017-17448

• https://access.redhat.com/security/cve/cve-2017-17449

• https://access.redhat.com/security/cve/cve-2017-17450

• https://access.redhat.com/security/cve/cve-2017-17807

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-026.json.

2.205 Kernel security update: Virtuozzo ReadyKernel patch 49.0 for Virtuozzo 7.0.7 and 7.0.7 HF2

Issue date: 2018-05-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-025

2.205.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-693.17.1.vz7.43.10 (7.0.7) and 3.10.0-693.21.1.vz7.46.7 (7.0.7 HF2).

2.205.2 2. Security Fixes

• [Moderate] It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. (CVE-2017-17448)

• [Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)

• [Low] It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules. (CVE-2017-17450)

• [Moderate] The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it. (CVE-2017-17807)

• [Moderate] If ‘dccp_ipv6’ module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls. (PSBM-83692)

2.205.3 3. Bug Fixes

• If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)

• It was found that offlined memory cgroups were not destroyed for a long time in some cases. As a result, the system could hit the limit on cgroups (65535) and would be unable to create new ones. (PSBM-83628)

• Kernel crash in shrink_slab() when trying to mount an image with a broken ext4 file system. (PSBM-83691)

• It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result. (PSBM-83746)

• It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of/ns/ /proc/ were created in a new namespace. (PSBM-83874)

2.205.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.205.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-49.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-49.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2017-17448

• https://access.redhat.com/security/cve/cve-2017-17449

• https://access.redhat.com/security/cve/cve-2017-17450

• https://access.redhat.com/security/cve/cve-2017-17807

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-025.json.

2.206 Kernel security update: Virtuozzo ReadyKernel patch 49.0 for Virtuozzo 7.0.1, 7.0.3, 7.0.5, 7.0.6, and 7.0.6 HF3

Issue date: 2018-05-07

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-024

2.206.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo 7.0 kernels 3.10.0-327.42.0.vz7.18.7 (7.0.1), 3.10.0-327.42.0.vz7.20.18 (7.0.3), 3.10.0-514.26.1.vz7.33.22 (7.0.5), 3.10.0-693.1.1.vz7.37.30 (7.0.6), and 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3). NOTE: No more patches are planned for kernel 3.10.0-327.47.0.vz7.18.7, support for which ends with this update.

2.206.2 2. Security Fixes

• [Moderate] It was discovered that nfnl_cthelper_list structure was accessible to any user with CAP_NET_ADMIN capability in a network namespace. An unprivileged local user could exploit that to affect netfilter conntrack helpers on the host. (CVE-2017-17448)

• [Moderate] It was discovered that a nlmon link inside a child network namespace was not restricted to that namespace. An unprivileged local user could exploit that to monitor system-wide netlink activity. (CVE-2017-17449)

• [Low] It was discovered that xt_osf_fingers data structure was accessible from any network namespace. This allowed unprivileged local users to bypass intended access restrictions and modify the system-wide OS fingerprint list used by specific iptables rules. (CVE-2017-17450)

• [Moderate] The KEYS subsystem omitted an access-control check when writing a key to the default keyring of the current task, allowing a local user to bypass security checks for the keyring. This compromised the validity of the keyring for those who relied on it. (CVE-2017-17807)

• [Moderate] If ‘dccp_ipv6’ module was loaded on the host, a local unprivileged user could trigger a kernel crash in dccp_write_xmit() or inet_csk_get_port() using a specially crafted sequence of system calls. (PSBM-83692)

2.206.3 3. Bug Fixes

• If the kernel failed to create an IPv6 socket, for example, due to cgroup.memsw limit, it would crash in ip6mr_sk_done() when trying to clean up multicast routes. (PSBM-83474)

• It was discovered that the BUG_ON() check in move_freepages() did not verify that the relevant memory pages were valid. The kernel could crash as a result. (PSBM-83746)

• It was discovered that clone_mnt() did not clear MNT_INTERNAL flag for the internal mounts. As a result, the kernel could crash due to a stack overflow if lots of bind mounts of/ns/ /proc/ were created in a new namespace. (PSBM-83874)

2.206.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.206.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-49.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-49.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-49.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-49.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-49.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2017-17448

• https://access.redhat.com/security/cve/cve-2017-17449

• https://access.redhat.com/security/cve/cve-2017-17450

• https://access.redhat.com/security/cve/cve-2017-17807

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67f93df79aeefc3add4e4b31a752600f834236e2

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-024.json.

2.207 Kernel update: new kernel 3.10.0-693.21.1.vz7.46.7, Virtuozzo 7.0 Update 7 Hotfix 2 (7.0.7-453)

Issue date: 2018-04-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-023

2.207.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0 Update 7 provides a new kernel 3.10.0-693.21.1.vz7.46.7 that introduces stability and usability bug fixes. In addition, this kernel was recompiled by the updated gcc with retpolines support. Retpolines are a technique used by the kernel to reduce overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715.

2.207.2 2. Bug Fixes

• Loadavg reported incorrect values for containers with CPU CGroups. (PSBM-81572)

• IPv6 routing tables incorrectly handled routing rules for throw routes. (PSBM-81798)

• Container could stay mounted after ‘shutdown -h now’ had been run inside it. (PSBM-82766)

• Fixed nodes crashing in various circumstances. (PSBM-82984, PSBM-83102, PSBM-83474)

• prlctl could stop working on node due to dispatcher using too many file descriptors. (PSBM-83282)

• Improved performance of inode extents shrinking in cases when many shrinkers are working on a single superblock simultaneously. (PSBM-83335)

• VA Agent could crash due to a segmentation fault. (PSBM-83405)

2.207.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-023.json.

2.208 Kernel update: Virtuozzo ReadyKernel patch 48.1 for Virtuozzo 7.0.1 to 7.0.5

Issue date: 2018-04-16

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-022

2.208.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the Virtuozzo 7.0 kernels 3.10.0-327.42.0.vz7.18.7 (7.0.1), 3.10.0-327.42.0.vz7.20.18 (7.0.3), 3.10.0-514.16.1.vz7.30.10 (7.0.4), 3.10.0-514.16.1.vz7.30.15 (7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (7.0.5).

2.208.2 2. Bug Fixes

• It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup(). (PSBM-81798)

• It was discovered that incorrect container state could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused user-space tools. As a result, such a container could remain mounted after ‘shutdown -h now’ was performed in it. (PSBM-82766)

• The fix for PSBM-71747 (‘netlink: fix an use-after-free issue for nlk groups.’) was updated to avoid potential memory leak and kernel warnings when explicitly unloading the ReadyKernel patch. (PSBM-83362)

2.208.3 3. Installing the Update

Install the update by running ‘yum update’.

2.208.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-48.1-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-48.1-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-48.1-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-48.1-2.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-48.1-2.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-022.json.

2.209 Product update: Virtuozzo 7.0 Update 7 Hotfix 1 (7.0.7-445)

Issue date: 2018-04-13

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-021

2.209.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0 Update 7 provides stability and usability bugfixes.

2.209.2 2. Bug Fixes

• Container migration could sometimes fail due to a CRIU issue. (PSBM-82558)

• ‘prlctl qemu-update’ could fail due to unnamed dirty bitmaps. This could result in backups not working for VMs where QEMU update had failed. (PSBM-82711)

• QCOW2 cluster size could be lost on image resize. (PSBM-82809)

• Unable to create bond connections in Virtuozzo installer. (PSBM-82921)

• It was not clear from documentation that assigning role ‘Metadata+Cache’ to system SSD is restricted. (PSBM-82995)

• VMs with routed networking could become inaccessible over network after upgrading to Update 7. (PSBM-83159)

• Option to change keyboard layout missing from the installer. (PSBM-83285)

2.209.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-021.json.

2.210 Kernel update: Virtuozzo ReadyKernel patch 48.0 for Virtuozzo 7.0.6 and 7.0.6 HF3

Issue date: 2018-04-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-020

2.210.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the Virtuozzo 7.0 kernels 3.10.0-693.1.1.vz7.37.30 (7.0.6) and 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3).

2.210.2 2. Bug Fixes

• It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup(). (PSBM-81798)

• It was discovered that incorrect container state could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused user-space tools. As a result, such a container could remain mounted after ‘shutdown -h now’ was performed in it. (PSBM-82766)

2.210.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.210.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-48.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-48.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-020.json.

2.211 Kernel update: Virtuozzo ReadyKernel patch 48.0 for Virtuozzo 7.0.7

Issue date: 2018-04-10

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-019

2.211.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to the Virtuozzo 7.0 kernel 3.10.0-693.17.1.vz7.43.10 (7.0.7).

2.211.2 2. Bug Fixes

• If a container used its own network namespace for tun devices, suspend/resume and live migration of said container would fail with errors like ‘Can’t create tun device’. NOTE: Both this ReadyKernel patch and updated CRIU are needed to fix the issue. (PSBM-79229)

• It was discovered that IPv6 routing tables incorrectly handled routing rules for throw routes. This happened because errors were not propagated properly up to the fib_rules_lookup(). (PSBM-81798)

• It was discovered that incorrect container state could be reported in /sys/fs/cgroup/ve/CTID/ve.state in some cases, which confused user-space tools. As a result, such a container could remain mounted after ‘shutdown -h now’ was performed in it. (PSBM-82766)

• Potential kernel crash in fs/file.c: out-of-bounds access to the file descriptor table. (PSBM-82984)

2.211.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.211.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-48.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-019.json.

2.212 Kernel security update: CVE-2017-18017 and other; new kernel 2.6.32-042stab128.2, Virtuozzo 6.0 Update 12 Hotfix 22 (6.0.12-3701)

Issue date: 2018-03-26

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-017

2.212.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab128.2 that introduces security and stability fixes and is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.23.1.el6. This kernel was recompiled by the updated gcc with retpolines support. Retpolines are a technique used by the kernel to reduce overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715. In addition, the update features a non-kernel fix for VSTOR-7228.

2.212.2 2. Security Fixes

• [Moderate] In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size() function in ‘net/rds/rdma.c’) and thus to a system panic. (CVE-2018-5332)

• [Moderate] The rds_cmsg_atomic() function in ‘net/rds/rdma.c’ mishandles cases where page pinning fails or an invalid address is supplied by a user. This can lead to a NULL pointer dereference in rds_atomic_free_op() and thus to a system panic. (CVE-2018-5333)

• [Moderate] The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. (CVE-2017-18017)

2.212.3 3. Bug Fixes

• Fixed compilation warning in ip_map_cached_get(). (PSBM-80063)

• An NFS server kernel thread running on the host crashed in vzquota_dparent_check_same(). (PSBM-80879)

• Minor ploop improvements. (PSBM-81964)

• [Non-kernel] pstorage top/stat commands did not show all CSes. (VSTOR-7228)

2.212.4 4. Installing the Update

Install the update by running ‘yum update’.

2.212.5 5. References

• https://access.redhat.com/errata/RHSA-2018:0169

• https://access.redhat.com/errata/RHSA-2018:0512

• https://access.redhat.com/errata/RHBA-2018:0513

• https://www.redhat.com/security/data/cve/CVE-2018-5332.html

• https://www.redhat.com/security/data/cve/CVE-2018-5333.html

• https://www.redhat.com/security/data/cve/CVE-2017-18017.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-017.json.

2.213 Kernel security update: CVE-2017-18017 and other; new kernel 2.6.32-042stab128.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-03-26

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-016

2.213.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab128.2 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.23.1.el6. This kernel was recompiled by the updated gcc with retpolines support. Retpolines are a technique used by the kernel to reduce overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715. The kernel also introduces security and stability fixes.

2.213.2 2. Security Fixes

• [Moderate] In the Linux kernel through 4.14.13, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size() function in ‘net/rds/rdma.c’) and thus to a system panic. (CVE-2018-5332)

• [Moderate] The rds_cmsg_atomic() function in ‘net/rds/rdma.c’ mishandles cases where page pinning fails or an invalid address is supplied by a user. This can lead to a NULL pointer dereference in rds_atomic_free_op() and thus to a system panic. (CVE-2018-5333)

• [Moderate] The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. (CVE-2017-18017)

2.213.3 3. Bug Fixes

• Fixed compilation warning in ip_map_cached_get(). (PSBM-80063)

• An NFS server kernel thread running on the host crashed in vzquota_dparent_check_same(). (PSBM-80879)

• Minor ploop improvements. (PSBM-81964)

2.213.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.213.5 5. References

• https://access.redhat.com/errata/RHSA-2018:0169

• https://access.redhat.com/errata/RHSA-2018:0512

• https://access.redhat.com/errata/RHBA-2018:0513

• https://www.redhat.com/security/data/cve/CVE-2018-5332.html

• https://www.redhat.com/security/data/cve/CVE-2018-5333.html

• https://www.redhat.com/security/data/cve/CVE-2017-18017.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-016.json.

2.214 Important kernel security update: CVE-2018-1068; Virtuozzo ReadyKernel patch 47.0 for Virtuozzo 7.0.7

Issue date: 2018-03-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-015

2.214.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the Virtuozzo 7.0 kernel 3.10.0-693.17.1.vz7.43.10 (7.0.7).

2.214.2 2. Security Fixes

• [Important] It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from the user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space. (CVE-2018-1068)

2.214.3 3. Bug Fixes

• Potential kernel hang (endless loop) in try_charge(). (PSBM-81939)

• The fix for a race in tcache inadvertently broke tcache invalidation, leading to kernel warnings in tcache_invalidate_node_pages() among other things. (PSBM-81940)

2.214.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.214.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-47.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2018-1068

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-015.json.

2.215 Important kernel security update: CVE-2018-1068; Virtuozzo ReadyKernel patch 47.0 for Virtuozzo 7.0.1 to 7.0.6 HF3

Issue date: 2018-03-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-014

2.215.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo 7.0 kernels except 3.10.0-693.17.1.vz7.43.10 (7.0.7).

2.215.2 2. Security Fixes

• [Important] It was discovered that the implementation of ebtables in the kernel did not properly validate the offsets received from the user space. A local user with enough privileges in the user and network namespaces could use that to trigger an out-of-bounds write to the kernel address space. (CVE-2018-1068)

2.215.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.215.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-47.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-47.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2018-1068

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-014.json.

2.216 Product update: Virtuozzo 7.0 Update 7 (7.0.7-423)

Issue date: 2018-03-16

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-013

2.216.1 1. Overview

The Update 7 for Virtuozzo 7.0 provides new features as well as stability and usability bug fixes.

2.216.2 2. New Features

• Container and VM templates on shared storage. You can now store container and virtual machine templates in shared directories of Virtuozzo Storage clusters. These templates will be available to any server participating in the cluster. (PSBM-17712)

• Linked VM clones. You can now create linked clones of virtual machines. A linked clone is a copy of a VM that shares virtual disks with the original VM. Linked clones take less time and disk space to deploy as they store only changes to the original disks rather than copy them whole. (PSBM-22742)

• Punch holes are now enabled by default for Virtuozzo Storage in replication mode. (PSBM-69355)

• Automatic installation of guest tools in VMs without ‘cloud-init’. Virtuozzo guest tools can be installed automatically on VM start. Previously, doing so required ‘cloud-init’. Now the same can also be done without it by means of the ‘vz-guest-tools-updater’ tool. (PSBM-71297)

• Added support for Ubuntu 17.10 guest OS in virtual machines. (PSBM-77278)

• Optimized memory usage for Virtuozzo Storage services to improve overall system stability. (PSBM-78244)

• The maximum size of virtual HDD in containers has been increased to 50 TB. (PSBM-79608)

2.216.3 3. Bug Fixes

• Enabling nested virtualization for VM could fail due to a bug in libvirt. (PSBM-79872)

• Setting IP address to a VM without guest tools returned error even though operation was completed. (PSBM-81107)

• State was not set correctly for running containers upon resume, which could break HA. (PSBM-81408)

• Backup and restore could take too much time. (PSBM-40435)

• Could not set name server for VMs using prlctl. (PSBM-68559)

• Libvirt on host could hang due to the presence of native qemu-guest-agent in a VM. (PSBM-75094)

• Host could crash due to an issue in mem_cgroup_iter. (PSBM-75892)

• Manual partitioning did not work in the Virtuozzo installer. (PSBM-76793)

• The global configuration flag ‘proxy_arp’ caused issues in networks with VLANs without IP addresses. (PSBM-77115)

• Host could crash after executing ‘shutdown -r’ inside a container with VA MN. (PSBM-77154)

• Attempt to update qemu-kvm could cause it to hog all CPU resources on host. (PSBM-78786)

• Container live migration could fail due to CRIU issues. (PSBM-78827)

• Some Windows ISO images were incompatible with the virtual floppy disk with guest tools. (PSBM-81616)

• prlctl start/stop could fail due to libvirtd consuming too much RAM on host. (PSBM-81684)

• Other fixes. (PSBM-47951, PSBM-51556, PSBM-58423, PSBM-65650, PSBM-69296, PSBM-72740, PSBM-73238, PSBM-75504, PSBM-75509, PSBM-76988, PSBM-77545, PSBM-77949, PSBM-78056, PSBM-78412, PSBM-78861, PSBM-78944, PSBM-78974, PSBM-79462, PSBM-79499, PSBM-79502, PSBM-79503, PSBM-79509, PSBM-79870, PSBM-80055, PSBM-80056, PSBM-80340, PSBM-80368, PSBM-80421, PSBM-80585, PSBM-80748, PSBM-80811, PSBM-80870, PSBM-81264, PSBM-81411, PSBM-81534, PSBM-81545, PSBM-81704, PSBM-81753, PSBM-81762, PSBM-81869, PSBM-81881, PSBM-82295)

2.216.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-013.json.

2.217 Kernel update: Virtuozzo ReadyKernel patch 46.0 for Virtuozzo 7.0.5, 7.0.6, and 7.0.6 HF3

Issue date: 2018-03-15

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-012

2.217.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to Virtuozzo kernels 3.10.0-514.26.1.vz7.33.22 (7.0.5), 3.10.0-693.1.1.vz7.37.30 (7.0.6), and 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3).

2.217.2 2. Bug Fixes

• Potential kernel hang (lockup) during destruction of cgroups. (PSBM-82021)

2.217.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.217.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-46.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-46.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-46.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-012.json.

2.218 Kernel update: Virtuozzo ReadyKernel patch 45.0 for Virtuozzo 7.0.5, 7.0.6, and 7.0.6 HF3

Issue date: 2018-03-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-011

2.218.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to Virtuozzo kernels 3.10.0-514.26.1.vz7.33.22 (7.0.5), 3.10.0-693.1.1.vz7.37.30 (7.0.6), and 3.10.0-693.11.6.vz7.40.4 (7.0.6 HF3).

2.218.2 2. Bug Fixes

• Potential kernel hang (endless loop) in try_charge(). (PSBM-81939)

2.218.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.218.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-45.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-45.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-45.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-011.json.

2.219 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.6 and 7.0.6 HF3

Issue date: 2018-02-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-010

2.219.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3).

2.219.2 2. Bug Fixes

• Hard lockups happened when the kernel was processing SAK (Secure Attention Key). (PSBM-80340)

• Memory cgroups were not correctly released during start/stop of containers with Docker. If the node had a significant amount of such containers, this could lead to stopped containers not starting again. (PSBM-81264)

• vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues. (PSBM-81488)

• Memcg swpin/swpout stats were calculated incorrectly. (PSBM-81509)

• Ploop: some I/O requests were not marked as completed in case of errors. (PSBM-81600)

2.219.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.219.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-44.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-44.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-010.json.

2.220 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.4 and 7.0.4 HF3, and 7.0.5

Issue date: 2018-02-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-009

2.220.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.220.2 2. Bug Fixes

• Hard lockups happened when the kernel was processing SAK (Secure Attention Key). (PSBM-80340)

• Memory cgroups were not correctly released during start/stop of containers with Docker. If the node had a significant amount of such containers, this could lead to stopped containers not starting again. (PSBM-81264)

• vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues. (PSBM-81488)

• Ploop: some I/O requests were not marked as completed in case of errors. (PSBM-81600)

2.220.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.220.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-44.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-44.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-44.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-009.json.

2.221 Kernel update: Virtuozzo ReadyKernel patch 44.0 for Virtuozzo 7.0.1 and 7.0.3

Issue date: 2018-02-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-008

2.221.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1) and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).

2.221.2 2. Bug Fixes

• Hard lockups happened when the kernel was processing SAK (Secure Attention Key). (PSBM-80340)

• vstorage-mount spent a lot of time in isolate_freepages_block() in some cases, causing performance issues. (PSBM-81488)

• Ploop: some I/O requests were not marked as completed in case of errors. (PSBM-81600)

2.221.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.221.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-44.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-44.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-008.json.

2.222 Kernel security update: CVE-2018-5344 and other; Virtuozzo ReadyKernel patch 43.0 for Virtuozzo 7.0.x

Issue date: 2018-02-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-007

2.222.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported Virtuozzo kernels. NOTE: No more patches are planned for kernel 3.10.0-327.18.2.vz7.15.2, support for which ends with this update.

2.222.2 2. Security Fixes

• [Moderate] It was found that release() operation for the loop devices had insufficient protection for the device structures against the accesses from the concurrent open() operations. A local attacker could use specially arranged concurrent operations with a loop device to cause a denial of service (kernel crash due to a use-after-free error). (CVE-2018-5344)

• [Moderate] It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption. (PSBM-80839)

2.222.3 3. Bug Fixes

• Docker v17.11 and newer failed to start in containers. Starting from v17.11, Docker checks if all cgroups are mounted and refuses to start if some cgroups are not. Some of Virtuozzo-specific cgroups were visible but not mounted in containers, which prevented Docker from starting properly. (PSBM-80421, PSBM-81033)

• Kernel crash in mem_cgroup_iter(). (PSBM-81090)

2.222.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.222.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-43.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-43.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2018-5344

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-007.json.

2.223 Important product update: Fixes for Meltdown and Spectre exploits in virtual machines; Virtuozzo 6.0 Update 12 Hotfix 21 (6.0.12-3698)

Issue date: 2018-02-01

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-006

2.223.1 1. Overview

Hotfix 21 for Virtuozzo 6.0 Update 12 provides fixes for Meltdown and Spectre exploits in virtual machines as well as stability and usability bug fixes. NOTE: For clusters with CPU pools, follow the instructions in KB article #2919459.

2.223.2 2. Security Fixes

• [Important] CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715)

• [Important] CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)

• [Important] CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754)

2.223.3 3. Bug Fixes

• Rebooting the node while a backup of a VM was being created could make that VM unbootable. (PSBM-39311)

• A Windows 10 VM could crash after the installation of Creators Update (1703). (PSBM-76329)

• Fixes for Meltdown and Spectre exploits in virtual machines. (PSBM-80320)

• Uninstalling guest tools could make VM unbootable. (PSBM-80327)

• Guest tools could not be stopped gracefully in guests with ‘systemd’. (PSBM-80976)

2.223.4 4. Installing the Update

Install the update by running ‘yum update’.

2.223.5 5. References

• https://access.redhat.com/errata/RHSA-2018:0008

• https://www.redhat.com/security/data/cve/CVE-2017-5715.html

• https://www.redhat.com/security/data/cve/CVE-2017-5753.html

• https://www.redhat.com/security/data/cve/CVE-2017-5754.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-006.json.

2.224 Kernel security update: CVE-2017-18017; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.4, 7.0.4 HF3, 7.0.5, 7.0.6, and 7.0.6 HF3

Issue date: 2018-01-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-005

2.224.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5), 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6), and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3).

2.224.2 2. Security Fixes

• [Moderate] If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker could cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets. (CVE-2017-18017)

2.224.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.224.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-42.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-18017

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-005.json.

2.225 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2018-01-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-004

2.225.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).

2.225.2 2. Security Fixes

• [Important] A vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

• [Moderate] The function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. An unprivileged local user could use this vulnerability to crash the system. (CVE-2017-15129)

• [Moderate] If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker could cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets. (CVE-2017-18017)

• [Moderate] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, could exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

2.225.3 3. Bug Fixes

• memcgroup: potential deadlocks and soft lockups. (PSBM-76011)

• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

• The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)

• Migrating large memory ranges could take a while. With no resched points available, it caused soft lockups in isolate_lru_page(). (PSBM-79273)

• Kernel warnings about memory allocation failures in vznetstat. (PSBM-79502)

2.225.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.225.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-42.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-42.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-15129

• https://access.redhat.com/security/cve/CVE-2017-16939

• https://access.redhat.com/security/cve/CVE-2017-18017

• https://access.redhat.com/security/cve/CVE-2017-1000405

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-004.json.

2.226 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 3.10.0-693.11.6.vz7.40.4, Virtuozzo 7.0 Update 6 Hotfix 3 (7.0.6-710)

Issue date: 2018-01-08

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-003

2.226.1 1. Overview

This update provides a new Virtuozzo 7.0 kernel 3.10.0-693.11.6.vz7.40.4 that is a rebase to the Red Hat Enterprise Linux 7 kernel 3.10.0-693.11.6.el7. The rebase fixes an industry-wide issue that was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. NOTE: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update mitigations for x86-64 architecture are provided.

2.226.2 2. Security Fixes

• [Important] CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715)

• [Important] CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)

• [Important] CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754)

2.226.3 3. Installing the Update

Install the update by running ‘yum update’.

2.226.4 4. References

• https://access.redhat.com/errata/RHSA-2018:0007

• https://access.redhat.com/errata/RHSA-2018:0023

• https://access.redhat.com/errata/RHSA-2018:0029

• https://www.redhat.com/security/data/cve/CVE-2017-5715.html

• https://www.redhat.com/security/data/cve/CVE-2017-5753.html

• https://www.redhat.com/security/data/cve/CVE-2017-5754.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-003.json.

2.227 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2, Virtuozzo 6.0 Update 12 Hotfix 20 (6.0.12-3690)

Issue date: 2018-01-06

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2018-002

2.227.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab127.2 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.18.7.el6. The rebase fixes an industry-wide issue that was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. NOTE: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update mitigations for x86-64 architecture are provided. The new kernel also introduces internal stability fixes.

2.227.2 2. Security Fixes

• [Important] CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715)

• [Important] CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)

• [Important] CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754)

2.227.3 3. Bug Fixes

• A null-pointer dereference in net/rds/rdma.c:__rds_rdma_map() could allow a local attacker to cause denial of service. (PSBM-79750)

• Start of a container with NFS server inside could result in node crash due to a bug in auth_domain_put(). (PSBM-80028)

2.227.4 4. Installing the Update

Install the update by running ‘yum update’.

2.227.5 5. References

• https://access.redhat.com/errata/RHSA-2018:0008

• https://www.redhat.com/security/data/cve/CVE-2017-5715.html

• https://www.redhat.com/security/data/cve/CVE-2017-5753.html

• https://www.redhat.com/security/data/cve/CVE-2017-5754.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-002.json.

2.228 Important kernel security update: Fixes for Meltdown and Spectre exploits; new kernel 2.6.32-042stab127.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-01-06

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-001

2.228.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab127.2 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.18.7.el6. The rebase fixes an industry-wide issue that was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. NOTE: This issue is present in hardware and cannot be fully fixed via software update. The updated kernel packages provide software mitigation for this hardware issue at a cost of potential performance penalty. Please refer to References section for further information about this issue and the performance impact. In this update mitigations for x86-64 architecture are provided. The new kernel also introduces internal stability fixes.

2.228.2 2. Security Fixes

• [Important] CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715)

• [Important] CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5753)

• [Important] CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. (CVE-2017-5754)

2.228.3 3. Bug Fixes

• A null-pointer dereference in net/rds/rdma.c:__rds_rdma_map() could allow a local attacker to cause denial of service. (PSBM-79750)

• Start of a container with NFS server inside could result in node crash due to a bug in auth_domain_put(). (PSBM-80028)

2.228.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.228.5 5. References

• https://access.redhat.com/errata/RHSA-2018:0008

• https://www.redhat.com/security/data/cve/CVE-2017-5715.html

• https://www.redhat.com/security/data/cve/CVE-2017-5753.html

• https://www.redhat.com/security/data/cve/CVE-2017-5754.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-001.json.

2.229 Kernel security update: Virtuozzo ReadyKernel patch 41.1 for Virtuozzo 7.0.4, 7.0.4 HF3, 7.0.5, and 7.0.6

Issue date: 2017-12-26

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-120

2.229.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5), and 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).

2.229.2 2. Security Fixes

• [Low] The sctp_do_peeloff() function in the Linux kernel before 4.14 did not check whether the intended netns was used in a peel-off action, which allowed local users to cause a denial of service (use-after-free in sctp_cmp_addr_exact() resulting in system crash) or possibly have unspecified other impact via crafted system calls. (CVE-2017-15115)

2.229.3 3. Bug Fixes

• Migrating large memory ranges could take a while. With no resched points available, it caused soft lockups in isolate_lru_page(). (PSBM-79273)

• Kernel warnings about memory allocation failures in vznetstat. (PSBM-79502)

2.229.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.229.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-41.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-41.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-41.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-41.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-15115

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-120.json.

2.230 Product update: Virtuozzo 7.0 Update 6 Hotfix 2 (7.0.6-695)

Issue date: 2017-12-26

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-119

2.230.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0 Update 6 provides a new feature as well as stability and usability bugfixes.

2.230.2 2. New Features

• Support for Ubuntu 17.10 in Containers. (PSBM-77277)

2.230.3 3. Bug Fixes

• Resource alerts could be shown in Virtuozzo Automator for Windows VMs with enough resources. (PSBM-65549)

• Container live migration could fail due to a CRIU container suspend issue with error ‘No mount point found’. (PSBM-78460)

• The ‘prlctl migrate --clone’ command could remove the nameserver and gateway values from the resulting VM config. (PSBM-78644)

• A VM previously marked as a template could lose the template status after restarting the ‘prl-disp’ service if the ‘PGVLF_GET_ONLY_IDENTITY_INFO’ flag had been set. (PSBM-78995)

• Sometimes ARP and IP records were not cleaned up on the source node after successful migration. (PSBM-79188)

• Only the last IP address was added after attempting to add multiple IP addresses with the ‘vzctl set --ipadd’ command. (PSBM-79391)

2.230.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-119.json.

2.231 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.6

Issue date: 2017-12-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-117

2.231.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).

2.231.2 2. Security Fixes

• [Important] Potential use-after-free in the processing of namespaces. (PSBM-78904)

2.231.3 3. Bug Fixes

• The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)

• A warning about FR_PENDING bit was printed by request_end() because fuse_request_send_background() did not clear that bit. (PSBM-78342)

• vstorage service hung in wait_iff_congested() in some cases. As it turned out, the improvements in splice() operation in FUSE (PSBM-77949) included in ReadyKernel patches v39.x were not enough to fix the issue. Excessive COMMIT operations made by releasepage() in NFS resulted in performance degradation too. (PSBM-78788)

2.231.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.231.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-40.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-117.json.

2.232 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.5

Issue date: 2017-12-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-116

2.232.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.232.2 2. Security Fixes

• [Important] Potential use-after-free in the processing of namespaces. (PSBM-78904)

2.232.3 3. Bug Fixes

• The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)

• A warning about FR_PENDING bit was printed by request_end() because fuse_request_send_background() did not clear that bit. (PSBM-78342)

2.232.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.232.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-40.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-116.json.

2.233 Important kernel security update: Virtuozzo ReadyKernel patch 40.0 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-12-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-115

2.233.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.233.2 2. Security Fixes

• [Important] Potential use-after-free in the processing of namespaces. (PSBM-78904)

2.233.3 3. Bug Fixes

• The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)

2.233.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.233.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-40.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-40.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-115.json.

2.234 Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2, Virtuozzo 6.0 Update 12 Hotfix 19 (6.0.12-3689)

Issue date: 2017-12-15

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-114

2.234.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab126.2 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel introduces security and stability fixes.

2.234.2 2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

2.234.3 3. Installing the Update

Install the update by running ‘yum update’.

2.234.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-114.json.

2.235 Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-12-15

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-113

2.235.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab126.2 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel introduces security and stability fixes.

2.235.2 2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

2.235.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.235.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-113.json.

2.236 Product update: Virtuozzo Storage 2.3 (2.3.0-91)

Issue date: 2017-12-12

Applies to: Virtuozzo Storage 2.3

Virtuozzo Advisory ID: VZA-2017-112

2.236.1 1. Overview

Virtuozzo Storage 2.3 provides new features and stability enhancements.

2.236.2 2. New Features

• Support for Object Storage (S3, Azure, Swift, etc.) by Acronis Backup Gateway. Users can now store Acronis Backup Cloud backups in external object storages via Acronis Backup Gateway. Supported object storages include Microsoft Azure, Amazon S3, IBM Cloud, Alibaba Cloud, IIJ, Softlayer, Cleversafe, as well as other solutions using the S3 or Swift protocol.

• Automated backup data migration from Acronis Storage Gateway v1.x via Acronis Backup Gateway. It is now possible to migrate backup data from the older Acronis Storage Gateway solutions to storage backends supported by Acronis Backup Gateway. Migration is performed without service interruption.

• NFS support. Users can now store general purpose files in Virtuozzo Storage cluster via the NFSv4 and pNFS protocols. Also supported now is Kerberos and LDAP integration with NFS for user authentication and authorization.

• Acronis Backup Gateway geo-replication (technical availability). Virtuozzo Storage 2.3 provides the technical availability of master-slave geo-replication of backup storage. For now, this feature can only be configured by the technical support team.

• E-mail notifications configured in the Virtuozzo Storage management panel. It is now possible to receive e-mails about cluster alerts, including license expiration, node/disk failure, and such.

• Quality of service for iSCSI in Virtuozzo Storage. It is now possible to set limits on IOPS and network bandwidth per iSCSI target.

• S3 geo-replication in Virtuozzo Storage. Virtuozzo Storage can now store and keep up-to-date replicas of data in multiple geographically distributed datacenters with S3 clusters based on Virtuozzo Storage. Geo-replication works in the Active-Active mode.

• Custom SSL certificates for the Virtuozzo Storage management panel. Users can now install custom SSL certificates via the management panel to enable secure access to it.

• Improved Acronis Backup Gateway monitoring. It is now possible to monitor Acronis Backup Gateway traffic as well as replication and migration backlog and speed.

• Other improvements: Better stability on large clusters (more than 500 nodes or 10PB of data); Reduced WebCP backend resource consumption; Improved WebCP user experience: WebCP localization support (English and Russian); Ability to forcibly delete the Acronis Backup Gateway cluster without unregistering it from Acronis Backup Cloud; Better overall stability and higher object storage performance.

2.236.3 3. Installing the Update

You can update Virtuozzo Storage by running ‘yum clean all && yum update -y’ on each node. After the entire cluster is updated, you will need to reboot cluster nodes one at a time. During the reboot, the storage service might be unavailable on cluster configurations without services or data redundancy.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-112.json.

2.237 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-111

2.237.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).

2.237.2 2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

• [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

• [Moderate] A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS. (CVE-2017-1000407)

2.237.3 3. Bug Fixes

• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

• FUSE: improve performance of splice() operation in case of heavily fragmented memory. (PSBM-77949)

• When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result. (PSBM-78354)

2.237.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.237.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

• https://access.redhat.com/security/cve/CVE-2017-1000405

• https://access.redhat.com/security/cve/CVE-2017-1000407

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-111.json.

2.238 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.5

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-110

2.238.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.238.2 2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

• [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

• [Moderate] A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS. (CVE-2017-1000407)

2.238.3 3. Bug Fixes

• memcgroup: potential deadlocks and soft lockups. (PSBM-76011)

• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

• When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result. (PSBM-78354)

2.238.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.238.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-39.1-2.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

• https://access.redhat.com/security/cve/CVE-2017-1000405

• https://access.redhat.com/security/cve/CVE-2017-1000407

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-110.json.

2.239 Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.2 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-109

2.239.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.239.2 2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

• [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

2.239.3 3. Bug Fixes

• memcgroup: potential deadlocks and soft lockups. (PSBM-76011)

• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

2.239.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.239.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-39.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-39.2-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8824

• https://access.redhat.com/security/cve/CVE-2017-16939

• https://access.redhat.com/security/cve/CVE-2017-1000405

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-109.json.

2.240 Product update: Virtuozzo 7.0 Update 6 Hotfix 1 (7.0.6-678)

Issue date: 2017-12-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-108

2.240.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0 Update 6 provides stability and usability bugfixes.

2.240.2 2. Bug Fixes

• Migration of a VM with two HDDs from Virtuozzo 6 to 7 could fail due to a libvirt conversion failure. (PSBM-72443)

• vstorage-mount could crash under certain conditions due to file metadata corruption. (PSBM-77096)

• High CPU usage on host due to dispatcher collecting statistics. (PSBM-77117)

• Host could hang due to a libvirt deadlock. (PSBM-77403)

• The command ‘prlctl set --template ‘ could result in libvirt errors. (PSBM-78019)

• Unable to add an external disk to a VM by disk’s /dev/mapper name after installing Update 6. (PSBM-78162)

• Installing Update 6 could result in PFCACHE_IMAGE being reset to the default ‘/vz/pfcache.hdd’. (PSBM-78411)

2.240.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-108.json.

2.241 Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1, Virtuozzo 6.0 Update 12 Hotfix 18 (6.0.12-3688)

Issue date: 2017-11-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-107

2.241.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab126.1 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel inherits several non-security bugfixes from the RHEL kernel (as we have already fixed the security ones) and introduces new security and stability fixes.

2.241.2 2. Security Fixes

• [Moderate] A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation. (CVE-2017-15265)

2.241.3 3. Bug Fixes

• Hidden a warning observed during read of ‘/proc/vz/fairsched/*/cpu.proc.stat’ due to the incorrectly calculated ‘iowait’ parameter. (PSBM-56083)

• Container network interfaces (both venet and veth) did not show all dropped packets in the interface statistics. (PSBM-75049)

• Under certain conditions, the node could crash during restore of a container with an active NFS mount. (PSBM-76898)

2.241.4 4. Installing the Update

Install the update by running ‘yum update’.

2.241.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-15265

• https://access.redhat.com/errata/RHSA-2017:2863

• https://access.redhat.com/errata/RHSA-2017:3200

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-107.json.

2.242 Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-11-20

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-106

2.242.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab126.1 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel inherits several non-security bugfixes from the RHEL kernel (as we have already fixed the security ones) and introduces new security and stability fixes.

2.242.2 2. Security Fixes

• [Moderate] A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation. (CVE-2017-15265)

2.242.3 3. Bug Fixes

• Hidden a warning observed during read of ‘/proc/vz/fairsched/*/cpu.proc.stat’ due to the incorrectly calculated ‘iowait’ parameter. (PSBM-56083)

• Container network interfaces (both venet and veth) did not show all dropped packets in the interface statistics. (PSBM-75049)

• Under certain conditions, the node could crash during restore of a container with an active NFS mount. (PSBM-76898)

2.242.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.242.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-15265

• https://access.redhat.com/errata/RHSA-2017:2863

• https://access.redhat.com/errata/RHSA-2017:3200

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-106.json.

2.243 Kernel update: Virtuozzo ReadyKernel patch 38.0 for Virtuozzo 7.0.3, 7.0.4, 7.0.4 HF3, and 7.0.5

Issue date: 2017-11-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-105

2.243.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a stability fix. The patch applies to Virtuozzo kernels 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.243.2 2. Bug Fixes

• Isolated pages were accounted for incorrectly in memcg_numa_isolate_pages() in certain cases. As a result, some processes could hang forever. (PSBM-76970)

2.243.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.243.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-38.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-38.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-38.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-38.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-105.json.

2.244 Product update: Virtuozzo 7.0 Update 6 (7.0.6-635)

Issue date: 2017-11-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-103

2.244.1 1. Overview

The Update 6 for Virtuozzo 7.0 provides new features, security fixes as well as stability and usability bug fixes.

2.244.2 2. Security Fixes

• [Low] Downloadable ISO images of Virtuozzo as well as their MD5 and SHA256 checksums can now be verified against the GPG key stored at a secure location. For more details, see https://docs.virtuozzo.com/keys/. (PSBM-69459)

2.244.3 3. New Features

• Simpler high availability (HA) cluster setup. The ‘hastart’ script is introduced that automates operations required to set up a HA cluster. (PSBM-60692)

• Virtual environments residing on Virtuozzo Storage now keep their home paths after migration by default. (PSBM-67853)

• abrt is now configured to automatically send crash notifications to Virtuozzo (for more information, see https://help.virtuozzo.com/customer/portal/articles/2894186). (PSBM-67969)

• Improved host ownership identification for containers. The ‘SERVER_UUID’ parameter is added to ‘/etc/vz/vz.conf’. This unique server identifier is randomly generated and set when the ‘vz’ service starts. It is used to identify host ownership of containers on shared storage and provide access to their disks. This parameter is now required for creating HA clusters. (PSBM-69099)

• Support for passing through block devices to containers. (PSBM-71385)

• The ‘ntp’ package is installed by default. NOTE: In Virtuozzo 7, time synchronization via NTP is enabled by default using the ‘chronyd’ service. If you want to use ‘ntpdate’ or ‘ntpd’, stop and disable ‘chronyd’ first. (PSBM-72304)

• Rebase to the RHEL7.4 kernel 3.10.0-693.1.1.el7. RHEL7.4 is a major update bringing a number of features, bug fixes, and support for new hardware. (PSBM-69674)

• E-mail notifications configured in the Virtuozzo Storage management panel. It is now possible to receive e-mails about cluster alerts, including license expiration, node/disk failure, and such.

• Quality of service for iSCSI in Virtuozzo Storage. It is now possible to set limits on IOPS and network bandwidth per iSCSI target.

• S3 geo-replication in Virtuozzo Storage. Virtuozzo Storage can now store and keep up-to-date replicas of data in multiple geographically distributed datacenters with S3 clusters based on Virtuozzo Storage. Geo-replication works in the Active-Active mode.

• Custom SSL certificates for the Virtuozzo Storage management panel. Users can now install custom SSL certificates via the management panel to enable secure access to it.

2.244.4 4. Bug Fixes

• Without guest tools, VM could fail to start immediately after being stopped. (PSBM-58438)

• Attempting to compact a disk of a running VM will now result in an error message and the disk itself will remain healthy. (PSBM-59958)

• Could not install guest tools on Ubuntu 14.04.5 with kernel 4.4.x. (PSBM-62068)

• sysinfo() could return 0 for uptime if called from a Virtuozzo 7 container. (PSBM-62094)

• It is now impossible to try to use the same IP address for the management panels of both Virtuozzo Automator and Virtuozzo Storage. (PSBM-65770)

• Container restore could fail due to insufficient memory. (PSBM-67194)

• Some Virtuozzo 6 containers with ‘kmemsize’ limit could experience performance issues on reaching said limit. (PSBM-69226)

• VM disks could become misconfigured after migration, making the VM itself unbootable. (PSBM-69333)

• Nested CPU groups did not inherit container CPU limit. (PSBM-69678)

• An “invalid ctid” error could accidentally show up in logs while creating a container in Virtuozzo Automator or command line. (PSBM-69807)

• The number of mounts in a container was counted incorrectly. (PSBM-69880)

• SDK calls for setting CPU limit in MHz did not work. (PSBM-70011)

• Node and containers on it could become unresponsive due to memory allocation issues. (PSBM-70540)

• Container could hang in the “zombie” state due to CRIU being stuck while getting memory pages for one of container’s processes. (PSBM-70832)

• After starting VNC in a container, the first attempt to connect to container’s VNC console via websocket could fail. (PSBM-72293)

• VM with Virtuozzo 7 as a guest could hang due to enabled paravirt locks. (PSBM-72313)

• Incomplete instructions for detaching backups. (PSBM-72537)

• The ‘--skip-dump’ option was renamed to ‘--skip_dump’ in Virtuozzo 7. (PSBM-72748)

• vzpkg was unable to access repositories via HTTPS. (PSBM-73171)

• Node could become overcommitted due to PDRS not taking into account some of the used RAM. (PSBM-73680)

• Unable to migrate VMs with passthrough iSCSI disks. (PSBM-75103)

• Virtuozzo 7 nodes could not boot if more than 3 software RAIDs were created during installation. (PSBM-75522)

• Node could become unresponsive due to memory reclaim issues. (PSBM-70556, PSBM-75563)

• Remote backup of a VM with a large virtual disk but much less actual data could take too long due to incorrect handling of zeroes by qemu-nbd. (PSBM-75655)

• Could not enable/disable quotas for running containers. (PSBM-75676)

• Daily backups of Virtuozzo Storage management panel were not created due to a typo in crontab. (PSBM-75702, VSTOR-4946, VSTOR-4997)

• Copying a virtual environment with a large disk (over 2GB) could result in kernel lockup. (PSBM-76102)

• vzlicmonitor could log “license limit exceeded” messages for unlimited licenses. (PSBM-76143)

• Unable to use virtual networks with whitespaces in the name. (PSBM-76536)

• Unable to manually create LVM partitions while installing Virtuozzo 7 due to memory-related issues in anaconda. (PSBM-76752)

• VNC could stop working after VM live migration. (PSBM-76753)

• Other fixes. (PSBM-56275, PSBM-72109, PSBM-72350, PSBM-75112, PSBM-75515, PSBM-75639)

2.244.5 5. Installing the Update

Install the update by running ‘yum update’. IMPORTANT: Update of Virtuozzo Storage management panel from v2.2 to v2.3 must be performed from the console inside the container ‘vstorage-ui’ as follows: ‘yum clean all && yum update -y’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-103.json.

2.245 Kernel security update: CVE-2017-12193; Virtuozzo ReadyKernel patch 37.1 for Virtuozzo 7.0.5

Issue date: 2017-11-10

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-102

2.245.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.245.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting. (CVE-2017-12193)

2.245.3 3. Bug Fixes

• sysinfo() returns 0 for uptime if called from a VZ7 container. (PSBM-62094)

• Kernel crash (NULL pointer dereference) in fuse_dev_alloc(). (PSBM-75073)

• Each resize issues invalidate_inode_pages2(), which triggers ultra slow synchronous writeback of all dirty pages. (PSBM-76437)

2.245.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.245.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-37.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-12193

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-102.json.

2.246 Kernel security update: CVE-2017-12193; Virtuozzo ReadyKernel patch 37.1 for Virtuozzo 7.0.0, 7.0.1, 7.0.3, 7.0.4, and 7.0.4 HF3

Issue date: 2017-11-10

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-101

2.246.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.37.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.37.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.246.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of associative arrays in the Linux kernel. A null pointer dereference could happen in assoc_array_apply_edit() due to incorrect node splitting. (CVE-2017-12193)

2.246.3 3. Bug Fixes

• sysinfo() returns 0 for uptime if called from a VZ7 container. (PSBM-62094)

• Each resize issues invalidate_inode_pages2(), which triggers ultra slow synchronous writeback of all dirty pages. (PSBM-76437)

2.246.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.246.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-37.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-37.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-37.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-37.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-37.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-12193

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-101.json.

2.247 Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.4, 7.0.4 HF3, and 7.0.5

Issue date: 2017-10-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-100

2.247.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.247.2 2. Security Fixes

• [Important] It was found that fanout_add() in ‘net/packet/af_packet.c’ in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug. (CVE-2017-15649)

2.247.3 3. Bug Fixes

• Hung processes when trying to stop a container created on a storage partition. (PSBM-70021)

2.247.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.247.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-36.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-36.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-36.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-15649

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-100.json.

2.248 Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-10-30

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-099

2.248.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.248.2 2. Security Fixes

• [Important] It was found that fanout_add() in ‘net/packet/af_packet.c’ in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug. (CVE-2017-15649)

2.248.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.248.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-36.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-36.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-36.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-15649

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-099.json.

2.249 Important kernel security update: CVE-2017-12188 and other; Virtuozzo ReadyKernel patch 35.2 for Virtuozzo 7.0.4, 7.0.4 HF3, and 7.0.5

Issue date: 2017-10-23

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-098

2.249.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.249.2 2. Security Fixes

• [Important] Linux kernel built with the KVM virtualisation support (CONFIG_KVM), with nested virtualisation (nVMX) feature enabled (nested=1), is vulnerable to a stack buffer overflow issue. It could occur while traversing guest pagetable entries to resolve guest virtual address. A guest system could use this flaw to crash the host kernel resulting in DoS, or potentially execute arbitrary code on the host. (CVE-2017-12188)

• [Moderate] A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399)

• [Moderate] It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in ‘block/bio.c’ do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190)

2.249.3 3. Bug Fixes

• It was discovered that the value of task->pids[type].pid was actually read twice in __task_pid_nr_ns() rather than only once, due to compiler optimizations. As a result, a race condition could happen and that value could become NULL between these reads, leading to a kernel crash (NULL pointer dereference). (PSBM-75247)

• It was discovered that a specially crafted sequence of system calls could cause a kernel crash (general protection fault) in rt6_ifdown(). (PSBM-75641)

2.249.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.249.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-35.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-35.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-35.2-1.vl7/

• https://access.redhat.com/security/cve/CVE-2016-8399

• https://access.redhat.com/security/cve/CVE-2017-12188

• https://access.redhat.com/security/cve/CVE-2017-12190

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-098.json.

2.250 Kernel security update: CVE-2016-8399 and other; Virtuozzo ReadyKernel patch 35.2 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-10-23

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-097

2.250.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.250.2 2. Security Fixes

• [Moderate] A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399)

• [Moderate] It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in ‘block/bio.c’ do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190)

2.250.3 3. Bug Fixes

• It was discovered that the value of task->pids[type].pid was actually read twice in __task_pid_nr_ns() rather than only once, due to compiler optimizations. As a result, a race condition could happen and that value could become NULL between these reads, leading to a kernel crash (NULL pointer dereference). (PSBM-75247)

• It was discovered that a specially crafted sequence of system calls could cause a kernel crash (general protection fault) in rt6_ifdown(). (PSBM-75641)
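
The double read described in PSBM-75247 above, modelled in user space as an added example (not Virtuozzo or kernel code). The struct names, the load_pid() hook, and the clear_after trigger are constructed for illustration; taking a single snapshot of the pointer is one common way to avoid this class of bug and is an assumption here, not a description of the actual patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins for the kernel objects named in the
 * advisory (task->pids[type].pid). Not kernel code. */
struct pid_model { int nr; };

struct pid_link_model {
    struct pid_model *pid;  /* slot a concurrent detach may set to NULL */
    int loads;              /* constructed: reads performed so far */
    int clear_after;        /* constructed: slot is cleared after this many
                             * reads; 0 means no concurrent writer */
};

enum { WOULD_OOPS = -1 };   /* marks the point where the kernel would crash */

/* Every read of the slot goes through here so the "other CPU" can be
 * scheduled deterministically between two reads. The volatile access makes
 * each call exactly one load from memory. */
static struct pid_model *load_pid(struct pid_link_model *link)
{
    struct pid_model *p = *(struct pid_model *volatile *)&link->pid;

    if (++link->loads == link->clear_after)
        link->pid = NULL;   /* simulated concurrent detach */
    return p;
}

/* What the optimized code effectively did: one read for the NULL check,
 * a second read for the dereference. */
static int pid_nr_double_fetch(struct pid_link_model *link)
{
    struct pid_model *p;

    if (load_pid(link) == NULL)
        return 0;
    p = load_pid(link);             /* second fetch of the same slot */
    if (p == NULL)
        return WOULD_OOPS;          /* kernel: NULL pointer dereference */
    return p->nr;
}

/* Single snapshot: the NULL check and the use share one local copy, so a
 * later change to the slot cannot invalidate the check. The model keeps the
 * pointed-to object alive; object lifetime is a separate concern. */
static int pid_nr_single_fetch(struct pid_link_model *link)
{
    struct pid_model *p = load_pid(link);

    return p ? p->nr : 0;
}

/* Runs one variant against a slot that initially holds pid number 42. */
static int run_case(int double_fetch, int clear_after)
{
    struct pid_model pid = { 42 };
    struct pid_link_model link = { &pid, 0, clear_after };

    return double_fetch ? pid_nr_double_fetch(&link)
                        : pid_nr_single_fetch(&link);
}

int main(void)
{
    printf("double fetch, no race:   %d\n", run_case(1, 0));
    printf("double fetch, with race: %d\n", run_case(1, 1));
    printf("single fetch, with race: %d\n", run_case(0, 1));
    return 0;
}
```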

2.250.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.250.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-35.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-35.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-35.2-1.vl7/

• https://access.redhat.com/security/cve/CVE-2016-8399

• https://access.redhat.com/security/cve/CVE-2017-12190

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-097.json.

2.251 Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5, Virtuozzo 6.0 Update 12 Hotfix 17 (6.0.12-3687)

Issue date: 2017-10-23

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-096

2.251.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab125.5 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces security and stability fixes.

2.251.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of associative arrays where the add_key system call and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameter's value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274)

2.251.3 3. Bug Fixes

• Improved the hash function for IPv6 neighbours to increase system responsiveness under IPv6 flooding attacks. (PSBM-73496)

• Stopping NFS server inside a container could cause the host to crash. (PSBM-74832)

2.251.4 4. Installing the Update

Install the update by running ‘yum update’.

2.251.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-15274

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-096.json.

2.252 Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-10-23

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-095

2.252.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 kernel 2.6.32-042stab125.5 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces security and stability fixes.

2.252.2 2. Security Fixes

• [Moderate] A flaw was found in the implementation of associative arrays where the add_key system call and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameter's value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274)

2.252.3 3. Bug Fixes

• Improved the hash function for IPv6 neighbours to increase system responsiveness under IPv6 flooding attacks. (PSBM-73496)

• Stopping NFS server inside a container could cause the host to crash. (PSBM-74832)

2.252.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.252.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-15274

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-095.json.

2.253 Kernel security update: CVE-2017-15274; Virtuozzo ReadyKernel patch 34.0 for Virtuozzo 7.0.x

Issue date: 2017-10-16

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-094

2.253.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.253.2 2. Security Fixes

• [Moderate] A flaw was discovered in the key management subsystem of the Linux kernel. It allowed a NULL payload with a non-zero payload length to be passed as parameters to sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl(). A local unprivileged user could exploit this to cause a kernel crash (NULL pointer dereference). (CVE-2017-15274)

2.253.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.253.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-34.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-34.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-34.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-34.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-34.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-34.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-15274

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-094.json.

2.254 Product update: Virtuozzo 7.0 Update 5 Hotfix 4 (7.0.5-656)

Issue date: 2017-10-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-092

2.254.1 1. Overview

The Hotfix 4 for Virtuozzo 7.0 Update 5 provides stability bug fixes.

2.254.2 2. Bug Fixes

• Actual grace period was shorter than the declared 259200 seconds. (PSBM-70646)

• Increased yum lock timeout in vz-qemu-engine-updater to provide for future major updates. (PSBM-73164)

• A ‘yes/no’ confirmation request prevented licenses from being transferred by means of XML API in Virtuozzo Automator. (PSBM-73240)

• DRS did not take into account license limitations when relocating virtual environments between nodes. This could cause nodes to exceed their licence limits and result in some of the virtual environments on such nodes being stopped. (PSBM-73365)

2.254.3 3. Installing the Update

If you have Virtuozzo PowerPanel installed, obtain the update as follows: first run ‘yum update vzlinux-release && yum clean all’, then run ‘yum update’. Otherwise install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-092.json.

2.255 Kernel security update: Virtuozzo ReadyKernel patch 33.1 for Virtuozzo 7.0.x

Issue date: 2017-10-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-091

2.255.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.255.2 2. Security Fixes

• [Moderate] It was discovered that the key management subsystem of the Linux kernel could perform incorrect update operations on uninstantiated keys. A local unprivileged user could exploit this flaw to cause a NULL pointer dereference in the kernel and crash it. (PSBM-73342)

2.255.3 3. Bug Fixes

• autofs: unbalanced pid get/put operation in the error path in autofs4_fill_super(). (PSBM-71536)

2.255.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.255.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-33.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-33.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-33.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-33.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-33.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-33.1-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-091.json.

2.256 Important kernel security update: CVE-2017-1000253; new kernel 2.6.32-042stab125.3, Virtuozzo 6.0 Update 12 Hotfix 16 (6.0.12-3686)

Issue date: 2017-09-29

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-090

2.256.1 1. Overview

This update provides the new kernel 2.6.32-042stab125.3 for Virtuozzo 6.0 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces a security fix.

2.256.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253)

2.256.3 3. Installing the Update

Install the update by running ‘yum update’.

2.256.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000253

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-090.json.

2.257 Important kernel security update: CVE-2017-1000253; new kernel 2.6.32-042stab125.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-09-29

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-089

2.257.1 1. Overview

This update provides the new kernel 2.6.32-042stab125.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces a security fix.

2.257.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253)

2.257.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.257.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000253

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-089.json.

2.258 Important kernel security update: CVE-2017-1000253; new kernel 2.6.18-028stab122.4 for Virtuozzo Containers for Linux 4.6

Issue date: 2017-09-29

Applies to: Virtuozzo Containers for Linux 4.6

Virtuozzo Advisory ID: VZA-2017-088

2.258.1 1. Overview

This update provides the new kernel 2.6.18-028stab122.4 for Virtuozzo Containers for Linux 4.6 based on the Red Hat Enterprise Linux 5 kernel 2.6.18-419.el5. The new kernel introduces a security fix.

2.258.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253)

2.258.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.258.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000253

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-088.json.

2.259 Product update: Virtuozzo 7.0 Update 5 Hotfix 3 (7.0.5-646)

Issue date: 2017-09-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-087

2.259.1 1. Overview

The Hotfix 3 for Virtuozzo 7.0 Update 5 provides security and stability bugfixes.

2.259.2 2. Security Fixes

• [Low] QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. (CVE-2017-13672, PSBM-72398)

2.259.3 3. New Features

• Online compacting can now be enabled manually. Online compacting of virtual machines on Virtuozzo Storage in the replication mode allows reclaiming disk space no longer occupied by data by means of the FALLOC_FL_PUNCH_HOLE flag. To enable online compacting, update all chunk servers on all nodes, restart the affected nodes, and run the ‘vstorage set-config “gen.do_punch_hole=1”’ command. For more information, see the Virtuozzo Storage Administrator’s Command Line Guide.

2.259.4 4. Bug Fixes

• On PACI with Virtuozzo Storage, migrating a container by cloning it to a specified directory on a remote host would place the clone in a directory named after original container’s UUID instead of the specified path. (PSBM-72419)

2.259.5 5. Installing the Update

Install the update by running ‘yum update’.

2.259.6 6. References

• https://access.redhat.com/security/cve/CVE-2017-13672

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-087.json.

2.260 Important kernel security update: CVE-2017-1000253; Virtuozzo ReadyKernel patch 32.1 for Virtuozzo 7.0.x

Issue date: 2017-09-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-086

2.260.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.260.2 2. Security Fixes

• [Important] A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application’s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. (CVE-2017-1000253)

• [Important] A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-1000251)

• [Important] The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the ‘CR8-load exiting’ and ‘CR8-store exiting’ L0 vmcs02 controls exist in cases where L1 omits the ‘use TPR shadow’ vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. (CVE-2017-12154)

2.260.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.260.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-32.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-32.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-32.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-32.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-32.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-32.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-1000251

• https://access.redhat.com/security/cve/CVE-2017-1000253

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-086.json.

2.261 Important kernel security update: CVE-2017-1000251 and other; new kernel 2.6.32-042stab125.1, Virtuozzo 6.0 Update 12 Hotfix 15 (6.0.12-3684)

Issue date: 2017-09-26

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-085

2.261.1 1. Overview

This update provides the new kernel 2.6.32-042stab125.1 for Virtuozzo 6.0 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. This update inherits a security fix from the original RHEL kernel and provides internal security fixes.

2.261.2 2. Security Fixes

• [Important] Kernel crash due to missing error handling for negatively instantiated keys. (PSBM-72416)

• [Important] A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-1000251)

• [Moderate] The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. (CVE-2017-14489)

2.261.3 3. Installing the Update

Install the update by running ‘yum update’.

2.261.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-14489

• https://access.redhat.com/security/cve/CVE-2017-1000251

• https://rhn.redhat.com/errata/RHSA-2017-2681.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-085.json.

2.262 Important kernel security update: CVE-2017-1000251 and other; new kernel 2.6.32-042stab125.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-09-26

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-084

2.262.1 1. Overview

This update provides the new kernel 2.6.32-042stab125.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. This update inherits a security fix from the original RHEL kernel and provides internal security fixes.

2.262.2 2. Security Fixes

• [Important] Kernel crash due to missing error handling for negatively instantiated keys. (PSBM-72416)

• [Important] A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-1000251)

• [Moderate] The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. (CVE-2017-14489)

2.262.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.262.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-14489

• https://access.redhat.com/security/cve/CVE-2017-1000251

• https://rhn.redhat.com/errata/RHSA-2017-2681.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-084.json.

2.263 Important kernel security update: CVE-2017-14489 and other; Virtuozzo ReadyKernel patch 31.1 for Virtuozzo 7.0.1, 7.0.3, 7.0.4, 7.0.4 HF3, 7.0.5

Issue date: 2017-09-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-083

2.263.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.263.2 2. Security Fixes

• [Important] ChunYu Wang from Red Hat found a netlink use-after-free issue by syzkaller. Access to already freed memory (groups in struct netlink_sock) could cause host crash or memory corruption. (PSBM-71747)

• [Important] An unprivileged user inside a container could cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls. (PSBM-72405)

• [Moderate] The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. (CVE-2017-14489)

2.263.3 3. Installing the Update

Install the update by running ‘yum update’.

2.263.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-31.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-31.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-31.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-31.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-31.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-14489

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-083.json.

2.264 Important kernel security update: CVE-2017-14489 and other; Virtuozzo ReadyKernel patch 31.1 for Virtuozzo 7.0.0

Issue date: 2017-09-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-082

2.264.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernel 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0).

2.264.2 2. Security Fixes

• [Important] An unprivileged user inside a container could cause a denial of service (kernel crash in user_read() function) using a specially crafted sequence of system calls. (PSBM-72405)

• [Moderate] The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation. (CVE-2017-14489)

2.264.3 3. Installing the Update

Install the update by running ‘yum update’.

2.264.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-31.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-14489

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-082.json.

2.265 Product update: Virtuozzo 7.0 Update 5 Hotfix 2 (7.0.5-642)

Issue date: 2017-09-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-080

2.265.1 1. Overview

The Hotfix 2 for Virtuozzo 7.0 Update 5 provides stability and usability bugfixes.

2.265.2 2. Bug Fixes

• Unable to connect network adapter to a running VM. (PSBM-70653)

• Ghost file limit was ignored when migrating containers. (PSBM-70557)

• ploop_trim() could enter an infinite loop with a device with discard granularity larger than 1MB. (PSBM-70551)

• The ‘yast2-sles11’ package was missing from the public repository. (PSBM-69930)

• Virtuozzo guest tools could not create route entries in Debian 9 VMs, because the required net-tools were deprecated in that OS. (PSBM-69266)

2.265.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-080.json.

2.266 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.5

Issue date: 2017-09-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-079

2.266.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.266.2 2. Security Fixes

• [Moderate] A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The leak happens when these functions fill in the sockaddr data structures used to export a socket’s diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. (CVE-2017-7558)

• [Moderate] The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. (CVE-2017-9242)

• [Moderate] A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. (CVE-2017-14106)

2.266.3 3. Bug Fixes

• It was discovered that the block layer of the kernel did not properly check for gaps in the IO requests being merged. In some cases, the resulting request could be incorrect, leading to kernel crashes. (PSBM-70321)

• It was found that an infinite loop could occur in mem_cgroup_reparent_charges() in certain conditions. The problem could happen when cgroups were being destroyed and that function was called under cgroup_mutex. The mutex could remain locked forever as a result, blocking many other processes waiting on it, which would make the system nearly unusable. (PSBM-70556)

2.266.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.266.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-30.3-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7558

• https://access.redhat.com/security/cve/CVE-2017-9242

• https://access.redhat.com/security/cve/CVE-2017-14106

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-079.json.

2.267 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-09-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-078

2.267.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.267.2 2. Security Fixes

• [Moderate] A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The leak happens when these functions fill in the sockaddr data structures used to export a socket’s diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace. (CVE-2017-7558)

• [Moderate] The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. (CVE-2017-9242)

• [Moderate] A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. (CVE-2017-14106)

2.267.3 3. Bug Fixes

• If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable, preventing the container from stopping. (PSBM-70151)

• It was discovered that the block layer of the kernel did not properly check for gaps in the IO requests being merged. In some cases, the resulting request could be incorrect, leading to kernel crashes. (PSBM-70321)

2.267.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.267.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-30.3-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-30.3-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7558

• https://access.redhat.com/security/cve/CVE-2017-9242

• https://access.redhat.com/security/cve/CVE-2017-14106

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-078.json.

2.268 Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-09-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-077

2.268.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.268.2 2. Security Fixes

• [Moderate] The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. (CVE-2017-9242)

• [Moderate] A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. (CVE-2017-14106)

2.268.3 3. Bug Fixes

• If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable, preventing the container from stopping. (PSBM-70151)

2.268.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.268.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-30.3-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-30.3-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-30.3-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9242

• https://access.redhat.com/security/cve/CVE-2017-14106

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-077.json.

2.269 Important kernel security update: CVE-2017-7542 and other; new kernel 2.6.32-042stab124.2, Virtuozzo 6.0 Update 12 Hotfix 14 (6.0.12-3683)

Issue date: 2017-09-04

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-076

2.269.1 1. Overview

This update provides a new kernel 2.6.32-042stab124.2 for Virtuozzo 6.0 and is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.1.el6. It inherits fixes from the original RHEL kernel and provides internal security and stability fixes.

2.269.2 2. Security Fixes

• [Important] An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker that has privileges (of CAP_NET_RAW) to open a raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

• [Important] Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. (CVE-2017-10661)

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

• [Moderate] Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7541)

• [Moderate] The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free), which may lead to memory corruption or other unspecified impact. (CVE-2017-11176)

• [Moderate] The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. (CVE-2017-14106)

2.269.3 3. Bug Fixes

• Stopping a container with NFS server inside could crash the host with BUG at kernel/bc/dcache.c:370. (PSBM-34802, PSBM-43499, PSBM-68560, OVZ-5610)

• Under certain circumstances, a container could crash the host after the skb_under_panic error message. (OVZ-6908)

• cpt: support for inotify watches on Unix sockets. (OVZ-6918)

• Ploop improvements ()

2.269.4 4. Installing the Update

Install the update by running ‘yum update’.

2.269.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7541.html

• https://www.redhat.com/security/data/cve/CVE-2017-7542.html

• https://www.redhat.com/security/data/cve/CVE-2017-10661.html

• https://www.redhat.com/security/data/cve/CVE-2017-11176.html

• https://www.redhat.com/security/data/cve/CVE-2017-14106.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000111.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000112.html

• https://rhn.redhat.com/errata/RHSA-2017-0892.html

• https://rhn.redhat.com/errata/RHSA-2017-1372.html

• https://rhn.redhat.com/errata/RHSA-2017-1486.html

• https://rhn.redhat.com/errata/RHSA-2017-1723.html

• https://rhn.redhat.com/errata/RHBA-2017-2504.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-076.json.

2.270 Important kernel security update: CVE-2017-7542 and other; new kernel 2.6.32-042stab124.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-09-04

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-075

2.270.1 1. Overview

This update provides a new kernel 2.6.32-042stab124.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0 and is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.1.el6. It inherits fixes from the original RHEL kernel and provides internal security and stability fixes.

2.270.2 2. Security Fixes

• [Important] An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker that has privileges (of CAP_NET_RAW) to open a raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

• [Important] Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. (CVE-2017-10661)

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

• [Moderate] Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-7541)

• [Moderate] The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free), which may lead to memory corruption or other unspecified impact. (CVE-2017-11176)

• [Moderate] The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. (CVE-2017-14106)

2.270.3 3. Bug Fixes

• Stopping a container with NFS server inside could crash the host with BUG at kernel/bc/dcache.c:370. (PSBM-34802, PSBM-43499, PSBM-68560, OVZ-5610)

• Under certain circumstances, a container could crash the host after the skb_under_panic error message. (OVZ-6908)

• cpt: support for inotify watches on Unix sockets. (OVZ-6918)

• Ploop improvements ()

2.270.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.270.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7541.html

• https://www.redhat.com/security/data/cve/CVE-2017-7542.html

• https://www.redhat.com/security/data/cve/CVE-2017-10661.html

• https://www.redhat.com/security/data/cve/CVE-2017-11176.html

• https://www.redhat.com/security/data/cve/CVE-2017-14106.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000111.html

• https://www.redhat.com/security/data/cve/CVE-2017-1000112.html

• https://rhn.redhat.com/errata/RHSA-2017-0892.html

• https://rhn.redhat.com/errata/RHSA-2017-1372.html

• https://rhn.redhat.com/errata/RHSA-2017-1486.html

• https://rhn.redhat.com/errata/RHSA-2017-1723.html

• https://rhn.redhat.com/errata/RHBA-2017-2504.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-075.json.

2.271 Product update: Virtuozzo 7.0 Update 5 Hotfix 1 (7.0.5-631)

Issue date: 2017-08-24

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-074

2.271.1 1. Overview

The Hotfix 1 for Virtuozzo 7.0 Update 5 provides a new feature as well as stability and usability bugfixes.

2.271.2 2. New Features

• Support for Debian 9 in virtual machines and containers.

2.271.3 3. Bug Fixes

• Copying small service files stored on MDS could result in cluster unmount. (PSBM-70449)

• VNC console in PowerPanel did not work for VMs running on Virtuozzo 7.0.5 on any port except 6557 and only for one VM per node at a time. (PSBM-69911)

• Could not set quotaugidlimit for a running container. (PSBM-69802)

• Upgrade of entire cluster using Virtuozzo Automator could cause one or more hardware nodes to reboot. (PSBM-69634)

• Unable to migrate container using live migration due to insufficient RAM on destination host. (PSBM-69473)

• Impossible to assign real HDDs to VMs using mpath names (/dev/mapper/mpath*). (PSBM-67069)

• Obsolete recommendation in User’s Guide to use ext3 and ext2 in guests. (PSBM-62617)

2.271.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-074.json.

2.272 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.1 for Virtuozzo 7.0.5

Issue date: 2017-08-18

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-073

2.272.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.272.2 2. Security Fixes

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

2.272.3 3. Bug Fixes

• If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable, preventing the container from stopping. (PSBM-70151)

• Ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices. (PSBM-70063)

• It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which could lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing. (PSBM-69999)

• It was found that wrong memory pages were invalidated in tcache in certain situations. That caused kernel crashes (‘bad page state’) in free_pages_prepare(). (PSBM-69852)

2.272.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.272.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-29.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-1000111

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-073.json.

2.273 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-08-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-072

2.273.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.273.2 2. Security Fixes

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

2.273.3 3. Bug Fixes

• Ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices. (PSBM-70063)

• It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which could lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing. (PSBM-69999)

2.273.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.273.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-29.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-29.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-1000111

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-072.json.

2.274 Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-08-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-071

2.274.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.274.2 2. Security Fixes

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

2.274.3 3. Bug Fixes

• Ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices. (PSBM-70063)

2.274.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.274.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-29.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-29.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-29.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-1000111

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-071.json.

2.275 Kernel security update: CVE-2017-7533; Virtuozzo ReadyKernel patch 28.0 for Virtuozzo 7.0.x

Issue date: 2017-08-10

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-070

2.275.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.275.2 2. Security Fixes

• [Important] A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab’s free list pointer can be corrupted with attacker-controlled data. (CVE-2017-7533)

2.275.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.275.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-28.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-28.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-28.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-28.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-28.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-28.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7533

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-070.json.

2.276 Kernel security update: CVE-2017-7542 and other; Virtuozzo ReadyKernel patch 27.0 for Virtuozzo 7.0.5

Issue date: 2017-08-04

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-069

2.276.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2.276.2 2. Security Fixes

• [Moderate] An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker that has privileges to open raw sockets can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

• [Moderate] Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. (CVE-2017-7541)

2.276.3 3. Bug Fixes

• Kernel crash in rpc_abort_task() in certain conditions. (PSBM-69434)

2.276.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.276.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-27.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7542

• https://access.redhat.com/security/cve/CVE-2017-7541

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-069.json.

2.277 Kernel security update: CVE-2017-11600 and other; Virtuozzo ReadyKernel patch 27.0 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-08-04

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-068

2.277.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.277.2 2. Security Fixes

• [Moderate] A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. (CVE-2017-11600)

• [Moderate] An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker with privileges to open raw sockets can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

• [Moderate] Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. (CVE-2017-7541)

2.277.3 3. Bug Fixes

• Division by zero in dcache_is_low(). (PSBM-69018)

• It was discovered that lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect values on ext4 filesystem in some cases, causing corruption of QCOW2 disk images used by VMs. (PSBM-68292)

• venet: netdevice structures were not always freed (memory leak). (PSBM-65033)

2.277.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.277.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-27.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-27.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-11600

• https://access.redhat.com/security/cve/CVE-2017-7542

• https://access.redhat.com/security/cve/CVE-2017-7541

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-068.json.

2.278 Kernel security update: CVE-2017-11600 and other; Virtuozzo ReadyKernel patch 27.2 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-08-04

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-067

2.278.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.278.2 2. Security Fixes

• [Moderate] A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. (CVE-2017-11600)

• [Moderate] An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker with privileges to open raw sockets can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542)

• [Moderate] Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. (CVE-2017-7541)

2.278.3 3. Bug Fixes

• Division by zero in dcache_is_low(). (PSBM-69018)

• It was discovered that lseek(SEEK_DATA) and lseek(SEEK_HOLE) returned incorrect values on ext4 filesystem in some cases, causing corruption of QCOW2 disk images used by VMs. (PSBM-68292)

2.278.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.278.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-27.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-27.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-27.2-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-11600

• https://access.redhat.com/security/cve/CVE-2017-7542

• https://access.redhat.com/security/cve/CVE-2017-7541

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-067.json.

2.279 Product update: Virtuozzo 7.0 Update 5 (7.0.5-593)

Issue date: 2017-08-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-066

2.279.1 1. Overview

Update 5 for Virtuozzo 7.0 provides new features, security fixes, and stability and usability bug fixes.

2.279.2 2. Security Fixes

• [Moderate] A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user could cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments. (PSBM-67221)

• [Moderate] A privileged user inside a container could cause a kernel crash by triggering a GPF in rt6_device_match by executing specially crafted code. (PSBM-66197)

• [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a NULL pointer dereference in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls. (PSBM-65826)

• [Moderate] A privileged user inside a container could cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls. (PSBM-65345)

• [Moderate] A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS attack on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls. (PSBM-64752)

• [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()). (PSBM-64050)

• [Moderate] A privileged user inside a container could cause a kernel crash by triggering a GPF in irq_bypass_unregister_consumer by executing specially crafted code. (PSBM-58996)

2.279.3 3. New Features

• Online migration of containers with NFS shares inside. Containers with NFS client inside can be migrated if they do not use remote file locking and over-mounted NFS file systems. Note that the migration of local file locks is supported only for the NFS version 3 since it has native support of such locks.

• Docker Swarm support in containers. Virtuozzo supports running Docker in swarm mode inside containers. Swarm mode is enabled by either creating a swarm or joining an existing swarm.

• Reboot notifications after automatic guest tools update in Windows guests. Windows virtual machines need to be restarted to complete the update of guest tools. On every such update, administrators inside these VMs receive a reboot notification upon login or immediately if they are logged in.

• Improved CPU topology configuration for Virtuozzo VMs. Now you can specify both the number of CPU sockets and CPU cores per socket.

• Up to 50% faster Virtuozzo installation.

• Ability to set I/O limits for backup and migration operations. Backup and migration of containers and virtual machines can generate a high I/O load on the server, thus reducing the performance of other virtual environments or the server itself. You can avoid such situations by setting I/O limits for these operations.

• Support for online compacting of virtual machines on Virtuozzo Storage in replication mode (by means of the FALLOC_FL_PUNCH_HOLE flag).

• Improved container behavior in case of underlying storage (filesystem) errors. Now containers can be forcibly stopped if a filesystem error occurs. This feature can be enabled by setting ‘ON_VE_FSERROR’ to ‘stop’ in ‘/etc/vz/vz.conf’.

• Improved performance for NFS version 3 servers running on Virtuozzo 7 hosts.

• Support for the ‘ipt_owner’ module in containers.

• Alerts in Virtuozzo Storage GUI. It is now possible to get useful notifications about potential issues and misconfigurations (license alerts, cluster nodes alerts, network alerts, and cluster services health). The system monitors cluster configuration, health of cluster services, network links, and disk health. Critical Alerts are exported via SNMP.

• Audit of actions in Virtuozzo Storage GUI. It is now possible to get a log of all user actions in the GUI (configure, change, create).

• Virtuozzo Storage S3 geo-replication (beta). Virtuozzo Storage can now store and keep up-to-date replicas of data in multiple geographically distributed datacenters with S3 clusters based on Virtuozzo Storage. Geo-replication works in the Active-Active mode. NOTE: S3 geo-replication requires either HTTP-only setup (evaluation) or HTTPS on both datacenters with real certificates obtained from well-known certificate authorities. Setups with self-signed certificates will require manual configuration.

• Virtuozzo Storage monitoring via SNMP and integration with ZABBIX. It is now possible to get monitoring counters (space, health, license, IOPS, throughput, disk load, etc.) via SNMP version 2. Management node HA, if enabled, makes this feature highly available as well.

• Role-based user model in Virtuozzo Storage. Security and control is improved with role-based user access, increasing flexibility without risking cluster security.

• LDAP and Active Directory support in Virtuozzo Storage. Admins and users can now authenticate in storage clusters using their LDAP/AD credentials.

• Erasure coding mode 1+2 in Virtuozzo Storage. This new encoding mode is meant for small clusters that have insufficient nodes for other erasure coding modes but will grow in the future. As redundancy type cannot be changed once chosen (from replication to erasure coding or vice versa), this mode allows one to choose erasure coding even if their cluster is smaller than recommended. Once the cluster grows, more beneficial redundancy modes can be chosen.

• Renewal of Acronis Backup Gateway certificates in Virtuozzo Storage. It is now possible to renew expired backup certificates via GUI.

• SSL on GUI by default for new Virtuozzo Storage installations.

• Other improvements in Virtuozzo Storage. Better stability, object storage scalability, security, processing of batch operations (assign/release) for disks.

2.279.4 4. Bug Fixes

• Container could become unresponsive for minutes at a time if kmem usage was close to container’s limit. (PSBM-68644)

• Container restore could fail due to CRIU segmentation fault. (PSBM-68062)

• Container with named in chroot could not be suspended. (PSBM-67723)

• The prlctl set command did not allow setting shortened IPv6 addresses. (PSBM-67559)

• VMs could crash during QEMU live update. (PSBM-67322)

• Creating VLAN interface from installer could produce a non-functional VLAN adapter. (PSBM-67278)

• VLAN-related options were moved from VLAN ifcfg to ifcfg-br during installation, resulting in broken network. (PSBM-67183)

• Docker Swarm running in a container could potentially lead to node crash. (PSBM-67086)

• QCOW2 images leaked space on hosts over Virtuozzo Storage. (PSBM-66545)

• TCP window scaling was not working in Virtuozzo 7 containers, reducing the maximum network speed. (PSBM-66468)

• Container .ve.xml not regenerated during migration from Virtuozzo 6 to 7 prevented shaman from relocating such containers correctly in case of node failure. (PSBM-66074)

• Unsuitable nodes could be chosen for VE relocation during failover. (PSBM-64920)

• Virtuozzo 7 host could crash due to TCache-related issues. (PSBM-64727)

• Anaconda installer mistakenly created software RAID from Virtuozzo Storage chunk server drives. (PSBM-61126)

• The parameter net.ipv4.ip_nonlocal_bind was not available in Virtuozzo 7 containers. (PSBM-60975)

• Other fixes. (PSBM-68767, PSBM-68756, PSBM-68242, PSBM-68052, PSBM-68015, PSBM-67942, PSBM-67869, PSBM-67377, PSBM-67300, PSBM-67076, PSBM-66545, PSBM-66537, PSBM-65565, PSBM-65225, PSBM-64984, PSBM-63214, PSBM-62635, PSBM-62459, PSBM-62212, PSBM-61558, PSBM-60148, PSBM-58574)

2.279.5 5. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-066.json.

2.280 Kernel security update: CVE-2017-11176 and other; Virtuozzo ReadyKernel patch 26.1 for Virtuozzo 7.0.x

Issue date: 2017-07-19

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-065

2.280.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.280.2 2. Security Fixes

• [Moderate] The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. (CVE-2017-11176)

• [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could make sctp listen on a socket in an inappropriate state, causing a kernel crash (use-after-free in sctp_wait_for_sndbuf()). (PSBM-64050)

2.280.3 3. Bug Fixes

• A data race was discovered in the implementation of /proc/$PID/map_files. A privileged user on the host could crash the kernel by using mmap and munmap for a file and simultaneously trying to access /proc/$PID/map_files. (PSBM-68472)

• It was found that the kernel could crash (skb_under_panic) if an skb from a virtual (NETIF_F_VENET) device was processed in a particular networking configuration. The problem was caused by the incorrect skb headroom calculation and missing headroom checks. (PSBM-68362)

• A data race between calc_load_fold_active() and try_to_wake_up() was discovered. As a result of that race, the values shown in /proc/loadavg could be calculated incorrectly in some cases. (PSBM-68052)

• A data race was discovered in ploop, which could lead to the kernel crash due to the list corruption during parallel push backups. (PSBM-67513)

2.280.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.280.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-26.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-26.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-26.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-26.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-26.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-11176

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-065.json.

2.281 Important kernel security update: CVE-2017-8797 and other; Virtuozzo ReadyKernel patch 25.0 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-07-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-063

2.281.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2.281.2 2. Security Fixes

• [Important] The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits in a single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and so to a soft-lockup of the whole system. (CVE-2017-8797)

• [Important] A flaw was found in the way the Linux kernel allocates heap memory to build the scatter-gather list from a fragment list (skb_shinfo(skb)->frag_list) in the socket buffer (skb_buff). The heap overflow occurred if the ‘MAX_SKB_FRAGS + 1’ parameter and the ‘NETIF_F_FRAGLIST’ feature are both used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477)

• [Moderate] A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS attack on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls. (PSBM-64752)

2.281.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.281.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-25.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-25.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8797

• https://access.redhat.com/security/cve/CVE-2017-7477

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-063.json.

2.282 Important kernel security update: CVE-2017-8797 and other; Virtuozzo ReadyKernel patch 25.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-07-05

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-062

2.282.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.282.2 2. Security Fixes

• [Important] The NFSv4 server in the Linux kernel compiled with CONFIG_NFSD_PNFS enabled does not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. The attack payload fits in a single one-way UDP packet. The provided input value is used for array dereferencing. This may lead to a remote DoS of [knfsd] and so to a soft-lockup of the whole system. (CVE-2017-8797)

• [Moderate] A vulnerability was found in the implementation of setsockopt() operations in the Linux kernel. A privileged user inside a container could cause a DoS attack on the host (kernel deadlock in ip_ra_control() function) using a specially crafted sequence of system calls. (PSBM-64752)

2.282.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.282.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-25.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-25.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-25.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-8797

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-062.json.

2.283 Important kernel security update: updated fix for CVE-2017-1000364; new kernel 2.6.32-042stab123.9, Virtuozzo 6.0 Update 12 Hotfix 13 (6.0.12-3681)

Issue date: 2017-07-04

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-061

2.283.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.9 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and introduces an update for a security fix.

2.283.2 2. Security Fixes

• [Important] An updated fix for CVE-2017-1000364 (kernel: heap/stack gap jumping via unbounded stack allocations). The fix released in the 042stab123.8 kernel was not fully correct. (OVZ-6911)

2.283.3 3. Installing the Update

Install the update by running ‘yum update’.

2.283.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-061.json.

2.284 Important kernel security update: updated fix for CVE-2017-1000364; new kernel 2.6.32-042stab123.9 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-07-04

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-060

2.284.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.9 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and introduces an update for a security fix.

2.284.2 2. Security Fixes

• [Important] An updated fix for CVE-2017-1000364 (kernel: heap/stack gap jumping via unbounded stack allocations). The fix released in the 042stab123.8 kernel was not fully correct. (OVZ-6911)

2.284.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.284.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-060.json.

2.285 Important kernel security update: CVE-2017-1000364; new kernel 2.6.18-028stab122.3 for Virtuozzo Containers for Linux 4.6

Issue date: 2017-07-04

Applies to: Virtuozzo Containers for Linux 4.6

Virtuozzo Advisory ID: VZA-2017-059

2.285.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.6 kernel 2.6.18-028stab122.3 based on the Red Hat Enterprise Linux 5 kernel 2.6.18-419.el5. The new kernel introduces a security fix.

2.285.2 2. Security Fixes

• [Important] A flaw was found in the way memory was being allocated on the stack for userspace binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364)

2.285.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.285.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-059.json.

2.286 Kernel security update: Virtuozzo ReadyKernel patch 24.0 for Virtuozzo 7.0.4 HF3

Issue date: 2017-06-29

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-058

2.286.1 1. Overview

The first Virtuozzo ReadyKernel patch for Virtuozzo kernel 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3). This patch introduces a security fix and stability bug fixes.

2.286.2 2. Security Fixes

• [Moderate] A vulnerability was found in the implementation of vxlan interfaces in the Linux kernel. A privileged user inside a container was able to trigger a use-after-free in vxlan_dellink() function with a special sequence of operations with vxlan interfaces, which could result in a system crash or could possibly have other unspecified impact. (PSBM-67263)

• [Moderate] A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user could cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments. (PSBM-67221)

2.286.3 3. Bug Fixes

• Kernel crash (NULL pointer dereference) in list_lru_destroy() in certain conditions. (PSBM-67300)

• Kernel could enter an endless loop in try_charge() and deadlock on memcgroup reached memory limits. (PSBM-67076)

2.286.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.286.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-24.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-058.json.

2.287 Kernel security update: Virtuozzo ReadyKernel patch 24.0 for Virtuozzo 7.0.4

Issue date: 2017-06-29

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-057

2.287.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo kernel 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4).

2.287.2 2. Security Fixes

• [Moderate] A vulnerability was found in the implementation of vxlan interfaces in the Linux kernel. A privileged user inside a container was able to trigger a use-after-free in vxlan_dellink() function with a special sequence of operations with vxlan interfaces, which could result in a system crash or could possibly have other unspecified impact. (PSBM-67263)

2.287.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.287.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-24.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-057.json.

2.288 Important kernel security update: CVE-2017-1000364; Virtuozzo 7.0 Update 4 Hotfix 3 (7.0.4-1107)

Issue date: 2017-06-26

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-056

2.288.1 1. Overview

The new update for Virtuozzo 7.0.4 provides a security fix.

2.288.2 2. Security Fixes

• [Important] A flaw was found in the way memory was being allocated on the stack for userspace binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364, PSBM-67428)

2.288.3 3. Installing the Update

Install the update by running ‘yum update’.

2.288.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-056.json.

2.289 Important kernel security update: CVE-2017-1000364; new kernel 2.6.32-042stab123.8, Virtuozzo 6.0 Update 12 Hotfix 12 (6.0.12-3680)

Issue date: 2017-06-26

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-055

2.289.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.8 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a security fix.

2.289.2 2. Security Fixes

• [Important] A flaw was found in the way memory was being allocated on the stack for userspace binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364)

2.289.3 3. Installing the Update

Install the update by running ‘yum update’.

2.289.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-055.json.

2.290 Important kernel security update: CVE-2017-1000364; new kernel 2.6.32-042stab123.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-06-26

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-054

2.290.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a security fix.

2.290.2 2. Security Fixes

• [Important] A flaw was found in the way memory was being allocated on the stack for userspace binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364)

2.290.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.290.4 4. References

• https://access.redhat.com/security/cve/CVE-2017-1000364

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-054.json.

2.291 Kernel security update: Virtuozzo ReadyKernel patch 23.0 for Virtuozzo 7.0.4

Issue date: 2017-06-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-053

2.291.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix and stability bug fixes. The patch applies to Virtuozzo kernel 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4).

2.291.2 2. Security Fixes

• [Moderate] A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user could cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments. (PSBM-67221)

2.291.3 3. Bug Fixes

• Kernel crash (NULL pointer dereference) in list_lru_destroy() in certain conditions. (PSBM-67300)

• Kernel could enter an endless loop in try_charge() and deadlock on memcgroup reached memory limits. (PSBM-67076)

2.291.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.291.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-23.2-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-053.json.

2.292 Kernel security update: Virtuozzo ReadyKernel patch 23.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2017-06-22

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-052

2.292.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with a security fix and a stability bug fix. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.292.2 2. Security Fixes

• [Moderate] A vulnerability was found in the signal handling in the Linux kernel. A local unprivileged user could cause a kernel crash (general protection fault) in the cleanup_timers() function by using the rt_tgsigqueueinfo() system call with a specially crafted set of arguments. (PSBM-67221)

2.292.3 3. Bug Fixes

• Kernel crash (NULL pointer dereference) in list_lru_destroy() in certain conditions. (PSBM-67300)

2.292.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.292.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-23.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-23.2-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-23.2-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-052.json.

2.293 Kernel update: new kernel 2.6.32-042stab123.6, Virtuozzo 6.0 Update 12 Hotfix 11 (6.0.12-3678)

Issue date: 2017-06-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-051

2.293.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.6 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a stability bug fix.

2.293.2 2. Bug Fixes

• Fixed network connectivity problem on hosts where VLAN was included into bridge. It was broken in the kernel 042stab123.4. (PSBM-67323, PSBM-62215)

2.293.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-051.json.

2.294 Kernel update: new kernel 2.6.32-042stab123.6 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-06-20

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-050

2.294.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.6 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a stability bug fix.

2.294.2 2. Bug Fixes

• Fixed network connectivity problem on hosts where VLAN was included into bridge. It was broken in the kernel 042stab123.4. (PSBM-67323, PSBM-62215)

2.294.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-050.json.

2.295 Kernel update: new kernel 2.6.18-028stab122.2 for Virtuozzo Containers for Linux 4.6

Issue date: 2017-06-19

Applies to: Virtuozzo Containers for Linux 4.6

Virtuozzo Advisory ID: VZA-2017-049

2.295.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.6 kernel 2.6.18-028stab122.2 based on the Red Hat Enterprise Linux 5 kernel 2.6.18-419.el5. The new kernel introduces a stability fix.

2.295.2 2. Bug Fixes

• delayfs should not be mounted manually. (PSBM-66818)

2.295.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-049.json.

2.296 Product update: Virtuozzo 7.0 Update 4 Hotfix 2 (7.0.4-1101)

Issue date: 2017-06-13

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-048

2.296.1 1. Overview

The new update for Virtuozzo 7.0.4 provides a stability bug fix.

2.296.2 2. Bug Fixes

• Potential VM disk image corruption on VM migration. (PSBM-66628)

2.296.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-048.json.

2.297 Kernel security update: CVE-2017-9077 and other; new kernel 2.6.32-042stab123.4, Virtuozzo 6.0 Update 12 Hotfix 10 (6.0.12-3677)

Issue date: 2017-06-13

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-047

2.297.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.4 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.

2.297.2 2. Security Fixes

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

• [Low] Improved isolation for neighbor table settings. (The fix added to the 042stab120.19 kernel was incomplete.) (PSBM-59962)

2.297.3 3. Bug Fixes

• delayfs should not be mounted manually. (PSBM-66818)

• Disabled HWID generation for certain virtual interfaces (VLAN/VXLAN/IPIP/dummy). (PSBM-62215)

2.297.4 4. Installing the Update

Install the update by running ‘yum update’.

2.297.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-047.json.

2.298 Kernel security update: CVE-2017-9077 and other; new kernel 2.6.32-042stab123.4 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-06-13

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-046

2.298.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.4 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.

2.298.2 2. Security Fixes

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

• [Low] Improved isolation for neighbor table settings. (The fix added to the 042stab120.19 kernel was incomplete.) (PSBM-59962)

2.298.3 3. Bug Fixes

• delayfs should not be mounted manually. (PSBM-66818)

• Disabled HWID generation for certain virtual interfaces (VLAN/VXLAN/IPIP/dummy). (PSBM-62215)

2.298.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.298.5 5. References

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-046.json.

2.299 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.4

Issue date: 2017-06-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-045

2.299.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes and a bug fix. The patch applies to Virtuozzo kernel 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4).

2.299.2 2. Security Fixes

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

2.299.3 3. Bug Fixes

• TCP cgroup memory pressure was checked incorrectly leading to lower network transfer rates. (PSBM-66468)

2.299.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.299.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-21.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-045.json.

2.300 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.3

Issue date: 2017-06-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-044

2.300.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.300.2 2. Security Fixes

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

2.300.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.300.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-20.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-044.json.

2.301 Kernel security update: CVE-2017-9077 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.1

Issue date: 2017-06-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-043

2.301.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernel 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1).

2.301.2 2. Security Fixes

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

• [Moderate] A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646)

2.301.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.301.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-20.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

• https://access.redhat.com/security/cve/CVE-2016-8646

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-043.json.

2.302 Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 22.0 for Virtuozzo 7.0.0

Issue date: 2017-06-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-042

2.302.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernel 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0).

2.302.2 2. Security Fixes

• [Important] The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS. (CVE-2017-7645)

• [Important] The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895)

• [Moderate] The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

• [Moderate] The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

• [Moderate] The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9075)

• [Moderate] The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. (CVE-2017-9074)

• [Moderate] The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

• [Moderate] A vulnerability was found in the Linux kernel. An unprivileged local user could trigger oops in shash_async_export() by attempting to force the in-kernel hashing algorithms into decrypting an empty data set. (CVE-2016-8646)

• [Moderate] If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering a NULL pointer dereference in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls. (PSBM-65826)

• [Moderate] A privileged user inside a container could cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls. (PSBM-65345)

2.302.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.302.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-22.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9077

• https://access.redhat.com/security/cve/CVE-2017-9076

• https://access.redhat.com/security/cve/CVE-2017-9075

• https://access.redhat.com/security/cve/CVE-2017-9074

• https://access.redhat.com/security/cve/CVE-2017-8890

• https://access.redhat.com/security/cve/CVE-2016-8646

• https://access.redhat.com/security/cve/CVE-2017-7895

• https://access.redhat.com/security/cve/CVE-2017-7645

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-042.json.

2.303 Product update: Virtuozzo 7.0 Update 4 Hotfix 1 (7.0.4-1091)

Issue date: 2017-05-29

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-039

2.303.1 1. Overview

The new update for Virtuozzo 7.0.4 provides stability and usability bug fixes.

2.303.2 2. Bug Fixes

• guest.fs* counters were reported in kilobytes for containers and in bytes for virtual machines. (PSBM-66625, PSBM-66445)

• Backup location changed to default after update to Virtuozzo 7.0.4. (PSBM-66556)

• Updating from Virtuozzo 7.0.3 to 7.0.4 without reboot could result in warnings on container suspend and errors on container resume. (PSBM-66311)

• Unable to restore VM backup created in Virtuozzo 6 on Virtuozzo 7. (PSBM-66084)

• Unable to migrate VM from Virtuozzo 6 to Virtuozzo 7 if VM’s HDD path contained spaces. (PSBM-66007)

• IOPS accounting did not work for containers created with prlctl. (PSBM-65552)

• And other fixes.

2.303.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-039.json.

2.304 Important kernel security update: CVE-2017-7645 and other; Virtuozzo ReadyKernel patch 21.0 for Virtuozzo 7.0.x

Issue date: 2017-05-23

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-038

2.304.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), and 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4).

2.304.2 2. Security Fixes

• [Important] The NFS2/3 RPC client could send long arguments to nfsd server. These encoded arguments are stored in an array of memory pages, and accessed via various pointer variables. Arbitrarily long arguments could make these pointers point outside the array, thus causing out-of-bounds memory access. A remote user/program could use this flaw to crash the kernel resulting in DoS. (CVE-2017-7645)

• [Important] The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895)

• [Moderate] If the sctp module is loaded on the host, a privileged user inside a container can cause a kernel crash by triggering a NULL pointer dereference in the sctp_endpoint_destroy() function with a specially crafted sequence of system calls. (PSBM-65826)

• [Moderate] A privileged user inside a container can cause a kernel crash by triggering a BUG_ON in the unregister_netdevice_many() function with a specially crafted sequence of system calls. (PSBM-65345)

2.304.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.304.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-20.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-20.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-21.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7645

• https://access.redhat.com/security/cve/CVE-2017-7895

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-038.json.

2.305 Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3, Virtuozzo 6.0 Update 12 Hotfix 9 (6.0.12-3676)

Issue date: 2017-05-11

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-037

2.305.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.3 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.

2.305.2 2. Security Fixes

• [Important] The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895)

• [Important] The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (CVE-2017-7645)

2.305.3 3. Bug Fixes

• Node with containers running over an NFS share could crash during container resize operations. A degradation in 042stab123.x kernels. (PSBM-65555)

• Under certain rare conditions, if host resources were lacking, starting a container with NFS support could crash the host. All 042stab kernels were affected. (PSBM-65550)

2.305.4 4. Installing the Update

Install the update by running ‘yum update’.

2.305.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7895.html

• https://www.redhat.com/security/data/cve/CVE-2017-7645.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-037.json.

2.306 Kernel security update: CVE-2017-7645 and other; new kernel 2.6.32-042stab123.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-05-11

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-036

2.306.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.3 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes as well as stability bug fixes.

2.306.2 2. Security Fixes

• [Important] The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly have unspecified other impact via crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895)

• [Important] The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allowed remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (CVE-2017-7645)

2.306.3 3. Bug Fixes

• Node with containers running over an NFS share could crash during container resize operations. A degradation in 042stab123.x kernels. (PSBM-65555)

• Under certain rare conditions, if host resources were lacking, starting a container with NFS support could crash the host. All 042stab kernels were affected. (PSBM-65550)

2.306.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.306.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7895.html

• https://www.redhat.com/security/data/cve/CVE-2017-7645.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-036.json.

2.307 Product update: Virtuozzo 7.0 Update 4 (7.0.4-1025)

Issue date: 2017-05-03

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-033

2.307.1 1. Overview

The Update 4 for Virtuozzo 7.0 provides new features, a security fix, and stability and usability bug fixes.

2.307.2 2. Security Fixes

• [Moderate] A vulnerability in container resource limiting mechanism could potentially lead to DoS attacks. (PSBM-60181)

2.307.3 3. New Features

• Virtuozzo Storage RAID6 performance and stability improvements. A number of optimizations improving performance of data located on Virtuozzo Storage with erasure coding.

• Virtuozzo Storage UI. You can now manage Virtuozzo Storage more easily from a web-based management panel. With it, you can create, manage, and monitor clusters, create and manage datastores for virtual machines, containers, and backups, export data to iSCSI and S3, as well as perform other tasks. For more details, see the new Virtuozzo Storage Administrator’s Guide.

• Converged installation of Virtuozzo with Virtuozzo Automator and Virtuozzo Storage UI. The updated installation program enables you to install Virtuozzo in combination with Virtuozzo Storage and Virtuozzo Automator management panels. Nodes you install Virtuozzo on can be registered in these panels automatically.

• Rebase to the RHEL7.3 kernel 3.10.0-514.el7. RHEL7.3 is a major update bringing a number of features, bug fixes, and support for new hardware.

• Configurable virtual machine behavior after guest OS crash. Now, instead of freezing, virtual machines can be set to automatically pause or reboot on guest OS crash.

• Automatic disk compacting (by fstrim) for Linux virtual machines. Now installing Virtuozzo guest tools schedules weekly automatic trimming of filesystems in Linux guests by means of the fstrim service. It reclaims unused storage space by discarding data blocks unused by VM’s filesystem (if the filesystem supports it). However, note that replicas in Virtuozzo Storage do not support this feature while RAID6 does.

• Automatic update of guest tools inside virtual machines. Now after you update the guest tools packages on the node, Virtuozzo will automatically update installed guest tools in running virtual machines by means of a weekly cron job.

• Hyper-V paravirtualization storage device emulation. Now Windows virtual machines work with the Virtuozzo hypervisor natively, as if it were Hyper-V. This feature is experimental as it only supports storage drives without UEFI support.

• Live QEMU update. Virtuozzo can update KVM/QEMU hypervisor live in running virtual machines that have KVM/QEMU version 2.6.0 or newer.

• Firewall enabled by default. Now Virtuozzo has firewall enabled by default with rules to open required ports.

• Backup and restore of Virtuozzo 6 virtual machines and containers to and from Virtuozzo 7 servers. Virtuozzo 7 servers can now act as backup nodes for Virtuozzo 6.

• Improvements in CRIU, ploop, VNC, etc.

2.307.4 4. Bug Fixes

• Slow I/O (low IOPS) for scattered files in guest. (PSBM-62298)

• Nodes could crash spontaneously due to a kernel bug. (PSBM-62208)

• Renamed VM could fail to migrate by shaman because shaman resource was not renamed on VM rename. (PSBM-61822)

• Migration of containers under sshd attacks could fail. (PSBM-61573)

• Console could stop working after successful VM migration. (PSBM-61470)

• autofs mountpoint is lost after migration. (PSBM-60980)

• Moving containers to or from Virtuozzo Storage could create orphaned temporary snapshots. (PSBM-59212)

• License could not be activated if only the bonded interface had IP address assigned. (PSBM-58809)

• Live container migration could hang after hitting a memory limit. (PSBM-58228)

• Node could crash during pfcache activity. (PSBM-44587)

• Other issues. (PSBM-64707, PSBM-64416, PSBM-64271, PSBM-64068, PSBM-63453, PSBM-62537, PSBM-62257, PSBM-61944, PSBM-61483, PSBM-61459, PSBM-61127, PSBM-60716, PSBM-60644, PSBM-60197, PSBM-60144, PSBM-59983, PSBM-59905, PSBM-59684, PSBM-59199, PSBM-55992, PSBM-55911, PSBM-55907, PSBM-52674, PSBM-52393)

2.307.5 5. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-033.json.

2.308 Kernel security update: CVE-2017-5970 and other; Virtuozzo ReadyKernel patch 20.0 for Virtuozzo 7.0.x

Issue date: 2017-04-28

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-032

2.308.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.308.2 2. Security Fixes

• [Moderate] A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation. (CVE-2017-5970)

• [Moderate] A vulnerability was found in the implementation of SCTP protocol in the Linux kernel. If the sctp module was loaded on the host, a privileged user inside a container could cause a kernel crash by triggering use-after-free in the __sctp_connect() function with a specially crafted sequence of system calls. (PSBM-64734)

2.308.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.308.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-20.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-20.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-20.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-5970

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-032.json.

2.309 Kernel security update: CVE-2017-7472; new kernel 2.6.32-042stab123.2, Virtuozzo 6.0 Update 12 Hotfix 8 (6.0.12-3765)

Issue date: 2017-04-27

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-031

2.309.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.2 for Virtuozzo 6.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a security fix and stability bug fixes.

2.309.2 2. Security Fixes

• [Moderate] It was found that keyctl_set_reqkey_keyring() function leaked thread keyring which could allow an unprivileged local user to exhaust kernel memory. (CVE-2017-7472)

2.309.3 3. Bug Fixes

• net/packet: fix overflow in check for tp_frame_nr.

• net/packet: fix overflow in check for tp_reserve.

2.309.4 4. Installing the Update

Install the update by running ‘yum update’.

2.309.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7472.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-031.json.

2.310 Kernel security update: CVE-2017-7472; new kernel 2.6.32-042stab123.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-04-27

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-030

2.310.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides a security fix and stability bug fixes.

2.310.2 2. Security Fixes

• [Moderate] It was found that keyctl_set_reqkey_keyring() function leaked thread keyring which could allow an unprivileged local user to exhaust kernel memory. (CVE-2017-7472)

2.310.3 3. Bug Fixes

• net/packet: fix overflow in check for tp_frame_nr.

• net/packet: fix overflow in check for tp_reserve.

2.310.4 4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.

2.310.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-7472.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-030.json.

2.311 Kernel security update: CVE-2017-7472 and other; Virtuozzo ReadyKernel patch 19.1 for Virtuozzo 7.0.x

Issue date: 2017-04-20

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-029

2.311.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2.311.2 2. Security Fixes

• [Moderate] It was found that keyctl_set_reqkey_keyring() function leaked thread keyring which could allow an unprivileged local user to exhaust kernel memory. (CVE-2017-7472)

• [Moderate] net/sctp/socket.c in the Linux kernel through 4.10.1 did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. (CVE-2017-6353)

• [Moderate] Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 could allow local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peeled off an association in a certain buffer-full state. (CVE-2017-5986)

• [Moderate] Andrey Konovalov discovered that signed integer overflows existed in the setsockopt() system call when handling the SO_SNDBUFFORCE and SO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capability could use this to cause a denial of service (system crash or memory corruption). (CVE-2016-9793)

• [Moderate] A vulnerability was discovered in the handling of pid namespaces in the kernel. A privileged user inside a container could trigger a kernel crash (NULL pointer dereference in proc_flush_task()) using a sequence of system calls including wait4(). (PSBM-56705)

2.311.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.311.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-19.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-19.1-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-19.1-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-7472

• https://access.redhat.com/security/cve/CVE-2017-6353

• https://access.redhat.com/security/cve/CVE-2017-5986

• https://access.redhat.com/security/cve/CVE-2016-9793

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-029.json.

2.312 Important kernel security update: Virtuozzo ReadyKernel patch 18.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-04-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-028

2.312.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes as well as stability bug fixes. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.312.2 2. Security Fixes

• [Important] Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. (CVE-2017-2636)

• [Low] Kernel crash in cgroup_show_path() while running rkt in a container. (PSBM-52369)

2.312.3 3. Bug Fixes

• Kernel crash due to a race between attach and invalidate page when running Virtuozzo 7 as a VM guest. (PSBM-63197)

• Kernel crash in synchronize_mapping_faults_vma() when pfcache is active. (PSBM-44587)

2.312.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.312.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-18.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-18.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-18.0-1.vl7/

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-028.json.

2.313 Kernel security update: Virtuozzo ReadyKernel patch 17.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-04-04

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-027

2.313.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.313.2 2. Security Fixes

• [Important] The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (overflow) or possibly have unspecified other impact via crafted system calls. (CVE-2017-7308)

2.313.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.313.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-17.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-17.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-17.0-1.vl7/

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-027.json.

2.314 Important kernel security update: Virtuozzo ReadyKernel patch 16.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-04-03

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-026

2.314.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.314.2 2. Security Fixes

• [Important] It was discovered that the xfrm framework for transforming packets in the Linux kernel did not properly validate data received from user space. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code with administrative privileges. (CVE-2017-7184)

2.314.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.314.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-16.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-16.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-16.0-1.vl7/

• http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7184.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-026.json.

2.315 Kernel security update: new kernel 2.6.32-042stab123.1, Virtuozzo 6.0 Update 12 Hotfix 7 (6.0.12-3674)

Issue date: 2017-03-30

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-025

2.315.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab123.1 as well as internal stability bug fixes. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes.

2.315.2 2. Security Fixes

• [Moderate] A flaw was found in the Linux kernel’s handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely. (CVE-2017-6214)

• [Moderate] It was discovered that a remote attacker could leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and could subsequently perform any type of a fragmentation-based attack against legacy IPv6 nodes that do not implement RFC6946. (CVE-2016-10142)

• [Moderate] It was found that the blk_rq_map_user_iov() function in the Linux kernel’s block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device. (CVE-2016-10088, CVE-2016-9576)

• [Moderate] A flaw was found in the Linux kernel’s implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash. (CVE-2016-9555)

• [Moderate] A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399)

• [Moderate] It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn’t clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications. (CVE-2016-7097)

• [Moderate] It was found that when the gcc stack protector was enabled, reading the /proc/keys file could cause a panic in the Linux kernel due to stack corruption. This happened because an incorrect buffer size was used to hold a 64-bit timeout value rendered as weeks. (CVE-2016-7042)

• [Moderate] A race condition flaw was found in the ioctl_send_fib() function in the Linux kernel’s aacraid implementation. A local attacker could use this flaw to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value. (CVE-2016-6480)

• [Moderate] When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem to create corrupt records, which may allow an attacker to misrepresent or evade logging of executing commands. (CVE-2016-6136)

• [Moderate] A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. A local user could use a thread running with a stale cached virtual->physical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table). (CVE-2016-2069)

• [Low] A flaw was found in the USB-MIDI Linux kernel driver: a double-free error could be triggered for the ‘umidi’ object. An attacker with physical access to the system could use this flaw to escalate their privileges. (CVE-2016-2384)

2.315.3 3. Bug Fixes

• Ploop resize improvements. (PSBM-57813)

• Ploop defragmentation improvements. (PSBM-57003)

• Virtuozzo Storage performance improvements. (PSBM-27322)

2.315.4 4. Installing the Update

Install the update by running ‘yum update’.

2.315.5 5. References

• https://www.redhat.com/security/data/cve/CVE-2017-6214.html

• https://www.redhat.com/security/data/cve/CVE-2016-10142.html

• https://www.redhat.com/security/data/cve/CVE-2016-10088.html

• https://www.redhat.com/security/data/cve/CVE-2016-9576.html

• https://www.redhat.com/security/data/cve/CVE-2016-9555.html

• https://www.redhat.com/security/data/cve/CVE-2016-8399.html

• https://www.redhat.com/security/data/cve/CVE-2016-7097.html

• https://www.redhat.com/security/data/cve/CVE-2016-7042.html

• https://www.redhat.com/security/data/cve/CVE-2016-6828.html

• https://www.redhat.com/security/data/cve/CVE-2016-6480.html

• https://www.redhat.com/security/data/cve/CVE-2016-2384.html

• https://www.redhat.com/security/data/cve/CVE-2016-2069.html

• https://rhn.redhat.com/errata/RHSA-2017-0817.html

• https://rhn.redhat.com/errata/RHSA-2017-0307.html

• https://rhn.redhat.com/errata/RHSA-2017-0293.html

• https://rhn.redhat.com/errata/RHSA-2017-0036.html

• https://rhn.redhat.com/errata/RHSA-2016-2766.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-025.json.

2.316 Kernel security update: new kernel 2.6.32-042stab123.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2017-03-30

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2017-024

2.316.1 1. Overview

This update provides a new kernel 2.6.32-042stab123.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0. The new kernel is based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.el6 and provides security fixes.

2.316.2 2. Security Fixes

• [Moderate] A flaw was found in the Linux kernel’s handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely. (CVE-2017-6214)

• [Moderate] It was discovered that a remote attacker could leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and could subsequently perform any type of a fragmentation-based attack against legacy IPv6 nodes that do not implement RFC6946. (CVE-2016-10142)

• [Moderate] It was found that the blk_rq_map_user_iov() function in the Linux kernel’s block device implementation did not properly restrict the type of iterator, which could allow a local attacker to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging write access to a /dev/sg device. (CVE-2016-10088, CVE-2016-9576)

• [Moderate] A flaw was found in the Linux kernel’s implementation of the SCTP protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB potentially causing the system to crash. (CVE-2016-9555)

• [Moderate] A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds memory access by creating a smaller-than-expected ICMP header and sending to its destination via sendto(). (CVE-2016-8399)

• [Moderate] It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn’t clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications. (CVE-2016-7097)

• [Moderate] It was found that when the gcc stack protector was enabled, reading the /proc/keys file could cause a panic in the Linux kernel due to stack corruption. This happened because an incorrect buffer size was used to hold a 64-bit timeout value rendered as weeks. (CVE-2016-7042)

• [Moderate] A race condition flaw was found in the ioctl_send_fib() function in the Linux kernel’s aacraid implementation. A local attacker could use this flaw to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value. (CVE-2016-6480)

• [Moderate] When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem to create corrupt records, which may allow an attacker to misrepresent or evade logging of executing commands. (CVE-2016-6136)

• [Moderate] A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. A local user could use a thread running with a stale cached virtual->physical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table). (CVE-2016-2069)

• [Low] A flaw was found in the USB-MIDI Linux kernel driver: a double-free error could be triggered for the ‘umidi’ object. An attacker with physical access to the system could use this flaw to escalate their privileges. (CVE-2016-2384)

2.316.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility.

2.316.4 4. References

• https://www.redhat.com/security/data/cve/CVE-2017-6214.html

• https://www.redhat.com/security/data/cve/CVE-2016-10142.html

• https://www.redhat.com/security/data/cve/CVE-2016-10088.html

• https://www.redhat.com/security/data/cve/CVE-2016-9576.html

• https://www.redhat.com/security/data/cve/CVE-2016-9555.html

• https://www.redhat.com/security/data/cve/CVE-2016-8399.html

• https://www.redhat.com/security/data/cve/CVE-2016-7097.html

• https://www.redhat.com/security/data/cve/CVE-2016-7042.html

• https://www.redhat.com/security/data/cve/CVE-2016-6828.html

• https://www.redhat.com/security/data/cve/CVE-2016-6480.html

• https://www.redhat.com/security/data/cve/CVE-2016-2384.html

• https://www.redhat.com/security/data/cve/CVE-2016-2069.html

• https://rhn.redhat.com/errata/RHSA-2017-0817.html

• https://rhn.redhat.com/errata/RHSA-2017-0307.html

• https://rhn.redhat.com/errata/RHSA-2017-0293.html

• https://rhn.redhat.com/errata/RHSA-2017-0036.html

• https://rhn.redhat.com/errata/RHSA-2016-2766.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-024.json.

2.317 Product update: Virtuozzo 7.0 Update 3 Hotfix 3 (7.0.3-641)

Issue date: 2017-03-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-023

2.317.1 1. Overview

The new packages for Virtuozzo 7.0.3 introducing usability fixes and compatibility with Packet.

2.317.2 2. New Features

• Virtuozzo on Packet. This update enables creating and running Virtuozzo nodes as well as Virtuozzo Storage clusters on servers provided by Packet. For more information, see the Virtuozzo Wiki.

2.317.3 3. Bug Fixes

• Route of container with a host-routed interface was not cleared on source host after migration. (PSBM-62644)

• Allowed access to ‘/dev/kmsg’ inside containers by default to redirect container’s kernel messages to ‘/var/log/messages’ in that container. (PSBM-59017)

2.317.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-023.json.

2.318 Kernel security update: Virtuozzo ReadyKernel patch 15.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-03-20

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-021

2.318.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.318.2 2. Security Fixes

• [Moderate] A flaw was discovered in the Linux kernel’s key subsystem. Invoking the request_key() system call with a specially crafted set of arguments could result in a NULL-pointer dereference inside the search_keyring() function. A local unprivileged user could use this vulnerability to crash the system. The vulnerability could be exploited from inside containers. (CVE-2017-2647)

2.318.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.318.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-15.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-15.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-15.0-1.vl7/

• https://bugzilla.redhat.com/show_bug.cgi?id=1427994

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-021.json.

2.319 Kernel security update: new kernel 2.6.32-042stab120.20, Virtuozzo 6.0 Update 12 Hotfix 6 (6.0.12-3673)

Issue date: 2017-03-20

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-019

2.319.1 1. Overview

This update provides the new Virtuozzo 6.0 kernel 2.6.32-042stab120.20 based on the Red Hat Enterprise Linux 6.8 kernel 2.6.32-642.6.1.el6. The new kernel provides a security fix.

2.319.2 2. Security Fixes

• [Moderate] A flaw was discovered in the Linux kernel’s key subsystem. Invoking the request_key() system call with a specially crafted set of arguments could result in a NULL-pointer dereference inside the search_keyring() function. A local unprivileged user could use this vulnerability to crash the system. The vulnerability could be exploited from inside containers. (CVE-2017-2647)

2.319.3 3. Installing the Update

Install the update by running ‘yum update’.

2.319.4 4. References

• https://bugzilla.redhat.com/show_bug.cgi?id=1427994

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-019.json.

2.320 Product security update: Virtuozzo 7.0 Update 3 Hotfix 2 (7.0.3-640)

Issue date: 2017-03-17

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-018

2.320.1 1. Overview

The new package for Virtuozzo 7.0.3 introducing a security fix.

2.320.2 2. Security Fixes

• [Moderate] Incorrect checking of locked VM accounts in Virtuozzo SDK allowed one to use any password to log in to a VM with such a locked account via a third-party program using Virtuozzo SDK that was launched on host. Other login methods, e.g., via SSH, were not affected. (PSBM-62160)

2.320.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-018.json.

2.321 Important kernel security update: Virtuozzo ReadyKernel patch 14.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-03-16

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-017

2.321.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.321.2 2. Security Fixes

• [Important] A use-after-free flaw was found in the way the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074)

• [Moderate] A syntax vulnerability was discovered in the kernel’s ASN.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system. (CVE-2016-2053)

2.321.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.321.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-14.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-14.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-14.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-6074

• https://access.redhat.com/security/cve/CVE-2016-2053

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-017.json.

2.322 Important kernel security update: new kernel 2.6.18-028stab122.1 for Virtuozzo Containers for Linux 4.6

Issue date: 2017-03-15

Applies to: Virtuozzo Containers for Linux 4.6

Virtuozzo Advisory ID: VZA-2017-016

2.322.1 1. Overview

This update provides a new Virtuozzo Containers for Linux 4.6 kernel 2.6.18-028stab122.1 based on the Red Hat Enterprise Linux 5 kernel 2.6.18-419.el5. This update is a rebase to a new Red Hat Enterprise Linux kernel. It provides security fixes inherited from the RHEL kernel and no internal fixes.

IMPORTANT: The security vulnerabilities mentioned in this advisory only affect the host but not the containers on it because DCCP is disabled in containers.

2.322.2 2. Security Fixes

• [Important] A use-after-free flaw was found in the way the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074)

• [Moderate] It was found that the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system. (CVE-2017-2634)

2.322.3 3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the Virtuozzo Containers for Linux 4.6 distribution.

2.322.4 4. References

• https://www.redhat.com/security/data/cve/CVE-2017-6074.html

• https://www.redhat.com/security/data/cve/CVE-2017-2634.html

• https://rhn.redhat.com/errata/RHSA-2017-0323.html

• https://rhn.redhat.com/errata/RHBA-2017-0274.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-016.json.

2.323 Critical product security update: Virtuozzo 7.0 Update 3 Hotfix 1 (7.0.3-639)

Issue date: 2017-03-06

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-012

2.323.1 1. Overview

The new packages for Virtuozzo 7.0.3 introducing security fixes as well as usability and stability bug fixes.

2.323.2 2. Security Fixes

• [Critical] A flaw was found in the way prl-vzvncserver parsed terminal escape sequences that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to execute arbitrary code as host root. (PSBM-58281)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by exploiting the way it handled overlapping memory areas. (PSBM-58282)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to overwrite a small memory region of the prl-vzvncserver process. (PSBM-58280)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to cause allocation of a huge amount of memory. (PSBM-58099)

2.323.3 3. New Features

• Virtuozzo PowerPanel 2.0 support. Virtuozzo PowerPanel 2.0 is a solution for hosting providers that allows their customers to independently manage purchased virtual environments hosted on Virtuozzo 7 nodes. Install this update on a Virtuozzo 7 node to make its virtual environments manageable via Virtuozzo PowerPanel 2.0.

• Support for SLES 11 in containers. This update adds container EZ templates for SUSE Linux Enterprise Server 11. For details on additional configuration steps required to create SLES 11 containers, see the Virtuozzo 7 User’s Guide.

2.323.4 4. Bug Fixes

• Last disk partition was not resized if resize was performed via prlsdkapi. (PSBM-60527)

• Reconfiguring network in the installer could block attended PXE installation. (PSBM-60277)

• VCMMD could crash due to an error in lookup_qemu_machine_pid(), preventing any virtual environments on node from being started. (PSBM-60274)

• Bootloader stages 1 and 2 could be set to different devices in the Virtuozzo 7 installer which could result in an unbootable installation. (PSBM-60204)

• Incorrect swap values were reported after ‘vcmmd’ restart for containers with swap set to 0. (PSBM-59952)

• It was impossible to select MDS IP address in the installer. The latest configured IP address was automatically selected and could not be changed. (PSBM-59837)

• Containers created from templates would not start. (PSBM-59834)

• Installer would generate a malformed line for Virtuozzo Storage in /etc/fstab on nodes added to a storage cluster. (PSBM-59306)

• Shaman could calculate HWIDs differently than vzlicmon and act as if valid licenses were invalid. (PSBM-58995)

• The ‘pdrsd’ service could crash due to segmentation fault after attempting to process values of incorrect length. (PSBM-58930)

• Live migration of a virtual environment would fail if websocket was in use on the destination node. (PSBM-57556)

• CPU features were stored in VM config at time of creation and never refreshed. This could impede migration to hosts with different CPUs at a later time. Now CPU features are reset on registration as well. (PSBM-56479)

• Impossible to create incremental backups of containers from Virtuozzo 6 to Virtuozzo 7 hosts. (PSBM-54345)

• Virtuozzo Storage ‘rm-cs’ did not remove corresponding ‘systemd’ targets during CS removal. (PSBM-52338)

2.323.5 5. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-012.json.

2.324 Product update: Virtuozzo 6.0 Update 12 Hotfix 5 (6.0.12-3672)

Issue date: 2017-03-06

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-011

2.324.1 1. Overview

The new packages for Virtuozzo 6.0.12 introducing a usability bug fix.

2.324.2 2. Bug Fixes

• Lack of VNC client capabilities check on host could result in unsupported data being sent to VNC client leading to a disconnection from host with error. (PSBM-60976)

2.324.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-011.json.

2.325 Important kernel security update: Virtuozzo ReadyKernel patch 13.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-03-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-010

2.325.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.325.2 2. Security Fixes

• [Important] The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. (CVE-2017-6214)

• [Moderate] A privileged user inside a container could cause a host kernel crash in udp_lib_get_port(). (PSBM-57512)

2.325.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.325.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-13.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-13.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-13.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-6214

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-010.json.

2.326 Product security update: Virtuozzo 6.0 Update 12 Hotfix 4 (6.0.12-3671)

Issue date: 2017-02-27

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-009

2.326.1 1. Overview

The new packages for Virtuozzo 6.0.12 introducing security fixes as well as stability bug fixes.

2.326.2 2. Security Fixes

• [Moderate] Possible crash in memcpy_fromiovecend() triggered from inside container. (PSBM-60778)

• [Low] Improved isolation for neighbor table settings. (PSBM-59962)

2.326.3 3. Bug Fixes

• Use of uninitialized variable in dev_hard_xmit. (PSBM-60369)

• Improved no_vlan0 module option for Cisco ENIC driver. (PSBM-58964)

• Node hang in fuse_invalidate_files(). (PSBM-57460)

2.326.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-009.json.

2.327 Kernel security update: Virtuozzo ReadyKernel patch 12.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-02-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-008

2.327.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.327.2 2. Security Fixes

• [Low] Improved isolation for neighbor table settings. (PSBM-59964)

2.327.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.327.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-12.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-12.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-12.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-008.json.

2.328 Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-02-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-007

2.328.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes as well as a usability bug fix. The patch applies to Virtuozzo 7.0.3.

2.328.2 2. Security Fixes

• [Moderate] A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. (CVE-2016-9806)

• [Moderate] It was discovered that the Linux kernel since 3.6-rc1 with ‘net.ipv4.tcp_fastopen’ set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash. (CVE-2016-8645)

• [Moderate] A flaw was found in the way nfnetlink validated length of batch messages that could allow a user logged in to a container as root to cause a general protection fault and crash the host. (PSBM-57511)

• [Moderate] A flaw was found in the way nfnetlink handled errors while processing batch messages that could allow a user logged in to a container as root to trigger use after free and crash the host. (PSBM-57499)

• [Low] A security flaw was found in the Linux kernel: an attempt to move a page mapped by the AIO ring buffer to the other node triggers a NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0. (CVE-2016-3070)

2.328.3 3. Bug Fixes

• It was not possible to set up port forwarding in containers for which the ‘--netfilter’ option was set to ‘full’. (PSBM-59983)

2.328.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.328.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-11.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2016-9806

• https://access.redhat.com/security/cve/cve-2016-8645

• https://access.redhat.com/security/cve/cve-2016-3070

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-007.json.

2.329 Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0) and 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1)

Issue date: 2017-02-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-006

2.329.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes as well as a usability bug fix. The patch applies to Virtuozzo versions 7.0.0 and 7.0.1.

2.329.2 2. Security Fixes

• [Moderate] A flaw was found in the way nfnetlink validated length of batch messages that could allow a user logged in to a container as root to cause a general protection fault and crash the host. (PSBM-57511)

• [Moderate] A flaw was found in the way nfnetlink handled errors while processing batch messages that could allow a user logged in to a container as root to trigger use after free and crash the host. (PSBM-57499)

2.329.3 3. Bug Fixes

• It was not possible to set up port forwarding in containers for which the ‘--netfilter’ option was set to ‘full’. (PSBM-59983)

2.329.4 4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.329.5 5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-11.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-11.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-006.json.

2.330 Critical product security update: Virtuozzo 6.0 Update 12 Hotfix 3 (6.0.12-3670)

Issue date: 2017-02-21

Applies to: Virtuozzo 6.0

Virtuozzo Advisory ID: VZA-2017-005

2.330.1 1. Overview

The new packages for Virtuozzo 6.0.12 introducing security fixes as well as stability and usability bug fixes.

2.330.2 2. Security Fixes

• [Critical] A flaw was found in the way prl-vzvncserver parsed terminal escape sequences that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to execute arbitrary code as host root. (PSBM-58281)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by exploiting the way it handled overlapping memory areas. (PSBM-58282)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to overwrite a small memory region of the prl-vzvncserver process. (PSBM-58280)

• [Moderate] A flaw was found in prl-vzvncserver that could allow a remote attacker authenticated with the VNC password or a user logged in to a container as root to crash prl-vzvncserver by executing a specially crafted command to cause allocation of a huge amount of memory. (PSBM-58099)

2.330.3 3. Bug Fixes

• Unable to install OS templates from RPM on Virtuozzo 6 nodes. (PSBM-59994)

• Attempts to perform certain operations on containers via prlctl (e.g., switching offline management) could fail. (PSBM-58505)

• Linux VMs with UEFI could not start after restore due to incorrectly generated NVRAM. (PSBM-52430)

2.330.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-005.json.

2.331 Kernel security update: Virtuozzo ReadyKernel patch 10.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-02-03

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-004

2.331.1 1. Overview

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2.331.2 2. Security Fixes

• [Moderate] Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support is vulnerable to an incorrect segment selector (SS) value error. The error could occur while loading values into the SS register in long mode. A user/process inside a guest could use this flaw to crash the guest, resulting in DoS, or potentially escalate their privileges inside the guest. (CVE-2017-2583)

• [Moderate] arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. (CVE-2017-2584)

2.331.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.331.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-10.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-10.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-10.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-2583

• https://access.redhat.com/security/cve/CVE-2017-2584

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-004.json.

2.332 Product security update: Virtuozzo 6.0 Update 12 Hotfix 2 (6.0.12-3658)

Issue date: 2017-01-25

Applies to: Virtuozzo 6.0

Virtuozzo advisory ID: VZA-2017-003

2.332.1 1. Overview

The new packages for Virtuozzo 6.0 introducing a security fix.

2.332.2 2. Security Fixes

• [Moderate] A vulnerability within vzpkg could allow a malicious user to perform a basic symlink attack resulting in files being moved outside of the container and onto the host file system. The issue only affected containers based on CentOS 5. (PSBM-58425)

2.332.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages included in this update is available at http://docs.virtuozzo.com/vza/VZA-2017-003.json.

2.333 Kernel update: Virtuozzo ReadyKernel patch 9.0 for kernel 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1)

Issue date: 2017-01-20

Applies to: Virtuozzo 7.0

Virtuozzo advisory ID: VZA-2017-002

2.333.1 1. Update Overview

The cumulative Virtuozzo ReadyKernel patch updated with a stability bug fix. The patch applies to Virtuozzo 7.0.1 only.

2.333.2 2. Bug Fixes

• Stopping a container with disabled netfilter could result in node crash. (PSBM-54244)

2.333.3 3. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

2.333.4 4. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-9.0-1.vl7/

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-002.json.

2.334 Important kernel security and product update: vulnerability fix for CVE-2015-8539, new kernel 2.6.32-042stab120.18; Virtuozzo 6.0 Update 12 Hotfix 1 (6.0.12-3656)

Issue date: 2017-01-18

Applies to: Virtuozzo 6.0

Virtuozzo advisory ID: VZA-2017-001

2.334.1 1. Overview

This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab120.18 based on the Red Hat Enterprise Linux 6.8 kernel 2.6.32-642.6.1.el6. The new kernel provides security and stability fixes.

2.334.2 2. Security Fixes

• [Important] Fixed handling of stored error in a negatively instantiated user key. Key management subsystems could be abused to escalate privileges through memory corruption. All kernels were affected. (CVE-2015-8539)

2.334.3 3. Bug Fixes

• Possible ploop image corruption after unexpected host crash or shutdown. All previous 042stab120.x kernels were affected. (PSBM-58500)

• CPT: Incorrect dump of permitted iptables mask could result in failure to resume or migrate container or load new iptables rules inside the resumed container. All previous 042stab kernels were affected. (PSBM-58278)

2.334.4 4. Installing the Update

Install the update by running ‘yum update’.

2.334.5 5. References

• https://access.redhat.com/security/cve/CVE-2015-8539

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-001.json.

CHAPTER 3 Virtuozzo Linux

Release announcements for this product are available as an RSS feed.

3.1 Virtuozzo Linux 8.4

Issue date: 2021-06-11

Applies to: Virtuozzo Linux 8

Virtuozzo Advisory ID: VZA-2021-030

3.1.1 1. Overview

The complete list of changes is available in RHEL 8.4 release notes.

3.1.2 2. New Features

• Libreswan IPsec VPN now supports TCP encapsulation and security labels for IKEv2.

• The nmstate network API for hosts is fully supported in version 8.4.

• Ansible modules are available for automated management of role-based access control (RBAC) in Identity Management (IdM), an Ansible role for backing up and restoring IdM servers, and an Ansible module for location management.

• Newer module streams are now available: Python 3.9, SWIG 4.0, Subversion 1.14, Redis 6, PostgreSQL 13, MariaDB 10.5.

• Compilers have been updated: GCC Toolset 10, LLVM Toolset 11.0.0, Rust Toolset 1.49.0, Go Toolset 1.15.7.

3.1.3 3. Bug Fixes

• If subscription-manager was installed, any dnf command could produce warnings about the system not being registered to Red Hat Subscription Management. Now subscription-manager is no longer a dependency of a number of packages, and its plugins are disabled by default. (VZL-94)

3.1.4 4. Installing

You can install Virtuozzo Linux from ISO images available in the official repository. For complete installation instructions, see the Virtuozzo Linux 8 Quick Start Guide.

Virtuozzo Linux is also available as a Docker image. You can get it with ‘docker pull virtuozzo/vzlinux8’.

3.1.5 5. Upgrading

On hardware nodes or in virtual machines, you can upgrade to the latest Virtuozzo Linux release by running ‘dnf upgrade’.

To update containers running Virtuozzo Linux, use ‘vzpkg update ’. To update the EZ template cache for creating new containers, run ‘vzpkg update cache vzlinux-8-x86_64’. For more information, see the Virtuozzo Hybrid Server 7 User’s Guide.

3.1.6 6. Providing Feedback

Please report any issues you might find at the bug tracker.

Please also feel free to send your pull requests to our GitHub repository.

The JSON file with the source of this advisory is available at https://docs.virtuozzo.com/vza/VZA-2021-030.json.

CHAPTER 4 Virtuozzo Automator

Release announcements for this product are available as an RSS feed.

4.1 Virtuozzo Automator 7.0 Update 2 Hotfix 13 (VA MN: 7.0.2-674)

Issue date: 2021-06-22

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2021-031

4.1.1 1. Overview

Hotfix 13 for Virtuozzo Automator 7.0.2 provides a stability and usability fix.

4.1.2 2. Bug Fixes

• Virtuozzo 6 nodes could appear as offline in Virtuozzo Automator 7 due to disabled support for TLS 1.0 required by VA 6 agents. As a part of the fix, the ‘ssl_high_security’ parameter was added to ‘/var/opt/pva/mn/etc/vzagent.conf’. Setting it to 0 allows the use of TLS 1.0 and enables support for Virtuozzo Automator 6 agents and thus Virtuozzo 6 nodes. Setting it to 1 (default) enforces TLS 1.2 and newer for Virtuozzo Automator 7 agents. Restart the ‘va-mn’ service to apply the change. (PVA-37631)

4.1.3 3. Installing the Update

Install the update by running ‘yum groupupdate “VA Management Node” “VA Control Center”’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-031.json.

4.2 Virtuozzo Automator 7.0 Update 2 Hotfix 12 (VA MN: 7.0.2-670, VA Agent: 7.0.2-398)

Issue date: 2021-06-01

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2021-028

4.2.1 1. Overview

Hotfix 12 for Virtuozzo Automator 7.0.2 provides a new feature as well as stability and usability fixes.

4.2.2 2. New Features

• Ability to switch between coalescing and rotational backup schemes. In the former case, the set number of incremental backups will be maintained indefinitely, the oldest one being merged when a new one is created. In the latter case, a new full backup will be created after the maximum number of incremental backups is reached. The new setting has been added to the Setup > Configure Backups screen. For more information, see “Defining Global Backup Settings” in the Administrator’s Guide. (PVA-37624)

4.2.3 3. Bug Fixes

• Changing VM’s OS distribution via API calls could reset the ‘cpu_limit’ and ‘iolimit’ values. (PVA-37513)

• Backup configuration was not respected by Virtuozzo 6 containers migrated to Virtuozzo Hybrid Server 7. (PVA-37526)

• VA Agent could report zero I/O statistics for nodes, preventing iostat from being used for I/O accounting. (PVA-37539)

• Scheduled tasks could ignore the “Number of full backups to keep” parameter. (PVA-37544)

• VA Agent could return non-zero ‘counter_memory_used’ values for stopped VMs. (PVA-37547)

• Used memory stats could be reported for suspended VMs. (PVA-37548)

• Other fixes. (PVA-34133, PVA-37305, PVA-37514, PVA-37516, PVA-37517, PVA-37518, PVA-37535, PVA-37538, PVA-37540, PVA-37543, PVA-37551, PVA-37552, PVA-37562, PVA-37563)

4.2.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each node.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-028.json.

4.3 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 11 (VA MN: 7.0.2-649, VA Agent: 7.0.2-372)

Issue date: 2020-06-14

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2020-050

4.3.1 1. Overview

Hotfix 11 for Virtuozzo Automator 7.0.2 provides stability and usability fixes.

4.3.2 2. Bug Fixes

• Changing VM’s OS distribution via API calls could reset the ‘cpu_limit’ and ‘iolimit’ values. (PVA-37488)

• VA Agent did not return the ‘counter_io_used’ value. (PVA-37495)

• Unable to update software on hardware nodes from Automator. (PVA-37499)

4.3.3 3. Installing the Update

Install the update by running ‘yum groupupdate “VA Management Node” “VA Control Center”’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-050.json.

4.4 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 10 (VA MN: 7.0.2-647, VA Agent: 7.0.2-367)

Issue date: 2020-05-14

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2020-035

4.4.1 1. Overview

Hotfix 10 for Virtuozzo Automator 7.0.2 provides stability and usability fixes.

4.4.2 2. Bug Fixes

• Unable to set “Advanced firewall mode with the default policy Drop” for containers. (PVA-37446)

• VA Agent could consume 100% of one CPU. (PVA-37477)

• VA Agent could stop working after or while executing a task. (PVA-37479)

4.4.3 3. Installing the Update

Install the update by running ‘yum groupupdate “VA Management Node” “VA Control Center”’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-035.json.

4.5 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 9 (VA MN: 7.0.2-645, VA Agent: 7.0.2-364)

Issue date: 2020-03-31

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2020-024

4.5.1 1. Overview

Hotfix 9 for Virtuozzo Automator 7.0.2 provides stability and usability fixes.

4.5.2 2. Bug Fixes

• Virtuozzo Automator warns about low disk space on SSDs with storage cache and journals. (PVA-35779)

• VA agent can fully load MDS on nodes with lots of containers on Virtuozzo Storage. (PVA-37393)

• Users and groups of the original container are not available inside the repair one. (PVA-37465)

• Other fixes. (PVA-37279, PVA-37370, PVA-37419, PVA-37437, PVA-37450)

4.5.3 3. Installing the Update

Install the update by running ‘yum groupupdate “VA Management Node” “VA Control Center”’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-024.json.

4.6 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 8 (VA MN: 7.0.2-623, VA Agent: 7.0.2-341)

Issue date: 2019-12-03

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2019-092

4.6.1 1. Overview

The hotfix for Virtuozzo Automator 7.0.2 provides stability fixes.

4.6.2 2. Bug Fixes

• Need to return user_beancounters stats to VA agent. (PVA-37429)

• Unable to reboot VE while changing its RAM/CPU live. (PVA-37434)

• Other fixes. (PVA-37359, PVA-37415, PVA-37438)

4.6.3 3. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-092.json.

4.7 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 7 (VA MN: 7.0.2-617, VA Agent: 7.0.2-329)

Issue date: 2019-03-14

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2019-021

4.7.1 1. Overview

The hotfix for Virtuozzo Automator 7.0.2 provides stability fixes.

4.7.2 2. Bug Fixes

• Backups created with CLI were not listed in the web-based control panel. (PVA-36493, PVA-37325)

• Fixed behavior when alerts could be triggered before set limit was exceeded. (PVA-37287)

• Incremental backup rotation did not work as a scheduled task. (PVA-37357)

4.7.3 3. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-021.json.

4.8 Critical product update: Virtuozzo Automator 7.0 Update 2 Hotfix 6 (VA MN: 7.0.2-612, VA Agent: 7.0.2-326)

Issue date: 2018-10-03

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2018-073

4.8.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides security and stability fixes.

4.8.2 2. Security Fixes

• [Critical] The software did not neutralize or incorrectly neutralized user-controllable input before it was placed in output that was used as a web page that was served to other users. (CWE-79, PVA-37373)

• [Critical] The software did not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (CWE-269, PVA-37374)

4.8.3 3. Bug Fixes

• Removed Management Node license. (PVA-37155)

• Restart was required to use VE backups after upgrade of Virtuozzo 7 hardware node. (PVA-37083)

• Defaults were always shown for I/O settings on VM’s general settings screen. (PVA-37349)

• Defaults were always shown for the host startup and shutdown settings on VM’s general settings screen. (PVA-37350)

4.8.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node. To remove Virtuozzo license functionality from the machine where VA Management Node is installed, delete the responsible packages with ‘yum remove libvzlic vzlicutils’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2018-073.json.

4.9 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 5 (VA MN: 7.0.2-597, VA Agent: 7.0.2-320)

Issue date: 2018-04-02

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2018-018

4.9.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides a new feature as well as stability and usability bugfixes.

4.9.2 2. New Features

• IP addresses are now randomly allocated from IP pools. (PVA-37317)

4.9.3 3. Bug Fixes

• Systemd reported the ‘va-agent/va-mn’ service as started before it had been initialized. (PVA-35645)

• Scheduled backup of a large VM could fail under certain circumstances. (PVA-37260)

• Allocated IP address was freed if VM’s network adapter had the ‘managed from guest OS’ option set. (PVA-37312)

• VA Agent could report an empty list of VMs after startup if the ‘prl-disp’ service was malfunctioning or worked very slowly. This caused the release of IP addresses allocated to unreported VMs. (PVA-37320)

4.9.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-018.json.

4.10 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 4 (VA MN: 7.0.2-545, VA Agent: 7.0.2-278)

Issue date: 2017-12-26

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-118

4.10.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides new features as well as stability and usability bugfixes.

4.10.2 2. New Features

• The default VM memory value is now 2GB. (PVA-37144)

4.10.3 3. Bug Fixes

• VM could not be shown in the Control Center. (PVA-35054)

• XML API returned empty list of VM templates after restart of the prl-disp service. (PVA-37072)

• Unwanted VE alerts were raised for partitions mounted as read-only (e.g., CD and floppy disks). (PVA-37205)

• QCOW2 images could not be used as VM hard disks. (PVA-37211)

• Scheduler could ignore the keep-max backup option if backup was performed to another hardware node. For more information, see https://help.virtuozzo.com/customer/portal/articles/2906879. (PVA-37215)

• The restart checkbox was not ticked by default if a running VM needed to be restarted after its general settings were changed. (PVA-37216)

• Could not reconfigure VMs with several VirtIO disks. (PVA-37217)

• Could not upgrade the Virtuozzo Automator 6 Management Node installed on CentOS 5. (PVA-37225)

• Possible crash while obtaining the list of network interfaces. (PVA-37243)

• Old disk size was shown after resize of a VM’s hard disk. (PVA-37255)

• An incorrect timeout limit was set for backup tasks executed using the ‘Run Now’ command in Scheduler. (PVA-37249)

• Other UI tweaks and fixes to improve user experience.

4.10.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node. IMPORTANT: This hotfix requires Virtuozzo 7.0 Update 6 Hotfix 2 to be installed. If you install this hotfix before Virtuozzo 7.0 Update 6 Hotfix 2, restart the VA Agent service after updating Virtuozzo later.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-118.json.

4.11 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 3 (VA MN: 7.0.2-510, VA Agent: 7.0.2-258)

Issue date: 2017-10-12

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-093

4.11.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides new features as well as stability and usability bugfixes.

4.11.2 2. New Features

• Now the restart checkbox is not ticked by default if a running VM needs to be restarted after its hardware settings had been changed. (PVA-27439)

• Implemented HDD hotplug for VMs. Virtuozzo Automator now supports hotplugging of SCSI and VirtIO hard disks to running virtual machines located on Virtuozzo 7 hosts as well as hotplugging of SATA hard disks to running virtual machines located on Virtuozzo 6 hosts. (PVA-37006)

4.11.3 3. Bug Fixes

• Alert reason would not be shown on clicking the alert icon on the virtual environment or hardware node summary page if the corresponding event had already been rotated in logs. (PVA-34527)

• Unable to specify VNC settings in local and library Container templates. (PVA-36995)

• VNC console did not work in Firefox ESR 52. (PVA-37043)

• The VLAN creation screen displayed slave interfaces of bonds. (PVA-37059)

• Out-of-list real HDD devices could be reset when changing VM hardware settings. (PVA-37063)

• VMs with duplicate DNS entries in configuration were not shown in VA MN. (PVA-37073)

• Installing a Virtuozzo license from PVA did not activate the ReadyKernel subscription on host. (PVA-37075)

• Library ISO images could not be mounted to VMs running on Virtuozzo 7 hosts. (PVA-37078)

• Improved integration with large Active Directory databases on permissions management screens. (PVA-37087)

• Incorrect CPU usage was reported for VMs (normalized to the number of host CPUs). (PVA-37093, PVA-37118)

• CPU usage was reported incorrectly for Containers. (PVA-37110)

• Virtuozzo Automator suggested 256MB RAM by default for Windows Server 2012 VMs. (PVA-37143)

• VNC console did not work properly in Internet Explorer 11 and Edge. (PVA-37147, PVA-37150)

• Unable to change floppy drive image on a running VM. (PVA-37188)

4.11.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-093.json.

4.12 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 2 (VA MN: 7.0.2-403, VA Agent: 7.0.2-189)

Issue date: 2017-07-06

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-064

4.12.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides stability and usability bugfixes.

4.12.2 2. Bug Fixes

• The Management Node did not recognize bonded network during VLAN creation. (PVA-37045)

• Could not create virtual network for a VLAN created by the Virtuozzo installer. (PVA-37041)

• Migration of a stopped container between Virtuozzo 6 hardware nodes with default settings could fail. (PVA-37037)

• virbrX-nic devices were available for VLANs. (PVA-37029)

• XML API: The userm.edit_user command hung on an attempt to set a password for a container user. (PVA-37027)

• Improved loading time of the virtual machine summary screen. (PVA-36991)

4.12.3 3. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-064.json.

4.13 Important product security update: Virtuozzo Automator 6.1 Update 2 Hotfix 5 (VA MN: 6.0-3266, VA Agent: 6.0-3266)

Issue date: 2017-06-01

Applies to: Virtuozzo Automator 6.1

Virtuozzo Advisory ID: VZA-2017-041

4.13.1 1. Overview

This hotfix for Virtuozzo Automator 6.1 provides a security fix.

4.13.2 2. Security Fixes

• [Important] Possible buffer overread when using File Manager. (PVA-37007)

4.13.3 3. Installing the Update

You can download and install VA Agent and Master updates using the installer included in the Virtuozzo Automator distribution. For more information on Virtuozzo Automator 6 builds, releases, and supported virtualization products, please see the KB article #2509497.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-041.json.

4.14 Product update: Virtuozzo Automator 7.0 Update 2 Hotfix 1 (VA MN: 7.0.2-344, VA Agent: 7.0.2-152)

Issue date: 2017-05-31

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-040

4.14.1 1. Overview

This hotfix for Virtuozzo Automator 7.0.2 provides a security fix as well as stability and usability bugfixes.

4.14.2 2. Security Fixes

• [Important] Possible buffer overread when using File Manager. (PVA-37008)

4.14.3 3. Bug Fixes

• Needed to indicate clearly when the VNC console had keyboard focus to avoid confusion. (PVA-37002)

• Scheduler did not send email notifications about failed backup tasks. (PVA-36990)

• Virtuozzo Automator stopped VMs during online migration. (PVA-36983)

• Certain toolbar items were not displayed for non-privileged users. (PVA-36948)

• ‘Invalid Disk’ was shown on VM ‘Summary’ for physical HDDs. (PVA-36941)

• RAM statistics were not cleaned for stopped containers. (PVA-36938)

• Certain immutable network settings could be edited during VM mass configuration. (PVA-36878, PVA-35982)

• VNC console did not fit page. (PVA-36868)

• Could not assign bridged interfaces to newly created and running containers. (PVA-36797)

• Broken link to a KB article in the ‘Task details’ window. (PVA-36796)

• Virtuozzo Automator did not show container backups if container in question was backed up to another hardware node. (PVA-36777)

• All ‘Send Key’ combinations in VNC console now work properly. (PVA-36638)

• No name validation during VE restore. (PVA-36467)

4.14.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-040.json.

4.15 Product update: Virtuozzo Automator 7.0 Update 2 (VA MN: 7.0.2-266, VA Agent: 7.0.2-115)

Issue date: 2017-05-03

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-034

4.15.1 1. Overview

The Update 2 for Virtuozzo Automator 7.0 provides new features and stability and usability bug fixes.

4.15.2 2. New Features

• Support for SOAP API. Virtuozzo Automator now supports using SOAP API on the VA Agent side. This is a feature for developers who want to write their own VA Agent applications using SOAP API.

• Integration with Virtuozzo Storage UI. In Virtuozzo Automator, you can now open the Virtuozzo Storage management panel as well as specify Virtuozzo Storage datastores as location for VMs, containers, and backups. This functionality is provided by the integration plugin that is installed automatically if you choose to install both the Virtuozzo Storage and Virtuozzo Automator management panels while installing Virtuozzo. You can also install it manually.

• Support for Windows Server 2016. Virtuozzo Automator now enables you to create and manage virtual machines with Windows Server 2016 guest OS.

4.15.3 3. Bug Fixes

• No ‘Renew backup’ button on virtual environment’s backups tab. (PVA-36694)

• Existing bridges were not used when attaching interfaces to virtual networks. (PVA-36693)

• Unable to assign bridged interfaces to newly created and running containers. (PVA-36797)

• Right-clicking in VNC console invoked both browser’s and guest OS context menus. (PVA-36778)

• Live migration is now the default choice in Virtuozzo Automator. (PVA-36695)

• Some VMs might not be shown on a new Virtuozzo Automator installation. (PVA-36665)

• VA Agent did not clean statistics for stopped containers. (PVA-36650)

• Unable to assign 64 CPUs to VM. (PVA-36642)

• Certain key combinations did not work in the VNC console. (PVA-36638)

• No ‘Configure network settings from guest OS’ option in VM template settings. (PVA-36627)

• No button to migrate bare-metal nodes to Virtuozzo 6 VMs. (PVA-36544)

• Changed port number range for VNC connections. The new range is 5700-6900. (PVA-36320)

• Unable to restart repair process if the previous repair attempt has failed. (PVA-36174)

• Migrated virtual environments were not displayed in the left menu after migration. (PVA-36092)

• Task log representation in MySQL was not optimized. (PVA-36050)

• Unable to manage VMs with physical HDDs in Virtuozzo Automator. (PVA-35155)

• VM could be shown as paused in Virtuozzo Automator but reported as running by dispatcher. (PVA-35127)

• Multiple UI tweaks and fixes affecting look and feel and user experience.

4.15.4 4. Installing the Update

Update VA MN by running ‘yum groupupdate “VA Management Node” “VA Control Center”’. Update VA Agent by running ‘yum groupupdate “VA Agent”’ on each Virtuozzo node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-034.json.

4.16 Product update: Virtuozzo Automator 7 Update 1 Hotfix 2 (7.0.1-740)

Issue date: 2017-03-20

Applies to: Virtuozzo Automator 7.0

Virtuozzo Advisory ID: VZA-2017-020

4.16.1 1. Overview

The new packages for Virtuozzo Automator 7 introduce a usability bug fix for the management node.

4.16.2 2. Bug Fixes

• The ‘vzlicmon’ service now automatically starts on VA Management Node update, start, or restart to make sure that the Virtuozzo Automator license will be updated when necessary. (PVA-36686)

4.16.3 3. Installing the Update

Install the update by running ‘yum groupupdate “VA Management Node” “VA Control Center”’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-020.json.

4.17 Product update: Virtuozzo Automator 7 Update 1 Hotfix 1

Issue date: 2017-03-14

Applies to: Virtuozzo Automator 7.1

Virtuozzo Advisory ID: VZA-2017-015

4.17.1 1. Overview

The new packages for Virtuozzo Automator 7 introduce usability bug fixes for the management node.

4.17.2 2. Bug Fixes

• Hardware nodes with VMs stayed offline after upgrading the management node from version 6 to 7. (PVA-36679)

• The ‘vaconfig’ tool was not installed with other management node packages by default. (PVA-36677)

• Setting a VNC password during VM creation could trigger an ‘Application Error’ message on attempt to enter that VM’s general settings. (PVA-36671)

• Virtuozzo Automator license could not be updated automatically. (PVA-36662)

4.17.3 3. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-015.json.

4.18 Product security update: Virtuozzo Automator 6.1 Update 2 Hotfix 4 (VA Agent: 6.0-3264)

Issue date: 2017-03-06

Applies to: Virtuozzo Automator 6.1

Virtuozzo Advisory ID: VZA-2017-014

4.18.1 1. Overview

The new packages for Virtuozzo Automator 6.1 introduce a new feature, a security fix, and usability bug fixes for VA Agent for Linux.

4.18.2 2. Security Fixes

• [Moderate] In cases when multiple containers were processed in a single task by external tools like ‘vzabackup’, Power Panel of any container involved in the task would show operations log for other containers in the same task as well. (PVA-27270)

4.18.3 3. New Features

• Implemented ability to register VA 6.1 Agents for Linux in VA 7.1 Management Nodes.

4.18.4 4. Bug Fixes

• The pva-snmp-third-6.0-80.36.*.rpm packages were broken, preventing installation of VA Agent’s SNMP component. (PVA-36446)

• VA Management Node did not show disk usage for virtual machines. (PVA-34010)

4.18.5 5. Installing the Update

You can download and install VA Agent and Master updates using the installer included in the Virtuozzo Automator distribution. For more information on Virtuozzo Automator 6 builds, releases, and supported virtualization products, please see the KB article #2509497.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-014.json.

4.19 Product update: Virtuozzo Automator 7 Update 1 (VA MN: 7.0.1-728, VA Agent: 7.0.1-430)

Issue date: 2017-03-06

Applies to: Virtuozzo Automator 7

Virtuozzo Advisory ID: VZA-2017-013

4.19.1 1. Overview

The new packages for Virtuozzo Automator 7 introduce new features as well as usability and stability bug fixes.

4.19.2 2. New Features

• Ability to upgrade from Virtuozzo Automator 6.1 to Virtuozzo Automator 7.1. For details, see the Virtuozzo Automator Administrator’s Guide.

• Support for Virtuozzo 6 physical servers. Virtuozzo 6 hardware nodes can now be managed in Virtuozzo Automator 7.

• Support for offline licenses for VA management Node. You can now install VA management Node licenses from license files.

• Ability to restore backups into new virtual environments in the VA Management Node. For details, see the Virtuozzo Automator Administrator’s Guide.

• The license request link is now more noticeable.

• Ability to manage containers with the Plesk control panel, including Plesk Onyx. You can now install Plesk application templates on physical servers, add them to containers hosted on these servers, and manage these containers via Plesk. For details, see the Virtuozzo Automator Administrator’s Guide.

• Support for VLANs. You can now add and delete VLANs in the VA Management Node.

4.19.3 3. Bug Fixes

• Fixed collection of CPU statistics in VA MN. (PVA-36535)

• Changing container’s private area in the host settings in VA MN resulted in deletion of the ‘VEFSTYPE’ parameter from ‘/etc/vz/vz.conf’, blocking container creation. (PVA-36516)

• License could not be activated if an IP address was only assigned to the teamed network interface and not ethX interfaces. (PVA-36332)

• Could not create a virtual environment from template in case of automatic hardware node selection. (PVA-36325)

• VA MN could not start virtual machines. (PVA-36317)

• VA MN did not show all HDD interface types shown by ‘prlctl’. (PVA-36265)

• VA MN could show a wrong value in the ‘Subscription’ field in license details. (PVA-36252)

• ‘Up-to-date Status’ could remain ‘n/a’ on the updates screen. (PVA-36230)

• Resource consumption was not reported correctly for VMs with installed guest tools. (PVA-36182)

• Containers could remain listed on the source hardware node (in a Virtuozzo Storage cluster) after migration to another hardware node. (PVA-36149)

• Containers created in VA MN had incorrect ‘ORIGIN_SAMPLE’ value set in their configuration. (PVA-36128)

• Old help page was being shown for VE console. (PVA-36067)

• Needed to remove the ‘icons only’ UI mode. (PVA-36019)

• Unnecessary confirmation request to suspend virtual environments. (PVA-35253)

• In VA MN, systemd services were shown as SysV services. (PVA-34909)

• Fixed support of QEMU extended keyevents in VNC client (Virtuozzo 7 only). (PVA-34352)

• Traffic statistics could still be shown for stopped containers. (PVA-34101)

• Numerous UI tweaks and fixes to improve user experience, including relocation of the ‘Tasks’ list to the top part of the VA window.

4.19.4 4. Installing the Update

Install the update by running ‘yum update’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-013.json.

CHAPTER 5 Virtuozzo PowerPanel

Release announcements for this product are available as an RSS feed.

5.1 [Important] [Security] Virtuozzo PowerPanel Update 1 Hotfix 2 (7.0.4-47)

Issue date: 2020-03-04

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2021-012

5.1.1 1. Overview

The update for Virtuozzo PowerPanel introduces a new feature and a security fix.

5.1.2 2. Security Fixes

• [Important] Fortify Docker configuration in the vzapi-compute service. (PP-647)

5.1.3 3. New Features

• The change password functionality can now be disabled in the web panel, API, or both. (PP-650)

5.1.4 4. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0.4/x86_64/os/Packages/p/pp-release-2.0.4-3.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-012.json.

5.2 Product update: Virtuozzo PowerPanel Update 1 Hotfix 1 (7.0.4-39)

Issue date: 2020-01-26

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2021-002

5.2.1 1. Overview

The update for Virtuozzo PowerPanel introduces stability and usability fixes.

5.2.2 2. Bug Fixes

• Attach and detach backup tasks missing or undefined in the task log. (PP-643)

• The ‘vzapi-’ package not updated on the controller when upgrading PowerPanel. (PP-642)

• Controller database not updated when upgrading PowerPanel. (PP-641)

• Non-human readable output in API responses for non-existing backup IDs. (PP-640)

• Typo in task status in API responses. (PP-645, PP-639)

5.2.3 3. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0.4/x86_64/os/Packages/p/pp-release-2.0.4-3.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2021-002.json.

5.3 Product update: Virtuozzo PowerPanel Update 1 (7.0.4-30)

Issue date: 2020-12-25

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2020-074

5.3.1 1. Overview

The update for Virtuozzo PowerPanel introduces new features as well as stability and usability fixes.

5.3.2 2. New Features

• Ability to repair containers. If a container malfunctions, you can start it in the repair mode, access its contents, and try to fix it. For more details, see the User’s Guide. (PP-564)

• Ability to attach VE backups to restore particular files. For more details, see the User’s Guide. (PP-565)

• Ability to check for PowerPanel updates. You can now check for updates at any time using the ‘vzapi-installer check-upgrade’ command. For more information, see the Administrator’s Guide. (PP-585)

• Ability to disable reinstall functionality for end users. For instructions, see the Knowledge Base article. (PP-593)

• REST API documentation. The documentation for the PowerPanel REST API is now available. (PP-632)

5.3.3 3. Bug Fixes

• The ‘vzapi’ command to reset the backup limit to 0 could fail. (PP-578)

• A wrong config parameter was documented for instance default backup limit. (PP-580)

• VEs could become unmanageable after some time. (PP-592)

5.3.4 4. Known Limitations

• The container repair functionality requires all compute nodes to run Virtuozzo Hybrid Server 7.5.

• The VE backup attach functionality requires all compute nodes to be configured for local backup storage.

5.3.5 5. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0.4/x86_64/os/Packages/p/pp-release-2.0.4-3.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-074.json.

5.4 Product update: Virtuozzo PowerPanel RTM Hotfix 8 (7.0.3-151)

Issue date: 2020-08-18

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2020-057

5.4.1 1. Overview

The update for Virtuozzo PowerPanel introduces a security fix, a new feature, and stability and usability fixes.

5.4.2 2. Security Fixes

• [Moderate] PowerPanel web interface could be vulnerable to clickjacking. (PP-568)

5.4.3 3. New Features

• Added support for sending virtual environment IP addresses to the legacy login form in HTTP GET requests. One can now address a VE by its IP address via a URL like ‘https:///login/ve/?host=’. One can also specify the user name as ‘username=’. (PP-561, PP-567)

5.4.4 4. Bug Fixes

• Could not login to single virtual environments by hostname. (PP-558)

• Missing the ability to update backup limits for VEs via vzapi. (PP-563)

• URLs like ‘https:///login/’ redirected to the VE login form. (PP-566)

5.4.5 5. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0.3-6.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-057.json.

5.5 Product update: Virtuozzo PowerPanel RTM Hotfix 7 (7.0.3-145)

Issue date: 2020-01-28

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2020-007

5.5.1 1. Overview

The update for Virtuozzo PowerPanel introduces stability fixes.

5.5.2 2. Bug Fixes

• PowerPanel could stop working after node reboot. (PP-541)

• ‘Action Failed’ response to operations on virtual environments after updating. (PP-548)

• Warning “No handlers could be found for logger keystoneauth.discover” in vzapi output instead of requested information. (PP-553)

5.5.3 3. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0.3-6.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2020-007.json.

5.6 Product update: Virtuozzo PowerPanel RTM Hotfix 6 (7.0.3-137)

Issue date: 2019-12-23

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2019-097

5.6.1 1. Overview

The update for Virtuozzo PowerPanel introduces stability fixes.

5.6.2 2. Bug Fixes

• Unable to update the controller. (PP-546, PP-547)

5.6.3 3. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0.3-6.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-097.json.

5.7 Product update: Virtuozzo PowerPanel RTM Hotfix 5 (7.0.3-133)

Issue date: 2019-12-12

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2019-095

5.7.1 1. Overview

The update for Virtuozzo PowerPanel introduces stability fixes.


5.7.2 2. Bug Fixes

• Attempts to log in to running VMs could fail with the error “Invalid credentials”. (PP-521)

• Needed to replace old packages with their updated versions. (PP-536)

5.7.3 3. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0.3-6.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-095.json.

5.8 Product update: Virtuozzo PowerPanel RTM Hotfix 4 (7.0.1-422)

Issue date: 2017-11-17

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2017-104

5.8.1 1. Overview

The new packages for Virtuozzo PowerPanel introduce a new feature as well as usability fixes.

5.8.2 2. New Features

• A simpler command for assigning virtual environments to users from the command line. (PP-510)


5.8.3 3. Bug Fixes

• Unable to select key combinations from the “Send Key Combination” list when using Mozilla Firefox. (PP-336)

• Update could fail due to a package repository conflict. (PP-506)

• Virtual environment backups were not shown in the administrator mode. (PP-509)

5.8.4 4. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0-4.vl7.noarch.rpm’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-104.json.

5.9 Important product update: Virtuozzo PowerPanel RTM Hotfix 3 (7.0.1-415)

Issue date: 2017-09-20

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2017-081

5.9.1 1. Overview

The new packages for Virtuozzo PowerPanel introduce new features as well as security and usability fixes.

5.9.2 2. Security Fixes

• [Important] Disabled SSLv3 access to the management panel to protect against the POODLE SSLv3 vulnerability. (CVE-2014-3566, PP-427)


5.9.3 3. New Features

• Added the ability to redeploy the controller in place with different certificates and a different hostname. (PP-412, PP-414)

• Deployment script can now process intermediate certificates specified with one or more ‘--ssl-intermediate-cert’ parameters. (PP-429)

5.9.4 4. Bug Fixes

• Clarified backup management in documentation. (PP-352)

• Containers could become unmanageable after hot migration. (PP-362)

• The ‘Change password’ dialog with new login details disappeared on mouse click in Firefox. (PP-369)

• Running VMs could be shown as invalid in PowerPanel after vzapi attempted to process a VM with too many IP addresses assigned. (PP-409)

• Deployment script could not handle passwords containing the at sign. (PP-428)

• Described more local user management commands in documentation. (PP-448)

5.9.5 5. Installing the Update

Install the update by running ‘yum update vzapi-installer && vzapi-installer upgrade http://repo.virtuozzo.com/pp/releases/2.0/x86_64/os/Packages/p/pp-release-2.0-4.vl7.noarch.rpm’.

5.9.6 6. References

• https://access.redhat.com/security/cve/CVE-2014-3566

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-081.json.


5.10 Product update: Virtuozzo PowerPanel RTM Hotfix 2 (7.0.1-354)

Issue date: 2017-05-04

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2017-035

5.10.1 1. Overview

The new packages for Virtuozzo PowerPanel introduce usability bug fixes.

5.10.2 2. Bug Fixes

• Installation of computes failed to complete if ‘nodes.lst’ had empty lines. (PP-403)

• Unable to join computes due to incorrect repository priorities. (PP-401)

• Improved conditions for invocation of OpenStack commands in the installer. (PP-378)

• PowerPanel worked too slowly or prevented login if too many active connections existed. (PP-371)

• No check for installed controller in vzapi-install computes. (PP-365)

• vzapi-installer could fail to handle SSL certificates. (PP-357)

• Failed to start rabbitmq-server.service inside CentOS 7 container. (PP-104)

• Other issues. (PP-394, PP-375)

5.10.3 3. Installing the Update

Install the update by running ‘yum update’. If the ‘ansible’ package is updated to a version with the ‘el7’ suffix (e.g., ‘ansible-2.3.0.0-3.el7.noarch’), run ‘yum downgrade ansible’.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-035.json.


5.11 Important product security update: Virtuozzo PowerPanel RTM Hotfix 1 (7.0.1-346)

Issue date: 2017-03-24

Applies to: Virtuozzo PowerPanel

Virtuozzo Advisory ID: VZA-2017-022

5.11.1 1. Overview

The new packages for Virtuozzo PowerPanel introduce a security fix and usability bug fixes.

5.11.2 2. Security Fixes

• [Important] Incorrect checking of locked VM accounts in Virtuozzo SDK allowed one to use any password to log in to Virtuozzo PowerPanel in the legacy mode for a VM with such a locked account. Other login methods, e.g., via SSH, were not affected. (PP-312)

5.11.3 3. Bug Fixes

• The ‘Change Password’ button did not work in the legacy mode. (PP-370, PP-311)

• Virtuozzo PowerPanel’s config file for Apache HTTP Server was not updated by the installer. (PP-366)

• The legacy mode login screen URL changed to ‘/login/ve’. After visiting the old URL, you will be redirected to the new one. (PP-341)

• A number of improvements for VNC console. (PP-335, PP-283, PP-191, PP-186, PP-156)

• Controller could be installed even if date and time had not been synchronized across nodes. (PP-309)

• The process of logging in to Virtuozzo PowerPanel was not indicated in any way. (PP-306)

• Emails and domain names could not be used as logins. (PP-299)

• Installation prerequisites were checked after prompt for the Keystone admin password. (PP-287)

• The ‘Send Key Combination’ button did not show the list of key combinations. (PP-187)


5.11.4 4. Installing the Update

To install this update:

1. Run ‘yum update’ on the controller node.

2. Update Apache configuration:

• If you did not change ‘/etc/httpd/conf.d/pp-ui.conf’, delete it, then rename ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ to ‘/etc/httpd/conf.d/pp-ui.conf’.

• Or if you changed ‘/etc/httpd/conf.d/pp-ui.conf’, merge ‘/etc/httpd/conf.d/pp-ui.conf.rpmnew’ into ‘/etc/httpd/conf.d/pp-ui.conf’ to update it while keeping your changes.

3. Restart Apache on the controller node with ‘systemctl restart httpd’.

4. Propagate updates to compute nodes by running ‘vzapi-installer computes’ from the controller node.

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-022.json.
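Steps 2 and 3 of the procedure above as a shell sketch, added here as an example and not part of Virtuozzo's tooling. The function names, the ‘.bak’ backup suffix and the ‘apachectl configtest’ check before the restart are assumptions of this example; the file paths and ‘systemctl restart httpd’ come from the advisory.

```shell
#!/bin/sh
# Added example (not Virtuozzo's code): reconcile pp-ui.conf with the
# pp-ui.conf.rpmnew file left behind by 'yum update' (step 2).
# Usage: reconcile_pp_ui_conf <conf> <unchanged|changed>
# Returns 0 = conf is current, 2 = manual merge still required, 1 = error.
reconcile_pp_ui_conf() {
    conf=$1
    state=$2
    new="$conf.rpmnew"

    # No .rpmnew file: the package left nothing to reconcile.
    [ -f "$new" ] || { echo "no $new, nothing to do"; return 0; }
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    # Same content in both files: just drop the leftover.
    if cmp -s "$conf" "$new"; then
        rm -f "$new"
        return 0
    fi

    case $state in
    unchanged)
        # Keep the old file under a name that does not end in .conf,
        # so a conf.d/*.conf include does not load it a second time.
        cp -p "$conf" "$conf.bak" || return 1
        mv -f "$new" "$conf" || return 1
        return 0 ;;
    changed)
        # Local edits exist: show what the package changed and stop.
        diff -u "$conf" "$new" || true   # diff exits 1 when files differ
        return 2 ;;
    *)
        echo "state must be 'unchanged' or 'changed'" >&2
        return 1 ;;
    esac
}

# Steps 2-3 on the controller node. The restart runs only if the
# resulting configuration parses (the configtest is an added check).
apply_pp_ui_conf() {
    reconcile_pp_ui_conf /etc/httpd/conf.d/pp-ui.conf "$1" || return $?
    apachectl configtest && systemctl restart httpd
}
```

A return code of 2 means the old configuration is still active: merge the shown differences by hand, then run the configtest and restart.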
