[Debian] [Announce] [Security] vzctl 4.9.4
Ola Lundqvist
ola at inguza.com
Wed Sep 9 13:21:36 PDT 2015
Hi Igor, Sergey and Kir
I have now uploaded corrected packages to download.openvz.org/debian. This
time I decided to upload both to testing and stable repositories (both for
wheezy and jessie) at once as this is a security fix. Normally I wait about
10 days.
I have also uploaded to Debian unstable. However, the security backport is
pending acceptance from the security team.
I'll let you know when I have got the security backport in Debian stable
(jessie) too.
Best regards,
// Ola
On Wed, Sep 9, 2015 at 9:09 PM, Ola Lundqvist <ola at inguza.com> wrote:
> Privet Igor
>
> This will be the upgrade logic. Let me know if you find any flaw in it.
>
> TMPCFG=$(mktemp)
> # Anchor the pattern: a commented-out "#VE_PRIVATE=..." line must not count as set.
> if ! grep '^VE_PRIVATE=' /etc/vz/vz.conf > "$TMPCFG" ; then
>     echo "#Missing VE_PRIVATE assuming default" > "$TMPCFG"
>     echo 'VE_PRIVATE=/vz/private/$VEID' >> "$TMPCFG"
> fi
> #cat $TMPCFG
> for CF in /etc/vz/conf/*.conf ; do
>     if ! grep -q '^VE_LAYOUT=' "$CF" ; then
>         VEID=$(basename "$CF" | sed 's/\.conf$//;')
>         # Source VE_PRIVATE after VEID is set (the value contains $VEID) and
>         # before the layout test; sourcing after the test left VE_PRIVATE empty
>         # for the first CT and stale (previous CT's path) for every later one.
>         . "$TMPCFG"
>         X=simfs
>         if [ -e "${VE_PRIVATE}/root.hdd/DiskDescriptor.xml" ] ; then
>             X=ploop
>         fi
>         echo "Securing CT configuration $CF by adding VE_LAYOUT=$X"
>         echo "" >> "$CF"
>         echo "# Upgrade `date`: Securing CT config by adding VE_LAYOUT=$X" >> "$CF"
>         echo "VE_LAYOUT=$X" >> "$CF"
>     fi
> done
> rm -f "$TMPCFG"
> Best regards,
>
> // Ola
>
> On Fri, Sep 4, 2015 at 9:36 AM, Igor Bazhitov <ibazhitov at odin.com> wrote:
>
>> Hi, Ola.
>>
>> > It does not matter really. Both ways will do.
>>
>> All 4 patches for vzctl-4.8 are attached.
>>
>> > However I have a question. As I understand the config is changed at
>> > creation or start.
>>
>> Yes.
>>
>> > Should it be changed at upgrade time too to make sure
>> > the next start is safe? Or is it changed before it is a security hazard?
>>
>> Well, it definitely would be better to add correct VE_LAYOUT values to
>> all CT configs during vzctl upgrade, since there could be a large time
>> gap between vzctl upgrade and existing CTs (re)start. But in this case
>> you'll need to implement the CT layout detection logic inside the
>> upgrade script. The logic is simple: if there is a
>> "root.hdd/DiskDescriptor.xml" file inside the CT's private directory
>> (e.g. /vz/private/100) then we have "ploop" layout, otherwise - "simfs"
>> layout.
>>
>> WBR, Igor Bazhitov.
>>
>> 03.09.2015 21:31, Ola Lundqvist writes:
>> > Hi Igor
>> >
>> > It does not matter really. Both ways will do.
>> >
>> > However I have a question. As I understand the config is changed at
>> > creation or start. Should it be changed at upgrade time too to make sure
>> > the next start is safe? Or is it changed before it is a security hazard?
>> >
>> > /Ola
>> >
>> > Sent from a phone
>> >
>> > On 3 Sep 2015 12:37, "Igor Bazhitov" <ibazhitov at odin.com> wrote:
>> >
>> > Hi, Ola.
>> >
>> > There are 4 patches in the original fix - 2 of them making various
>> > preparations and the other 2 do the actual fix. Do you need them ported
>> > to vzctl-4.8 as is, or as one big cumulative patch?
>> >
>> > WBR, Igor Bazhitov.
>> >
>> > 01.09.2015 00:22, Ola Lundqvist writes:
>> > > Privet Kir and Igor
>> > >
>> > > Sources and patches here:
>> > > ftp://ftp.debian.org/debian/pool/main/v/vzctl/
>> > >
>> > > Source is named .orig.tar.gz
>> > > and the patches are either in .diff.gz or packaged in .debian.tar.gz
>> > >
>> > > I think we should at least backport 4.8 (current stable) and then maybe
>> > > oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.
>> > >
>> > > Thanks in advance
>> > >
>> > > // Ola
>> > >
>> > > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
>> > >
>> > >
>> > >
>> > > On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>> > >> I was. :-) Thanks!
>> > >>
>> > >> Will look into this shortly. Will also look into backporting the fix.
>> > >
>> > > Ola,
>> > >
>> > > I think Igor (in Cc) will be able to provide the fix backported,
>> > > just let us know which version do you have in Debian (and a link
>> > > to sources, as I guess you have some patches in there, too).
>> > >
>> > > Kir.
>> > >
>> > >
>> > >>
>> > >> // Ola
>> > >>
>> > >> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
>> > >>
>> > >>
>> > >>
>> > >> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>> > >>
>> > >> Hi
>> > >>
>> > >> On 23:19 Tue 25 Aug, Ola Lundqvist wrote:
>> > >>
>> > >> Hi again
>> > >>
>> > >> Also I can not find where to download the software (neither binaries nor
>> > >> sources). Is it only available in git?
>> > >>
>> > >> It is not so difficult to find sources.
>> > >> We have one git repo for openvz sources - src.openvz.org.
>> > >> vzctl sources are here
>> > >> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>> > >>
>> > >>
>> > >> Ola is probably asking about the source tarball. It's here:
>> > >> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> Cheers
>> > >>
>> > >> // Ola
>> > >>
>> > >> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
>> > >>
>> > >> Hi Sergey
>> > >>
>> > >> How serious should we consider this problem? Should I ask the Debian
>> > >> security team (Debian do not accept new revisions, just backports for
>> > >> security fixes to their stable releases) to backport this correction to
>> > >> the current vzctl stable package?
>> > >>
>> > >> In the meantime I'll build this 4.9.4 for debian unstable and also upload
>> > >> to the openvz download directory. First testing and then after a few days
>> > >> to the wheezy and jessie stable targets.
>> > >>
>> > >> Regards,
>> > >>
>> > >> // Ola
>> > >>
>> > >>
>> > >>
>> > >> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org> wrote:
>> > >>
>> > >> OpenVZ project has released a new vzctl update for legacy OpenVZ.
>> > >> Read below for more information. Everybody is advised to upgrade.
>> > >>
>> > >> Changes
>> > >> =======
>> > >> * store VE layout to VE config on start
>> > >> * store VE layout in VE config during create and convert
>> > >>
>> > >> See full changelog here:
>> > >> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>> > >>
>> > >> Download
>> > >> ========
>> > >> http://wiki.openvz.org/Download/vzctl/4.9.4
>> > >>
>> > >>
>> > >> Thanks
>> > >> ======
>> > >> OpenVZ project would like to thank the RACK911LABS for discovering this
>> > >> bug and providing the attack scenario.
>> > >>
>> > >>
>> > >> Bug reporting
>> > >> =============
>> > >> Please report all bugs found to
>> > >> https://bugs.openvz.org/
>> > >>
>> > >>
>> > >> Other sources of info on updates
>> > >> ================================
>> > >> See http://planet.openvz.org/ to view all the news (including updates)
>> > >> online.
>> > >> There you can also find RSS/Atom feed links.
>> > >>
>> > >>
>> > >> Regards,
>> > >> OpenVZ team
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> --- Inguza Technology AB --- MSc in Information Technology ----
>> > >> / ola at inguza.com Annebergsslingan 37 \
>> > >> | opal at debian.org 654 65 KARLSTAD |
>> > >> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
>> > >> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
>> > >> ---------------------------------------------------------------
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>
>
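A post-upgrade check for the procedure discussed in this thread, added here as an example; it is not code from vzctl, from the Debian package, or from any of the posters. It applies Igor's detection rule (ploop if root.hdd/DiskDescriptor.xml exists under the CT's private directory, otherwise simfs) to every CT and compares the result with the VE_LAYOUT the CT config actually carries, so that configs the upgrade script missed, or configs whose stored layout disagrees with the disk, are reported before the next (re)start. Assumptions that are not in the thread: the config directory and the default private root are passed as parameters rather than read from /etc/vz/vz.conf, only numeric <VEID>.conf files count as CT configs, a per-CT VE_PRIVATE= line overrides the default <PRIVROOT>/<VEID>, and the function names and output format are my own.

```sh
#!/bin/sh
# Added example (not vzctl or Debian packaging code): audit legacy OpenVZ CT
# configs after the vzctl 4.9.4 / upgrade-script fix. Every CT config should
# carry an explicit VE_LAYOUT that matches what is actually on disk.
#
# Assumptions (not from the thread): CONFDIR holds <VEID>.conf files, PRIVROOT
# is the default private root (the vz.conf default is /vz/private/$VEID), and
# a per-CT VE_PRIVATE= line in the CT config overrides that default.

# detect_layout PRIVDIR -> prints "ploop" or "simfs" (Igor's rule).
detect_layout() {
    if [ -e "$1/root.hdd/DiskDescriptor.xml" ]; then
        echo ploop
    else
        echo simfs
    fi
}

# config_value FILE NAME -> value of the last uncommented NAME= line, quotes
# stripped, or "" if there is none. Anchored at line start so a commented-out
# "# VE_LAYOUT=..." does not count; the last assignment wins, as it would when
# the file is sourced.
config_value() {
    grep "^$2=" "$1" | tail -n 1 | sed "s/^$2=//; s/[[:space:]\"]//g" | tr -d "'"
}

# ct_private CONFIG VEID PRIVROOT -> the CT's private directory. A literal
# $VEID token is expanded the way vzctl does it, but with sed instead of eval;
# VEID is numeric (checked by the caller), so it is safe in the replacement.
ct_private() {
    p=$(config_value "$1" VE_PRIVATE)
    [ -n "$p" ] || p="$3/\$VEID"
    printf '%s\n' "$p" | sed "s/\\\$VEID/$2/g"
}

# audit_ct_configs CONFDIR PRIVROOT
# Prints "<VEID> ok|missing|mismatch <config-layout> <disk-layout>" per CT
# and returns 0 only if every CT is "ok".
audit_ct_configs() {
    rc=0
    for cf in "$1"/*.conf; do
        [ -e "$cf" ] || continue
        veid=$(basename "$cf" .conf)
        case $veid in *[!0-9]*) continue ;; esac   # not a CT config
        priv=$(ct_private "$cf" "$veid" "$2")
        disk=$(detect_layout "$priv")
        cfg=$(config_value "$cf" VE_LAYOUT)
        if [ -z "$cfg" ]; then
            echo "$veid missing - $disk"; rc=1
        elif [ "$cfg" != "$disk" ]; then
            echo "$veid mismatch $cfg $disk"; rc=1
        else
            echo "$veid ok $cfg $disk"
        fi
    done
    return $rc
}

# On a real host (paths assumed, see above):
#   audit_ct_configs /etc/vz/conf /vz/private
```

A non-zero exit means at least one CT config still has no explicit VE_LAYOUT, or carries one that disagrees with its private area; either case is worth inspecting by hand before that container is started again, since the fix relies on the stored value.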