[Debian] [Announce] [Security] vzctl 4.9.4

Ola Lundqvist ola at inguza.com
Wed Sep 9 13:21:36 PDT 2015


Hi Igor, Sergey and Kir

I have now uploaded corrected packages to download.openvz.org/debian. This
time I decided to upload both to testing and stable repositories (both for
wheezy and jessie) at once as this is a security fix. Normally I wait about
10 days.

I have also uploaded to debian unstable. However the security backport is
pending acceptance from the security team.

I'll let you know when I have got the security backport in Debian stable
(jessie) too.

Best regards,

// Ola

On Wed, Sep 9, 2015 at 9:09 PM, Ola Lundqvist <ola at inguza.com> wrote:

> Privet Igor
>
> This will be the upgrade logic. Let me know if you find any flaw in it.
>
> TMPCFG=$(mktemp)
> if ! grep VE_PRIVATE /etc/vz/vz.conf > $TMPCFG ; then
>   echo "#Missing VE_PRIVATE assuming default" > $TMPCFG
>   echo 'VE_PRIVATE=/vz/private/$VEID' >> $TMPCFG
> fi
> #cat $TMPCFG
> for CF in /etc/vz/conf/*.conf ; do
>    if ! grep VE_LAYOUT "$CF" > /dev/null ; then
> VEID=$(basename "$CF" | sed 's/\.conf$//;')
> X=simfs
> if [ -e "${VE_PRIVATE}/root.hdd/DiskDescriptor.xml" ] ; then
>    X=ploop
> fi
> . $TMPCFG
> echo "Securing CT configuration $CF by adding VE_LAYOUT=$X"
> echo "" >> $CF
> echo "# Upgrade `date`: Securing CT config by adding VE_LAYOUT=$X" >> $CF
> echo "VE_LAYOUT=$X" >> $CF
>    fi
> done
> rm -f $TMPCFG
> Best regards,
>
> // Ola
>
> On Fri, Sep 4, 2015 at 9:36 AM, Igor Bazhitov <ibazhitov at odin.com> wrote:
>
>> Hi, Ola.
>>
>> > It does not matter really. Both ways will do.
>>
>> All 4 patches for vzctl-4.8 are attached.
>>
>> > However I have a question. As I understand the config is changed at
>> > creation or start.
>>
>> Yes.
>>
>> > Should it be changed at upgrade time too to make sure
>> > the next start is safe? Or is it changed before it is a security hazard?
>>
>> Well, it definitely would be better to add correct VE_LAYOUT values to
>> all CT configs during vzctl upgrade, since there could be a large time
>> gap between vzctl upgrade and existing CTs (re)start. But in this case
>> you'll need to implement the CT layout detection logic inside the
>> upgrade script. The logic is simple: if there is a
>> "root.hdd/DiskDescriptor.xml" file inside the CT's private directory
>> (e.g. /vz/private/100) then we have "ploop" layout, otherwise - "simfs"
>> layout.
>>
>> WBR, Igor Bazhitov.
>>
>> 03.09.2015 21:31, Ola Lundqvist writes:
>> > Hi Igor
>> >
>> > It does not matter really. Both ways will do.
>> >
>> > However I have a question. As I understand the config is changed at
>> > creation or start. Should it be changed at upgrade time too to make sure
>> > the next start is safe? Or is it changed before it is a security hazard?
>> >
>> > /Ola
>> >
>> > Sent from a phone
>> >
>> > Den 3 sep 2015 12:37 skrev "Igor Bazhitov" <ibazhitov at odin.com
>> > <mailto:ibazhitov at odin.com>>:
>> >
>> >     Hi, Ola.
>> >
>> >     There are 4 patches in the original fix - 2 of them making various
>> >     preparations and the other 2 do the actual fix. Do you need them
>> ported
>> >     to vzctl-4.8 as is, or as one big cumulative patch?
>> >
>> >     WBR, Igor Bazhitov.
>> >
>> >     01.09.2015 00:22, Ola Lundqvist writes:
>> >     > Privet Kir and Igor
>> >     >
>> >     > Sources and patches here:
>> >     > ftp://ftp.debian.org/debian/pool/main/v/vzctl/
>> >     >
>> >     > Source is named .orig.tar.gz
>> >     > and the patches are either in .diff.gz or packaged in
>> .debian.tar.gz
>> >     >
>> >     > I think we should at least backport 4.8 (current stable) and then
>> >     maybe
>> >     > oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip
>> >     that.
>> >     >
>> >     > Thanks in advance
>> >     >
>> >     > // Ola
>> >     >
>> >     > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com
>> >     <mailto:kir at odin.com>
>> >     > <mailto:kir at odin.com <mailto:kir at odin.com>>> wrote:
>> >     >
>> >     >
>> >     >
>> >     >     On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
>> >     >>     I was. :-) Thanks!
>> >     >>
>> >     >>     Will look into this shortly. Will also look into backporting
>> >     the fix.
>> >     >
>> >     >     Ola,
>> >     >
>> >     >     I think Igor (in Cc) will be able to provide the fix
>> backported,
>> >     >     just let us know which version do you have in Debian (and a
>> link
>> >     >     to sources, as I guess you have some patches in there, too).
>> >     >
>> >     >     Kir.
>> >     >
>> >     >
>> >     >>
>> >     >>     // Ola
>> >     >>
>> >     >>     On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin
>> >     <kir at openvz.org <mailto:kir at openvz.org>
>> >     >>     <mailto:kir at openvz.org <mailto:kir at openvz.org>>> wrote:
>> >     >>
>> >     >>
>> >     >>
>> >     >>         On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
>> >     >>
>> >     >>             Hi
>> >     >>
>> >     >>             On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
>> >     >>
>> >     >>                 Hi again
>> >     >>
>> >     >>                 Also I can not find where to download the
>> software
>> >     >>                 (neither binaries nor
>> >     >>                 sources). Is it only available in git?
>> >     >>
>> >     >>             It is not so difficult to find sources.
>> >     >>             We have one git repo for openvz sources -
>> >     >>             src.openvz.org <http://src.openvz.org>
>> >     <http://src.openvz.org>.
>> >     >>             vzctl sources are here
>> >     >>
>> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
>> >     >>
>> >     >>
>> >     >>         Ola is probably asking about the source tarball. It's
>> here:
>> >     >>
>> >
>> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
>> >     >>
>> >     >>
>> >     >>
>> >     >>
>> >     >>
>> >     >>                 Cheers
>> >     >>
>> >     >>                 // Ola
>> >     >>
>> >     >>                 On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist
>> >     >>                 <<mailto:ola at inguza.com
>> >     <mailto:ola at inguza.com>>ola at inguza.com <mailto:ola at inguza.com>
>> >     >>                 <mailto:ola at inguza.com <mailto:ola at inguza.com>>>
>> >     wrote:
>> >     >>
>> >     >>                     Hi Sergey
>> >     >>
>> >     >>                     How serious should we consider this problem?
>> >     >>                     Should I ask the Debian
>> >     >>                     security team (Debian do not accept new
>> >     revisions,
>> >     >>                     just backports for
>> >     >>                     security fixes to their stable releases) to
>> >     >>                     backport this correction to the
>> >     >>                     current vzctl stable package?
>> >     >>
>> >     >>                     In the meantime I'll build this 4.9.4 for
>> debian
>> >     >>                     unstable and also upload
>> >     >>                     to the openvz download directory. First
>> testing
>> >     >>                     and then after a few days
>> >     >>                     to the wheezy and jessie stable targets.
>> >     >>
>> >     >>                     Regards,
>> >     >>
>> >     >>                     // Ola
>> >     >>
>> >     >>
>> >     >>
>> >     >>                     On Tue, Aug 25, 2015 at 2:32 PM, Sergey
>> Bronnikov
>> >     >>                     <sergeyb at openvz.org
>> >     <mailto:sergeyb at openvz.org> <mailto:sergeyb at openvz.org
>> >     <mailto:sergeyb at openvz.org>>>
>> >     >>                     wrote:
>> >     >>
>> >     >>                         OpenVZ project has released a new vzctl
>> >     update
>> >     >>                         for legacy OpenVZ.
>> >     >>                         Read below for more information.
>> Everybody is
>> >     >>                         advised to upgrade.
>> >     >>
>> >     >>                         Changes
>> >     >>                         =======
>> >     >>                         * store VE layout to VE config on start
>> >     >>                         * store VE layout in VE config during
>> create
>> >     >>                         and convert
>> >     >>
>> >     >>                         See full changelog here:
>> >     >>
>> >      https://src.openvz.org/projects/OVZL/repos/vzctl/commits
>> >     >>
>> >     >>                         Download
>> >     >>                         ========
>> >     >>
>> http://wiki.openvz.org/Download/vzctl/4.9.4
>> >     >>
>> >     >>
>> >     >>                         Thanks
>> >     >>                         ======
>> >     >>                         OpenVZ project would like to thank the
>> >     >>                         RACK911LABS for discovering this
>> >     >>                         bug and
>> >     >>                         providing the attack scenario.
>> >     >>
>> >     >>
>> >     >>                         Bug reporting
>> >     >>                         =============
>> >     >>                         Please report all bugs found to
>> >     >>
>> >      <https://bugs.openvz.org/>https://bugs.openvz.org/
>> >     >>
>> >     >>
>> >     >>                         Other sources of info on updates
>> >     >>                         ================================
>> >     >>                         See http://planet.openvz.org/ to view
>> all the
>> >     >>                         news (including updates)
>> >     >>                         online.
>> >     >>                         There you can also find RSS/Atom feed
>> links.
>> >     >>
>> >     >>
>> >     >>                         Regards,
>> >     >>                              OpenVZ team
>> >     >>
>> >      _______________________________________________
>> >     >>                         Announce mailing list
>> >     >>                         Announce at openvz.org
>> >     <mailto:Announce at openvz.org> <mailto:Announce at openvz.org
>> >     <mailto:Announce at openvz.org>>
>> >     >>
>> >      https://lists.openvz.org/mailman/listinfo/announce
>> >     >>
>> >     >>
>> >     >>
>> >     >>                     --
>> >     >>                       --- Inguza Technology AB --- MSc in
>> Information
>> >     >>                     Technology ----
>> >     >>                     /  ola at inguza.com <mailto:ola at inguza.com>
>> >     <mailto:ola at inguza.com <mailto:ola at inguza.com>>
>> >     >>                               Annebergsslingan 37        \
>> >     >>                     |  opal at debian.org <mailto:opal at debian.org>
>> >     <mailto:opal at debian.org <mailto:opal at debian.org>>
>> >     >>                                654 65 KARLSTAD            |
>> >     >>                     |  http://inguza.com/
>> Mobile: +46
>> >     >>                     (0)70-332 1551
>> >     <tel:%2B46%20%280%2970-332%201551> |
>> >     >>                     \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4
>> 18A1
>> >     >>                     B1CF 0FE5 3DD9  /
>> >     >>
>> >     >>
>> >      ---------------------------------------------------------------
>> >     >>
>> >     >>
>> >     >>
>> >     >>                 --
>> >     >>                   --- Inguza Technology AB --- MSc in Information
>> >     >>                 Technology ----
>> >     >>                 /  ola at inguza.com <mailto:ola at inguza.com>
>> >     <mailto:ola at inguza.com <mailto:ola at inguza.com>>
>> >     >>                       Annebergsslingan 37        \
>> >     >>                 |  opal at debian.org <mailto:opal at debian.org>
>> >     <mailto:opal at debian.org <mailto:opal at debian.org>>
>> >     >>                        654 65 KARLSTAD            |
>> >     >>                 |  http://inguza.com/                Mobile: +46
>> >     >>                 (0)70-332 1551
>> <tel:%2B46%20%280%2970-332%201551> |
>> >     >>                 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1
>> B1CF
>> >     >>                 0FE5 3DD9  /
>> >     >>
>> >     >>
>> >      ---------------------------------------------------------------
>> >     >>
>> >     >>
>> >     >>
>> >     >>
>> >     >>
>> >     >>     --
>> >     >>      --- Inguza Technology AB --- MSc in Information Technology
>> ----
>> >     >>     /  <mailto:ola at inguza.com
>> >     <mailto:ola at inguza.com>>ola at inguza.com <mailto:ola at inguza.com>
>> >     <mailto:ola at inguza.com <mailto:ola at inguza.com>>
>> >     >>                      Annebergsslingan 37        \
>> >     >>     |  <mailto:opal at debian.org
>> >     <mailto:opal at debian.org>>opal at debian.org <mailto:opal at debian.org>
>> >     >>     <mailto:opal at debian.org <mailto:opal at debian.org>>
>> >            654 65 KARLSTAD
>> >     >>        |
>> >     >>     |  <http://inguza.com/>http://inguza.com/
>> Mobile:
>> >     >>     +46 (0)70-332 1551 <tel:%2B46%20%280%2970-332%201551>
>> >     <tel:%2B46%20%280%2970-332%201551> |
>> >     >>     \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5
>> 3DD9  /
>> >     >>
>> ---------------------------------------------------------------
>> >     >>
>> >     >
>> >     >
>> >     >
>> >     >
>> >     > --
>> >     >  --- Inguza Technology AB --- MSc in Information Technology ----
>> >     > /  ola at inguza.com <mailto:ola at inguza.com> <mailto:ola at inguza.com
>> >     <mailto:ola at inguza.com>>
>> >     >  Annebergsslingan 37        \
>> >     > |  opal at debian.org <mailto:opal at debian.org>
>> >     <mailto:opal at debian.org <mailto:opal at debian.org>>
>> >      654 65
>> >     > KARLSTAD            |
>> >     > |  http://inguza.com/                Mobile: +46 (0)70-332 1551
>> >     <tel:%2B46%20%280%2970-332%201551> |
>> >     > \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>> >     >  ---------------------------------------------------------------
>> >     >
>> >
>>
>>
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola at inguza.com                    Annebergsslingan 37        \
> |  opal at debian.org                   654 65 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Annebergsslingan 37        \
|  opal at debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/debian/attachments/20150909/d087cc77/attachment-0001.html>


More information about the Debian mailing list