[Debian] [Announce] [Security] vzctl 4.9.4
Igor Bazhitov
ibazhitov at odin.com
Mon Sep 21 01:39:11 PDT 2015
Hi, Ola.
The script looks correct.
WBR, Igor Bazhitov.
09.09.2015 22:09, Ola Lundqvist writes:
> Hi Igor
>
> This will be the upgrade logic. Let me know if you find any flaw in it.
>
> TMPCFG=$(mktemp)
> if ! grep '^VE_PRIVATE=' /etc/vz/vz.conf > "$TMPCFG" ; then
>     echo "#Missing VE_PRIVATE assuming default" > "$TMPCFG"
>     echo 'VE_PRIVATE=/vz/private/$VEID' >> "$TMPCFG"
> fi
> #cat $TMPCFG
> for CF in /etc/vz/conf/*.conf ; do
>     if ! grep VE_LAYOUT "$CF" > /dev/null ; then
>         VEID=$(basename "$CF" | sed 's/\.conf$//;')
>         # source VE_PRIVATE after VEID is set and before it is used
>         . "$TMPCFG"
>         X=simfs
>         if [ -e "${VE_PRIVATE}/root.hdd/DiskDescriptor.xml" ] ; then
>             X=ploop
>         fi
>         echo "Securing CT configuration $CF by adding VE_LAYOUT=$X"
>         echo "" >> "$CF"
>         echo "# Upgrade `date`: Securing CT config by adding VE_LAYOUT=$X" >> "$CF"
>         echo "VE_LAYOUT=$X" >> "$CF"
>     fi
> done
> rm -f "$TMPCFG"
> Best regards,
>
> // Ola
>
> On Fri, Sep 4, 2015 at 9:36 AM, Igor Bazhitov <ibazhitov at odin.com> wrote:
>
> Hi, Ola.
>
> > It does not matter really. Both ways will do.
>
> All 4 patches for vzctl-4.8 are attached.
>
> > However I have a question. As I understand the config is changed at
> > creation or start.
>
> Yes.
>
> > Should it be changed at upgrade time too to make sure
> > the next start is safe? Or is it changed before it is a security hazard?
>
> Well, it definitely would be better to add correct VE_LAYOUT values to
> all CT configs during vzctl upgrade, since there could be a large time
> gap between vzctl upgrade and existing CTs (re)start. But in this case
> you'll need to implement the CT layout detection logic inside the
> upgrade script. The logic is simple: if there is a
> "root.hdd/DiskDescriptor.xml" file inside the CT's private directory
> (e.g. /vz/private/100) then we have "ploop" layout, otherwise - "simfs"
> layout.
>
> WBR, Igor Bazhitov.
>
> 03.09.2015 21:31, Ola Lundqvist writes:
> > Hi Igor
> >
> > It does not matter really. Both ways will do.
> >
> > However I have a question. As I understand the config is changed at
> > creation or start. Should it be changed at upgrade time too to make sure
> > the next start is safe? Or is it changed before it is a security hazard?
> >
> > /Ola
> >
> > Sent from a phone
> >
> > On 3 Sep 2015 12:37, "Igor Bazhitov" <ibazhitov at odin.com> wrote:
> >
> > Hi, Ola.
> >
> > There are 4 patches in the original fix - 2 of them making various
> > preparations and the other 2 do the actual fix. Do you need them ported
> > to vzctl-4.8 as is, or as one big cumulative patch?
> >
> > WBR, Igor Bazhitov.
> >
> > 01.09.2015 00:22, Ola Lundqvist writes:
> > > Hi Kir and Igor
> > >
> > > Sources and patches here:
> > > ftp://ftp.debian.org/debian/pool/main/v/vzctl/
> > >
> > > Source is named .orig.tar.gz
> > > and the patches are either in .diff.gz or packaged in .debian.tar.gz
> > >
> > > I think we should at least backport 4.8 (current stable) and then maybe
> > > oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.
> > >
> > > Thanks in advance
> > >
> > > // Ola
> > >
> > > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
> > >
> > >
> > >
> > > On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
> > >> I was. :-) Thanks!
> > >>
> > >> Will look into this shortly. Will also look into backporting the fix.
> > >
> > > Ola,
> > >
> > > I think Igor (in Cc) will be able to provide the fix backported,
> > > just let us know which version you have in Debian (and a link
> > > to sources, as I guess you have some patches in there, too).
> > >
> > > Kir.
> > >
> > >
> > >>
> > >> // Ola
> > >>
> > >> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
> > >>
> > >>
> > >>
> > >> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
> > >>
> > >> Hi
> > >>
> > >> On 23:19 Tue 25 Aug, Ola Lundqvist wrote:
> > >>
> > >> Hi again
> > >>
> > >> Also I can not find where to download the software (neither binaries nor
> > >> sources). Is it only available in git?
> > >>
> > >> It is not so difficult to find sources.
> > >> We have one git repo for openvz sources - src.openvz.org.
> > >> vzctl sources are here
> > >> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
> > >>
> > >>
> > >> Ola is probably asking about the source tarball. It's here:
> > >>
> > >> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> Cheers
> > >>
> > >> // Ola
> > >>
> > >> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
> > >>
> > >> Hi Sergey
> > >>
> > >> How serious should we consider this problem? Should I ask the Debian
> > >> security team (Debian do not accept new revisions, just backports for
> > >> security fixes to their stable releases) to backport this correction to the
> > >> current vzctl stable package?
> > >>
> > >> In the meantime I'll build this 4.9.4 for Debian unstable and also upload
> > >> to the openvz download directory. First testing and then after a few days
> > >> to the wheezy and jessie stable targets.
> > >>
> > >> Regards,
> > >>
> > >> // Ola
> > >>
> > >>
> > >>
> > >> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org> wrote:
> > >>
> > >> OpenVZ project has released a new vzctl update for legacy OpenVZ.
> > >> Read below for more information. Everybody is advised to upgrade.
> > >>
> > >> Changes
> > >> =======
> > >> * store VE layout to VE config on start
> > >> * store VE layout in VE config during create and convert
> > >>
> > >> See full changelog here:
> > >>
> > >> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
> > >>
> > >> Download
> > >> ========
> > >>
> > >> http://wiki.openvz.org/Download/vzctl/4.9.4
> > >>
> > >>
> > >> Thanks
> > >> ======
> > >> OpenVZ project would like to thank the RACK911LABS for discovering this
> > >> bug and providing the attack scenario.
> > >>
> > >>
> > >> Bug reporting
> > >> =============
> > >> Please report all bugs found to
> > >> https://bugs.openvz.org/
> > >>
> > >>
> > >> Other sources of info on updates
> > >> ================================
> > >> See http://planet.openvz.org/ to view all the news (including updates)
> > >> online. There you can also find RSS/Atom feed links.
> > >>
> > >>
> > >> Regards,
> > >> OpenVZ team
> > >>
> > >> _______________________________________________
> > >> Announce mailing list
> > >> Announce at openvz.org
> > >> https://lists.openvz.org/mailman/listinfo/announce
> > >>
> > >>
> > >>
> > >> --
> > >> --- Inguza Technology AB --- MSc in Information Technology ----
> > >> / ola at inguza.com Annebergsslingan 37 \
> > >> | opal at debian.org 654 65 KARLSTAD |
> > >> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> > >> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> > >> ---------------------------------------------------------------
> > >
> >
>
>
>
>
>
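The upgrade-time fixup Ola proposes above, rewritten here as an added example (not code from the thread or from vzctl itself) so it can be exercised on a constructed config tree: the vz config root is a parameter instead of the hard-coded /etc/vz, and the VE_PRIVATE template is assumed to use the literal token $VEID, as the stock vz.conf does. It applies Igor's rule for the layout (a root.hdd/DiskDescriptor.xml under the private directory means ploop, otherwise simfs) and honours only an uncommented VE_PRIVATE= assignment.

```shell
#!/bin/sh
# Added example, not code from the thread: Ola's upgrade-time fixup written
# so it can run against a constructed config tree. Parameters replace the
# hard-coded /etc/vz path; the VE_PRIVATE template is assumed to use the
# literal token $VEID, as the stock vz.conf does.

# detect_layout PRIVATE_DIR -> prints "ploop" or "simfs".
# Igor's rule: root.hdd/DiskDescriptor.xml inside the CT private
# directory means ploop; anything else is simfs.
detect_layout() {
    if [ -e "$1/root.hdd/DiskDescriptor.xml" ]; then
        echo ploop
    else
        echo simfs
    fi
}

# add_ve_layout VZ_ETC -> appends VE_LAYOUT=<layout> to every numeric
# CT config under VZ_ETC/conf that lacks one; prints how many it changed.
# Only an uncommented VE_PRIVATE= line in VZ_ETC/vz.conf is honoured,
# so a "# VE_PRIVATE=..." comment cannot redirect the check.
add_ve_layout() {
    vz_etc=$1
    changed=0
    tmpl=$(sed -n 's/^VE_PRIVATE=//p' "$vz_etc/vz.conf" | tail -n 1 | tr -d '"')
    [ -n "$tmpl" ] || tmpl='/vz/private/$VEID'
    for cf in "$vz_etc"/conf/*.conf; do
        [ -e "$cf" ] || continue
        grep -q '^VE_LAYOUT=' "$cf" && continue   # already secured
        veid=$(basename "$cf" .conf)
        case $veid in *[!0-9]*) continue ;; esac   # skip non-CT configs
        # Substitute the CT id into the template without eval.
        case $tmpl in
            *'$VEID'*) private=${tmpl%%\$VEID*}$veid${tmpl#*\$VEID} ;;
            *)         private=$tmpl ;;
        esac
        layout=$(detect_layout "$private")
        {
            echo ""
            echo "# Upgrade $(date): Securing CT config by adding VE_LAYOUT=$layout"
            echo "VE_LAYOUT=$layout"
        } >> "$cf"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Usage on a live host (as root): sh this_script /etc/vz
if [ "$#" -eq 1 ]; then add_ve_layout "$1"; fi
```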