[Debian] [Announce] [Security] vzctl 4.9.4
Ola Lundqvist
ola at inguza.com
Mon Sep 21 01:50:05 PDT 2015
Hi Igor
Unfortunately it was not. The order was wrong for ploop containers. I have
corrected that problem though.
Thanks anyway for checking.
// Ola
On Mon, Sep 21, 2015 at 10:39 AM, Igor Bazhitov <ibazhitov at odin.com> wrote:
> Hi, Ola.
>
> The script looks correct.
>
> WBR, Igor Bazhitov.
>
> 09.09.2015 22:09, Ola Lundqvist writes:
> > Privet Igor
> >
> > This will be the upgrade logic. Let me know if you find any flaw in it.
> >
> > TMPCFG=$(mktemp)
> > if ! grep VE_PRIVATE /etc/vz/vz.conf > $TMPCFG ; then
> >     echo "#Missing VE_PRIVATE assuming default" > $TMPCFG
> >     echo 'VE_PRIVATE=/vz/private/$VEID' >> $TMPCFG
> > fi
> > #cat $TMPCFG
> > for CF in /etc/vz/conf/*.conf ; do
> >     if ! grep VE_LAYOUT "$CF" > /dev/null ; then
> >         VEID=$(basename "$CF" | sed 's/\.conf$//;')
> >         X=simfs
> >         if [ -e "${VE_PRIVATE}/root.hdd/DiskDescriptor.xml" ] ; then
> >             X=ploop
> >         fi
> >         . $TMPCFG
> >         echo "Securing CT configuration $CF by adding VE_LAYOUT=$X"
> >         echo "" >> $CF
> >         echo "# Upgrade `date`: Securing CT config by adding VE_LAYOUT=$X" >> $CF
> >         echo "VE_LAYOUT=$X" >> $CF
> >     fi
> > done
> > rm -f $TMPCFG
> >
> > Best regards,
> >
> > // Ola
> >
> > On Fri, Sep 4, 2015 at 9:36 AM, Igor Bazhitov <ibazhitov at odin.com> wrote:
> >
> > Hi, Ola.
> >
> > > It does not matter really. Both ways will do.
> >
> > All 4 patches for vzctl-4.8 are attached.
> >
> > > However I have a question. As I understand the config is changed at
> > > creation or start.
> >
> > Yes.
> >
> > > Should it be changed at upgrade time too to make sure
> > > the next start is safe? Or is it changed before it is a security hazard?
> >
> > Well, it definitely would be better to add correct VE_LAYOUT values to
> > all CT configs during vzctl upgrade, since there could be a large time
> > gap between vzctl upgrade and existing CTs (re)start. But in this case
> > you'll need to implement the CT layout detection logic inside the
> > upgrade script. The logic is simple: if there is a
> > "root.hdd/DiskDescriptor.xml" file inside the CT's private directory
> > (e.g. /vz/private/100) then we have "ploop" layout, otherwise - "simfs"
> > layout.
> >
> > WBR, Igor Bazhitov.
> >
> > 03.09.2015 21:31, Ola Lundqvist writes:
> > > Hi Igor
> > >
> > > It does not matter really. Both ways will do.
> > >
> > > However I have a question. As I understand the config is changed at
> > > creation or start. Should it be changed at upgrade time too to make sure
> > > the next start is safe? Or is it changed before it is a security hazard?
> > >
> > > /Ola
> > >
> > > Sent from a phone
> > >
> > > On 3 Sep 2015 12:37, "Igor Bazhitov" <ibazhitov at odin.com> wrote:
> > >
> > > Hi, Ola.
> > >
> > > There are 4 patches in the original fix - 2 of them making various
> > > preparations and the other 2 do the actual fix. Do you need them ported
> > > to vzctl-4.8 as is, or as one big cumulative patch?
> > >
> > > WBR, Igor Bazhitov.
> > >
> > > 01.09.2015 00:22, Ola Lundqvist writes:
> > > > Privet Kir and Igor
> > > >
> > > > Sources and patches here:
> > > > ftp://ftp.debian.org/debian/pool/main/v/vzctl/
> > > >
> > > > Source is named .orig.tar.gz
> > > > and the patches are either in .diff.gz or packaged in .debian.tar.gz
> > > >
> > > > I think we should at least backport 4.8 (current stable) and then maybe
> > > > oldstable 3.0.30. 3.0.24 is oldold stable so I guess you can skip that.
> > > >
> > > > Thanks in advance
> > > >
> > > > // Ola
> > > >
> > > > On Mon, Aug 31, 2015 at 11:17 PM, Kir Kolyshkin <kir at odin.com> wrote:
> > > >
> > > > On 08/31/2015 12:15 PM, Ola Lundqvist wrote:
> > > >> I was. :-) Thanks!
> > > >>
> > > >> Will look into this shortly. Will also look into backporting the fix.
> > > >
> > > > Ola,
> > > >
> > > > I think Igor (in Cc) will be able to provide the fix backported,
> > > > just let us know which version do you have in Debian (and a link
> > > > to sources, as I guess you have some patches in there, too).
> > > >
> > > > Kir.
> > > >
> > > >
> > > >>
> > > >> // Ola
> > > >>
> > > >> On Mon, Aug 31, 2015 at 8:47 PM, Kir Kolyshkin <kir at openvz.org> wrote:
> > > >>
> > > >> On 08/26/2015 01:26 AM, Sergey Bronnikov wrote:
> > > >>
> > > >> Hi
> > > >>
> > > >> On 23:19 Tue 25 Aug , Ola Lundqvist wrote:
> > > >>
> > > >> Hi again
> > > >>
> > > >> Also I can not find where to download the software
> > > >> (neither binaries nor sources). Is it only available in git?
> > > >>
> > > >> It is not so difficult to find sources.
> > > >> We have one git repo for openvz sources - src.openvz.org.
> > > >> vzctl sources are here
> > > >> https://src.openvz.org/projects/OVZL/repos/vzctl/browse
> > > >>
> > > >>
> > > >> Ola is probably asking about the source tarball. It's here:
> > > >> http://download.openvz.org/utils/vzctl/4.9.4/src/vzctl-4.9.4.tar.bz2
> > > >>
> > > >> Cheers
> > > >>
> > > >> // Ola
> > > >>
> > > >> On Tue, Aug 25, 2015 at 11:15 PM, Ola Lundqvist <ola at inguza.com> wrote:
> > > >>
> > > >> Hi Sergey
> > > >>
> > > >> How serious should we consider this problem?
> > > >> Should I ask the Debian security team (Debian do not accept new revisions,
> > > >> just backports for security fixes to their stable releases) to
> > > >> backport this correction to the current vzctl stable package?
> > > >>
> > > >> In the meantime I'll build this 4.9.4 for debian unstable and also upload
> > > >> to the openvz download directory. First testing and then after a few days
> > > >> to the wheezy and jessie stable targets.
> > > >>
> > > >> Regards,
> > > >>
> > > >> // Ola
> > > >>
> > > >>
> > > >> On Tue, Aug 25, 2015 at 2:32 PM, Sergey Bronnikov <sergeyb at openvz.org> wrote:
> > > >>
> > > >> OpenVZ project has released a new vzctl update for legacy OpenVZ.
> > > >> Read below for more information. Everybody is advised to upgrade.
> > > >>
> > > >> Changes
> > > >> =======
> > > >> * store VE layout to VE config on start
> > > >> * store VE layout in VE config during create and convert
> > > >>
> > > >> See full changelog here:
> > > >> https://src.openvz.org/projects/OVZL/repos/vzctl/commits
> > > >>
> > > >> Download
> > > >> ========
> > > >> http://wiki.openvz.org/Download/vzctl/4.9.4
> > > >>
> > > >>
> > > >> Thanks
> > > >> ======
> > > >> OpenVZ project would like to thank the RACK911LABS for discovering this
> > > >> bug and providing the attack scenario.
> > > >>
> > > >>
> > > >> Bug reporting
> > > >> =============
> > > >> Please report all bugs found to
> > > >> https://bugs.openvz.org/
> > > >>
> > > >>
> > > >> Other sources of info on updates
> > > >> ================================
> > > >> See http://planet.openvz.org/ to view all the
> > > >> news (including updates) online.
> > > >> There you can also find RSS/Atom feed links.
> > > >>
> > > >>
> > > >> Regards,
> > > >> OpenVZ team
> > > >>
> > > >> _______________________________________________
> > > >> Announce mailing list
> > > >> Announce at openvz.org
> > > >> https://lists.openvz.org/mailman/listinfo/announce
> > > >>
>
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola at inguza.com Annebergsslingan 37 \
| opal at debian.org 654 65 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
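The layout rule Igor describes (root.hdd/DiskDescriptor.xml under the CT's private directory means ploop, otherwise simfs) and the upgrade loop Ola posted, reworked as an added example that is neither the thread's script nor vzctl's own upgrade code: VE_PRIVATE is resolved before the ploop check, config files are read with sed rather than sourced, and the paths are parameters so it can be exercised against a constructed tree. The default VE_PRIVATE value is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's script or vzctl's code): Igor's rule, with
# VE_PRIVATE resolved before the ploop check and configs read, not sourced.
# Paths are parameters for testing; the default VE_PRIVATE is assumed.

# private_dir VEID VZCONF CTCONF: per-CT VE_PRIVATE wins over the global one.
private_dir() {
    veid="$1"; vzconf="$2"; ctconf="$3"; val=""
    for f in "$ctconf" "$vzconf"; do
        [ -r "$f" ] || continue
        val=$(sed -n 's/^VE_PRIVATE=//p' "$f" | tail -n 1 | tr -d "\"'")
        [ -n "$val" ] && break
    done
    [ -n "$val" ] || val='/vz/private/$VEID'   # assumed default
    printf '%s\n' "$val" | sed "s|\\\$VEID|$veid|g"   # expand literal $VEID
}

# detect_layout VEID VZCONF CTCONF: root.hdd/DiskDescriptor.xml => ploop
detect_layout() {
    dir=$(private_dir "$@")
    if [ -e "$dir/root.hdd/DiskDescriptor.xml" ]; then
        echo ploop
    else
        echo simfs
    fi
}

# secure_ct_config VEID VZCONF CTCONF: append VE_LAYOUT once, keyed on the
# setting itself so a comment mentioning VE_LAYOUT does not count.
# Returns 0 when it wrote, 1 when the config already had a layout.
secure_ct_config() {
    grep -q '^VE_LAYOUT=' "$3" && return 1
    layout=$(detect_layout "$1" "$2" "$3")
    {
        echo ""
        echo "# Upgrade $(date): securing CT config by adding VE_LAYOUT=$layout"
        echo "VE_LAYOUT=$layout"
    } >> "$3"
}

# upgrade_all CONFDIR VZCONF: one pass over every CT config
upgrade_all() {
    for cf in "$1"/*.conf; do
        [ -e "$cf" ] || continue
        veid=$(basename "$cf" .conf)
        secure_ct_config "$veid" "$2" "$cf" && echo "$cf: added VE_LAYOUT"
    done
    return 0
}
```

Run as `upgrade_all /etc/vz/conf /etc/vz/vz.conf` on a real host; a per-CT VE_PRIVATE override in the CT config is honoured, which the sourced-global-only approach misses.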