4.79. kexec-tools
An updated kexec-tools package that adds one enhancement is now available for Red Hat Enterprise Linux 5.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates booting a new kernel using the kernel's kexec feature on either a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.
Enhancement
- BZ#772164
- Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.7 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64 Hypervisor with an Intel CPU is the only supported implementation. Note that the dump target must be specified in the /etc/kdump.conf file.
All users of kexec-tools are advised to upgrade to this updated package, which adds this enhancement.
An updated kexec-tools package that resolves three security issues, fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates booting a new kernel using the kernel's kexec feature on either a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.
Security Fixes
- CVE-2011-3588
- Kdump used the SSH (Secure Shell) StrictHostKeyChecking=no option when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps.
- CVE-2011-3589
- The mkdumprd utility created initrd files with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target.
- CVE-2011-3590
- The mkdumprd utility included unneeded sensitive files (such as all files from the /root/.ssh/ directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak when initrd files were previously created with world-readable permissions. Note: With this update, only the SSH client configuration, known hosts files, and the SSH key configured via the newly introduced sshkey option in /etc/kdump.conf are included in the initrd. The default is the key generated when running the service kdump propagate command, /root/.ssh/kdump_id_rsa.
Red Hat would like to thank Kevan Carstensen for reporting these issues.
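The following audit helpers check a host for the three conditions described under Security Fixes. They are an added example, not code from Red Hat or the kexec-tools package. The function names and the initrd*kdump.img file name pattern are assumptions; the caller supplies the paths (for instance /boot and /etc/kdump.conf).

```shell
#!/bin/sh
# Added example (not Red Hat's code). All paths are arguments, so the checks
# can be pointed at /boot and /etc/kdump.conf or at constructed fixtures.

# CVE-2011-3589: list kdump initrd images in directory $1 that have the
# "other read" bit set. The initrd*kdump.img naming is an assumption.
world_readable_initrds() {
    find "$1" -maxdepth 1 -type f -name 'initrd*kdump.img' -perm -004 | sort
}

# CVE-2011-3588: print the lines of file $1 that disable SSH host key
# checking, in "-o StrictHostKeyChecking=no" or ssh_config "Key no" form.
hostkey_check_disabled() {
    grep -n -i -E 'StrictHostKeyChecking[[:space:]=]+no' "$1" || true
}

# CVE-2011-3590: print the key that kdump embeds in the initrd, which is the
# value of the sshkey option in kdump.conf ($1) or the documented default.
configured_sshkey() {
    key=$(awk '$1 == "sshkey" { k = $2 } END { print k }' "$1")
    echo "${key:-/root/.ssh/kdump_id_rsa}"
}

# Print "ok" if file $1 grants no group or other permissions, else "exposed".
key_mode_status() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" = "------" ]; then
        echo ok
    else
        echo exposed
    fi
}
```

An image reported by world_readable_initrds that was built before the update should be rebuilt after upgrading, since it may still contain the files listed under CVE-2011-3590.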
Bug Fixes
- BZ#678308
- On certain hardware, the kexec kernel incorrectly attempted to use a reserved memory range, and failed to boot with an error. This update adapts the underlying source code to determine the size of a backup region dynamically. As a result, kexec no longer attempts to use the reserved memory range, and boots as expected.
- BZ#682359
- The mkdumprd utility lacked proper support for using VLAN devices over a bond interface. Consequently, the network could not be correctly set up in the kexec kernel and Kdump failed to capture a core dump. This update modifies mkdumprd so it now provides full support for configuring VLAN devices over a bond interface. Kdump now successfully dumps the vmcore file to a remote machine in such a scenario.
- BZ#759006
- A bug in the mkdumprd utility caused Kdump to be unable to bring up a network interface card (NIC) if a NIC configuration file, such as /etc/sysconfig/network-scripts/ifcfg-eth0, did not contain a default gateway. When sending the vmcore file over a network using the SSH or NFS protocol, any attempt to bring the NIC up failed with the following error:
  ifup: option with empty value "gateway"
  Consequently, the connection to the remote machine could not be established and Kdump failed to dump the vmcore file. With this update, mkdumprd performs a check whether the default gateway is specified and thus avoids adding an empty gateway into the /etc/kdump.conf file. The vmcore file is now successfully dumped to a remote machine.
- BZ#760844
- A bug in mkdumprd caused Kdump to be unable to bring up a bridge device when its slave device was renamed in the kexec kernel. When sending the vmcore file over a bridged network, any attempt to bring the bridge device up failed with a similar error:
  ifup: Ignoring unknown interface eth2
  Consequently, the connection to the remote machine could not be established and Kdump failed to dump the vmcore file. This update modifies mkdumprd to search for the correct slave device names in NIC configuration files instead of using the old names. Kdump over a bridged network now works as expected.
- BZ#761048
- Certain storage devices, such as HP Smart Array 5i controllers using the CCISS driver, are known to be non-resettable in the kexec kernel. Therefore, when such a device was selected as a dump target, any attempt to dump a core file on it caused the kexec kernel to become unresponsive. This update modifies mkdumprd to check whether the target device is resettable. If the target device is non-resettable, then Kdump will not start and the kexec kernel no longer hangs under these circumstances.
- BZ#761336
- The mkdumprd utility was unable to handle errors returned by the makedumpfile command if the command was piped with other commands. Therefore, when sending a core dump file over a network using the SSH protocol and makedumpfile failed, the system rebooted immediately instead of dropping to the shell. This update allows mkdumprd to catch return codes of piped commands so that Kdump now fails right after a makedumpfile failure and the system drops correctly to the shell.
- BZ#765702
- The mkdumprd utility did not properly handle renaming of NIC devices in the kexec kernel. Therefore, when sending a core dump using a VLAN device over a bond interface, Kdump displayed various error messages related to VLAN device names. This update modifies mkdumprd so it now works with VLAN device names correctly.
- BZ#781907
- The mkdumprd utility did not handle NFS unmount failures correctly. Therefore, when dumping a core over the NFS protocol and a test attempt to unmount an NFS export failed, mkdumprd removed all files from this NFS export. This update corrects mkdumprd so that it only removes empty NFS exports and no data loss occurs under these circumstances.
Enhancements
- BZ#668706
- The mkdumprd utility lacked support for the XFS file system, and therefore Kdump failed to capture the vmcore dump file on XFS file systems. This update backports support for the XFS file system from Red Hat Enterprise Linux 6 so Kdump now creates core dumps on XFS file systems as expected.
- BZ#690678
- This update adds a new option for the mkdumprd utility, blacklist. This option allows mkdumprd to prevent specified kernel modules from being loaded into the kexec kernel.
- BZ#715531
- With this update, the mkdumprd utility supports static route configuration so that Kdump is now able to dump the vmcore file to a remote machine over a network with static routing.
- BZ#719384
- The mkdumprd utility has been modified to recognize and support iSCSI devices so that iSCSI devices can now be specified as a dump target.
- BZ#743217
- Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.8 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64 Hypervisor with an Intel CPU is the only supported implementation. Note that the dump target must be specified in the /etc/kdump.conf file.
All users of kexec-tools are advised to upgrade to this updated package, which resolves these security issues, fixes these bugs and adds these enhancements.