4.79. kexec-tools

An updated kexec-tools package that adds one enhancement is now available for Red Hat Enterprise Linux 5.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.

Enhancement

BZ#772164
Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.7 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64 Hypervisor with an Intel CPU is the only supported implementation. Note that the dump target must be specified in the /etc/kdump.conf file.
All users of kexec-tools are advised to upgrade to this updated package, which adds this enhancement.
An updated kexec-tools package that resolves three security issues, fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the user-space component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel.

Security Fixes

CVE-2011-3588
Kdump used the SSH (Secure Shell) StrictHostKeyChecking=no option when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps.
CVE-2011-3589
The mkdumprd utility created initrd files with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target.
CVE-2011-3590
The mkdumprd utility included unneeded sensitive files (such as all files from the /root/.ssh/ directory and the host's private SSH keys) in the resulting initrd. This could lead to an information leak when initrd files were previously created with world-readable permissions. Note: With this update, only the SSH client configuration, known hosts files, and the SSH key configured via the newly introduced sshkey option in /etc/kdump.conf are included in the initrd. The default is the key generated when running the service kdump propagate command, /root/.ssh/kdump_id_rsa.
Red Hat would like to thank Kevan Carstensen for reporting these issues.

Bug Fixes

BZ#678308
On certain hardware, the kexec kernel incorrectly attempted to use a reserved memory range, and failed to boot with an error. This update adapts the underlying source code to determine the size of a backup region dynamically. As a result, kexec no longer attempts to use the reserved memory range, and boots as expected.
BZ#682359
The mkdumprd utility lacked proper support for using VLAN devices over a bond interface. Consequently, the network could not be correctly set up in the kexec kernel and Kdump failed to capture a core dump. This update modifies mkdumprd so it now provides full support for configuring VLAN devices over a bond interface. Kdump now successfully dumps the vmcore file to a remote machine in such a scenario.
BZ#759006
A bug in the mkdumprd caused Kdump to be unable to bring up a network interface card (NIC) if a NIC configuration file, such as /etc/sysconfig/network-scripts/ifcfg-eth0, did not contain a default gateway. When sending the vmcore file over a network using the SSH or NFS protocol, any attempt to bring the NIC up failed with the following error:
ifup: option with empty value "gateway"
Consequently, the connection to the remote machine could not be established and Kdump failed to dump the vmcore file. With this update, mkdumprd performs a check whether the default gateway is specified and thus avoids adding an empty gateway into the /etc/kdump.conf file. The vmcore file is now successfully dumped to a remote machine.
BZ#760844
A bug in mkdumprd caused Kdump to be unable to bring up a bridge device when its slave device was renamed in the kexec kernel. When sending the vmcore file over a bridged network, any attempt to bring the bridge device up failed with a similar error:
ifup: Ignoring unknown interface eth2
Consequently, the connection to the remote machine could not be established and Kdump failed to dump the vmcore file. This update modifies mkdumprd to search for the correct slave device names in NIC configuration files instead of using the old names. Kdump over a bridged network now works as expected.
BZ#761048
Certain storage devices, such as HP Smart Array 5i controllers using the CCISS driver, are known to be non-resettable in the kexec kernel. Therefore, when such a device was selected as a dump target, any attempt to dump a core file on it caused the kexec kernel to become unresponsive. This update modifies mkdumprd to check whether the target device is resettable. If the target device is non-resettable, then Kdump will not start and the kexec kernel no longer hangs under these circumstances.
BZ#761336
The mkdumprd utility was unable to handle errors returned by the makedumpfile command if the command was piped with other commands. Therefore, when sending a core dump file over a network using the SSH protocol and makedumpfile failed, the system rebooted immediately instead of dropping to the shell. This update allows mkdumprd to catch return codes of piped commands so that Kdump now fails right after a makedumpfile failure and the system drops correctly to the shell.
BZ#765702
The mkdumprd utility did not properly handle renaming of NIC devices in the kexec kernel. Therefore, when sending a core dump using a VLAN device over a bond interface, Kdump displayed various error messages related to VLAN device names. This update modifies mkdumprd so it now works with VLAN device names correctly.
BZ#781907
The mkdumprd utility did not handle NFS unmount failures correctly. Therefore, when dumping a core over the NFS protocol and a test attempt to unmount an NFS export failed, mkdumprd removed all files from this NFS export. This update corrects mkdumprd so that it only removes empty NFS exports and no data loss occurs under these circumstances.

Enhancements

BZ#668706
The mkdumprd utility lacked support for the XFS file system, and therefore Kdump failed to capture the vmcore dump file on XFS file systems. This update backports support for the XFS file system from Red Hat Enterprise Linux 6 so Kdump now creates core dumps on XFS file systems as expected.
BZ#690678
This update adds a new option for the mkdumprd utility, blacklist. This option allows mkdumprd to prevent specified kernel modules from being loaded into the kexec kernel.
BZ#715531
With this update, the mkdumprd utility supports static route configuration so that Kdump is now able to dump the vmcore file to a remote machine over a network with static routing.
BZ#719384
The mkdumprd utility has been modified to recognize and support iSCSI devices so that iSCSI devices can now be specified as a dump target.
BZ#743217
Kdump on Xen HVM guests is now enabled in Red Hat Enterprise Linux 5.8 as a Technology Preview. Performing a local dump to an emulated (IDE) disk using an Intel 64 Hypervisor with an Intel CPU is the only supported implementation. Note that the dump target must be specified in the /etc/kdump.conf file.
All users of kexec-tools are advised to upgrade to this updated package, which resolves these security issues, fixes these bugs and adds these enhancements.