[pve-devel] POSSIBLE BIG SECURITY BUG in Proxmox - Kernel ?

Detlef Bracker bracker at 1awww.com
Wed Apr 29 05:36:46 CEST 2015


Dear,

ca. at the 4th april Proxmox comes with updates the kernel Linux version
2.6.32-37-pve
And this activate automaticly without manual setting in grub, why I am
sure, that I have change
the kernel on 2 hosts without a reboot!

And in one future the hoster, so as we, must reboot the host and then
the new kernel 2.6.32-37-pve
is active and I mean, that this create a big security horror - please
check this, why we cant
do it with our hosts, they in production and one of them is blocked from
operating center
about this, short hours later the reboot! We are in clearing for a
resolution today - I hope so!

When the host start with kernel 2.6.32-37-pve we find in log:

Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): warning: mounting
unchecked fs, running e2fsck is
recommended
Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): using internal journal
Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): mounted filesystem with
ordered data mode
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: Loading kernel module for a network
device with CAP_SYS_MODULE
(deprecated).  Use CAP_NET_ADMIN and alias netdev-dummy0 instead
Apr 25 13:59:30 ns315405 kernel: device dummy0 entered promiscuous mode
Apr 25 13:59:30 ns315405 kernel: vmbr1: port 1(dummy0) entering
forwarding state
Apr 25 13:59:30 ns315405 kernel: device eth0 entered promiscuous mode
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'

So ipv6 cant load! This is normal not a big problem, why can been
cleared later, but now, the next
big bug make problems:

Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): warning: mounting
unchecked fs, running e2fsck is
recommended
Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): using internal journal
Apr 25 13:59:30 ns315405 kernel: EXT3-fs (dm-0): mounted filesystem with
ordered data mode
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: Loading kernel module for a network
device with CAP_SYS_MODULE

(deprecated).  Use CAP_NET_ADMIN and alias netdev-dummy0 instead
Apr 25 13:59:30 ns315405 kernel: device dummy0 entered promiscuous mode
Apr 25 13:59:30 ns315405 kernel: vmbr1: port 1(dummy0) entering
forwarding state
Apr 25 13:59:30 ns315405 kernel: device eth0 entered promiscuous mode
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 13:59:30 ns315405 kernel: ipv6: Unknown parameter `disabled'

and later:

Apr 25 14:00:20 ns315405 postmulti[81148]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 /usr/sbin/cron[81207]: (CRON) INFO (Running
@reboot jobs)
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81216]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: ip_tables: (C) 2000-2006 Netfilter Core
Team
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81247]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: kvm: Nested Virtualization enabled
Apr 25 14:00:20 ns315405 kernel: kvm: Nested Paging enabled
Apr 25 14:00:20 ns315405 kernel: Netfilter messages via NETLINK v0.30.
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81255]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 pvepw-logger[81269]: starting pvefw logger
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81266]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: tun: Universal TUN/TAP device driver, 1.6
Apr 25 14:00:20 ns315405 kernel: tun: (C) 1999-2004 Max Krasnyansky
<maxk at qualcomm.com>
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81287]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81293]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:20 ns315405 postmulti[81320]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:20 ns315405 kernel: Enabling conntracks and NAT for ve0
Apr 25 14:00:20 ns315405 kernel: nf_conntrack version 0.5.0 (16384
buckets, 65536 max)
Apr 25 14:00:21 ns315405 kernel: ip6_tables: (C) 2000-2006 Netfilter
Core Team
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 postmulti[81414]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:21 ns315405 postfix[81419]: warning: inet_protocols:
disabling IPv6 name/address support:

Address family not supported by protocol
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 postfix/master[81431]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 postfix/master[81431]: warning: inet_protocols:
disabling IPv6 name/address

support: Address family not supported by protocol
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:21 ns315405 pve-firewall[81481]: starting server
Apr 25 14:00:21 ns315405 kernel: ploop_dev: module loaded
Apr 25 14:00:21 ns315405 kernel: ip_set: protocol 6
Apr 25 14:00:21 ns315405 kernel: ipv6: Unknown parameter `disabled'

and later:

Apr 25 14:00:41 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:41 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:41 ns315405 pve-firewall[81481]: status update error:
command '/sbin/ip6tables-save'

failed: exit code 1
Apr 25 14:00:51 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:51 ns315405 kernel: ipv6: Unknown parameter `disabled'
Apr 25 14:00:51 ns315405 pve-firewall[81481]: status update error:
command '/sbin/ip6tables-save'

failed: exit code 1
Apr 25 14:00:59 ns315405 kernel: EXT3-fs error (device dm-0):
ext3_lookup: deleted inode referenced:

91406386

The big problems are:

a) The PVE-Firewall not working any more!
b) Possible Traffic goes wrong ways when in configuration BRIDGE with
MAC to a container!
c) Innode disk problems

until the boot, the host works absolute secure und fine and never we had
stress with the operating center!

Regards

Detlef









-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://pve.proxmox.com/pipermail/pve-devel/attachments/20150429/d0cb12a3/attachment.sig>


More information about the pve-devel mailing list