Chapter 10. Servers and Services

Restricted Cipher Suites in Default httpd Configuration

With this update, the default configuration of the mod_ssl module in the httpd web server no longer enables support for SSL cipher suites using the single DES, IDEA, or SEED encryption algorithms.

Allowed SSL protocols configurable in the Cyrus IMAP server

With this update, it is possible to configure which Secure Sockets Layer (SSL) protocols the Cyrus IMAP server allows. For example, users can disable SSLv3 connections and thus mitigate the impact of the POODLE vulnerability.

dstat command now supports symbolic links

The dstat command has been enhanced to support the use of symbolic links as parameter values. This enables users to dynamically specify the boot device name, which ensures that dstat displays correct information after hot plugs and similar operations. Note that symbolic links must be specified in the /dev/disk/ directory and the full path must be used with the command.

rng-tools rebased to version 5

The rng-tools packages, which provide random number generator user space utilities, have been upgraded to upstream version 5. This update enables the random number generator daemon (rngd) on the Intel x86- and Intel 64-based EM64T/AMD64 CPU models by default and takes advantage of entropy provided by the RDRAND hardware random number generator instruction. The update also improves performance and security on Intel architecture hardware, especially in server applications.

NetworkManager Connection Editor usability improvements

This update enhances nm-connection-editor, which now enables easier editing of IP addresses and routes. In addition, nm-connection-editor attempts to automatically detect and highlight typos and incorrect configurations.

ypbind can now be set to specific rebind intervals

The NIS binding process ypbind traditionally checked for the fastest NIS server every 15 minutes. However, many firewalls have a default timeout of 10 minutes, which caused intermittent failures when ypbind tried to rebind. This update adds a tunable option, -r, to ypbind that enables setting a specific rebind interval in seconds.

Rebase of the squid packages

The squid packages have been upgraded to upstream version 3.1.23, which provides a number of bug fixes and enhancements over the previous version. Among others, this update adds support to squid for HTTP/1.1 POST and PUT responses with no message body.

dhcpd handles dhcp option 97 - Client Machine Identifier (pxe-client-id)

It is now possible to reserve (statically allocate) IP addresses for a particular client based on its identifier sent in option 97; for example:
host pixi {
  option pxe-client-id 0 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff;
  fixed-address 1.2.3.4;
}

Tomcat log file rotation can now be disabled

By default, Tomcat log files are rotated on the first write operation which occurs after midnight, and given the file name {prefix}{date}{suffix}, where the format for date is YYYY-MM-DD. To allow Tomcat log file rotation to be disabled, the parameter rotatable has been added. If this parameter is set to false, the log file will not be rotated and the filename will be {prefix}{suffix}. The default value is true.

cups supports failover

It is now possible to direct jobs to a single printer with failover to other printers, instead of using the load balancing among printers that is built into CUPS. Jobs can be directed to the first working printer of a set, the preferred printer, with other printers used only if the preferred one is unavailable.

openssh supports adjusting LDAP queries

Administrators can now adjust Lightweight Directory Access Protocol (LDAP) queries to obtain public keys from servers that use a different schema.

ErrorPolicy description added to cupsd.conf(5) manual page

A description of the ErrorPolicy directive, with its supported values, has been added to the cupsd.conf(5) manual page. The ErrorPolicy directive defines the default policy used when a backend is unable to send a print job to the printer.

Allowed SSL protocols configurable in dovecot

With this update, it is possible to configure which Secure Sockets Layer (SSL) protocols dovecot allows. For example, users can disable SSLv3 connections and thus mitigate the impact of the POODLE vulnerability. Due to security concerns, SSLv2 and SSLv3 are now also disabled by default, and they have to be allowed manually if the user needs them.

openssh supports wildcards for PermitOpen option

The PermitOpen option in the sshd_config file now supports wildcards.

tomcatjss supports TLS versions 1.1 and 1.2

Tomcat has been updated to support the Transport Layer Security cryptographic protocol version 1.1 (TLSv1.1) and Transport Layer Security cryptographic protocol version 1.2 (TLSv1.2) using Java Security Services.

squid supports hiding or rewriting HTTP headers

The squid packages are now built with the --enable-http-violations option and allow the user to hide or rewrite HTTP headers.

bind supports RPZ-NSIP and RPZ-NSDNAME

RPZ-NSIP and RPZ-NSDNAME records can now be used with Response Policy Zone (RPZ) in the BIND configuration.

openssh supports forcing exact permissions on uploaded files

With this update, OpenSSH can force exact permissions on files that are newly uploaded using the Secure File Transfer Protocol (SFTP).

Mailman now includes enhanced DMARC mitigation features

With this update, Mailman introduces several enhanced Domain-based Message Authentication, Reporting & Conformance (DMARC) mitigation features. For example, Mailman can be configured to recognize Sender alignment for DomainKeys Identified Mail (DKIM) signatures, and it is now able to correctly handle forwarded messages from domains with a reject DMARC policy.