Chapter 14. Servers and Services

mod_nss now supports server-side SNI

This update adds server-side Server Name Indication (SNI) support to the mod_nss package. (BZ#1295490)

Non-root user support in httpd mod_rewrite

The mod_rewrite module provided with the Apache HTTP Server now supports running external mapping programs as a non-root user. This reduces the security risk of using mod_rewrite mapping programs, because they can run in an unprivileged process. (BZ#1035230)

tomcat6 now supports disableURLRewriting

This update adds the disableURLRewriting attribute to the Tomcat 6 servlet container. The attribute allows you to disable support for URL rewriting as a means of tracking session IDs for specific contexts. (BZ#1221877)

Logging capabilities of the tftp server have been enhanced

As a result of improved logging, the Trivial File Transfer Protocol (TFTP) server can now track successes and failures. For example, a log event is now created when a client successfully finishes downloading a file, and a "file not found" message is logged in case of a failure. (BZ#917817)

Squid can log IP addresses and ports of remote hosts

In previous versions, the Squid caching and forwarding web proxy had the ability to log the URL, which included the host name. However, Squid could not log the IP address of the destination server. This update enables Squid to log IP addresses and ports of remote hosts, which is especially useful when dealing with hosts that have multiple IP addresses. (BZ#848124)

New ignore-client-uids option

When a client machine can boot different operating systems (OS), each OS can send a different DHCP client identifier (UID) and consequently obtain a different IP address from the server. With the new ignore-client-uids option, the user can now configure the server to treat such a machine as a single entity regardless of which OS it is currently running.
This option causes the server to not record a client's UID in its lease. To configure ignore-client-uids, add the following line to the /etc/dhcp/dhcpd.conf file:
ignore-client-uids true;
With this configuration, client UIDs are not recorded. If the statement is not present or has a value of false or off, client UIDs are recorded. (BZ#1196768)

A Tuned profile optimized for Oracle database servers has been included

A new oracle Tuned profile, which is specifically optimized for Oracle database workloads, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile, but modifies kernel parameters based on Oracle database requirements and turns transparent huge pages off. (BZ#1196294)

New package: squid34

A new package, squid34, version 3.4.14, has been released. This package cannot be installed together with the squid package. squid34 improves stability and fixes multiple bugs originally reported against squid.
The most important new features in squid34 include:
  • Helper protocol extensions
  • SSL Server Certificate Validator
  • Store-ID
  • TPROXY Support for OpenBSD 5.1 and later, and FreeBSD 9 and later
  • Transaction Annotations
  • Multicast DNS (BZ#1265328)

The BIND server now supports CAA records

Certification Authority Authorization (CAA) support has been added to the Berkeley Internet Name Domain (BIND) server. Now, users can restrict which Certification Authorities are permitted to issue certificates for a domain by publishing a CAA record for that domain. (BZ#1252611)
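As an added illustration of how a CAA record constrains issuance (this is example code, not code from BIND or from these release notes), the following Python applies the RFC 6844 lookup and authorization rules to a small constructed in-memory zone; the domain names and CA identifiers are placeholders.

```python
# Added example: evaluate RFC 6844 CAA policy for a candidate CA against an
# in-memory zone. All names and CA identifiers below are constructed samples.

# Constructed records in BIND presentation order: name -> [(flags, tag, value)]
ZONE = {
    "example.com.": [(0, "issue", "ca-one.example; account=1234"),
                     (0, "iodef", "mailto:security@example.com")],
    "dev.example.com.": [(0, "issuewild", ";")],     # forbid *.dev.example.com
    "strict.example.com.": [(128, "future-tag", "x"),  # critical, unknown tag
                            (0, "issue", "ca-one.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa(name, zone=ZONE):
    """RFC 6844 section 4: climb from `name` toward the root and return the
    first non-empty CAA record set (the search stops at the first hit, so a
    child with its own records does not inherit its parent's records)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def ca_authorized(name, ca, wildcard=False, zone=ZONE):
    """Return True if `ca` may issue for `name` (or for *.name if wildcard)."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True   # no CAA record anywhere in the chain: any CA may issue
    # A record with the critical flag (bit 0x80) and an unrecognised tag must
    # cause the CA to refuse issuance.
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # only iodef (or issuewild for a non-wildcard): no limit
    # The CA identifier precedes any ";"-separated parameters; a bare ";"
    # (empty identifier) means no CA at all may issue.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in applicable)
```

Note that dev.example.com. carries only an issuewild record, so a non-wildcard request there is unrestricted: the relevant set is found at dev.example.com. and example.com.'s issue record is not consulted.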

The LocalAddress and LocalPort keywords are now supported for Match conditions in sshd_config

Systems connected to several physical networks might require different access policies. With this update, you can enforce different policies for different local addresses or ports directly in sshd_config, without the need to run several services with different configuration files. (BZ#1211673)

Support for disabling selected GSSAPI key exchange algorithms

After CVE-2015-4000 (Logjam) was discovered, the gss-group1-sha1 algorithm is no longer considered secure. Previously, it was not possible to disable this single key exchange method. With this update, the administrator can disable this or other selected algorithms used by GSSAPI key exchange in sshd_config. (BZ#1253060)

New authorized_keys_command option in pam_ssh_agent_auth

Managing sudo rules across multiple systems might require listing SSH keys from LDAP, which was previously not possible. With this update, you can easily set up pam_ssh_agent_auth to get the authorized keys from LDAP or a different service. The feature has been backported from the upstream version. (BZ#1299555)