BZ#519281

Prior to this update, the autofs utility did not reset the map entry status on a reload request. As a result, newly added map entries that had previously recorded a mount failure failed to work. With this update, autofs resets the map entry status on a reload request and map entries are mounted as expected.

BZ#54613

Prior to this update, reloading an existing map could consume an extensive amount of memory. This occurred because the automount daemon failed to free the memory which it preliminary allocated to the map before it had detected that the map already existed. With this update, the memory is freed and the memory leak no longer occurs on map reload.

BZ#549607

The autofs daemon failed to mount hidden Windows shares when using the auto.smb program map. This occurred because the program map did not translate the $ sign in the share names correctly. With this update, the code that matches the share names has been added and the hidden shares are mounted as expected.

BZ#551599

Prior to this update, the autofs utility could terminate with a segmentation fault when attempting certain mounts. This occurred due to a race condition between mount handling threads for mounts that had previously recorded a mount failure. This update adds a check that verifies that the automount cache map entry is valid and the error no longer occurs.

BZ#559796

The autofs utility failed to mount folders from Windows Server with the ampersand (&) in their name. With this update, such folders are mounted successfully.

BZ#560124

Prior to this update, the automount(8) man page referred to a non-existent man page. This was caused by a typographical error in the code. With this update, the man page reference has been corrected and the man page is displayed as expected.

BZ#561213

Due to a deadlock, autofs could stop responding when attempting to mount map entries that were nested within maps. With this update, the underlying code has been changed and, where possible, nested map entries mount correctly.

BZ#562703

Prior to this update, automount could terminate unexpectedly with a pthreads error. This occurred because attempts to acquire the master map lock occasionally failed as the lock was held by another thread. With this update, the underlying code has been adapted to wait for a short time before failing.

BZ#563956

Previously, the automount daemon did not support receiving paged results from an LDAP (Lightweight Directory Access Protocol) server. This update adds the code that handles paged results and such results are processed correctly.

BZ#570783

Prior to this update, if a key entry of an automount map began with an asterisk (*) sign, the daemon failed with a segmentation fault because the sign was not matched correctly. With this update, such asterisk signs are handled correctly.

BZ#576775

Prior to this update, a race condition could have caused the automount daemon to terminate unexpectedly. This happened because the parse_sun module pre-opened and cached the Network File System (NFS) mount module so that the mount module could be accessed by other modules quickly. With this update, the underlying code has been changed and the race condition on longer occurs.

BZ#589573

Prior to this update, the automount daemon stopped responding on startup when started with an already-mounted CIFS (Common Internet File System) share due to a deadlock. With this update, the underlying code has been changed and the deadlock no longer occurs.

BZ#593378

Prior to this update, automount failed to look up mounts from multiple included map sources. This occurred due to a problem with negative caching. With this update, the underlying code has been changed and automount performs the included map lookups correctly.

BZ#601935

When mounting new mounts, the automount daemon could have stopped responding. This occurred due to an execution order race during expire thread creation. This update refactors the code handling expire thread creation and the problem no longer occurs.

BZ#632006

The autofs utility failed to mount Lustre metadata target (MDT) failover mounts because it could not understand the mount point syntax. With this update, the mount point syntax is processed correctly and the failover is mounted as expected.

BZ#632471

Prior to this update, autofs failed occasionally to reload an updated map correctly when the map type was specified explicitly. This occurred because the map stale flag was cleared after the map entry lookup instead of being cleared at the update completion. With this update, the underlying code has been changed to clear the stale flag at the completion of the update and the maps are reread correctly.

BZ#667273

Previously, autofs could have terminated unexpectedly with a segmentation fault if it was heavily loaded with mount requests to service. This occurred due to an invalid pointer. With this update, the underlying code has been changed and autofs no longer crashes in such circumstances.

BZ#668354

Previously, when expanding the & character on map key substitution, autofs handled the white space characters in the key incorrectly. With this update, the underlying code has been changed and the expanding of such keys is handled correctly.

BZ#692524

Previously, autofs could have terminated unexpectedly with a segmentation fault when reloading maps. This occurred when the master map referenced null maps. This error has been fixed, and autofs no longer crashes when reloading such maps.

BZ#579312

The automount daemon now supports LDAP simple authenticated binds.

BZ#538408

This update adds the --dumpmaps option to the automount command, which allows you to dump the maps from their source as seen by the automount daemon.

BZ#547510

Previously, if multiple mount locations were present, the selection of a mount depended on the weight value defined by the user and on the server response time. With this update, the user can use the option --use-weight-only to make the selection priority depend only on the weight value.

BZ#566481

The autofs utility did not allow the locality name attribute (l) for an LDAP DN (Distinguish Name) in master map entries. This update adds the code to allow the use of DNs with the locality attribute in their name.

BZ#607785

With this update, the autofs utility supports SASL (Simple Authentication and Security Layer) external authentication with certificates using maps stored on an LDAP server.

BZ#610266

This update adds simple Base64 encoding for LDAP and thus allows hashing of the password entries in the /etc/autofs_ldap_auth.conf configuration file.

BZ#629357

The autofs utility now provides IP addresses for map entries that use host names with multiple network addresses in its debugging output.

BZ#510809

When a directory contained a symbolic link to itself, the readlink command incorrectly gave the following error message:

Too many levels of symbolic links.

With this update, the readlink command is able to correctly resolve values of recursive symbolic links to directories and no error messages are given.

BZ#684249

When values of LC_TIME and LC_CTYPE variables differed, the sort utility sometimes terminated due to an assertion failure. This bug has been fixed and the sort utility no longer crashes in the described scenario.

BZ#559098

When a child process was terminated by a signal, the su utility returned the wrong exit code of 0, which means exit success. With this update, the su utility always returns the correct exit code in the described scenario.

BZ#668247

Previously, when the dd utility read data from a pipe and received a signal such as SIGPIPE, it stopped reading the current block and started with the new one immediately. This caused random output values when the dd utility was used to measure the size of an input file. With this update, the new iflag=fullblock option is available. When the option is used, the dd utility always continues to read incomplete blocks after receiving a signal.

BZ#664895

On certain file systems such as VxFS, the Veritas File System, the rmdir() system call returned the wrong error code for non-empty directories. This caused the rmdir utility to fail to ignore the error when the --ignore-fail-on-non-empty command line option was specified. This bug has been fixed and the rmdir utility now handles errors on non-empty directories on VxFS partitions properly.

BZ#515499

Previously, when the ls -1U command was called with two or more arguments and with at least one non-empty directory as an argument, directory entry names were printed before the name of their parent directories. This bug has been fixed and now the entries are printed in correct order.

BZ#525199

Previously, the cp, mv and install utilities were unable to preserve extended attributes on files with read-only permissions. This bug has been fixed and the extended attributes are now preserved correctly by those utilities.

BZ#537463

If the --ghost option was enabled for an automount point, the du command failed on an automounted directory if it was not mounted yet. This bug has been fixed and the du command now succeeds on an automounted directory on the first attempt.

BZ#520630

Due to a regression, running the df -l command with a specific device specified resulted in a Permission denied error message for regular users. This bug has been fixed and specifying a device now works for regular users.

Note

Note that running the df -l command to list all devices was not affected by this bug; it worked as expected previously and continues to do so subsequent to this update.

BZ#628953

Because of internal reordering of arguments, the runcon utility was not able to handle execution of commands with arguments without the option separator --. With this update, the runcon utility no longer reorders arguments and this bug no longer occurs.

Note

Note that syntax runcon RUNCONARGS COMMAND -- COMMANDARGS is incorrect; if the option separator is used, it must precede the COMMAND.

BZ#627285

Previously, the --backup option of the mv command did not work with directories and the cannot move [directory] to a subdirectory of itself error message was returned. This bug has been fixed and the --backup option now works with directories as expected.

BZ#524805

Previously, the runuser utility man page contained incorrect information about PAM API calls. With this update, the documentation has been amended.

BZ#586957

Previously, certain scripts parsing the LS_COLORS environment variable used insufficient escaping, resulting in slow shell start-up in directories with too many files. This bug has been fixed and the shell start-up time is now more independent of the current directory.

BZ#658839

When moving a directory into another non-empty directory, the mv utility returned a confusing cannot move [directory] to a subdirectory of itself error message. This bug has been fixed and the correct Directory not empty error message is now returned instead.

BZ#681598

Previously, due to a bug in the su utility, the suspend command did not work for root users in tcsh shell. With this update, when the suspend command is called in a root shell, the Suspended (signal) message is returned and the user is put back into their user shell.

BZ#584802, BZ#610559, BZ#660186

This update improves the coreutils documentation in the following ways: descriptions of the runcon and chcon utilities have been added; the behavior of newly added groups is now described; and the description of the mkdir --mode command has been extended.

BZ#523923

Previously, deletion of a large number of files via the rm utility was taking too much time. With this update, the code has been optimized and the deletion is now faster.

BZ#513153

With this update, many unnecessary warning messages of attempts for preserving ACLs on file systems without the support for ACLs have been suppressed, unless the preservation of ACLs is explicitly requested.

BZ#582774

With this update, the -L (logical) and -P (physical) command line options are now supported. These options are used for resolving the path of current working directory.

BZ#489842

When lsattr or chattr was pointed at a non-existent file, an error was returned in that the exit code was always zero. This was because ls reported an error if any occurred, and lsattr did the same, reporting the last error encountered. This patch fixes this error, and lsattr and chattr provide the correct error.

BZ#491385

After using resize2fs to perform an offline resize of a file system, running e2fsck gave an error, stating the wrong block count for the resize inode. This was because the resize inode was not being properly cleared. This patch checks to see if the file system has grown to the point where the resize_inode is no longer needed, then cleans it so e2fsck does not have to. The correct block count is now given for the resize inode.

BZ#506643

Previously, e2fsprogs libblkid probe_all() could mismatch devices when scanning whole disks without partitions where the name ended in a number. This caused a mount failure. With this patch these disks are also scanned, so the devices are mounted correctly.

BZ#553216

When a host was re-kickstarted, mpath mount with LABEL failed with the error “mount: /dev/sdk already mounted or /san/intf busy”. This was because the probe_one() function scanned /dev before /dev/mapper. This patch disables all calls from libdevmapper via #undef HAVE_DEVMAPPER, instead using the standard support for “normal” non-dm devices. This results in mpath can mount without errors.

BZ#562044

Running “e2fsck -y -f” on a corrupted file system printed errors when “e2fsck -y” previous reported the file system to be cleaned of errors. This occurred when a file had its i_file_acl block cloned as a duplicate. This duplicate was then cleared because the file system did not have the xattr feature, and the inode was subsequently removed due to an invalid mode. The second e2fsck pass found the cloned xattr block in use but not owned by any file, so had to fix up the block bitmaps. This patch fixes an existing brace misalignment and skips the processing of the duplicate xattr blocks on a non-xattr file system, as these will be cleaned at a later point, allowing the clean to occur properly.

BZ#579836

On 64-bit system, a sign extension bug in libcom_err caused incorrect error messages to be emitted. This was because an error code as an (int) was passed to error_message as an (unsigned int), especially when using libgssapi_krb5. This meant that error_message() failed to find a matching error table. To fix this, error_message() has been changed to follow the same method error_table_name() does when error_message() calls it. That is, it drops most of the higher bits of the parameter passed before continuing, so now correct error messages are emitted.

BZ#580671

A sparse journal (which indicates corruption) was not fixed by e2fsck, causing file system errors and a shut down after mount. This was because e2fsck marked the file system as clean so it would mount, but did not fix that block, so when the journal reached this point again it failed once more. This patch changes process_journal_block() to clear and recreate the journal inode if it is sparse, that is if it gets block 0, allowing e2fsck to correctly fix a sparse journal.

BZ#606757

Previously, chattr and lsattr would return “error code = 0” even when they have not done anything, which made error checking difficult in scripts. With this patch, if there are errors they will be reported with a non-zero exit code. It will give explicit errors when attempting to set files that are not files or directories (which are not currently supported under Linux). Also, the -f flag will suppress error messages from being printed even though the exit status will still be non-zero.

BZ#607843

When checking a particular volume, e2fsck exited with a signal 11 (segmentation fault). This was caused by floating point errors. This patch edits get_icount_el to prevent point precision errors on large file systems from causing the search interpolation algorithm from performing an infinite loop, allowing e2fsck to check the volume correctly.

BZ#618134

The fsck command returned a 0 status instead of an appropriate error code on an exec() failure, due to an error in the code. This patch fixes the error so that the appropriate error code is now returned.

BZ#637920

Previously, blkid cachine caused a tag search (blkid -l -t ...) to return empty results. This occurred mostly in debug code, where dev->bid_type is not-NULL before dereferencing the pointer. This has been edited and blkid cachine now returns proper results.

BZ#669676

Previously, e2fsprogs failed to build with newer gettext package. This was due to a problem in auto-fu. This patch fixes this allowing the packages to build correctly.

BZ#675694

If more than 128 devices were specified on the blkid command line, the devices[] array overflowed, resulting in a crash. This patch avoids the problem by dynamically allocating the devices[] array based on the number of arguments, resulting in more than 128 devices being able to be specified on the blkid command line.

BZ#696930

Running blkid on s390x caused a crash with a signal 11 (segmentation fault) error. This was due to an error in the code regarding floating points. This patch frees a pointer that was not initialized to null, allowing blkid to run correctly on s390x.

BZ#678304

It was possible for the UUIDD to generate duplicate UIDs under certain circumstances. This occurred when the socket backlog in the UUIDD daemon was full, therefore the connection was refused and uuid_generate_time() fell back to unsafe ways of generating a UUID, resulting in the duplicates. Also, fcntle(2) did not work for the synchronization of threads belonging to the same process, contributing to the problem. This patch introduces a safe variant of uuid_generate_time() and fixes the locking of the clock state counter file which prevents UUIDD from generating duplicate UIDs.

BZ#681071

Running e2fsck on a corrupted file system gave a “should never happen” error. This occurred when a directory with an htree index had an incorrect and too-large i_size field. This patch prevents e2fsck from crashing and prompts the user to remove the htree index so that it can be rebuilt after pass 3, allowing file systems with this error to be fixed.

BZ#563909

When running blkid, stale mounts can occasionally be seen within the cache. While running blkid -c /dev/null gets around this, it can become a runtime issue when blkid is run against a machine with several hundred disks. As such this patch adds a garbage collection routine feature. This performs a garbage collection pass on the /etc/blkid.tab file by adding the -g option to the blkid program. The man page has also been updated with more information about what the -g garbage collection option does.

BZ#587778

The mkfs reserved blocks were originally set to 5% by default, with a 1% step size. This was considered excessive for large file systems. With this patch, the reserved blocks amount now accepts a floating point for better accuracy when setting the percent. Also, mke2fs and tune2fs now accept a floating point number from the user to improve the level of accuracy offered.

BZ#264681

Prior to this update, using any mod_ldap directive within a VirtualHost context prevented the module from caching results for that particular virtual host. This update adapts the mod_ldap module to make sure that caching now works correctly in such configurations.

BZ#552303, BZ#632407

When the mod_proxy module was configured as a reverse proxy, multiple unrelated bugs may have prevented it from operating correctly, and may have led to incorrect handling of connection timeouts or even data corruption. With this update, various patches have been applied to address this issue, and the mod_proxy module can now serve as a reverse proxy as expected.

BZ#580008

When the mod_deflate module was configured to compress responses and an HTTP client prematurely terminated a connection, the previous version of the httpd service may have terminated unexpectedly with a segmentation fault. This update applies a patch that resolves this issue, and httpd no longer crashes.

BZ#604727

Prior to this update, the mod_authnz_ldap module was unable to handle referrals from an LDAP server. This update introduces the LDAPChaseReferrals directive, which allows users to enable referral chasing.

BZ#614423

Previously, when the OID() function was used as part of the SSLRequire directive, it was unable to parse certificate attributes of an unknown type. Consequent to this, strings that use the Abstract Syntax Notation One (ASN.1) notation were not rendered properly, and may have been incorrectly prefixed with a random string. This update adapts the OID() function to parse all unknown attributes as ASN.1 strings, so that these strings are now rendered as expected.

BZ#649648

Due to incorrect handling of the SSL certificate cache, an attempt to use an SSL configuration with multiple VirtualHost sections that use identical ServerName values rendered the httpd service unable to start. With this update, the underlying source code has been adapted to address this issue, and using multiple VirtualHost sections with identical ServerNames values no longer prevents httpd from starting.

BZ#673276

Due to incorrect handling of responses with multiple duplicate headers, when a user configured the httpd service to transform HTTP response headers by specifying edit as a value of the Header directive, only one of the matching headers was retained. This has now been fixed, and the edit mode is now applied correctly across all HTTP response headers.

BZ#674102

When using the prefork Multi-Processing Module (MPM), children processes with persistent connections (that is, with the KeepAlive directive set to On) kept processing new requests even when a graceful restart had been issued. This update applies a patch that corrects this error, and children processes with persistent connections no longer process new requests when a graceful restart is requested.

BZ#678057

Prior to this update, an attempt to use the ProxyPassReverse directive with a balancer:// URL that included a path segment caused redirect responses to map the HTTP Location header paths incorrectly. This error has been fixed, and HTTP Location header paths are now mapped correctly.

BZ#679994

Previously, the FilterProvider directive of the mod_filter module was unable to match against non-standard HTTP response headers. With this update, the underlying source code has been adapted to address this issue, and the FilterProvider directive is now able to match against non-standard HTTP response headers as expected.

BZ#691497

When configured as a reverse proxy, the previous version of the mod_proxy module was unable to establish an SSL connection via an intermediary proxy configured using the ProxyRemote directive. This update adapts the mod_proxy module to support this configuration.

BZ#698402

Prior to this update, the mod_include module may have failed to parse certain Server Side Include (SSI) documents if the response contained attribute boundaries that were split across multiple buckets. This update corrects this error, and such SSI documents can now be parsed as expected.

BZ#379811

When using the mod_cache module, by default, the CacheMaxExpire directive is only applied to responses which do not specify their expiry date. Previously, it was not possible to limit the maximum expiry time for all resources. This update adapts the mod_cache module to provide support for hard as a second argument of the CacheMaxExpire directive, allowing a maximum expiry time to be enforced for all resources.

BZ#555870

The mod_proxy_balancer load balancer module has been updated to provide support for the bybusyness scheduler algorithm.

BZ#612198

The mod_reqtimeout module has been added. When enabled, this module allows fine-grained timeouts to be applied during request parsing.

BZ#658766

The mod_proxy and mod_proxy_http modules have been updated to provide support for remote HTTPS proxy servers by using the HTTP CONNECT method.

BZ#699544

After system installation, the dhclient utility failed to start after boot on an interface configured to get an IPv4 address from DHCP. This bug has been fixed and the dhclient utility now starts properly in the described scenario.

BZ#624704

Previously, when a logical network with VLAN tag 0 was created, this value was out of range for logical networks, the host would never create a sub interface 0 and the cluster network would stay in non-operational mode. With this update, the /etc/sysconfig/network-scripts/ifup script has been fixed and logical networks with VLAN tag 0 can now be created.

BZ#676851

Previously, when the netfs script performed a lazy unmount on a NFS file system, sometimes cached data would be written out before the shutdown scripts were able to take down the network interfaces. This caused various machines to have been hanging on shutdown. With this update, the netfs script has been fixed and the physical machines no longer hang in the described scenario.

BZ#664091

When the biosdevname utility sets a name for a PCI device, it uses a # character to specify the device interface. Subsequently, when network services were restarted, the network init script returned an error message, such as ifcfg-ifcfg-pci3#1: No such file or directory even though the interface itself was properly found. With this update, the network init script parses the # character correctly and no error messages are given in the described scenario.

BZ#462095

If an Ethernet interface had letters in the device file name (such as ethWAN or ethVZ) instead of just numbers (such as eth0 or eth5), the /sbin/ifup script failed to enable VLANs configured on such interfaces after the network service was restarted. This bug has been fixed and the /sbin/ifup script now properly configures VLANs regardless of their names.

BZ#604669

When a bonding interface was configured in the /etc/modprobe.conf file without specifying the options in the BONDING_OPTS variable, the arp_ip_target parameter value was cleared after a network restart. Subsequently, the interface connection could not be restored. With this update, the ifdown-eth script has been fixed to only add the arp_ip_target parameter if it is not present, fixing this bug.

BZ#649995

Previously, the following diagnostic error message was given in every tcsh shell:

		grep: character class syntax is [[:space:]], not [:space:].

This bug has been fixed in the /etc/profile.d/lang.csh script and the error message is no longer returned.

BZ#671386

Due to a change in a status message of the dmraid utility, the following error messages appeared on boot, when the previous version of the initscripts package was installed:

	failed to stat() /dev/mapper/no
	failed to stat() /dev/mapper/block
	failed to stat() /dev/mapper/devices
	failed to stat() /dev/mapper/found

With this update, the /rc.d/rc.sysinit script has been fixed and the error messages no longer appear on boot.

BZ#685038

When a system was rebooted while the network switch was down and the network interface had the PERSISTENT_DHCLIENT variable set to yes, the dhclient utility still failed to start on boot. With this update, the ifup-eth init script has been fixed and the dhclient utility starts as expected when PERSISTENT_DHCLIENT=yes is configured.

BZ#687849

Previously, when no Internet Small Computer System Interface (iSCSI) check was done during shutdown or reboot, the following redundant error message was given:

	find: /sys/class/iscsi_session/: No such file or directory.

With this update, the /etc/rc.d/init.d/network script has been fixed and the error message is no longer displayed.

BZ#687890

Previously, the following redundant error message was given during system shutdown:

	Unmounting file systems:  Cannot umount ""

With this update, the /rc.d/init.d/functions script has been fixed and the error message is no longer displayed.

BZ#692893

Due to a bug in the /etc/ssh/ssh_config init script, the value of the LANG variable overwrote the same variable on a remote system as the config settings were passed via OpenSSH, even if the LANG variable was already set. This sometimes caused undesired locale settings with unsupported character set to be set on the target system. This bug has been fixed and the LANG variable is no longer overwritten in the described scenario.

BZ#703203

Due to a bug in the /etc/init.d/halt script, no mount point set up with the word nfs anywhere in its path could be unmounted at reboot or shutdown. This bug has been fixed and such mount points are now unmounted properly.

BZ#684909

Previously, if no IPv4 address was configured, then DHCP for an IPv6 address was not carried out. Subsequently, the eth0 interface had the default IPv6 link-local address assigned to it, instead the address that would be allocated to it via IPv6 dhcpd utility. This bug has been fixed in the /etc/sysconfig/network-scripts/ifup-eth script and now, the dhcp6c daemon is started and an IPv6 address is acquired for the address as well as additional information such as DNS servers etc.

BZ#674221

Previously, if a bonded interface was created and the slave interface includes the setting MASTER=bond0 (where bond0 is the bonded interface) the slave did not start. This bug has been fixed in the /etc/sysconfig/network-scripts/ifcfg-ethX script and the bonded interface now brings up the slave interface and communicate as expected.

BZ#669728

Previously, when MAC (Media Access Control) addresses were switched on a virtual machine or a physical machine with two network interfaces, the sbin/ifdown script became unresponsive when the network was restarted. With this update, the script recognizes that the MAC address for the network interface is wrong and then ignores it, thus fixing this bug.

BZ#665601

The sysctl utility uses . as the path delimiter while VLAN interfaces use . as the ID delimiter. This conflict caused all sysctl calls on a VLAN interface to terminate without any output, causing various issues with IPv6 auto-configuration feature. With this update, several scripts of the iniscripts package have been patched and the sysctl calls no longer hang on VLAN interfaces.

BZ#648524

Previously, the /sysconfig/network-scripts/network-functions script calculated wrong value of the DEVICETYPE variable for IPoIB (IP over Infiniband) child interfaces. Subsequently, the variable could not be used to handle the specific need of the interface, such as calling the ifup-${DEVICETYPE} script. This bug has been fixed and the DEVICETYPE variable value is now calculated correctly for IPoIB interfaces.

BZ#637176

When multiple PIDs (Process Identifiers) are passed to the checkpid() function, it exits with the return value of 0 after finding the first existing PID. This is intended behavior of the function but the accompanying comment in the code indicated that the function fully supported multiple PIDs as arguments, which was confusing for some users. With this update, the comment in the code has been clarified.

BZ#713988

When the X Window System was started by the startx command on the console, the desktop was always displayed in English regardless of the language configured in the /etc/sysconfig/i18n file. With this update, the bug has been fixed in the /etc/profile.d/lang.sh script, and the language setting is now properly recognized when X starts.

BZ#624385

With this update, various init scripts have been enhanced so that they are able to parse configuration files located in the /etc/sysctl.d/ directory. This makes it easier to install or remove RPM packages packages that modify kernel runtime parameters.

BZ#612877

With this update, the ifup and ifdown scripts can recognize and act upon configuration for IPv6 that contains alias devices. Now, multiple IPv6 addresses can be configured on the same interface and can be controlled separately.

BZ#507515

With this update, the ifup script reports duplicate IP addresses via the syslog utility to the /var/log/messages file, in addition to printing its messages on standard output.

BZ#653621

With this update, support for the 1731/02 OSM/OSX network device has been added to the initscrips package.

BZ#689898

With this update, an explanatory comment has been added to the /rc.d/init.d/netfs and the /rc.d/rc.sysinit init scripts regarding the mount -t no* syntax.

BZ#741877

The Intel i350 Gigabit Network adapters failed to pass traffic in SR-IOV (Single Root I/O Virtualization) mode because multiple RX queues were being used, which the hardware does not support in this mode. With this update, the number of RX queues is now limited to one if SR-IOV gets enabled.

BZ#752735

Previously, link power down could not be used. The code for it was already in place but was disabled. With this update, link power down has been enabled in the code and works as expected.

BZ#755482

In some cases, a client skipped issuing a COMMIT call to the server when it determined that it will need to do another such call in the near future. Consequently, the NFS code failed to re-mark the inode as dirty, and the VFS file system failed to issue the call on the next pass. The inode had pages that needed to be cleaned but the inode itself was not marked as dirty. The kdump tuned writeback thresholds to a very low value in order to keep the page cache small. In this environment, the above bug often caused the client to become unresponsive when writing out the vmcore file. With this update, an upstream patch has been provided to address this issue and the hangs no longer occur.

BZ#759387

The IDE error handling code uses the IDE interrupt handler and the general interrupt handler. This could lead to the erroneous execution of kexec/kdump code that was intended to only run at boot time. As a result, the asserted IDE IRQ line would be cleared without the interrupt being handled, which in turn caused the system to become unresponsive during the shut down of the kexec/kdump kernel. To fix this bug, a new test for the IRQ status, which should be IRQ_DISABLED, has been introduced to ensure that the code introduced for the kexec/kdump kernel only executes at boot time.

BZ#750460

When the SMP (Symmetric Multi Processing) kernel ran the crash_kexec() function, the local Advanced Programmable Interrupt Controllers (APICs) could have pending interrupt requests (IRQs) in their vector tables. If there was more than one pending IRQ within the same 32-bit word in the Local APIC (LAPIC) vector table registers, the I/O APIC subsystem would enter setup with pending interrupts left in the LAPIC, causing various degrees of malfunctioning depending on the stuck interrupt vector. This update adds the MAX_LOOPS parameter to limit number of iterations and to provide enough time for the pending IRQs to be cleared if the loop was to lock-up for whatever reason, thus fixing this bug.

BZ#766803

Previously, the domain_update_iommu_coherency() function set domains, by default, as coherent when the domain was not attached to any input/output memory management units (IOMMUs). Consequently, such a domain could update context entries non-coherently via the domain_context_mapping_one() function. To resolve this issue, domain_update_iommu_coherency() has been updated to use the safer default value and domains not attached to any IOMMU are now set as non-coherent.

BZ#746343

If management firmware is present and a device is down, the firmware assumes control of the phy register. Previously, phy access was allowed from the host and it collided with firmware phy accesses, resulting in unpredictable behavior such as BMC (Baseboard Management Controller) LAN link being lost over time. With this update, the bug is fixed in the tg3 driver by only allowing phy accesses while the driver has control of the device.

BZ#744147

In certain circumstances, the evdev_pass_event() function with a spinlock attached was interrupted and called again, eventually resulting in a deadlock. A patch has been provided to address this issue by disabling interrupts when the spinlock is obtained. This prevents the deadlock from occurring.

BZ#750458

The unsolicited frame control infrastructure requires a table of DMA addresses for the hardware to look up the frame buffer location by an index. The hardware expects the elements of this table to be 64-bit quantities. Previously, the dma_addr_t parameter was wrongly used to reference these elements. Consequently, all unsolicited frame protocols were affected, particularly SATA-PIO and SMP, which prevented direct-attached SATA drives and expander-attached drives from being discovered. A patch has been provided to address this issue and SATA drives are now recognized correctly on 32-bit platforms.

BZ#755483

A previous patch introduced with BZ#732775 had the following unintended consequence: if no poll method was defined for files in the /proc/ directory, processes could become unresponsive while they were reading files from this directory. This update restores the default poll behaviour for files in /proc/ that do not have any poll method defined, thus fixing this bug.

Note that procfs files are not real files and unless they may specifically produce more data after a time (such as /proc/kmsg), they should not be polled for more data as some of them cannot be polled for reading. For the most part, all the data they can produce are instantly available.

BZ#754129

When directories mounted on a server are rearranged, they may then nest in a different order and clients may become unable to see or reassign the directories properly. Previously, the __d_unalias() and __d_materialise_dentry() functions did not provide loop prevention. As a consequence, NFS threads sometimes became unresponsive upon encountering a loop in the dentry tree. To fix this bug, this update adds additional loop checks and if a process tries to access a dentry that would otherwise cause the kernel to complete the loop, the ELOOP error code is returned and a message is logged.

BZ#758024

With this update, the latest cciss driver has been provided, which adds support for new HP Smart Array controllers.

BZ#749459

Previously, when the iput() function was called while it held the nfs_access_lru lock could result in problems since iput() can sleep, and it can also attempt to allocate memory. This update removes an optimisation that is not present in the mainline kernel series. Now, iput() is never called while holding a spinlock in the nfs_access_cache_shrinker() function, thus preventing this bug.

BZ#750848

Under certain circumstances, a deadlock could occur between the khubd process of the USB stack and the modprobe of the usb-storage module. This was because the khubd process, when attempting to delete a USB device, waited for the reference count of knode_bus to be of value 0. However, modprobe, when loading the usb-storage module, scans all USB devices and increments the reference count, preventing the khubd process from continuing. With this update, the underlying source code has been modified to address this issue, and a deadlock no longer occurs in the described scenario.

BZ#745726

A previously applied patch (introduced as a fix in CVE-2011-1898) prevented PCI pass-through inside the assign_device domctl via a security check. Because the security check was not included in the test_assign_device domctl, qemu-dm could not handle any failures in the test_assign_device domctl, ultimately causing an HVM guest to have a partly accessible PCI device, which in come cases resulted in a crash of the host machine. With this update, the security check introduced in CVE-2011-1898 has been replicated in the test_assign_device domctl, thus fixing this issue.

BZ#741273

In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command for every bad command when a driver error handler reports success. When several bad commands pointed to a same device, the device was probed multiple times. When the device was in a state where it did not respond to commands even after a recovery function returned success, the error handler had to wait for the commands to time out. This significantly impeded the recovery process. With this update, SCSI mid-layer error routines to send test commands have been fixed to respond once per device instead of once per bad command, thus reducing error recovery time considerably.

BZ#750451

When an INIT_ACK packet is sent with no STATE COOKIE mandatory parameter, the expected abort error cause is Mandatory Parameter missing. Previously, the Invalid mandatory parameter error cause was given instead. With this update, a bug in the sctp_process_missing_param() function has been fixed and now, correct error cause value for missing parameters is set in the described scenario.

BZ#750457

When a COOKIE_ACK message with a packet length smaller then the chunk length defined was received, SCTP (Stream Control Transmission Protocol) sent an ABORT message with incorrectly encoded PROTOCOL VIOLATION error cause. With this update, the underlying code has been fixed and the ABORT message is now encoded properly in the described scenario.

BZ#750842

Due to a regression, the byte count on the wrong buffer was adjusted to account for endian differences. This resulted in the wrong buffer length being passed to the callers on big endian machines, which in turn resulted in data returned from the server being incorrectly rejected with "Invalid transact2 SMB: " error messages. This bug was first reported on the 64-bit PowerPC architecture. With this update, the correct buffer length is now passed in the described scenario.

BZ#750841

Previously, if a connect change occurs on a USB device, it is reported the same way as a disconnect. As a consequence, the "hub 1-1.6:1.0: Cannot enable port X. Maybe the USB cable is bad?" were issued by the dmesg utility when a low speed USB device was connected to port X. With this update, the port reset code in the hub driver has been changed, code of the usb_reset_device() function has been fixed to prevent the routine from futilely retrying the reset after a disconnect has occurred, and no error messages are now returned in the described scenario.

BZ#744700

The operational state of a network device, represented by the value in /sys/class/net/eth<X>/operstate, was not initialized by default and reported unknown when the network device was up and was using the tg3 driver. This update fixes the tg3 driver to properly set the operstate value.

BZ#750912

The be2net driver does not use lock-less Tx paths and its xmit() function is protected by the netif_tx_lock spinlock; as are the set_multicast_list() and set_rx_mode() functions. This configuration setup involves sending a message to the card firmware and getting a reply back, which involves delay up to several miliseconds long. As a consequence, the requeue counter increased by high numbers. With this update, the NETIF_F_LLTX feature has been enabled and locking of own Tx paths has been implemented. Now, only small portions of multicast configuration needs to be locked in the described scenario.

BZ#743611

Prior to this update, the ndisc_send_skb() function was using an incorrect macro to increment the ICMP6 statistics. As a result, an out-of-bound element in an array which resides in the size-128 slab pool was incremented, causing data corruption. If the array was near the end of the slab page, user data corruption could occur. This update fixes the above-mentioned function to use the correct macro for incrementing the ICMP6 statistics, and data corruption no longer occurs.

BZ#742282

A previously introduced patch reduced the size of the DMA zone under the Xen hypervisor. Consequently, drivers trying to allocate contiguous memory with the dma_alloc_coherent() API often had their requests fail. This resulted in BIOS update failures on some systems with large flash memory. With this update, the zone restriction in dma_alloc_coherent() is relaxed, thus fixing this issue.

BZ#747872

When the hangcheck timer expires and tries to reboot the machine, it stops all other CPUs in the configuration. However, the CPU that stops the other CPUs is still enabled for interrupts. Consequently, I/O or external interrupts might arrive at the local CPU and the corresponding interrupt handler might try to acquire a lock. Previously, if a remote CPU was holding the lock while the local CPU stopped it, the result was a deadlock. The system became unresponsive instead of performing a reboot. With this update, interrupts are disabled before stopping remote CPUs and the hangs no longer occur in the described scenario.

BZ#747876

On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a memory shortage the first time, all pages on the active or inactive lists are considered referenced. This causes the memory management on IBM System z to do a full check over all page cache pages and start writeback for all of them. As a consequence, the system became temporarily unresponsive when the described situation occurred. With this update, only pages with active mappers are checked and the page scan now does not cause the hangs.

BZ#750477

Previously, kernel was allowed to reduce the number of unnecessary commit calls by skipping the commit when there was a large number of outstanding pages being written. However, that test did not properly handle the edge case when the number of commits (ncommit) was zero. Consequently, inodes sometimes remained on the sb->s_dirty list and could not be freed by the inode cache shrinker. As a result, the nfs_inode_cache structure grew very large over time. With this update, the call to the nfs_write_inode() function is immediately returned when commit == 0, thus fixing this bug.

BZ#750508

A previous kernel patch removed a call in the nfs_file_release() function to the filemap_fdatawrite() function. Consequently, data written to a NFS file, which had been mapped into memory via the mmap() function and not yet flushed to the backing device, were lost as soon as the file was closed. This update adds the filemap_fdatawrite() call back to the nfs_file_flush() function, which fixes this regression.

BZ#746600

The Xen network back-end driver was supposed to turn on all of its possible features until it negotiated with the front-end. However, after the negotiation, it did not disable the features declined by the front-end. This caused Windows guest using the xenpv-win network driver to not be able to transmit data to the host over TCP. This update properly disables the features which are not supported by the front-end.

Enhancement

BZ#743806

This update improves the performance of delete/unlink operations in a GFS2 file system containing large files by adding a layer of metadata read-ahead for indirect blocks.

BZ#719746

Prior to this update, a race condition in TIPC's (Transparent Inter-process Communication) recv_msg function caused kernel panic. This update modifies TIPC's socket locking logic, and kernel panic no longer occurs.

BZ#722855

The RHSA-2009:1243 update introduced a regression in the way file locking on NFS (Network File System) was handled. This caused applications to hang if they made a lock request on a file on an NFS version 2 or 3 file system that was mounted with the sec=krb5 option. With this update, the original behavior of using mixed RPC authentication flavors for NFS and locking requests has been restored.

BZ#726625

An incorrect call to the nfs4_drop_state_owner function caused the NFSv4 state reclaimer thread to be stuck in an infinite loop while holding the Big Kernel Lock (BKL). With this update, the aforementioned call has been removed, thus, fixing this issue.

BZ#728163

Certain systems do not correctly set the ACPI FADT APIC mode bit. They set the bit to "cluster" mode instead of "physical" mode which caused these systems to boot without the TSC. With this update, the ACPI FADT check has been removed due to its unreliability, thus, fixing this issue.

BZ#712885

A bug was found in the way the x86_emulate() function handled the IMUL instruction in the Xen hypervisor. On systems without support for hardware assisted paging (HAP), such as those running CPUs that do not have support for (or those that have it disabled) Intel Extended Page Tables (EPT) or AMD Virtualization (AMD-V) Rapid Virtualization Indexing (RVI), this bug could cause fully-virtualized guests to crash or lead to silent memory corruption. In reported cases, this issue occurred when booting fully-virtualized Red Hat Enterprise Linux 6.1 guests with memory cgroups enabled on a Red Hat Enterprise Linux 5.7 host.

BZ#727592

The fix provided in CVE-2010-3432 information in sctp_packet_config(), which is called before appending data chunks to a packet, was no longer reset, ultimately causing performance issues. With this update, packet information is reset after a packet transmit, thus, fixing the aforementioned performance issues.

BZ#721300

Prior to this update, an attempt to use the vfree() function on a vmalloc()'ed area could result in a memory leak. With this update, the underlying source code has been modified to address this issue, and a memory leak no longer occurs.

BZ#727590

A problem with the XFS dio error handling was discovered. If a misaligned write I/O operation was issued, XFS would return -EINVAL without unlocking the inode's mutex. This caused any further operations on the inode to become unresponsive. This update adds a missing mutex_unlock operation to the dio error path, solving this issue.

BZ#726619

Older versions of be2net cards firmware may not recognize certain commands and return illegal/unsupported errors, causing confusing error messages to appear in the logs. With this update, the driver handles these errors gracefully and does not log them.

BZ#723552

This patch fixes the inability of the be2net driver to work in a kdump environment. It clears an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel after a crash.

BZ#726628

When a block device object was allocated, the bd_super field was not being explicitly initialized to NULL. Previous users of the block device object may have set the bd_super field to NULL when the object is released by calling the kill_block_super() function. Some third party file systems do not always use this function and as a result the bd_super field could have become uninitialized when the object was allocated again. This could cause a kernel panic in the blkdev_releasepage() function when the uninitialised bd_super field was dereferenced. With this update, the bd_super field is properly initialized in the bdget function, and kernel panic no longer occurs.

BZ#727835

Under some circumstances, error reports within the XFS file system could dereference a NULL pointer cause kernel panic. This update fixes the NULL pointer dereference, and kernel panic no longer occurs

BZ#719930

This update makes the size of the three DLM hash tables consistent: 1024 entries with a Red Hat Enterprise Linux 5-specific change to allocate the tables using vmalloc allowing a higher maximum size that can be allocated for these tables. This results in improved DLM/GFS performance when there are many locks being held (that is, many GFS files being used).

BZ#704735

The be2iscsi driver passed a local variable in the request_irq function which lead to corruption in /proc/interrupts. All data in /proc/interrupts was correct except the device names. This update fixes the incorrect devices names in /proc/interrupts.

BZ#660871

Calling the mptctl_fasync() function to enable async notification caused the fasync_struct data structure, which was allocated, to never be freed. fasync_struct remained on the event list of the mptctl module even after a file was closed and released. After the file was closed, fasync_struct had an invalid file pointer which was dereferenced when the mptctl module called the kill_fasync() function to report any events. The use of the invalid file pointer could result in a deadlock on the system because the send_sigio() function tried to acquire the rwlock in the f_owner field of the previously closed file. With this update, a release callback function has been added for the file operations in the mptctl module. fasync_struct is now properly freed when a file is closed, no longer causing a deadlock.

BZ#665427

If an error occurred during I/O, the SCSI driver reset the megaraid_sas controller to restore it to normal state. However, on Red Hat Enterprise Linux 5, the waiting time to allow a full reset completion for the megaraid_sas controller was too short. The driver incorrectly recognized the controller as stalled, and, as a result, the system stalled as well. With this update, more time is given to the controller to properly restart, thus, the controller operates as expected after being reset.

BZ#695493

On a Red Hat Enterprise Linux 5.7 system, it is advisable to update the firmware of the HP ProLiant Generation 6 (G6) controller's firmware to version 5.02 or later. Once the firmware is successfully updates, reboot the system and kdump will work as expected.

HP G6 controllers include: P410i, P411, P212, P712, and P812.

In addition, kdump may fail when using the HP Smart Array 5i Controller on a Red Hat Enterprise Linux 5.7 system.

BZ#696153

Under certain circumstances, a command could have been left unprocessed when using either the cciss or hpsa driver because the HP Smart Array controller considered those commands to be completed when, in fact, they were still waiting in the completion queue. This could have caused the file system to become read-only or panic, and the whole system to become unstable. This update adds an extra read operation to both the cciss and hpsa drivers, with the result that commands in the completion queue are properly processed.

BZ#646513

A call to the HP_GETHOSTINFO ioctl (I/O Control) in the mptctl module could result in the MPT (Message Passing Technology) fusion driver being reset due to erroneous detection of completed ioctl commands. With this update, the message context sent to the mptctl module is stored (previously, it was zeroed). When an ioctl command completes, the saved message context is used to recognize the completion of the message, thus resolving the faulty detection.

BZ#664592

Using the cciss driver, when a TUR (Test Unit Ready) was executed, the rq->bio pointer in the blk_rq_bytes function was of value null, which resulted in a null pointer dereference, and, consequently, kernel panic occurred. With this update, the rq->bio pointer is used only when the blk_fs_request(rq) condition is true; thus, kernel panic no longer occurs.

BZ#706244

Using the megaraid_sas driver, if a user configured 2 logical disks on a RAID volume whose disks are larger than 2 TB, with the start of the second logical disk after the 2 TB mark, and FastPath was enabled, FastPath read operations to the second logical disk were read from the incorrect location on disk. However, write operations were not affected and were always directed to the correct disk location. With this update, the driver detects if LBA > 0xffffffff & cdb_len < 16, then converts the cdb from the OS to a 16 byte CDB, before firing it as a FastPath I/O, fixing this issue.

BZ#656032

Due to incorrect ordering of glocks, a deadlock could occur in the code which reclaims unlinked inodes when multiple nodes were trying to deallocate the same unlinked inode. This update resolves the lock ordering issue, and unlinked inodes are now properly deallocated under all circumstances.

BZ#669527

The bnx2i driver could cause a system crash on IBM POWER7 systems. The driver's page tables were not set up properly on Big Endian machines, causing extended error handling (EEH) errors on PowerPC machines. With this update, the page tables are properly set up, and a system crash no longer occurs in the aforementioned case.

BZ#700203, BZ#673616

VDSO (Virtual Dynamically-linked Shared Object) kernel variables must be exported in vextern.h, otherwise they end up as undefined pointers. When calling the VDSO gettimeofday() function in Red Hat Enterprise Linux 5, a missing declaration lead to a segmentation fault. With this update, the sysctl_vsyscall system call is properly exported, and segmentation faults no longer occur.

BZ#660661

Due to an off-by-one error, gfs2_grow failed to take the very last rgrp parameter into account when adding up the new free space. With this update, the GFS2 kernel properly counts all the new resource groups and fixes the statfs file correctly.

BZ#683155

GFS2 (Global File System 2) keeps track of the list of resource groups to allow better performance when allocating blocks. Previously, when the user created a large file in GFS2, GFS2 could have run out of allocation space because it was confined to the recently-used resource groups. With this update, GFS2 uses the MRU (Most Recently Used) list instead of the list of the recently-used resource groups. The MRU list allows GFS2 to use all available resource groups and if a large span of blocks is in use, GFS2 uses allocation blocks of another resource group.

BZ#690555

Multiple GFS2 nodes attempted to unlink, rename, or manipulate files at the same time, causing various forms of file system corruption, panics, and withdraws. This update adds multiple checks for dinode's i_nlink value to assure inode operations such as link, unlink, or rename no longer cause the aforementioned problems.

BZ#694669

Prior to this update, a race in the GFS2 glock state machine could cause nodes to become unresponsive. Specifically, all nodes but one would hang, waiting for a particular glock. All the waiting nodes had the W (Waiting) bit set. The remaining node had the glock in the Exclusive Mode (EX) with no holder records. The race was caused by the Pending Demote bit, which could be set and then immediately reset by another process. With this update, the Pending Demote bit is properly handled, and GFS2 nodes no longer hang.

BZ#691460

Certain IBM storage arrays, such as the IBM 1745 and 1746, could have stopped responding or failed to load the device list of the scsi_dh_rdac kernel module. This occurred because the scsi_dh_rdac device list did not contain these storage arrays. With this update, the arrays have been added to the list, and they are now detected and operate as expected.

BZ#665197

Prior to this update, the following message was displayed when booting a Red Hat Enterprise Linux 5 system on a virtual guest:

WARNING calibrate_APIC_clock: the APIC timer calibration may be wrong.

This was due to the MAX_DIFFERENCE parameter value (in the APIC calibration loop) of 1000 cycles being too aggressive for virtual guests. APIC (Advanced Programmable Interrupt Controllers) and TSC (Time Stamp Counter) reads normally take longer than 1000 cycles when performed from inside a virtual guest, due to processors being scheduled away from and then back onto the guest. With this update, the MAX_DIFFERENCE parameter value has been increased to 10,000 for virtual guests.

BZ#675727

Prior to this update, a segmentation fault occurred when an application called VDSO's gettimeofday() function due to erroneous exporting of the wall_to_monotonic construct. With this update, the wall_to_monotonic construct is correctly exported, and a crash no longer occurs.

BZ#675793

A cpu mask that is being waited on after an IPI call was not the same cpu mask that was being passed into the IPI call function. This could result in not up-to-date values being stored in the cache. The loop in the flush_tlb_others() function waited for the cpu mask to be cleared, however, that cpu mask could have been incorrect. As a result, the system could become unresponsive. With this update, the cpu mask being waited on is the same cpu mask used in the IPI call function, and the system no longer hangs.

BZ#659594

A bug was discovered in the bonding driver that occurred when using netpoll and changing, adding or removing slaves from a bond. The misuse of a per-cpu flag in the bonding driver during these operations at the wrong time could lead to the detection of an invalid state in the bonding driver, triggering kernel panic. With this update, the use of the aforementioned per-cpu flag has been corrected and a kernel panic no longer occurs.

BZ#692921

The kdump kernel could fail when handling an IPI (Inter-processor interrupt) that was in-flight as the initial kernel crashed. This was due to an IPI-related data structure within kdump's kernel not being properly initialized, resulting in a dereference of an invalid pointer. This update addresses this issue, and the kdump kernel no longer fails upon encountering an in-flight IPI.

BZ#669961

For a device that used a Target Portal Group (TPG) ID which occupied the full 2 bytes in the RTPG (Report Target Port Groups) response (with either byte exceeding the maximum value that may be stored in a signed char), the kernel's calculated TPG ID would never match the group_id that it should. As a result, this signed char overflow also caused the ALUA handler to incorrectly identify the AAS (Asymmetric Access State) of the specified device as well as incorrectly interpret the supported AAS of the target. With this update, the aforementioned issue has been addressed and no longer occurs.

BZ#673058

A race could occur when an internal multipath structure (pgpath) was freed before it was used to signal the path group initialization was complete (via pg_init_done). This update includes a number of fixes that address this issue. multipath is now increasingly robust when multipathd restarts are combined with I/O operations to multipath devices and storage failures.

BZ#680561

The event device (evdev) failed to lock data structures when adding or removing input devices. As a result, kernel panic occurred in the evdev_release function during a system restart. With this update, locking of data structures works as expected, and kernel panic no longer occurs.

BZ#670373

Prior to this update, kernel panic occurred in the kfree() due to a race condition in the acpi_bus_receive_event() function. The acpi_bus_receive_event() function left the acpi_bus_event_list list attribute unlocked between checking it whether it was empty and calling the kfree() function on it. With this update, a check was added after the lock has been lifted in order to prevent the race and the calling of the kfree() function on an empty list.

BZ#677703

Running a reboot test on an iSCSI root host resulted in kernel panic. When the iscsi_tcp module is destroying a connection it grabs the sk_callback_lock and clears the sk_user_data/conn pointer to signal that the callback functions should not execute the operation. However, some functions were not grabbing the lock, causing a NULL pointer kernel panic when iscsi_sw_tcp_conn_restore_callbacks was called and, consequently, one of the callbacks was called. With this update, the underlying source code has been modified to address this issue, and kernel panic no longer occurs.

BZ#664931

Prior to this update, a multi-threaded application, which invoked popen(3) internally, could cause a thread stall by FILE lock corruption. The application program waited for a FILE lock in glibc, but the lock seemed to be corrupted, which was caused by a race condition in the COW (Copy On Write) logic. With this update, the race condition was corrected and FILE lock corruption no longer occurs.

BZ#667673

The ext4 file system could end up corrupted after a power failure occurred even when file system barriers and local write cache was enabled. This was due to faulty barrier flag setting in WRITE_SYNC requests. With this update, this issue has been fixed, and ext4 file system corruption no longer occurs.

BZ#627496

When selecting a new window, the tcp_select_window() function tried not to shrink the offered window by using the maximum of the remaining offered window size and the newly calculated window size. The newly calculated window size was always a multiple of the window scaling factor, however, the remaining window size was not since it depended on rcv_wup/rcv_nxt. As a result, a window was shrunk when it was scaled down. With this update, aligning the remaining window to the window scaling factor assures a window is no longer shrunk.

BZ#695369

Configuring a network bridge with no STP (Spanning Tree Protocol) and a 0 forwarding delay could result in the flooding of all packets on the link for 20 seconds due to various issues in the source code. With this update, the underlying source code has been modified to address this issue, and a traffic flood on the network bridge no longer occurs.

BZ#646816

Prior to this update, the /proc/diskstats file showed erroneous values. This occurred when the kernel merged two I/O operations for adjacent sectors which were located on different disk partitions. Two merge requests were submitted for the adjacent sectors, the first request for the second partition and the second request for the first partition, which was then merged to the first request. The first submission of the merge request incremented the in_flight value for the second partition. However, at the completion of the merge request, the in_flight value of a different partition (the first one) was decremented. This resulted in the erroneous values displayed in the /proc/diskstats file. With this update, the merging of two I/O operations which are located on different disk partitions has been fixed and works as expected.

BZ#643441

If an application opened a file with the O_DIRECT flag on an NFS client and performed write operations on it of size equal to wsize (size of the blocks of data passed between the client and the server), the NFS client sent two RPCs (Remote Procedure Calls) when only one RPC needed to be send. Write operations of size smaller than wsize worked as expected. With this update, write operations of size equal to wsize now work as expected and no longer cause the NFS client to send out unnecessary RPCs.

BZ#653286

Under certain circumstances, a crash in the kernel could occur due to a race condition in the lockd_down function, which did not wait for the lockd process to come down. With this update, the lockd_down function has been fixed, and the kernel no longer crashes.

BZ#671595

Prior to this update, the be2net driver failed to work with bonding, causing flapping errors (the interface switches between states up and down) in the active interface. This was due to the fact that the netdev->trans_start pointer in the be_xmit function was not updated. With this update, the aforementioned pointer has been properly updated and flapping errors no longer occur.

BZ#664705, BZ#664707

For certain NICs, the operstate state (stored in, for example, the /sys/class/net/eth0/operstate file) was showing the unknown state even though the NIC was working properly. This was due to the fact that at the end of a probe operation, the netif_carrier_off was not being called. With this update, the netif_carrier_off is properly called after a probe operation, and the operstate state now correctly displays the operational state of an NIC.

BZ#506630

RHEL5.7 has introduced the new multicast snooping feature for virt bridge. The feature is disabled by default in order to not break any existing configurations. To enable the feature, please set the tunnable parameter below to 1:

/sys/class/net/breth0/bridge/multicast_snooping

Please also note that with multicast snooping enabled, it may caused a regression with some switches where it causes a break in the multicast forwarding for some peers.

BZ#661110

Outgoing packets were not fragmented after receiving the icmpv6 pkt-too-big message when using the IPSecv6 tunnel mode. This was due to the lack of IPv6 fragmentation support over an IPsec tunnel. With this update, IPv6 fragmentation is fully supported and works as expected when using the IPSecv6 tunnel mode.

BZ#667234

The fix introduced with BZ#560013 added a check for detection of the northbridge device into the amd_fixup_dcm() function to make Red Hat Enterprise Linux 5 guests boot on a 5.4.z Xen hypervisor. However, the added check caused a kernel panic due to missing multi-node CPU topology detection on AMD CPU family 0x15 systems. To preserve backwards compatibility, the check has not been removed but is triggered only on AMD Family 15h systems (code-named "Magny-Cours"). AMD family 0x15 systems do not require the aforementioned check because they are not supported as 5.4 Xen Hypervisor hosts. For Xen Hypervisor 5.5, this issue has been fixed, which makes the check obsolete.

BZ#675258

Booting a Red Hat Enterprise Linux 5.4 or later kernel failed (the system became unresponsive) due to the zeroing out of extra bytes of memory of the reset vector. The reset vector is comprised of two 16-bit registers (high and low). Instead of zeroing out 32-bits, the kernel was zeroing out 64-bits. On some machines this overwritten memory was used during the boot process, resulting in a hang. With this update, the long data type has been changed to the unsigned 32-bit data type; thus, resolving the issue. The Red Hat Enterprise Linux 5.4 and later kernel now boot as expected on the machines affected by this bug.

BZ#678074

Setting the capture levels on the Line-In capture channel when using an ARX USB I/O sound card for recording and playback did not work properly. The set values were not persistent. With this update, the capture values are now cached in the usb-audio driver leaving the set capture levels unchanged.

BZ#688926

This update fixes a bug in the way isochronous input data was returned to user space for usbfs (USB File System) transfers, resolving various audio issues.

BZ#645431

The Red Hat Enterprise Linux kernel can now be tainted with a tech preview status. If a kernel module causes the tainted status, then running the command cat /proc/modules will display a (T) next to any module that is tainting the kernel.

For more information about Technology Previews, refer to:

https://access.redhat.com/support/offerings/techpreview/

Important: Running a kernel with the tainted flag set may limit the amount of support that Red Hat can provide for the system.

BZ#525898

Previously, paravirtualized Xen guests allocated all low memory (all memory for 64-bit) to ZONE_DMA, rather than using ZONE_DMA32 and ZONE_NORMAL. The guest kernels now use all three zones the same way natively running kernels do.

BZ#651512

While bringing down an interface, the e1000 driver failed to properly handle IRQs (Interrupt Requests), resulting in the reception of the following messages:

irq NN: nobody cared...

With this update, the driver's down flag is set later in the process of bringing down an interface, specifically, after all timers have exited, preventing the IRQ handler from being called and exiting early without handling the IRQ.

BZ#651837

By default, libsas defines a wideport based on the attached SAS address, rather than the specification compliant “strict” definition of also considering the local SAS address. In Red Hat Enterprise Linux 5.7, only the default “loose” definition is available. The implication is that if an OEM configures an SCU controller to advertise different SAS addresses per PHY, but hooks up a wide target or an expander to those PHYs, libsas will only create one port. The expectation, in the “strict” case, is that this would result in a single controller multipath configuration.

It is not possible to use a single controller multipath without the strict_wide_port functionality. Multi-controller multipath should behave as a expected.

A x8 multipath configuration through a single expander can still be obtained under the following conditions:

1. Start with an SCU SKU that exposes (2) x4 controllers (total of 8 PHYs)
2. Assign sas_address1 to all the PHYs on controller1
3. Assign sas_address2 to all the PHYs on controller2
4. Hook up the expander across all 8 PHYs
5. Configure multipath across the two controller instances

It is critical for controller1 to have a distinct address from controller2, otherwise the expander will be unable to correctly route connection requests to the proper initiator.

BZ#673242

Previously, on VMware, the time ran too fast on virtual machines with more than 4GHz TSC (Time Step Counter) processor frequency if they were using PIT/TSC based timekeeping. This was due to a calculation bug in the get_hypervisor_cycles_per_sec function. This update fixes the calculation, and timekeeping works correctly for such virtual machines.

BZ#661478

A formerly introduced patch that provided extended PCI config space access on AMD systems caused the lpfc driver to fail when it tried to initialize hardware. On kernel-xen, Hypervisor trapped the aforementioned accesses and truncated them, causing the lpfc driver to fail to initialize hardware. Note that this issue was only observed when using the lpfc driver with the following parameters: Vendor_ID=0x10df, Device_ID=0xf0e5. With this update, the part of the patch related to kernel-xen that was causing the failures was removed and the lpfc driver now works as expected.

BZ#698879

Hot removing a PCIe device and, consequently, hot plugging it again caused kernel panic. This was due to a PCI resource for the SR-IOV Virtual Function (vf) not being released after the hot removing, causing the memory area in the pci_dev struct to be used by another process. With this update, when a PCIe device is removed from a system, all resources are properly released; kernel panic no longer occurs.

BZ#672368, BZ#695490

In a four node cluster environment, a deadlock could occur on machines in the cluster when the nodes accessed a GFS2 file system. This resulted in memory fragmentation which caused the number of network packet fragments in requests to exceed the network hardware limit. The network hardware firmware dropped the network packets exceeding this limit. With this update, the network packet fragmentation was reduced to the limit of the network hardware, no longer causing problems during memory fragmentation.

BZ#674298

Prior to this update, if a CT/ELS pass-through command timed out, the QLogic 8Gb Fibre Channel adapter created a firmware dump. With this update, firmware dumps are no longer created when CT/ELS pass-through requests time out as a firmware dump is not necessary in this case.

BZ#695357

Setting a DASD (Direct Access Storage Device) device offline while another process is trying to open that device caused a race in the dasd_open function. The dasd_open function tried to read a pointer from the private_data field after the structure has already been freed, resulting in a dereference of an invalid pointer. With this update, the aforementioned pointer is now stored in a different structure; thus, preventing the race condition.

BZ#666080

Deleting a file on a GFS2 file system caused the inode, which the deleted file previously occupied, to not be freed. Specifically, this only occurred when a file was deleted on a particular node while other nodes in the cluster were caching that same inode. The mechanism for ensuring that inodes are correctly deallocated when the final close occurs was dependent on a previously corrected bug (BZ#504188 ). In order to ensure that iopen glocks are not cached beyond the lifetime of the inode, and thus prevent deallocation by another inode in the cluster, this update marks the iopen glock as not to be cached during the inode disposal process.

BZ#610093

In some cases the NFS server fails to notify NFSv4 clients about renames and unlinks done by non-NFS users of the server. An application on a client may then be able to open the file at its old location (read old cached data from it and perform read locks on it), long after the file no longer exists at that location on the server. To work around this issue, use NFSv3 instead of NFSv4. Alternatively, turn off support for leases by writing the value 0 to the /proc/sys/fs/leases-enable file (ideally on boot, before the NFS server is started). This change prevents NFSv4 delegations from being given out, restoring correctness at the expense of some performance.

BZ#662102

Booting Red Hat Enterprise Linux 5 with the crashkernel=X parameter enabled for the kdump kernel does not always succeed. This is because the kernel may not be able to find a suitable memory range for the crashkernel due to the fragmentation of the physical memory. Similarly, if a user specifies the starting address of the reserved memory, the specified memory range may be occupied by other parts of the kernel (in this case, the initrd, i.e. initial ramdisk). This update adds two debugging kernel parameters (bootmem_debug and ignore_loglevel) which allow to diagnose what causes the crashkernel to not be assigned enough memory.

BZ#698873

In Red Hat Enterprise Linux 5.7 netconsole was enabled to work with software network bridges. This disables previous workaround used by RHEV Manager Agent (VDSM) to use ethernet network interface directly.

Customers wishing to continue using netconsole logging on the RHEL 5.7 nodes registered with RHEV Manager, should modify the /etc/sysconfig/netconsole file and change the line where the DEV variable is set to:

DEV=rhevm

and restart the netconsole service with:

# service netconsole restart

BZ#669909

Prior to this update, a rhev-agent could not be started due to missing a /dev/virtio-ports/ directory. This was due to the fact that the udev utility does not parse the KOBJ_CHANGE event. With this update, the KOBJ_ADD event is invoked instead so that symlinks in /dev/virtio-ports are created when a port name is obtained.

BZ#673459

Using a virtio serial port from an application, filling it until the write command returns -EAGAIN and then executing a select command for the write command caused the select command to not return any values, when using the virtio serial port in a non-blocking mode. When used in a blocking mode, the write command waited until the host indicated it used up the buffers. This was due to the fact that the poll operation waited for the port->waitqueue pointer, however, nothing woke the waitqueue when there was room again in the queue. With this update, the queue is woken via host notifications so that buffers consumed by the host can be reclaimed, the queue freed, and the application write operations may proceed again.

BZ#653236

Prior to this update, a FW/SW semaphore collision could lead to an link establishment failure on an SFP+ (Small Form-factor Pluggable) transceiver module. With this update, the underlying source code has been modified to address this issue, and SFP+ modules work as expected.

BZ#680531

Enabling the Header Splitting mode on all Intel 82599 10 Gigabit Ethernet hardware could lead to unpredictable behavior. With this update, the Header Splitting mode is never enabled on the aforementioned hardware. Additionally, this update fixes VM pool allocation issues based on MAC address filtering, and limits the scope of VF access to promiscuous mode.

BZ#657166

Using an XFS file system, when an I/O error occurred during an intermediate commit on a rolling translation, the xfs_trans_commit() function freed the structure of the transaction and the related ticket. However, the duplicate transaction, which is used when the transaction continues, still contained a pointer to the freed ticket. Therefore, when the second transaction was canceled, the ticked was freed for the second time, causing kernel panic. This update adds reference counting to the ticket to avoid multiple freeing of a ticket when a commit error occurs.

BZ#616125

A spurious BUG_ON() call caused the module_refcount variable to not be always accurate outside of the atomic state within the stop_machine function, observed mainly under heavy network load. This update removed the BUG_ON() call, fixing this issue.

BZ#695197

A previously introduced patch added support for displaying the temperature of application-specific integrated circuits (ASIC). However, a missing increment of the work_counter variable in the be_worker function caused the be_cmd_get_die_temperature function to be called every 1 second (instead of the 32 seconds it should be), and the be_cmd_get_die_temperature function to be called even when it was not supported. This update fixes this issue.

BZ#695168

Prior to this update, the stat.st_blksize parameter was always set to PAGE_CACHE_SIZE, causing performance issues. With this update, the underlying source code has been modified to address this issue, and Red Hat Enterprise Linux 5 systems no longer suffer from performance issues caused by the aforementioned parameter.

BZ#710584

Broken scatterlist handling during command construction caused SMP commands to fail, resulting in the SCU driver not detecting drives behind expanders. This update fixes the SCU driver to detect drives placed behind expanders.

BZ#658012

Kernel panic occurred when a non-maskable interrupt was issued during a forced shutdown of the XFS file system. This was due to a spinlock occurring in various functions. With this update, the spinlocks have been removed, and kernel panic no longer occurs. Additionally, the CONFIG_XFS_DEBUG option is disabled by default on kernel-debug.

BZ#663123

Prior to this update, the /proc/partitions file was not being updated after LUNs were created using the hpacucli utility (which adds, deletes, identifies, and repairs logical and physical disks). This issue has been fixed via the update of the CCISS driver to version 3.6.26-5, as noted in BZ#635143.

BZ#704963

When the ibmvscsi driver reset its CRQ and attempted to re-register the CRQ, it received an H_CLOSED response, indicating that the Virtual I/O Server is not yet ready to receive commands. As a result, the ibmvscsi driver caused the VSCSI adapter to go offline and fail to recover. This update re-enables interrupts so that when the Virtual I/O Server is ready and sends the CRQ initialization request, it is properly received and processed.

BZ#710477

This update ensures that all remote ports are deleted when a Virtual I/O Server fails in a dual Virtual I/O Server multipath configuration, so that a path failover works as expected and the ibmvfc driver no longer becomes unresponsive. For a single path configuration, the remote ports go into a devloss state.

BZ#717742

Installation of HVM guests failed on AMD hosts. This update provides a number of patches which resolve this issue, and HVM guests can be installed on AMD hosts as expected.

BZ#710498

Using iSCSI offload resulted in EEH (Enhanced Error Handling) errors caused by missing programming of the page sizes on systems which do not use the 4K PAGE_SIZE. With this update, the underlying source code has been modified to address this issue, and EEH errors no longer occur when using iSCSI offload.

BZ#700546

File system corruption could occur on a file system with the qla2xxx driver due to missing block I/O back/front segment size setting. This update adds the block I/O back/front segment size setting, resolving this issue.

BZ#696182, BZ#696182, BZ#707299

The tg3 network driver has been updated to support the Broadcom 5720 Network Interface Controller. Additionally, the tg3 network driver includes a number of fixes to support the Broadcom 5719 Network Interface Controller.

BZ#684842

The mpt2sas driver now allows customer specific display support.

BZ#689047

Support for DMI OEM flags to set pci=bfsort has been added.

BZ#651429

The ipr driver now supports the SAS VRAID capability on the new CRoC-based SAS adapters on IBM POWER7 systems.

BZ#684361

The AHCI driver has been updated to support for SATA RAID on future Intel chipsets.

BZ#570366

The ixgbe driver now provides support for PCIe AER (Advanced Error Reporting).

BZ#739823

A previously applied patch to help clean-up a failed nmi_watchdog check by disabling various registers caused single-vcpu Xen HVM guests to become unresponsive during boot when the host CPU was an Intel Xeon Processor E5405 or an Intel Xeon Processor E5420, and the VM configuration did not have the apic = 1 parameter set. With this update, NMI_NONE is the default watchdog on AMD64 HVM guests, thus, fixing this issue.

BZ#730686

A previously introduced patch forced the ->flush and ->fsync operations to wait on all WRITE and COMMIT remote procedure calls (RPC) to complete to ensure that those RPCs were completed before returning from fsync() or close(). As a consequence, all WRITEs issued by nfs_flush_list were serialized and caused a performance regression on NFS clients. This update changes nfs_flush_one and nfs_flush_multi to not wait for WRITEs issued when the FLUSH_SYNC parameter is set, resolving performance issues on NFS clients.

BZ#733665

When setting the value in the /proc/sys/vm/dirty_writeback_centisecs file via echo, the actual saved value was always one less than the given value (for example, setting 500 resulted in 499 being set). This update fixes this off-by-one error, and values in /proc/sys/vm/dirty_writeback_centisecs are now correctly set.

BZ#732775

When reading a file from a subdirectory in /proc/bus/pci/ while hot-unplugging the device related to that file, the system would crash. With this update, the kernel correctly handles the simultaneous removal of a device, and access to the representation of that device in the proc file system.

BZ#738389

Prior to this update, MTU was constrained to 1500 unless Scatter/Gather I/O (SG) was supported by the NIC; in the case of netback, this would mean unless SG was supported by the front-end. Because the hotplugging scripts ran before features have been negotiated with the front-end, at that point SG would still be disabled, breaking anything using larger MTUs, (for example, cluster communication using that NIC). This update inverts the behavior and assumes SG to be present until negotiations prove otherwise (in such a case, MTU is automatically reduced).

BZ#734157

A previously applied patch introduced a regression for 3rd party file systems that do not set the FS_HAS_IODONE2 flag, specifically, the Oracle Cluster File System 2 (OCFS2). The patch removed a call to the aio_complete function, resulting in no completion events being processed, causing userspace applications to become unresponsive. This update reintroduces the aio_complete function call, fixing this issue.

BZ#732946

This update fixes a race between TX and MCC events where an MCC event could kill a NAPI schedule by a succeeding TX event, which resulted in network transfer pauses.

BZ#730685

Previously, when the Xen Hypervisor split a 2 MB page into 4 KB pages, it linked the new page from the PDE (Page Directory Entry) before it filled entries of the page with appropriate data. Consequently, when doing a live migration with EPT (Extended Page Tables) enabled on a non-idle guest running with more than two virtual CPUs, the guest often terminated unexpectedly. With this update, the Xen Hypervisor prepares the page table entry first, and then links it in, fixing this bug.

BZ#730682

This update adds a missing patch that enables WOL (Wake-on-LAN) on the second port of a Intel Ethernet Server Adapter I350.

BZ#736275

Kernel panic occurred on a Red Hat Enterprise Linux 5.7 QLogic FCoE host during I/O operations with fabric faults due to a NULL fcport object dereference in the qla24xx_queuecommand function. This update adds a check that returns DID_NO_CONNECT if the fcport object is NULL.

BZ#732945

Packet statistics in /proc/net/dev occasionally jumped backwards. This was because the cat /proc/net/dev command was processed while the loop updating the counter was running, sometimes resulting in partially updated counter (causing the statistics to be incorrect). This update fixes this bug by using a temporary variable while summing up all the RX queues, and only then updating the /proc/net/dev statistics, making the whole operation atomic. Additionally, this update provides a patch that fixes a problem with the 16-bit RX dropped packets HW counter by maintaining a 32-bit accumulator in the driver to prevent frequent wraparound.

BZ#734772

Prior to this update, the nosharecache NFS mount option was not always honored. If two mount locations specified this option, the behavior would be the same as if the option was not specified. This was because of missing checks that enforced this option. This update adds the missing checks, resolving this issue.

BZ#728521

When kdump was triggered under a heavy load, the system became unresponsive and failed to capture a crash dump. This update fixes interrupt handling for kdump so that kdump successfully captures a crash dump while under a heavy load.

BZ#732440

Previously, configurations where Max BW was set to 0 produced the following message:

Illegal configuration detected for Max BW - using 100 instead.

With this update, such message is produced only when debugging is enabled, and such configuration is no longer called Illegal.

BZ#733152

If the be2net driver could not allocate new SKBs in the RX completion handler, it returned messages to the console and dropped packets. With this update, the driver increases the netdevice rx_dropped counter instead, and no longer produces messages in the console.

BZ#734761

If iSCSI was not supported on a bnx2 device, the bnx2_cnic_probe() function returned NULL and the cnic device was not be visible to bnx2i. This prevented bnx2i from registering and then unregistering during cnic_start() and caused the following warning message to appear:

bnx2 0003:01:00.1: eth1: Failed waiting for ULP up call to complete

BZ#737475

Prior to this update, failures to bring up the Broadcom BCM57710 Ethernet Controller occurred and the following error messages:

eth0: Something bad had happen! Aii!
[bnx2x_release_hw_lock:1536(eth0)]Releasing a lock on resource 8
eth0: Recovery flow hasn't been properly completed yet. Try again later. If u
still see this message after a few retries then power cycle is required.

With this update, the underlying source code has been modified to address this issue, and the Broadcom BCM57710 Ethernet Controller no longer fails to start.

BZ#738392

This update introduces support for jumbo frames in the Xen networking backend. However, old guests will still revert to a 1500-byte MTU after migration. This update also changes how the guest will probe the backend's Scatter/Gather I/O functionality. As long as a recent enough kernel is installed in the destination host, this will ensure that the guest will keep a large MTU even after migration.

BZ#736742

Previously, the inet6_sk_generic() function was using the obj_size variable to compute the address of its inner structure, causing memory corruption. With this update, the sk_alloc_size() is called every time there is a request for allocation, and memory corruption no longer occurs.

BZ#728518

Prior to this update, Xen did not implement certain ALU opcodes. As a result, when a driver used the missing opcodes on memory-mapped I/O areas, it caused the guest to crash. This update adds all the missing opcodes. In particular, this fixes a BSOD crash from the Windows e1000 driver.

BZ#732377

With this update, the JSM driver has been updated to support the Bell2 (with PLX chip) 2-port adapter on IBM POWER7 systems. Additionally, EEH support has been added to JSM driver.

BZ#561224

When the Sandra multi-media benchmark utility was run on a Windows guest, the guest terminated unexpectedly when the utility tried to access the Model Specific Register 0x480 (IA32_VMX_BASIC). A patch has been provided to address this issue and the benchmark utility no longer causes a Windows guest to crash.

BZ#666225, BZ#693918

When a migration was attempted during the early boot stage in a virtual machine running Windows XP, the virtual machine failed to boot correctly. This bug has been fixed, and the virtual machine now boots properly in the described scenario.

BZ#713389

When a host with a floppy drive attached and Red Hat Enterprise Linux 5.7 installed was being migrated to another host with kernel version 2.6.18-238.14.1 installed, the migration process failed and the host was left in a stopped state. A patch has been provided to address this issue and the migration now finishes successfully in the described scenario.

BZ#713392

Due to a regression, when the values for maximum downtime or maximum speed were increased during a migration, the guests experienced heavy stalls and the migration did not finish in a reasonable time. With this update, a patch has been provided and the migration process finishes successfully in the described scenario.

BZ#508949

When an iSCSI server was configured and the block device was shared on a host, if a guest on another host performed a write operation on the shared device and the iSCSI server was restarted, the standard output of the QEMU monitor on the source host was flooded with redundant error messages. With this update, calls to write out these messages have been removed from the code, thus fixing this bug.

BZ#641854

Previously, when a CD image with a read-only flag set was ejected from a drive on a guest, the read-only flag was preserved. Consequently, the image could not be re-attached to the drive. A patch has been provided to address this issue, and the read-write flag is now set correctly when an image is ejected from a drive, allowing CD images to be changed on-the-fly.

BZ#644706

Previously, the QEMU monitor used an incorrect handler to process passwords to encrypted images. Consequently, the monitor became unresponsive on the first command when attempting to start a guest with an encrypted qcow2 (QEMU Copy-on-Write) image. With this update, the command handler and the password handler are used properly, and the guest now starts successfully in the described scenario.

BZ#644793

In hot plug mode, when a PCI device was being attached to a QEMU guest with the -no-kvm command line option, the qemu-kvm utility terminated with a segmentation fault. This bug has been fixed, and qemu-kvm now exits properly and returns appropriate error messages in the described scenario.

BZ#581555

When the cont command of the QEMU monitor was used to restore a domain saved to a file via the virsh utility, if an incoming migration had been specified for the virtual machine, cont sometimes took effect before the migration was complete. As a consequence, the restore process or the migration sometimes failed. This bug has been fixed, and now the cont command is only accepted after the incoming migration has successfully finished.

BZ#652135

Due to flaws in the IDE CD-ROM emulation, the guest kernel and the anaconda installer sometimes failed to recognize the installation media after the optional testing of installation media had been made. Consequently, the installation process became unresponsive and could not continue. With this update, a memory leak in the bdrv_close() function has been fixed, the installation process no longer gets stuck and the retry function can now be properly used if the installation medium is not recognized the first time.

BZ#657149

When a system_reset signal was sent to a guest with a pass-through NIC (Network Interface Card) attached, a kernel panic occurred in the guest. This bug has been fixed, and the guest now reboots properly in the described scenario.

BZ#659172

When the CHAOS-Concurrent Hardware And OS test job was run in the WHQL (Windows Hardware Quality Labs) test environment on a Windows guest, the run pwrtest child job failed even though the main CHAOS job passed. This bug has been fixed in the KVM BIOS, and the run pwrtest job now passes successfully in the described scenario.

BZ#665023

The QEMU emulator did not enqueue mouse events; it simply records the latest mouse state. Prior to this update, double click or dragging mouse events were sometimes lost, especially on high-latency connections. Now, the code for mouse descriptors has been fixed, and lost mouse events occur much less frequently.

BZ#640051

Previously, it was possible to issue a single "lvconvert" command that both allocated and freed the supplied physical extents. This update logically splits this functionality so that an lvconvert command can either allocate or free physical extents, but disallows performing both operations in a single command, with the result that lvcreate is more consistent and easier to use.

BZ#643500

The entire /proc/self/maps file is now read before maps entries are operated upon.

BZ#653643

The command "vgextend --restoremissing" reported success even in the case of partial failure of an operation, which was potentially confusing. Partial failures are now reported as such.

BZ#656394

The default permissions on the /etc/lvm/ directory have been changed to allow non-root users to use required functionality.

BZ#667174

The "lvchange --test" command now exits cleanly.

BZ#671459

An unnecessary and harmless "File-based locking initialization failed." error message that may have occurred during system startup has been removed.

BZ#672816

O_DIRECT is now always used when opening block devices to check for partitioning.

BZ#710618

Reducing a striped logical volume converted to a mirror could have resulted in corruption. This update fixes the rounding operations in striped volume reduction, and a mirror over a striped volume is now reduced successfully.

BZ#709388

The lvmdump command now works properly with the SELinux's Multi-Level Security policy.

BZ#697959

The vgimportclone script triggered a code path in the "lvm" command which accessed already-released memory when a duplicate physical volume (PV) was found. Problematic strings are now saved to a temporary buffer, and this issue no longer occurs.

BZ#651590

If a transient error occurred while a mirror was being repaired, such as a failing device re-appearing, the repair could have failed and a locking error reported. With this update, the mirror repair operation successfully completes in the described situation.

BZ#680961

The lvm2 package has been upgraded to upstream version 2.02.84, which provides a number of bug fixes over the previous version. Those bug fixes also include:

• A possible overflow in maximum stripe size and physical extent has been fixed.
• pvmove polling no longer fails if another process has already cleaned up.
• Error messages issued by the lvcreate command now refer to "free space" rather than "extents".
• A memory leak in the persistent filter creation error path has been plugged.
• The label cache is no longer revalidated immediately after scanning.
• VG (volume group) allocation policy in metadata being invalid could have caused a memory leak, which has been plugged.
• An unrecognized allocation policy in metadata is now ignored rather than aborting the executed command.
• The redundant "No PV label" error message is now suppressed when several PVs are removed without MDAs.
• The vgchange command now only updates VG metadata once when making multiple changes.
• The vgchange command now processes the "-a", "--refresh", "--monitor" and "--poll" options like lvchange does.
• The vgchange command no longer takes a write lock when the "--refresh", "--poll" or "--monitor" options are supplied.
• The lvconvert command now respects the "--yes" and "--force" options when converting an active log.
• If lvm1 metadata is used, partial mode is limited in operation to prevent a crash for operations not yet supported.

BZ#189462

Invalidated snapshots are now automatically unmounted by dmeventd.

BZ#213942

Tag length restrictions have been removed, and certain punctuation characters, namely / = ! : # and &, are now accepted.

BZ#427298

This update makes it possible to set up a policy of automatic snapshot extension whenever remaining snapshot space drops below a threshhold defined by the new "snapshot_autoextend_threshold" option in the /etc/lvm/lvm.conf configuration file. With this option set, a snapshot either becomes invalidated, as per the previous behavior, or it is extended and automatically continues to function as long as long as free Volume Group space permits.

BZ#433768

The cling allocation policy has been extended to recognize PV (physical volume) tags in the "cling_by_tags" option in lvm.conf.

BZ#644578

A new configurable option, "pv_min_size", has been added to the lvm.conf configuration file. This option can be used to improve performance of commands that scan all devices by setting the pv_min_size value to skip device reading below a certain predefined level.

BZ#659264

The man pages for the pvmove, pvcreate, pvremove, pvresize, pvscan and lvscan commands have been updated and improved.

BZ#644079, BZ#640101

Converting a mirror log type from disk to mirrored is now supported.

BZ#708492

Striped mirrors are now supported.

BZ#680961

The lvm2 package has been upgraded to upstream version 2.02.84, which provides a number of enhancements over the previous version. Those enhancements include:

• Multiple "--addtag" and "--deltag" options can now be supplied as parameters.
• Independent vgchange arguments can now be used together.
• The output from "dmsetup ls --tree" has been added to lvmdump.
• Command processing has been sped up by caching the resolved configuration tree.
• Multiple pvchange command line options can now be specified simultaneously.
• An unnecessary call to unlock during volume deactivation has been eliminated.
• "Fusion-io" is now accepted in the device type filter.
• The "metadata_read_only" option has been added to the global section of the lvm.conf configuration file. If this option is enabled, no operations that change on-disk metadata will be permitted, including automatic repairs of metadata in read-only mode.
• device-mapper devices are now skipped during scans if they contain only error targets or are pseudo-terminal devices.
• The unquoting of quoted double-quotes and backslashes has been sped up.
• CRC32 calculations have been sped up by using a larger lookup table.

BZ#554956

When running on a machine with an aliased network interface, a small memory leak may have occurred and the snmpd daemon may have incorrectly spammed syslog with the following message:

error on subcontainer '' insert (-1)

Although the message itself is completely harmless, it may have filled the system log. This update adapts the underlying source code to make sure the snmpd no longer leaks memory or produces the aforementioned message when processing aliased interfaces.

BZ#556824

When running on a big-endian machine, the snmpd daemon incorrectly mixed pointers to integers of a different size, and reported wrong indexes of the UDP-MIB::udpTable table. With this update, this error no longer occurs, and snmpd now reports correct indexes.

BZ#557758

When loading a list of installed RPM packages for the HOST-RESOURCE::hrSWInstalledTable table, a rare race condition may have occurred if an RPM package was being updated, installed, or removed at the same time, causing the snmpd daemon to terminate unexpectedly with a segmentation fault. With this update, snmpd has been adapted to recover from such a situation, and no longer crashes in this scenario.

BZ#561875

When retrieving data for the Remote Network Monitoring Management Information Base (RMON-MIB), the snmpd daemon may have leaked file descriptors. As a result, the file descriptors available to the snmpd process may have been exhausted, rendering the daemon unable to respond to SNMP requests. With this update, all unnecessary file descriptors are appropriately closed, and snmpd now works as expected.

BZ#561882

When a network interface was not active and the snmpd service was unable to obtain its real speed from the kernel, it incorrectly reported an erroneous value of the IF-MIB::ifSpeed object. This update corrects the snmpd daemon to report the correct speed if the kernel provides it, and not to report the speed of a disabled network at all if it cannot be obtained.

BZ#562376, BZ#653780

Prior to this update, the snmpd daemon did not initialize the structures for the IP-MIB::ipSystemStatsTable and IP-MIB::ipIfStatsTable tables properly. Consequent to this, when a counter in these tables exceeded 32 bits, the following error message may have been written to the system log:

looks like a 64bit wrap, but prev!=new

This update corrects the initialization of the aforementioned tables, resolving this issue.

BZ#574035

Prior to this update, when a user provided a passphrase that was too short, various SNMP utilities such as snmpget or snmpwalk incorrectly returned exit code 0. This error no longer occurs, and the SNMP utilities now return a non-zero exit code in this scenario.

BZ#584769

Previously, the logrotate configuration file shipped with the net-snmp packages restarted the snmpd daemon whenever the /var/log/snmpd.log file was rotated. However, this led to an unnecessary interruption of the SNMP service, and may have negatively affected several SNMP counters. With this update, the aforementioned configuration file has been adapted to only notify the running snmpd daemon that the log file should be reopened, and no longer interrupts the SNMP service.

Note

By default, the snmpd daemon writes messages to the system log (that is, the /var/log/messages file). Since logging to the /var/log/snmpd.log file is optional and must be enabled manually, most users were not affected by this bug.

BZ#587617

The upstream test suite that was previously shipped as part of the source RPM package did not work with the TCP and UDP protocols for IPv6, and reported false errors. This update adapts the test suite to work with IPv6 as expected.

BZ#587785

When responding to an SNMP GET request of an unknown row in the IF-MIB::ifTable table, the Net-SNMP daemon incorrectly returned a noCreation error. This update applies a patch that resolves this issue, and the snmpd daemon now correctly returns a noSuchInstance error as specified by the SNMP standards.

BZ#591416

During recompilation of the net-snmp source package, the configure script reported an error. Although this error was completely harmless and did not affect the resulting build in any way, it unnecessarily polluted the output of the rpmbuild command. To prevent this, the error in the header ordering has been fixed so that the package can be rebuilt with no error messages.

BZ#595322

Prior to this update, index values of the HOST-RESOURCES-MIB::hrFSTable and HOST-RESOURCES-MIB::hrStorageTable tables were not persistent across device remounts (that is, a particular index may have been different before and after a device was unmounted and mounted again). With this update, the snmpd daemon has been updated to keep track of mounted and unmounted devices in order to retain the same indexes across remounts.

BZ#600319

Previously, the snmpd daemon was updated to send SNMP responses to broadcast requests from the same interface on which the SNMP was received. However, this update also introduced an error which prevented it from sending responses to unicast request on multihomed machines (that is, on machines with multiple network interfaces, each facing a different network). This update corrects this error so that the snmpd daemon is now able to both answer unicast requests on multihomed machines and send responses to broadcast requests from the same interface on which the request was received.

BZ#630905

Due to a possible race condition, the snmpd daemon may have failed to count some processes when populating the UCD-SNMP-MIB::prTable table. With this update, the underlying source code has been adapted to prevent such a race condition so that all processes are now counted as expected.

BZ#645303

Due to a possible overflow of a 32-bit signed integer, the snmptranslate tool may have reported wrong ranges of objects with the Unsigned32 syntax. This update adapts snmptranslate to use 64-bit values for integer ranges, so that the utility no longer produces incorrect Unsigned32 ranges.

BZ#645317

Previously, the snmpd service returned an incorrect value of the IP-MIB::ipv6InterfaceForwarding object: for forwarding it reported 0 instead of 1, and for notForwarding it reported 1 instead of 2. With this update, this error no longer occurs, and snmpd now reports the value of IP-MIB::ipv6InterfaceForwarding in accordance with RFC 4293.

BZ#654384

Previously, the snmpd daemon strictly implemented RFC 2780. However, this specification no longer scales well with modern big storage devices with small allocation units, and consequently, snmpd reported a wrong value of the HOST-RESOURCES-MIB::hrStorageSize object when working with a large file system (larger than 16TB), because the accurate value would not fit into Integer32 as specified in the RFC. To address this issue, this update adds a new option to the /etc/snmp/snmpd.conf configuration file, realStorageUnits. By changing the value of this option to 0, users can now enable recalculating all values in hrStorageTable to ensure that the multiplication of hrStorageSize and hrStorageAllocationUnits always produces an accurate device size. On the other hand, the values of hrStorageAllocationUnits are artificial and do not represent the real size of the allocation unit on the storage device.

BZ#659354

When running on a big-endian machine, the snmpd daemon reported wrong values of storage sizes in the HOST-RESOURCES-MIB::hrStorageTable table. This was caused by incorrect use of pointers to integers of a different size. With this update, the snmpd daemon has been adapted to use pointers to integer values in the HOST-RESOURCES-MIB::hrStorageTable implementation. As a result, the sizes in the aforementioned table are now reported correctly.

BZ#663863

When an object identifier (OID) was out of the subtree registered by the proxy statement in the /etc/snmp/snmpd.conf configuration file, the previous version of the snmpd daemon failed to use a correct OID of proxied GETNEXT requests. With this update, snmpd now adjusts the OIDs of proxied GETNEXT requests correctly and sends correct requests to the remote agent as expected.

BZ#676669

After processing the SIGUP signal, the snmpd daemon may have stopped to report a correct value in the HOST-RESOURCES-MIB::hrStorageTable table. This update corrects this error so that when the SIGHUP signal is processed, the snmpd daemon now provides correct values in HOST-RESOURCES-MIB::hrStorageTable.

BZ#676955

The previous version of snmptrapd, the Net-SNMP daemon for processing traps, leaked memory when processing incoming SNMP traps in embedded Perl. This caused the amount of consumed memory to grow over time, making the memory consumption was even larger if the daemon was processing SNMPv1 traps. With this update, the underlying source code has been adapted to prevent such memory leaks, and processing incoming SNMP traps in embedded Perl no longer increases the memory consumption.

BZ#680347

The previous version of the snmpd daemon failed to detect newly added or activated interfaces, and did not show them in the IPV6-MIB::ipv6IfTable table. With this update, a patch has been applied to address this issue, and the snmpd daemon now properly refreshes the table whenever a new interface appears.

BZ#683142

Prior to this update, the snmpd daemon did not detect errors when accessing the /proc file system. Consequent to this, an attempt to read information about an exited process while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable table caused the daemon to terminate unexpectedly with a segmentation fault. This update adapts the underlying source code to make sure that such errors are now properly detected, and snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable.

BZ#704443

The previous version of the snmpd daemon incorrectly processed requests with malformed Basic Encoding Rules (BER), namely with the wrong type field of Community, RequestID, Error-status, and Error-index attributes. The updated snmpd daemon properly checks encoding of incoming packets and silently drops malformed requests as required by SNMP RFCs.

BZ#556842

Previously, the SYNOPSIS section of the snmpnetstat(1) manual page incorrectly listed the -CP option instead of -Cp. This error has been fixed so that the aforementioned manual page no longer contains misleading information.

BZ#583807

In the description of the linkUpDownNotifications directive, the snmpd.conf(5) manual page treats the linkUp and linkDown notifications as containing the ifIndex, ifAdminStatus, and ifOperStatus objects. Previously, the snmpd daemon did not include these objects in outgoing notifications. With this update, the snmpd daemon has been adapted to add these objects to the outgoing notifications as described in the manual page.

BZ#613584

Prior to this update, the help messages of various SNMP-related tools and their corresponding manual pages (such as the snmptrapd(8) page) incorrectly suggested -D token as a valid syntax of the -D command line option. This update corrects this error, and both manual pages and help messages of the affected tools now strictly use the -Dtoken syntax as expected.

BZ#664523

With this update, the UCD-SNMP-MIB::dskTable table has been enhanced to report 64-bit statistics of available, used, and free disk space. As a result, the table now provides the following new columns: dskTotalLow, dskTotalHigh, dskAvailLow, dskAvailHigh, dskUsedLow, and dskUsedHigh.

BZ#610812

Due to an incorrect SELinux policy, SELinux did not allow FreeRADIUS to disable storing core dump files upon a failure. This update applies a backported patch that addresses this issue, and FreeRADIUS can now be configured not to create core dumps as expected.

BZ#632573

Previously, when a leaked file descriptor was detected during a system update, an Access Vector Cache (AVC) message was written to the audit log. With this update, the relevant SELinux policy has been added to prevent SELinux from reporting file descriptors leaked during a system update.

BZ#651609

When running in enforcing mode, SELinux did not allow the clustat utility to bind to a reserved port. This update adapts the SELinux rules to permit such connection, so that clustat is now able to bind to the required port as expected.

BZ#657571

Prior to this update, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the modprobe utility from sending the SIGNULL signal to all processes. With this update, the relevant policy has been fixed, and SELinux no longer prevents modprobe from sending SIGNULL to all processes.

BZ#662677

When Samba is configured to run as a Windows Internet Name Server (WINS) that is integrated to a Name Service Switch (NSS), programs that resolve a NetBIOS name require access to the /var/cache/samba/unexpected.tdb file. Previously, SELinux incorrectly denied this access. This update adapts the relevant SELinux policy to allow this access, and programs resolving a NetBIOS name are now able to access this file as expected.

BZ#666513

Previous versions of the seliux-policy packages did not provide a SELinux policy for the /var/spool/rsyslog/ directory. With this update, this policy has been added.

BZ#667692

When the utmp option in the /etc/samba/smb.conf configuration file is set to yes, Samba records sessions in the utmp and wtmp files. Prior to this update, the SELinux policy did not allow the smbd daemon to write to the wtmp file. With this update, the SELinux policy has been corrected, so that Samba is now allowed to work as expected.

BZ#672289

When running in enforcing mode, SELinux did not allow the net utility to create a Kerberos keytab file when the system was joined to a Windows 2003 Active Directory domain. This update corrects this error, and SELinux no longer prevents the net utility from creating a Kerberos keytab file.

BZ#672540

Prior to this update, an attempt to use the System Security Services Daemon (SSSD) with an LDAP domain connected to an OpenLDAP server over the Transport Layer Security (TLS) protocol caused various AVC messages to be written to the audit log. This update applies a backported patch that resolves this issue, so that no unnecessary AVC messages are recorded.

BZ#674452

The rsyslogd tool allows a user to change the maximum number of open file descriptors by adding the $MaxOpenFiles directive to the /etc/rsyslog.conf file. Previously, an attempt to use this directive to set a number that is larger than the default value failed, because SELinux prevented rsyslogd from accessing setrlimit. This update corrects the relevant policy to allow this access, so that the rsyslogd tool is now able to increase the maximum number of open file descriptors as expected.

BZ#674689

In order to perform its job, the pyzor client requires access to certain files in users' home directories. Prior to this update, SELinux did not allow pyzor to access these files if the home directories were located on an NFS mount point. With this update, SELinux no longer denies pyzor access to NFS-mounted home directories, allowing it to work correctly.

BZ#678496

Due to missing SELinux policies, various AVC messages may have been reported when attempting to start the pulse or ipvsadm service. This update adds the relevant policies to make sure these services can be started as expected.

BZ#689960

For debugging purposes, Openswan allows a user to specify a directory in which to store a core dump file in case the pluto service crashes. Prior to this update, running SELinux in enforcing mode rendered Openswan unable to create such a core dump. With this update, the relevant policy has been corrected, and SELinux no longer prevents Openswan from creating core dump files.

BZ#693723

The sshd service, ssh client, and other SSH-aware utilities need to read data from the /dev/random and /dev/urandom devices. Prior to this update, SELinux may have incorrectly prevented these programs from accessing these devices. This update adapts the SELinux policy so that these utilities are able to read data from both /dev/random and /dev/urandom as expected.

BZ#694865

Due to an incorrect SELinux policy, the Pyzor spam filtering system was incorrectly denied access to configuration files located in the /etc/ directory. This update corrects the SELinux policy to make sure Pyzor is no longer prevented from accessing its configuration files.

BZ#697804

With SELinux running in enforcing mode, any communication via the Stream Control Transmission Protocol (SCTP) was denied. With this update, the relevant SELinux policy has been adapted to allow the SCTP communication.

BZ#698043

Prior to this update, restarting the vsftpd service by using the service vsftpd restart command caused an AVC message to be written to the audit log. With this update, SELinux rules have been added to address this issue, and restarting the vsftpd service no longer produces AVC messages.

BZ#698257

With SELinux enabled, running the named service in a chroot environment rendered it unable to update log files. This error has been fixed, and SELinux no longer prevents named from updating the log files.

BZ#703458

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the lsusb command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

BZ#703482

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the kpartx -x command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

BZ#703714

Due to an incorrect SELinux policy, when the OpenAIS Standards-Based Cluster Framework was started, various AVC messages were written to the audit log, and the openais service was unable to use UDP port 5404. This error has been fixed, the relevant SELinux policy has been corrected, and the openais service now works as expected.

BZ#704690

Previous versions of the selinux-policy packages were missing SELinux rules for the syslog-ng syslog server. With this update, these rules have been added.

BZ#705327

Previously, using the arping utility on an IBM System z machine incorrectly caused an AVC message to be written to the audit log. This update corrects the relevant SELinux policy, and running arping no longer produces unnecessary AVC messages.

BZ#707101

Prior to this update, SELinux incorrectly prevented the clamav-milter utility to from opening a socket, causing it to terminate with an error. With this update, this error has been fixed, and clamav-milter can now be used as expected.

BZ#707139

With SELinux running in enforcing mode, the Apache HTTP Server may have been unable to use the worker Multi-Processing Module (MPM). This update applies a backported patch that adds the httpd_execmem boolean. As a result, SELinux no longer prevents the Apache HTTP Server from loading the worker MPM.

BZ#708986

Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the user_u and staff_u SELinux users from running the ssh-keygen utility. This update fixes the relevant policy, and both user_u and staff_u users are now able to run ssh-keygen as expected.

BZ#709045

Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented the crontab -l command from producing the expected results. This update corrects the relevant policy so that the command works as expected.

BZ#711725

Prior to this update, the SELinux Multi-Level Security (MLS) policy prevented the iprinit, iprdump, and iprupdate services from working correctly. With this update, this error no longer occurs, and the aforementioned services are able to work as expected.

BZ#713797

Due to an error in SELinux rules, running SELinux in enforcing mode rendered the clustat utility unable to connect to a cluster port. With this update, the SELinux rules have been updated to permit such connection, resolving this issue.

BZ#714960

Prior to this update, the .k5login files in the users' home directories were labeled with a wrong security context, which caused SELinux to incorrectly prevent the krb5_child process from accessing these files. With this update, the security context of the .k5login files has been corrected so that krb5_child is no longer denied access to these files.

BZ#662097

This update introduces the squid_selinux(8) manual page, which provides detailed documentation of the SELinux policy for the squid daemon.

BZ#671498

This update adds a new security context for devices in the /dev/hpilo/ directory, which provide an interface to the HP Integrated Lights-Out (iLO) remote management functionality.

BZ#675007

While running the LDAP cache cleanup task, an issue with a corrupted group cache occurred, and the user was stripped of membership of every group except his primary group. This issue has been fixed and the aforementioned problem now no longer occurs.

BZ#676027

When the LDAP server defined in the first ldap_uri entry was unreachable, the login attempt to the system failed with a segmentation fault due to an issue in the failover processing. With this update, the segmentation fault no longer occurs if the first LDAP server can't be reached.

BZ#678412

Modifying or deleting a user or group account on an LDAP server did not result in an update of the cache on a login attempt. With this update, the cache is always properly updated during the login process. Outside of a login attempt, entries now remain as they were cached until the cache timeout expires.

BZ#678778

When performing an initgroups() request on a user, the IPA provider did not properly remove group memberships from the local cache when they were removed from the IPA server. With this update, a removed group is no longer present in the local cache.

BZ#691900

Previously, when GECOS information (an entry in the /etc/passwd file) for a user was missing, SSSD did not look for this information in the cn attribute as it should have. SSSD now correctly falls back to the cn attribute for GECOS if the GECOS field is empty, making SSSD fully compliant with section 5.3 of RFC 2307.

BZ#694149

For large cache files, if a user was removed from a group in LDAP, memory allocation could grow exponentially while processing the removal from the cache, potentially resulting in an OOM (Out of Memory) situation. With this update, this issue has been fixed, and SSSD no longer allocates unnecessarily large amounts of memory when removing a user from a group in LDAP.

BZ#707574

When the first DNS entry defined in the /etc/resolv.conf file was unreachable, SSSD failed to connect to any subsequent DNS server to resolve the SRV record. This caused SSSD to permanently operate in offline mode. This bug has been fixed and SSSD is now able to connect to an alternate server if the primary server is down.

BZ#665314

The following bugs have also been fixed:

• Issues with LDAP search filters that require escaping.
• Nested group issues with RFC2307bis LDAP servers without the memberOf plug-in.
• Several thread-safety issues in the sss_client code.

BZ#665314

The sssd package has been upgraded to upstream version 1.5.1, which provides a number of bug fixes and enhancements over the previous version. The following enhancements are the most significant:

• Support for delayed online Kerberos authentication has been improved.
• A Kerberos access provider to honor the .k5login authorization file has been added.
• The verbosity of PAM_TEXT_INFO messages for cached credentials has been reduced.
• Group support to the simple access provider has been added.
• The time delay between connecting to a network or VPN and acquiring a TGT (Ticket Granting Ticket) has been significantly reduced.
• A feature for the automatic Kerberos ticket renewal has been added.
• SSSD now provides a Kerberos ticket for long-lived processes or cron jobs even when the user logs out.
• Several new features to the LDAP access provider have been added.
• Support for shadow access control has been added.
• Support for the authorizedService access control has been added.
• The ability to mix-and-match LDAP access control features has been added.
• An option for a separate password-change LDAP server for platforms not supporting LDAP referrals has been added.
• Support for manual page translations has been added.
• Support for searching out and returning information about netgroups stored in LDAP has been added.
• The performance of group processing of RFC2307 LDAP servers has been improved.
• A new option, dns_discovery_domain, which allows for better configuration of SRV records for failover, has been added.