6.3 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.3
Edition 3
Red Hat Engineering Content Services
Chapter 1. Important Changes to External Kernel Parameters
The changes covered here include added or updated procfs entries, sysfs default values, boot parameters, kernel configuration options, or any noticeable behavior changes. For more details on the features added and bugs fixed in the Red Hat Enterprise Linux 6.3 kernel, refer to the Kernel chapter in the 6.3 Release Notes, or Section 5.135.14, “RHSA-2012:0862 — Moderate: Red Hat Enterprise Linux 6.3 kernel security, bug fix, and enhancement update” in this book.
pci=use_crs
- The pci=use_crs boot parameter no longer needs to be specified to force PCI resource allocations to correspond to the specific host bridge the device resides on. It is now the default behavior.
CONFIG_HPET_MMAP, hpet_mmap
- The high-resolution timer's capacity to remap the HPET registers into the memory of a user process has been enabled via the CONFIG_HPET_MMAP option. Additionally, the hpet_mmap kernel parameter has been added.
pcie_p=nomsi
- The pcie_p=nomsi kernel parameter has been added to allow users to disable MSI/MSI-X for PCI Express Native Hotplug (that is, the pciehp driver). When enabled, all PCIe ports use INTx for hotplug services.
msi_irqs
- A per-PCI-device subdirectory has been added to sysfs: /sys/bus/pci/devices/<device>/msi_irqs. This subdirectory exports the set of MSI vectors allocated by a given PCI device, by creating a numbered subdirectory for each vector under msi_irqs. For each vector, various attributes can be exported. Currently the only attribute, named mode, tracks the operational mode of that vector (MSI versus MSI-X).
CONFIG_PCI_DEBUG
- When the CONFIG_PCI_DEBUG=y option is configured, the -DDEBUG flag is automatically added to the EXTRA_CFLAGS compilation flags.
CONFIG_STRICT_DEVMEM
- The CONFIG_STRICT_DEVMEM option is enabled by default for the PowerPC architecture. This option restricts access to the /dev/mem device. If this option is disabled, userspace access to all memory is allowed, including kernel and userspace memory, and accidental memory (write) access could potentially be harmful.
kdump/kexec configuration options
- The following kernel configuration options were enabled for the kdump/kexec kernel dumping mechanism on IBM System z:
CONFIG_KEXEC_AUTO_RESERVE=y
CONFIG_CRASH_DUMP=y
CONFIG_PROC_VMCORE=y
KEXEC_AUTO_THRESHOLD
- The default value for the KEXEC_AUTO_THRESHOLD option has been lowered to 2 GB.
/proc/mounts
- The /proc/mounts file now shows the following mount options for CIFS under the dir_mode= parameter: nostrictsync, noperm, backupuid, backupgid.
dmesg_restrict
- Writing to the /proc/sys/kernel/dmesg_restrict file is only allowed for a root user that has the CAP_SYS_ADMIN capability.
printk.always_kmsg_dump
- A new kernel parameter, printk.always_kmsg_dump, has been added to save the final kernel messages on the reboot, halt, poweroff, and emergency_restart paths. For usage information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/kernel-parameters.txt file.
ulimit
- The default hard ulimit on the number of files has been increased to 4096:
~]$ ulimit -Hn
4096
soft_panic
- A watchdog module parameter, soft_panic, has been added. When soft_panic is set to 1, it causes softdog to invoke a kernel panic instead of a reboot when the softdog timer expires. By invoking a kernel panic, the system executes kdump, if kdump is configured. Kdump then generates a vmcore which provides additional information on the reasons for the failure.
perf examples
- The /usr/share/doc/perf-<version>/examples.txt documentation file has been added to the perf package.
shm_rmid_forced
- Support for the shm_rmid_forced sysctl option has been added. When set to 1, all shared memory objects not referenced in the current IPC namespace (with no tasks attached to them) will automatically be forced to use IPC_RMID. For more information, refer to the /usr/share/doc/kernel-doc-<version>/Documentation/sysctl/kernel.txt file.
UV systems reduced boot time
- A number of patches have been applied to the kernel in Red Hat Enterprise Linux 6.3 to improve overall performance and reduce boot time on extremely large UV systems (patches were tested on a system with 2048 cores and 16 TB of memory). Additionally, boot messages for the SGI UV2 platform were updated.
accept_local
- The /proc/sys/net/ipv4/conf/*/accept_local sysctl setting has been added to allow a system to receive packets it sent itself. This is needed in order to work with certain load balancing solutions that load balance to themselves.
CONFIG_VGA_SWITCHEROO
- The CONFIG_VGA_SWITCHEROO configuration option is now enabled by default to allow switching between two graphics cards.
O_DIRECT in FUSE
- Support for the O_DIRECT flag for files in FUSE (File system in Userspace) has been added.
CONFIG_IP_MROUTE_MULTIPLE_TABLES
- The CONFIG_IP_MROUTE_MULTIPLE_TABLES=y configuration option has been added to enable support for multiple independent multicast routing instances.
nfs.max_session_slots
- The nfs.max_session_slots module/kernel boot parameter has been added. This parameter sets the maximum number of session slots that an NFS client attempts to negotiate with the server.
Default mount option for /proc
- In Red Hat Enterprise Linux 6.3, the default mount options of /proc during boot up have been changed to:
~]# mount -t proc -o nosuid,noexec,nodev proc /proc
For third-party modules which create devices via procfs, remount procfs with the old options:
~]# mount -t proc /proc /proc
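As an added check, not part of the Red Hat notes, the following POSIX shell functions parse /proc/mounts-style text and report which of nosuid, noexec and nodev are absent from a mountpoint's options, so an administrator can confirm the new /proc default or notice that a remount with the old options dropped it. The sample mount lines are constructed and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed /proc/mounts-style samples (not captured from a real system).
HARDENED_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,noexec,nodev,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0'
REORDERED_MOUNTS='proc /proc proc rw,relatime,nodev,noexec,nosuid 0 0'
LEGACY_MOUNTS='proc /proc proc rw,relatime 0 0'

# Print the option string (field 4) of the given mountpoint from /proc/mounts-style text.
mount_opts() {
    mounts_text=$1
    mountpoint=$2
    printf '%s\n' "$mounts_text" | awk -v mp="$mountpoint" '$2 == mp { print $4; exit }'
}

# Print, space-separated, which of nosuid/noexec/nodev are absent from the mountpoint's
# options. Prints nothing when all three are present; an unknown mountpoint counts as
# missing all three. The comparison is order-insensitive.
missing_hardening() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;                            # option present somewhere in the list
            *) missing="$missing${missing:+ }$want" ;; # record the absent option
        esac
    done
    printf '%s' "$missing"
}

# Return 0 when the mountpoint carries all three options, 1 otherwise, with a one-line report.
proc_hardening_report() {
    missing=$(missing_hardening "$1" "$2")
    if [ -z "$missing" ]; then
        printf '%s: nosuid,noexec,nodev all set\n' "$2"
        return 0
    fi
    printf '%s: missing %s (Red Hat Enterprise Linux 6.3 default is nosuid,noexec,nodev)\n' "$2" "$missing"
    return 1
}

# When run on a live system, report on the real /proc mount; the exit status is ignored here.
if [ -r /proc/mounts ]; then
    proc_hardening_report "$(cat /proc/mounts)" /proc || :
fi
```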
Chapter 2. Technology Previews
2.1. Storage and File Systems
- LVM support for (non-clustered) thinly-provisioned snapshots
- A new implementation of LVM copy-on-write (cow) snapshots is available in Red Hat Enterprise Linux 6.3 as a Technology Preview. The main advantage of this implementation, compared to the previous implementation of snapshots, is that it allows many virtual devices to be stored on the same data volume. This implementation also provides support for arbitrary depth of recursive snapshots (snapshots of snapshots of snapshots …). This feature is for use on a single system. It is not available for multi-system access in cluster environments. For more information, refer to the documentation of the -s/--snapshot option in the lvcreate man page.
Package: lvm2-2.02.95-10
- LVM support for (non-clustered) thinly-provisioned LVs
- Logical Volumes (LVs) can now be thinly provisioned to manage a storage pool of free space to be allocated to an arbitrary number of devices when needed by applications. This allows creation of devices that can be bound to a thinly provisioned pool for late allocation when an application actually writes to the pool. The thinly-provisioned pool can be expanded dynamically if and when needed for cost-effective allocation of storage space. In Red Hat Enterprise Linux 6.3, this feature is introduced as a Technology Preview. You must have the device-mapper-persistent-data package installed to try out this feature. For more information, refer to the lvcreate(8) man page.
Package: lvm2-2.02.95-10
- Dynamic aggregation of LVM metadata via lvmetad
- Most LVM commands require an accurate view of the LVM metadata stored on the disk devices on the system. With the current LVM design, if this information is not available, LVM must scan all the physical disk devices in the system. This requires a significant amount of I/O operations in systems that have a large number of disks. The purpose of the lvmetad daemon is to eliminate the need for this scanning by dynamically aggregating metadata information each time the status of a device changes. These events are signaled to lvmetad by udev rules. If lvmetad is not running, LVM performs a scan as it normally would. This feature is provided as a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6.3. To enable it, refer to the use_lvmetad parameter in the /etc/lvm/lvm.conf file, and enable the lvmetad daemon by configuring the lvm2-lvmetad init script.
Package: lvm2-2.02.95-10
- Parallel NFS
- Parallel NFS (pNFS) is a part of the NFS v4.1 standard that allows clients to access storage devices directly and in parallel. The pNFS architecture eliminates the scalability and performance issues associated with NFS servers in deployment today. pNFS supports 3 different storage protocols or layouts: files, objects and blocks. The Red Hat Enterprise Linux 6.3 NFS client supports the files layout protocol. To automatically enable the pNFS functionality, create the /etc/modprobe.d/dist-nfsv41.conf file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
Now when the -o minorversion=1 mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled. For more information on pNFS, refer to http://www.pnfs.com/.
Package: kernel-2.6.32-279
- Open multicast ping (Omping), BZ#657370
- Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6, Omping is provided as a Technology Preview.
Package: omping-0.0.4-1
- System Information Gatherer and Reporter (SIGAR)
- The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.3, SIGAR is considered a Technology Preview package.
Package: sigar-1.6.5-0.4.git58097d9
- fsfreeze
- Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the fsfreeze(8) man page.
Package: util-linux-ng-2.17.2-12.7
- DIF/DIX support
- DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA. The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with O_DIRECT I/O and DIF/DIX hardware should enable this feature. For more information, refer to the section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.
Package: kernel-2.6.32-279
- Filesystem in user space
- Filesystem in Userspace (FUSE) allows for custom file systems to be developed and run in user space.
Package: fuse-2.8.3-4
- Btrfs, BZ#614121
- Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The Btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.
Warning
Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems.
Package: btrfs-progs-0.19-12
- LVM Application Programming Interface (API)
- Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
Package: lvm2-2.02.95-4
- FS-Cache
- FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.
Package: cachefilesd-0.10.2-1
- eCryptfs File System
- eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is provided as a Technology Preview in Red Hat Enterprise Linux 6.
Package: ecryptfs-utils-82-6
2.2. Networking
- QFQ queuing discipline
- In Red Hat Enterprise Linux 6.3, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.
Package: kernel-2.6.32-279
- vios-proxy, BZ#721119
- vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
Package: vios-proxy-0.1-1
- IPv6 support in IPVS
- The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.
Package: kernel-2.6.32-279
2.3. Clustering and High Availability
- Utilizing CPG API for inter-node locking
- Rgmanager includes a feature which enables it to utilize Corosync's Closed Process Group (CPG) API for inter-node locking. This feature is automatically enabled when Corosync's RRP feature is enabled. Corosync's RRP feature is considered fully supported. However, when used with the rest of the High-Availability Add-Ons, it is considered a Technology Preview.
Package: rgmanager-3.0.12.1-12
- Support for redundant ring for standalone Corosync, BZ#722469
- Red Hat Enterprise Linux 6.3 includes support for redundant ring with autorecovery feature as a Technology Preview. Refer to Section 3.7, “Clustering” for a list of known issues associated with this Technology Preview.
Package: corosync-1.4.1-7
- corosync-cpgtool, BZ#688260
- The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This feature is a Technology Preview.
Package: corosync-1.4.1-7
- Disabling rgmanager in /etc/cluster.conf, BZ#723925
- As a consequence of converting the /etc/cluster.conf configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources. Consequently, Red Hat Enterprise Linux 6 includes a feature (as a Technology Preview) that forces the following requirements:
- rgmanager must refuse to start if it sees the <rm disabled="1"> flag in /etc/cluster.conf.
- rgmanager must stop any resources and exit if the <rm disabled="1"> flag appears in /etc/cluster.conf during a reconfiguration.
Package: rgmanager-3.0.12.1-12
- libqb package
- The libqb package provides a library with the primary purpose of providing high performance client server reusable features, such as high performance logging, tracing, inter-process communication, and polling. This package is introduced as a dependency of the pacemaker package, and is considered a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: libqb-0.9.0-2
- pacemaker, BZ#456895
- Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.
Package: pacemaker-1.1.7-6
2.4. Authentication
- Support for central management of SSH keys, BZ#803822
- Previously, it was not possible to centrally manage host and user SSH public keys. Red Hat Enterprise Linux 6.3 includes SSH public key management for Identity Management servers as a Technology Preview. OpenSSH on Identity Management clients is automatically configured to use public keys which are stored on the Identity Management server. SSH host and user identities can now be managed centrally in Identity Management.
Package: sssd-1.8.0-32
- SELinux user mapping, BZ#803821
- Red Hat Enterprise Linux 6.3 introduces the ability to control the SELinux context of a user on a remote system. SELinux user map rules can be defined and, optionally, associated with HBAC rules. These maps define the context a user receives depending on the host they are logging into and the group membership. When a user logs into a remote host which is configured to use SSSD with the Identity Management backend, the user's SELinux context is automatically set according to mapping rules defined for that user. For more information, refer to http://freeipa.org/page/SELinux_user_mapping. This feature is considered a Technology Preview.
Package: sssd-1.8.0-32
- SSSD support for automount map caching, BZ#761570
- In Red Hat Enterprise Linux 6.3, SSSD includes a new Technology Preview feature: support for caching automount maps. This feature provides several advantages to environments that operate with autofs:
- Cached automount maps make it easy for a client machine to perform mount operations even when the LDAP server is unreachable, but the NFS server remains reachable.
- When the autofs daemon is configured to look up automount maps via SSSD, only a single file has to be configured: /etc/sssd/sssd.conf. Previously, the /etc/sysconfig/autofs file had to be configured to fetch autofs data.
- Caching the automount maps results in faster performance on the client and lower traffic on the LDAP server.
Package: sssd-1.8.0-32
2.5. Security
- TPM
- TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The trousers and tpm-tools packages are considered a Technology Preview in Red Hat Enterprise Linux 6.3.
Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2
2.6. Devices
- SR-IOV on the be2net driver, BZ#602451
- The SR-IOV functionality of the Emulex be2net driver is considered a Technology Preview in Red Hat Enterprise Linux 6.3. You must meet the following requirements to use the latest version of SR-IOV support:
- You must run the latest Emulex firmware (revision 4.1.417.0 or later).
- The server system BIOS must support the SR-IOV functionality and have virtualization support for Direct I/O VT-d.
- You must use the GA version of Red Hat Enterprise Linux 6.3.
SR-IOV runs on all Emulex-branded and OEM variants of BE3-based hardware, which all require the be2net driver software.
Package: kernel-2.6.32-279
- iSCSI and FCoE boot
- iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.3. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
Package: kernel-2.6.32-279
- mpt2sas lockless mode
- The mpt2sas driver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.
Package: kernel-2.6.32-279
2.7. Kernel
- Thin-provisioning and scalable snapshot capabilities
- The dm-thinp targets, thin and thin-pool, provide a device mapper device with thin-provisioning and scalable snapshot capabilities. This feature is available as a Technology Preview.
Package: kernel-2.6.32-279
- kdump/kexec kernel dumping mechanism for IBM System z
- In Red Hat Enterprise Linux 6.3, the kdump/kexec kernel dumping mechanism is enabled for IBM System z systems as a Technology Preview, in addition to the IBM System z stand-alone and hypervisor dumping mechanism. The auto-reserve threshold is set at 4 GB; therefore, any IBM System z system with more than 4 GB of memory has the kexec/kdump mechanism enabled. Sufficient memory must be available because kdump reserves approximately 128 MB as default. This is especially important when performing an upgrade to Red Hat Enterprise Linux 6.3. Sufficient disk space must also be available for storing the dump in case of a system crash. Kdump is limited to DASD or QETH networks as dump devices until kdump on SCSI disk is supported. The following warning message may appear when kdump is initialized:
..no such file or directory
This message does not impact the dump functionality and can be ignored. You can configure or disable kdump via /etc/kdump.conf, system-config-kdump, or firstboot.
- Kernel Media support
- The following features are presented as Technology Previews:
- The latest upstream video4linux
- Digital video broadcasting
- Primarily infrared remote control device support
- Various webcam support fixes and improvements
Package: kernel-2.6.32-279
- Remote audit logging
- The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins sub-package is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6.
Package: audispd-plugins-2.2-2
- Linux (NameSpace) Container [LXC]
- Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.
Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
- Diagnostic pulse for the fence_ipmilan agent, BZ#655764
- A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the off operation in a production cluster.
Package: fence-agents-3.1.5-17
2.8. Virtualization
- Performance monitoring in KVM guests, BZ#645365
- KVM can now virtualize a performance monitoring unit (vPMU) to allow virtual machines to use performance monitoring. Additionally it supports Intel's “architectural PMU” which can be live-migrated across different host CPU versions, using the -cpu host flag. With this feature, Red Hat virtualization customers are now able to utilize performance monitoring in KVM guests seamlessly. The virtual performance monitoring feature allows virtual machine users to identify sources of performance problems in their guests, using their preferred pre-existing profiling tools that work on the host as well as the guest. This is an addition to the existing ability to profile a KVM guest from the host. This feature is a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: kernel-2.6.32-279
- Dynamic virtual CPU allocation
- KVM in Red Hat Enterprise Linux 6.3 now supports dynamic virtual CPU allocation, also called vCPU hot plug, to dynamically manage capacity and react to unexpected load increases on their platforms during off-peak hours. The virtual CPU hot-plugging feature gives system administrators the ability to dynamically adjust CPU resources in a guest. Because a guest no longer has to be taken offline to adjust the CPU resources, the availability of the guest is increased. This feature is a Technology Preview in Red Hat Enterprise Linux 6.3. Currently, only the vCPU hot-add functionality works. The vCPU hot-unplug feature is not yet implemented.
Package: qemu-kvm-0.12.1.2-2.295
- Virtio-SCSI capabilities
- KVM Virtualization's storage stack has been improved with the addition of virtio-SCSI (a storage architecture for KVM based on SCSI) capabilities. Virtio-SCSI provides the ability to connect directly to SCSI LUNs and significantly improves scalability compared to virtio-blk. The advantage of virtio-SCSI is that it is capable of handling hundreds of devices compared to virtio-blk which can only handle 25 devices and exhausts PCI slots. Virtio-SCSI is now capable of inheriting the feature set of the target device with the ability to:
- attach a virtual hard drive or CD through the virtio-scsi controller,
- pass-through a physical SCSI device from the host to the guest via the QEMU scsi-block device,
- and allow the usage of hundreds of devices per guest; an improvement from the 32-device limit of virtio-blk.
This feature is a Technology Preview in Red Hat Enterprise Linux 6.3.
Package: qemu-kvm-0.12.1.2-2.295
- Support for in-guest S4/S3 states
- KVM's power management features have been extended to include native support for S4 (suspend to disk) and S3 (suspend to RAM) states within the virtual machine, speeding up guest restoration from one of these low power states. In earlier implementations guests were saved or restored to/from a disk or memory that was external to the guest, which introduced latency. Additionally, machines can be awakened from S3 with events from a remote keyboard through SPICE. This feature is a Technology Preview and is disabled by default in Red Hat Enterprise Linux 6.3. To enable it, select the /usr/share/seabios/bios-pm.bin file for the VM bios instead of the default /usr/share/seabios/bios.bin file. The native, in-guest S4 (suspend to disk) and S3 (suspend to RAM) power management features support the ability to perform suspend to disk and suspend to RAM functions in the guest (as opposed to the host), reducing the time needed to restore a guest by responding to simple keyboard gestures input. This also removes the need to maintain an external memory-state file. This capability is supported on Red Hat Enterprise Linux 6.3 guests and Windows guests running on any hypervisor capable of supporting S3 and S4.
Package: seabios-0.6.1.2-19
- System monitoring via SNMP, BZ#642556
- This feature provides KVM support for stable technology that is already used in data centers with bare-metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6 allows the KVM hosts to send SNMP traps on events so that hypervisor events can be communicated to the user via the standard SNMP protocol. This feature is provided through the addition of a new package: libvirt-snmp. This feature is introduced as a Technology Preview.
Package: libvirt-snmp-0.0.2-3
- Wire speed requirement in KVM network drivers
- Virtualization and cloud products that run networking workloads need to run at wire speed. Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which limits other features like memory overcommit and guest migration. The macvtap/vhost zero-copy capabilities allow the user to use those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.
Package: qemu-kvm-0.12.1.2-2.295
2.9. Resource Management
- numad package
- The numad package provides a daemon for NUMA (Non-Uniform Memory Architecture) systems that monitors NUMA characteristics. As an alternative to manual static CPU pinning and memory assignment, numad provides dynamic adjustment to minimize memory latency on an ongoing basis. The package also provides an interface that can be used to query the numad daemon for the best manual placement of an application. The numad package is introduced as a Technology Preview.
Package: numad-0.5-4.20120522git
Chapter 3. Known Issues
3.1. Installation
anaconda component
- Setting the qla4xxx parameter ql4xdisablesysfsboot to 1 may cause boot from SAN failures.
anaconda component
- Installing Red Hat Enterprise Linux 6.3 using the text user interface on a system which already has a Red Hat Enterprise Linux system installed on the disk, and going back to the initial Anaconda installation page (using the Back button) may cause a traceback error.
dracut component
- Installations to a network root device, such as an iSCSI device, do not function properly when using DHCP, preventing the installed system from rebooting. To work around this issue, when installing to an iSCSI root device, you must select the Anaconda installer option Bind targets to network interfaces; do not leave it unselected, as is the default. Additionally, you must use static IP addresses if using a network root device. To work around this issue when installing via kickstart, add the --iface= option to the iscsi kickstart command, for example:
iscsi --ipaddr 10.34.39.46 --port 3260 --target iqn.2009-02.com.kvm:iscsibind --iface=eth0
anaconda component
- Red Hat Enterprise Linux 6.3 fails to boot when installed without LVM and booted from a Storage Area Network (SAN). To work around this issue, ensure that the /boot partition is using the first partition of multipath, or use LVM (which is the default behavior).
anaconda component
- To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the zerombr kickstart command. The --initlabel option of the clearpart command is not intended to serve this purpose.
anaconda component, BZ#676025
- Users performing an upgrade using Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select Skip Boot Loader Configuration during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode).
anaconda component
- In Red Hat Enterprise Linux 6.3, Anaconda allows installation to disks of size 2.2 TB and larger, but the installed system may not boot properly. Disks of size 2.2 TB and larger may be used during the installation process, but only as data disks (that is, they should not be used as bootable disks).
anaconda component
- On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the /boot volume on an encrypted volume.
anaconda component
- The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda). During installation, verify the storage device size, name, and type when configuring partitions and file systems.
kernel component
- Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
anaconda component
- The kdump default on feature currently depends on Anaconda to insert the crashkernel= parameter into the kernel parameter list in the boot loader's configuration file.
firstaidkit component
- The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda component, BZ#623261
- In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel kickstart command. Adding the --all switch, as in clearpart --initlabel --all, ensures disks are cleared correctly.
squashfs-tools component
- During the installation on POWER systems, error messages similar to the following may be returned to sys.log:
attempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
These errors do not prevent installation and only occur during the initial setup. The file system created by the installer will function correctly.
anaconda component
- When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
yaboot component, BZ#613929
- The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda component
- The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
system-config-kickstart component
- Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart, the graphical user interface for generating a kickstart configuration, cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.
3.2. Entitlement
subscription manager component - When registering a system with firstboot, the RHN Classic option is checked by default in the Subscription part.
subscription manager component, BZ#811771 - Subscription Manager now disables gpgcheck for any repositories it manages that have an empty gpgkey. To re-enable the repository, upload the GPG keys, and ensure that the correct URL is added to your custom content definition.
3.3. Deployment
cpuspeed component, BZ#626893 - Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo or /sys/devices/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this, ensure that the HP Power Regulator option in the BIOS is set to OS Control. An alternative available on more recent systems is to set Collaborative Power Control to Enabled.
releng component, BZ#644778 - Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
grub component, BZ#695951 - On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to boot the installer due to case sensitivity issues.
grub component, BZ#698708 - When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.
3.4. Virtualization
virt-p2v component, BZ#816930 - Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 that has its file system root on an MD device is not supported. Converting such a system results in a guest that fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server that has its root on an MD device is supported.
virt-p2v component, BZ#808820 - When converting a physical host with multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected, and it must be a currently active path.
vdsm component, BZ#826921 - The following parameter has been deprecated in the /etc/vdsm/vdsm.conf file:
[irs]
nfs_mount_options = soft,nosharecache,vers=3
This parameter will continue to be supported in versions 3.x, but will be removed in version 4.0 of NFS. Customers using this parameter should upgrade their domains to V2 and greater and set the parameters from the GUI.
vdsm component, BZ#749479 - When adding a bond to an existing network, its world-visible MAC address may change. If the DHCP server is not aware that the new MAC address belongs to the same host as the old one, it may assign the host a different IP address that is unknown to both the DNS server and Red Hat Enterprise Virtualization Manager. As a result, connectivity between Red Hat Enterprise Virtualization Manager and VDSM is broken. To work around this issue, configure your DHCP server to assign the same IP address for all the MAC addresses of slave NICs. Alternatively, when editing a management network, do not check connectivity, and make sure that Red Hat Enterprise Virtualization Manager and DNS use the newly-assigned IP address for the node.
vdsm component - Vdsm uses cgroups if they are available on the host. If the cgconfig service is turned off, turn it on with the chkconfig cgconfig on command and reboot. If you prefer not to reboot your system, restarting the libvirt service and vdsm should be sufficient.
ovirt-node component, BZ#747102 - Upgrades from Beta to the GA version will result in an incorrect partitioning of the host. The GA version must be installed clean. UEFI machines must be set to legacy boot options for RHEV-H to boot successfully after installation.
kernel component - When a system boots from SAN, it starts the libvirtd service, which enables IP forwarding. The service causes a driver reset on both Ethernet ports, which causes a loss of all paths to the OS disk. Under this condition, the system cannot load firmware files from the OS disk to initialize the Ethernet ports, never recovers paths to the OS disk, and fails to boot from SAN. To work around this issue, add the bnx2x.disable_tpa=1 option to the kernel command line in the GRUB menu, or do not install virtualization-related software and manually enable IP forwarding when needed.
vdsm component - If the /root/.ssh/ directory is missing from a host when it is added to a Red Hat Enterprise Virtualization Manager data center, the directory is created with a wrong SELinux context, and SSH access to the host is denied. To work around this issue, manually create the /root/.ssh directory with the correct SELinux context:
~]# mkdir /root/.ssh
~]# chmod 0700 /root/.ssh
~]# restorecon /root/.ssh
vdsm component - VDSM now configures libvirt so that connection to its local read-write UNIX domain socket is password-protected by SASL. The intention is to protect virtual machines from human errors of local host administrators. All operations that may change the state of virtual machines on a Red Hat Enterprise Virtualization-controlled host must be performed from Red Hat Enterprise Virtualization Manager.
libvirt component - In earlier versions of Red Hat Enterprise Linux, libvirt permitted PCI devices to be insecurely assigned to guests. In Red Hat Enterprise Linux 6, assignment of insecure devices is disabled by default by libvirt. However, this may cause assignment of previously working devices to start failing. To enable the old, insecure setting, edit the /etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and restart libvirtd (service libvirtd restart). Note that this action will re-open possible security issues.
virtio-win component, BZ#615928 - The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt component, BZ#622649 - libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access to the network. To work around this issue, use the service libvirt reload command to restore libvirt's additional iptables rules.
virtio-win component, BZ#612801 - A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
qemu-kvm component, BZ#720597 - Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.
qemu-kvm component, BZ#612788 - A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PFs) device-assigned to a Windows 2008 guest. Either physical function can be device-assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
virt-v2v component, BZ#618091 - The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v component, BZ#678232 - The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX that has VMware Tools installed will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.
3.5. Storage and File Systems
Driver Update Disk component - The hpsa driver installed from the AMD64 and Intel 64 Driver Update Program ISO might not be loaded properly on Red Hat Enterprise Linux 6.3. Consequently, the system can become unresponsive. To work around this problem, use the pci=nomsi kernel parameter before installing the driver from the ISO.
lvm2 component, BZ#832392 - When issue_discards=1 is configured in the /etc/lvm/lvm.conf file, moving physical volumes with the pvmove command results in data loss. To work around this issue, ensure that issue_discards=0 is set in your lvm.conf file before moving any physical volumes.
lvm2 component, BZ#832033 - When using the lvmetad daemon (currently a Technology Preview), avoid passing the --test argument to commands. Using the --test argument may lead to inconsistencies in the cache that lvmetad maintains. This issue will be fixed in a future release. If the --test argument has been used, fix any problems by restarting the lvmetad daemon.
lvm2 component, BZ#820229 - It is not possible to rename thin logical volumes using tools provided in the current LVM2 release. The rename operation returns the following error:
lvrename Cannot rename <volume_name>: name format not recognized for internal LV <pool_name>
This issue will be fixed in the next LVM2 release.
device-mapper-multipath component - Multipath's queue_without_daemon yes default option queues I/O even though all iSCSI links have been disconnected when the system is shut down, which causes LVM to become unresponsive when scanning all block devices. As a result, the system cannot be shut down. To work around this issue, add the following line to the defaults section of /etc/multipath.conf:
queue_without_daemon no
initscripts component - Running the file system check (fsck) on an NFS-mounted file system fails, and causes the system to fail to boot and drop into a shell. To work around this issue, disable fsck on any /boot partitions by setting the sixth value of the /boot entry in /etc/fstab to 0.
kernel component, BZ#606260 - The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
lvm2 component - The dracut utility currently only supports one Fibre Channel over Ethernet (FCoE) connection to be used to boot from the root device. Consequently, booting from a root device that spans multiple FCoE devices (for example, using RAID, LVM or similar techniques) is not possible.
lvm2 component - The pvmove command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
or
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>
3.6. Networking
kernel component - Some e1000e NICs may not get an IPv4 address assigned after the system is rebooted. To work around this issue, add the following line to the /etc/sysconfig/network-scripts/ifcfg-eth<X> file:
LINKDELAY=10
NetworkManager component, BZ#758076 - If a Certificate Authority (CA) certificate is not selected when configuring an 802.1x or WPA-Enterprise connection, a dialog appears indicating that a missing CA certificate is a security risk. This dialog presents two options: ignore the missing CA certificate and proceed with the insecure connection, or choose a CA certificate. If the user elects to choose a CA certificate, this dialog disappears and the user may select the CA certificate in the original configuration dialog.
samba component - The Samba versions shipped with Red Hat Enterprise Linux 6.3 are not able to fully control the user and group database when using the ldapsam_compat back end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The ldapsam_compat back end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new ldapsam back end and the new LDAP schema. The ldapsam_compat back end lacks various important LDAP attributes and object classes needed to provide full user and group management. In particular, it cannot allocate user and group IDs. The Red Hat Enterprise Linux Reference Guide points out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema. When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the ldapsam_compat back end with their existing LDAP setup even though all the above restrictions apply.
kernel component, BZ#816888 - Running the QFQ queuing discipline in a virtual guest eventually results in a kernel panic.
kernel component - Because Red Hat Enterprise Linux 6.3 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC 3704. For more information about this issue, refer to /usr/share/doc/kernel-doc-<version>/Documentation/networking/ip-sysctl.txt and https://access.redhat.com/site/solutions/53031.
perftest component - The rdma_bw and rdma_lat utilities (provided by the perftest package) are now deprecated and will be removed from the perftest package in a future update. Users should use the following utilities instead: ib_write_bw, ib_write_lat, ib_read_bw, and ib_read_lat.
3.7. Clustering
corosync component, BZ#722469 - A double ring failure results in the spinning of the corosync process. Also, because DLM relies on SCTP, which is non-functional, many features of the cluster software that rely on DLM do not work properly.
luci component, BZ#615898 - luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has ricci version 0.12.2-14.
3.8. Authentication
- Identity Management component
- When using the Identity Management WebUI in the Internet Explorer browser, you may encounter the following issues:
- While the browser window is not maximized or many users are logged into the WebUI, scrolling down a page to select a user may not work properly. As soon as the user's checkbox is selected, the scroll bar jumps back up without selecting the user. This error also occurs when a permission is added to a privilege. (BZ#831299)
- When attempting to edit a service, the edit page for that service may occasionally be blank, or show only labels for Principal or Service without showing their values. When adding a service, under certain conditions, the drop-down menu lists the available services and hosts but users are unable to select any of the entries. (BZ#831227)
- When adding a permission of type subtree, the text area to specify the subtree is too small and non-resizable, making it difficult to enter long subtree entries. (BZ#830817)
- When adding a delegation, its attributes are separated by disproportionately large vertical spaces. (BZ#829899)
- When adding a member, the edge of the displayed window suggests it can be resized. However, resizing of the window does not work. When adding a Sudo Command to a Sudo Command group, the first group overlays with the column title. (BZ#829746)
- Adding a new DNS zone causes the window to be incorrectly rendered as text on the existing page. (BZ#827583)
- Identity Management component, BZ#826973
- When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in two stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, the signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (O=$REALM, where $REALM is the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the --subject option is specified. To work around this issue, add the following option for the second stage of the installation:
--subject "O=$REALM"
where $REALM is the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. With this workaround, the certificate subject validation procedure succeeds and the installation continues as expected.
- Identity Management component, BZ#822350
- When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain the Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the ipa passwd command. When reset, the user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
- Identity Management component
- In the Identity Management WebUI, deleting a DNS record may, under some circumstances, leave it visible on the page showing DNS records. This is only a display issue and does not affect the functionality of DNS records in any way.
- Identity Management component, BZ#783502
- The Identity Management permission plug-in does not verify that the set of attributes specified for a new permission is relevant to the target object type that the permission allows access to. This means a user is able to create a permission which allows access to attributes that will never be present in the target object type because such attributes are not allowed in its object classes. You must ensure that the chosen set of attributes to which a new permission grants access is relevant to the chosen target object type.
- Identity Management component, BZ#790513
- The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the ipa-client-install setup script. To work around this issue, install the policycoreutils package manually:
~]# yum install policycoreutils
- Identity Management component, BZ#813376
- Updating the Identity Management LDAP configuration via ipa-ldap-updater fails with a traceback error when executed by a non-root user, because the SASL EXTERNAL bind requires root privileges. To work around this issue, run the command as the root user.
- Identity Management component, BZ#794882
- With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the netgroup-find option to search for external hosts. Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
- Identity Management component, BZ#786629
- Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The filter, subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
sssd component, BZ#808063 - The manpage entry for the ldap_disable_paging option in the sssd-ldap man page does not indicate that it accepts the boolean values True or False, defaulting to False if it is not explicitly specified.
- Identity Management component, BZ#812127
- Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have to be used to manually clean up that entry.
- Identity Management component, BZ#812122
- Identity Management sudo commands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
~]$ ipa sudocmd-add /usr/bin/X
⋮
~]$ ipa sudocmd-add /usr/bin/x
ipa: ERROR: sudo command with name "/usr/bin/x" already exists
- Identity Management component
- Identity Management and the mod_ssl module should not be installed on the same system; otherwise Identity Management is unable to issue certificates because mod_ssl holds the mod_proxy hooks. To work around this issue, uninstall mod_ssl.
- Identity Management component
- When an Identity Management server is installed with a custom hostname that is not resolvable, the ipa-server-install command should add a record to the static hostname lookup table in /etc/hosts and enable further configuration of Identity Management integrated services. However, a record is not added to /etc/hosts when an IP address is passed as a CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
- Run ipa-server-install without the --ip-address option and pass the IP address interactively.
- Add a record to /etc/hosts before the installation is started. The record should contain the Identity Management server IP address and its full hostname (the hosts(5) man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
sssd component, BZ#750922 - Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the \, character sequence. The most likely example of this is an invalid memberUID entry in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same attribute. If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
Warning
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of all entries (including cached credentials).
sssd component, BZ#751314 - When a group contains certain incorrect multi-valued memberUID values, SSSD fails to sanitize the values properly. The memberUID value should only contain one username. As a result, SSSD creates incorrect users, using the broken memberUID values as their usernames. This, for example, causes problems during cache indexing.
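The following Python is an added example, not part of the Technical Notes: it scans an LDIF export of LDAP groups for the multi-user memberUID values that this entry and the BZ#750922 entry above describe, and builds an ldapmodify record that splits each offending value into one memberUID per user. The sample LDIF, the user-name pattern and the function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample LDIF (not real directory data): one well-formed group and
# one group whose memberUid value packs two user names into a single value.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 1000
memberUid: alice
memberUid: bob

dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
gidNumber: 1001
memberUid: carol,dave
memberUid: erin
"""

# Assumed rule for this check: a memberUid value is exactly one POSIX user
# name. A comma inside the value is what ends up escaped as "\," in the DN of
# the entry SSSD stores in its ldb cache.
VALID_USERNAME = re.compile(r"^[A-Za-z0-9._-]+$")

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, splits records on blank
    lines, lower-cases attribute names and skips comments and base64 values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:        # sentinel flushes the last record
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):   # malformed or "attr:: base64"
            continue
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def find_bad_memberuids(entries: List[Entry]) -> List[dict]:
    """Report every memberUid value that is not a single plain user name."""
    findings = []
    for entry in entries:
        values = entry.get("memberuid", [])
        for value in values:
            if VALID_USERNAME.match(value):
                continue
            users = [u.strip() for u in value.split(",") if u.strip()]
            findings.append({
                "dn": entry.get("dn", ["<no dn>"])[0],
                "value": value,
                "users": users,
                "existing": set(values) - {value},   # values already present
            })
    return findings


def remediation_ldif(findings: List[dict]) -> str:
    """Build ldapmodify records that drop each broken value and add one
    memberUid per user, skipping users the group already lists."""
    records = []
    for finding in findings:
        lines = [f"dn: {finding['dn']}", "changetype: modify",
                 "delete: memberUid", f"memberUid: {finding['value']}"]
        new_users = [u for u in finding["users"]
                     if VALID_USERNAME.match(u) and u not in finding["existing"]]
        if new_users:   # an "add" with no values would be an invalid record
            lines += ["-", "add: memberUid"]
            lines += [f"memberUid: {u}" for u in new_users]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    bad = find_bad_memberuids(parse_ldif(SAMPLE_LDIF))
    for finding in bad:
        print(f"{finding['dn']}: memberUid {finding['value']!r} "
              f"holds {len(finding['users'])} users")
    print(remediation_ldif(bad))
```

Run it against an export such as the output of ldapsearch in LDIF form and review the generated change records before feeding them to ldapmodify.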
- Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers; however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
- Identity Management component
- The Identity Management (ipa) package cannot be built with a 6ComputeNode subscription.
- Identity Management component
- On the configuration page of the Identity Management WebUI, if the User search field is left blank and the search button is clicked, an internal error is returned.
sssd component, BZ#741264 - Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information. To work around this issue, disable referral-chasing by setting the following parameter in the [domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
3.9. Devices
ipmitool component - Not specifying the -N option when setting retransmission intervals of IPMI messages over the LAN or LANplus interface may cause various error messages to be returned. For example:
~]# ipmitool -I lanplus -H $HOST -U root -P $PASS sensor list
Unable to renew SDR reservation
Close Session command failed: Reservation cancelled or invalid
~]# ipmitool -I lanplus -H $HOST -U root -P $PASS delloem powermonitor
Error getting power management information, return code c1
Close Session command failed: Invalid command
ipmitool component - The ipmitool may crash in certain cases. For example, when an incorrect password is used, a segmentation fault occurs:
~]# ipmitool -I lanplus -H $HOST -U root -P wrongpass delloem powermonitor
Error: Unable to establish IPMI v2 / RMCP+ session
Segmentation fault (core dumped)
kernel component - Unloading the be2net driver with a Virtual Function (VF) attached to a virtual guest results in a kernel panic.
kernel component - The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the sg_scan command) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
kernel component - iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.3. These two features, which are provided by the bnx2i and bnx2fc Broadcom drivers, remain a Technology Preview until further notice.
kexec-tools component - Starting with Red Hat Enterprise Linux 6.0, kexec kdump supports dumping core to the Btrfs file system. However, because the findfs utility in busybox does not support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL syntax when dumping core to Btrfs file systems.
busybox component - When running kdump in a busybox environment and dumping to a Btrfs file system, you may receive the following error message:
/etc/kdump.conf: Unsupported type btrfs
However, Btrfs is supported as a kdump target. To work around this issue, install the btrfs-progs package, verify that the /sbin/btrfsck file exists, and retry.
trace-cmd component - The trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because the sys_enter and sys_exit events do not get enabled on those systems.
trace-cmd component - trace-cmd's report subcommand does not work on IBM System z systems, because the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z systems.
tuned component - Red Hat Enterprise Linux 6.1 and later enter processor power-saving states more aggressively. This may result in a small performance penalty on certain workloads. This functionality may be disabled at boot time by passing the intel_idle.max_cstate=0 parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component - Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component - The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre Channel and FCoE SANs in compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component - The recommended minimum HBA firmware revision for use with the mpt2sas driver is "Phase 5 firmware" (that is, with a version number of the form 05.xx.xx.xx). Note that following this recommendation is especially important in complex SAS configurations involving multiple SAS expanders.
3.10. Kernel
kernel component - The Intel Xeon E5-XXXX V2 Series Processor running on the C600 chipset is not supported in Red Hat Enterprise Linux 6.3. The kernel may therefore report an "unsupported hardware" message.
kernel component - The Red Hat Enterprise Linux 6.3 kernels upgraded the mlx4 modules to a later version. If the modules are used together with, for example, the HP InfiniBand Enablement Kit, the behavior is different. Consequently, certain Mellanox cards do not come up with network interfaces on Red Hat Enterprise Linux 6.3. To work around this problem, the mlx4_core module has to be loaded with the port_type_array option set to 2 for each InfiniBand card in use. Follow this example to manually load the driver for two cards in the system:
~]# rmmod mlx4_en
~]# rmmod mlx4_core
~]# modprobe mlx4_core port_type_array=2,2
~]# modprobe mlx4_en
~]# ip a
The last of the above commands shows the new interfaces. To have these parameters applied by the system whenever the modules are loaded, run:
~]# echo 'options mlx4_core port_type_array=2,2' >/etc/modprobe.d/mlx4_core.conf
kernel component - When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after installation fails because the Chelsio iSCSI HBA is not properly detected. To work around this issue, add the iscsi_firmware parameter to the kernel command line in grub. This signals dracut to boot from the iSCSI HBA.
kernel component - In Red Hat Enterprise Linux 6.3, three module parameters (num_lro, rss_mask, and rss_xor) that were supported by older versions of the mlx4_en driver have become obsolete and are no longer used. If you supply these parameters, the Red Hat Enterprise Linux 6.3 driver ignores them and logs a warning.
kernel component - Due to a race condition, in certain cases, writes to RAID4/5/6 while the array is reconstructing could hang the system.
kernel component - The installation of Red Hat Enterprise Linux 6.3 i386 may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
vmalloc=256MB
kernel component - If a device reports an error while it is open (via the open(2) system call), and the device is then closed (via the close(2) system call), the /dev/disk/by-id link for the device may be removed. When the problem that caused the error is resolved, the by-id link is not re-created. To work around this issue, run the following command:
~]# echo 'change' > /sys/class/block/sdX/uevent
kernel component - Platforms with BIOS/UEFI that are unaware of PCI-e SR-IOV capabilities may fail to enable virtual functions.
kernel component - When an HBA that uses the mpt2sas driver is connected to storage through an LSI SAS 6160 SAS switch, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of the firmware for the LSI SAS 6160 switch.
kernel component, BZ#690523 - If the appropriate SCSI device handlers (scsi_dh modules) are not available when the storage driver (for example, lpfc) is first loaded, I/O operations may be issued to SCSI multipath devices that are not ready for them. This can result in significant delays during system boot and excessive I/O error messages in the kernel log. Provided the storage driver is loaded before multipathd is started (which is the default behavior), users can work around this issue by making sure the appropriate scsi_dh modules are available, by specifying one of the following kernel command line parameters, which dracut consumes:
rdloaddriver=scsi_dh_emc
rdloaddriver=scsi_dh_rdac,scsi_dh_hp_sw
rdloaddriver=scsi_dh_emc,scsi_dh_rdac,scsi_dh_alua
The order of the listed scsi_dh modules does not matter. Specifying one of the above parameters causes the scsi_dh module(s) to load before the storage driver is loaded or multipath is started.
kernel component, BZ#745713 - In some cases, Red Hat Enterprise Linux 6 guests running fully virtualized under Red Hat Enterprise Linux 5 experience time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with a different clock speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the nohpet parameter or, alternatively, the clocksource=jiffies parameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the configuration file for the guest and add the hpet=0 parameter to it.
kernel component - On some systems, Xen fully virtualized guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAM
The memory trimming can be avoided with the disable_mtrr_trim kernel command line option.
kernel component - The perf record command becomes unresponsive when a tracepoint event and a hardware event are specified at the same time.
kernel component - On 64-bit PowerPC, the following command may cause a kernel panic:
~]# ./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
kernel component - Applications are increasingly using more than 1024 file descriptors. Increasing the default soft limit on file descriptors is not recommended, because it may break applications that use the select() call. It is, however, safe to increase the default hard limit; applications that require a large number of file descriptors can then raise their own soft limit without root privileges and without any user intervention.
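The following Python example, added here and not part of the Red Hat notes, shows both halves of that recommendation: a process raising its own soft RLIMIT_NOFILE up to the hard limit without any privilege, and select() refusing any descriptor numbered at or above FD_SETSIZE (1024 on Linux), which is the breakage a raised soft limit can expose in select()-based programs. The 4096 target and the descriptor numbers used in the demonstration are arbitrary values chosen for the example.

```python
import resource
import select

# glibc's fd_set holds FD_SETSIZE descriptors; select() cannot watch a descriptor
# numbered >= this, which is why raising the default soft nofile limit can break
# programs that still use select() once they open more than 1024 descriptors.
FD_SETSIZE = 1024


def current_nofile_limits():
    """Return (soft, hard) RLIMIT_NOFILE for this process."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def raise_soft_nofile(wanted):
    """Raise the soft descriptor limit to `wanted`, capped at the hard limit.

    Raising the soft limit up to (but not beyond) the hard limit needs no
    privilege, which is the scenario described above: the administrator raises
    the hard limit, and the application raises its own soft limit as needed.
    Returns the soft limit in effect afterwards.
    """
    _, hard = current_nofile_limits()
    if hard == resource.RLIM_INFINITY:
        target = wanted
    else:
        target = min(wanted, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    return current_nofile_limits()[0]


def select_accepts_fd(fd):
    """True if select() can watch descriptor number `fd`, False if the number
    does not fit in an fd_set.  CPython rejects such numbers with ValueError
    before touching the descriptor, so this works even for numbers that are
    not open in this process (those fail later with EBADF, which is a different
    problem and is reported here as True)."""
    try:
        select.select([fd], [], [], 0)
    except ValueError:
        return False
    except OSError:
        # EBADF: representable in an fd_set, merely not open here.
        return True
    return True


if __name__ == "__main__":
    print("soft/hard before:", current_nofile_limits())
    print("soft after raise_soft_nofile(4096):", raise_soft_nofile(4096))
    for fd in (0, FD_SETSIZE - 1, FD_SETSIZE, 2000):
        print("select() accepts fd %d: %s" % (fd, select_accepts_fd(fd)))
```

Run as root with a raised hard limit (for example via /etc/security/limits.conf) and the soft limit climbs to 4096; with the default hard limit of 1024 it stays there, and in either case select() refuses descriptor 1024 and above, which is exactly why the soft default is left alone.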
kernel component, BZ#770545 - In Red Hat Enterprise Linux 6.2 and Red Hat Enterprise Linux 6.3, the default value for sysctl vm.zone_reclaim_mode is now 0, whereas in Red Hat Enterprise Linux 6.1 it was 1.
kernel
component - Using ALSA with an HDA Intel sound card and the Conexant CX20585 codec causes sound and recording failures. To work around this issue, add the following line to the /etc/modprobe.d/dist-alsa.conf file:
options snd-hda-intel model=thinkpad
kernel component - In network-only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous link-up/link-down condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
To work around this issue, unload the Brocade bfa driver.
kernel component - The lpfc driver is deprecating the sysfs mbox interface, as it is no longer used by the Emulex tools. Reads and writes are now stubbed out and only return -EPERM (Operation not permitted).
kernel component - In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) causes the kdump kernel to fail to scan for SCSI devices. It is usually triggered when a large amount of I/O operations is pending on the controller in the first kernel before a kdump is performed.
kernel component, BZ#679262 - In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
kernel component - Superfluous information is displayed on the console when a correctable machine check error occurs. This information can be safely ignored. Machine check error reporting can be disabled with the nomce kernel boot option, which disables all machine check error reporting, or with the mce=ignore_ce kernel boot option, which disables only correctable machine check error reporting.
kernel component - The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation is the intended device. One way to assure the correctness of device names is, in some configurations, to determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release, to ensure that the device name is as expected. The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add the pci=bfsort parameter to the kernel command line, and check again.
kernel component - Enabling CHAP (Challenge-Handshake Authentication Protocol) on an iSCSI target for the be2iscsi driver results in a kernel panic. To work around this issue, disable CHAP on the iSCSI target.
kernel component - Newer VPD (Vital Product Data) blocks can exceed the size the tg3 driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, the nvram test fails when running the ethtool -t command on BCM5719 and BCM5720 Ethernet Controllers.
kernel component - Running the ethtool -t command on BCM5720 Ethernet controllers causes a loopback test failure because the tg3 driver does not wait long enough for a link.
kernel component - The tg3 driver in Red Hat Enterprise Linux 6.2 does not include support for Jumbo frames and TSO (TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a result, the following error message is returned when attempting to configure, for example, Jumbo frames:
SIOCSIFMTU: Invalid argument
kernel component - The default interrupt configuration for the Emulex LPFC FC/FCoE driver has changed from INT-X to MSI-X. This is reflected by the lpfc_use_msi module parameter (in /sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of the previous 0. Two issues motivate this change: SR-IOV capability only works with the MSI-X interrupt mode, and certain recent platforms only support MSI or MSI-X. However, the change to the LPFC default interrupt mode can bring out host problems where MSI/MSI-X support is not fully functional. Other host problems can exist when running in the INT-X mode. If any of the following symptoms occur after upgrading to, or installing, Red Hat Enterprise Linux 6.2 with an Emulex LPFC adapter in the system, change the value of the lpfc module parameter lpfc_use_msi to 0:
- The initialization or attachment of the lpfc adapter may fail with mailbox errors. As a result, the lpfc adapter is not configured on the system. The following messages appear in /var/log/messages:
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0
lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0
lpfc 0000:04:08.0: 0:1477 Failed to set up hba
ACPI: PCI interrupt for device 0000:04:08.0 disabled
- While the lpfc adapter is operating, it may fail with mailbox errors, resulting in the inability to access certain devices. The following messages appear in /var/log/messages:
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00
lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout
lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
- Performing a warm reboot causes any subsequent boots to halt or stop because the BIOS is detecting the lpfc adapter. The system BIOS logs the following messages:
Installing Emulex BIOS ......
Bringing the Link up, Please wait...
Bringing the Link up, Please wait...
kernel component - The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This includes the boot firmware which is flashed in the option ROM on the adapter itself.
kernel component, BZ#683012 - High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
kernel component - Triggering kdump to capture a vmcore over the network using the Intel 82575EB Ethernet device in a 32-bit environment causes the networking driver to malfunction in the kdump kernel, which prevents the vmcore from being captured.
kernel component - Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle. To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/
case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
kernel component - In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem. Consequently, during boot, the perf subsystem takes control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enable nmi_watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911 - Due to the way ftrace modifies code during start-up, the NMI watchdog causes too much noise and ftrace cannot find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues return error messages similar to
BUG: NMI Watchdog detected LOCKUP
and have either ftrace_modify_code or ipi_handler in the backtrace. To work around this issue, disable the NMI watchdog by setting the nmi_watchdog=0 kernel parameter, or by using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component - On 64-bit POWER systems the EHEA NIC driver fails when attempting to dump a vmcore via NFS. To work around this issue, use other kdump facilities, for example dumping to the local file system or dumping over SSH.
kernel component, BZ#587909 - A BIOS-emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
kernel component - The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either the nmi_watchdog=2 or the nmi_watchdog=lapic parameter. The parameter nmi_watchdog=1 is not supported.
kernel component - The kernel parameter pci=noioapicquirk is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. The parameter is not required when installing the 64-bit variant.
3.11. Desktop
libwacom component - The Lenovo X220 Tablet touchscreen is not supported in the kernel shipped with Red Hat Enterprise Linux 6.3.
wacomcpl package, BZ#769466 - The wacomcpl package has been deprecated and removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
gnome-settings-daemon component, BZ#826128 - On some tablets, using the NVIDIA graphics drivers to configure TwinView causes tablet motions to be incorrectly mapped to the laptop screen instead of the tablet itself. Using the stylus on the tablet moves the cursor on the laptop screen.
acroread component - On an AMD64 system that uses SSSD for user information, acroread fails to start if the sssd-client.i686 package is not installed. To work around this issue, manually install the sssd-client.i686 package.
kernel component, BZ#681257 - With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd component - When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication becomes available.
evolution component - Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods described above.
anaconda component - The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. To change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.
xorg-x11-server component, BZ#623169 - In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.
3.12. Tools
matahari component - The Matahari agent framework (matahari-*) packages are deprecated starting with the Red Hat Enterprise Linux 6.3 release. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users. It is strongly recommended that users discontinue the use of the matahari packages and other packages which depend on the Matahari infrastructure (specifically, libvirt-qmf and fence-virtd-libvirt-qpid). It is recommended that users uninstall Matahari from their systems to remove any possibility of security issues being exposed. Users who choose to continue to use the Matahari agents should note the following:
- The matahari packages are not installed by default starting with Red Hat Enterprise Linux 6.3, and when installed they are not enabled by default to start on boot. Manual action is needed to both install and enable the matahari services.
- The default configuration for qpid (the transport agent used by Matahari) does not enable access control lists (ACLs) or SSL. Without ACLs/SSL, the Matahari infrastructure is not secure. Configuring Matahari without ACLs/SSL is not recommended and may reduce your system's security.
- The matahari-services agent is specifically designed to allow remote manipulation of services (start, stop). Granting a user access to Matahari services is equivalent to providing a remote user with root access. Using Matahari agents should be treated as equivalent to providing remote root SSH access to a host.
- By default in Red Hat Enterprise Linux, the Matahari broker (qpidd running on port 49000) does not require authentication. However, the Matahari broker is not remotely accessible unless the firewall is disabled, or a rule is added to make it accessible. Given the capabilities exposed by Matahari agents, if Matahari is enabled, system administrators should be extremely cautious with the options that affect remote access to Matahari.
Note that Matahari will not be shipped in future releases of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7), and may be considered for formal removal in a future release of Red Hat Enterprise Linux 6.
libreport
component - An error in the default libreport configuration causes the following warning message to appear during problem reporting:
/bin/sh: line 4: reporter-bugzilla: command not found
This warning message has no effect on the functionality of libreport. To prevent the warning message from being displayed, replace the following lines in the /etc/libreport/events.d/ccpp_event.conf file:
abrt-action-analyze-backtrace &&
(
    bug_id=$(reporter-bugzilla -h `cat duphash`) &&
    if test -n "$bug_id"; then
        abrt-bodhi -r -b $bug_id
    fi
)
with:
abrt-action-analyze-backtrace
irqbalance component, BZ#813078 - The irqbalance(1) man page does not contain documentation for the IRQBALANCE_BANNED_CPUS and IRQBALANCE_BANNED_INTERRUPTS environment variables. The following documentation will be added to this man page in a future release:
IRQBALANCE_BANNED_CPUS
Provides a mask of CPUs which irqbalance should ignore and never assign interrupts to. This is a hex mask without the leading '0x'; on systems with large numbers of processors, each group of eight hex digits is separated by a comma ','. For example, `export IRQBALANCE_BANNED_CPUS=fc0` would prevent irqbalance from assigning IRQs to the 7th-12th CPUs (cpu6-cpu11), and `export IRQBALANCE_BANNED_CPUS=ff000000,00000001` would prevent irqbalance from assigning IRQs to the 1st (cpu0) and 57th-64th CPUs (cpu56-cpu63).
IRQBALANCE_BANNED_INTERRUPTS
Space-separated list of integer IRQs which irqbalance should ignore and never change the affinity of. For example, export IRQBALANCE_BANNED_INTERRUPTS="205 217 225"
rsyslog component - rsyslog does not reload its configuration after a SIGHUP signal is issued. To reload the configuration, the rsyslog daemon needs to be restarted:
~]# service rsyslog restart
parted component - The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volume (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non-EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.
Chapter 4. New Packages
Note
- [Updated 9 June 2012]
- This advisory has been updated to reflect the fact that java-1.7.0-openjdk is fully supported and no longer claims that java-1.7.0-openjdk is a Technology Preview feature. The packages included in this revised update have not been changed in any way from the packages included in the previous version of this advisory.
Note
- RHEL AUS Server (v. 6.2 for 64-bit x86_64)
- RHEL EUS Server (v. 6.2.z for 64-bit x86_64)
- Red Hat Enterprise Linux Client (v. 6 for 64-bit x86_64)
- Red Hat Enterprise Linux Compute Node (v. 6 for x86_64)
- Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64)
- Red Hat Enterprise Linux Workstation (v. 6 for x86_64)
- HP Smart Array Controllers
Chapter 5. Package Updates
5.1. 389-ds-base
Bug Fixes
- BZ#834096
- Prior to this update, simultaneous updates that included deleting an attribute in an entry could cause the domain directory server to abort with a segmentation fault. This update checks whether a modified attribute entry has a NULL value. Now, the server handles simultaneous updates as expected.
- BZ#836251
- Prior to this update, the get_entry function did not accept a NULL pblock. As a consequence, the Account Usability feature did not return the correct information about user account expiration and locked status. This update modifies the underlying code so that the get_entry function now accepts a NULL pblock.
Security Fixes
- CVE-2012-2678
- A flaw was found in the way 389 Directory Server handled password changes. If an LDAP user has changed their password, and the directory server has not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute.
- CVE-2012-2746
- It was found that when the password for an LDAP user was changed, and audit logging was enabled (it is disabled by default), the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on" (the default option), prevents 389 Directory Server from writing plain text passwords to the audit log. This option can be configured in /etc/dirsrv/slapd-ID/dse.ldif.
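As an added example (not part of the 389-ds-base update or of 389 Directory Server itself), the following Python check reads a dse.ldif and reports the combination CVE-2012-2746 describes: audit logging switched on while nsslapd-auditlog-logging-hide-unhashed-pw is not "on". The two dse.ldif fragments are constructed for the example; nsslapd-auditlog-logging-enabled is the 389 Directory Server attribute that switches the audit log on and is not mentioned in the advisory text above. The parser is deliberately minimal (continuation lines and comments are handled, base64 values are left undecoded), which is enough for the cn=config entry.

```python
"""Audit a 389 Directory Server dse.ldif for clear-text passwords in the audit log."""

# Constructed sample: audit logging on, the new attribute explicitly "off",
# i.e. the state in which changed passwords land in the audit log in clear text.
WEAK_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-auditlog: /var/log/dirsrv/slapd-example/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-logging-hide-unhashed-pw: off
"""

# Constructed sample: the setting this update introduces, switched on.
HARDENED_DSE_LDIF = WEAK_DSE_LDIF.replace("hide-unhashed-pw: off",
                                          "hide-unhashed-pw: on")


def parse_ldif_entries(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}) tuples.

    Handles comment lines, blank-line separated entries and continuation lines
    (a leading single space).  Attribute names are lower-cased; "attr:: base64"
    values are kept as-is, undecoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries = []
    dn, attrs = None, {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.lstrip(":").strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def audit_log_password_exposure(dse_ldif_text):
    """Return a list of findings about password exposure via the audit log.

    Only the cn=config entry is inspected.  An empty list means the audit log
    is either off or protected by nsslapd-auditlog-logging-hide-unhashed-pw.
    """
    findings = []
    for dn, attrs in parse_ldif_entries(dse_ldif_text):
        if dn.lower() != "cn=config":
            continue
        enabled = attrs.get("nsslapd-auditlog-logging-enabled", ["off"])[0].lower()
        hide = attrs.get("nsslapd-auditlog-logging-hide-unhashed-pw")
        if enabled != "on":
            return findings                 # nothing is written to the audit log
        if hide is None:
            findings.append("nsslapd-auditlog-logging-hide-unhashed-pw not set: "
                            "relies on the server default (on from this update, "
                            "clear-text passwords on older builds)")
        elif hide[0].lower() != "on":
            findings.append("audit log enabled with unhashed passwords visible; "
                            "set nsslapd-auditlog-logging-hide-unhashed-pw: on")
        return findings
    return ["no cn=config entry found"]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DSE_LDIF), ("hardened", HARDENED_DSE_LDIF)):
        print(label, "->", audit_log_password_exposure(text) or "ok")
```

To run it against a live instance, read /etc/dirsrv/slapd-ID/dse.ldif (as root, since the file is not world-readable) and pass its contents to audit_log_password_exposure; a server older than this update logs the password regardless of the attribute, which is why an absent attribute is reported rather than assumed safe.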
Note
Security Fix
- CVE-2012-0833
- A flaw was found in the way the 389 Directory Server daemon (ns-slapd) handled access control instructions (ACIs) using certificate groups. If an LDAP user that had a certificate group defined attempted to bind to the directory server, it would cause ns-slapd to enter an infinite loop and consume an excessive amount of CPU time.
Bug Fixes
- BZ#743979
- Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. Consequently, the server sometimes stopped responding to requests under heavy loads. This update replaces the original locking mechanism with the POSIX (Portable Operating System Interface) read/write locking mechanism. The server is now always responsive under heavy loads.
- BZ#745201
- Previously, Distinguished Names (DNs) were not included in access log records of LDAP compare operations. Consequently, this information was missing in the access logs. This update modifies the underlying source code so that DNs are logged and can be found in the access logs.
- BZ#752577
- Previously, when 389 Directory Server was under heavy load and operating in a congested network, problems with client connections sometimes occurred. When there was a connection problem while the server was sending Simple Paged Result (SPR) search results to the client, the LDAP server called a cleanup routine incorrectly. Consequently, a memory leak occurred and the server terminated unexpectedly. This update fixes the underlying source code to ensure that cleanup tasks are run correctly and no memory leaks occur. As a result, the server does not terminate or become unresponsive under heavy loads while servicing SPR requests.
- BZ#757897
- Previously, certain operations with the Change Sequence Number (CSN) were not performed efficiently by the server. Consequently, the ns-slapd daemon consumed up to 100% of CPU time when performing a large number of CSN operations during content replication. With this update, the underlying source code has been modified to perform the CSN operations efficiently. As a result, large numbers of CSN operations can be performed during content replications without any performance issues.
- BZ#757898
- Previously, allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method when checking the Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. Memory leaks no longer occur and the LDAP server no longer crashes in this scenario.
- BZ#759301
- Previously, 389 Directory Server did not handle the Entry USN (Update Sequence Number) index correctly. Consequently, the index sometimes became out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the underlying source code of the Entry USN plug-in. As a result, the Entry USN index is now handled by the server correctly.
- BZ#772777
- Previously, search filter attributes were normalized and substring regular expressions were compiled repeatedly for every entry in the search result set. Consequently, using search filters with many attributes and substring subfilters resulted in poor search performance. This update ensures that search filters are pre-compiled and pre-normalized before being applied. These changes result in better search performance when applying search filters with many attributes and substring subfilters.
- BZ#772778
- Previously, the number of ACIs (Access Control Information records) to be cached was limited to 200. Consequently, evaluating a Directory Server entry against more than 200 ACIs failed with the following error message:
acl_TestRights - cache overflown
This update increases the default ACI cache limit to 2000 and allows it to be configured by means of the new parameter nsslapd-aclpb-max-selected-acls in the configuration file entry "cn=ACL Plugin,cn=plugins,cn=config". As a result, the aforementioned error message is not displayed unless the new limit is exceeded, and it is now possible to change the limit when needed.
- BZ#772779
- Previously, the restore command contained a code path leading to an infinite loop. Consequently, 389 Directory Server sometimes became unresponsive when performing a restore from a database backup. This update removes the infinite loop code path from the underlying source code. As a result, the server does not stop responding when performing a database restore.
- BZ#781485
- Previously, performing the ldapmodify operation to modify RUV (Replica Update Vector) entries was allowed. Consequently, 389 Directory Server became unresponsive when performing such operations. This update disallows direct modification of RUV entries. As a result, the server does not stop responding when performing such operations, and returns an error message advising usage of the CLEANRUV operation instead.
- BZ#781495
- Previously, to identify restart events of 389 Directory Server, the logconv.pl script searched server logs for the "conn=0 fd=" string. Consequently, the script reported a wrong number of server restarts. This update modifies the script to search for the "conn=1 fd=" string instead. As a result, the correct number of server restarts is now returned.
- BZ#781500
- When reloading a database from an LDIF (LDAP Data Interchange Format) file that contained an RUV element with an obsolete or decommissioned replication master, the changelog was invalidated. As a consequence, 389 Directory Server emitted error messages and required re-initialization. This update ensures that the user is properly informed about obsolete or decommissioned replication masters, and that such masters are deleted from the RUV entries. The database is now reloaded as expected in this scenario.
- BZ#781516
- Previously, when a non-leaf node became a tombstone entry, its child entries lost the parent-child relationships. Consequently, non-leaf tombstone entries could have been reaped prior to their child tombstone entries. This update fixes the underlying source code so that parent-child relationships are maintained even when a non-leaf entry is deleted. As a result, tombstones are now reaped correctly in the bottom-up order.
- BZ#781529
- Previously, no validation of managed entry attributes against the managed entry template was performed before updating 389 Directory Server's managed entries. Consequently, managed entries could have been updated after updating an original entry attribute that was not contained in the managed entry template. This update adds a check that compares modified attributes with managed entry template attributes. As a result, the managed entries are not updated unless the modified attributes of the original entry are contained in the managed entry template.
- BZ#781533
- Previously, 389 Directory Server did not shut down before all running tasks had been completed. Consequently, it sometimes took a long time for the Directory Server to shut down when a long-running task was being carried out. This update enhances the underlying source code with a check for server shutdown requests during performance of long-running tasks. As a result, the server shuts down in a standard amount of time even when a long-running task is being processed.
- BZ#781537
- Previously, 389 Directory Server expected the value of the authzid attribute to be fully BER (Basic Encoding Rules) encoded. Consequently, the following error was returned when performing the ldapsearch command with proxy authorization:
unable to parse proxied authorization control (2 (protocol error))
This update modifies the underlying source code so that full BER encoding of the provided authzid value is not required. As a consequence, no error is returned in the scenario described above.
- BZ#781538
- Previously, the buffer for matching rule OIDs (Object Identifiers) had a fixed size of 1024 characters. Consequently, matching rule OIDs got truncated when their total length exceeded 1024 characters. This update modifies the underlying source code to use a dynamically allocated buffer instead of the one with a fixed size. As a result, any number of matching rule OIDs can be handled without being truncated.
- BZ#781539
- Previously, executing the ldapsearch command on the "cn=config" object returned all attributes of the object, including attributes with empty values. This update ensures that attributes with empty values are not saved into "cn=config", and enhances the ldapsearch command with a check for empty attributes. As a result, only attributes that have a value are returned in the aforementioned scenario.
- BZ#781541
- Previously, log records of operations performed using a proxy user contained the main user as the one who performed the operation. This update ensures that the proxy user is logged in log records of the search, add, mod, del, and modrdn operations.
- BZ#784343
- Previously, the database upgrade scripts checked if the server was offline by checking for the presence of .pid files. In some cases, however, the files remain present even if the associated processes have already been terminated. Consequently, the upgrade scripts sometimes assumed that the Directory Server was online and did not proceed with the database upgrade even if the server was actually offline. This update adds an explicit test to check if the processes referenced in the .pid files are really running. As a result, the upgrade scripts now work as expected.
- BZ#784344
- Previously, the repl-monitor command used only the subdomain part of hostnames for host identification. Consequently, hostnames with an identical subdomain part (for example, "ldap.domain1" and "ldap.domain2") were identified as a single host, and inaccurate output was produced. This update ensures that the entire hostname is used for host identification. As a result, all hostnames are identified as separate and the output of the repl-monitor command is accurate.
- BZ#788140
- Previously, the server used unnormalized DN strings to perform internal search and modify operations while the code for modify operations expected normalized DN strings. Consequently, error messages like the following one were logged when performing replication with domain names specified in unnormalized format:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 32
This update ensures that DN strings are normalized before being used in modify operations. As a result, replication does not produce the error messages in the aforementioned scenario.
- BZ#788722
- Previously, the 389-ds-base/ldap/servers/snmp/ directory contained .mib files without copyright headers. Consequently, the files could not be included in certain Linux distributions due to copyright reasons. This update merges information from all such files into the redhat-directory.mib file, which contains the required copyright information, and ensures that it is the only file in the directory. As a result, no copyright issues block 389 Directory Server from being included in any Linux distribution.
- BZ#788724
- Previously, the underlying source code for extensible search filters used strcmp routines for value comparison. Consequently, using extensible search filters with binary data returned incorrect results. This update modifies the underlying source code to use binary-aware functions. As a result, extensible search filters work with binary data correctly.
- BZ#788725
- Previously, value normalization of the search filter did not respect the used filter type and matching rules. Consequently, when using different values than the default comparison type for the searched attribute syntax, search attempts returned incorrect results. This update modifies the underlying source code to use normalization sensitive to matching rules on filter attributes and values. As a result, search results in accordance with the matching rules are returned.
- BZ#788729
- Previously on the Directory Server, tombstones of child entries in a database were handled incorrectly. Therefore, if the database contained deleted entries that were converted to tombstones, an attempt to reindex the entryrdn index failed with the following error message:
_entryrdn_insert_key: Getting "nsuniqueid=ca681083-69f011e0-8115a0d5-f42e0a24,ou=People,dc=example,dc=com" failed
With this update, 389 Directory Server handles tombstones of child entries correctly, and the entryrdn index can now be reindexed successfully with no errors.
- BZ#788731
- Previously, RUV tombstone entries were indexed incorrectly by the entryrdn index. Consequently, attempts to search for such entries were not successful. This update ensures correct indexing of RUV tombstone entries in the entryrdn index, and search attempts for such entries are now successful.
- BZ#788741
- Previously, the DNA (Distributed Numeric Assignment) plug-in used a timeout that was too short for requests to replicate a range of UIDs. Consequently, using replication with DNA to add users sometimes failed on networks with high latency, returning the following error message:
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed
With this update, the default timeout for such replication requests has been set to 10 minutes. As a result, no errors are returned when using replication with DNA to add users, and the operation succeeds.
- BZ#788745
- Previously, change sequence numbers (CSNs) in RUV were not refreshed when a replication role was changed. Consequently, data on the server became inconsistent. This update ensures that CSNs are refreshed when a replication role is changed. As a result, data inconsistency is no longer observed in the previously mentioned cases.
- BZ#788749
- Previously, errors in schema files were not reported clearly in log files. Consequently, the messages could be incorrectly interpreted as reporting an error in the dse.ldif file. This update modifies the error messages so that they include the name of and path to the file where the error was found.
- BZ#788750
- Previously, the server used an outdated version of the nisDomain schema after an upgrade. Consequently, restarting 389 Directory Server after an upgrade produced the following error message:
attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [nisDomain]
This update ensures that the server uses the latest version of the nisDomain schema. As a result, restarting the server after an upgrade does not show any errors.
- BZ#788751
- 389 Directory Server previously did not properly release allocated memory after finishing normalization operations. This caused memory leaks to occur during the server's runtime. This update fixes the underlying code to release allocated memory properly so that memory leaks no longer occur under these circumstances.
- BZ#788753
- Previously, the "connection" attribute was not included in the cn=monitor schema, which caused the access control information (ACI) handling code to ignore the ACI. Consequently, requesting the connection attribute when performing an anonymous search on cn=monitor returned the connection attribute, even though it was denied by the default ACI. This update ensures that the ACI is processed even if the attribute is not in the schema. As a result, the connection attribute is not displayed if the ACI denies it.
- BZ#788754
- Previously, several memory leak errors sometimes occurred during the server's runtime. This update fixes all the memory leak errors so that none of them occur anymore.
- BZ#788755
- Previously, IPv4-mapped IPv6 addresses were treated as independent addresses by 389 Directory Server. Consequently, errors were reported during server startup when such addresses conflicted with standard IPv4 addresses. This update ensures that the IPv4 part of every IPv4-mapped IPv6 address is compared with existing IPv4 addresses. As a result, the server starts with no errors even when IPv4-mapped IPv6 addresses conflict with standard IPv4 addresses.
- BZ#788756
- Previously, the 389-ds-base man pages contained several typos and factual errors. This update corrects the man pages so that they contain correct information and no typos.
- BZ#790491
- Previously, a NULL pointer dereference sometimes occurred when initializing a Directory Server replica. Consequently, the server terminated unexpectedly with a segmentation fault. This update enhances the underlying source code for replica initialization with a check for the NULL value. As a result, replica initialization always finishes successfully.
- BZ#796770
- Previously, a double free error sometimes occurred during operations with orphaned tombstone entries. Consequently, when an orphaned tombstone entry was passed to the tombstone_to_glue function, the Directory Server terminated unexpectedly. This update fixes the logic for getting ancestor tombstone entries and eliminates the chance to convert a tombstone entry into an orphaned entry. As a result, unexpected server termination no longer occurs in the aforementioned scenario.
- BZ#800215
- Previously, an internal loop was incorrectly handled in the code of the ldapcompare command. Consequently, performing concurrent comparison operations on virtual attributes caused the Directory Server to become unresponsive. This update fixes the internal loop issue. As a result, the server performs concurrent comparison operations without any issues.
- BZ#803930
- Previously, when upgrading 389 Directory Server, server startup had been initiated before the actual upgrade procedure finished. Consequently, the startup failed with the following error message:
ldif2dbm - _get_and_add_parent_rdns: Failed to convert DN cn=TESTRELM.COM to RDN
This update ensures that the server does not start before the upgrade procedure finishes. As a result, the server boots up successfully after the upgrade.
- BZ#811291
- Previously, the code of the range read operation did not correctly handle situations when an entry was deleted while a ranged search operation was being performed. Consequently, performing delete and ranged search operations concurrently under heavy loads caused the Directory Server to terminate unexpectedly. This update fixes the underlying source code to handle such situations correctly. As a result, the server does not terminate when performing delete and ranged search operations concurrently under heavy loads.
- BZ#813964
- When performing delete and search operations against 389 Directory Server under high load, the DB_MULTIPLE_NEXT pointer to the stack buffer could have been set to an invalid value. As a consequence, dereferencing the pointer led to an attempt to access memory that was not allocated for the stack buffer. This caused the server to terminate unexpectedly with a segmentation fault. With this update, the DB_MULTIPLE_NEXT pointer is now properly tested. If the pointer's value is invalid, the page or value is considered deleted and the stack buffer is reloaded. As a result, the segmentation fault no longer occurs in this scenario.
- BZ#815991
- The ldap_initialize() function is not thread-safe. Consequently, 389 Directory Server terminated unexpectedly during startup when using replication with many replication agreements. This update ensures that calls of the ldap_initialize() function are protected by a mutex. As a result, when using replication with many replication agreements, the server starts up correctly.
- BZ#819643
- Due to an error in the underlying source code, an attempt to rename an RDN (Relative Distinguished Name) string failed if the new string was identical except for the letter case of some characters. This update fixes the code so that it is possible to rename RDNs to the same string sequence with case differences.
- BZ#821542
- Previously, letter case information was ignored when renaming DN strings. Consequently, if the new string differed only in the case of some letters, the DN string was merely converted to lowercase and the case information was lost. This update modifies the underlying code so that it is now possible to rename RDNs to the same string sequence with case differences.
- BZ#822700
- Previously, the code for ACI handling did not reject incorrectly specified DNs. Consequently, incorrectly specified DNs in an ACI caused 389 Directory Server to terminate unexpectedly during startup or after an online import. This update ensures that the underlying source code for ACI handling rejects incorrectly specified DNs. As a result, the server does not terminate in this scenario.
- BZ#824014
- Previously, the code handling the “entryusn” attribute modified cache entries directly. Consequently, under heavy loads, the server terminated unexpectedly when performing delete and search operations using the “entryusn” and “memberof” attributes with referential integrity enabled. This update ensures that entries are never modified in the cache directly. As a result, the server performs searches under the previously described conditions without terminating unexpectedly.
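The IPv4-mapped IPv6 fix (BZ#788755) above comes down to normalizing ::ffff:a.b.c.d addresses to their embedded IPv4 address before listen addresses are compared. The following added example, written for this page and not taken from 389 Directory Server, shows that normalization with Python's ipaddress module over a constructed list of listener addresses; the listener list, the canonical and find_conflicts names and the reported output format are assumptions of the example, not server behaviour.

```python
"""Detect duplicate listen endpoints when IPv4-mapped IPv6 addresses are
mixed with plain IPv4 addresses.  Added illustration only, not code from
389 Directory Server; the listener list below is constructed sample data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of configured (address, port) listeners.
SAMPLE_LISTENERS = [
    ("192.0.2.10", 389),
    ("::ffff:192.0.2.10", 389),  # same endpoint, written as IPv4-mapped IPv6
    ("::ffff:c000:20a", 389),    # same again, hexadecimal IPv6 notation
    ("192.0.2.10", 636),         # same address, different port: no conflict
    ("2001:db8::1", 389),        # native IPv6, unrelated
]


def canonical(addr: str) -> str:
    """Return a comparison key for an address string.

    IPv4-mapped IPv6 addresses (::ffff:0:0/96) collapse to the embedded
    IPv4 address, so "::ffff:192.0.2.10" and "192.0.2.10" get the same key.
    Every other address is returned in its compressed canonical spelling,
    which also folds case and zero-padding differences in IPv6 literals.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def find_conflicts(
    listeners: List[Tuple[str, int]],
) -> Dict[Tuple[str, int], List[str]]:
    """Group listeners by (canonical address, port) and return the groups that
    contain more than one spelling of the same endpoint, which is the clash
    the server previously reported as an error at startup."""
    groups: Dict[Tuple[str, int], List[str]] = {}
    for addr, port in listeners:
        groups.setdefault((canonical(addr), port), []).append(addr)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (addr, port), names in find_conflicts(SAMPLE_LISTENERS).items():
        print(f"{addr}:{port} is configured {len(names)} times: {names}")
```

Comparing the string forms directly would treat all three spellings of 192.0.2.10 as distinct; comparing the canonical key treats them as one endpoint, which is what the fixed server does when it checks the IPv4 part of each mapped address against the plain IPv4 listeners.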
Enhancements
- BZ#683241
- Previously, post-operation plug-ins were executed after initial operation results had been returned to the LDAP client. Consequently, some results of the initial operation might not have been immediately available. This update introduces the "betxnpreoperation" and "betxnpostoperation" plug-in types. Plug-ins of these types run inside the regular transaction of initial operations. As a result, when these plug-in types are used, operations triggered by the initial operation complete before completion of the initial operation.
- BZ#766322
- Previously, there was no easy way to determine what default search base an LDAP client should use. Consequently, LDAP clients with no search base configured attempted to search against 389 Directory Server. This update adds a new attribute, defaultNamingContext, to the root DSE (Directory Server Entry). As a result, clients can query the root DSE for the value of the defaultNamingContext attribute and use the returned value as a search base.
- BZ#768086
- This update introduces the nsslapd-minssf-exclude-rootdse configuration attribute, with possible values "on" and "off". If its value is "off", which is the default, the server allows clients to access the root DSE even if the Security Strength Factor (SSF) value is less than the nsslapd-minssf attribute value. As a result, it is possible to allow access to the root DSE without using SSL/TLS even if the rest of the server requires SSL/TLS.
- BZ#768091
- Previously, the delete operation was not allowed for Managed Entry Config entries. Consequently, attempts to delete such entries were rejected with the following error message:
ldap_delete: Server is unwilling to perform (53) additional info: Not a valid operation.
This update modifies the underlying source code so that deletion of Managed Entry Config entries is allowed and can be performed successfully.
- BZ#781501
- Previously, extended user account information was not available to LDAP clients from 389 Directory Server. This update adds support for Account Usable Request Control, which enables LDAP clients to get the extended user account information.
- BZ#788760
- Previously, the logconv.pl script was only able to produce a summary of operations for a file or for a requested period. This update introduces the -m option for generation of per-second statistics, and the -M option for generation of per-minute statistics. The statistics are generated in CSV format suitable for further post-processing.
- BZ#790433
- Previously, all newly created entries had to be added to groups manually. This update adds a new plug-in which ensures automatic adding of each new entry to a group if it matches certain criteria.
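Two of the logconv.pl items above, the server-restart count (BZ#781500) and the per-second/per-minute CSV statistics (BZ#790433), are both straightforward passes over the access log. The following added example, written for this page rather than taken from logconv.pl or 389 Directory Server, does both in Python: it counts server starts by the "conn=1 fd=" marker the fixed script searches for, and it buckets operations by second or by minute and emits CSV. The log excerpt is constructed to follow the shape of an access log line and is not a real capture; the function names, the chosen CSV columns and the treatment of non-zero err= results as errors are assumptions of the example.

```python
"""Per-second / per-minute operation statistics and server-start detection
over a 389 Directory Server access log.  Added example for this page, not the
logconv.pl script itself; the log excerpt is constructed, not captured."""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample in the shape of an access log (not from a real server).
SAMPLE_ACCESS_LOG = """\
[16/May/2012:10:00:01 -0400] conn=1 fd=64 slot=64 connection from 192.0.2.5 to 192.0.2.1
[16/May/2012:10:00:01 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/May/2012:10:00:01 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/May/2012:10:00:02 -0400] conn=1 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[16/May/2012:10:00:02 -0400] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[16/May/2012:10:00:03 -0400] conn=1 op=2 UNBIND
[16/May/2012:10:00:03 -0400] conn=1 op=2 fd=64 closed - U1
[16/May/2012:10:00:59 -0400] conn=2 fd=65 slot=65 connection from 192.0.2.6 to 192.0.2.1
[16/May/2012:10:00:59 -0400] conn=2 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[16/May/2012:10:00:59 -0400] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[16/May/2012:10:01:10 -0400] conn=1 fd=64 slot=64 connection from 192.0.2.5 to 192.0.2.1
[16/May/2012:10:01:10 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/May/2012:10:01:10 -0400] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[16/May/2012:10:01:11 -0400] conn=1 op=1 MOD dn="uid=jdoe,ou=People,dc=example,dc=com"
[16/May/2012:10:01:11 -0400] conn=1 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=\d+ (?P<op>[A-Z]+)\b")
ERR_RE = re.compile(r"\berr=(\d+)\b")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Connection numbers begin again at 1 after each server start, so the line
# that opens connection 1 marks a start (the string the fixed script uses).
START_MARKER = "conn=1 fd="
COLUMNS = ("connections", "bind", "srch", "mod", "unbind", "errors")


def count_server_starts(log_text: str) -> int:
    """One server start per line that opens connection number 1."""
    return sum(1 for line in log_text.splitlines() if START_MARKER in line)


def time_bucket(ts: str, per_minute: bool) -> str:
    """Map an access-log timestamp to a sortable bucket key: truncated to the
    minute for -M style output, kept to the second for -m style output.  The
    UTC offset is dropped, which is fine for one server's log."""
    stamp = datetime.strptime(ts, TS_FORMAT)
    return stamp.strftime("%Y-%m-%d %H:%M" if per_minute else "%Y-%m-%d %H:%M:%S")


def operation_stats(log_text: str, per_minute: bool = True) -> Dict[str, Counter]:
    """Count new connections, each operation type, and RESULT lines with a
    non-zero err= code, per time bucket."""
    stats: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = time_bucket(m.group("ts"), per_minute)
        rest = m.group("rest")
        if rest.startswith("fd=") and "connection from" in rest:
            stats[key]["connections"] += 1
            continue
        op = OP_RE.match(rest)
        if not op:           # "fd=NN closed" lines and anything unrecognised
            continue
        if op.group("op") == "RESULT":
            err = ERR_RE.search(rest)
            if err and err.group(1) != "0":
                stats[key]["errors"] += 1
        else:
            stats[key][op.group("op").lower()] += 1
    return stats


def stats_to_csv(stats: Dict[str, Counter], columns: Tuple[str, ...] = COLUMNS) -> str:
    """Render the buckets as CSV, one row per bucket, oldest first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(("time",) + columns)
    for key in sorted(stats):  # ISO-like keys sort chronologically
        writer.writerow((key,) + tuple(stats[key][c] for c in columns))
    return buf.getvalue()


if __name__ == "__main__":
    print("server starts:", count_server_starts(SAMPLE_ACCESS_LOG))
    print(stats_to_csv(operation_stats(SAMPLE_ACCESS_LOG, per_minute=True)))
```

The restart marker illustrates why the old "conn=0 fd=" search gave wrong counts: a string that never appears at connection open time counts nothing, while "conn=1 fd=" appears exactly once per start. The err= column is what a practitioner would watch for in the per-minute output, since a burst of err=49 (invalid credentials) results in one bucket is the usual first sign of password guessing against the directory.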
5.2. abrt and libreport
Security Fixes
- CVE-2012-5659
- It was found that the /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not sufficiently sanitize its environment variables. This could lead to Python modules being loaded and run from non-standard directories (such as /tmp/). A local attacker could use this flaw to escalate their privileges to that of the abrt user.
- CVE-2012-5660
- A race condition was found in the way ABRT handled the directories used to store information about crashes. A local attacker with the privileges of the abrt user could use this flaw to perform a symbolic link attack, possibly allowing them to escalate their privileges to root.
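CVE-2012-5659 above is a case of a privileged helper trusting the environment it inherits: variables such as PYTHONPATH tell the interpreter where to look for modules, so an unsanitized environment lets the caller decide what code the helper loads. The following added example, written for this page and not taken from ABRT, shows the two defensive steps a launcher for such a helper would take in Python: build the child's environment from an allowlist, and check that the module search path holds only system directories. The KEEP set, SAFE_PATH value, TRUSTED_ROOTS prefixes and function names are assumptions of the example.

```python
"""Environment hygiene for a privileged Python helper.  Added illustration,
not ABRT's own fix; the policy values below are assumptions for the example."""
import os
import subprocess
import sys
from typing import Dict, Iterable, List, Sequence

# Allowlist: the only caller-supplied variables the helper may inherit.
# Nothing that influences code loading (PYTHON*, LD_*), user site
# directories (HOME) or command lookup (PATH) is on it.  (Assumed policy.)
KEEP = {"LANG", "LC_ALL", "TERM", "TZ"}
SAFE_PATH = "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
# Directories a privileged helper may import modules from.  (Assumed policy.)
TRUSTED_ROOTS = ("/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def sanitized_env(env: Dict[str, str]) -> Dict[str, str]:
    """Build a fresh environment from the allowlist rather than deleting
    known-bad names; a denylist misses the next variable nobody thought of."""
    clean = {name: value for name, value in env.items() if name in KEEP}
    clean["PATH"] = SAFE_PATH
    return clean


def risky_sys_path_entries(entries: Iterable[str]) -> List[str]:
    """Return module search path entries a privileged process should not
    trust: the empty string (Python's spelling of the current directory),
    relative paths, and anything outside the system library roots such as
    /tmp or a home directory's per-user site-packages."""
    return [e for e in entries if not any(e.startswith(r) for r in TRUSTED_ROOTS)]


def run_helper(argv: Sequence[str]) -> int:
    """Launch a helper script with a sanitized environment.  '-I' (isolated
    mode, Python 3.4+) makes the interpreter ignore PYTHON* variables and the
    user site directory as well, so a leaked variable still does nothing."""
    cmd = [sys.executable, "-I"] + list(argv)
    return subprocess.run(cmd, env=sanitized_env(dict(os.environ)), check=False).returncode


if __name__ == "__main__":
    print("risky entries in this interpreter's sys.path:", risky_sys_path_entries(sys.path))
```

On the Python 2 interpreter shipped with Red Hat Enterprise Linux 6 there is no -I; the equivalent is "-E -s" (ignore PYTHON* variables, skip the user site directory). The sys.path check is worth running from the helper itself at startup, because an allowlisted environment says nothing about what a .pth file or a writable site-packages directory has added to the search path.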
5.3. abrt, libreport, btparser, and python-meh
Security Fixes
- CVE-2012-1106
- If the C handler plug-in in ABRT was enabled (the abrt-addon-ccpp package installed and the abrt-ccpp service running), and the sysctl fs.suid_dumpable option was set to "2" (it is "0" by default), core dumps of set user ID (setuid) programs were created with insecure group ID permissions. This could allow local, unprivileged users to obtain sensitive information from the core dump files of setuid processes they would otherwise not be able to access.
- CVE-2011-4088
- ABRT did not allow users to easily search the collected crash information for sensitive data prior to submitting it. This could lead to users unintentionally exposing sensitive information via the submitted crash reports. This update adds functionality to search across all the collected data. Note that this fix does not apply to the default configuration, where reports are sent to Red Hat Customer Support. It only takes effect for users sending information to Red Hat Bugzilla.
Bug Fixes
- BZ#809587, BZ#745976
- When the ABRT GUI was used to report a bug using the menu button Report problem with ABRT, an empty bug was created. This update removes this button as it was only used for testing purposes.
- BZ#800828
- When a new dump directory was saved to /var/spool/abrt-upload/ via the reporter-upload utility, the ABRT daemon copied the dump directory to /var/spool/abrt/ and incremented the crash count, which had already been incremented before. Due to the crash count being incremented twice, the dump directory was marked as a duplicate of itself and removed. With this update, the crash count is no longer incremented for remotely uploaded dump directories, thus fixing the issue.
- BZ#747624
- The /usr/bin/abrt-cli utility was missing a man page. This update adds the abrt-cli(1) man page.
- BZ#796216
- Analyzing lines of a kernel oops caused the line variable to be freed twice. This update fixes this bug, and kernel oopses are now properly analyzed.
- BZ#770357
- Prior to this update, ABRT email notification via the mailx plug-in did not function properly due to a missing default configuration file for the mailx plug-in. This update adds a default configuration file for the mailx plug-in: /etc/libreport/plugins/mailx.conf.
- BZ#799352
- Starting the ABRT daemon resulted in an error if dbus was not installed on the system. This update removes the dbus dependency and the ABRT daemon can now be started even if dbus is not installed on the system.
- BZ#727494
- The previous version of ABRT silently allowed users to report the same problem to Bugzilla multiple times. This behavior is now changed, and users are warned if the report was already submitted. The maximum allowed size of email attachments and local logs was increased to 1 MB. This fixes the problem where longer reports were being lost when sent via email or stored locally using the logger plug-in.
- BZ#746727
- This update fixes a bug which caused the /tmp/anaconda-tb-* files to be sometimes recognized as a binary file and sometimes as a text file.
- BZ#771597
- ABRT 2.x has added various new daemons. However, not all of the added daemons were properly enabled during the transition from ABRT 1.x. With this update, all daemons are correctly started and updating from ABRT 1.x to ABRT 2.x works as expected.
- BZ#751068
- The abrt-cli package previously depended on the abrt-addon-python package. This prevented users from removing the abrt-addon-python package via Yum as the abrt-cli would be removed as well. With this update, a new “virtual” abrt-tui package has been added that pulls all the required packages in order to use ABRT on the command line, thus, resolving the aforementioned issue.
- BZ#749100
- Previously, some strings in the ABRT tools were not marked as translatable. This update fixes this issue.
- BZ#773242
- When ABRT attempted to move data, a misleading message was returned to the user informing that a copy of the dump was created. This update improves this message so that it is clear that ABRT does not copy data but moves it.
- BZ#811147
- When a backtrace contained a frame whose function arguments were too long, the backtrace printer in GDB truncated the arguments. The backtrace parser could not handle the truncated arguments and did not format them properly. With this update, the backtrace parser detects the truncated strings, indicating that the function arguments were truncated. The parser state then adapts to this situation and correctly parses the backtrace.
- BZ#823411
- A change in the Bugzilla API prevented the ABRT bugzilla plug-in from working correctly. This update resolves this issue by modifying the source code to work with the new Bugzilla API.
- BZ#758366
- This update fixes a typographical error in the commentary of various ABRT configuration files.
- BZ#625485
- The previous version of ABRT generated an invalid XML log file. This update fixes this and every non-ASCII character is now escaped.
- BZ#788577
- Unlike ABRT, python-meh was not including a list of environment variables in its problem reports. A list of environment variables is useful information for assignees of the created bug. With this update, code producing a list of environment variables and passing it to libreport was added to python-meh, and problem reports generated by python-meh now include lists of environment variables.
5.4. acroread
Security Fix
- CVE-2012-1530, CVE-2013-0601, CVE-2013-0602, CVE-2013-0603, CVE-2013-0604, CVE-2013-0605, CVE-2013-0606, CVE-2013-0607, CVE-2013-0608, CVE-2013-0609, CVE-2013-0610, CVE-2013-0611, CVE-2013-0612, CVE-2013-0613, CVE-2013-0614, CVE-2013-0615, CVE-2013-0616, CVE-2013-0617, CVE-2013-0618, CVE-2013-0619, CVE-2013-0620, CVE-2013-0621, CVE-2013-0623, CVE-2013-0626
- This update fixes several security flaws in Adobe Reader. These flaws are detailed in the Adobe Security bulletin APSB13-02. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.
5.5. alsa-utils
Bug Fix
- BZ#674199
- Prior to this update, the alsactl tool tried to initialize all sound cards if the /etc/asound.state file was not present. As a consequence, SELinux could deny access to non-existent devices. This update modifies the underlying code so that alsactl is called only once from udev.
Enhancement
- BZ#650113
- With this update, the alsa-delay and alsaloop utilities have been added to alsa-utils to manage the system audio delay.
5.6. anaconda
Bug Fixes
- BZ#690058
- Prior to this update, the noprobe argument in a kickstart file was not passed to the last known codepath. Consequently, the noprobe request was not properly honored by Anaconda. This update improves the code so that the argument is passed to the last known codepath. As a result, device drivers are loaded according to the device command in the kickstart file.
- BZ#691794
- Previously, an improper device file that provided access to an array as a whole was used to initialize the boot loader in a Device Mapper Multipath (DM-Multipath) environment. Consequently, the system was not bootable. Anaconda has been modified to enumerate all drives in an array and initialize the boot loader on each of them. As a result, the system now boots as expected.
- BZ#723404
- When performing a minimal installation from media without the use of a network, network devices did not have a working default network configuration. Consequently, bringing a network device up after reboot using the ifup command failed. This update sets the value of BOOTPROTO to dhcp in default network device configuration files. As a result, network devices can be activated successfully using the ifup command after reboot in the scenario described.
- BZ#727136
- When Anaconda places a PowerPC Reference Platform (PReP) boot partition on a different drive to the root partition, the system cannot boot. This update forces the PReP boot partition to be on the same drive as the root partition. As a result, the system boots as expected.
- BZ#734128
- Due to a regression, when installing on systems with pre-existing mirrored Logical Volumes (LV), the installer failed to properly detect the Logical Volume Management configuration containing mirrored logical volumes. Consequently, a mirrored logical volume created before installation was not shown and could not be used in kickstart. The code to handle mirrored logical volumes has been updated to make use of the udev information that changed due to a previous bug fix. As a result, mirrored logical volumes are correctly detected by the installer.
- BZ#736457
- On IBM System z architectures, z/VM guests with only one CPU allocated failed to read the Conversational Monitor System (CMS) configuration file used by the installation environment. Consequently, users of z/VM guests with a single CPU had to either pass all installation environment configuration values on the kernel boot line or supply the information at the interactive prompts as the installation environment booted up. This update improves the code to detect the number of guests after mounting the /proc file system. As a result, guests with one CPU can bring the boot device online so the CMS configuration file can be read and automated installations proceed as expected.
- BZ#738577
- The repo commands in kickstart files generated by Anaconda contained base installation repository information, but they should contain only additional repositories added either by the repo kickstart command or in the graphical user interface (GUI). Consequently, in media installations, the repo command generated for installation caused a failure when the kickstart file was used. With this update, Anaconda now generates repo commands only for additional repositories. As a result, kickstart will not fail for media installations.
- BZ#740870
- Manual installation on to BIOS RAID devices of level 0 or level 1 produced an Intel Media Storage Manager (IMSM) metadata read error in the installer. Consequently, users were not able to install to such devices. With this update, Anaconda properly detects BIOS RAID level 0 and level 1 IMSM metadata. As a result, users are able to install to these devices.
- BZ#746495
- The LiveCD environment was missing a legacy symlink to the devkit-disks utility. Consequently, the call that modified automounter behavior was never properly executed. The code has been updated to call the proper non-legacy binary. As a result, USB devices used during installation are no longer automounted.
- BZ#747219
- The console tty1 was put under control of Anaconda, but was not returned when Anaconda exited. Consequently, init did not have permission to modify tty1's settings to enable Ctrl+C functionality when Anaconda exited, which resulted in Ctrl+C not working when the installer prompted the user to press the Ctrl+C or Ctrl+Alt+Delete key combination after Anaconda terminated unexpectedly. Code returning tty1 control back to init was added to Anaconda. As a result, Ctrl+C now works as expected if the user is prompted to press it when Anaconda crashes.
- BZ#750126
- The Bash version used in the buildinstall script had a bug that influenced parsing of the =~ operator. This operator is used to check for the architecture when including files. Consequently, some binaries which provide the grub command were present on x86_64 versions of the installer, but were missing from i686 media. The Bash code has been modified to prevent this bug. As a result, the binaries are now also present on i686 media and users can use the grub command from installation media as expected.
- BZ#750417
- Due to bad ordering in the unmounting sequence, the dynamic linker failed to link libraries, which caused the mdadm utility not to work and to exit with the status code 127. This update fixes the ordering in the unmounting sequence and, as a result, the dynamic linker and mdadm now work correctly.
- BZ#750710
- There was no check to see if the file descriptors passed as stdout and stderr were distinct. Consequently, if the stdout and stderr descriptors were the same, using them both for writing resulted in overwriting, and the log file did not contain all of the lines expected. With this update, if the stdout and stderr descriptors are the same, only one of them is used for both stdout and stderr. As a result, the log file contains all lines from both stdout and stderr.
- BZ#753108
- When installing on a system with more than one disk with a PowerPC Reference Platform (PReP) partition present, the PReP partitions that should be left untouched were updated. This update corrects the problem so that PReP partitions other than the one used during installation are left untouched. As a result, old PReP partitions do not get updated.
- BZ#754031
- The kernel command line /proc/cmdline ends with \n but the installer only checked for \0. Consequently, the devel argument was not detected when it was the last argument on the command line, and the installation failed. This update improves the code to also check for \n. As a result, the devel argument is correctly parsed and installation proceeds as expected.
- BZ#756608
- Network installations on IBM System z check the nameserver address provided using the ping command. Environments restricting ICMP ECHO packets will cause this test to fail, halting the installation and asking the user whether or not the provided nameserver address is valid. Consequently, automated installations using kickstart will stop if this test fails. With this update, in the event that the ping test fails, the nslookup command is used to validate the provided nameserver address. If the nslookup test succeeds, then kickstart will continue with the installation. As a result, automated network installations on IBM System z in non-interactive mode will complete as expected in the scenario described.
- BZ#760250
- When configuring a system with multiple active network interfaces and the ksdevice=link command was present, the link specification was not used consistently for device activation and device configuration. Consequently, other network devices having link status were sometimes misconfigured using the settings targeted to the device activated by the installer. With this update, the code has been improved and now refers to the same device with link specification both in case of device activation and device configuration. As a result, when multiple devices with link status are present during installation, the ksdevice=link specification of the device to be activated and used by the installer does not cause misconfiguration of another device having link status.
- BZ#766902
- When configuring the network using the Anaconda GUI hostname screen, the keyboard shortcut for the Configure Network button was missing. This update adds the C keyboard shortcut. Network configuration can now be invoked using the Alt+C keyboard shortcut.
- BZ#767727
- The Ext2FS class in Anaconda has a maximum file size attribute correctly set to 8 TB, but Ext3FS and Ext4FS inherited this value without overriding it. Consequently, when attempting to create an ext3 or ext4 file system of a size greater than 8 TB the installer would not allow it. With this update, the installer's upper bound for new ext3 and ext4 filesystem size has been adjusted from 8 TB to 16 TB. As a result, the installer now allows creation of ext3 and ext4 filesystems up to 16 TB.
- BZ#769145
- The Anaconda dhcptimeout boot option was not working. NetworkManager used a DHCP transaction timeout of 45 seconds without the possibility of configuring a different value. Consequently, in certain cases NetworkManager failed to obtain a network address. NetworkManager has been extended to read the timeout parameter from a DHCP configuration file and use that instead of the default value. Anaconda has been updated to write out the dhcptimeout value to the interface configuration file used for installation. As a result, the boot option dhcptimeout works and NetworkManager now waits to obtain an address for the duration of the DHCP transaction period as specified in the DHCP client configuration file.
- BZ#783245
- Prior to this update, USB3 modules were not in the Anaconda install image. Consequently, USB3 devices were not detected by Anaconda during installation. This update adds the USB3 modules to the install image and USB3 devices are now detected during installation.
- BZ#783841
- When the kickstart clearpart command or the installer's automatic partitioning options to clear old data from the system's disks were used with complex storage devices such as logical volumes and software RAID, LVM tools caused the installation process to become unresponsive due to a deadlock. Consequently, the installer failed when trying to remove old metadata from complex storage devices. This update changes the LVM commands in the udev rules packaged with the installer to use a less restrictive method of locking, and the installer was changed to explicitly remove partitions from a disk instead of simply creating a new partition table on top of the old contents when it initializes a disk. As a result, LVM no longer hangs in the scenario described.
- BZ#785400
- The /usr/lib/anaconda/textw/netconfig_text.py file tried to import a module from the wrong location. Consequently, Anaconda failed to start and the following error message was generated:
No module named textw.netconfig_text
The code has been corrected and the error no longer occurs in the scenario described.
- BZ#788537
- Prior to this update, kickstart repository entries did not use the global proxy setting. Consequently, on networks restricted to use a proxy installation would terminate unexpectedly when attempting to connect to additional repository entries in a kickstart file if no proxy had been explicitly specified. This update changes the code to use the global proxy if an additional repository has no proxy set for it. As a result, the global proxy setting will be used and installation will proceed as expected in the scenario described.
- BZ#800388
- The kickstart pre and post installation scripts had no information about the proxy being used by Anaconda. As a consequence, programs such as wget and curl would not work properly in a pre-installation and post-installation script on networks restricted to using a proxy. This update sets the PROXY, PROXY_USER and PROXY_PASSWORD environment variables. As a result, pre and post installation scripts now have access to the proxy setting used by Anaconda.
- BZ#802397
- Using the --onbiosdisk=NUMBER option for the kickstart part command sometimes caused installation failures as Anaconda was not able to find the disk that matches the specified BIOS disk number. Users wishing to use BIOS disk numbering to control kickstart installations were not able to successfully install Red Hat Enterprise Linux. This update adjusts the comparison in Anaconda that matches the BIOS disk number to determine the Linux device name. As a result, users wishing to use BIOS disk numbering to control kickstart installations will now be able to successfully install Red Hat Enterprise Linux.
- BZ#805910
- Due to a regression, when running the system in Rescue mode with no or only uninitialized disks, the Anaconda storage subsystem did not check for the presence of a GUI before presenting the user with a list of options. Consequently, when the user selected continue the installer terminated unexpectedly with a traceback. This update adds a check for presence of the GUI and falls back to a TUI if there is none. As a result, the user is informed about the lack of usable disks in the scenario described.
- BZ#823810
- When using Anaconda with Qlogic qla4xxx devices in firmware boot mode and with iSCSI targets set up in BIOS (either enabled or disabled), the devices were exposed as iSCSI devices. But in this mode the devices cannot be handled with the iscsiadm and libiscsi tools used by the installer. Consequently, installation failed with a traceback during examination of storage devices by the installer. This update changes the installer to not try to manage iSCSI devices set up with qla4xxx firmware with iscsiadm or libiscsi. As a result, installation in an environment with iSCSI targets set up by qla4xxx devices in firmware mode finishes successfully.
Note
The firmware boot mode is turned on and off by the qla4xxx.ql4xdisablesysfsboot boot option. With this update, it is enabled by default.
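The stdout/stderr fix above (BZ#753108) is easy to reproduce and to check for. The following is an added example, not Anaconda's code: two handles opened separately on the same log file each keep their own file offset, so interleaved writes overwrite each other, and a fstat-based check (via `os.path.sameopenfile`) detects the situation so that one handle can serve both streams. The log lines are constructed for the example.

```python
"""Added example (not Anaconda's code): why two separately opened handles on
one log file lose lines, and the check that avoids it."""

import os
import tempfile

# Constructed interleaving of installer output: (stream name, line).
SAMPLE_OUTPUT = [
    ("stdout", "starting storage scan"),
    ("stderr", "warning: disk sdb has no partition table"),
    ("stdout", "storage scan complete"),
    ("stderr", "warning: no swap configured"),
]


def same_open_file(fd_a: int, fd_b: int) -> bool:
    """The missing check: do both descriptors refer to the same file on disk?
    os.path.sameopenfile compares device and inode numbers from fstat, so it
    also catches two independent open() calls on the same path."""
    return os.path.sameopenfile(fd_a, fd_b)


def write_log(dedupe: bool) -> list:
    """Write SAMPLE_OUTPUT through a 'stdout' handle and a 'stderr' handle that
    were opened separately on the same file and return the lines that end up
    on disk. dedupe=False reproduces the defect (each handle has its own
    offset, so later writes clobber earlier ones); dedupe=True routes both
    streams through a single handle, as the fix does."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "anaconda.log")
        out = open(path, "w")
        err = open(path, "w")          # second open: its own offset, also 0
        if dedupe and same_open_file(out.fileno(), err.fileno()):
            err.close()
            err = out                  # one handle, one shared offset
        streams = {"stdout": out, "stderr": err}
        for name, line in SAMPLE_OUTPUT:
            streams[name].write(line + "\n")
            streams[name].flush()      # hand each line to the kernel at once
        out.close()
        if err is not out:
            err.close()
        with open(path) as log:
            return log.read().splitlines()
```

With `dedupe=False` the four writes land at offsets 0, 0, 22 and 41 and the file ends up as one garbled line; with `dedupe=True` all four lines survive in order.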
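The /proc/cmdline fix above (BZ#756608) is a terminator-handling bug. The block below is an added example, not Anaconda's code: a substring scanner that accepts only space and NUL as argument terminators (the defect), the same scanner with newline added (the fix), and a whole-line parser that avoids the problem altogether. The command lines are constructed samples.

```python
"""Added example (not Anaconda's code): detecting a boot flag such as 'devel'
on a kernel command line that ends with '\\n', as /proc/cmdline does."""

# Constructed sample: the flag of interest is the LAST argument and is
# followed by the trailing newline that /proc/cmdline always carries.
SAMPLE_CMDLINE = b"BOOT_IMAGE=vmlinuz root=/dev/sda1 ro quiet devel\n"


def _scan(cmdline: bytes, flag: bytes, terminators: tuple) -> bool:
    """Find `flag` as a whole argument: it must start at offset 0 or after a
    terminator, and end at end-of-buffer or before a terminator."""
    i = 0
    while True:
        i = cmdline.find(flag, i)
        if i < 0:
            return False
        end = i + len(flag)
        starts_ok = i == 0 or cmdline[i - 1:i] in terminators
        ends_ok = end == len(cmdline) or cmdline[end:end + 1] in terminators
        if starts_ok and ends_ok:
            return True
        i = end


def has_flag_buggy(cmdline: bytes, flag: bytes) -> bool:
    """Mimics the original defect: only a space or NUL ends an argument, so a
    flag followed by the line's trailing '\\n' is never recognised."""
    return _scan(cmdline, flag, (b" ", b"\0"))


def has_flag(cmdline: bytes, flag: bytes) -> bool:
    """Fixed scanner: newline (and tab) also terminate an argument."""
    return _scan(cmdline, flag, (b" ", b"\t", b"\n", b"\0"))


def parse_cmdline(cmdline: bytes) -> dict:
    """Whole-line parse, the robust alternative to substring scanning: treat
    NUL as whitespace, split on any whitespace, and map key=value pairs to
    their values and bare flags to True."""
    args = {}
    for token in cmdline.replace(b"\0", b" ").split():
        key, sep, value = token.partition(b"=")
        args[key.decode("ascii", "replace")] = (
            value.decode("ascii", "replace") if sep else True
        )
    return args
```

`has_flag_buggy(SAMPLE_CMDLINE, b"devel")` returns False while `has_flag` returns True; both scanners still reject `development` as a match for `devel` because the whole-argument check is kept.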
Enhancements
- BZ#500273
- There was no support for binding of iSCSI connections to network interfaces, which is required for installations using multiple iSCSI connections to a target on a single subnet for Device Mapper Multipath (DM-Multipath) connectivity. Consequently, DM-Multipath connectivity could not be used on a single subnet as all devices used the default network interface. With this update, the Bind targets to network interfaces option has been added to the “Advanced Storage Options” dialog box. When turned on, targets discovered specifically for all active network interfaces are available for selection and login. For kickstart installations a new iscsi --iface option can be used to specify the network interface to which a target should be bound. Once interface binding is used, all iSCSI connections have to be bound, that is to say the --iface option has to be specified for all iscsi commands in kickstart. Network devices required for iSCSI connections can be activated either using the kickstart network command with the --activate option or in the graphical user interface (GUI) using the Configure Network button from the “Advanced Storage Options” dialog (“Connect Automatically” has to be checked when configuring the device so that the device is also activated in the installer). As a result, it is now possible to configure and use DM-Multipath connectivity for iSCSI devices using different network interfaces on a single subnet during installation.
- BZ#625697
- The curl command line tool was not in the install image file. Consequently, curl could not be used in the %pre section of kickstart. This update adds curl to the install image and curl can be used in the %pre section of kickstart.
- BZ#660686
- Support for installation using IP over InfiniBand (IPoIB) interfaces has been added. As a result, it is possible to install systems connected directly to an InfiniBand network using IPoIB network interfaces.
- BZ#663647
- Two new options were added to the kickstart volgroup command to specify initially unused space in megabytes or as a percentage of the total volume group size. These options are only valid for volume groups being created during installation. As a result, users can effectively reserve space in a new volume group for snapshots while still using the --grow option for logical volumes within the same volume group.
- BZ#671230
- The GPT disk label is now used for disks of size 2.2 TB and larger. As a result, Anaconda now allows installation to disks of size 2.2 TB and larger, but the installed system will not always boot properly on non-EFI systems. Disks of size 2.2 TB and larger may be used during the installation process, but only as data disks; they should not be used as bootable disks.
- BZ#705328
- When an interface configuration file is created by a configuration application such as Anaconda, NetworkManager generates the Universally Unique IDentifier (UUID) by hashing the existing configuration file name. Consequently, the same UUID was generated on multiple installed systems for a given network device name. With this update, a random UUID is generated by Anaconda for NetworkManager so that it does not have to generate the connection UUID by hashing the configuration file name. As a result, each network connection of all installed systems has different UUID.
- BZ#735791
- When IPv6 support is set to be disabled by the installer using the noipv6 boot option, or the network --noipv6 kickstart command, or by using the “Configure TCP/IP” screen of the loader Text User Interface (TUI), and no network device is configured for IPv6 during installation, the IPv6 kernel modules on the installed system will now be disabled.
- BZ#735857
- The ability to configure a VLAN discovery option for Fibre Channel over Ethernet (FCoE) devices added during installation using Anaconda's graphical user interface was required. All FCoE devices created in the Anaconda installer were configured to perform VLAN discovery using the fcoemon daemon by setting the AUTO_VLAN value of its configuration file to yes. A new “Use auto vlan” checkbox was added to the “Advanced Storage Options” dialog, which is invoked by the Add Advanced Target button in the “Advanced Storage Devices” screen. As a result, when adding an FCoE device in Anaconda, it is now possible to configure the VLAN discovery option of the device using the “Use auto vlan” checkbox in the “Advanced Storage Options” dialog. The value of the AUTO_VLAN option of the FCoE device configuration file /etc/fcoe/cfg-device is set accordingly.
- BZ#737097
- The lsscsi and sg3_utils were not present in the install image. Consequently, maintenance of Data Integrity Field (DIF) disks was not possible. This update adds the lsscsi and sg3_utils to the install image and now utilities to maintain DIF disks can be used during the installation.
- BZ#743784
- Anaconda creates FCoE configuration files under the /etc/fcoe/ directory using biosdevname, which is the new style interface naming scheme, for all the available Ethernet interfaces for FCoE BFS. However, it did not add the ifname kernel command line argument for an FCoE interface that stays offline after discovering FCoE targets during installation. Because of this, during the subsequent reboot the system tried to find the old style ethX interface name in /etc/fcoe/, which does not match the file created by Anaconda using biosdevname. Therefore, due to the missing FCoE config file, the FCoE interface is never created on this interface. Consequently, during FCoE BFS installation, when an Ethernet interface went offline after discovering the targets, FCoE links did not come up after reboot. This update adds dracut ip parameters for all FCoE interfaces including those that went offline during installation. As a result, FCoE interfaces disconnected during installation will be activated after reboot.
- BZ#744129
- Installations with the swap --recommended command in kickstart created a swap file of size 2 GB plus the installed RAM size regardless of the amount of RAM installed. Consequently, machines with a large amount of RAM had huge swap files prolonging the time before the oom_kill syscall was invoked even in malfunctioning cases. In this update, swap size calculations for swap --recommended were changed to meet the values recommended in the documentation https://access.redhat.com/site/solutions/15244 and the --hibernation option was added for the swap kickstart command and as the default in GUI/TUI installations. As a result, machines with a lot of RAM have a reasonable swap size now if swap --recommended is used. However, hibernation might not work with this configuration. If users want to use hibernation they should use swap --hibernation.
- BZ#755147
- If there are multiple Ethernet interfaces configured for FCoE boot, by default, only the primary interface is turned on and the other interfaces are not configured. This update sets the value ONBOOT=yes in the ifcfg configuration file during installation for all network interfaces used by FCoE. As a result, all network devices used for installation to FCoE storage devices are activated automatically after reboot.
- BZ#770486
- This update adds the Netcat (nc) networking utility to the install environment. Users can now use the nc program in Rescue mode.
- BZ#773545
- The virt-what shell script has been added to the install image. Users can now use the virt-what tool in kickstart.
- BZ#784327
- Firmware files were loaded only from RPM files in $prefix/lib/firmware paths on a Driver Update Disk (DUD). This update adds the $prefix/lib/firmware/updates directory to the path to be searched for firmware. RPM files containing firmware updates can now have firmware files in $prefix/lib/firmware/updates.
5.7. atlas
Bug Fix
- BZ#723350
- Previously, binary files from the base atlas package contained illegal instructions from an incompatible instruction set (3DNow!). As a consequence, an "Illegal instruction" error was displayed. This update disables usage of the instruction set.
5.8. audit
- The "auditctl" command now allows shell-escaped file names for better handling of file names with spaces in them.
- There is a new utility, auvirt, that extracts a report about the virtualization events.
- The auditd.conf configuration option, "tcp_max_per_addr", now allows up to 1024 concurrent connections from the same IP address. While this is not recommended for normal use, it helps in situations where a number of client systems are behind a NAT, which causes them to appear to have the same IP address.
Bug Fixes
- BZ#803349
- Previously, not enough information was parsed to determine whether audit records are part of the same event if the server's node name was longer than approximately 80 characters. With this update, the problem has been fixed.
- BZ#797848
- This update fixes a typo in the audit.rules(7) man page.
Enhancements
- BZ#658630
- Prior to this update, if the audit rules contained a typo or a rule that was not supported by the Linux kernel, auditctl either stopped processing the rules when the error was triggered or, with the ignore option, ignored all errors, loaded everything it could and still returned success. This update introduces the "-c" option to auditctl, which works like the ignore option but, instead of returning success, returns failure if any rule triggers an error. Note that like the ignore option, the "-c" option continues to process all audit rules.
- BZ#766920
- This release adds support for a new kernel auditing feature that allows for inter-field comparisons. For each audit event, the Linux kernel collects information about what is causing the event. Now, you can use the "-C" option to compare: "auid", "uid", "euid", "suid", "fsuid", or "obj_uid"; and "gid", "egid", "sgid", "fsgid", or "obj_gid". The two groups cannot be mixed. Comparisons can use either the equal or not equal operators. Note that for this enhancement to work, the system must boot the Linux 2.6.32-244 kernel or later.
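To make the "-C" inter-field comparison concrete from a detection point of view, here is an added example that is not part of the audit package: a small evaluator for the comparison expression that a rule such as `-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=setuid-exec` carries (the rule line is illustrative), run over constructed audit events. It enforces the constraint stated above that uid-type and gid-type fields cannot be mixed. The events are hand-built dictionaries, not real audit log output.

```python
"""Added example (not audit's own code): evaluate an auditctl '-C' inter-field
comparison over constructed audit events."""

# The two field groups the page lists; a comparison must stay inside one group.
UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid", "obj_uid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid", "obj_gid")


def parse_comparison(expr: str) -> tuple:
    """Parse the argument of -C, e.g. 'uid!=euid' -> ('uid', '!=', 'euid').
    Raises ValueError for an unknown field, a missing operator, or a
    comparison that mixes the uid and gid groups."""
    if "!=" in expr:
        left, op, right = expr.partition("!=")
    elif "=" in expr:
        left, op, right = expr.partition("=")
    else:
        raise ValueError(f"no comparison operator in {expr!r}")
    left, right = left.strip(), right.strip()
    for group in (UID_FIELDS, GID_FIELDS):
        if left in group and right in group:
            return left, op, right
    raise ValueError(f"{left!r} and {right!r} must both be uid fields or both gid fields")


def is_valid_comparison(expr: str) -> bool:
    """True if auditctl's constraints on -C would accept the expression."""
    try:
        parse_comparison(expr)
        return True
    except ValueError:
        return False


def event_matches(event: dict, comparison: tuple) -> bool:
    """Apply one parsed comparison to one event's collected fields."""
    left, op, right = comparison
    equal = event[left] == event[right]
    return equal if op == "=" else not equal


# Constructed events. 'setuid-exec' mimics an unprivileged user running a
# setuid-root binary: the effective uid no longer equals the real uid.
# 4294967295 is the unset auid value for processes started by no login.
SAMPLE_EVENTS = [
    {"id": "login-shell", "auid": 1000, "uid": 1000, "euid": 1000, "suid": 1000,
     "fsuid": 1000, "obj_uid": 1000, "gid": 1000, "egid": 1000, "sgid": 1000,
     "fsgid": 1000, "obj_gid": 1000},
    {"id": "setuid-exec", "auid": 1000, "uid": 1000, "euid": 0, "suid": 0,
     "fsuid": 0, "obj_uid": 0, "gid": 1000, "egid": 1000, "sgid": 1000,
     "fsgid": 1000, "obj_gid": 0},
    {"id": "root-cron", "auid": 4294967295, "uid": 0, "euid": 0, "suid": 0,
     "fsuid": 0, "obj_uid": 0, "gid": 0, "egid": 0, "sgid": 0, "fsgid": 0,
     "obj_gid": 0},
]


def select_events(events: list, expr: str) -> list:
    """IDs of the events that a rule carrying '-C <expr>' would record."""
    comparison = parse_comparison(expr)
    return [e["id"] for e in events if event_matches(e, comparison)]
```

`select_events(SAMPLE_EVENTS, "uid!=euid")` picks out only the setuid execution, which is the classic use of this comparison; `is_valid_comparison("uid=gid")` is False because the groups are mixed.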
5.9. augeas
Bug Fixes
- BZ#759311
- Previously, the "--autosave" option did not work correctly when using Augeas in batch mode, which meant that configuration changes were not saved. As a consequence, configuration changes could be saved only in interactive mode. This update ensures that the "--autosave" option functions in batch mode as expected.
- BZ#781690
- Prior to this update, when parsing GRUB configuration files, Augeas did not parse the "--encrypted" option of the "password" command correctly. Instead, it parsed the "--encrypted" part as the password, and the password hash as a second "menu.lst" filename. This update ensures that the "--encrypted" option of the password command is parsed correctly when parsing GRUB configuration files.
- BZ#820864
- Previously, Augeas was not able to parse the /etc/fstab file containing mount options with an equals sign but no value. This update fixes the fstab lens so that it can handle such mount options. As a result, Augeas can now parse an /etc/fstab file containing mount options with an equals sign but no value correctly.
Enhancements
- BZ#628507
- Previously, the finite-automata-DOT graph tool (fadot) did not support the -h option. Consequently, when fadot was launched with the -h option the "Unknown option" message was displayed. This update adds support for the -h option and ensures that a help message is displayed when fadot is launched with the option.
- BZ#808662
- Previously, Augeas did not have a lens to parse the /etc/mdadm.conf file. Consequently, the tool for conversion of physical servers to virtual guests, Virt-P2V, could not convert physical hosts on MD devices. This update adds a new lens to parse the /etc/mdadm.conf file, enabling Virt-P2V to convert physical hosts on MD devices as expected.
5.10. authconfig
Bug Fixes
- BZ#689717
- Prior to this update, SSSD configuration files failed to parse if the files were not correctly formatted. As a consequence, the authconfig utility could abort unexpectedly. With this update, the error is correctly handled, the configuration file is backed up, and a new file is created.
- BZ#708850
- Prior to this update, the man page "authconfig(8)" referred to non-existing obsolete configuration files. This update modifies the man page to point to configuration files that are currently modified by authconfig.
- BZ#749700
- Prior to this update, a deprecated "krb_kdcip" option was set instead of the "krb5_server" option when the SSSD configuration was updated. This update modifies the SSSD configuration setting to use the "krb5_server" option to set the Kerberos KDC server address.
- BZ#755975
- Prior to this update, the authconfig command always returned the exit value "1" when the "--savebackup" option was used, due to the handling of nonexistent configuration files on the system. With this update, the exit value is "0" if the configuration backup succeeds, even if some configuration files which can be handled by authconfig are not present on the system.
Enhancements
- BZ#731094
- Prior to this update, the authconfig utility did not support the SSSD configuration with the IPA backend. This update allows the system to join an IPAv2 domain via the ipa-client-install command.
- BZ#804615
- With this update, the nss_sss module is also used in the "services" entry of the nsswitch.conf file when configuring this file.
5.11. autofs
Bug Fix
- BZ#870929
- During the boot-up sequence, when the automount daemon was using an internal host map, automount terminated unexpectedly with a segmentation fault. This bug has been fixed and the crashes no longer occur in the described scenario.
Bug Fixes
- BZ#772946
- A recent change to correct a problem with included map entry removal introduced a new problem with included map key look-up. The condition used in the previous patch was too broad and the map key lookup mechanism failed to find keys in an included multi-mount map entry. The condition has been modified so that keys in multi-mount map entries are now found correctly.
- BZ#772356
- A function that checks the validity of a mount location was meant to check only for a small subset of map location errors. A recent modification to improve error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false-positive failures. With this update, the faulty logic test has been fixed and false-positive failures no longer occur.
- BZ#790674
- Previously, autofs submounts incorrectly handled shutdown synchronization and lock restrictions. As a consequence, automount could become unresponsive when submounts expired. With this update, the submount shuts down only after passing through the state ST_SHUTDOWN, ST_SHUTDOWN_PENDING, or ST_SHUTDOWN_FORCE, or when the state changes to ST_READY.
- BZ#753964
- Prior to this update, two IPv6 compatibility functions were erroneously not included in the autofs interface to the libtirpc library. This prevented the autofs IPv6 RPC code from working. With this update, the libtirpc interface code for autofs has been fixed.
- BZ#782169
- When using the legacy auto.net script for the hosts map, an error in the script for handling multiple occurrences of exports prevented the script from returning any of the exported paths. This bug has been fixed by modifying the script to select only a unique list of exports, thus eliminating duplicate exports.
- BZ#787595
- Due to changes to the mount.nfs utility to take advantage of the support for NFS mount options in the kernel, the RPC processing had moved from mount.nfs to the kernel. However, the kernel RPC had to wait for RPC requests to servers that were not available to time out, resulting in very slow interactive response when attempting an automount to a server that was not available. This update changes the autofs RPC code to detect this situation early and provide proper error messages as soon as possible.
- BZ#760945
- Previously, although the /net/ and /misc/ directories are exclusively used by the default /etc/auto.master utility, they were not specified in the autofs RPM package. As a result, the rpm utility reported them as not owned by any package. This update adds both these directories to the autofs spec file.
- BZ#745527
- Previously, the autofs init.d script failed to return proper usage messages if called with no arguments, or incorrect arguments. This bug has been fixed and the script now prints the usage information as expected.
Enhancement
- BZ#683523
- Initial support for the System Security Services Daemon (SSSD) as a map source has been added to the autofs package.
5.12. axis
Security Fix
- CVE-2012-5784
- Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
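The check that the Axis fix requires is worth seeing in code. The following is an added example and not Apache Axis code: a hostname matcher that consults the dNSName subjectAltName entries first and falls back to the subject CN only when the certificate carries no dNSName entry, with wildcards accepted only as a whole leftmost label (RFC 6125 rules). The certificates are constructed dictionaries in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; no real certificate is parsed.

```python
"""Added example (not Apache Axis code): match a TLS server's hostname against
the names a certificate was issued for, which is the check CVE-2012-5784 was
about. Certificates here are constructed getpeercert()-style dicts."""


def _matches_dns_pattern(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the requested hostname.
    A wildcard is accepted only as the entire leftmost label: '*.example.org'
    matches 'api.example.org' but neither 'example.org' nor 'a.b.example.org',
    and a pattern like '*.org' (too few labels) is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False            # wildcard is not a whole leftmost label
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True only if `cert` names `hostname`. dNSName SAN entries take
    precedence; the subject CN is consulted only when there is no dNSName at
    all. A certificate that is valid for some other name, however trusted its
    issuer, must not pass, which is exactly what the Axis flaw allowed."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_matches_dns_pattern(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _matches_dns_pattern(value, hostname)
    return False                # no usable name: do not trust


# Constructed certificates (getpeercert() shape), not real credentials.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.org")),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "Example"),), (("commonName", "mail.example.com"),)),
}
OTHER_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
```

Note that `SAN_CERT` does not match `ignored.example.com` even though that is its CN: once a dNSName entry is present the CN is out of the picture, which is the behaviour RFC 6125 prescribes and what a client needs if a CN-only check is to stop being a bypass.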
5.13. bacula
Bug Fixes
- BZ#728693
- Prior to this update, the logwatch tool did not check the "/var/log/bacula*" file. As a consequence, the logwatch report was incomplete. This update adds all log files to the logwatch configuration file. Now, the logwatch report is complete.
- BZ#728697
- Prior to this update, the bacula tool itself created the "/var/spool/bacula/log" file. As a consequence, this log file used an incorrect SELinux context. This update modifies the underlying code to create the /var/spool/bacula/log file in the bacula package. Now, this log file has the correct SELinux context.
- BZ#729008
- Prior to this update, the bacula packages were built without the CFLAGS variable "$RPM_OPT_FLAGS". As a consequence, the debug information was not generated. This update modifies the underlying code to build the packages with CFLAGS="$RPM_OPT_FLAGS". Now, the debug information is generated as expected.
- BZ#756803
- Prior to this update, the perl script which generates the my.conf file contained a misprint. As a consequence, the port variable was not set correctly. This update corrects the misprint. Now, the port variable is set as expected.
- BZ#802158
- Prior to this update, values for the "show pool" command were obtained from the "res->res_client" item. As a consequence, the output displayed incorrect job and file retention values. This update uses the "res->res_pool" item to obtain the correct values.
- BZ#862240
- Prior to this update, the bacula-storage-common utility wrongly removed alternatives for the bcopy function during the update. As a consequence, the link to bcop.{mysql,sqlite,postgresql} disappeared after updating. This update modifies the underlying code to remove these links directly in storage-{mysql,sqlite,postgresql} and not in bacula-storage-common.
5.14. bind-dyndb-ldap
Security Fix
- CVE-2012-3429
- A flaw was found in the way bind-dyndb-ldap performed the escaping of names from DNS requests for use in LDAP queries. A remote attacker able to send DNS queries to a named server that is configured to use bind-dyndb-ldap could use this flaw to cause named to exit unexpectedly with an assertion failure.
LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP databases. It features support for dynamic updates and internal caching that help to reduce the load on LDAP servers.
Bug Fixes
- BZ#751776
- The bind-dyndb-ldap plug-in refused to load an entire zone when it contained an invalid Resource Record (RR) with the same Fully Qualified Domain Name (FQDN) as the zone name (for example an MX record). With this update, the code for parsing Resource Records has been improved. If an invalid RR is encountered, an error message “Failed to parse RR entry” is logged and the zone continues to load successfully.
- BZ#767489
- When the first connection to an LDAP server failed, the bind-dyndb-ldap plug-in did not try to connect again. Consequently, users had to execute the "rndc reload" command to make the plug-in work. With this update, the plug-in periodically retries to connect to an LDAP server. As a result, user intervention is no longer required and the plug-in works as expected.
- BZ#767492
- When the zone_refresh period timed out and a zone was removed from the LDAP server, the plug-in continued to serve the removed zone. With this update, the plug-in no longer serves zones which have been deleted from LDAP when the zone_refresh parameter is set.
- BZ#789356
- When the named daemon received the rndc reload command or a SIGHUP signal and the plug-in failed to connect to an LDAP server, the plug-in caused named to terminate unexpectedly when it received a query which belonged to a zone previously handled by the plug-in. This has been fixed: the plug-in no longer serves its zones when the connection to LDAP fails during reload and no longer crashes in the scenario described.
- BZ#796206
- The plug-in terminated unexpectedly when named lost connection to an LDAP server for some time, then reconnected successfully, and some zones previously present had been removed from the LDAP server. The bug has been fixed and the plug-in no longer crashes in the scenario described.
- BZ#805871
- Certain string lengths were incorrectly set in the plug-in. Consequently, the Start of Authority (SOA) serial number and expiry time were incorrectly set for the forward zone during ipa-server installation. With this update, the code has been improved and the SOA serial number and expiry time are set as expected.
- BZ#811074
- When a Domain Name System (DNS) zone was managed by the bind-dyndb-ldap plug-in and a sub-domain was delegated to another DNS server, the plug-in did not put A or AAAA glue records in the “additional section” of a DNS answer. Consequently, the delegated sub-domain was not accessible by other DNS servers. With this update, the plug-in has been fixed and now returns A or AAAA glue records of a delegated sub-domain in the “additional section”. As a result, delegated zones are correctly resolvable in the scenario described.
- BZ#818933
- Previously, the bind-dyndb-ldap plug-in did not escape non-ASCII characters in incoming DNS queries correctly. Consequently, the plug-in failed to send answers for queries which contained non-ASCII characters such as “,”. The plug-in has been fixed and now correctly returns answers for queries with non-ASCII characters.
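Both the CVE-2012-3429 escaping flaw and the non-ASCII fix (BZ#818933 above) come down to one rule: a DNS name taken from a query must be escaped before it is placed in an LDAP search filter. The block below is an added example, not bind-dyndb-ldap code, showing RFC 4515 filter-value escaping (the five special characters plus every control or non-ASCII byte as `\xx` escapes of its UTF-8 bytes) together with a cheap syntactic sanity check. The attribute name `idnsName` is assumed from the plug-in's schema and is not stated on this page.

```python
"""Added example (not bind-dyndb-ldap code): escape a DNS name for use in an
LDAP search filter (RFC 4515) and sanity-check it first."""

import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape every character that could change the meaning of a filter.
    Printable ASCII passes through; the RFC 4515 specials and every control
    or non-ASCII character become \\xx hex escapes of their UTF-8 bytes, so a
    name such as 'ex\u00e4mple' still yields a syntactically valid filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
    return "".join(out)


# One hostname label: 1-63 chars, letters/digits/underscore/hyphen, no leading
# or trailing hyphen (underscore allowed for SRV-style names like _ldap._tcp).
_LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def looks_like_hostname(name: str) -> bool:
    """Cheap syntactic filter: hostname-shaped labels, at most 253 characters.
    DNS itself permits arbitrary bytes in a name, so this only rejects obvious
    garbage; escaping is still required for everything that passes."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def name_filter(dns_name: str) -> str:
    """Build the equality filter for one name, e.g. '(idnsName=www)'.
    The attribute name is an assumption for this example."""
    return f"(idnsName={escape_filter_value(dns_name)})"
```

The escaping is applied unconditionally; `looks_like_hostname` is a defence-in-depth gate a server can use to refuse clearly malformed names before spending an LDAP round trip on them, never a substitute for escaping.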
Enhancements
- BZ#733371
- The bind-dyndb-ldap plug-in now supports two new attributes, idnsAllowQuery and idnsAllowTransfer, which can be used to set ACLs for queries or transfers. Refer to /usr/share/doc/bind-dyndb-ldap/README for information on the attributes.
- BZ#754433
- The plug-in now supports the new zone attributes idnsForwarders and idnsForwardPolicy which can be used to configure forwarding. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
- BZ#766233
- The plug-in now supports zone transfers.
- BZ#767494
- The plug-in has a new option called sync_ptr that can be used to keep A and AAAA records and their PTR records synchronized. Refer to /usr/share/doc/bind-dyndb-ldap/README for a detailed description.
- BZ#795406
- It was not possible to store configuration for the plug-in in LDAP and configuration was only taken from the named.conf file. With this update, configuration information can be obtained from idnsConfigObject in LDAP. Note that options set in named.conf have lower priority than options set in LDAP. The priority will change in future updates. Refer to the README file for more details.
5.15. bind
Bug Fix
- BZ#838956
- Due to a race condition in the rbtdb.c source file, the named daemon could terminate unexpectedly with the INSIST error code. This bug has been fixed in the code and the named daemon no longer crashes in the described scenario.
Security Fix
- CVE-2012-5688
- A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
Security Fix
- CVE-2012-4244
- A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Security Fix
- CVE-2012-3817
- An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Bug Fix
- BZ#858273
- Previously, BIND rejected "forward" and "forwarders" statements in static-stub zones. Consequently, it was impossible to forward certain queries to specified servers. With this update, BIND accepts those options for static-stub zones properly, thus fixing this bug.
Security Fix
- CVE-2012-5166
- A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Bug Fixes
- BZ#734458
- When /etc/resolv.conf contained nameservers with disabled recursion, nslookup failed to resolve certain host names. With this update, a patch has been applied and nslookup now works as expected in the scenario described.
- BZ#739406
- Prior to this update, errors arising on automatic update of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits gracefully on shutdown.
- BZ#739410
- The multi-threaded named daemon uses the atomic operations feature to speed up access to shared data. This feature did not work correctly on 32-bit and 64-bit PowerPC architectures. Therefore, named sometimes became unresponsive on these architectures. This update disables the atomic operations feature on 32-bit and 64-bit PowerPC architectures, which ensures that named is now more stable and reliable and no longer hangs.
- BZ#746694
- Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and named could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
- BZ#759502
- The named daemon, configured as the master server, sometimes failed to transfer an uncompressible zone. The following error message was logged: "transfer of './IN': sending zone data: ran out of space". The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.
- BZ#759503
- During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. With this update, a patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
- BZ#768798
- Previously, the rndc.key file was generated during package installation by the "rndc-confgen -a" command, but this feature was removed in Red Hat Enterprise Linux 6.1 because users reported that installation of the bind package sometimes hung due to lack of entropy in /dev/random. The named initscript now generates rndc.key during service startup if it does not exist.
- BZ#786362
- After the "rndc reload" command was executed, named failed to update DNSSEC trust anchors and emitted the following message to the log: "managed-keys-zone ./IN: Failed to create fetch for DNSKEY update". This issue was fixed in the 9.8.2rc1 upstream version.
- BZ#789886
- Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
- BZ#795414
- The dynamic-db plug-ins were loaded too early, which caused the configuration in the named.conf file to override the configuration supplied by the plug-in. Consequently, named sometimes failed to start. With this update, named.conf is parsed before plug-in initialization and named now starts as expected.
- BZ#812900
- Previously, when the /var/named directory was mounted, the /etc/init.d/named initscript did not distinguish between situations when chroot configuration was enabled and when it was not. Consequently, when stopping the named service, the /var/named directory was always unmounted. The initscript has been fixed and now unmounts /var/named only when chroot configuration is enabled. As a result, /var/named stays mounted after the named service is stopped when chroot configuration is not enabled.
- BZ#816164
- Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine from the exit code whether an nslookup run was successful. The nslookup utility has been fixed and now returns "1" as the exit code when it fails to get an answer.
Enhancements
- BZ#735438
- By default, BIND returns resource records in round-robin order. The rrset-order option now supports fixed ordering. When this option is set, the resource records for each domain name are always returned in the order they are loaded from the zone file.
- BZ#788870
- Previously, named logged too many messages relating to external DNS queries. The severity of these messages has been decreased from "notice" to "debug" so that the system log is not flooded with mostly unnecessary information.
- BZ#790682
- The named daemon now uses portreserve to reserve the Remote Name Daemon Control (RNDC) port to avoid conflicts with other services.
5.16. binutils
Bug Fixes
- BZ#676194
- Previously, the GNU linker could terminate unexpectedly with a segmentation fault when attempting to link together object files of different architectures (for example, an object file of 32-bit Intel P6 with an object file of Intel 64). This update modifies binutils so that the linker now generates an error message and refuses to link object files in the scenario described.
- BZ#809616
- When generating build-ID hashes, the GNU linker previously allocated memory for BSS sections. Consequently, the linker could use more memory than was necessary. This update modifies the linker to skip BSS sections and thus avoid unnecessary memory usage when generating build-ID hashes.
Enhancements
- BZ#739444
- With this update, backported patches have been included to support new AMD processors. Also, a duplicate entry for the bextr instruction has been removed from the disassembler's table.
- BZ#739144
- The GNU linker has been modified in order to improve performance of Table of Contents (TOC) addressability and Procedure Linkage Table (PLT) call stubs on the PowerPC and PowerPC 64 architectures.
5.17. biosdevname
Bug Fix
- BZ#865446
- Previously, biosdevname did not handle PCI cards with multiple ports properly. Consequently, only the network interface of the first port of these cards was renamed according to the biosdevname naming scheme. This bug has been fixed and network interfaces of all ports of these cards are now renamed as expected.
5.18. brltty
Bug Fixes
- BZ#684526
- Previously, building the brltty package could fail with an "unpackaged files" error for the OCaml bindings. This happened only if the ocaml package was pre-installed in the build root. The "--disable-caml-bindings" option has been added to the %configure macro so that the package now builds correctly.
- BZ#809326
- Previously, the /usr/lib/libbrlapi.so symbolic link installed by the brlapi-devel package incorrectly pointed to ../../lib/libbrlapi.so. The link has been fixed to correctly point to ../../lib/libbrlapi.so.0.5.
5.19. busybox
Security Fixes
- CVE-2006-1168
- A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox.
- CVE-2011-2716
- The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages.
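The CVE-2011-2716 entry describes the general pattern: a DHCP option is stored and later re-parsed by a shell that trusts it. The script below is an added, constructed udhcpc event-script fragment, not code from busybox or from the Red Hat packages (which ship no such script). It assumes udhcpc has exported the server-supplied host name as the environment variable hostname before invoking the script; the function names and the "x; MARKER=injected" payload are made up for the demonstration. The payload only sets a marker variable, so the injection is visible without doing anything harmful.

```shell
#!/bin/sh
# Constructed udhcpc event-script fragment (example, not busybox code).
# Assumption: udhcpc places the DHCP host-name option in $hostname.

# Vulnerable pattern: the option value is spliced into a string that the shell
# parses a second time. A value of "x; MARKER=injected" runs a second command.
# Prints MARKER after the eval; "injected" means server-supplied text executed.
vulnerable_apply_hostname() {
    MARKER=clean
    eval "current_host=$1"
    echo "$MARKER"
}

# Hardened pattern: accept only host-name syntax (letters, digits, dots and
# hyphens; no empty label; no label starting or ending with a hyphen; at most
# 253 characters). Returns 0 for a valid name, 1 otherwise.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|*-|.*|*.|*..*|*.-*|*-.*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Prints "accepted" and sets current_host, or prints "rejected" and returns 1.
# The value is never re-parsed: it is used only as data in a plain assignment.
safe_apply_hostname() {
    if ! valid_hostname "$1"; then
        echo "rejected"
        return 1
    fi
    current_host="$1"
    echo "accepted"
}

# Typical use inside the event script (left as a comment so this file stays
# side-effect free when sourced):
#   case "$1" in
#       bound|renew) safe_apply_hostname "${hostname:-}" && hostname "$current_host" ;;
#   esac
```

The same discipline applies to every other option udhcpc exports (domain, router, dns): validate each against the grammar it is supposed to have and pass it to commands as a quoted argument, never through eval or an unquoted expansion.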
Bug Fixes
- BZ#751927
- Prior to this update, the "findfs" command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs.
- BZ#752134
- If the "grep" command was used with the "-F" and "-i" options at the same time, the "-i" option was ignored. As a consequence, the "grep -iF" command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the "-F" and "-i" options works as expected.
- BZ#782018
- Prior to this update, the msh shell did not support the "set -o pipefail" command. This update adds support for this command.
- BZ#809092
- Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario.
- BZ#752132
- Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur.
5.20. byacc
Bug Fix
- BZ#743343
- Byacc's maximum stack depth was reduced from 10000 to 500 between byacc releases. If deep enough else-if structures were present in source code being compiled with byacc, this could lead to out-of-memory conditions, resulting in YACC Stack Overflow and build failure. This updated release restores the maximum stack depth to its original value, 10000. Note: the underlying LR algorithm still imposes a hard limit on the number of parsable else-if statements. Restoring the maximum stack depth to its original value means source code with deep else-if structures that previously compiled against byacc will again do so.
5.21. c-ares
Bug Fixes
- BZ#730695
- Previously, when searching for AF_UNSPEC or AF_INET6 address families, the c-ares library fell back to the AF_INET family if no AF_INET6 addresses were found. Consequently, IPv4 addresses were returned even if only IPv6 addresses were requested. With this update, c-ares performs the fallback only when searching for AF_UNSPEC addresses.
- BZ#730693
- The ares_parse_a_reply() function leaked memory when the user attempted to parse an invalid reply. With this update, the allocated memory is freed properly and the memory leak no longer occurs.
- BZ#713133
- A switch statement inside the ares_malloc_data() public function was missing a terminating break statement. This could result in unpredictable behavior and sometimes the application terminated unexpectedly. This update adds the missing break statement and the ares_malloc_data() function now works as intended.
- BZ#695426
- When parsing SeRVice (SRV) record queries, c-ares was accessing memory incorrectly on architectures that require data to be aligned in memory. This caused the program to terminate unexpectedly with the SIGBUS signal. With this update, c-ares has been modified to access the memory correctly in the scenario described.
- BZ#640944
- Previously, the ares_gethostbyname manual page did not document the ARES_ENODATA error code as a valid and expected error code. With this update, the manual page has been modified accordingly.
5.22. cdrkit
Bug Fix
- BZ#797990
- Prior to this update, overlapping memory was handled incorrectly. As a consequence, newly created paths could be garbled when calling "genisoimage" with the "-graft-points" option to graft the paths at points other than the root directory. This update modifies the underlying code to generate graft paths as expected.
5.23. certmonger
Bug Fixes
- BZ#765599
- Prior to this update, one of the examples provided in the getting-started.txt file did not work as expected if the daemon was prevented from accessing files in user-specified locations, for example by the SELinux policy. With this update, this problem is now documented in the getting-started.txt file.
- BZ#765600
- Prior to this update, the certmonger daemon was not configured to start by default when the package was installed. This update enables the certmonger service by default.
- BZ#796542
- Prior to this update, the "getcert" command could, under certain circumstances, display the misleading error message "invalid option" when an option that required an argument was used without the argument. This update corrects the error code so that the correct message is now displayed.
Enhancement
- BZ#766167
- Prior to this update, newly added certificates were not automatically visible. To see these certificates, servers had to be manually restarted. This update adds the emission of D-Bus signals over the message bus to allow applications to perform the actions they need to use a new certificate. Also, the new "-C" option was added to invoke a user-specified command.
5.24. chkconfig
Bug Fixes
- BZ#696305
- When installing multiple Linux Standard Base (LSB) services which only had LSB headers, the stop priority of the related LSB init scripts could have been miscalculated and set to "-1". With this update, the LSB init script ordering mechanism has been fixed, and the stop priority of the LSB init scripts is now set correctly.
- BZ#706854
- When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd" command, the installation of the script could fail under certain circumstances. With this update, the underlying code has been modified to ignore this requirement because the "$local_fs" facility is always implicitly provided. LSB init scripts with requirements on "$local_fs" are now installed correctly.
- BZ#771454
- If an LSB init script contained "Required-Start" dependencies, but the LSB service installed was not configured to start in any runlevel, the dependencies could have been applied incorrectly. Consequently, the installation of the LSB service failed silently. With this update, chkconfig no longer strictly enforces "Required-Start" dependencies for installation if the service is not configured to start in any runlevel. LSB services are now installed as expected in this scenario.
- BZ#771741
- Previously, chkconfig did not handle dependencies between LSB init scripts correctly. Therefore, if an LSB service was enabled, LSB services that were depending on it could have been set up incorrectly. With this update, chkconfig has been modified to determine dependencies properly, and dependent LSB services are now set up as expected in this scenario.
5.25. cifs-utils
Security Fix
- CVE-2012-1586
- A file existence disclosure flaw was found in mount.cifs. If the tool was installed with the setuid bit set, a local attacker could use this flaw to determine the existence of files or directories in directories not accessible to the attacker.
Note
mount.cifs from the cifs-utils package distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.
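The note above is the kind of statement worth verifying on each host rather than trusting. The check below is an added example, not code from cifs-utils or Red Hat; it assumes the binary lives at /sbin/mount.cifs (a different path can be passed in), and the function names are made up for the example. It also includes the broader audit that catches a manually added setuid bit on any system binary.

```shell
#!/bin/sh
# Added check for the mount.cifs setuid note (example, not cifs-utils code).
# Assumption: mount.cifs is installed as /sbin/mount.cifs unless a path is given.

# Return 0 if PATH exists and carries the setuid bit, 1 otherwise (test -u is POSIX).
is_setuid() {
    [ -u "$1" ]
}

# Print one status line for PATH: "missing", "setuid" (the flaw is reachable by
# local users) or "ok". Exit status: 1 missing, 2 setuid, 0 ok.
check_mount_cifs() {
    path="${1:-/sbin/mount.cifs}"
    if [ ! -e "$path" ]; then
        echo "missing $path"
        return 1
    fi
    if is_setuid "$path"; then
        echo "setuid $path"
        return 2
    fi
    echo "ok $path"
    return 0
}

# Remediation: clear the bit in place (needs root on a real system). Root-run
# mounts keep working; only the unprivileged entry point is removed.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Broader audit: every setuid-root regular file under the usual system
# directories, so an accidental "chmod u+s" on mount.cifs or any other helper
# shows up. Defaults to /bin /sbin /usr/bin /usr/sbin when no paths are given.
list_setuid_root() {
    [ $# -eq 0 ] && set -- /bin /sbin /usr/bin /usr/sbin
    find "$@" -xdev -type f -perm -4000 -user root 2>/dev/null
}
```

Run check_mount_cifs on its own in a compliance script and fail the run on exit status 2; list_setuid_root is useful as a baseline to diff after package updates.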
Bug Fixes
- BZ#769923
- The mount.cifs(8) manual page was previously missing documentation for several mount options. With this update, the missing entries have been added to the manual page.
- BZ#770004
- Previously, the mount.cifs utility did not properly update the "/etc/mtab" system information file when remounting an existing CIFS mount. Consequently, mount.cifs created a duplicate entry of the existing mount entry. This update adds the del_mtab() function to cifs.mount, which ensures that the old mount entry is removed from "/etc/mtab" before adding the updated mount entry.
- BZ#796463
- The mount.cifs utility did not properly convert user and group names to numeric UIDs and GIDs. Therefore, when the "uid", "gid" or "cruid" mount options were specified with user or group names, CIFS shares were mounted with default values. This caused shares to be inaccessible to the intended users because the UID and GID are set to "0" by default. With this update, user and group names are properly converted so that CIFS shares are now mounted with the specified user and group ownership as expected.
- BZ#805490
- The cifs.upcall utility did not respect the "domain_realm" section in the "krb5.conf" file and worked only with the default domain. Consequently, an attempt to mount a CIFS share from a domain other than the default failed with the following error message: "mount error(126): Required key not available". This update modifies the underlying code so that cifs.upcall handles multiple Kerberos domains correctly, and CIFS shares can now be mounted as expected in a multi-domain environment.
Enhancements
- BZ#748756
- The cifs.upcall utility previously always used the "/etc/krb5.conf" file regardless of whether the user had specified a custom Kerberos configuration file. This update adds the "--krb5conf" option to cifs.upcall allowing the administrator to specify an alternate krb5.conf file. For more information on this option, refer to the cifs.upcall(8) manual page.
- BZ#748757
- The cifs.upcall utility did not optimally determine the correct service principal name (SPN) used for Kerberos authentication, which occasionally caused Kerberos authentication to fail when mounting a share from a server specified by its unqualified host name. This update improves cifs.upcall so that the method used to determine the SPN is now more versatile.
- BZ#806337
- This update adds the "backupuid" and "backupgid" mount options to the mount.cifs utility. When specified, these options grant a user or a group the right to access files with the backup intent. For more information on these options, refer to the mount.cifs(8) manual page.
5.26. cluster and gfs2-utils
Bug Fixes
- BZ#759603
- A race condition existed when a node lost contact with the quorum device at the same time as the token timeout period expired. The nodes raced to fence, which could lead to a cluster failure. To prevent the race condition from occurring, the cman and qdiskd interaction timer has been improved.
- BZ#750314
- Previously, a cluster partition and merge during startup fencing was not detected correctly. As a consequence, the DLM (Distributed Lock Manager) lockspace operations could become unresponsive. With this update, the partition and merge event is now detected and handled properly. DLM lockspace operations no longer become unresponsive in the described scenario.
- BZ#745538
- Multiple ping command examples on the qdisk(5) manual page did not include the -w option. If the ping command is run without this option, the action can time out. With this update, the -w option has been added to those ping commands.
- BZ#745161
- Due to a bug in libgfs2, sentinel directory entries were counted as if they were real entries. As a consequence, the mkfs.gfs2 utility created file systems which did not pass the fsck check when a large number of journal metadata blocks were required (for example, a file system with a block size of 512 and 9 or more journals). With this update, the directory entry count is no longer incremented for sentinel entries. GFS2 file systems created with large numbers of journal metadata blocks now pass the fsck check cleanly.
- When a node fails and gets fenced, the node is usually rebooted and joins the cluster with a fresh state. However, if a block occurs during the rejoin operation, the node cannot rejoin the cluster and the attempt fails during boot. Previously, in such a case, the cman init script did not revert actions that had happened during startup and some daemons could be erroneously left running on a node. The underlying source code has been modified so that the cman init script now performs a full rollback when errors are encountered. No daemons are left running unnecessarily in this scenario.
- BZ#804938
- The RELAX NG schema used to validate the cluster.conf file previously did not recognize the totem.miss_count_const constant as a valid option. As a consequence, users were not able to validate cluster.conf when this option was in use. This option is now recognized correctly by the RELAX NG schema, and the cluster.conf file can be validated as expected.
- BZ#819787
- The cmannotifyd daemon is often started after the cman utility, which means that cmannotifyd does not receive or dispatch any notifications on the current cluster status at startup. This update modifies the cman connection loop to generate a notification that the configuration and membership have changed.
- BZ#749864
- Incorrect use of the free() function in the gfs2_edit code could lead to memory leaks and so cause various problems. For example, when the user executed the "gfs2_edit savemeta" command, the gfs2_edit utility could become unresponsive or even terminate unexpectedly. This update applies multiple upstream patches so that the free() function is now used correctly and memory leaks no longer occur. With this update, save statistics for the "gfs2_edit savemeta" command are now reported more often so that users know that the process is still running when saving a large dinode with a huge amount of metadata.
- BZ#742595
- Previously, the gfs2_grow utility failed to expand a GFS2 file system if the file system contained only one resource group. This was because the old code, based on GFS1 (which had different fields), calculated distances between resource groups and did not work with only one resource group. This update adds the rgrp_size() function to libgfs2, which calculates the size of the resource group instead of determining its distance from the previous resource group. A file system with only one resource group can now be expanded successfully.
- Previously, the gfs2_edit utility printed unclear error messages when the underlying device did not contain a valid GFS2 file system, which could be confusing. With this update, users are provided with additional information in the aforementioned scenario.
- BZ#769400
- Previously, the mkfs utility provided users with insufficient error messages when creating a GFS2 file system. The messages also contained absolute build paths and source code references, which was unwanted. A patch has been applied to provide users with comprehensive error messages in the described scenario.
- BZ#753300
- The gfs_controld daemon ignored an error returned by the dlm_controld daemon for the dlmc_fs_register() function while mounting a file system. This resulted in a successful mount, but recovery of a GFS file system could not be coordinated using the Distributed Lock Manager (DLM). With this update, mounting a file system is not successful under these circumstances and an error message is returned instead.
Enhancements
- BZ#675723, BZ#803510
- The gfs2_convert utility can be used to convert a GFS1 file system to GFS2. However, gfs2_convert required the user to run the gfs_fsck utility prior to conversion, and because this tool is not included in Red Hat Enterprise Linux 6, users had to use Red Hat Enterprise Linux 5 to run it. With this update, the gfs2_fsck utility now allows users to perform a complete GFS1 to GFS2 conversion on Red Hat Enterprise Linux 6 systems.
- BZ#678372
- Cluster tuning using the qdiskd daemon and the device-mapper-multipath utility is a very complex operation, and it was previously easy to misconfigure qdiskd in this setup, which could consequently lead to cluster node failures. Input and output operations of the qdiskd daemon have been improved to automatically detect multipath-related timeouts without requiring manual configuration. Users can now easily deploy qdiskd with device-mapper-multipath.
- BZ#733298, BZ#740552
- Previously, the cman utility was not able to configure the Redundant Ring Protocol (RRP) correctly in corosync, resulting in RRP deployments not working properly. With this update, cman has been improved to configure RRP properly and to perform extra sanity checks on user configurations. It is now easier to deploy a cluster with RRP and the user is provided with more extensive error reports.
- BZ#745150
- With this update, Red Hat Enterprise Linux High Availability has been validated against the VMware vSphere 5.0 release.
- BZ#749228
- With this update, the fence_scsi fencing agent has been validated for use in a two-node cluster with High Availability LVM (HA-LVM).
5.27. cluster-glue
Bug Fixes
- BZ#758127
- Previously, the "LRMD_MAX_CHILDREN" environment variable set in the /etc/sysconfig/pacemaker file was not properly evaluated. As a result, the "max_child_count" variable in the Local Resource Management Daemon (lrmd) was not modified. With this update, the bug has been fixed so that the "LRMD_MAX_CHILDREN" environment variable is evaluated as expected.
- BZ#786746
- Previously, if Pacemaker attempted to cancel a recurring operation while the operation was being executed, the Local Resource Management Daemon (lrmd) did not cancel the operation correctly. As a result, the operation was not removed from the repeat list. With this update, an operation canceled during its execution is marked for removal from the repeat operation list, so that canceled recurring operations are never executed again.
5.28. clustermon
Bug Fixes
- BZ#742431
- Prior to this update, under certain circumstances, outgoing queues in inter-node communication of the modclusterd service could grow over time. To prevent this behavior, the inter-node communication is now better balanced and queues are restricted in size. Forced queue interventions are logged in the /var/log/clumond.log file.
- BZ#794907
- When the clustermon utility was used to get the cluster schema from the server, the schema was returned in an invalid format, preventing further processing. This bug has been fixed and clustermon now provides an exact copy of the schema in the described scenario.
5.29. cluster
Bug Fix
- BZ#878373
- Previously, the fenced daemon created its log file with insecure permissions. Although no sensitive data, such as passwords, user names, or IP addresses, was ever stored in the file, with this update log files are created with correct permissions. The permissions of an existing log file are also corrected automatically if necessary.
Bug Fix
- BZ#849049
- Previously, it was not possible to specify start-up options to the dlm_controld daemon. As a consequence, certain features were not working as expected. With this update, it is possible to use the /etc/sysconfig/cman configuration file to specify dlm_controld start-up options, thus fixing this bug.
Bug Fix
- BZ#982699
- Previously, the cman init script did not handle its lock file correctly. During a node reboot, this could have caused the node itself to be evicted from the cluster by other members. With this update, the cman init script now handles the lock file correctly, and no fencing action is taken by other nodes of the cluster.
5.30. conman
Enhancement
- BZ#738967
- Users are now able to configure the maximum number of open files. This allows the conman daemon to easily manage a large number of nodes.
5.31. control-center
Bug Fix
- BZ#771600
- Previous versions of the control-center package contained gnome-at-mobility, a script that requires a software component that is not distributed with Red Hat Enterprise Linux 6 nor is present in any of the available channels. With this update, the non-functional gnome-at-mobility script has been removed and is no longer distributed as part of the control-center package.
Enhancements
- BZ#524942
- The background configuration tool now uses the XDG Base Directory Specification to determine where to store its data file. By default, this file is located at ~/.config/gnome-control-center/backgrounds.xml. Users can change the ~/.config/ prefix by setting the XDG_DATA_HOME environment variable, or set the GNOMECC_USE_OLD_BG_PATH environment variable to 1 to restore the old behavior and use the ~/.gnome2/backgrounds.xml file.
- BZ#632680
- The control-center-extra package now includes a GNOME Control Center shell. This shell provides a user interface for launching the various Control Center utilities.
- BZ#769465, BZ#801363
- The GNOME Control Center now provides a configuration utility for Wacom graphics tablets, which replaces the wacompl utility.
5.32. coolkey
Bug Fixes
- BZ#700907
- Prior to this update, Coolkey did not recognize Spice virtualized CAC cards unless the card contained at least 3 certificates. This update fixes this issue so that cards with one or two certificates are recognized by Coolkey as expected. Note that this issue may also have affected some non-virtualized CAC cards.
- BZ#713132
- Under certain error conditions, Coolkey could leak memory data because a variable buffer was not being freed properly. With this update, the aforementioned buffer is properly freed, and memory leaks no longer occur.
5.33. coreutils
Bug Fixes
- BZ#772172
- The "pr -c [filename]" and "pr -v [filename]" commands, which show control and non-printing characters, caused the pr utility to terminate with a segmentation fault in multibyte locales. With this update, the underlying code has been modified and the pr utility now works as expected.
- BZ#771843
- The documentation of the "-Z" option of the ls command did not explain sufficiently that only the last format option is taken into consideration, so users did not understand why the "ls -Zl" and "ls -lZ" commands returned different output. With this update, the ls info documentation has been improved.
- BZ#769874
- The "tail --follow" command uses the inotify API to follow the changes in a file. However, inotify does not work on remote file systems and the tail utility should fall back to polling for files on such file systems. The remote file systems GPFS and FhGFS were missing from the remote file system list and therefore "tail --follow" did not display the updates to the file on these file systems. These file systems have been added to the remote file system list and the problem no longer occurs.
- BZ#751974
- If SELinux was enabled, the "ls -l" command leaked one string for each non-empty directory name specified on the command line. With this update, such strings are freed from the memory and the problem no longer occurs.
- BZ#754057
- The su utility could remain unresponsive if it ran a process that ignored the SIGCHLD signal. This happened because su uses the waitpid() function to wait for its child process: the waitpid() loop waited for the process to be in the stopped status, but a process masking SIGCHLD will never be in that status. With this update, the loop has been improved to handle this situation correctly and the problem no longer occurs.
- BZ#804604
- In a non-interactive tcsh shell, the colorls.csh script returned the following error: "tput: No value for $TERM and no -T specified". This happened because the tcsh shell did not short-circuit the evaluation of the logical AND in a colorls.csh expression. With this update, the check for an interactive shell has been modified and the script no longer returns the error message.
Enhancements
- BZ#766461
- In the default listing, the df utility showed long file system names, including UUID-based device names. Consequently, the columns following the file system names were pushed to the right, which made the df output hard to read. Because such long names are becoming more common, df now prints the referent of the symbolic link when a long file system name refers to a symbolic link and no file systems are specified on the command line.
- BZ#691466
- Previously, users could not clear the set-user-ID and set-group-ID bits on a directory with the chmod tool using an octal mode. This matches upstream behavior; however, because clearing the bits this way was possible in all previous Red Hat Enterprise Linux releases, backwards compatibility had to be preserved. Therefore, the chmod tool again allows the user to clear the special bits on directories using an octal mode, provided the octal mode is at least 5 digits long.
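The chmod behavior above is easy to get wrong in hardening scripts, because a "chmod 755" that visibly clears setgid on a file silently leaves it on a directory. The script below is an added demonstration, not code from coreutils or Red Hat; it works on a throwaway directory, and the function names are made up for the example. It assumes GNU chmod (coreutils) for the "kept" results noted in the comments; other implementations treat short octal modes differently, which is why the symbolic form is the portable choice.

```shell
#!/bin/sh
# Added demonstration of chmod's handling of setuid/setgid on directories
# (example, not coreutils code). Assumes GNU chmod for the "kept" cases.

# Print the symbolic permission string of PATH, e.g. "drwxr-sr-x".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if PATH has the setgid bit, 1 otherwise (test -g is POSIX).
has_setgid() {
    [ -g "$1" ]
}

# Create a fresh setgid directory, apply MODE to it, report whether the setgid
# bit survived ("kept" or "cleared"), and remove the directory again.
setgid_after_chmod() {
    mode="$1"
    d=$(mktemp -d)
    chmod g+s "$d"
    chmod "$mode" "$d"
    if has_setgid "$d"; then result=kept; else result=cleared; fi
    rmdir "$d"
    echo "$result"
}

# With GNU chmod on a directory:
#   setgid_after_chmod 755    -> kept     (3 digits: special bits of a
#   setgid_after_chmod 0755   -> kept      directory are left untouched)
#   setgid_after_chmod 00755  -> cleared  (5 digits: the leading zeros
#                                          explicitly mention the special bits)
#   setgid_after_chmod g-s    -> cleared  (symbolic modes work everywhere)

# Audit helper: list directories under ROOT that still carry setuid or setgid,
# which is what a "chmod -R 755" hardening pass fails to remove.
list_special_dirs() {
    find "$1" -xdev -type d \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
```

When writing remediation, prefer "chmod u-s,g-s" or a five-digit octal mode such as 00755, and re-run list_special_dirs afterwards to confirm nothing was skipped.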
5.34. corosync
Bug Fix
- BZ#849554
- Previously, the corosync-notifyd daemon, with dbus output enabled, waited 0.5 seconds each time a message was sent through dbus. Consequently, corosync-notifyd was extremely slow in producing output and memory of the Corosync server grew. In addition, when corosync-notifyd was killed, its memory was not freed. With this update, corosync-notifyd no longer slows down its operation with these half-second delays and Corosync now properly frees memory when an IPC client exits.
Bug Fixes
- BZ#741455
- The mainconfig module passed an incorrect string pointer to the function that opens the corosync log file. If the path to the file (in cluster.conf) contained a non-existing directory, an incorrect error message was returned stating that there was a configuration file error. The correct error message is now returned informing the user that the log file cannot be created.
- BZ#797192
- The coroipcc library did not delete temporary buffers used for Inter-Process Communication (IPC) connections that are stored in the /dev/shm shared-memory file system. The /dev/shm memory resources became fully used and caused a Denial of Service event. The library has been modified so that applications delete temporary buffers if the buffers were not deleted by the corosync server. The /dev/shm system is now no longer cluttered with needless data.
- BZ#758209
- The range condition for the update_aru() function could cause incorrect checking of message IDs. The corosync utility entered the "FAILED TO RECEIVE" state and failed to receive multicast packets. The range value in the update_aru() function is no longer checked and the check is now performed using the fail_to_recv_const constant.
- BZ#752159
- If the corosync-notifyd daemon was running for a long time, the corosync process consumed an excessive amount of memory. This happened because the corosync-notifyd daemon failed to indicate that the no-longer used corosync objects were removed, resulting in memory leaks. The corosync-notifyd daemon has been fixed and the corosync memory usage no longer increases if corosync-notifyd is running for long periods of time.
- BZ#743813
- When a large cluster was booted or multiple corosync instances started at the same time, the CPG (Closed Process Group) events were not sent to the user. Therefore, nodes were incorrectly detected as no longer available, or as leaving and re-joining the cluster. The CPG service now checks the exit code in such scenarios properly and the CPG events are sent to users as expected.
- BZ#743815
- The OpenAIS EVT (Eventing) service sometimes caused deadlocks in corosync between the timer and serialize locks. The order of locking has been modified and the bug has been fixed.
- BZ#743812
- When corosync became overloaded, IPC messages could be lost without any notification. This happened because some services did not handle the error code returned by the totem_mcast() function. Applications that use IPC now handle the inability to send IPC messages properly and try sending the messages again.
- BZ#747628
- If both the corosync and cman RPM packages were installed on one system, the RPM verification process failed. This happened because both packages own the same directory but apply different rights to it. Now, the RPM packages have the same rights and the RPM verification no longer fails.
- BZ#752951
- corosync consumed excessive memory because the result of the getaddrinfo() function was never released. The memory is now freed using the freeaddrinfo() function and getaddrinfo() no longer leaks memory.
- BZ#773720
- It was not possible to activate or deactivate debug logs at runtime due to memory corruption in the objdb structure. The debug logging can now be activated or deactivated on runtime, for example by the "corosync-objctl -w logging.debug=off" command.
Enhancement
- BZ#743810
- Each IPC connection used 48 KB of stack. Previously, multi-threaded applications with a reduced stack size did not work correctly, which resulted in excessive memory usage. Temporary memory for IPC connections is now allocated on the heap, so multi-threaded applications no longer need to adjust their stack size to accommodate IPC connections.
Bug Fix
- BZ#929100
- When running applications which used the Corosync IPC library, some messages in the dispatch() function were lost or duplicated. This update properly checks the return values of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and ensures that the IPC client is correctly informed about the real number of messages in the ring buffer. Now, messages in the dispatch() function are no longer lost or duplicated.
5.35. cpio
Bug Fix
- BZ#866467
- Previously, the cpio command was unable to split file names longer than 155 bytes into two parts during the archiving operation. Consequently, cpio could terminate unexpectedly with a segmentation fault. This bug has been fixed and cpio now handles long file names without any crashes.
Bug Fix
- BZ#746209
- Prior to this update, the options --to-stdout and --no-absolute-filenames were not listed in the cpio(1) manual page. This update includes the missing options and corrects several misprints.
5.36. cpuspeed
Bug Fixes
- BZ#642838
- Prior to this update, when the PCC driver was loaded, the “userspace” governor was used instead of the “ondemand” governor. This update modifies the init script to also check for the PCC driver.
- BZ#738463
- Prior to this update, the cpuspeed init script tried to set the cpufreq system files on a per-core basis, which is a deprecated procedure. This update sets the thresholds globally.
- BZ#616976
- Prior to this update, the cpuspeed tool did not reset MIN and MAX values, when the configuration file was emptied. As a consequence, the MIN_SPEED or MAX_SPEED values were not reset as expected. This update adds conditionals in the init script to check these values. Now, the MIN_SPEED or MAX_SPEED values are reset as expected.
- BZ#797055
- Prior to this update, the init script did not handle the IGNORE_NICE parameter as expected. As a consequence, "-n" was added to command options when the IGNORE_NICE parameter was set. This update modifies the init script to stop adding the NICE option when using the IGNORE_NICE parameter.
5.37. crash
Bug Fixes
- BZ#754291
- If the kernel was configured with the Completely Fair Scheduler (CFS) Group Scheduling feature enabled (CONFIG_FAIR_GROUP_SCHED=y), the "runq" command of the crash utility did not display all tasks in CPU run queues. This update modifies the crash utility so that all tasks in run queues are now displayed as expected. Also, the "-d" option has been added to the "runq" command, which provides the same debugging information as the /proc/sched_debug file.
- BZ#768189
- The "bt" command previously did not handle recursive non-maskable interrupts (NMIs) correctly on the Intel 64 and AMD64 architectures. As a consequence, the "bt" command could, under certain circumstances, display a task backtrace in an infinite loop. With this update, the crash utility has been modified to recognize a recursion in the NMI handler and prevent the infinite displaying of a backtrace.
- BZ#782837
- Under certain circumstances, the number of the "elf_prstatus" entries in the header of the compressed kdump core file could differ from the number of CPUs running when the system crashed. If such a core file was analyzed by the crash utility, crash terminated unexpectedly with a segmentation fault while displaying task backtraces. This update modifies the code so that the "bt" command now displays a backtrace as expected in this scenario.
- BZ#797229
- Recent changes in the code caused the crash utility to incorrectly recognize compressed kdump dump files for the 64-bit PowerPC architecture as dump files for the 32-bit PowerPC architecture. This caused the crash utility to fail during initialization. This update fixes the problem and the crash utility now recognizes and analyzes the compressed kdump dump files for the 32-bit and 64-bit PowerPC architectures as expected.
- BZ#817247
- The crash utility did not correctly handle situations when a user page was either swapped out or was not mapped on the IBM System z architecture. As a consequence, the "vm -p" command failed and either a read error occurred or an offset value of a swap device was set incorrectly. With this update, crash displays the correct offset value of the swap device or correctly indicates that the user page is not mapped.
- BZ#817248
- The crash utility did not correctly handle situations when the "bt -t" and "bt -T" commands were run on an active task on a live system on the IBM System z architecture. Consequently, the commands failed with the "bt: invalid/stale stack pointer for this task: 0" error message. This update modifies the source code so that the "bt -t" and "bt -T" commands execute as expected.
Enhancements
- BZ#736884
- With this update, crash now supports the "sadump" dump file format created by the Fujitsu Stand Alone Dump facility.
- BZ#738865
- The crash utility has been modified to fully support the "ELF kdump" and "compressed kdump" dump file formats for IBM System z.
- BZ#739096
- The makedumpfile facility can be used to filter out specific kernel data when creating a dump file, which can cause the crash utility to behave unpredictably. With this update, the crash utility now displays an early warning message if any part of the kernel has been erased or filtered out by makedumpfile.
5.38. crash-trace-command
Bug Fix
- BZ#729018
- Previously, the "trace.so" binary in the crash-trace-command package was compiled by the GCC compiler without the "-g" option. Therefore, no debugging information was included in its associated "trace.so.debug" file. This could affect a crash analysis performed by the Automatic Bug Reporting Tool (ABRT) and its retrace server. Also, proper debugging of crashes using the GDB utility was not possible under these circumstances. This update modifies the Makefile of crash-trace-command to compile the "trace.so" binary with the "RPM_OPT_FLAGS" flag, which ensures that the GCC's "-g" option is used during the compilation. Debugging and a crash analysis can now be performed as expected.
5.39. createrepo
Bug Fix
- BZ#623105
- Prior to this update, the shebang line of the modifyrepo.py script contained "#!/usr/bin/env python", so the system path was used to locate the Python executable. When another version of Python was installed on the system, and "/usr/local/python" was specified in the PATH environment variable, scripts did not work due to Python compatibility problems. With this update, the shebang line is modified to "#!/usr/bin/python", so that the system version of Python is always used.
5.40. cryptsetup-luks
Bug Fixes
- BZ#746648
- For some configurations, the cryptsetup utility incorrectly translated major:minor device pairs to device names in the /dev/ directory (for example, on HP Smart Array devices). With this update, the underlying source code has been modified to address this issue, and the cryptsetup utility now works as expected.
- BZ#755478
- If a device argument for the "cryptsetup status" command included a /dev/mapper/ prefix, the prefix was duplicated in the command's output. The output has been fixed and no longer includes duplicated strings.
5.41. ctdb
Bug Fix
- BZ#794888
- Prior to this update, the ctdb working directory, all its subdirectories and the files within them were created with incorrect SELinux contexts when the ctdb service was started. This update uses the post-install script to create the ctdb directory, and the command "/sbin/restorecon -R /var/ctdb" now sets the correct SELinux context.
5.42. cups
Bug Fix
- BZ#854472
- Previously, when no authentication was initially provided (or even requested), cups returned the "forbidden" status rather than the correct "unauthorized" status. Consequently, certain operations, such as attempts to move a job between queues using the web user interface, failed. An upstream patch has been provided to address this bug and cups now returns correct status in the described scenario.
Bug Fix
- BZ#873592
- Previously, with LDAP browsing enabled, one of the objects used for LDAP queries was freed twice, which caused the cupsd service to terminate unexpectedly with a segmentation fault. Additionally, names of browsed LDAP queues were truncated by a single character. Consequently, only one print queue was listed if multiple print queues with names varying only in the last character were defined. With this update, an upstream patch that resolves these problems has been back-ported, and the cupsd service no longer crashes and LDAP print queues are now displayed correctly.
Bug Fixes
- BZ#738410
- Prior to this update, the textonly filter did not always correctly generate output when a single copy was requested. The textonly filter generates output for a single or multiple copies by spooling the output for one copy into a temporary file, then sending the content of that temporary file as many times as required. However, if the filter was used for the MIME-type conversion rather than as a PostScript Printer Description (PPD) filter, and a single copy was requested, the temporary file was not created and the program failed with the "No such file or directory" message. With this update, the textonly filter has been modified to create a temporary file regardless of the number of copies specified. The data is now sent to the printer as expected.
- BZ#738914, BZ#740093
- Previously, empty jobs could be created using the "lp" command either by submitting an empty file to print (for example by executing "lp /dev/null") or by providing an empty file as standard input. In this way, a job was created but was never processed. With this update, creation of empty print jobs is not allowed, and the user is now informed that no file is in the request.
- BZ#806818
- The German translation for the search page template of the web interface contained an error that prevented the search feature from functioning correctly: attempting to search for a printer in the CUPS web interface failed, and an error message was displayed in the browser. The bug in the search template has been fixed, and the search feature in the German locale now works as expected in this scenario.
5.43. cvs
Bug Fixes
- BZ#671145
- Prior to this update, the C shell (csh) did not set the CVS_RSH environment variable to "ssh" and the remote shell (rsh) was used instead when the users accessed a remote CVS server. As a consequence, the connection was vulnerable to attacks because the remote shell is not encrypted or not necessarily enabled on every remote server. The cvs.csh script now uses valid csh syntax and the CVS_RSH environment variable is properly set at log-in.
- BZ#695719
- Prior to this update, the xinetd package was not a dependency of the cvs package. As a result, the CVS server was not accessible through network. With this update, the cvs-inetd package, which contains the CVS inetd configuration file, ensures that the xinetd package is installed as a dependency and the xinetd daemon is available on the system.
5.44. cyrus-sasl
Bug Fix
- BZ#878357
- Previously, the GSSAPI plug-in kept credential handles open the whole time a client was connected. These handles hold a pointer to a Kerberos replay cache structure. When the replay cache is a file, that structure includes an open file descriptor. When too many clients were using GSSAPI, the server could run out of file handles. Consequently, the client could become unresponsive until restarted. With this update, a GSSAPI credential handle is closed immediately after the plug-in gets the security context, thus preventing this bug.
5.45. dash
Bug Fix
- BZ#706147
- Prior to this update, the dash shell was not an allowed login shell. As a consequence, users could not log in using the dash shell. This update adds dash to the /etc/shells list of allowed login shells when the dash package is installed or upgraded, and removes it from the list when the package is uninstalled. Now, users can log in using the dash shell.
5.46. db4
Bug Fix
- BZ#784662
- The db4 spec file incorrectly stated that the "License" is simply "BSD", whereas it is in fact licensed under both the BSD and Sleepycat licenses, the latter of which differs from the Berkeley Software Distribution (BSD) license by including a redistribution clause. This update corrects the spec file so it correctly states that the db4 software is provided under the "Sleepycat and BSD" license.
Bug Fix
- BZ#1012586
- Due to an incorrect order of the mutex initialization calls, the rpm utility became unresponsive under certain circumstances, until it was terminated. With this update, the order of the mutex initialization calls has been revised. As a result, the rpm utility no longer becomes unresponsive.
5.47. dbus
Security Fix
- CVE-2012-3524
- It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus).
5.48. device-mapper-multipath
Bug Fix
- BZ#837594
- When a multipath vector (a dynamically allocated array) was resized to a smaller size, device-mapper-multipath did not reassign the pointer to the array. If the array location was changed by reducing its size, device-mapper-multipath corrupted its memory. With this update, device-mapper-multipath correctly reassigns the pointer in this scenario, and memory corruption no longer occurs.
Bug Fixes
- BZ#812832
- The multipathd daemon was not correctly stopping waiter threads during shutdown. The waiter threads could access freed memory and cause the daemon to terminate unexpectedly during shutdown. With this update, the multipathd daemon now correctly stops the waiter threads before they can access any freed memory and no longer crashes during shutdown.
- BZ#662433
- When Device Mapper Multipath was stopped, multipathd did not disable the queue_if_no_path option on multipath devices by default. When multipathd was stopped during shutdown, I/O of the device was added to the queue if all paths to a device were lost, and the shutdown process became unresponsive. With this update, multipathd now sets the queue_without_daemon option to no by default. As a result, all multipath devices stop queueing when multipathd is stopped and multipath now shuts down as expected.
- BZ#752989
- Device Mapper Multipath uses regular expressions in built-in device configurations to determine a multipath device so as to apply the correct configuration to the device. Previously, some regular expressions for resolving the device vendor name and product ID were not specific enough. As a consequence, some devices could be matched with incorrect device configurations. With this update, the product and vendor regular expressions have been modified so that all multipath devices are now configured properly.
- BZ#754586
- After renaming a device, there was a race condition between multipathd and udev to rename the new multipath device nodes. If udev renamed the device node first, multipathd removed the device created by udev and failed to create the new device node. With this update, multipathd immediately creates the new device nodes, and the race condition no longer occurs. As a result, the renamed device is now available as expected.
- BZ#769527
- Previously, the flush_on_last_del handling code did not implement handling of the queue feature properly. Consequently, even though the flush_on_last_del feature was activated, multipathd re-enabled queueing on multipath devices that could not be removed immediately after the last path device was deleted. With this update, the code has been fixed and when the user sets flush_on_last_del, their multipath devices correctly disable queueing, even if the devices cannot be closed immediately.
- BZ#796384
- Previously, Device Mapper Multipath used a fixed-size buffer to read the Virtual Device Identification page [0x83]. The buffer size was sometimes insufficient to accommodate the data sent by devices and the ALUA (Asymmetric Logical Unit Access) prioritizer failed. Device Mapper Multipath now dynamically allocates a buffer large enough for the Virtual Device Identification page and the ALUA prioritizer no longer fails in the scenario described.
- BZ#744210
- Previously, multipathd did not set the max_fds option by default, which sets the maximum number of file descriptors that multipathd can open. Also, the user_friendly_names setting could only be configured in the defaults section of /etc/multipath.conf. The user had to set max_fds manually and override the default user_friendly_names value in their device-specific configurations. With this update, multipath now sets max_fds to the system maximum by default, and user_friendly_names can be configured in the devices section of multipath.conf. Users no longer need to set max_fds for large setups, and they are able to select user_friendly_names per device type.
- BZ#744756
- Previously, to modify a built-in configuration, the vendor and product strings of the user's configuration had to be identical to the vendor and product strings of the built-in configuration. The vendor and product strings are regular expressions, and the user did not always know the correct vendor and product strings needed to modify a built-in configuration. With this update, the hwtable_regex_match option was added to the defaults section of multipath.conf. If it is set to yes, Multipath uses regular-expression matching to determine whether the user's vendor and product strings match the built-in device configuration strings: the user can use the actual vendor and product information from their hardware in their device configuration, and it will modify the default configuration for that device. The option is set to no by default.
- BZ#750132
- Previously, multipathd was using a deprecated Out-of-Memory (OOM) adjustment interface. Consequently, the daemon was not protected from the OOM killer properly; the OOM killer could kill the daemon when memory was low and the user was unable to restore failed paths. With this update, multipathd now uses the new Out-of-Memory adjustment interface and can no longer be killed by the Out-of-Memory killer.
- BZ#702222
- The multipath.conf file now contains a comment which informs the user that the configuration must be reloaded for any changes to take effect.
- BZ#751938
- The multipathd daemon incorrectly exited with code 1 when multipath -h (print usage) was run. With this update, the underlying code has been modified and multipathd now returns code 0 as expected in the scenario described.
- BZ#751039
- Some multipathd threads did not check if multipathd was shutting down before they started their execution. Consequently, the multipathd daemon could terminate unexpectedly with a segmentation fault on shutdown. With this update, the multipathd threads now check if multipathd is shutting down before triggering their execution, and multipathd no longer terminates with a segmentation fault on shutdown.
- BZ#467709
- The multipathd daemon did not have a failover method to handle switching of path groups when multiple nodes were using the same storage. Consequently, if one node lost access to the preferred paths to a logical unit, while the preferred path of the other node was preserved, multipathd could end up switching back and forth between path groups. This update adds the followover failback method to device-mapper-multipath. If the followover failback method is set, multipathd does not fail back to the preferred path group, unless it just came back online. When multiple nodes are using the same storage, a path failing on one machine now no longer causes the path groups to continually switch back and forth.
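As an added illustration (constructed for these notes, not a file shipped by device-mapper-multipath or Red Hat), the following /etc/multipath.conf fragment puts the options from the fixes above together: queue_without_daemon, max_fds and hwtable_regex_match in the defaults section, and user_friendly_names, failback followover and flush_on_last_del in a device-specific stanza. The vendor and product strings are placeholders; with hwtable_regex_match set to yes they can be the literal SCSI INQUIRY strings of the hardware (for example from /sys/block/<dev>/device/vendor and /sys/block/<dev>/device/model) rather than copies of the built-in regular expressions.

```conf
# Constructed example; not part of the device-mapper-multipath package.
defaults {
    user_friendly_names     yes
    # Stop queueing I/O when multipathd is stopped, so shutdown cannot hang
    # waiting for paths that will never return (BZ#662433). This is the new
    # default and is listed only to make the behaviour explicit.
    queue_without_daemon    no
    # Allow multipathd to open as many file descriptors as the system
    # permits; also the new default (BZ#744210).
    max_fds                 max
    # Match the vendor/product strings below against the built-in regular
    # expressions, so literal INQUIRY strings modify a built-in entry
    # instead of creating an unrelated one (BZ#744756; off by default).
    hwtable_regex_match     yes
}

devices {
    device {
        # Placeholder strings: replace with the values your hardware reports.
        vendor                 "EXAMPLE_VENDOR"
        product                "EXAMPLE_PRODUCT"
        # Per-device-type override, possible since BZ#744210.
        user_friendly_names    no
        # Storage shared by several nodes: fail back to the preferred path
        # group only when it has just come back online (BZ#467709).
        failback               followover
        # Disable queueing once the last path is deleted, even if the device
        # cannot be closed immediately (BZ#769527).
        flush_on_last_del      yes
        path_checker           tur
        dev_loss_tmo           infinity
        fast_io_fail_tmo       5
    }
}
```

After editing, the configuration must be reloaded before it takes effect, as the comment added by BZ#702222 reminds the user.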
Enhancements
- BZ#737051
- The NetApp brand name has been added to the documentation about the RDAC (Redundant Disk Array Controller) checker and prioritizer.
- BZ#788963
- The built-in device configuration for Fujitsu ETERNUS has been added.
- BZ#760852
- If the multipath checker configuration was set to tur, the checks were not performed asynchronously. If a device failed and the checker was waiting for the SCSI layer to fail back, the checks on other paths were kept waiting. The checker has been rewritten so as to check the paths asynchronously, and the path checking on other paths continues as expected.
- BZ#799908
- A built-in configuration for IBM XIV Storage System has been added.
- BZ#799842
- The NetApp LUN built-in configuration now uses the tur path checker by default. Also, flush_on_last_del has been enabled, dev_loss_tmo has been set to infinity, fast_io_fail_tmo has been set to 5, and pg_init_retries has been set to 50.
5.49. dhcp
Security Fixes
- CVE-2012-3571
- A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.
- CVE-2012-3954
- Two memory leak flaws were found in the dhcpd daemon. A remote attacker could use these flaws to cause dhcpd to exhaust all available memory by sending a large number of DHCP requests.
Bug Fixes
- BZ#656339
- Previously, when dhclient was unsuccessful in obtaining or renewing an address, it restored the resolv.conf file from backup even when there were other dhclient processes running. Consequently, network traffic could be unnecessarily interrupted. The bug in dhclient-script has been fixed and dhclient now restores resolv.conf from backup only if there are no other dhclient processes running.
- BZ#747017
- A bug caused an infinite loop in a dhcpd process when dhcpd tried to parse the slp-service-scope option in dhcpd.conf. As a consequence, dhcpd entered an infinite loop on startup consuming 100% of the CPU cycles. This update improves the code and the problem no longer occurs.
- BZ#752116
- Previously, the DHCPv4 client did not check whether the address received in a DHCPACK message was already in use. As a consequence, it was possible that after a reboot two clients could have the same, conflicting, IP address. With this update, the bug has been fixed and the DHCPv4 client now performs duplicate address detection (DAD) and sends a DHCPDECLINE message if the address received in DHCPACK is already in use, as per RFC 2131.
- BZ#756759
- When dhclient is invoked with the "-1" command-line option, it should try to get a lease once and, on failure, exit with status code 2. Previously, when dhclient was invoked with the "-1" command-line option and then issued a DHCPDECLINE message, it continued trying to obtain a lease. With this update, the dhclient code has been fixed. As a result, dhclient stops trying to obtain a lease and exits after sending DHCPDECLINE when started with the "-1" option.
- BZ#789719
- Previously, dhclient kept sending DHCPDISCOVER messages in an infinite loop when started with the "-timeout" option having a value of 3 or less (seconds). With this update, the problem has been fixed and the "-timeout" option works as expected with all values.
Enhancements
- BZ#790686
- The DHCP server daemon now uses portreserve for reserving ports 647 and 847 to prevent other programs from occupying them.
- BZ#798735
- All DHCPv6 options defined in RFC5970, except for the Boot File Parameters Option, were implemented. This allows the DHCPv6 server to pass boot file URLs back to IPv6-based netbooting clients (UEFI) based on the system's architecture.
5.50. ding-libs
Bug Fixes
- BZ#736074
- Prior to this update, memory could become corrupted if the initial table size exceeded 1024 buckets. This update modifies libdhash so that large initial table sizes now correctly allocate memory.
- BZ#801393
- Prior to this update, if the combination of two strings concatenated by the path_concat() function exceeded the size of the destination buffer, the buffer was filled and the null terminator was written one character past the allocated size. This update modifies the underlying code so that the null terminator is no longer added after the end of the buffer.
5.51. dmraid
Bug Fixes
- BZ#729971
- Prior to this update, a grub installation failed silently on a dmraid mirror because the device geometry of RAID sets was not set properly. Consequently, the set partition's MBR failed to be created and the partition failed to boot. With this update, the underlying code has been modified and the geometry on dmraid devices is set up correctly.
- BZ#729032
- The dmraid binary was compiled without gcc's -g option and the debuginfo file did not contain the ".debug_info" section. Consequently, it was not possible to generate debugging information and debug dmraid properly. With this update, the binary has been compiled with the proper debugging options and the problem no longer occurs.
- BZ#701501
- When the dmraid tool was accessing a 4 KB sector or smaller, it returned a misleading error message. With this update, the library function that checks the device size has been modified and the error message is no longer displayed under these circumstances.
5.52. dnsmasq
Enhancement
- BZ#794792
- A new subpackage, dnsmasq-utils, has been added. The dnsmasq-utils subpackage contains the dhcp_lease_time and dhcp_release utilities, which serve to query and remove DHCP server leases using the standard DHCP protocol.
5.53. docbook-utils
Bug Fixes
- BZ#639866
- Prior to this update, the Perl script used for generating manpages contained a misprint in the header. As a consequence, the header syntax of all manual pages that docbook-utils built was wrong. This update corrects the script. Now the manual page headers have the right syntax.
5.54. dracut
Bug Fix
- BZ#860351
- If the "/boot/" directory was not on a separate file system, dracut called the sha512hmac utility with a file name prefixed with "/sysroot/boot". Consequently, sha512hmac searched for the file checksum in "/boot/", returned errors, and dracut considered the FIPS check to have failed. Eventually, a kernel panic occurred. With this update, dracut uses a symlink linking "/boot" to "/sysroot/boot", sha512hmac can now access files in "/boot/", and FIPS checks now pass, allowing the system to boot properly in the described scenario.
Bug Fix
- BZ#839296
- Previously, the default mount command for the proc file system used during boot was "mount -t proc -o nosuid,noexec,nodev proc /proc". This caused device nodes in the proc file system to be inaccessible to certain kernel drivers. With this update, the command has been changed back to the previously used "mount -t proc proc /proc", so that the proc file system can be successfully accessed by kernel drivers.
Bug Fixes
- BZ#788119
- Previously, if a dracut module did not contain an "install" file, dracut could not execute the "installkernel" command. Consequently, the dracut fips-aesni module could not be included in the initramfs image. Now, "installkernel" can be correctly executed in the described scenario, thus fixing this bug.
- BZ#761584
- Previously, dracut failed to start up a degraded RAID array, resulting in a non-booting system. With this update, dracut uses the rd_retry kernel command-line parameter value and after rd_retry/2 seconds attempts to force the array to start, thus fixing this bug.
- BZ#747840
- During boot-up, dracut called the "udevadm settle" command several times. As a result, inconsequential messages about the command timeout were sometimes returned, creating clutter in the console output. This update fixes the bug and the messages are no longer returned in the described scenario.
- BZ#735529
- Occasionally, dracut attempted to assemble an array before all disks were available. As a result, dracut started the array in degraded mode or failed altogether. This bug has been fixed and dracut now forces degraded arrays to start only after a period of time controlled by the rd_retry kernel command-line parameter.
- BZ#714039
- The dracut package depended on the vconfig package although vconfig is not used by dracut. This update removes the dependency on vconfig.
- BZ#794863
- Previously, if a network interface was brought up, dracut waited for two seconds to detect that the link was up. For certain network cards, two seconds is not long enough. Consequently, the network was not properly set up and the system could not boot. Now, dracut waits for ten seconds, thus fixing this bug.
- BZ#752584
- Dracut did not set the broadcast address for network interfaces it started up, resulting in a 0.0.0.0 broadcast address. This bug has been fixed and the default broadcast address is now set properly on startup.
- BZ#703164
- The FILES section of the dracut man page has been amended to fix inaccurate content.
- BZ#752073
- If the user adds multiple "console=[tty]" parameters on the kernel command line, the last parameter specifies the primary console. Previously, dracut failed to initialize this console and instead initialized /dev/tty0 unconditionally. This bug has been fixed and dracut now initializes the correct console in the described scenario.
- BZ#788618
- When no user name and password were specified in an iSCSI interface, dracut reused the login information from a previous iSCSI parameter. Consequently, the authentication failed and the system did not boot up. This update fixes the bug.
Enhancements
- BZ#722879
- Previously, it was not possible to exclude a kernel driver from the initramfs image to reduce its size. This update introduces the "--omit-driver" option to provide this functionality.
- BZ#752005
- The "lsinitrd" command has been enhanced to support initramfs images compressed by the LZMA algorithm.
5.55. dropwatch
Bug Fix
- BZ#725464
- Prior to this update, the dropwatch utility could become unresponsive because it was waiting for a deactivation acknowledgement to be issued by an already deactivated or stopped service. With this update, dropwatch detects an attempt to deactivate/stop an already deactivated/stopped service and no longer hangs.
Bug Fix
- BZ#684713
- Previously, the dropwatch utility could terminate unexpectedly with a segmentation fault. The failure was caused by a double-free error which occurred while issuing the start and stop messages. This update removes the freeing function calls from the underlying code, which prevents the dropwatch utility from crashing.
5.56. dvd+rw-tools
Bug Fix
- BZ#807474
- Prior to this update, the growisofs utility wrote chunks of 32KB and reported an error during the last chunk when burning ISO image files that were not aligned to 32KB. This update allows the written chunk to be smaller than a multiple of 16 blocks.
5.57. e2fsprogs
Bug Fixes
- BZ#786021
- Prior to this update, checksums for backup group descriptors appeared to be wrong when the "e2fsck -b" option read these group descriptors and cleared UNINIT flags to ensure that all inodes were scanned. As a consequence, warning messages were sent during the process. This update recomputes checksums after the flags are changed. Now, "e2fsck -b" completes without these checksum warnings.
- BZ#795846
- Prior to this update, e2fsck could discard valid inodes when using the "-E discard" option. As a consequence, the file system could become corrupted. This update modifies the underlying code so that disk regions containing valid inodes are no longer discarded.
5.58. efibootmgr
Bug Fix
- BZ#715216
- A Coverity Scan analysis discovered a memory allocation whose result was not checked for errors. With this update, the allocation is checked for errors, thus fixing the bug.
5.59. elinks
Security Fix
- CVE-2012-4545
- It was found that ELinks performed client credentials delegation during the client-to-server GSS security mechanisms negotiation. A rogue server could use this flaw to obtain the client's credentials and impersonate that client to other servers that are using GSSAPI.
5.60. espeak
Bug Fix
- BZ#789997
- Previously, eSpeak manipulated the system sound volume. As a consequence, eSpeak could set the sound volume to maximum regardless of the amplitude specified. The sound volume management code has been removed from eSpeak, and now only PulseAudio manages the sound volume.
5.61. expect
Bug Fixes
- BZ#674866
- Prior to this update, the expect(1) manual page was not formatted properly. As a result, the content of the manual page was not readable. The formatting has been corrected to ensure easy readability.
- BZ#735962
- Prior to this update, the passmass script did not call the "su" binary with the full path (/bin/su). The passmass script has been modified to call "/bin/su" rather than "su", which is more secure because the binary executed no longer depends on the caller's PATH.
- BZ#742911
- Due to incorrect character matching, applications created by the autoexpect utility could terminate unexpectedly with a segmentation fault. With this update, the number of characters is matched correctly and applications created by autoexpect run successfully.
- BZ#782859
- Previously, the expect-devel subpackage contained a symbolic link to the expect library, which led to an unnecessary dependency. With this update, the link is located in the expect package.
5.62. fcoe-target-utils
Bug Fixes
- BZ#752699
- Prior to this update, starting targetadmin without the fcoe-target utility could cause the following output:
OSError: [Errno 2] No such file or directory: '/sys/kernel/config/target
This update modifies the underlying code so that now a warning message is displayed if targetcli is invoked without running the fcoe-target service.
- BZ#813664
- Prior to this update, fcoe-target-utils used the executable name "targetadmin" which did not reflect the current name in the upstream version. This update changes the name to "targetcli", to match the upstream version.
- BZ#815981
- Prior to this update, the configuration state was saved to "tcm_start.sh", and the fcoe-target init script restored the state from this file when the fcoe-target service was started. For increased reliability, this update uses a new method to save and restore fcoe-target configuration; it is now saved to "/etc/target/saveconfig.json".
Enhancement
- BZ#750277
- Prior to this update, the fcoe-target-utils packages for the Fibre Channel over Ethernet (FCoE) target mode were available only as technical preview. With this update, the fcoe-target-utils packages are fully supported in Red Hat Enterprise Linux 6.
5.63. fcoe-utils
Bug Fix
- BZ#804936
- The "service fcoe status" command returned an incorrect return value when the fcoe service was running. With this update, the underlying code has been modified and fcoe now returns the correct code under these circumstances.
5.64. febootstrap
5.65. fence-agents
Bug Fix
- BZ#872620
- The speed of fencing is critical: the longer fencing takes, the more time a broken node has to corrupt data. Prior to this update, the fence_vmware_soap fencing agent was slow and could corrupt data when used on the VMware vSphere platform with hundreds of virtual machines. This update fixes a problem with virtual machines that do not have a valid UUID, which can be created during failed P2V (Physical-to-Virtual) processes. Now, the fencing process is much faster and no longer terminates if a virtual machine without a UUID is encountered.
Bug Fixes
- BZ#769681
- The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the "up" and "down" states, the API includes a number of other states. Previously, the "on" power status was returned only if the machine was in the "up" state; the "off" status was returned for all other states, even if the machine was still running. This allowed fencing to report success before the machine was really powered off. With this update, the fence_rhevm agent detects the power status of a cluster node more conservatively, and the "off" status is returned only if the machine is actually powered off, that is, in the "down" state.
- BZ#772597
- Previously, the fence_soap_vmware fence agent was not able to work with more than one hundred machines in a cluster. Consequently, fencing a cluster node running in a virtual machine on VMware with the fence_soap_vmware fence agent failed with the "KeyError: 'config.uuid'" error message. With this update, the underlying code has been fixed to support fencing on such clusters.
- BZ#740484
- Previously, the fence_ipmilan agent failed to handle passwd_script argument values that contained space characters. Consequently, it was impossible to use a password script that required additional parameters. This update ensures that fence_ipmilan accepts and properly parses values for the passwd_script argument with spaces.
- BZ#771211
- Previously, the fence_vmware_soap fence agent did not expose the proper virtual machine path for fencing. With this update, fence_vmware_soap has been fixed to support this virtual machine identification.
- BZ#714841
- Previously, certain fence agents did not generate correct metadata output. As a result, it was not possible to use the metadata for automatic generation of manual pages and user interfaces. With this update, all fence agents generate their metadata as expected.
- BZ#771936
- Possible buffer overflow and null dereference defects were found by automatic tools. With this update, these problems have been fixed.
- BZ#785091
- Fence agents that use an identity file for SSH terminated unexpectedly when a password was expected but was not provided. This bug has been fixed and proper error messages are returned in the described scenario.
- BZ#787706
- The fence_ipmilan fence agent did not respect the power_wait option and did not wait after sending the power-off signal to a device. Consequently, the device could terminate its shutdown sequence. This bug has been fixed and fence_ipmilan now waits before shutting down a machine as expected.
- BZ#741339
- The fence_scsi agent creates the fence_scsi.dev file, which contains a list of the devices that the node registered with during an unfence operation. This file was unlinked for every unfence action. Consequently, if multiple fence device entries were used in the cluster.conf file, fence_scsi.dev contained only the devices that the node registered with during the most recent unfence action. Now, instead of unlinking the file, the agent adds the device currently being registered to fence_scsi.dev if it is not already listed there.
- BZ#804169
- If the "delay" option was set to more than 5 seconds while a fence device was connected via the telnet_ssl utility, the connection timed out and the fence device failed. Now, the "delay" option is applied before the connection is opened, thus fixing this bug.
- BZ#806883
- Previously, XML metadata returned by a fence agent incorrectly listed all attributes as "unique". This update fixes this problem and the attributes are now marked as unique only when this information is valid.
- BZ#806912
- This update fixes a typographical error in an error message in the fence_ipmilan agent.
- BZ#806897
- Prior to this update, the fence agent for IPMI (Intelligent Platform Management Interface) could return an invalid return code when the "-M cycle" option was used. This invalid return code could cause invalid interpretation of a fence action, eventually causing the cluster to become unresponsive. This bug has been fixed and only predefined return codes are now returned in the described scenario.
- BZ#804805
- Previously, the fence_brocade fence agent did not distinguish the "action" option from the standard "option" option. Consequently, the "action" option was ignored and the node was always fenced. This bug has been fixed and both options are now properly recognized and acted upon.
Enhancement
- BZ#742003
- This update adds support for accessing the Fujitsu RSB fencing device over Secure Shell (SSH).
5.66. fence-virt
Bug Fixes
- BZ#753974
- Prior to this update, the libvirt-qpid plug-in did not handle exceptions correctly. As a consequence, the fence_virtd daemon could unexpectedly terminate with a segmentation fault if the connection to the specified qpid daemon failed. This update modifies the exception handling. Now, the fencing operation works as expected.
- BZ#758392
- Prior to this update, the hashing utility sha_verify did not handle errors correctly when a key file could not be read. As a consequence, the fence_virtd daemon could unexpectedly terminate with a segmentation fault when receiving a fencing request if fence_virtd failed to read the specified key file during startup. This update modifies the error handling if a key file cannot be read. Now, fence_virtd no longer terminates under these conditions.
- BZ#761215
- Prior to this update, the XML example for serial mode in the fence_virt.conf(5) man page contained an incorrect closing tag. This update corrects this tag.
- BZ#806949
- Prior to this update, the libvirt-qpid plug-in was linked directly against the qpid libraries instead of only the qmfv2 library. As a consequence, newer versions of the qpid libraries could not be used with the libvirt-qpid plug-in. This update no longer links against the qpid libraries directly, so newer qpid libraries can now be used with libvirt-qpid.
- BZ#809101
- Prior to this update, the fence_virtd.conf manpage and the fence_virtd.conf generator incorrectly stated that by default, fence_virtd listened on all network interfaces. Both have been amended to state that by default, fence_virtd listens on the default network interface.
5.67. file
Bug Fixes
- BZ#795425
- The file utility did not contain a "magic" pattern for detecting QED images and was therefore not able to detect such images. A new "magic" pattern for detecting QED images has been added, and the file utility now detects these images as expected.
- BZ#795761
- The file utility did not contain a "magic" pattern for detecting VDI images and was therefore not able to detect such images. A new "magic" pattern for detecting VDI images has been added, and the file utility now detects these images as expected.
- BZ#797784
- Previously, the file utility did not attempt to load "magic" patterns from the ~/.magic.mgc file, which caused "magic" patterns stored in this file to be unusable. This update modifies the file utility so it now attempts to load the ~/.magic.mgc file. The file is loaded if it exists and "magic" patterns defined in this file work as expected.
- BZ#801711
- Previously, the file utility used a read timeout when decompressing files with the "-z" option. As a consequence, the utility was not able to detect files compressed by the bzip2 tool. The underlying source code has been modified so that file no longer uses a read timeout when decompressing files. Compressed files are now detected as expected when using the "-z" option.
- BZ#859834
- Previously, the file utility contained multiple "magic" patterns to detect output of the "dump" backup tool. On big-endian architectures, the less detailed "magic" pattern was used and output of the file utility was inconsistent. The less detailed "magic" pattern has been removed, and only one, more detailed, "magic" pattern to detect "dump" output is used now.
Bug Fixes
- BZ#688136
- Previously, the file utility contained "magic" patterns that detected files according to a single byte only. Unicode text files starting with that particular byte could therefore be incorrectly recognized as DOS executable files. This update removes the problematic patterns. Patterns that match fewer than 16 bits are no longer accepted, and the utility no longer detects Unicode files as DOS executables.
- BZ#709846
- Previously, the "magic" pattern for detection of Dell BIOS headers was outdated. As a consequence, the file utility did not detect newer BIOS formats. The "magic" pattern has been updated, and the file utility now detects new formats of Dell BIOS properly.
- BZ#719583
- Previously, users were allowed to add new "magic" files only into the home directory. As a consequence, users were not able to configure "magic" patterns for certain special file formats system-wide. With this update, a backported patch provides a way to read "magic" patterns from the /etc/magic file.
- BZ#733229
- Previously, the "magic" patterns for Python were insufficient, so the file utility was unable to recognize a Python script by its function definitions. With this update, detection of Python is improved, and Python scripts are properly recognized.
- BZ#747999
- Previously, the file utility did not contain a "magic" pattern for detection of files compressed using the LZMA algorithm. As a consequence, the file utility was unable to detect these files. This update adds the missing "magic" pattern, and LZMA compressed files are now detected as expected.
- BZ#758109
- Previously, the file utility did not contain a "magic" pattern to detect the swap signature on Itanium microprocessors. As a consequence, the file utility was unable to detect the signature. This update adds the missing "magic" pattern, and the swap signature on Itanium microprocessors is detected as expected.
- BZ#760083
- Previously, the file utility did not parse the name of an RPM package from the RPM file. As a consequence, the utility did not print the name of the RPM package. This update adds a "magic" pattern for RPM package name parsing, and the name is now printed as expected.
5.68. firefox
Security Fixes
- CVE-2013-0775, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2013-0776
- It was found that, after canceling a proxy server's authentication prompt, the address bar continued to show the requested site's address. An attacker could use this flaw to conduct phishing attacks by tricking a user into believing they are viewing a trusted site.
Security Fixes
- CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967
- A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-1959
- A malicious web page could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges.
- CVE-2012-1966
- A flaw in the context menu functionality in Firefox could allow a malicious website to bypass intended restrictions and allow a cross-site scripting attack.
- CVE-2012-1950
- A page different from the one shown in the address bar could be displayed when dragging and dropping to the address bar, possibly making it easier for a malicious site or user to perform a phishing attack.
- CVE-2012-1955
- A flaw in the way Firefox called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.
- CVE-2012-1957
- A flaw in a parser utility class used by Firefox to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Firefox. This issue could have affected other browser components or add-ons that assume the class returns sanitized input.
- CVE-2012-1961
- A flaw in the way Firefox handled X-Frame-Options headers could allow a malicious website to perform a clickjacking attack.
- CVE-2012-1963
- A flaw in the way Content Security Policy (CSP) reports were generated by Firefox could allow a malicious web page to steal a victim's OAuth 2.0 access tokens and OpenID credentials.
- CVE-2012-1964
- A flaw in the way Firefox handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted.
- CVE-2012-1965
- A flaw in the way Firefox handled feed:javascript URLs could allow output filtering to be bypassed, possibly leading to a cross-site scripting attack.
Security Fixes
- CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964
- A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3969, CVE-2012-3970
- A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3967, CVE-2012-3968
- Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3966
- A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3980
- A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3972
- An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash.
- CVE-2012-3976
- It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site.
- CVE-2012-3978
- A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded.
Security Fix
- CVE-2012-4194, CVE-2012-4195, CVE-2012-4196
- Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code.
Security Fixes
- CVE-2013-0744, CVE-2013-0746, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2013-0758
- A flaw was found in the way Chrome Object Wrappers were implemented. Malicious content could be used to cause Firefox to execute arbitrary code via plug-ins installed in Firefox.
- CVE-2013-0759
- A flaw in the way Firefox displayed URL values in the address bar could allow a malicious site or user to perform a phishing attack.
- CVE-2013-0748
- An information disclosure flaw was found in the way certain JavaScript functions were implemented in Firefox. An attacker could use this flaw to bypass Address Space Layout Randomization (ASLR) and other security restrictions.
Security Fixes
- CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-3986, CVE-2012-3991
- Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.
- CVE-2012-1956, CVE-2012-3992, CVE-2012-3994
- Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks.
- CVE-2012-3993, CVE-2012-4184
- Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code.
Bug Fix
- BZ#809571, BZ#816234
- In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on an NFS share, led to Firefox functioning incorrectly; for example, navigation buttons did not work as expected and bookmarks were not saved. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:
- Start Firefox.
- Type "about:config" (without quotes) into the URL bar and press the Enter key.
- If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button.
- Right-click in the Preference Name list. In the menu that opens, select New -> Boolean.
- Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.
- Select "true" for the boolean value and then press the OK button.
Security Fixes
- CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-4202
- A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-4210
- A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges.
- CVE-2012-4207
- A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-4209
- A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins.
- CVE-2012-5841
- A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks.
- CVE-2012-4201
- A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks.
5.69. firstboot
Enhancements
- BZ#704187
- Prior to this update, the firstboot utility did not allow users to change the timezone. This update adds the timezone module to firstboot so that users can now change the timezone in the reconfiguration mode.
- BZ#753658
- Prior to this update, the firstboot service did not provide a status option. This update adds the "firstboot service status" option to show if firstboot is scheduled to run on the next boot or not.
5.70. flash-plugin
Security Fix
- CVE-2012-1535
- This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-18. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-24. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2013-0633, CVE-2013-0634
- This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-04. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-22. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
- This update fixes three vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-27. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fix
- CVE-2013-0630
- This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed in the Adobe Security bulletin APSB13-01. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
Security Fixes
- CVE-2013-0638, CVE-2013-0639, CVE-2013-0642, CVE-2013-0644, CVE-2013-0645, CVE-2013-0647, CVE-2013-0649, CVE-2013-1365, CVE-2013-1366, CVE-2013-1367, CVE-2013-1368, CVE-2013-1369, CVE-2013-1370, CVE-2013-1372, CVE-2013-1373, CVE-2013-1374
- This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB13-05. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
- CVE-2013-0637
- A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
5.71. fontforge
Bug Fix
- BZ#676607
- Previously, the "configure.in" file did not include information on how to handle 64-bit PowerPC architectures. Attempting to install the 32-bit and 64-bit PowerPC fontforge-devel multilib RPM packages on the same 64-bit PowerPC machine led to conflicts between those packages. This update modifies the "configure.in" file so that the fontforge-devel multilib RPM packages can be installed on the same machine, and the conflicts no longer occur in the described scenario.
5.72. fprintd
Bug Fix
- BZ#665837
- Previously, if no USB support was available on a machine (for example, virtual machines on a hypervisor that disabled USB support for guests), the fprintd daemon received the SIGABRT signal, and therefore terminated abnormally. Such crashes did not cause any system failure; however, the Automatic Bug Reporting Tool (ABRT) was alerted every time. With this update, the underlying code has been modified so that the fprintd daemon now exits gracefully on machines with no USB support.
5.73. freeradius
Security Fix
- CVE-2012-3547
- A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).
Bug Fixes
- BZ#787116
- The radtest command-line argument to request the PPP hint option was not parsed correctly. Consequently, radclient did not add the PPP hint to the request packet and the test failed. This update corrects the problem and radtest now functions as expected.
- BZ#705723
- After log rotation, the freeradius logrotate script failed to reload the radiusd daemon after a log rotation and log messages were lost. This update has added a command to the freeradius logrotate script to reload the radiusd daemon and the radiusd daemon reinitializes and reopens its log files after log rotation as expected.
- BZ#712803
- The radtest argument with the eap-md5 option failed because it passed the IP family argument when invoking the radeapclient utility and the radeapclient utility did not recognize the IP family. The radeapclient now recognizes the IP family argument and radtest now works with eap-md5 as expected.
- BZ#700870
- Previously, freeradius was compiled without the "--with-udpfromto" option. Consequently, with a multihomed server and explicitly specifying the IP address, freeradius sent the reply from the wrong IP address. With this update, freeradius has been built with the --with-udpfromto configuration option and the RADIUS reply is always sourced from the IP the request was sent to.
- BZ#753764
- The password expiration field for local passwords was not checked by the unix module and the debug information was erroneous. Consequently, a user with an expired password in the local password file was authenticated despite having an expired password. With this update, check of the password expiration has been modified. A user with an expired local password is denied access and correct debugging information is written to the log file.
- BZ#690756
- Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS PostgreSQL tables failed to be created. With this update, the syntax has been adjusted and the tables are created as expected.
- BZ#782905
- When FreeRADIUS received a request, it sometimes failed with the following message:
WARNING: Internal sanity check failed in event handler for request 6
This bug was fixed by upgrading to upstream version 2.1.12.
- BZ#810605
- FreeRADIUS has a thread pool that will dynamically grow based on load. If multiple threads using the rlm_perl() function are spawned in quick succession, freeradius sometimes terminated unexpectedly with a segmentation fault due to parallel calls to the rlm_perl_clone() function. With this update, mutex for the threads has been added and the problem no longer occurs.
5.74. freetype
Security Fix
- CVE-2012-5669
- A flaw was found in the way the FreeType font rendering engine processed certain Glyph Bitmap Distribution Format (BDF) fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
5.75. ftp
Bug Fix
- BZ#783868
- Prior to this update, using the ftp command "put" when the stack size was set to unlimited caused the sysconf(_SC_ARG_MAX) function to return -1, which in turn resulted in the malloc() function being called with an argument of 0 and causing an "Out of memory" message to be displayed. With this update, the underlying source code has been improved to allocate a reasonable minimum of memory. As a result, the "Out of memory" message no longer appears if the stack size was previously set to unlimited.
Bug Fixes
- BZ#871072
- Previous implementation of FTP did not free the memory allocated for its commands correctly. Consequently, memory leaks occurred whenever the "append", "put" and "send" commands were run. With this update, the underlying source code has been corrected and allocated memory is now freed as expected.
- BZ#871547
- Previously, the size of the buffer used for an FTP macro definition was limited to 200 characters. Therefore, if the size of the macro was larger than 200 characters, the buffer overflowed and the FTP client terminated unexpectedly. This update extends the buffer of the FTP macro to match the size of the FTP command line limit, which is now 4296 characters. The FTP client no longer crashes in this scenario.
Enhancement
- BZ#871060
- Previously, the command line width in the FTP client was limited to 200 characters. With this update, the maximum possible length of the FTP command line has been extended to 4296 characters.
Bug Fix
- BZ#869858
- Prior to this update, the ftp client could encounter a buffer overflow and abort if a macro longer than 200 characters was defined and then used after a connection. This update extends the buffer that holds the macro name so that it matches the command line length limit, and the ftp client no longer aborts when a macro with a long name is executed.
Bug Fixes
- BZ#665337
- Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.
- BZ#786004
- Prior to this update, "append", "put", and "send" commands were causing system memory to leak. The memory holding the ftp command was not freed appropriately. With this update, the underlying source code has been improved to correctly free the system resources and the memory leaks are no longer present.
- BZ#849940
- Previously, the ftp client could not be invoked to run directly in the active mode. This functionality has been added to the source code and documented in the manual page. The client can now be executed with an additional "-A" command line parameter and will run in the active mode.
- BZ#852636
- Previously, the ftp client hung when the ftp-data port (20) was not available (for example, when it was blocked), and the client then had to be terminated manually. With this update, additional logic has been added to the source code and ftp has an internal timeout set to 30 seconds. If there is no answer from the server when this time has passed, ftp now times out gracefully instead of hanging.
5.76. gawk
Bug Fix
- BZ#829558
- Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, any text in a multi-byte encoding other than UTF-8 failed to be processed correctly. This update modifies the underlying code so that the correct string length is used, and multi-byte encodings are now processed correctly.
Bug Fixes
- BZ#648906
- Prior to this update, the gawk utility could, under certain circumstances, interpret some run-time variables as internal zero-length variable prototypes. When gawk tried to free such run-time variables, it actually freed the internal prototypes, that were allocated just once due to memory savings. As a consequence, gawk sometimes failed and the error message "awk: double free or corruption" was displayed. With this update the problem has been corrected and the error no longer occurs.
- BZ#740673
- Prior to this update, the gawk utility did not copy variables from the command line arguments. As a consequence, the variables were not accessible as intended. This update modifies the underlying code so that gawk makes copies of those variables.
- BZ#743242
- Prior to this update, the Yacc interpreter encountered problems handling larger stacks. As a consequence, the Yacc interpreter could fail with a stack overflow error when interpreting the AWK code. This update enlarges the stack and Yacc can now handle these AWK programs.
5.77. gcc
Bug Fixes
- BZ#751767
- The gfortran compiler could fail to compile the code with an internal compiler error. This happened because the gfc_type_for_size() function from the trans-types.c library did not return the correct data type if the demanded bit precision was less than the built-in bit precision size of the corresponding type. With this update, the function returns the corresponding wider type if no suitable narrower type has been found and the code is compiled correctly.
- BZ#756138
- The G++ compiler terminated unexpectedly with a segmentation fault and returned an internal compiler error when compiling with the -O2 or -O3 optimization option. This happened because the compiler tried to cancel the same loop twice in the remove_path() function. With this update, the loop is canceled only once and the segmentation fault no longer occurs in this scenario.
- BZ#756651
- Previously, GCC could generate incorrect code if combining instructions when splitting a two-set pattern. This was due to an error in the way the split patterns were handled while combining the instructions. With this update, the code handling instruction combining has been fixed and the problem no longer occurs.
- BZ#767604
- Previously, GCC could terminate unexpectedly with an internal compiler error, which was triggered by aggressive loop peeling enabled by the "-mtune=z10" setting when moving registers. With this update, the registers are determined from the instruction patterns correctly and the compilation succeeds in this scenario.
- BZ#799491
- Typing into Web Console in Firefox caused Firefox to terminate unexpectedly. This happened because the compiler incorrectly cloned one of the functions called under these circumstances. With this update, the function is no longer cloned and the problem no longer occurs.
Enhancement
- BZ#739443
- Previously, the GCC compiler did not contain the header with functions for converting the half-float type. This update adds the header and also fixes GCC so that it works correctly with the "-march=native" option on AMD FX processor microarchitectures.
5.78. gdb
Bug Fixes
- BZ#739685
- To load a core file, GDB requires the binaries that were used to produce the core file. GDB uses a built-in detection to load the matching binaries automatically. However, you can specify arbitrary binaries manually and override the detection. Previously, loading other binaries that did not match the invoked core file could cause GDB to terminate unexpectedly. With this update, the underlying code has been modified and GDB no longer crashes under these circumstances.
- BZ#750341
- Previously, GDB could terminate unexpectedly when loading symbols for a C++ program compiled with early GCC compilers due to errors in the cp_scan_for_anonymous_namespaces() function. With this update, an upstream patch that fixes this bug has been adopted and GDB now loads any known executables without crashing.
- BZ#781571
- If GDB failed to find the associated debuginfo rpm symbol files, GDB displayed the following message suggesting installation of the symbol files using the yum utility:
Missing separate debuginfo for the main executable file
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/47/830504b69d8312361b1ed465ba86c9e815b800
However, the suggested "--enablerepo='*-debuginfo'" option failed to work with RHN (Red Hat Network) debug repositories. This update corrects the option in the message to "--enablerepo='*-debug*'" and the suggested command works as expected.
- BZ#806920
- On PowerPC platforms, DWARF information created by the IBM XL Fortran compiler does not contain the DW_AT_type attribute for DW_TAG_subrange_type; however, DW_TAG_subrange_type in the DWARF information generated by GCC always contains the DW_AT_type attribute. Previously, GDB could interpret arrays from IBM XL Fortran compiler incorrectly as it was missing the DW_AT_type attribute, even though this is in accordance with the DWARF standard. This updated GDB now correctly provides a stub index type if DW_AT_type is missing for any DW_TAG_subrange_type, and processes debug info from both IBM XL Fortran and GCC compilers correctly.
5.79. gdm
Bug Fix
- BZ#860646
- When gdm was used to connect to a server via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in wrong authorization with the X server. Consequently, applications such as xterm could not be displayed on the remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this bug.
5.80. gd
Bug Fix
- BZ#790400
- Prior to this update, the gd graphics library handled inverted Y coordinates incorrectly when changing the thickness of a line. As a consequence, lines with changed thickness were drawn incorrectly. This update modifies the underlying code to draw lines with changed thickness correctly.
5.81. gegl
Security Fix
- CVE-2012-4433
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the gegl utility processed .ppm (Portable Pixel Map) image files. An attacker could create a specially-crafted .ppm file that, when opened in gegl, would cause gegl to crash or, potentially, execute arbitrary code.
5.82. geronimo-specs
Bug Fix
- BZ#818755
- Prior to this update, the geronimo-specs-compat package description contained inaccurate references. This update removes these references so that the description is now accurate.
5.83. ghostscript
Security Fix
- CVE-2012-4405
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.
Bug Fixes
- BZ#643105
- Prior to this update, the gdevcups driver, which produces CUPS Raster output, handled memory allocations incorrectly. This could cause the ghostscript program to terminate unexpectedly in some situations. This update applies backported fixes for handling the memory allocations to this version of ghostscript and the crash no longer occurs.
- BZ#695766
- Prior to this update, certain input files containing CID Type2 fonts were rendered with incorrect character spacing. This update modifies the code so that all input files with CID Type2 fonts are rendered correctly.
- BZ#697488
- Prior to this update, the page orientation was incorrect when pages in the landscape orientation were converted to the PXL raster format. This update matches landscape-page sizes as well as portrait-page sizes, and sets the orientation parameter correctly when a match is found.
5.84. gimp
Security Fixes
- CVE-2012-3481
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
- CVE-2011-2896
- A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
- CVE-2012-3403
- A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file format plug-in. An attacker could create a specially-crafted KiSS palette file that, when opened, could cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
5.85. glib2
Bug Fix
- BZ#782194
- Prior to this update, the gtester-report script was not marked as executable in the glib2-devel package. As a consequence, the gtester-report did not run with the default permissions. This update changes the glib2-devel package definition so that this script is now executable.
5.86. glibc
Bug Fix
- BZ#843571
- Prior to this update, glibc incorrectly handled the "options rotate" option in the /etc/resolv.conf file when this file also contained one or more IPv6 name servers. Consequently, DNS queries could unexpectedly fail, particularly when multiple queries were issued by a single process. This update fixes internalization of the listed servers from /etc/resolv.conf into glibc's internal structures, as well as the sorting and rotation of those structures to implement the "options rotate" capability. Now, DNS names are resolved correctly in glibc in the described scenario.
Security Fix
- CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
- Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
Bug Fix
- BZ#837026
- A programming error caused an internal array of nameservers to be only partially initialized when the /etc/resolv.conf file contained IPv6 nameservers. Depending on the contents of a nearby structure, this could cause certain applications to terminate unexpectedly with a segmentation fault. The programming error has been fixed, which restores proper behavior with IPv6 nameservers listed in the /etc/resolv.conf file.
Bug Fix
- BZ#902685
- A logic error caused glibc's DNS code to incorrectly handle rejected responses from DNS servers. Consequently, after a server returned a REJECT response, additional servers defined in the /etc/resolv.conf file sometimes failed to be searched. With this update, glibc properly cycles through the servers listed in /etc/resolv.conf even if one of them returns the REJECT response, thus fixing this bug.
Bug Fix
- BZ#864046
- Prior to this update, an error in memory management within the glibc nscd daemon resulted in attempts to free a pointer that was not provided by the malloc() function. Consequently, nscd could terminate unexpectedly. This bug only happened when handling groups with a large number of members. This update ensures that memory allocated by the pool allocator is no longer passed to "free". Instead, we allow the pool allocator's garbage collector to reclaim the memory. As a result, nscd no longer crashes on groups with a large number of members.
Security Fix
- CVE-2012-3480
- Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
Bug Fixes
- BZ#808545
- Previously, if the nscd daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying A or AAAA response. This caused the nscd daemon to wait an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL for the entire record. DNS entries are now reloaded as expected in this scenario.
- BZ#789238
- Previously, locking of the main malloc arena was incorrect in the retry path. This could result in a deadlock if an sbrk request failed. With this update, locking of the main arena in the retry path has been fixed. This problem was exposed by a bug fix provided in the RHSA-2012:0058 update.
- BZ#688720
- glibc had incorrect information for numeric separators and groupings for French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the incorrect separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed.
- BZ#781646
- On some processors, when calling the memcpy() function, the optimized function variant was used. However, the optimized function variant copies the buffer backwards. As a result, if the source and target buffers were overlapping, the program behaved in an unexpected way. While such calling is a violation of ANSI/ISO standards and therefore considered an error, this update restores the prior memcpy() behavior and such programs now use the non-optimized variant of the function to allow applications to behave as before.
- BZ#782585
- Previously, the dynamic loader generated an incorrect ordering for initialization, which did not adhere to the ELF specification. This could result in incorrect ordering of DSO (Dynamic Shared Object) constructors and destructors. With this update, the dependency resolution has been fixed.
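The overlapping memcpy() problem described under BZ#781646 above comes down to a property of the C standard: memcpy() on overlapping ranges is undefined, so a forward-copying and a backward-copying implementation legitimately produce different results, and only memmove() guarantees the intuitive outcome. The following is an added example, not glibc code or anything from the errata; the helper names (ranges_overlap, copy_bytes, the forward_copy and backward_copy models) are hypothetical, and the 6-byte buffer is constructed for illustration.

```c
/* Added example (not glibc code): shows why an overlapping memcpy() is
 * unsafe and how a caller can route overlapping copies to memmove(). */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the byte ranges [dst, dst+n) and [src, src+n) share a byte. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    const unsigned char *d = dst, *s = src;
    return (d < s + n) && (s < d + n);
}

/* Copies n bytes; uses memmove() when the ranges overlap (defined behaviour)
 * and memcpy() otherwise. This is the caller-side fix for code that relied
 * on one particular memcpy() implementation. */
void *copy_bytes(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n))
        return memmove(dst, src, n);
    return memcpy(dst, src, n);
}

/* Two models of a memcpy() implementation: one copies front to back, the
 * other back to front. Both are valid memcpy() strategies for disjoint
 * buffers; they disagree only when the ranges overlap. */
void forward_copy(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

void backward_copy(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = n; i > 0; i--)
        dst[i - 1] = src[i - 1];
}

/* Shifts the constructed string "abcdef" left by one byte in place through
 * copy_bytes(); the overlap is detected and memmove() yields "bcdeff". */
const char *shift_left_demo(void)
{
    static char out[7];
    memcpy(out, "abcdef", 7);      /* disjoint source, memcpy() is fine here */
    copy_bytes(out, out + 1, 5);   /* out[0..5) <- out[1..6): overlapping */
    return out;
}

/* Applies the forward and backward models to the same overlapping shift and
 * returns 1 if the results differ (they do: "bcdeff" versus "ffffff"). */
int overlapping_results_differ(void)
{
    unsigned char a[7] = "abcdef", b[7] = "abcdef";
    forward_copy(a, a + 1, 5);
    backward_copy(b, b + 1, 5);
    return memcmp(a, b, 6) != 0;
}

int main(void)
{
    printf("memmove-based shift: %s\n", shift_left_demo());
    printf("forward and backward memcpy models disagree: %s\n",
           overlapping_results_differ() ? "yes" : "no");
    return 0;
}
```

Applications that broke when the optimized variant was introduced were relying on the forward-copy behaviour; routing overlapping copies through memmove(), as copy_bytes() does, removes the dependency on which variant the library selects.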
- BZ#739971
- The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members. Consequently, applications, such as id, failed to list all the groups a particular user was a member of. With this update, group parsing has been fixed.
- BZ#740506
- Due to a race condition within its malloc() routines, glibc incorrectly allocated too much memory. This could cause a multi-threaded application to allocate more memory to the threads than expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables.
- BZ#795498
- Previously, glibc looked for an error condition in the incorrect location and therefore failed to process a second response buffer in the gaih_getanswer() function. As a consequence, the getaddrinfo() function could not properly return all addresses. This update fixes an incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the second response buffer. The getaddrinfo() function now correctly returns all addresses.
- BZ#750531
- Previously, compiling code that was using the htons() function with the -O2 and -Wconversion parameters caused bogus warnings similar to the following:
warning: conversion to ‘short unsigned int’ from ‘int’ may alter its value
This update fixes types in multiple macros and the warning is no longer returned under these circumstances.
- BZ#696472
- Previously, glibc did not properly detect Intel Core i3, i5, and i7 processors. As a result, glibc sometimes used incorrect implementations of several functions resulting in poor performance. This update fixes the detection process and the library provides proper function implementation to the processors.
- BZ#771342
- Previously, glibc did not initialize the robust futex list after a fork() call. As a result, shared robust mutex locks were not cleaned up after the child process exited. This update ensures that the robust futex list is correctly initialized after a fork system call.
- BZ#754628
- When a process corrupted its heap, the malloc() function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses the mmap() function to allocate memory for the error message instead of the malloc() function. The malloc() deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully.
- BZ#788959, BZ#797094, BZ#809602
- Previously, glibc unconditionally used alloca() to allocate buffers in various routines. If such allocations applied large internal memory requests, stack overflows could occur and the application could terminate unexpectedly. This update applies several upstream patches so that glibc now uses malloc() for these allocations and the problem no longer occurs.
- BZ#789209
- Previously, glibc used an incorrect symbol for the Ukrainian currency. With this update, the symbol has been fixed.
- BZ#752123
- Previously, it was not possible to install the 32-bit glibc-utils package on 64-bit systems and the package was therefore missing on 64-bit Intel architectures. This update modifies the spec file so as to move the respective files and avoid conflicts. As a result, the package is now installed on these 64-bit systems as expected.
- BZ#657572, BZ#785984
- Previously, glibc added unnecessary spaces to abbreviated month names in the Finnish and Chinese locales. With this update, the underlying code has been modified and the spaces are no longer added to the abbreviated month names in these locales.
- BZ#767746
- Previously, glibc returned incorrect error codes from the pthread_create() function. Consequently, some programs incorrectly issued an error for a transient failure, such as a temporary out-of-memory condition. This update ensures that glibc returns the correct error code when memory allocation fails in the pthread_create() function.
- BZ#752122
- Previously, glibc's dynamic loader incorrectly detected Advanced Vector Extensions (AVX) capabilities and could terminate unexpectedly with a segmentation fault. This update fixes the AVX detection and the problem no longer occurs.
- BZ#766513
- Previously, an error string in glibc's getopt routines changed and, as the respective Japanese translation was not adapted, the system failed to find the Japanese version of the message. As a result, the error message was displayed in English even if the system locale was set to Japanese. This update fixes the Japanese translation of the error string and the problem no longer occurs.
- BZ#751750
- Previously, glibc's locking in the IO_flush_all_lockp() function was incorrect. This resulted in a race condition with occasional deadlocks when calling the fork() function in multi-threaded applications. This update fixes the locking and avoids the race condition.
- BZ#784402
- Previously, the nscd daemon cached all transient results even if they were negative. This could result in erroneous nscd results. This update ensures that negative results of transient errors are not cached.
- BZ#804630
- When the resolv.conf file contained only nameservers with IPv6 and options rotate was set, the search domain was always appended. However, this is not desired in the case of fully qualified domain names (FQDN) and if an FQDN was used, the resolution failed. With this update, the underlying code has been modified and if more than one IPv6 nameserver is defined in resolv.conf, the FQDN is resolved correctly. Refer to bug 771204 for further information about this problem.
- BZ#789189
- Previously, when parsing the resolv.conf file, glibc did not handle the parsing of spaces in nameserver entries correctly. Consequently, correct DNS lookups failed. This update fixes the space parsing and the problem no longer occurs.
- BZ#804689
- The getaddrinfo() call could return an incorrect value. This happened because the query for getaddrinfo was more complex than necessary and getaddrinfo failed to handle the additional information returned by the query correctly. With this update, the query no longer returns the additional information and the problem is fixed.
Enhancements
5.87. gnome-desktop
Bug Fix
- BZ#829891
- Previously, when a user hit the system's hot-key (most commonly Fn+F7) to change display configurations, the system could potentially switch to an invalid mode, which would fail to display. With this update, gnome-desktop selects only valid XRandR modes, and switching displays with the hot-key now works as expected.
Bug Fix
- BZ#639732
- Previously, due to an object not being destroyed, the Nautilus file manager could consume an excessive amount of memory. Consequently, constantly growing resident memory would slow down the system. The source code has been modified to prevent memory leaks from occurring and Nautilus now consumes a reasonable amount of memory.
5.88. gnome-keyring
Bug Fix
- BZ#860644
- Due to a bug in the thread-locking mechanism, the gnome-keyring daemon could sporadically become unresponsive while reading data. This update fixes the thread-locking mechanism and no more deadlocks occur in gnome-keyring in the described scenario.
Bug Fixes
- BZ#708919, BZ#745695
- Previously, the mechanism for locking threads was missing. Due to this, gnome-keyring could have, under certain circumstances, terminated unexpectedly on multiple key requests from the integrated ssh-agent. With this update, the missing mechanism has been integrated into gnome-keyring so that gnome-keyring now works as expected.
5.89. gnome-packagekit
Bug Fix
- BZ#839197
- Previously, it was possible for the user to log out of the system or shut it down while the PackageKit update tool was running and writing to the RPM database (rpmdb). Consequently, rpmdb could become damaged and inconsistent due to the unexpected termination and cause various problems with subsequent operation of the rpm, yum, and PackageKit utilities. This update modifies PackageKit to not allow shutting down the system when a transaction writing to rpmdb is active, thus fixing this bug.
5.90. gnome-power-manager
Bug Fix
- BZ#676866
- After resuming the system or re-enabling the display, an icon could appear in the notification area with an erroneous tooltip that read "Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor." and included a URL to an external web page. This error message was incorrect, had no effect on the system and could be safely ignored. In addition, linking to an external URL from the notification and status area is unwanted. To prevent this, the icon is no longer used for debugging idle problems.
5.91. gnome-screensaver
Bug Fix
- BZ#860643
- When a Mandatory profile was enabled, the "Lock screen when screen saver is active" option in the Gnome Screensaver Preferences window was not disabled. This bug could lead to security risks for users. With this update, the lock-screen option is disabled as expected in the described scenario, thus preventing this bug.
5.92. gnome-settings-daemon
Bug Fix
- BZ#866528
- Previously, when a system hotkey was used to change the display configuration, sometimes a valid XRandR configuration failed to be selected and the monitors were not kept in clone mode. Consequently, it was impossible to switch displays. With this update, gnome-settings-daemon always selects valid XRandR modes, and sets or unsets clone mode as expected, thus fixing this bug.
Bug Fixes
- BZ#693843
- Previously, the selected keyboard layout on certain machines reverted to the "US" layout every time the user logged in. With this update, the bug has been fixed so that the selected keyboard layout is not reverted anymore.
- BZ#805036
- Previously, the automatic mapping of the screen tablet did not work with the NVIDIA driver. With this update, support for the NV-CONTROL extension has been added so that the automatic mapping of the screen tablet now works as expected.
- BZ#805042
- Previously, the button mapping to actions did not work in the Wacom graphics tablet plug-in. As a result, the Map Buttons did not display in the GUI and activating buttons on the Wacom graphics tablet had no effect. With this update, these problems have been fixed.
Enhancements
- BZ#769464
- With this update, Wacom graphics tablets are now supported with gnome-settings-daemon.
- BZ#816646
- This update modifies the way gnome-settings-daemon stores settings in GConf. Previously, the settings were stored per user and per device. With this update, the settings are now stored per user, per device, and per machine.
5.93. gnome-system-monitor
Bug Fixes
- BZ#682011
- Prior to this update, the gnome-system-monitor failed to correctly parse the contents of the /proc/cpuinfo file if it included an informational entry about the machine model on 64-bit PowerPC architectures. As a consequence, a false "Unknown CPU model" processor was incorrectly reported by the application. This update changes the parsing code to discard such information when it does not identify an additional processor.
- BZ#692956
- Prior to this update, the gnome-system-monitor parser code expected a certain string to identify the CPU speed which is not used for all architectures. As a consequence, the gnome-system-monitor could fail to correctly parse the processor speed from /proc/cpuinfo when a different string was used, for example on 64-bit PowerPC. This update changes the parsing code to support different string types used on such architectures.
5.94. gnome-terminal
Bug Fix
- BZ#819796
- Prior to this update, gnome-terminal was not completely localized into Assamese. With this update, the Assamese locale has been updated.
5.95. graphviz
Bug Fixes
- BZ#772637
- Previously, the dot tool could generate different images on 32-bit and 64-bit architectures, which could consequently lead to multilib conflicts for packages that use graphviz during their build process. The problem was caused by different instructions being used for floating-point processing. On the 32-bit Intel architecture, the code is now compiled with the "-ffloat-store" compiler flag, which ensures that identical images are generated regardless of the architecture used.
- BZ#821920
- The graphviz-tcl package included the "demo" directory, which contained examples in various languages. This caused implicit dependencies to be introduced. With this update, all examples are installed as documentation, which reduces the number of implicit dependencies.
- BZ#849134
- The "dot -c" command which is run in the %postun scriptlet recreates graphviz configuration files to be up-to-date with the current state of the installed plug-ins. Previously, if the command failed to load plug-ins specified in the configuration files, warning messages were printed when removing the graphviz-gd package. These messages could have been confusing, and have been therefore removed.
5.96. grep
Bug Fix
- BZ#741452
- Previously, the grep utility was not able to handle the EPIPE error. If a SIGPIPE signal was blocked by the shell, grep kept continuously printing error messages. An upstream patch has been applied to address this problem, so that grep exits on the first EPIPE error and prints only one error message.
5.97. grubby
Bug Fix
- BZ#696960
- Previously, when grubby was executed with the "--args=[arguments] --update-kernel=ALL" options to update command line arguments for all kernels whose boot configuration was stored in the edited configuration file, it updated only arguments for the first kernel in the file. As a result, arguments for the other kernels were not updated. This update ensures that arguments for all kernels in a configuration file are updated when grubby is launched with the aforementioned options.
5.98. grub
Bug Fix
- BZ#670266
- Due to an error in the underlying source code, previous versions of GRUB sometimes failed to boot in Unified Extensible Firmware Interface (UEFI) mode when booting from the network on systems with multiple Pre-boot Execution Environment (PXE) network interface cards (NICs). This update ensures that GRUB attempts to identify and use an active interface that has already successfully acquired an address via Dynamic Host Configuration Protocol (DHCP) instead of using the one suggested by the system. As a result, booting from the network in UEFI mode now works as expected on systems with multiple NICs.
5.99. gstreamer-plugins-base
Enhancement
- BZ#755777
- This update adds color-matrix support for color conversions to the ffmpegcolorspace plugin.
5.100. gtk2
Bug Fixes
- BZ#697437
- Previously, the "Open Files" dialog box failed to show the "Size" column if it was previously used in "Search" mode. This update fixes the bug by ensuring that the "Size" column is always displayed according to the "Show Size Column" context menu option.
- BZ#750756
- Previously, copying text from selectable labels, such as those displayed in message dialog boxes, using the Ctrl+Insert key combination did not work. This update adds the Ctrl+Insert key combination that copies selected text to clipboard when activated.
- BZ#801620
- Previously, certain GTK applications, such as virt-viewer, failed to properly initialize key bindings associated with menu items. This was due to a bug in the way properties associated with the menu items were parsed by the library. This update fixes the bug, rendering the menu items accessible again by key bindings for applications that use this feature.
Enhancement
- BZ#689188
- Previously, the "Open Files" dialog box could appear with an abnormal width when the "file type" filter contained a very long string (as observed with certain image hosting websites), making the dialog unusable. With this update, the dialog box splits the filter string into multiple lines of text, so that the dialog keeps a reasonable width.
5.101. gvfs
Bug Fixes
- BZ#599055
- Previously, rules for ignoring mounts were too restrictive. If the user clicked on an encrypted volume in the Nautilus sidebar, an error message was displayed and the volume could not be accessed. The underlying source code now contains additional checks so that encrypted volumes have proper mounts associated (if available), and the file system can be browsed as expected.
- BZ#669526
- Due to a bug in the kernel, a freshly formatted Blu-ray Disk Rewritable (BD-RE) medium contains a single track with invalid data that covers the whole medium. This empty track was previously incorrectly detected, causing the drive to be unusable for certain applications, such as Brasero. This update adds a workaround to detect the empty track, so that freshly formatted BD-RE media are properly recognized as blank.
- BZ#682799, BZ#746977, BZ#746978, BZ#749369, BZ#749371, BZ#749372
- The code of the gvfs-info, gvfs-open, gvfs-cat, gvfs-ls and gvfs-mount utilities contained hard-coded exit codes. This caused the utilities to always return zero on exit. The exit codes have been revised so that the mentioned gvfs utilities now return proper exit codes.
- BZ#746905
- When running gvfs-set-attribute with an invalid command-line argument specified, the utility terminated unexpectedly with a segmentation fault. The underlying source code has been modified so that the utility now prints a proper error message when an invalid argument is specified.
- BZ#809708
- Due to missing object cleanup calls, the gvfsd daemon could use an excessive amount of memory, which caused the system to become unresponsive. Proper object cleanup calls have been added with this update, which ensures that the memory consumption is constant and the system does not hang in this scenario.
5.102. hivex
5.103. hsqldb
Enhancement
- BZ#816735
- HSQLdb has been updated to add stubs for JDBC 4.1.
5.104. hwdata
Enhancements
- BZ#737467
- With this update, the monitor database has been updated with information about the Acer 76ie monitor. Also, several duplicate monitor entries have been removed from the database.
- BZ#760014
- The pci.ids database has been updated with information about the Atheros wireless network adapter, Killer Wireless-N 1103.
5.105. icedtea-web
Security Fixes
- CVE-2012-3422
- An uninitialized pointer use flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could possibly cause a web browser using the IcedTea-Web plug-in to crash, disclose a portion of its memory, or execute arbitrary code.
- CVE-2012-3423
- It was discovered that the IcedTea-Web plug-in incorrectly assumed all strings received from the browser were NUL terminated. When using the plug-in with a web browser that does not NUL terminate strings, visiting a web page containing a Java applet could possibly cause the browser to crash, disclose a portion of its memory, or execute arbitrary code.
Security Fix
- CVE-2012-4540
- A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could cause a web browser using the IcedTea-Web plug-in to crash or, possibly, execute arbitrary code.
5.106. imsettings
Bug Fix
- BZ#713433
- Prior to this update, the IMSettings daemon unexpectedly invalidated the previous pointer after obtaining a new pointer. This update modifies IMSettings so that the code is updated after all transactions are finished.
5.107. indent
Bug Fixes
- BZ#733265
- Prior to this update, suffixes were incorrectly separated when running the indent utility on code with decimal float constants. As a consequence, indent could encounter a compilation syntax error. This update modifies indent to understand decimal float suffixes as proposed by the N1312 draft of ISO/IEC WDTR24732. Now, indent handles decimal float constants as expected.
- BZ#784304
- Prior to this update, the internal test-suite did not signal test failure by exit code if indent failed to pass the test. This update adds an exit call with non-zero value to signal failure.
5.108. initscripts
Bug Fix
- BZ#854852
- Previously, the naming policy for VLAN names was too strict. Consequently, the if-down utility did not properly remove descriptively-named interfaces from the /proc/net/vlan/config file. This update removes the name format check and if-down now works as expected in the described scenario.
Bug Fixes
- BZ#781493
- The previous version of initscripts did not support IPv6 routing in the same way as IPv4 routing. IPv6 addressing and routing could be achieved only by specifying the ip commands explicitly with the -6 flag in the /etc/sysconfig/network-scripts/rule-DEVICE_NAME configuration file, where DEVICE_NAME is the name of the respective network interface. With this update, the related network scripts have been modified to provide support for IPv6-based policy routing, and IPv6 routing is now configured separately in the /etc/sysconfig/network-scripts/rule6-DEVICE_NAME configuration file.
- BZ#786404
- During the first boot after system installation, the kernel entropy was relatively low for generating high-quality keys for sshd. With this update, the entropy created by disk activity during system installation is saved in the /var/lib/random-seed file and used for key generation. This provides enough randomness and allows generation of keys based on sufficient entropy.
- BZ#582002
- In emergency mode, every read request from the /dev/tty device ended with an error, and consequently it was not possible to read from the /dev/tty device. This happened because, when activating single-user mode, the rc.sysinit script called the sulogin application directly. However, sulogin needs to be the console owner to operate correctly. With this update, rc.sysinit starts the rcS-emergency job, which then runs sulogin with the correct console setting.
- BZ#588993
- The ifconfig utility was not able to handle 20-byte MAC addresses in InfiniBand environments and reported that the provided addresses were too long. With this update, the respective ifconfig commands have been changed to aliases to the respective ip commands, and ifconfig now handles 20-byte MAC addresses correctly.
- BZ#746045
- Due to a logic error, the sysfs() call did not remove the arp_ip_target correctly. As a consequence, the following error was reported when attempting to shut down a bonding device:
ifdown-eth: line 64: echo: write error: Invalid argument
This update modifies the script so that the error no longer occurs and arp_ip_target is now removed correctly.
- BZ#746808
- The serial.conf file now contains improved comments on how to create an /etc/init/tty<device>.conf file that corresponds to the active serial device.
- BZ#802119
- The network service showed error messages on service startup similar to the following:
Error: either "dev" is duplicate, or "20" is a garbage.
This was due to incorrect splitting of the parsed arguments. With this update, the arguments are processed correctly and the problem no longer occurs.
- BZ#754984
- The halt initscript did not contain support for the apcupsd daemon, the daemon for power management and control of APC's UPS (Uninterruptible Power Supply) supplies. Consequently, the supplies were not turned off on power failure. This update adds the support to the script, and the UPS models are now turned off in power-failure situations as expected.
- BZ#755175
- In the previous version of initscripts, the comments with descriptions of the kernel.msgmnb and kernel.msgmax variables were incorrect. With this update, the comments have been fixed and the variables are now described correctly.
- BZ#787107
- Due to an incorrect logic operator, the following error was returned on network service shutdown as the shutdown process failed:
69: echo: write error: Invalid argument
With this update, the code of the shutdown initscript has been modified and the error is no longer returned on network service shutdown.
- BZ#760018
- The system could remain unresponsive for some time during shutdown. This happened because initscript did not check if there were any CIFS (Common Internet File System) share mounts and failed to unmount any mounted CIFS shares before shutdown. With this update, a CIFS shares check has been added and the shares are stopped prior to shutdown.
- BZ#721010
- The ifup-aliases script was using the ifconfig tool when starting IP alias devices. Consequently, the ifup execution was gradually slowing down significantly as the number of alias devices on the NIC (Network Interface Card) increased. With this update, IP aliases now use the ip tool instead of ifconfig, and the performance of the ifup-aliases script remains constant in the described scenario.
- BZ#765835
- Prior to this update, the netconsole script could not discover and resolve the MAC address of a router specified in the /etc/sysconfig/netconsole file. This happened because the address was resolved as two identical addresses and the script failed. This update modifies the netconsole script so that it handles the MAC address correctly and the device is discovered as expected.
- BZ#757637
- In the Malay (ms_MY) locale, some services did not work properly. This happened due to a typographical mistake in the ms.po file. This update fixes the mistake and services in the ms_MY locale run as expected.
- BZ#749610
- The primary option for bonding in the ifup-eth tool had a timing issue when bonding NIC devices. Consequently, the bonding was configured, but the interface that was currently active was enslaved first instead of the device defined in the primary option. With this update, the timing of bonding with the primary option has been corrected, and the device defined in the primary option is enslaved first as expected.
Enhancement
- BZ#704919
- Users can now set the NIS (Network Information Service) domain name by configuring the NISDOMAIN parameter in the /etc/sysconfig/network file, or other relevant configuration files.
5.109. iok
5.109.1. RHBA-2012:1164 — iok bug fix update
Bug Fixes
- BZ#814541, BZ#814548
- Previously, when saving a keymap with a specified name, a predefined naming convention was followed and the file name was saved with the "-" prefix without notifying the user. With this update, if the user attempts to save a keymap, a dialog box displaying the required file name format appears.
- BZ#819795
- This update provides the complete iok translation for all supported locales.
5.109.2. RHBA-2012:0392 — iok bug fix update
Bug Fixes
- BZ#736992
- Due to xkb keymaps being rewritten in a recent update of the xkeyboard-config package, iok's language list contained incorrect xkb keymap names when selecting the Hindi X Keyboard Extension (XKB). To fix this problem, iok's xkb parser has been rewritten.
- BZ#752667
- Previously, iok looked for files with the ".mim" suffix in the "~/.m17n" directory instead of the "~/.m17n.d" directory. This update modifies the directory path to the correct "~/.m17n.d" so that the user-defined keymap files are saved in the correct directory.
- BZ#752668
- Previously, when using the on-screen keyboard, mouse clicks on various characters worked as expected. However, finger inputs failed because the first selected character was selected regardless of what characters the user selected next. With this update, users can use the drag-and-drop feature when running iok in advanced mode (the "iok -a" command), which allows users to drag the first key button over the second button. The drag-and-drop feature is not available in iok's default mode.
- BZ#798592
- Due to a small size of the xkb name array, if the user selected the xkb-Malayalam keymap (enhanced Indian Script with the Rupee sign), and then pressed the "To English" button, the iok utility could terminate unexpectedly. With this update, the size of the xkb name array has been increased so that the utility no longer crashes in the described scenario.
5.110. ipa
Security Fix
- CVE-2012-5484
- A weakness was found in the way IPA clients communicated with IPA servers when initially attempting to join IPA domains. As there was no secure way to provide the IPA server's Certificate Authority (CA) certificate to the client during a join, the IPA client enrollment process was susceptible to man-in-the-middle attacks. This flaw could allow an attacker to obtain access to the IPA server using the credentials provided by an IPA client, including administrative access to the entire domain if the join was performed using an administrator's credentials.
Note
This weakness was only exposed during the initial client join to the realm, because the IPA client did not yet have the CA certificate of the server. Once an IPA client has joined the realm and has obtained the CA certificate of the IPA server, all further communication is secure. If a client were using the OTP (one-time password) method to join to the realm, an attacker could only obtain unprivileged access to the server (enough to only join the realm).
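The note above explains why the initial join is the exposed moment: the client has no trusted copy of the server CA yet. One defensive control for any enrollment-style first contact is to give the client the expected CA fingerprint over a separate, trusted channel and refuse to join unless the CA it receives matches. The following is an added illustration of that check, not IPA project code or its actual enrollment flow; the certificate material is constructed placeholder bytes wrapped in PEM framing (no real X.509 structure), which is enough to show the fingerprint computation and the decision.

```python
"""Out-of-band CA fingerprint pinning for an enrollment-style first contact.

Added illustration, not IPA project code. A client that pins the CA
fingerprint obtained through a trusted channel closes the window in which an
on-path party could substitute its own CA during the join.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate block and decode it to DER bytes.

    Whitespace and line wrapping inside the block are ignored, so two PEM
    renderings of the same certificate yield identical DER and fingerprints.
    """
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def ca_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def verify_pinned_ca(pem: str, expected_fingerprint: str) -> bool:
    """True only if the received CA matches the out-of-band pin.

    Constant-time comparison; tolerates the colon-separated, mixed-case form
    in which fingerprints are usually transcribed.
    """
    normalized = expected_fingerprint.replace(":", "").strip().lower()
    return hmac.compare_digest(ca_fingerprint(pem), normalized)


def enroll(received_ca_pem: str, pinned_fingerprint: Optional[str]) -> str:
    """Simulate the join decision for a received CA certificate.

    No pin means trust-on-first-use, which is exactly the exposed window the
    note describes; with a pin, a mismatch aborts the join.
    """
    if pinned_fingerprint is None:
        return "joined (TOFU: CA accepted unverified)"
    if not verify_pinned_ca(received_ca_pem, pinned_fingerprint):
        return "aborted: CA fingerprint mismatch"
    return "joined (CA verified against pin)"


# Constructed sample data: placeholder DER bytes, not a real certificate.
_FAKE_DER = bytes(range(0, 96))
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# The same certificate re-wrapped on one line, as some tools emit it.
SAMPLE_CA_PEM_ONELINE = (
    "-----BEGIN CERTIFICATE-----"
    + base64.b64encode(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----"
)
# A different (constructed) CA, standing in for one substituted on the path.
OTHER_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(1, 97))).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pin = ca_fingerprint(SAMPLE_CA_PEM)  # in practice, obtained out of band
    print(enroll(SAMPLE_CA_PEM, pin))
    print(enroll(OTHER_CA_PEM, pin))
    print(enroll(OTHER_CA_PEM, None))
```

The design point is that the pin must come from somewhere other than the connection being verified; hashing the DER form rather than the PEM text makes the fingerprint independent of line wrapping, and the constant-time compare keeps the check itself from leaking partial matches.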
Bug Fixes
- BZ#810900
- The Identity Management password policy plug-in for the Directory Server did not properly sort the history of user passwords when it was checking the sanity of a password change. Due to this bug, the user password history was sorted randomly, and, consequently, a random password was removed rather than the oldest password when the list overflowed. As a result, users could bypass the password policy requirement for password repetition. User passwords are now sorted correctly in the Identity Management password plug-in for the Directory Server, and the password policy requirement for password repetition is properly enforced.
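The fix above turns on a detail that is easy to get wrong in any password-history implementation: when the history is full, the entry that is dropped must be the oldest by time, not whichever one happens to sit first in storage. The following added example (not the Identity Management plug-in's code) contrasts a positional eviction with a timestamp-ordered one on a history whose entries arrive out of chronological order, as they can when replayed from another replica. Hashing uses PBKDF2 with a per-entry salt so the history never stores plaintext; the low iteration count and all passwords and timestamps are constructed for the demo.

```python
"""Password-history eviction: positional versus timestamp-ordered.

Added illustration, not Identity Management code. Dropping an arbitrary entry
on overflow lets a user cycle back to a password that should still be blocked.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HistoryEntry:
    changed_at: int      # when the password was set (constructed seconds)
    salt: bytes
    digest: bytes


def _digest(password: str, salt: bytes) -> bytes:
    # Low iteration count for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


class PasswordHistory:
    """Keeps at most `max_entries` previous passwords for one account."""

    def __init__(self, max_entries: int, sort_before_evict: bool = True):
        self.max_entries = max_entries
        self.sort_before_evict = sort_before_evict
        self.entries: List[HistoryEntry] = []

    def is_reused(self, password: str) -> bool:
        return any(_digest(password, e.salt) == e.digest for e in self.entries)

    def record(self, password: str, changed_at: int) -> None:
        """Add a password set at `changed_at`, evicting if over capacity.

        Entries may arrive out of chronological order, so storage order is
        not age order.
        """
        salt = os.urandom(16)
        self.entries.append(HistoryEntry(changed_at, salt, _digest(password, salt)))
        while len(self.entries) > self.max_entries:
            if self.sort_before_evict:
                # Correct: put the oldest entry first before evicting.
                self.entries.sort(key=lambda e: e.changed_at)
            # Buggy variant skips the sort: whatever is first in storage goes.
            del self.entries[0]


def reuse_check_after_overflow(sort_before_evict: bool) -> Dict[str, bool]:
    """Drive a 3-entry history with out-of-order timestamps and report which
    passwords are still blocked after a fourth change forces an eviction."""
    hist = PasswordHistory(max_entries=3, sort_before_evict=sort_before_evict)
    # Constructed sequence: "winter2011" is the oldest password but is
    # delivered last, just before the overflow-triggering fourth change.
    hist.record("spring2012", changed_at=200)
    hist.record("summer2012", changed_at=300)
    hist.record("winter2011", changed_at=100)
    hist.record("autumn2012", changed_at=400)   # overflow: one entry evicted
    return {pw: hist.is_reused(pw)
            for pw in ("winter2011", "spring2012", "summer2012", "autumn2012")}


if __name__ == "__main__":
    print("fixed:", reuse_check_after_overflow(True))
    print("buggy:", reuse_check_after_overflow(False))
```

With the sort in place the oldest password ("winter2011") is the one that becomes reusable, as the policy intends; without it, "spring2012" falls out of the history even though two more recent passwords exist, which is the policy bypass the note describes.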
- BZ#805478
- Due to a bug in the Identity Management permission plug-in, an attempt to rename a permission always resulted in an error. Consequently, users had to remove the permission and create a new permission with a new name when attempting to rename a permission. With this update, the underlying source code has been modified to address this issue, and users are now able to rename permissions.
- BZ#701677
- Previously, the DNS plug-in did not allow users to set a query or a transfer policy for a zone managed by Identity Management. Therefore, users could not control who could query or transfer zones in the same way they do with zones stored in plain text files. With this update, users can set ACLs for every zone managed by Identity Management; thus, users can control who can query their zones or run zone transfers.
- BZ#773759
- Non-admin users with an appropriate permission can change passwords of other users. However, the target group of this permission was previously not limited. Consequently, a non-admin user with the permission to change passwords could change the password of the admin user and acquire access to the admin account. With this update, the permission was changed to allow password changes for non-admin users only.
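The fix above is a least-privilege scoping problem: a delegated "change passwords" permission is only safe if its target set excludes accounts whose takeover would grant more than the holder already has. The following added example (not Identity Management's ACI implementation) models a permission as a set of holder groups plus a target filter, and compares the unscoped and scoped forms on constructed sample users.

```python
"""Scoping a delegated password-reset permission to non-admin targets.

Added illustration, not Identity Management's ACI code. All users, groups and
names are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class User:
    uid: str
    groups: Set[str] = field(default_factory=set)


@dataclass
class Permission:
    name: str
    holders: Set[str]                      # groups whose members hold it
    target_ok: Callable[[User], bool]      # filter evaluated on the target


# Constructed directory: one admin, one help-desk user, one ordinary user.
DIRECTORY: Dict[str, User] = {
    "alice": User("alice", {"admins"}),
    "bob": User("bob", {"helpdesk"}),
    "carol": User("carol", {"staff"}),
}

# Before the fix: any user entry is a valid target of the permission.
UNSCOPED = Permission("change passwords", {"helpdesk"}, target_ok=lambda u: True)
# After the fix: administrators are excluded from the target set.
SCOPED = Permission("change passwords", {"helpdesk"},
                    target_ok=lambda u: "admins" not in u.groups)


def _holds(actor: User, perm: Permission) -> bool:
    return bool(actor.groups & perm.holders)


def may_reset_password(actor_uid: str, target_uid: str, perm: Permission) -> bool:
    """True if `actor` may reset `target`'s password under `perm`.

    Members of the admins group bypass the delegated permission, and any user
    may change their own password; everyone else needs the permission AND a
    target that passes its filter.
    """
    actor, target = DIRECTORY[actor_uid], DIRECTORY[target_uid]
    if actor_uid == target_uid or "admins" in actor.groups:
        return True
    return _holds(actor, perm) and perm.target_ok(target)


def decision_table(perm: Permission) -> Dict[str, bool]:
    """Evaluate a fixed set of actor/target pairs against one permission."""
    pairs = [("bob", "carol"), ("bob", "alice"), ("carol", "bob"), ("alice", "bob")]
    return {f"{a}->{t}": may_reset_password(a, t, perm) for a, t in pairs}


if __name__ == "__main__":
    print("unscoped:", decision_table(UNSCOPED))
    print("scoped:  ", decision_table(SCOPED))
```

The only row that changes between the two tables is the help-desk user acting on the administrator; every legitimate use of the permission is preserved, which is the property to check whenever a delegated permission is narrowed.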
- BZ#751173
- When the ipa passwd CLI command was used to change a user's password, it returned the following error message when the password change failed:
ipa: ERROR: Constraint violation: Password Fails to meet minimum strength criteria
User password changes are subject to a configured password policy. Without a proper error message, it may be difficult to investigate why the password change failed (password complexity, too soon to change the password, and so on) and amend the situation. The Directory Server plug-in that is used to change passwords now returns a proper error message if the ipa passwd command fails.
- BZ#751597
- When an Identity Management server is installed with a custom hostname which is not properly resolvable in DNS, an IP address for the custom hostname is requested from the user. Next, a host record is added to the /etc/hosts file so that the custom hostname is resolvable and the installation can continue. However, previously, the record was not added when the IP address was passed using the --ip-address option. As a result, installation failed because subsequent steps could not resolve the machine's IP address. With this update, a host record is added to /etc/hosts even when the IP address is passed via the --ip-address option, and the installation process continues as expected.
- BZ#751769
- Identity Management could not be installed on a server with a custom LDAP server instance even though the LDAP server instance runs on a custom port and therefore does not conflict with Identity Management. As a result, users could not deploy custom LDAP instances on a system with Identity Management. With this update, Identity Management no longer enforces that no LDAP instances exist. Instead, it checks that the reserved LDAP ports (389 and 636) are free. Users can combine an Identity Management server with custom LDAP server instances as long as they run on custom ports.
- BZ#753484
- When the Kerberos single sign-on to the Identity Management Web UI failed, the Web UI did not fall back to the login and password authentication. Workstations outside of the Identity Management Kerberos realm, or with incompatible browsers, could not access the Web UI unless a fallback from Kerberos authentication to login and password authentication was configured on the Identity Management web server. The Web UI is now able to fall back to form based authentication when Kerberos authentication cannot be used.
- BZ#754973
- The force-sync, re-initialize, and del sub-commands of the ipa-replica-manage command failed when used against a winsync agreement on an Active Directory machine, limiting the user's ability to control winsync replication agreements. With this update, ipa-replica-manage was fixed to manage both standard replication agreements and winsync agreements in a more robust way.
- BZ#757681
- The Identity Management installer did not process the host IP address properly when the --no-host-dns option was passed. When a hostname was not resolvable and the --no-host-dns option was used, the ipa-replica-install utility failed during the installation and did not amend the hostname resolution in the same way as the ipa-server-install utility does. With this update, ipa-server-install and ipa-replica-install now share host IP address processing, and both add a record to the /etc/hosts file when the server or replica hostname is not resolvable.
- BZ#759100
- The Identity Management server installation script did not properly handle situations when a server had 2 IP addresses assigned, and failed to proceed with the installation. This update fixes the installation script, and installing the Identity Management server in a dual-NIC configuration works as expected.
- BZ#750828
- When Identity Management is installed with the --external-ca option, the installation is divided into two stages. The second stage of the installation process reads configuration options from a file stored by the first stage. Previously, the installer did not properly store the value of the DNS forwarder IP address, which was then misread by the second stage of the installation process, and name server configuration in the second stage of the installation failed. With this update, the forwarder option is correctly stored, and installation works as expected.
- BZ#772043
- Prior to this update, the Identity Management netgroup plug-in did not validate netgroup names. Consequently, a netgroup with an invalid name could be stored in an LDAP server which could then crash when the invalid value was processed by the NIS plug-in. The Identity Management netgroup plug-in now enforces stricter validation of netgroup names.
- BZ#772150
- Certain Identity Management replica agreements ignored a list of attributes that should have been excluded from replication. Identity Management attributes that are generated locally on each master by the LDAP server plug-in (in this case, the memberOf attribute) were being replicated. This forced all Identity Management replicas' LDAP servers to re-process the memberOf data and increased the load on the LDAP servers. When many entries were added to a replica in a short period of time, or when a replica was being re-initialized from another master, all replicas were flooded with memberOf changes, which caused high load on all replica machines and caused performance issues. New replica agreements, added by the ipa-replica-install utility, no longer ignore lists of attributes excluded from replication. Re-initialization or a high number of added entries in an Identity Management LDAP server no longer causes performance issues caused by memberOf processing. Old replica agreements have also been updated to contain the correct list of attributes excluded from replication.
- BZ#784025
- The ipa automountmap-add-indirect command creates a new map and adds a key to the parent map (auto.master by default) which references the new indirect map. Because map nesting is only allowed in the auto.master map, a submount map referenced in other maps needs to follow the standard submount format (that is, <key> <origin> <mapname>) so that the referenced map is correctly loaded from LDAP. However, the automountmap-add-indirect sub-command did not follow this distinction, and the <origin> and <mapname> attributes were not filled correctly. Therefore, submount maps referenced in a map other than auto.master were not recognized as automount maps by the autofs client software, and were not mounted. Submount maps referenced in a map that is not the auto.master map now follow the standard submount format, with the correct <key>, <origin> (-fstype=autofs), and <mapname> (ldap:$MAP_NAME). The autofs client software is now able to correctly process submount maps both in auto.master and in other maps, and mount them.
- BZ#785756
- Prior to this update, the Identity Management user plug-in used a hard-coded default value for the user's home directory instead of using the configured value. When an administrator changed the default user home directory in the Identity Management config plug-in from the default value to a custom value, this value was not honored when a user was added. This update fixes this bug, and when a new user is created without a custom home directory specified via a special option, the configured default home directory is used.
- BZ#797274
- The Identity Management certificate template did not include a subjectKeyIdentifier field even though it is marked with the SHOULD keyword in the RFC 3280 document. Because of this, certain applications processing these certificates could report errors. With this update, the certificate template for both current and new IPA server installations now contains the subjectKeyIdentifier field.
- BZ#797562
- Identity Management host and DNS plug-ins did not properly process hostnames or DNS zone names with a trailing dot. Consequently, the created host record FQDN attribute contained two values instead of one normalized value. This may have caused issues in further host record processing. With this update, all hostnames are normalized using a format without a trailing dot. The Identity Management DNS plug-in now accepts DNS zone names in both formats — with and without a trailing dot.
- BZ#797565
- Previously, CSVs were split in both CLI and server part of Identity Management processing. As a result, values which contained escaped comma characters were incorrectly split for the second time. With this update, CSV processing is done only in the client interface. Identity Management RPC interfaces (both XML-RPC and JSON-RPC) no longer process CSVs. Comma escaping was also replaced with quoting.
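The bug above is a classic layering error: once the client has consumed the escape characters, the server's second split has no way to tell a separator from a literal comma. The following added example (not Identity Management code) reproduces the old escape-then-double-split pipeline beside the corrected approach of a single quoted split, using a constructed attribute list in which one value legitimately contains a comma.

```python
"""Splitting comma-separated option values once, with quoting.

Added illustration, not Identity Management code. Contrasts the old pipeline
(backslash escaping, split on the client, split again on the server) with a
single standard-CSV split performed only on the client.
"""
import csv
import io
from typing import List


def split_escaped(value: str) -> List[str]:
    """Old-style split: a comma preceded by a backslash is literal."""
    fields, current, escaped = [], [], False
    for ch in value:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def old_pipeline(raw: str) -> List[str]:
    """Client splits, then the server splits each piece again.

    The first split consumes the backslashes, so a field that legitimately
    contained a comma is unprotected when the server splits it a second time.
    """
    client_side = split_escaped(raw)
    server_side: List[str] = []
    for piece in client_side:
        server_side.extend(split_escaped(piece))
    return server_side


def split_quoted(value: str) -> List[str]:
    """New-style split: standard CSV quoting, performed exactly once."""
    return next(csv.reader(io.StringIO(value), skipinitialspace=True))


# Constructed sample: an attribute list where one entry carries a comma.
OLD_STYLE_INPUT = r"cn,description,title\, office"
NEW_STYLE_INPUT = 'cn,description,"title, office"'

if __name__ == "__main__":
    print("client split only:", split_escaped(OLD_STYLE_INPUT))
    print("double split     :", old_pipeline(OLD_STYLE_INPUT))
    print("quoted, once     :", split_quoted(NEW_STYLE_INPUT))
```

The practical rule it illustrates: parse a wire format in exactly one place, and have the RPC layer carry already-structured values (lists) rather than strings that a second component is tempted to re-parse.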
- BZ#797566
- The Identity Management server uninstall process removed system users that were added as a part of an Identity Management installation. This included the dirsrv or pkiuser users, which the Directory Server uses to run its instances. These users also own log files produced by the Directory Server. If an Identity Management server was installed again, and the newly added system users' UIDs changed, the Directory Server could fail to start because the Directory Server instance was not permitted to write to the log files owned by the old system users with different UIDs. With this update, system users generated by an Identity Management server installation are no longer removed during the uninstall process.
- BZ#747693
- Identity Management plug-ins for LDAP ACI management (permission, selfservice, and delegation plug-ins) did not process their options in a robust way and had relaxed validation of passed values. ACI management plug-ins could return Internal Errors when empty options or the --raw option were passed. An Internal Error was also returned when an invalid attribute was passed to the ACI attribute list option. Option processing is now more robust and more strict in validation. Proper errors are now returned when invalid or empty option values are passed.
- BZ#746805
- Objects which have an enabled/disabled state (that is, user accounts, sudo rules, HBAC rules, SELinux policies) were not distinguished in related search pages in the Web UI. Lines containing disabled objects are now grayed out in the search pages, and enabled columns have a different icon for each state.
- BZ#802912
- An Identity Management certificate did not read a custom user certificate subject base when validating a new certificate issuer. When an Identity Management server is installed with a custom subject base, and does not use the default subject base, issuing new certificates in the Identity Management Certificate Authority may return invalid issuer errors. With this update, a custom user certificate subject base is always read before the certificate issuer is validated, and the aforementioned errors are no longer returned when certificates are issued.
- BZ#803050
- Clicking Cancel in an error dialog in the Web UI when an unexpected error, such as an internal server error, was received made the Web UI unusable because the error message replaced the page content. With this update, error messages have their own containers, which fixes the aforementioned issue.
- BZ#803836
- Identity Management did not configure its Directory Server instance to always keep its RootDSE available anonymously and decrypted. As a consequence, when a user changed the nsslapd-minssf attribute in the Directory Server instance configuration to increase security demands on the connection to the instance, some applications (for example, SSSD) may have stopped working as they could no longer read RootDSE anonymously. To fix this issue, Identity Management now sets the nsslapd-minssf-exclude-rootdse option in the Directory Server instance configuration. Users and applications can access RootDSE in an Identity Management Directory Server instance anonymously even when the instance is configured with increased security demands on incoming connections.
- BZ#807366
- Previously, the Netgroup page in the Web UI did not have input fields for specifying all options. With this update, the entire Netgroup page has been redesigned to add this functionality.
- BZ#688765
- Identity Management DNS plug-in did not validate the contents of DNS records. Some DNS record types (for example, MX, LOC, or SRV) have a complex data structure which needs to be stored, otherwise the record is not resolvable. Relaxed DNS plug-in validation let users create invalid records which then could not be resolved even though they were stored in LDAP. With this update, every DNS record type (except the experimental A6 DNS record type) is now validated with respect to a relevant RFC document. The validation covers most common user errors and also provides the user with guidance on why the entered record is invalid. Users are also able to create more complex DNS records without detailed knowledge of their structure as the improved DNS plug-in interface provides guidance when creating DNS records. Also, the DNS plug-in does not let users enter invalid records any more.
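Two of the fixes in this list (BZ#797562, trailing-dot normalization of host and zone names, and BZ#688765, structural validation of DNS records before they are stored) share the same defensive idea: canonicalize and validate at the boundary so that LDAP never holds a record the resolver cannot serve. The following added example (not the Identity Management DNS plug-in's code) implements both for two record types, MX (RFC 1035) and SRV (RFC 2782); the record data and hostnames are constructed sample input, and the hostname rules follow the common letter-digit-hyphen label convention rather than every corner of the relevant RFCs.

```python
"""Normalizing hostnames and validating structured DNS records before storage.

Added illustration, not Identity Management code. Only MX and SRV are covered.
"""
import re
from typing import Dict, List, Tuple

_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_hostname(name: str) -> str:
    """Lowercase, strip one trailing dot, and validate each label.

    Accepts "host.example.com" and "host.example.com." alike and returns the
    single stored form, so an entry never ends up with two FQDN values.
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        raise ValueError(f"invalid hostname length: {name!r}")
    for label in name.split("."):
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return name


def _uint16(text: str, what: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"{what} must be an integer in 0..65535, got {text!r}")
    return int(text)


def validate_mx(rdata: str) -> Dict[str, object]:
    """MX rdata: <preference> <exchange>"""
    parts = rdata.split()
    if len(parts) != 2:
        raise ValueError("MX record needs exactly 2 fields: preference exchange")
    return {"preference": _uint16(parts[0], "preference"),
            "exchange": normalize_hostname(parts[1])}


def validate_srv(rdata: str) -> Dict[str, object]:
    """SRV rdata: <priority> <weight> <port> <target>"""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("SRV record needs exactly 4 fields: priority weight port target")
    return {"priority": _uint16(parts[0], "priority"),
            "weight": _uint16(parts[1], "weight"),
            "port": _uint16(parts[2], "port"),
            "target": normalize_hostname(parts[3])}


VALIDATORS = {"MX": validate_mx, "SRV": validate_srv}


def validate_record(rtype: str, rdata: str) -> Dict[str, object]:
    """Dispatch on record type; unknown types are rejected rather than stored."""
    validator = VALIDATORS.get(rtype.upper())
    if validator is None:
        raise ValueError(f"unsupported record type {rtype!r}")
    return validator(rdata)


def check_records(records: List[Tuple[str, str]]) -> List[str]:
    """Return one verdict line per (type, rdata) pair, with the reason on failure."""
    verdicts = []
    for rtype, rdata in records:
        try:
            validate_record(rtype, rdata)
            verdicts.append(f"OK   {rtype} {rdata}")
        except ValueError as exc:
            verdicts.append(f"FAIL {rtype} {rdata}: {exc}")
    return verdicts


# Constructed sample input, as an administrator might type it.
SAMPLE_RECORDS = [
    ("MX", "10 mail.example.com."),
    ("MX", "mail.example.com"),                  # preference missing
    ("SRV", "0 100 389 ldap.example.com."),
    ("SRV", "0 100 99999 ldap.example.com."),    # port out of range
]

if __name__ == "__main__":
    print(normalize_hostname("Host.Example.COM."))
    for line in check_records(SAMPLE_RECORDS):
        print(line)
```

The verdict text doubles as the guidance the note mentions: a rejected record names the field and the range it violated, so the user can correct it instead of discovering an unresolvable name later.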
Enhancements
- BZ#759501
- When the number of failed login attempts exceeds the configured maximum, the account is locked. However, investigating the lock-out status of a particular user was difficult because the number of failed login attempts was not replicated. Identity Management now includes a new ipa user-status command that reports the number of failed login attempts on all configured replicas along with the time of the last successful or failed login attempt.
- BZ#766181
- When a new user is added, a User Private Group (UPG) is created and assigned as that user's primary group by default. However, there may be use cases when an administrator wants to use a common group assigned as a primary group for all users. The Directory Server plug-in that handles the creation of UPGs can now be disabled with a new utility — ipa-managed-entries. This utility lets administrators disable automatic creation of UPGs, and allows all new users to share a common group as their primary group.
- BZ#767725
- When an Identity Management server is configured with DNS support, DNS zone dynamic update policy allows Identity Management clients to update a relevant DNS forward record if the client IP address changes. However, for security reasons, clients cannot be allowed to update their reverse records because they would be able to change any record in the reverse zone. With this update, an Identity Management DNS zone can be configured to allow automatic updates of client reverse records when the forward record is updated with the new IP address. As a result, both forward and reverse records for a client machine can be updated when the client IP address changes.
- BZ#772044
- The Identity Management host plug-in did not allow storing of machine MAC addresses. Administrators could not assign MAC addresses to host entries in Identity Management. With this update, a new attribute for MAC addresses was added to the Identity Management host plug-in. Administrators can now assign a MAC address to a host entry. The value can then be read from the Identity Management LDAP server with, for example, the following command:
~]$ getent ethers <hostname>
- BZ#772301
- When a forward DNS record was created, no corresponding reverse record was created even when both the forward and the reverse zone were managed by Identity Management. Users always had to create both the forward and the reverse records manually. With this update, both CLI and Web UI now have the option to automatically create a reverse record when an IPv4 or IPv6 forward record is created.
- BZ#807361
- Prior to this update, all DNS records in an Identity Management Directory Server instance were publicly accessible. With a publicly accessible DNS tree in the Directory Server instance, anyone with access to the server could acquire all DNS data, an operation that is normally restricted by access control rules. It is a common security practice to keep this information restricted to a selected group of users. Therefore, with this update, the entire LDAP tree with DNS records is now accessible only to the LDAP driver which feeds the data to the name server, to admin users, and to users with a new permission called Read DNS Entries. As a result, only permitted users can access all DNS records in Identity Management Directory Server instances.
- BZ#753483
- The Identity Management server did not allow the creation of DNS zones with conditional forwarding, which lets the name server forward all zone requests to a custom forwarder. With this update, the Identity Management DNS plug-in allows users to create a DNS zone and set a conditional forwarder and a forwarding policy for that zone.
- BZ#803822
- Support for SSH public key management was added to Identity Management server; OpenSSH on Identity Management clients is automatically configured to use the public keys stored on the Identity Management server. This feature is a Technology Preview.
- BZ#745968
- The DNS page in the Web UI did not allow navigation from A or AAAA records to the related PTR records. This update adds a link which points to a related PTR record if it exists.
5.111. ipmitool
Bug Fix
- BZ#907926
- Previously, enabling the "ipmi" and "link" keys in user access information using the ipmitool utility did not work properly. Consequently, the values of these settings were not taken into account. A patch has been provided that ensures the values of these settings are read and processed as expected.
Bug Fix
- BZ#828678
- In the previous ipmitool package update, the new options "-R" and "-N" were added to adjust the retransmission rate of outgoing IPMI requests over the lan and lanplus interfaces. The implementation of these options set a wrong default value for the retransmission timeout, so outgoing requests timed out prematurely. In addition, in some corner cases, ipmitool could have terminated unexpectedly with a segmentation fault when the timeout occurred. This update fixes the default timeout value, and ipmitool without the "-N" option now retransmits outgoing IPMI requests as in previous versions.
Bug Fixes
- BZ#715615
- Previously, the exit code of the "ipmitool -o list" command was set incorrectly so that the command always returned 1. This update modifies ipmitool to return the exit code 0 as expected.
- BZ#725993
- The "ipmitool sol payload" and "ipmitool sel" commands previously accepted incorrect argument values, which caused the ipmitool utility to terminate unexpectedly with a segmentation fault. With this update, argument values of these commands are now validated, and ipmitool no longer crashes but generates an error message when used with incorrect arguments.
Enhancements
- BZ#748073
- Previously, ipmitool could not be used to set retransmission intervals of IPMI messages over the LAN or lanplus interface. This update introduces new options, "-R" and "-N", which can be used to specify the number of retransmissions and the delay between them (in seconds) when transferring IPMI messages using the LAN or lanplus interfaces.
- BZ#739358
- The "ipmitool delloem" command has been updated to the latest upstream version, which includes the new "vFlash" command for showing information about extended SD cards. This patch also updates the documentation of the "ipmitool delloem" commands, improves error descriptions and adds support for new hardware.
5.112. iproute
Bug Fixes
- BZ#730627
- The ip6tunnel mode command passed a zeroed parameter structure to the kernel, which attempted to change all tunnel parameters to zero and failed. Consequently, users could not change ip6tunnel parameters. With this update, the ip6tunnel code has been changed so that it updates only the changed parameters. As a result, it is now possible for users to adjust ip6tunnel parameters as expected.
- BZ#736106
- The lnstat utility used an incorrect file descriptor for its dump output. Consequently, the lnstat utility printed its dump output to stderr rather than to stdout. The code has been fixed and lnstat now prints its dump output to stdout.
Enhancements
- BZ#748767
- The tc utility (a traffic control tool) has been enhanced to allow users to work with the Multi-queue priority (MQPRIO) queueing discipline (qdisc). With the MQPRIO qdisc, QoS scheduling can be offloaded to NICs that support hardware QoS schedulers. As a result, it is now possible for users to monitor traffic classes, gather statistics, and set the socket-buffer (SKB) priority and the socket-priority-to-traffic-class mapping.
- BZ#788120
- The tc utility has been updated to work with Quick Fair Queueing (QFQ) kernel features. Users can now take advantage of the new QFQ-traffic scheduler from user space.
- BZ#812779
- This update adds support for multiple multicast routing tables.
5.113. iprutils
Bug Fix
- BZ#849556
- Previously, a buffer overflow bug caused the iprconfig utility to terminate unexpectedly with a segmentation fault when displaying detailed information of a disk device. A patch has been provided to address this issue and iprconfig no longer crashes in the described scenario.
5.114. iptraf
Bug Fix
- BZ#682350
- Prior to this update, interface names were checked by IPTraf against a whitelist of names to determine whether an interface was supported. Network devices can have arbitrary names and due to the changes for "Consistent Network Device Naming", the interface names will change to location-based names. Consequently, IPTraf could reject certain interface names. This update removes the interface name check and as a result IPTraf always accepts device names.
5.115. ipvsadm
Bug Fix
- BZ#788529
- Prior to this update, the ipvsadm utility did not correctly handle out-of-order messages from the kernel concerning the sync daemon. As a consequence, the "ipvsadm --list --daemon" command did not always output the status of the sync daemon. With this update, the ordering of messages from the kernel no longer influences the output, and the command always returns the sync daemon status.
5.116. irqbalance
Bug Fix
- BZ#845374
- The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance had problems classifying certain NIC devices, which resulted in a performance impact on affected systems. With this update, the NIC classification mechanism has been updated to work with all types of NICs.
Bug Fix
- BZ#682211
- The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems using biosdevname NIC naming did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, and so ensures a better interrupts distribution.
5.117. irssi
Bug Fixes
- BZ#639258
- Prior to this update, when the user attempted to use the "/unload" command to unload a static module, Irssi incorrectly marked this module as unavailable, rendering the user unable to load this module again without restarting the client. This update adapts the underlying source code to ensure that only dynamic modules can be unloaded.
- BZ#845047
- The previous version of the irssi(1) manual page documented "--usage" as a valid command line option. This was incorrect, because Irssi no longer supports this option and an attempt to use it causes it to fail with an error. With this update, the manual page has been corrected and no longer documents unsupported command line options.
5.118. iscsi-initiator-utils
Bug Fixes
- BZ#738192
- The iscsistart utility used hard-coded values for its settings. Consequently, when dm-multipath was in use, it could take several minutes before a path failure was detected and path failover took place. With this update, the iscsistart utility has been modified to process settings provided on the command line.
- BZ#739049
- The iSCSI README file incorrectly listed the --info option as the option to display iscsiadm iSCSI information. The README has been corrected and it now states correctly that you need to use the "-P 1" argument to obtain such information.
- BZ#739843
- The iSCSI discovery process via a TOE (TCP Offload Engine) interface failed if the "iscsiadm -m iface" command had not been executed. This happened because the "iscsiadm -m" discovery command did not check interface settings. With this update, the iscsiadm tool creates the default ifaces settings when first used and the problem no longer occurs.
- BZ#796574
- If the port number was passed with a non-fully-qualified hostname to the iscsiadm tool, the tool created records with the port being part of the hostname. Consequently, the login or discovery operation failed because iscsiadm was not able to find the record. With this update, the iscsiadm portal parser has been modified to separate the port from the hostname. As a result, the port is parsed and processed correctly.
Enhancement
- BZ#790609
- The iscsiadm tool has been updated to support the ping command on QLogic iSCSI offload cards and to manage the CHAP (Challenge-Handshake Authentication Protocol) entries on the host.
5.119. jakarta-commons-httpclient
Security Fix
- CVE-2012-5783
- The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
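The check whose absence CVE-2012-5783 describes, as an added example that is not the HttpClient project's code: given a certificate that the trust chain has already accepted, confirm that it actually names the host the client intended to reach. The matching rules (subjectAltName dNSName entries first, subject CN only as a fallback when no dNSName is present, a wildcard only as the whole leftmost label) follow RFC 6125; the certificate dicts use the layout Python's ssl.SSLSocket.getpeercert() returns, and the certificates themselves are constructed for the illustration.

```python
"""Added example (not HttpClient code): server hostname verification against
the names in an X.509 certificate, the step CVE-2012-5783 says was skipped."""


class HostnameMismatch(Exception):
    pass


def _match_dns_pattern(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a '*' standing for the whole
    leftmost label. A wildcard never spans a label boundary and never matches
    the registered domain itself ('*.example.com' does not match 'example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial ('f*') or non-leftmost wildcards are refused
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # '*.com' is too broad; label counts must agree
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Raise HostnameMismatch unless `hostname` is named by `cert`.
    dNSName SAN entries take precedence; the subject CN is consulted only when
    the certificate carries no dNSName at all (RFC 6125 section 6.4.4)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    for name in dns_names:
        if _match_dns_pattern(name, hostname):
            return
    raise HostnameMismatch("hostname %r does not match certificate names %r"
                           % (hostname, dns_names))


def hostname_matches(cert, hostname):
    """Boolean form of match_hostname for callers that prefer a verdict."""
    try:
        match_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


# Constructed sample: a certificate legitimately issued to an attacker's host.
# A CA-valid chain alone says nothing about which host it belongs to, which is
# exactly what the vulnerable client relied on.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}

# Constructed sample: the intended server's certificate, with a wildcard SAN.
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.api.bank.example")),
}

if __name__ == "__main__":
    for cert, host in ((BANK_CERT, "www.bank.example"),
                       (BANK_CERT, "v1.api.bank.example"),
                       (ATTACKER_CERT, "www.bank.example")):
        print(host, "->", "accepted" if hostname_matches(cert, host) else "rejected")
```

In a real Python client this check is performed by the SSLContext when check_hostname is enabled; the example spells the rules out so that the failure mode in the advisory (any valid certificate accepted for any host) is visible next to the correct behaviour.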
5.120. java-1.5.0-ibm
Security Fix
- CVE-2012-1531, CVE-2012-3143, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5069, CVE-2012-5071, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1725
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
5.121. java-1.6.0-ibm
Security Fix
- CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1682, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-0551, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
5.122. java-1.6.0-openjdk
Security Fixes
- CVE-2012-5086, CVE-2012-5084, CVE-2012-5089
- Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072
- Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- CVE-2012-5079
- It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
- CVE-2012-5081
- It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
- CVE-2012-5075
- It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
- CVE-2012-4416
- A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
- CVE-2012-5077
- It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
- CVE-2012-3216
- It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
- CVE-2012-5085
- This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
Security Fixes
- CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428
- Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2013-1478, CVE-2013-1480
- Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
- CVE-2013-0432
- A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.
- CVE-2013-0435
- The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted.
- CVE-2013-0427, CVE-2013-0433, CVE-2013-0434
- Multiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- CVE-2013-0424
- It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
- CVE-2013-0440
- It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
- CVE-2013-0443
- It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack.
Security Fixes
- CVE-2012-1682
- It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.
- CVE-2012-0547
- A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
Security Fixes
- CVE-2013-1486
- An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
- CVE-2013-0169
- It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
Bug Fixes
- BZ#751203
- Previously, after updating OpenJDK to java-1.6.0-openjdk-1.6.0.0-1.40.1.9.10.el6_1, the Java Remote Object Registry (rmiregistry) started only if run with the java.rmi.server.codebase argument, otherwise the registry start failed. This update fixes the regression and the registry can be started without the argument as expected.
- BZ#767537
- Channel binding for the Kerberos protocol was implemented incorrectly and OpenJDK did not process Kerberos GSS (Generic Security Services) contexts which did not have incoming channel binding. This resulted in interoperability problems with Internet Explorer on Windows Server 2008. With this update, OpenJDK handles unset channel binding correctly and processes Kerberos GSS contexts as expected.
- BZ#804632
- The SystemTap script translator (stap) run with jstack() systemtap support could terminate with an error similar to the following:
ERROR: kernel read fault at 0x0000000000000018 (addr) near identifier '@cast' at /usr/share/systemtap/tapset/x86_64/jstack.stp:362:29
This update improves the jstack code, including, for example, the constant definition and error handling, and the stap script with jstack now works more reliably.
- BZ#805936, BZ#807324
- This update fixes multiple problems that occurred when using signed jar files.
Enhancement
- BZ#751410
- Support for huge pages was added.
5.123. java-1.6.0-sun
Security Fix
- CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446, CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481
- This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page.
Security Fix
- CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089
- This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages.
5.124. java-1.7.0-ibm
Security Fix
- CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1718, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4820, CVE-2012-4821, CVE-2012-4822, CVE-2012-4823, CVE-2012-5067, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
Security Fix
- CVE-2012-0547, CVE-2012-0551, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725, CVE-2012-1726, CVE-2012-3136, CVE-2012-4681
- This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
5.125. java-1.7.0-openjdk
Security Fixes
- CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0444
- Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2013-1478, CVE-2013-1480
- Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
- CVE-2013-0432
- A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.
- CVE-2013-0435
- The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted.
- CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434
- Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- CVE-2013-0424
- It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
- CVE-2013-0440
- It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
- CVE-2013-0443
- It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack.
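The Diffie-Hellman public-key validation referred to by CVE-2013-0443, both here and in the identical java-1.6.0-openjdk entry above, as an added example that is not JSSE code: before a received public value is used, confirm it lies in the intended prime-order subgroup. The two checks (2 <= y <= p-2, and y^q = 1 mod p) are the full public-key validation of NIST SP 800-56A; the toy group, private exponents and sample values are constructed so the script runs instantly, whereas real TLS groups use 2048-bit or larger primes.

```python
"""Added example (not JSSE code): the Diffie-Hellman public-key checks whose
absence CVE-2013-0443 describes, for a prime-order subgroup of Z_p^*."""


class InvalidDHPublicKey(ValueError):
    pass


def validate_dh_public_key(y, p, q):
    """Full public-key validation (NIST SP 800-56A rev. 3, section 5.6.2.3.1):
    2 <= y <= p-2 and y^q == 1 mod p, i.e. y lies in the order-q subgroup.
    Values of small order (1, p-1, or members of some other subgroup) are
    rejected; accepting them is what enables a small-subgroup attack, because
    the resulting shared secret then takes only a handful of values and reveals
    the victim's secret exponent modulo that small order."""
    if not (2 <= y <= p - 2):
        raise InvalidDHPublicKey("public value outside [2, p-2]")
    if pow(y, q, p) != 1:
        raise InvalidDHPublicKey("public value is not in the order-q subgroup")
    return True


def is_valid_dh_public_key(y, p, q):
    """Boolean form of validate_dh_public_key."""
    try:
        return validate_dh_public_key(y, p, q)
    except InvalidDHPublicKey:
        return False


def dh_shared_secret(peer_public, own_private, p, q):
    """Validate the peer's value before exponentiating with our secret, as a
    TLS endpoint must do for every DH/DHE handshake."""
    validate_dh_public_key(peer_public, p, q)
    return pow(peer_public, own_private, p)


# Toy parameters (constructed): safe prime p = 2q + 1 with q prime, and a
# generator g of the order-q subgroup (g = 4 is a quadratic residue mod 23).
P, Q, G = 23, 11, 4

if __name__ == "__main__":
    a, b = 6, 9                       # constructed private exponents
    A, B = pow(G, a, P), pow(G, b, P)  # A = 2, B = 13
    print("shared secret agrees:",
          dh_shared_secret(B, a, P, Q) == dh_shared_secret(A, b, P, Q))
    for bad in (0, 1, P - 1, 5):      # 5 has order 22 mod 23, not 11
        print("peer value", bad, "->", is_valid_dh_public_key(bad, P, Q))
```

For a safe-prime group q is (p-1)/2; for the RFC 7919 finite-field groups q is published alongside p, and the same y^q check applies. Rejecting the value before it is used also avoids the separate leak of computing a shared secret that a peer can predict.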
Security Fixes
- CVE-2013-1486, CVE-2013-1484
- Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2013-1485
- An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
- CVE-2013-0169
- It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
Security Fixes
- CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5084, CVE-2012-5089
- Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2012-5076, CVE-2012-5074
- The default Java security properties configuration did not restrict access to certain com.sun.org.glassfish packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted.
- CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072
- Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- CVE-2012-5079
- It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
- CVE-2012-5081
- It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
- CVE-2012-5070, CVE-2012-5075
- It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use these flaws to disclose sensitive information.
- CVE-2012-4416
- A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
- CVE-2012-5077
- It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
- CVE-2012-3216
- It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
- CVE-2012-5085
- This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
Bug Fix
- BZ#880352
- Previously, the Krb5LoginModule config class did not return a proper KDC list when krb5.conf file contained the "dns_lookup_kdc = true" property setting. With this update, a correct KDC list is returned under these circumstances.
Security Fix
- CVE-2012-3174, CVE-2013-0422
- Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Security Fixes
- CVE-2012-4681, CVE-2012-1682, CVE-2012-3136
- Multiple improper permission check issues were discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
- CVE-2012-0547
- A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
5.126. java-1.7.0-oracle
Security Fix
- CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449, CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1479, CVE-2013-1480, CVE-2013-1489
- This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page.
Security Fix
- CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, CVE-2012-0547
- This update fixes several vulnerabilities in the Oracle Java 7 Runtime Environment and the Oracle Java 7 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Security Alert page.
Security Fix
- CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5067, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
- This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page.
Security Fix
- CVE-2012-3174, CVE-2013-0422
- This update fixes two vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Security Alert page.
5.127. jss
5.127.1. RHBA-2012:0920 — jss bug fix update
Bug Fixes
- BZ#767768
- During the key archival process, the DRM (Data Recovery Manager) decrypted users' private keys and then re-encrypted them for storage. The reverse process took place during key recovery; therefore, the private key was not processed in a token at all times, as the decrypted private key was present in DRM memory between decryption and re-encryption. This update adds secure PKCS #12 and PKCS #5 v2.0 support, support for wrapping and unwrapping private keys in their token, and secure private key handling for TMS (Token Management System) key recovery to Red Hat Certificate System 8.1. As a result, key archival operations now happen in the token.
- BZ#767771
- The "kra.storageUnit.hardware" configuration parameter did not exist in the DRM's CS.cfg file after an upgrade. Consequently, if the "kra.storageUnit.hardware" parameter was defined, recovery operations failed and the server returned the following error message:
PKCS #12 Creation Failed java.lang.IllegalArgumentException: bagType or bagContent is null
This update modifies the jss, pki-kra, and pki-common components so that the "kra.storageUnit.hardware" configuration parameter is processed correctly. As a result, the key archival and recovery process is successful on in-place upgraded and migrated instances.
- BZ#767773
- Previously, JSS was using the HSM (Hardware Security Module) token name as the manufacturer ID. If the HSM token name differed from the manufacturer ID, key archival and recovery failed. This update adds logic to JSS so that it can recognize the currently supported HSMs: nCipher and SafeNet. Key archival and recovery in TMS and non-TMS Common Criteria environments now work as expected.
5.128. kabi-whitelists
Enhancements
- BZ#722619
- Multiple symbols have been added to the Red Hat Enterprise Linux 6.3 kernel application binary interface (ABI) whitelists.
- BZ#737276
- Multiple symbols for Hitachi loadable device drivers have been added to the kernel ABI whitelists.
- BZ#753771
- This update modifies the structure of the kabi-whitelists package: whitelists are now ordered according to various Red Hat Enterprise Linux releases, and a symbolic link that points to the latest release has been added.
- BZ#803885
- The "__dec_zone_page_state" and "dec_zone_page_state" symbols have been added to the kernel ABI whitelists.
- BZ#810456
- The "blk_queue_rq_timed_out", "fc_attach_transport", "fc_release_transport", "fc_remote_port_add", "fc_remote_port_delete", "fc_remote_port_rolechg", "fc_remove_host", and "touch_nmi_watchdog" symbols have been added to the kernel ABI whitelists.
- BZ#812463
- Multiple symbols for Oracle Cloud File System have been added to the kernel ABI whitelists.
- BZ#816533
- The "get_fs_type" and "vscnprintf" symbols have been added to the kernel ABI whitelists.
5.129. kdeartwork
Bug Fix
- BZ#736624
- Previously, the KPendulum and KRotation screen savers, listed in the OpenGL group of KDE screen savers, produced only a blank screen. This update disables KPendulum and KRotation, and neither of them is listed in the OpenGL group anymore.
5.130. kdebase
Bug Fixes
- BZ#608007
- Prior to this update, the Konsole context menu item "Show menu bar" was always checked in new windows even if this menu item was disabled before. This update modifies the underlying code to handle the menu item "Show menu bar" as expected.
- BZ#729307
- Prior to this update, users could not define a default size for xterm windows when using the Konsole terminal in KDE. This update modifies the underlying code and adds the functionality to define a default size.
5.131. kdebase-workspace
Bug Fix
- BZ#749460
- Prior to this update, the task manager did not honor the order of manually arranged items. As a consequence, manually arranged taskbar entries were randomly rearranged when the user switched desktops. This update modifies the underlying code to make manually arranged items more persistent.
Bug Fix
- BZ#724960
- Previously, the kdebase-workspace package relied on the bluez-libs-devel package for rebuilds. However, bluez-libs-devel was not supported on IBM System z architectures, and builds could be created only with the help of the fake-build-provides package, which is not the desired behavior. With this update, the bluez-libs-devel package is no longer required as a dependency on the IBM System z architecture, and rebuilds are successful.
5.132. kdelibs3
Bug Fixes
- BZ#681901
- Prior to this update, the kdelibs3 libraries caused a conflict for the subversion version control tool. As a consequence, subversion was not built correctly if the kdelibs3 libraries were installed. This update modifies the underlying code to avoid this conflict. Now, subversion builds as expected with kdelibs3.
- BZ#734447
- kdelibs3 provided its own set of trusted Certificate Authority (CA) certificates. This update makes kdelibs3 use the system set from the ca-certificates package, instead of its own copy.
5.133. kdelibs
Security Fixes
- CVE-2012-4512
- A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-4513
- A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory.
Bug Fixes
- BZ#587016
- Prior to this update, the KDE Print dialog did not remember previous settings, nor did it allow the user to save the settings. Consequent to this, when printing several documents, users were forced to manually change settings for each printed document. With this update, the KDE Print dialog retains previous settings as expected.
- BZ#682611
- When the system was configured to use the Traditional Chinese language (the zh_TW locale), Konqueror incorrectly used a Chinese (zh_CN) version of its splash page. This update ensures that Konqueror uses the correct locale.
- BZ#734734
- Previously, clicking the system tray to display hidden icons could cause the Plasma Workspaces to consume an excessive amount of CPU time. This update applies a patch that fixes this error.
- BZ#754161
- When using Konqueror to recursively copy files and directories, if one of the subdirectories was not accessible, no warning or error message was reported to the user. This update ensures that Konqueror displays a proper warning message in this scenario.
- BZ#826114
- Prior to this update, an attempt to add "Terminal Emulator" to the Main Toolbar caused Konqueror to terminate unexpectedly with a segmentation fault. With this update, the underlying source code has been corrected to prevent this error so that users can now use this functionality as expected.
Security Fixes
- CVE-2012-4512
- A heap-based buffer overflow flaw was found in the way the CSS (Cascading Style Sheets) parser in kdelibs parsed the location of the source for font faces. A web page containing malicious content could cause an application using kdelibs (such as Konqueror) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-4513
- A heap-based buffer over-read flaw was found in the way kdelibs calculated canvas dimensions for large images. A web page containing malicious content could cause an application using kdelibs to crash or disclose portions of its memory.
Bug Fix
- BZ#698286
- Previously, on big-endian architectures, including IBM System z, the Konqueror web browser could terminate unexpectedly or become unresponsive when loading certain web sites. A patch has been applied to address this issue, and Konqueror no longer crashes or hangs on the aforementioned architectures.
5.134. kdepim
Bug Fix
- BZ#811125
- Prior to this update, the cyrus-sasl-plain package was not a dependency of the kdepim package. As a consequence, Kmail failed to send mail. This update modifies the underlying code to include the cyrus-sasl-plain dependency.
5.135. kernel
Security Fixes
- CVE-2012-4508, Important
- A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file.
- CVE-2013-4299, Moderate
- An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.
- CVE-2013-2851, Low
- A format string flaw was found in the Linux kernel's block layer. A privileged, local user could potentially use this flaw to escalate their privileges to kernel level (ring0).
Bug Fixes
- BZ#1016105
- The crypto_larval_lookup() function could return a larval, an in-between state when a cryptographic algorithm is being registered, even if it did not create one. This could cause a larval to be terminated twice, and result in a kernel panic. This occurred for example when the NFS service was running in FIPS mode, and attempted to use the MD5 hashing algorithm even though FIPS mode has this algorithm blacklisted. A condition has been added to the crypto_larval_lookup() function to check whether a larval was created before returning it.
- BZ#1017505, BZ#1017506
- A previous change in the port auto-selection code allowed sharing of ports with no conflicts, extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already in use. A subsequent connection attempt then failed with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflicting port even with the SO_REUSEADDR option enabled.
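As an added illustration of the port auto-selection behavior this entry describes (example code written for this note, not Red Hat's or the kernel's code), the following C program opens a loopback listener on an ephemeral port and then binds client sockets with SO_REUSEADDR to port 0, checking that the kernel never hands a client the listener's port and that connect(2) does not fail with EADDRNOTAVAIL. It assumes a host where 127.0.0.1 is usable; the function name check_reuseaddr_autoselect() is an invented one, and the program is a simple regression check for the behavior described, not a reproduction of the exact conflict conditions of the original defect.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical check (not Red Hat or kernel code): bind a socket to
 * 127.0.0.1 port 0 so the kernel auto-selects an ephemeral port, then
 * read back the chosen address. Returns 0 or a negative errno value. */
static int bind_loopback_ephemeral(int fd, struct sockaddr_in *out)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                       /* let the kernel choose the port */
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0)
        return -errno;
    if (getsockname(fd, (struct sockaddr *)&a, &len) < 0)
        return -errno;
    *out = a;
    return 0;
}

/* Returns 0 when every auto-selected SO_REUSEADDR client port differed from
 * the listener's port and every connect(2) succeeded; otherwise a negative
 * errno value (-EADDRINUSE marks the collision the entry describes). */
int check_reuseaddr_autoselect(int iterations)
{
    struct sockaddr_in srv, cli;
    memset(&srv, 0, sizeof srv);
    memset(&cli, 0, sizeof cli);

    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -errno;
    int rc = bind_loopback_ephemeral(lfd, &srv);
    if (rc == 0 && listen(lfd, 16) < 0)
        rc = -errno;

    for (int i = 0; rc == 0 && i < iterations; i++) {
        int one = 1;
        int cfd = socket(AF_INET, SOCK_STREAM, 0);
        if (cfd < 0) {
            rc = -errno;
            break;
        }
        if (setsockopt(cfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
            rc = -errno;
        else
            rc = bind_loopback_ephemeral(cfd, &cli);
        if (rc == 0 && cli.sin_port == srv.sin_port)
            rc = -EADDRINUSE;             /* auto-selected a port already in use */
        if (rc == 0 && connect(cfd, (struct sockaddr *)&srv, sizeof srv) < 0)
            rc = -errno;                  /* EADDRNOTAVAIL was the visible symptom */
        if (rc == 0) {
            /* Drain the accept queue so the listener backlog never fills and
             * let the server side close first, keeping client ports out of
             * TIME_WAIT for the next iteration. */
            int afd = accept(lfd, NULL, NULL);
            if (afd >= 0)
                close(afd);
        }
        close(cfd);
    }
    close(lfd);
    return rc;
}

int main(void)
{
    int rc = check_reuseaddr_autoselect(32);
    if (rc == 0)
        puts("SO_REUSEADDR auto-selection: no port conflicts observed");
    else
        printf("check failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

On a kernel carrying the fix, the check completes with no collisions and no EADDRNOTAVAIL; a non-zero return names the errno that surfaced, which is the first thing to compare against the behavior this entry describes when triaging connection failures on an upgraded host.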
- BZ#1017903
- When the Audit subsystem was under heavy load, it could loop infinitely in the audit_log_start() function instead of failing over to the error recovery code. This could cause soft lockups in the kernel. With this update, the timeout condition in the audit_log_start() function has been modified to properly fail over when necessary.
- BZ#1020527
- Previously, power-limit notification interrupts were enabled by default on the system. This could lead to degraded system performance or even render the system unusable on certain platforms, such as Dell PowerEdge servers. A patch has been applied to disable power-limit notification interrupts by default, and a new kernel command line parameter, "int_pln_enable", has been added to allow users to observe these events using the existing system counters. Power-limit notification messages are also no longer displayed on the console. The affected platforms no longer suffer from degraded system performa