6.6 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.6
Chapter 1. Red Hat Enterprise Linux 6.6 International Languages
- East Asian Languages - Japanese, Korean, Simplified Chinese, and Traditional Chinese
- European Languages - English, German, Spanish, French, Portuguese Brazilian, and Russian,
- Indic Languages - Assamese, Bengali, Gujarati, Hindi, Kannada, Malayalam, Marathi, Oriya, Punjabi, Tamil, and Telugu
Table 1.1. Red Hat Enterprise Linux 6 International Languages
|China||Simplified Chinese||zh_CN.UTF-8||AR PL (ShanHeiSun and Zenkai) Uni||fonts-chinese, scim-pinyin, scim-tables|
|Japan||Japanese||ja_JP.UTF-8||Sazanami (Gothic and Mincho)||fonts-japanese, scim-anthy|
|Korea||Hangul||ko_KR.UTF-8||Baekmuk (Batang, Dotum, Gulim, Headline)||fonts-korean, scim-hangul|
|Taiwan||Traditional Chinese||zh_TW.UTF-8||AR PL (ShanHeiSun and Zenkai) Uni||fonts-chinese, scim-chewing, scim-tables|
|Brazil||Portuguese||pt_BR.UTF-8||standard latin fonts|
|France||French||ft_FR.UTF-8||standard latin fonts|
|Germany||German||de_DE.UTF-8||standard latin fonts|
|Italy||Italy||it_IT.UTF-8||standard latin fonts|
|Russia||Russian||ru_RU.UTF-8||KOI8-R, fonts-KOI8-R-100dpi, fonts-KOI8-R-75dpi and xorg-x11-fonts-cyrillic||fonts-KO18-R, fonts-KO18-R-100 dpi,fonts-KO18-R-75dpi, xorg-x11-fonts-cyrillic|
|Spain||Spanish||es_ES.UTF-8||standard latin fonts|
|India||Assamese||as_IN.UTF-8||Lohit Bengali||fonts-bengali, scim-m17n, m17n-db-assamese|
|Bengali||bn_IN.UTF-8||Lohit Bengali||fonts-bengali, scim-m17n, m17n-db-bengali|
|Gujarati||gu_IN.UTF-8||Lohit Gujarati||fonts-gujarati, scim-m17n, m17n-db-gujarati|
|Hindi||hi_IN.UTF-8||Lohit Hindi||fonts-hindi, scim-m17n, m17n-db-hindi|
|Kannada||kn_IN.UTF-8||Lohit Kannada||fonts-kannada, scim-m17n, m17n-db-kannada|
|Malayalam||ml_IN.UTF-8||Lohit Malayalam||fonts-malayalam, scim-m17n, m17n-db-malayalam|
|Marathi||mr_IN.UTF-8||Lohit Hindi||fonts-hindi, scim-m17n, m17n-db-marathi|
|Oriya||or_IN.UTF-8||Lohit Oriya||fonts-oriya, scim-m17n, m17n-db-oriya|
|Punjabi||pa_IN.UTF-8||Lohit Punjabi||fonts-punjabi, scim-m17n, m17n-db-punjabi|
|Tamil||ta_IN.UTF-8||Lohit Tamil||fonts-tamil, scim-m17n, m17n-db-tamil|
|Telugu||te_IN.UTF-8||Lohit Telugu||fonts-telugu, scim-m17n, m17n-db-telugu|
Chapter 2. Important Changes to External Kernel Parameters
sysfsdefault values, boot parameters, kernel configuration options, or any noticeable behavior changes.
- Using this parameter provides an estimate of how much memory is available for starting new applications without swapping. However, unlike the data provided by the Cache or Free fields, MemAvailable takes into account page cache and also that not all reclaimable slab will be reclaimable due to items being in use.
- This parameter allows the user to determine the specific number of kilobytes of physicial RAM that a committed address space is not permitted to exceed when the overcommit_memory parameter is set to "2". Therefore, overcommit_bytes works as the counterpart to the overcommit_ratio, and setting one automatically disables the other.
- Setting this parameter to a non-zero value will disable the reporting of new entries introduced to /proc/meminfo and the kernel will keep the legacy (2.6.32) layout when reporting data through that interface. Note that the default value is "1". This parameter is available to Red Hat Enterprise Linux 6 only, for reasons of retroactive compatibility.
- This parameter allows the kdump kernel to disable BSP during boot and then to successfully boot up with multiple processors. This resolves the problem of lack of available interrupt vectors for systems with a high number of devices and ensures that kdump can now successfully capture a core dump on these systems.
- Previously usable only for VGA hardware, this parameter now supports the "efi" value, which allows users to debug early booting issues on EFI hardware.
- By setting the value of this parameter to "on" or "off", the user can enable or disable the Error Detection and Correction (EDAC) module to report hardware events. It is also possible to make EDAC impossible to be overridden by a higher-priority module by using the "force" value. The default value of this parameter is "on".
- This parameter enables the user to turn off the support of large pages, using the "sp_off" value. By default, however, large pages are supported as long as the Intel input/output management unit (IOMMU) meets the requirements.
- Previously, NFSv4 clients could resume expired or lost file locks. Nevertheless, this sometimes resulted in file corruption if the file was modified in the meantime. Therefore, recovering these locks has been disabled, but can be enabled by changing the value of the above parameter from "0" to "1". Note, however, that doing so still carries a risk of data corruption.
Chapter 3. Device Drivers
bnx2idriver has been upgraded to version 220.127.116.11.
hpsadriver has been upgraded to version 3.4.4-1-RH1.
bfadriver has been upgraded to version 18.104.22.168.
mvsasdriver has been upgraded to the latest upstream version.
qla4xxxdriver has been upgraded to version 5.03.00.00.06.06-k0.
mpt2sasdriver has been upgraded to version 16.100.00.00.
qla2xxxdriver has been upgraded to version 8.07.00.08.06.6-k.
bnx2fcdriver has been upgraded to version 2.4.2.
lpfcdriver has been upgraded to version 10.2.8020.1.
- Device driver ID changes have been implemented for the
pm80xxdriver to support series 8 controllers.
- Configuration parameters have been updated for the
be2iscsidriver to support Dual Chute mode.
- The version string has been changed for the
megaraid_sasdriver has been upgraded to the latest upstream version. In addition, its changelog has been updated.
- The Brocade
BNAdriver has been updated to version 22.214.171.124.
qlcnicdriver has been updated to version 5.3.59.
- The Emulex
be2netdriver has been updated to version 10.2.
bnx2xdriver has been updated to utilize the version 7.8.19 firmware.
qlgedriver has been updated to version 1.00.00.34.
- A fix has been implemented for the
igbvfdriver to properly handle 32-bit DMA masks.
- A fix has been implemented for the
igbdriver to properly handle 32-bit DMA masks.
bnx2driver has been updated to version 2.2.4.
- All Mellanox
mlxdrivers have been updated to their latest upstream versions.
i40evfdriver has been updated to its latest upstream version.
i40edriver has been updated to its latest upstream version.
netxendriver has been updated to version 4.0.82.
enicdriver has been updated to support the Cisco low latency network interface controller.
ixbevfdriver has been updated to the latest upstream version.
ixbedriver has been updated to the latest upstream version.
tg3driver has been updated to version 3.137.
- Product naming has been updated for the
- The General Public License header and Copyright information have been updated for the
- A cache device mapper target has been added to the
cnicdriver has been updated to version 2.5.20. In addition, its copyright year has been updated.
sb_edachas been updated to support the Haswell microarchitecture-based systems.
- The InfiniBand
iserdriver has been updated to version 1.3.
- The InfiniBand
srpdriver has been updated to the latest upstream version. In addition, its release date information has been updated.
- The InfiniBand
qibdriver has been updated to support Direct Connect Architecture.
intel_pstatedriver has been updated to support Haswell CPU models.
rtsxdriver has been updated to support the Realtek RTL8411B Ethernet controller.
openvswitchdriver has been updated to support the Stream Control Transmission Protocol.
Direct Rendering Manager (DRM)module has been updated to version 3.14.2.
cnicdriver has been updated to version 2.5.20. In addition, its copyright year has been updated.
hid-multitouchmodule has been updated to the latest upstream version, adding the support for Windows 8-certified touchescreens.
- An update notifier for changes of Open Firmware device tree properties has been implemented into the
DRBGmodule has been implemented, introducing a SP800-90A Deterministic Random Bit Generator.
- Accelerated computation for the PCLMULQDQ instruction has been implemented into the
ccisdriver has been updated to the latest upstream version.
NVMedriver has been updated to include device and queue numbers in interrupt names.
- MCE decoding support has been expanded for the
Chapter 4. Technology Previews
4.1. Storage and File Systems
- dm-era Device Mapper
- The device-mapper-persistent-data package now provides tools to help use the new
dm-eradevice mapper functionality released as a Technology Preview. The
dm-erafunctionality keeps track of which blocks on a device were written within user-defined periods of time called an
era. This functionality allows backup software to track changed blocks or restore the coherency of a cache after reverting changes.
- dm-cache device-mapper Target
dm-cachedevice-mapper target, which allows fast storage devices to act as a cache for slower storage devices, has been added as a Technology Preview. See the lvmcache manual page for more information.
- Cross Realm Kerberos Trust Functionality for samba4 Libraries
- The Cross Realm Kerberos Trust functionality provided by Identity Management, which relies on the capabilities of the samba4 client library, is included as a Technology Preview starting with Red Hat Enterprise Linux 6.4. This functionality uses the libndr-nbt library to prepare Connection-less Lightweight Directory Access Protocol (CLDAP) messages.Package: samba-3.6.9-164
- System Information Gatherer and Reporter (SIGAR)
- The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.4 and later, SIGAR is considered a Technology Preview package.Package: sigar-1.6.5-0.4.git58097d9
- DIF/DIX support
- DIF/DIX, is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue
O_DIRECTI/O. These applications may use the raw block device, or the XFS file system in
O_DIRECTmode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use with
O_DIRECTI/O and DIF/DIX hardware should enable this feature.For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide.Package: kernel-2.6.32-431
- LVM Application Programming Interface (API)
- Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.Package: lvm2-2.02.100-8
- FS-Cache in Red Hat Enterprise Linux 6 enables networked file systems (for example, NFS) to have a persistent cache of data on the client machine.Package: cachefilesd-0.10.2-1
- Mellanox SR-IOV Support
- Single Root I/O Virtualization (SR-IOV) is now supported as a Technology Preview in the Mellanox
libmlx4library and the following drivers:
- Open multicast ping (Omping), BZ#657370
- Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in the diagnosing if an issues is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6 Omping is provided as a Technology Preview.Package: omping-0.0.4-1
- QFQ queuing discipline
- In Red Hat Enterprise Linux 6, the tc utility has been updated to work with the Quick Fair Scheduler (QFQ) kernel features. Users can now take advantage of the new QFQ traffic queuing discipline from userspace. This feature is considered a Technology Preview.Package: kernel-2.6.32-431
- vios-proxy, BZ#721119
- vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.Package: vios-proxy-0.2-1
4.3. Clustering and High Availability
- luci support for fence_sanlock
- The luci tool now supports the sanlock fence agent as a Technology Preview. The agent is available in the luci's list of agents.Package: luci-0.26.0-48
- Recovering a node via a hardware watchdog device
- New fence_sanlock agent and checkquorum.wdmd, included in Red Hat Enterprise Linux 6.4 as a Technology Preview, provide new mechanisms to trigger the recovery of a node via a hardware watchdog device. Tutorials on how to enable this Technology Preview will be available at https://fedorahosted.org/cluster/wiki/HomePageNote that SELinux in enforcing mode is currently not supported.Package: cluster-126.96.36.199-59
- Apache Modules for External Authentication
- A set of Apache modules has been added to Red Hat Enterprise Linux 6.6 as a Technology Preview. The
mod_lookup_identityApache modules in the respective packages can be used by Web applications to achieve tighter interaction with external authentication and identity sources, such as Identity Management in Red Hat Enterprise Linux.
- Simultaneous maintaining of TGTs for multiple KDCs
- Kerberos version 1.10 added a new cache storage type, DIR:, which allows Kerberos to maintain Ticket Granting Tickets (TGTs) for multiple Key Distribution Centers (KDCs) simultaneously and auto-select between them when negotiating with Kerberized resources. Red Hat Enterprise Linux 6.4 and later includes SSSD enhanced to allow the users to select the DIR: cache for users that are logging in via SSSD. This feature is introduced as a Technology Preview.Package: sssd-1.9.2-129
- TPM (Trusted Platform Module) hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The trousers and tpm-tools packages are considered a Technology Preview.Packages: trousers-0.3.4-4, tpm-tools-1.3.4-2
- mpt2sas lockless mode
mpt2sasdriver is fully supported. However, when used in the lockless mode, the driver is a Technology Preview.Package: kernel-2.6.32-431
- Kernel Media support
- The following features are presented as Technology Previews:
- The latest upstream video4linux
- Digital video broadcasting
- Primarily infrared remote control device support
- Various webcam support fixes and improvements
- Linux (NameSpace) Container [LXC]
- Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6 provides application level containers to separate and control the application resource usage policies via cgroups and namespaces. This release includes basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.Packages: libvirt-0.9.10-21, virt-manager-0.9.0-14
- Diagnostic pulse for the fence_ipmilan agent, BZ#655764
- A diagnostic pulse can now be issued on the IPMI interface using the
fence_ipmilanagent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for the
offoperation in a production cluster.Package: fence-agents-3.1.5-35
- Red Hat Enterprise Linux 6.6 Hosted as a Generation 2 Virtual Machine
- As a Technology Preview, Red Hat Enterprise Linux 6.6 can be used as a generation 2 virtual machine in the Microsoft Hyper-V Server 2012 R2 host. In addition to the functions supported in the previous generation, generation 2 provides new functions on a virtual machine; for example: boot from a SCSI virtual hard disk, and UEFI firmware support.
Chapter 5. Deprecated Functionality
- Btrfs file system
- B-tree file system (Btrfs) is considered deprecated for Red Hat Enterprise Linux 6. Btrfs was previously provided as a Technology Preview, available on AMD64 and Intel 64 architectures.
- eCryptfs file system
- eCryptfs file system, which was previously available as a Technology Preview, is considered deprecated for Red Hat Enterprise Linux 6.
- Following the deprecation of Matahari packages in Red Hat Enterprise Linux 6.3, at which time the mingw packages were noted as deprecated, and the subsequent removal of Matahari packages from Red Hat Enterprise Linux 6.4, the mingw packages are now being removed from Red Hat Enterprise Linux 6.6.The mingw packages will no longer be shipped in future Red Hat Enterprise Linux 6 minor releases, nor will they receive security-related updates. Consequently, users are advised to uninstall any earlier releases of the mingw packages from their Red Hat Enterprise Linux 6 systems.
- The VirtIO SCSI driver has been removed from the virtio-win package and is no longer supported on Microsoft Windows Server 2003 platform.
- The qemu-guest-agent-win32 package is no longer shipped as part of the qemu-kvm package. The Windows guest agent is now delivered in the Supplementary channel together with other Windows components, for example, virtio-win drivers.
- Prior to Red Hat Enterprise Linux 6.5 release, the Red Hat Enterprise Linux High Availability Add-On was considered fully supported on certain VMware ESXi/vCenter versions in combination with the fence_scsi fence agent. Due to limitations in these VMware platforms in the area of SCSI-3 persistent reservations, the
fence_scsifencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations:Users using
fence_scsion an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.
- The systemtap-grapher package has been removed from Red Hat Enterprise Linux 6. For more information, see https://access.redhat.com/solutions/757983.
- The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.
- The following packages have been deprecated and are subjected to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories and customers who do not use the MRG-Messaging product are advised to uninstall them from their system.
Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
- The libvirt-qpid is no longer part of the fence-virt package.
- The openscap-perl subpackage has been removed from openscap.
Chapter 6. Known Issues
- To automatically create an appropriate partition table on disks that are uninitialized or contain unrecognized formatting, use the
zerombrkickstart command. The
--initlabeloption of the
clearpartcommand is not intended to serve this purpose.
- On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the
/bootvolume on an encrypted volume.
- The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example,
sda).During installation, verify the storage device size, name, and type when configuring partitions and file systems.
kdump default onfeature currently depends on Anaconda to insert the
crashkernel=parameter to the kernel parameter list in the boot loader's configuration file.
- In some circumstances, disks that contain a whole disk format (for example, an LVM Physical Volume populating a whole disk) are not cleared correctly using the
clearpart --initlabelkickstart command. Adding the
clearpart --initlabel --all—ensures disks are cleared correctly.
- When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
- The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
- The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
- Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart—the graphical user interface for generating a kickstart configuration—cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.
- If multiple repositories are enabled, subscription-manager installs product certificates from all repositories instead of installing the product certificate only from the repository from which the RPM package was installed.
- The ns-slapd utility terminates unexpectedly if it cannot rename the
dirsrv-<instance>log files in the
/var/log/directory due to incorrect permissions on the directory.
- Some HP Proliant servers may report incorrect CPU frequency values in
/sys/device/system/cpu/*/cpufreq. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this ensure that the
HP Power Regulatoroption in the BIOS is set to
OS Control. An alternative available on more recent systems is to set
Collaborative Power Controlto
- Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
- On certain UEFI-based systems, you may need to type
bootx64to boot the installer due to case sensitivity issues.
- When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.
- If a
virtiodevice is created where the number of vectors is set to a value higher than 32, the device behaves as if it was set to a zero value on Red Hat Enterprise Linux 6, but not on Enterprise Linux 7. The resulting vector setting mismatch causes a migration error if the number of vectors on any
virtiodevice on either platform is set to 33 or higher. It is, therefore, not recommended to set the
vectorvalue to be greater than 32.
- Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2 require some CPU features, for example Compare Exchange 8Byte and Compare Exchange 16Byte, which are not present in all qemu-kvm CPU models. As a consequence, Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2 guests do not boot if they use the following CPU model definitions: Opteron_G1, Conroe, and kvm64. To work around this problem, use CPU models that include the features required by Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2, for example Penryn, Nehalem, Westmere, SandyBridge, Haswell, Opteron_G2, Opteron_G3, Opteron_G4, or Opteron_G5.
- KVM (Kernel-based Virtual Machine) cannot handle the values written in the MSR_IA32_MC4_CTL preprocessor macro by Linux guests when using some CPU or family model values. As a consequence, kernel panic occurs when booting on Red Hat Enterprise Linux 4 guests. Red Hat Enterprise Linux 5 and later incorrectly ignore certain exceptions so they are not affected. To work around this problem, use the
nomcekernel command-line option on the guest, which disables MCE support. Alternatively, use a different CPU model name on the virtual machine configuration. As a result, guests boot as expected and kernel panic no longer occurs.
- After alternately hot plugging and unplugging SCSI disks more then three times, the guest displays information about the incorrect SCSI disk that has been removed. The work around this problem, the guest can need to wait for up to three minutes before it can rescan the bus to obtain correct information of the changed device.
- When upgrading the
NetKVMdriver through the Windows Device Manager, the old registry values are not removed. As a consequence, for example, non-existent parameters may be available.
- When working with very large images (larger than 2TB) created with very small cluster sizes (for example, 512bytes), block I/O errors can occur due to timeouts in qemu. To prevent this problem from occurring, use the default cluster size of 64KiB or larger.
- On Microsoft Windows Server 2012 containing large dynamic VHDX (Hyper-V virtual hard disk) files and using the ext3 file system, a call trace can appear, and, consequently, it is not possible to shut down the guest. To work around this problem, use the ext4 file system or set a logical block size of 1MB when creating a VHDX file. Note that this can only be done by using Microsoft PowerShell as the Hyper-V manager does not expose the –BlockSizeBytes option which has the default value of 32MB. To create a dynamix VHDX file with an approximate size of 2.5TB and 1MB block size run:
New-VHD –Path .\MyDisk.vhdx –SizeBytes 5120MB –BlockSizeBytes 1MB -Dynamic
- The storage drivers do not support the
virsh vol-resizecommand options
--shrink. Use of the
--shrinkoption will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x4)Use of the
--allocateoption will result in the following error message:
error: invalid argument: storageVolumeResize: unsupported flags (0x1)Shrinking a volume's capacity is possible as long as the value provided on the command line is greater than the volume allocation value as seen with the
virsh vol-infocommand. You can shrink an existing volume by name through the followind sequence of steps:
In order to allocate more space on the volume, follow a similar sequence, but adjust the allocation to a larger value than the existing volume.
- Dump the XML of the larger volume into a file using the
- Edit the file to change the name, path, and capacity values, where the capacity must be greater than or equal to the allocation.
- Create a temporary smaller volume using the
vol-createwith the edited XML file.
- Back up and restore the larger volumes data using the
vol-uploadcommands to the smaller volume.
- Use the
vol-deletecommand to remove the larger volume.
- Use the
vol-clonecommand to restore the name from the larger volume.
- Use the
vol-deletecommand to remove the temporary volume.
- It is not possible to downgrade a driver using the
Search for the best driver in these locationsoption because the newer and installed driver will be selected as the "best" driver. If you want to force installation of a particular driver version, use the
Don't searchoption and the button to select the folder of the older driver. This method will allow you to install an older driver on a system that already has a driver installed.
- Performing Automatic System Recovery (ASR) on Windows 2003 guest system with virtio-blk attached system disk fails. To work around this issue, the following files need to be copied from virtio-win floppy image to ASR floppy image :
- There is a known issue with the Microsoft Hyper-V host. If a legacy network interface controller (NIC) is used on a multiple-CPU virtual machine, there is an interrupt problem in the emulated hardware when the IRQ balancing daemon is running. Call trace information is logged in the
- Under certain circumstances, virtual machines try to boot from an incorrect device after a network boot failure. For more information, please refer to this article on Customer Portal.
- When a Red Hat Enterprise Linux 6.4 guest updates the kernel and then the guest is turned off through Microsoft Hyper-V Manager, the guest fails to boot due to incomplete grub information. This is because the data is not synced properly to disk when the machine is turned off through Hyper-V Manager. To work around this problem, execute the
synccommand before turning the guest off.
- Using the mouse scroll wheel does not work on Red Hat Enterprise Linux 6.4 guests that run under certain version of Microsoft Hyper-V Manager. However, the scroll wheel works as expected when the vncviewer utility is used.
- Microsoft Windows Server 2012 guests using the e1000 driver can become unresponsive consuming 100% CPU during boot or reboot.
- When a kernel panic is triggered on a Microsoft Hyper-V guest, the kdump utility does not capture the kernel error information; an error is only displayed on the command line. This is a host problem. Guest kdump works as expected on Microsoft Hyper-V 2012 R2 host.
- AMD Opteron G1, G2 or G3 CPU models on qemu-kvm use the family and models values as follows: family=15 and model=6. If these values are larger than 20, the
lahfm_lmCPU feature is ignored by Linux guests, even when the feature is enabled. To work around this problem, use a different CPU model, for example AMD Opteron G4.
- KVM guests must not be allowed to update the host CPU microcode. KVM does not allow this, and instead always returns the same microcode revision or patch level value to the guest. If the guest tries to update the CPU microcode, it will fail and show an error message similar to:
CPU0: update failed (for patch_level=0x6000624)To work around this, configure the guest to not install CPU microcode updates; for example, uninstall the microcode_ctl package Red Hat Enterprise Linux of Fedora guests.
- Converting a physical server running either Red Hat Enterprise Linux 4 or Red Hat Enterprise Linux 5 which has its file system root on an MD device is not supported. Converting such a guest results in a guest which fails to boot. Note that conversion of a Red Hat Enterprise Linux 6 server which has its root on an MD device is supported.
- When converting a physical host with a multipath storage, Virt-P2V presents all available paths for conversion. Only a single path must be selected. This must be a currently active path.
- The balloon service on Windows 7 guests can only be started by the Administrator user.
- A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
- Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium can lead to the system being unresponsive and, consequently, to a crash during the final steps of the installation process. To work around this issue, use the Windows Update utility to install the Service Pack.
- A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
- The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
- The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.
- The libguestfs packages do not support remote access to disks over the network in Red Hat Enterprise Linux 6. Consequently, the virt-sysprep tool as well as other tools do not work with remote disks. Users who need to access disks remotely with tools such as virt-sysprep are advised to upgrade to Red Hat Enterprise Linux 7.
6.5. Storage and File Systems
- Tools provided by the device-mapper-persistent-data package fail to operate on 4K hard-sectored metadata devices.
- In UEFI mode, when creating a partition for software RAID, anaconda can be unable to allocate the
/boot/efimount point to the software RAID partition and fails with the "have not created /boot/efi" message in such a scenario.
- Users might be unable to access a partition created by parted. To work around this problem, reboot the machine.
- When filling a thin pool to 100% by writing to thin volume device, access to all thin volumes using this thin pool can be blocked. To prevent this, try not to overfill the pool. If the pool is overfilled and this error occurs, extend the thin pool with new space to continue using the pool.
- The Qlogic QLA2xxx driver can miss some paths after booting from Storage Area Network (SAN). To workaroud this problem, run the following commands:
echo "options qla2xxx ql2xasynclogin=0" > /etc/modprobe.d/qla2xxx.conf mkinitrd /boot/initramfs-`uname -r`.img `uname -r` --force
- Unloading the
nfsmodule can cause the system to terminate unexpectedly if the fsx utility was ran with NFSv4.1 before.
- When the
multipathdservice is not running, failed devices will not be restored. However, the multipath command gives no indication that multipathd is not running. Users can unknowingly set up multipath devices without starting the
multipathdservice, keeping failed paths from automatically getting restored. Make sure to start multipathing by
- either running:
~]# mpathconf --enable ~]# service multipathd start
~]# chkconfig multipathd on ~]# service multipathd start
multipathdwill automatically start on boot, and multipath devices will automatically restore failed paths.
- When the administrator disables use of the
lvmetaddaemon in the
lvm.conffile, but the daemon is still running, the cached metadata are remembered until the daemon is restarted. However, if the
lvm.confis reset to
1without an intervening
lvmetadrestart, the cached metadata can be incorrect. Consequently, VG metadata can be overwritten with previous versions. To work around this problem, stop the
lvmedatdaemon manually when disabling
lvm.conf. The daemon can only be restarted after
use_lvmetadhas been set to 1. To recover from an out-of-sync
lvmetadcache, execute the
pvscan --cachecommand or restart
lvmetad. To restore metadata to correct versions, use vgcfrestore with a corresponding file in
- Due to the limitations of the LVM 'mirror' segment type, it is possible to encounter a deadlock situation when snapshots are created of mirrors. The deadlock can occur if snapshot changes (e.g. creation, resizing or removing) happen at the same time as a mirror device failure. In this case, the mirror blocks I/O until LVM can respond to the failure, but the snapshot is holding the LVM lock while trying to read the mirror.If the user wishes to use mirroring and take snapshots of those mirrors, then it is recommended to use the 'raid1' segment type for the mirrored logical volume instead. This can be done by adding the additional arguments '--type raid1' to the command that creates the mirrored logical volume, as follows:
~]$ lvcreate --type raid1 -m 1 -L 1G -n my_mirror my_vg
- The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
pvmovecommand cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:
lvconvert -m +1 <vg/lv> <new PV>~]$
lvconvert -m -1 <vg/lv> <old PV>Mirror logs can be handled in a similar fashion:
lvconvert --mirrorlog core <vg/lv>~]$
lvconvert --mirrorlog disk <vg/lv> <new PV>or
lvconvert --mirrorlog mirrored <vg/lv> <new PV>~]$
lvconvert --mirrorlog disk <vg/lv> <old PV>
- Under certain conditions, when the server is processing multiple outgoing replication or windows sync agreements using the TLS or SSL protocol, and processing incoming client requests that use TLS or SSL, and incoming BIND requests where the password used is hashed using SSHA512, the server becomes unresponsive to new incoming client requests. A restart of the
dirsrvservice is required. As the server is unresponsive, restarting can require terminating the
ns-slapdprocess by running the
- In cluster environment, the multicast traffic from the guest to a host can be unreliable. To work around this problem, enable multicast_querier for the bridge. The setting is located in the
/sys/class/net/<bridge_name>/bridge/multicast_querierfile. Note that if the setting is not available, the problem should not occur.
- A missing part of the
bcmadriver causes the
brcmsmacdriver not to load automatically when the
bcmadriver scans the for devices. This causes the kernel not to load the
brcmsmacmodule automatically on boot. Symptoms can be confirmed by running the
lspci -vcommand for the device and noting the driver to be
brcmsmac. To load the driver manually, run
modprobe brcmsmacon the command line.
- Under certain conditions, when the server is processing multiple outgoing replication or windows sync agreements using the TLS or SSL protocol, and processing incoming client requests that use TLS or SSL and Simple Paged Results, the server becomes unresponsive to new incoming client requests. The
dirsrvservice will stop responding to new incoming client requests. A restart of the
dirsrvservice is required to restore service.
- When some Fibre Channel over Ethernet (FCoE) switch ports connected to the bfa host bus adapter go offline and then return in the online state, the bfa port may not re-establish the connection with the switch. This is due to a failure of the bfa driver's retry logic when interacting with certain switches. To work around this problem, reset the bfa link. This can be done either by running:
]# echo 1 > /sys/class/fc_host/host/issue_lipor by running:
]# modprobe -r bfa && modprobe bfa
- For HP systems running in HP FlexFabric mode, the designated iSCSI function can only be used for iSCSI offload related operations and will not be able to perform any other Layer 2 networking tasks, for example, DHCP. In the case of iSCSI boot from SAN, the same SAN MAC address is exposed to both the corresponding ifconfig record and the iSCSI Boot Firmware Table (iBFT), therefore, Anaconda will skip the network selection prompt and will attempt to acquire the IP address as specified by iBFT. If DHCP is desired, Anaconda will attempt to acquire DHCP using this iSCSI function, which will fail and Anaconda will then try to acquire DHCP indefinitely. To work around this problem, if DHCP is desired, the user must use the
asknetworkinstallation parameter and provide a "dummy" static IP address to the corresponding network interface of the iSCSI function. This prevents Anaconda from entering an infinite loop and allows it to request the iSCSI offload function to perform DHCP acquisition instead.
- If the corresponding network interface has not been brought up by dracut or the tools from the iscsi-initiator-utils package, this prevents the correct MAC address from matching the offload interface, and host bus adapter (HBA) mode will not work without manual intervention to bring the corresponding network interface up. To work around this problem, the user must select the corresponding Layer 2 network interface when anaconda prompts the user to choose "which network interface to install through". This will inherently bring up the offload interface for the installation.
- When an
igblink us up, the following ethtool fields display incorrect values as follows:
- Supported ports: [ ] - for example, an empty bracket can be displayed.
- Supported pause frame use: No - however, pause frame is supported.
- Supports auto-negotiation: No - auto-negotiation is supported.
- Advertised pause frame use: No - advertised pause frame is turned on.
- Advertised auto-negotiation: No - advertised auto-negotiation is turned on.
- Speed: Unknown! - the speed is known and can be verified using the dmesg tool.
- End-to-End (E2E) slaves that communicated with an E2E master once can synchronize to Peer-to-Peer (P2P) masters and vice versa. The slaves cannot update their path delay value because E2E ports reject peer delay requests from P2P ports. However, E2E ports accept SYNC messages from P2P ports and the slaves keep updating clock frequency based on undesired offset values that are calculated by using the old path delay value. Therefore, a time gap will occur if the master port is started with an incorrect delay mechanism. The "delay request on P2P" or "pdelay_req on E2E port" message can appear. To work around these problems, use a single delay mechanism for one PTP communication path. Also, because E2E and P2P mismatch can trigger a time gap of slave clock, pay attention to the configuration when starting or restarting a node on a running domain.
- If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the
ipa trust-addcommand will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the
/etc/hostsfile. In this case, the FreeIPA server will use only the IPv4 address and executing
ipa trust-addwill be successful.
- Destroying the root port before any NPIV ports can cause unexpected system behavior, including a full system crash. Note that one instance where the root port is destroyed before the NPIV ports is when the system is shut down. To work around this problem, destroy NPIV ports before destroying the root port that the NPIV ports were created on. This means that for each created NPIV port, the user should write to the
sysfs vport_deleteinterface to delete that NPIV port. This should be done before the root port is destroyed. Users are advised to script the NPIV port deletion and configure the system such that the script is executed before the
fcoeservice is stopped, in the shutdown sequence.
- A Linux LIO FCoE target causes the
bfadriver to reset all FCoE targets which might lead to data corruption on LUN. To avoid these problems, do not use the
bfadriver with a Linux FCoE target.
- Typically, on platforms with no Intelligent Platform Management Interface (IPMI) hardware the user can see the following message the on the boot console and in dmesg log:
Could not set up I/O spaceThis message can be safely ignored, unless the system really does have IPMI hardware. In that case, the message indicates that the IPMI hardware could not be initialized. In order to support Advanced Configuration and Power Interface (ACPI) opregion access to IPMI functionality early in the boot, the IPMI driver has been statically linked with the kernel image. This means that the IPMI driver is "loaded" whether or not there is any hardware. The IPMI driver will try to initialize the IPMI hardware, but if there is no IPMI hardware present on the booting platform, the driver will print error messages on the console and in the dmesg log. Some of these error messages do not identify themselves as having been issued by the IPMI driver, so they can appear to be serious, when they are harmless.
- After an ixgbe Fibre Channel over Ethernet (FCoE) session is created, server reboot can cause some or all of the FCoE sessions to not be created automatically. To work around this problem, follow the following steps (assuming that eth0 is the missing NIC for the FCoE session):
ifconfig eth0 down ifconfig eth0 up sleep 5 dcbtool sc eth0 dcb on sleep 5 dcbtool sc eth0 pfc e:1 a:1 w:1 dcbtool sc eth0 app:fcoe e:1 a:1 w:1 service fcoe restart
- The InfiniBand UD transport test utility could become unresponsive when the
ibv_ud_pingpongcommand was used with a packet size of 2048 or greater. UD is limited to no more than the smallest MTU of any point in the path between point A and B, which is between 0 and 4096 given that the largest MTU supported (but not the smallest nor required) is 4096. If the underlying Ethernet is jumbo frame capable, and with a 4096 IB MTU on an RoCE device, the max packet size that can be used with UD is 4012 bytes.
- IPA creates a new DNS zone in two separate steps. When the new zone is created, it is invalid for a short period of time.
A/AAAArecords for the name server belonging to the new zone are created after this delay. Sometimes, BIND attempts to load this invalid zone and fails. In such a case, reload BIND by running either
service named restart.
bind-dyndb-ldaplibrary incorrectly compares current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket is not renewed under certain circumstances, which causes the connection to the LDAP server to fail. The connection failure often happens after a
BINDservice reload is triggered by the
logrotateutility, and you need to run the
pkill -9 namedcommand to terminate BIND after a deadlock occurs. To work around this problem, set the validity period of the Kerberos ticket to be at least 10 minutes shorter than the logrotate period.
BINDservice incorrectly handles errors returned by dynamic databases (from dyndb API). As a consequence,
BINDenters a deadlock situation on shutdown under certain circumstances. No workaround is available at the moment. If the deadlock occurs, terminate
BINDby running the
pkill -9 namedcommand and restart the service manually.
- The latest version of the sfc NIC driver causes lower UDP and TX performance with large amounts of fragmented UDP packets. This problem can be avoided by setting a constant interrupt moderation period (not adaptive moderation) on both sides, sending and receiving.
- Some network interface cards (NICs) might fail to get an IPv4 address assigned after the system is booted. The default time to wait for the link to come up is 5 seconds. To work around this issue, increase this wait time by specifying the LINKDELAY directive in the interface configuration file. For example, add the following line to the
LINKDELAY=10In addition, check STP settings on all network switches in the path of the DHCP server as the default STP forward delay is 15 seconds.
- Current Samba versions shipped with Red Hat Enterprise Linux 6 are not able to fully control the user and group database when using the
ldapsam_compatback end. This back end was never designed to run a production LDAP and Samba environment for a long period of time. The
ldapsam_compatback end was created as a tool to ease migration from historical Samba releases (version 2.2.x) to Samba version 3 and greater using the new
ldapsamback end and the new LDAP schema. The
ldapsam_compatback end lack various important LDAP attributes and object classes in order to fully provide full user and group management. In particular, it cannot allocate user and group IDs. In the Red Hat Enterprise Linux Reference Guide, it is pointed out that this back end is likely to be deprecated in future releases. Refer to Samba's documentation for instructions on how to migrate existing setups to the new LDAP schema.When you are not able to upgrade to the new LDAP schema (though upgrading is strongly recommended and is the preferred solution), you may work around this issue by keeping a dedicated machine running an older version of Samba (v2.2.x) for the purpose of user account management. Alternatively, you can create user accounts with standard LDIF files. The important part is the assignment of user and group IDs. In that case, the old Samba 2.2 algorithmic mapping from Windows RIDs to Unix IDs is the following: user RID = UID * 2 + 1000, while for groups it is: group RID = GID * 2 + 1001. With these workarounds, users can continue using the
ldapsam_compatback end with their existing LDAP setup even when all the above restrictions apply.
- Because Red Hat Enterprise Linux 6 defaults to using Strict Reverse Path filtering, packets are dropped by default when the route for outbound traffic differs from the route of incoming traffic. This is in line with current recommended practice in RFC3704. For more information about this issue please refer to
- The external Advanced Encryption Standard (AES) New Instructions (AES-NI) engine is no longer available in openssl; the engine is now built-in and therefore no longer needs to be manually enabled.
- The redundant ring feature of corosync is not fully supported in combination with InfiniBand or Distributed Lock Manager (DLM). A double ring failure can cause both rings to break at the same time on different nodes. In addition, DLM is not functional if ring0 is down.
- Clustered environment is not supported by
lvmetadat the moment. If global/use_lvmetad=1 is used together with global/locking_type=3 configuration setting (clustered locking), the use_lvmetad setting is automatically overriden to
lvmetadis not used in this case at all. Also, the following warning message is displayed:
WARNING: configuration setting use_lvmetad overriden to 0 due to locking_type 3. Clustered environment not supported by lvmetad yet.
luciwill not function with Red Hat Enterprise Linux 5 clusters unless each cluster node has
- OpenLDAP and 389 Directory Server treat the grace logins differently. 389 Directory Server treats them as "number of grace logins left" while OpenLDAP treats them as "number of grace logins used". Currently the SSSD only handles the semantics used by 389 Directory server. As a result, when using OpenLDAP server, the grace password warning might be incorrect.
- The Identity Management server does not write the initial user password correctly to password history. As a consequence, when a new Identity Management user is created and a password is generated for him, the first time that user changes the password, the value of the first password is disregarded when the password policy plug-in checks the password history. This means that user can "change" the initial password to the same value as the previous one, with no regards to the configured password history. Password history is applied correctly to all subsequent password changes.
- When an Identity Management server installed on Red Hat Enterprise Linux 6.2 is updated to the version provided by Red Hat Enterprise Linux 6.4 or later, the new pbac permission "Write DNS Configuration" is created without any of the required object classes. Consequently, the permission may not show up on the Identity Management Web UI permission page or when the
--sizelimitparameter is used for the CLI
permission-findcommand. The permission is still accessible using the command line when the
--sizelimitoption is not specified. To work around this problem, run the following command on the server to trigger the DNS permission update process again and fix the list of permission object classes:
/usr/share/ipa/updates/40-dns.updateThis problem can also be avoided when a replica of Red Hat Enterprise Linux 6.4 or later is installed, or when an Identity Management server is reinstalled or upgraded.
- ipa-adtrust-install, an Identity Management Active Directory Trust configuration tool, does not explicitly specify authentication mechanism when performing Active Directory Trust configuration changes. When the user specifies the default LDAP authentication mechanism other than the expected default (for example, by setting the SASL_MECH configuration option to GSSAPI in the LDAP configuration file for the root user,
.ldaprc), ipa-adtrust-install will not use the expected authentication mechanism and will fail to configure some of the parts of the Active Directory Integration feature, a crash of samba daemon (smbd) can occur or the user will be unable to use the feature. To work around this problem, remove any user default settings related to LDAP authentication mechanism from the
.ldaprcfile. The ipa-adtrust-install installer will then successfully configure the Active Directory integration feature.
- The Identity Management installer configures all integrated services to listen on all interfaces. The administrator has no means to instruct the Identity Management installer to listen only on chosen interfaces even though the installer requires a valid interface IP address as one installation parameter. To work around this problem, change service configuration after Identity Management installation.
- Identity Management LDAP permission manipulation plugin validates subtree and filter permission specifiers as mutually exclusive even though it is a valid combination in the underlying LDAP Access Control Instruction (ACI). Permissions with filter and subtree specifiers can be neither created nor modified. This affects for example the
Add Automount Keyspermission which cannot be modified.
- In some cases the certificates tracked by certmonger are not cleared when running the
ipa-server-install --uninstallcommand. This will cause a subsequent re-installation to fail with an unexpected error.
- The ssh_cache utility sets the DEBUG level after it processes the command-line parameters. If the command-line parameters cannot be processed, the utility prints DEBUG lines that are not supposed to be printed by default. To avoid this, correct parameters must be used.
- It is possible to specify the
enumerate=truevalue in the
sssd.conffile to access all users in the system. However, using
enumerate=trueis not recommended in large environments as this can lead to high CPU consumption. As a result, operations like login or logout can be slowed down.
- The Identity Management server processes Kerberos Password Expiration Time field as a 32-bit integer. If Maximum Lifetime of a user password in Identity Management Password Policy is set to a value causing the resulting Kerberos Password Expiration Time timestamp to exceed 32 bits and to overflow, the passwords that are being changed are configured with an expiration time that lies in the past and are always rejected. To ensure that new user passwords are valid and can be changed properly, do not set password Maximum Lifetime in Identity Management Password Policy to values that would cause the Kerberos Password Expiration Time timestamp to exceed 32 bits; that is, passwords that would expire after 2038-01-19. At the moment, recommended values for the Maximum Lifetime field are numbers lower than 9000 days.
- When reconnecting to an LDAP server, SSSD does not check it was re-initialized during the downtime. If the server was re-initialized during the downtime and was filled with completely different data, SSSD does not update its database. As a consequence, the user can get invalid information from SSSD. To work around this problem:
- stop SSSD before reconnecting to the re-initialized server;
- clear the SSSD caches manually before reconnecting;
- start SSSD.
- In environments where entropy is scarce, the kadmind tool can take longer to initialize after startup than it did in previous releases as it attempts to read data from the
/dev/randomfile and seed its internal random number generator (RNG). Clients which attempt to connect to the
kadminservice can time out and fail with a GSS-API or Kerberos error. After the service completely finishes initializing itself, it will process messages received from now-disconnected clients and can log clock-skew or decrypt-integrity-check-failed errors for those connections. To work around this problem, use a service such as
rngdto seed the system RNG using hardware sources of entropy.
- The Identity Management server in Red Hat Enterprise Linux 6.3 introduced a technical preview of SELinux user mapping feature, which enabled a mapping of SELinux users to users managed by the Identity Management based on custom rules. However, the default configured SELinux user (
guest_u:s0) used when no custom rule matches is too constraining. An Identity Management user authenticating to Red Hat Enterprise Linux 6.5 or later can be assigned the too constraining SELinux user in which case a login through graphical session would always fail. To work around this problem, change a too constraining default SELinux user in the Identity Management server from
guest_u:s0to a more relaxed value
kinit admin ipa config-mod ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023An unconfined SELinux user will be now assigned to the Identity Management user by default, which will allow the user to successfully authenticate through graphical interface.
- When upgrading the ipa-server package using anaconda, the following error message is logged in the
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directoryThis problem does not occur when using yum.
- In the Identity Manager subdomain code, a User Principal Name (UPN) is by default built from the SAM Account Name and Active Directory trust users, that is
user@DOMAIN. The UPN can be changed to differ from the UPN in Active Directory, however only the default format,
user@DOMAIN, is supported.
- Sometimes, group members may not be visible when running the
getent group groupnamecommand. This can be caused by an incorrect
[domain/DOMAINNAME]section of the
sssd.conffile. SSSD supports three LDAP schema types: RFC 2307, RFC 2307bis, and IPA. By default, SSSD uses the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute which contains the name of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued attribute member (or sometimes uniqueMember) which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well.When encountering this problem:
If the workaround does not work, add
ldap_schema = rfc2307bisin the
- detele the
- and restart SSSD.
ldap_group_member = uniqueMemberin the
sssd.conffile, delete the cache file and restart SSSD.
- Identity Management component, BZ#826973
- When Identity Management is installed with its CA certificate signed by an external CA, the installation is processed in 2 stages. In the first stage, a CSR is generated to be signed by an external CA. The second stage of the installation then accepts a file with the new signed certificate for the Identity Management CA and a certificate of the external CA. During the second stage of the installation, a signed Identity Management CA certificate subject is validated. However, there is a bug in the certificate subject validation procedure and its default value (
$REALMis the realm of the new Identity Management installation) is never pulled. Consequently, the second stage of the installation process always fails unless the
--subjectoption is specified. To work around this issue, add the following option for the second stage of the installation:
$REALMis the realm of the new Identity Management installation. If a custom subject was used for the first stage of the installation, use its value instead. Using this work around, the certificate subject validation procedure succeeds and the installation continues as expected.
- Identity Management component, BZ#822350
- When a user is migrated from a remote LDAP, the user's entry in the Directory Server does not contain Kerberos credentials needed for a Kerberos login. When the user visits the password migration page, Kerberos credentials are generated for the user and logging in via Kerberos authentication works as expected. However, Identity Management does not generate the credentials correctly when the migrated password does not follow the password policy set on the Identity Management server. Consequently, when the password migration is done and a user tries to log in via Kerberos authentication, the user is prompted to change the password as it does not follow the password policy, but the password change is never successful and the user is not able to use Kerberos authentication. To work around this issue, an administrator can reset the password of a migrated user with the
ipa passwdcommand. When reset, user's Kerberos credentials in the Directory Server are properly generated and the user is able to log in using Kerberos authentication.
- Identity Management component, BZ#790513
- The ipa-client package does not install the policycoreutils package as its dependency, which may cause install/uninstall issues when using the
ipa-client-installsetup script. To work around this issue, install the policycoreutils package manually:
yum install policycoreutils
- Identity Management component, BZ#813376
- Updating the Identity Management LDAP configuration via the
ipa-ldap-updaterfails with a traceback error when executed by a non-root user due to the SASL EXTERNAL bind requiring root privileges. To work around this issue, run the aforementioned command as the root user.
- Identity Management component, BZ#794882
- With netgroups, when adding a host as a member that Identity Management does not have stored as a host already, that host is considered to be an external host. This host can be controlled with netgroups, but Identity Management has no knowledge of it. Currently, there is no way to use the
netgroup-findoption to search for external hosts.Also, note that when a host is added to a netgroup as an external host, rather than being added in Identity Management as an external host, that host is not automatically converted within the netgroup rule.
- Identity Management component, BZ#786629
- Because a permission does not provide write access to an entry, delegation does not work as expected. The 389 Directory Server (389-ds) distinguishes access between entries and attributes. For example, an entry can be granted add or delete access, whereas an attribute can be granted read, search, and write access. To grant write access to an entry, the list of writable attributes needs to be provided. The
subtree, and other options are used to target those entries which are writable. Attributes define which part(s) of those entries are writable. As a result, the list of attributes will be writable to members of the permission.
- The manpage entry for the
ldap_disable_pagingoption in the
sssd-ldapman page does not indicate that it accepts the boolean values True or False, and defaulting to False if it is not explicitly specified.
- Identity Management component, BZ#812127
- Identity Management relies on the LDAP schema to know what type of data to expect in a given attribute. If, in certain situations (such as replication), data that does not meet those expectations is inserted into an attribute, Identity Management will not be able to handle the entry, and LDAP tools have do be used to manually clean up that entry.
- Identity Management component, BZ#812122
- Identity Management
sudocommands are not case sensitive. For example, executing the following commands will result in the latter one failing due to the case insensitivity:
ipa sudocmd-add /usr/bin/X⋮ ~]$
ipa sudocmd-add /usr/bin/xipa: ERROR: sudo command with name "/usr/bin/x" already exists
- Identity Management component
- When an Identity Management server is installed with a custom hostname that is not resolvable, the
ipa-server-installcommand should add a record to the static hostname lookup table in
/etc/hostsand enable further configuration of Identity Management integrated services. However, a record is not added to
/etc/hostswhen an IP address is passed as an CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable.
- Run the
--ip-addressoption and pass the IP address interactively.
- Add a record to
/etc/hostsbefore the installation is started. The record should contain the Identity Management server IP address and its full hostname (the
hosts(5)man page specifies the record format).
- Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library
libldb. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the
\,character sequence. The most likely example of this is for an invalid
memberUIDentry to appear in an LDAP group of the form:
memberUIDis a multi-valued attribute and should not have multiple users in the same attribute.If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldbremove the
/var/lib/sss/db/cache_<DOMAIN>.ldbfile and restart SSSD.
/var/lib/sss/db/cache_<DOMAIN>.ldbfile purges the cache of all entries (including cached credentials).
- When a group contains certain incorrect multi-valued
memberUIDvalues, SSSD fails to sanitize the values properly. The
memberUIDvalue should only contain one username. As a result, SSSD creates incorrect users, using the broken
memberUIDvalues as their usernames. This, for example, causes problems during cache indexing.
- Identity Management component
- Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers, however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
- Identity Management component
- The Identity Management (ipa) package cannot be build with a
- Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.To work around this issue, disable referral-chasing by setting the following parameter in the
[domain/DOMAINNAME]section of the
ldap_referrals = false
- When using large block size (1MB), the tape driver sometimes returns an EBUSY error. To work around this problem, use a smaller block size, that is 256KB.
- On some of the older Broadcom tg3 devices, the default Maximum Read Request Size (MRRS) value of 512 byte is known to cause lower performance. It is because these devices perform direct memory access (DMA) requests serially. 1500-byte ethernet packet will be broken into 3 PCIE read requests using 512 byte MRRS. When using a higher MRRS value, the DMA transfer can be faster as fewer requests will be needed. However, the MRRS value is meant to be tuned by system software and not by the driver. PCIE Base spec 3.0 section 7.8.4 contains an implementation note that illustrates how system software might tune the MRRS for all devices in the system. As a result, Broadcom modified the tg3 driver to remove the code that sets the MRRS to 4K bytes so that any value selected by system software (BIOS) will be preserved.
- The Brocade BFA Fibre Channel and FCoE driver does not currently support dynamic recognition of Logical Unit addition or removal using the sg3_utils utilities (for example, the
sg_scancommand) or similar functionality. Please consult Brocade directly for a Brocade equivalent of this functionality.
- Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Brtfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet,
UUID/LABELresolving is not functional. Avoid using the
UUID/LABELsyntax when dumping core to Btrfs file systems.
trace-cmdservice does not start on 64-bit PowerPC and IBM System z systems because the
sys_exitevents do not get enabled on the aforementioned systems.
- trace-cmd's subcommand,
report, does not work on IBM System z systems. This is due to the fact that the
CONFIG_FTRACE_SYSCALLSparameter is not set on IBM System z systems.
- Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
lsusb -v -d 147e:2016 | grep bcdDevice
- The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however that the Emulex driver (
lpfc) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
- The recommended minimum HBA firmware revision for use with the
mpt2sasdriver is "Phase 5 firmware" (that is, with version number in the form
05.xx.xx.xx). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
- When Single Root I/O Virtualization (SR-IOV) is enabled on mlx4 adapters, initialization of the
mlx4_coremodule can take longer than 30 seconds. However,
udevhas a 30-second timer for hardware initialization and terminates the modprobe sequence if the time is exceeded. As a consequence, the
mlx4_ibmodules are not loaded after the
mlx4_coremodule has finished initializing.Two workarounds are available:To work around the
udevtime limit, run the
rmmod mlx4_core; modprobe mlx4_corecommand on a system that does not run on mlx4 hardware. Running this command enables you to have the full configured number of virtual devices, but for example guest operating systems that are configured to start on boot may need to be started manually once all the devices are present.Alternatively, reduce either the total number of virtual functions that are enabled on the card, or functions that are probed by the guest driver, or both, until the card initialization sequence can be reliably completed in less than 30 seconds. However, you can be limited in the number of guests you can run due to insufficient virtual functions.
- The modprobe configuration file does not use the full path name of the
modprobebinary file. As a consequence, modprobe fails to load the
ib_qibmodule. To work around this problem, run the
modprobe ib_qibcommand after each boot. Alternatively, to fix the problem permanently, edit the
/etc/modprobe.d/truescale.confand change the instance of modprobe to be /sbin/modprobe. As a result, the
ib_qibmodule loads as expected.
- Sun Fire X4500 data server enumerates the e1000 card with Peripheral Component Interconnect Extended (PCI-X) and enables 64-bit direct memory access (DMA), however, 64-bit DMA is not fully supported on this hardware. If possible, disable 64-bit DMA in BIOS.
- Use of multiboot images makes discerning different image types problematic during kernel updates. As a consequence, using the tboot package and multiple types of kernels at the same time does not work properly. If, for example, tboot is in use and the kernel-debug package is installed, bootloader configuration can sometimes reflect an incorrect image list. To avoid this, do not use the kernel-debug on a system utilizing tboot, or vice versa. If such a situation is unavoidable, manually verify that the bootloader configuration is reasonable after each update before rebooting.
- When the debug kernel is installed and also used as the Red Hat Enterprise Linux kdump kernel, the reserved kdump memory must be increased to a minimum of 256 MB. To assure this setting, start the system-config-kdump tool, modify the kdump memory, and reboot your Linux instance. Alternatively, you can configure a particular kernel that is always used as the kdump kernel, independently of the running kernel. For more information, consult the Red Hat Enterprise Linux 6 Deployment Guide.
- Red Hat Enterprise Linux 6.4 changed the maximum read/write socket memory default value to be higher, allowing for better performance on some machines. It was observed that if the values of
?mem_maxare not symmetrical between two machines, the performance can be negatively affected. To work around this problem, adjust the value of
?mem_maxto be equal across all Red Hat Enterprise Linux systems in the network.
- The vxfs module might not work properly on Red Hat Enterprise Linux 6.4 and later because of the broken
radix_tree_gang_lookup_slotsymbol. Consult Symantec should you require a workaround for this issue.
- Enabling TCP Segmentation Offload (TSO) on TAP interface may cause low throughput when the uplink is a high-speed interface. To improve throughput, turn off TSO on the tap interface of the virtual machine.
- When using Chelsio's iSCSI HBAs for an iSCSI root partition, the first boot after install fails. This occurs because Chelsio's iSCSI HBA is not properly detected. To work around this issue, users must add the
iscsi_firmwareparameter to grub's kernel command line. This will signal to dracut to boot from the iSCSI HBA.
- The installation of Red Hat Enterprise Linux 6.3 i386 and later may occasionally fail. To work around this issue, add the following parameter to the kernel command line:
- If a device reports an error, while it is opened (via the
open(2)system call), then the device is closed (via the
close(2)system call), and the
/dev/disk/by-idlink for the device may be removed. When the problem on the device that caused the error is resolved, the
by-idlink is not re-created. To work around this issue, run the following command:
echo 'change' > /sys/class/block/sdX/uevent
- When an HBA that uses the
mpt2sasdriver is connected to a storage using an SAS switch LSI SAS 6160, the driver may become unresponsive during Controller Fail Drive Fail (CFDF) testing. This is due to faulty firmware that is present on the switch. To fix this issue, use a newer version (14.00.00.00 or later) of firmware for the LSI SAS 6160 switch.
- In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In other cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen hypervisor. To work around this, add the
nohpetparameter or, alternatively, the
clocksource=jiffiesparameter to the kernel command line of the guest. Or, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the
hpet=0parameter in it.
- On some systems, Xen full-virt guests may print the following message when booting:
WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing <number>MB of RAMIt is possible to avoid the memory trimming by using the
disable_mtrr_trimkernel command line option.
- On 64-bit PowerPC, the following command may cause kernel panic:
./perf record -agT -e sched:sched_switch -F 100 -- sleep 3
- Applications are increasingly using more than 1024 file descriptors. It is not recommended to increase the default soft limit of file descriptors because it may break applications that use the
select()call. However, it is safe to increase the default hard limit; that way, applications requiring a large amount of file descriptors can increase their soft limit without needing root privileges and without any user intervention.
- In network only use of Brocade Converged Network Adapters (CNAs), switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes continuous messages on the host console:
bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivityTo work around this issue, unload the Brocade
- In Red Hat Enterprise Linux 6, a legacy bug in the PowerEdge Expandable RAID Controller 5 (PERC5) which causes the kdump kernel to fail to scan for
scsidevices. It is usually triggered when a large amounts of I/O operations are pending on the controller in the first kernel before performing a kdump.
- In Red Hat Enterprise Linux 6.2 and later, due to security concerns, addresses in
/proc/modulesshow all zeros when accessed by a non-root user.
- Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the
nomcekernel boot option, which disables machine check error reporting, or the
mce=ignore_cekernel boot option, which disables correctable machine check error reporting.
- The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation, is the intended device.One way to assure the correctness of device names is to, in some configurations, determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release, to ensure that the device name is as expected.The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DACIf the device name is incorrect, add the
pci=bfsortparameter to the kernel command line, and check again.
- The minimum firmware version for NIC adapters managed by
netxen_nicis 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself.
- High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the
vmcore. As a result, the second kernel is not loaded, and the system becomes unresponsive.
- Triggering kdump to capture a
vmcorethrough the network using the Intel 82575EB ethernet device in a 32 bit environment causes the networking driver to not function properly in the kdump kernel, and prevent the
vmcorefrom being captured.
- Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh # Disable hyper-threading processor cores on suspend and hibernate, re-enable # on resume. # This file goes into /etc/pm/sleep.d/ case $1 in hibernate|suspend) echo 0 > /sys/devices/system/cpu/cpu1/online echo 0 > /sys/devices/system/cpu/cpu3/online ;; thaw|resume) echo 1 > /sys/devices/system/cpu/cpu1/online echo 1 > /sys/devices/system/cpu/cpu3/online ;; esac
- In Red Hat Enterprise Linux 6.2,
nmi_watchdogregisters with the
perfsubsystem. Consequently, during boot, the
perfsubsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with the
nmi_watchdog=0kernel parameter set, or run the following command to disable it at run time:
echo 0 > /proc/sys/kernel/nmi_watchdogTo re-enable
nmi-watchdog, use the following command
echo 1 > /proc/sys/kernel/nmi_watchdog
- Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace can not find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to
BUG: NMI Watchdog detected LOCKUPand have either
ipi_handlerin the backtrace. To work around this issue, disable NMI watchdog by setting the
nmi_watchdog=0kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
- On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a
vmcorevia NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH.
- A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
- The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either
nmi_watchdog=lapicparameters. The parameter
nmi_watchdog=1is not supported.
- The kernel parameter,
pci=noioapicquirk, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
- In a multi-thread Python program, if a non-main thread receives a signal while the
signal.pause()function is in use in the main thread,
signal.pause()does not return or otherwise handle the received signal, and
signal.pause()works only when the main thread is signaled. As a consequence, a Python program could become unresponsive. To work around this problem, avoid calling
signal.pause()in the main thread.
- The mesa-private-llvm packages have a syntax error in their %postun script in versions prior to 3.4. As a consequence, when updating mesa-private-llvm to a later version, the following error message is displayed:
Upgrading from mesa-private-llvm-3.3-0.3.rc3.el6.x86_64 causes: /sbin/ldconfig: relative path `1' used to build cache warning: %postun(mesa-private-llvm-3.3-0.3.rc3.el6.x86_64) scriptlet failed, exit status 1This message is harmless and does not affect the user.
- The X server in Red Hat Enterprise Linux 6.5, when presented with an
xorg.conffile that identifies both a PCI driver and an fbdev driver, the fbdev driver is ignored and only the PCI device is initialized. In Red Hat Enterprise Linux 6.6, the server can attempt to initialize both devices present in such a configuration file. As a consequence, installations in this scenario initialize on all screens, which can cause a loss of functionality. To work around this problem, edit
xorg.confmanually: remove the fbdev device stanza or edit it appropriately. As a result, a single X server can now drive both PCI devices using native drivers and non-PCI devices with the fbdev driver.
- The gnome-panel utility can sometimes terminate unexpectedly on 64-bit PowerPC architecture using the XDMCP protocol.
- Red Hat Enterprise Linux 6 graphics stacs does not support NVIDIA Optimus hardware configurations. On laptops with both Intel and NVIDIA GPUs, some or all external video ports may not function correctly when using the Intel GPU. If external video ports are needed, configure the BIOS to use the NVIDIA GPU instead of the Intel GPU if possible.
- Two-finger scrolling is default for devices that announce two-finger capability. However, on certain machines, although the touchpad announces two-finger capability, events generated by the device only contain a single finger position at a time and two-finger scrolling therefore does not work. To work around this problem, use edge scrolling instead.
- In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:
- Start Firefox.
about:configinto the URL bar and press the Enter key.
- If prompted with "This might void your warranty!", click thebutton.
- Right-click in thelist. In the menu that opens, select → .
- Type "storage.nfs_filesystem" (without quotes) for the preference name and then click thebutton.
truefor the boolean value and then press the button.
- The wacomcpl package has been deprecated and has been removed from the package set. The wacomcpl package provided graphical configuration of Wacom tablet settings. This functionality is now integrated into the GNOME Control Center.
- Running a AMD64 system without the sssd-client.i686 package installed, which uses SSSD for getting information about users, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.
- With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 NVIDIA chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
- When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
- Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item→ ). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods describe above.
- The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the button that appears.
- In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.
- The mvapich2 packages use the
GNU Autotoolsset of tools (
libtool) to process its configuration. Features included in version 1.12 and later are required, but are not available in Red Hat Enterprise Linux 6.6 and earlier. As a consequence, rebuilding mvapich2 fails with earlier versions of
GNU Autotools. To work around this problem, uninstall the autoconf, automake, and libtool packages, rebuild mvapich2, and then reinstall
- Under certain circumstances, the
IPMIservice is not started and the
ipmi_devintfkernel module that provides the device node interface is not loaded. As a consequence, some hardware could reboot unexpectedly after installation before the first intentional reboot. To work around this problem, run the following commands as root:
chkconfig --level 345 ipmi on
service ipmi restart
service bmc-watchdog condrestartAlternatively, log in as root, create the
/etc/modprobe.d/watchdog-reboot-workaround.conffile, and include the following three aliases:
- alias acpi:IPI000*:* ipmi_si
- alias acpi:IPI000*:* ipmi_devintf
- alias acpi:IPI000*:* ipmi_msghandler
- The following example in the description of the -V option in the ssh-keygen(1) manual page is incorrect:
“-4w:+4w” (valid from four weeks ago to four weeks from now)If you set a date range in this format, the certificate is valid from four weeks ago until now.
- Attempting to access the CURLINFO_PRIVATE value can cause curl to terminate unexpectedly with a segmentation fault.
- The ALSA plug-in is not supported in Red Hat Enterprise Linux 6. Instead of the ALSA plug-in, use the pulseaudio plug-in. To enable it, use the
--plugin rpdsndoption with the
xfreerdpcommand without specifying which plug-in should be used; the pulseaudio plug-in will be used automatically in this case.
- Personal Identity Verification (PIV) Endpoint Cards which support both CAC and PIV interfaces might not work with the latest coolkey update; some signature operations like PKINIT can fail. To work around this problem, downgrade coolkey to the version shipped with Red Hat Enterprise Linux 6.3.
- Even if the stored credentials are used , the report-gtk utility can report the following error message:
Wrong settings detected for Red Hat Customer Support [..]To work around this problem, close the dialog window; the
Password=<rhn-password>credentials in the
/etc/libreport/plugins/rhtsupport.confwill be used in the same way they are used by report-rhtsupport.For more information, refer to this Knowledge Base article.
- When a user password is used to lock a console with vlock, the console can only be unlocked with the user password, not the root password. That is, even if the first inserted password is incorrect, and the user is prompted to provide the root password, entering the root password fails with an error message.
- Libreoffice contains a number of harmless files used for testing purposes. However, on Microsoft Windows system, these files can trigger false positive alerts on various anti-virus software, such as Microsoft Security Essentials. For example, the alerts can be triggered when scanning the Red Hat Enterprise Linux 6 ISO file.
- When the computer runs on battery, custom brightness level is not remembered and restored if power saving features like "dim display when idle" or "reduce backlight brightness when idle" are enabled.
- rsyslog does not reload its configuration after a
SIGHUPsignal is issued. To reload the configuration, the
rsyslogdaemon needs to be restarted:
service rsyslog restart
Chapter 7. New Packages
Chapter 8. Updated Packages
- When a new user was created on Active Directory (AD) and their password was set, the system administor checked the flag "User must change password on next login". Afterwards, the default password was sent to Red Hat Directory Server (RHDS), which set the password but removed the aforementioned flag. With this update, the flag for password change at next login persists, and the password sync tool for by-passing the 7-day constraint is allowed if the flag is checked.
- If an ACI (access control instruction) is configured to give permissions to "self", bound user itself, the result of a granted access for an entry was cached and could erroneously be reused for all entries. Consequently, a bound client could retrieve entries or attributes it was not supposed to, or fail to retrieve those entries and attributes it was supposed to retrieve. With this update, certain accesses are granted per entry, making sure that if a granted access is cached, it is purged for the next entry.
- The multi-master replication protocol keeps a cumulative counter of the relative time offsets between servers. However, prior to this update, if the system time was adjusted by more than one day, the counter became off by more than one day. Consequently, a replication consumer refused to accept changes from the master and the replication process failed. This update adds a new configuration attribute to cn=config - nsslapd-ignore-time-skew, with the default of "off". In addition, an error message is logged warning the system administrator about the time skew issue. Alternatively, if this attribute is set to "on", a replication consumer allows replication to proceed despite the excessive time skew.
- Previously, when an invalid install script from host name to the server was supplied, a vague error message was returned to the user. This update provides a proper error message to be returned when a setup script encounters an error in the host name.
- Previously, the size of the directory server was constantly increasing after search requests for simple paged results were processed. The memory leak causing this bug has been fixed, and the server size no longer increases in the aforementioned situation.
- Prior to this update, Windows Sync Control request returned the renamed member of a group entry only, not the group containing this member. As a consequence, renaming user Distinguished Name (DN) on Active Directory (AD) was not applied to the synced member DN in a group that the user DN belonged to. With this update, once a rename operation is received from AD, Windows Sync Control searches groups having a member value, and replaces the old DN with the renamed DN. In addition, Windows Sync Control also updates the renamed member DN in a group as intended.
- Previously, when importing an LDAP Data Interchange Format (LDIF) or doing a replication initialization that contained tombstone entries, the parent entry of the tombstone entry had its numsubordinate entry count incorrectly incremented. With this update, the parent entry numsubordinate attribute is not updated when processing a tombstone entry, and numsubordinate value is now accurate in all entries.
- Previously, calculating the size of an entry in the memory was underestimated: the entry cache size was larger than the specified size in the configuration. This bug has been fixed by calculating each entry size more accurately, which leads to more accurate size of the entry cache.
- When trying to process an empty log file, the logconv.pl utility failed to run and reported a series of Perl errors. To fix this bug, empty log files are checked and ignored, and logconv.pl reports the empty log file by the following message:
Skipping empty access log, /var/log/dirsrv/slapd-ID/access.
- While a Total Replication Update or Replica Initialization was occurring, the server could terminate unexpectedly. With this update, the replication plugin is not allowed to terminate while the total update of replica is still running, and the server thus no longer crashes.
- Prior to this update, using the "-f" filter option caused the rsearch utility to return a filter syntax error. This update makes sure the filter is properly evaluated, and rsearch now works correctly when using the "-f" option.
- Previously, when a search request for simple paged results was sent to a server and the request was abandoned, the paged result slot in the connection table was not properly released. Consequently, as the slot was not available, the temporary initial slot number "-1" was kept to access an array, which caused its invalid access. With this update, the abandoned slot content is properly deleted for reuse. As a result, the temporary slot number is now replaced with the correct slot number, and invalid array accesses no longer occur.
- Due to exceeded size limit, Access Control Instruction (ACI) group evaluation failed. However, the "sizelimit" value could be a false value retrieved from a non-search operation. With this update, detected false values are replaced with an unlimited value (-1), and ACI group evaluation no longer fails due to an unexpected sizelimit exceeded error.
- Performing an LDAP operation using the proxied authentication control could previously lead to server memory leaks. With this update, the allocated memory is released after the operation completion, and the server no longer leaks memory when processing operations using the proxied authentication control.
- Prior to this update, the tombstone data resurrection did not consider the case in which its parent entry became a conflict entry. In addition, resurrected tombstone data treatment was missing in the entryrdn index. As a consequence, the parent-child relationship became confused when the tombstone data was being resurrected. With this update, the Directory Information Tree (DIT) structure is properly maintained; even if the parent of a tombstone-data entry becomes a conflict entry, the parent-child relationship is now correctly managed.
- Due to improper use of the valueset_add_valueset() function, which expects only empty values to be passed to it, the server could terminate unexpectedly. This update handles the misuse of the function, which now no longer causes the server to crash.
- Previously, the logging level was too verbose for the severity of the message, and the errors log could fill up with redundant messages. To fix this bug, the logging has been changed to be written only when "access control list processing" log level is being used, and thus the errors log no longer fills up with harmless warning messages.
- Previously, if the do_search() function failed at the early phase, the memory storing the given baseDN was not freed. The underlying source code has been fixed, and the baseDN no longer leaks memory even if the search fails at the early phase.
- Previously, in the entry cache, some delete operations failed with an error when entries were deleted while tombstone purging was in process. This update retries to obtain the parent entry until it succeeds or times out. As a result, delete operations in the entry cache now succeed as intended.
- Previously, when Multi Master Replication was configured, if an entry was updated on Master 1 and deleted on Master2, the replicated update from Master 1 could target on a deleted entry (a tombstone). This led to two consequences. Firstly, the replicated update failed and could break the replication. Secondly, the tombstone entries differed on Master 1 and Master 2. This update allows updates on a tombstone if the update originates in a replication. Now, replication succeeds and tombstone entries are identical on all servers.
- When deleting a node entry whose descendants were all deleted, previously, only the first position was checked. Consequently, the child entry at the first position was deleted in the database. However, it could be reused for the replaced tombstone entry, which reported the false error "has children", and thus caused the node deletion to fail. With this update, instead of checking the first position, all child entries are checked whether they are tombstones or not; in case all of them are tombstones, the node is deleted. Now, the false error "has children" is no longer reported, and a node entry whose children are all tombstones is successfully deleted.
- When a replication is configured, a replication change log database is also a target of the backup. However, backing up a change log database previously failed because there was no back end instance associated with the replication change log database. As a consequence, backing up on a server failed. With this update, if a backing up database is a change log database, the db2bak.pl utility skips checking the back end instance, and backing up thus works as intended.
- When processing a large amount of access logs without using any verbose options, memory continued to grow until the system was exhausted of available memory, or logs were completely processed. The back-ported feature causing excessive memory consumption has been removed, and memory now remains stable regardless of the amount of logging being processed.
- Previously, the following message was incorrectly coded as an error level:
changelog iteration code returned a dummy entry with csn %s, skipping ...Consequently, once the server run into the state, this benign error message was logged in the error log repeatedly. To fix this bug, the log level has been changed, and the the message is no longer logged.
- Prior to this update, when performing a modrdn operation on a managed entry, the managed entry plugin failed to properly update managed entry pointer. The underlying source code has been fixed, and the managed entry link now remains intact on modrdn operations.
- The previous MemberOf plugin code assumed the Distinguished Name (DN) value to have the correct syntax, and did not check the normalized value of that DN. This could lead to dereferencing a NULL pointer and unexpected termination. This update checks the normalized value and logs a proper error. As a result, invalid DN no longer causes crashes and errors are properly logged.
- When adding and deleting entries, the modified parent entry, numsubordinates, could be replaced in the entry cache, even if the operation failed. As a consequence, parent numsubordinate count could be incorrectly updated. This update adds code to unswitch the parent entry in the cache, and parent numsubordinate count is now guaranteed to be correct.
- Previously, if nested tombstone entries were present, parents were always purged first, and thus their child entries became orphaned. With this update, when doing the tombstone purge, the candidate list is processed in the reverse order, which removes the child entries before the parent entries. As a result, orphaned tombstone entries are no longer left orphaned after purging.
- Previously, a tombstone purge thread issued a callback search that started reading the id2entry file, even if the back end had already been stopped or disabled. This could cause the server to terminate unexpectedly. Now, when performing a search and returning entries, this update checks if the back end is started before reading id2entry. As a result, even if the tombstone purge occurs while the back end is stopped, the server no longer crashes.
- Due to various mistakes in the source code, potential memory leaks, corrupted memory, or crashes could occur. All the aforementioned bugs have been addressed, and the server now behaves as expected without crashing or leaking memory.
- Due to a failure in back end transaction, the post plugin was not properly passed to the back end. As a consequence, the ldapdelete client unexpectedly executed a tombstone deletion. A failure check code has been added with this update, and a tombstone deletion by ldapdelete now fails as expected.
- Previously, the server enabled the rsa_null_sha cipher, which was not considered secure. With this update, rsa_null_sha is no longer available.
- Previously, the caller of the slapi_valueset_add_attr_valuearray_ext() function freed the returned Slapi_ValueSet data type improperly upon failure. Consequently, Slapi_ValueSet leaked memory when the attribute adding operation failed. This update adds the code to free the memory, and returned Slapi_ValueSet no longer leaks memory.
- Prior to this update, syntax plugins were loaded during bootstrapping. However, in that phase, attributes had already been handled. As a consequence, the sorted results of multi-attribute values in schema and Directory Server specific Entries (DSE) became invalid. This update adds a default syntax plugin, and the sorted results of DSE and schema are now in the right order.
- Previously, environment variables, except from TERM and LANG, were ignored if a program was started using the "service" utility. Consequently, memory fragmentation could not be configured. To fix this bug, mallopt environment variables, "SLAPD_MXFAST", "MALLOC_TRIM_THRESHOLD_" and "MALLOC_MMAP_THRESHOLD_", have been made configurable. Now, memory fragmentation can be controlled explicitly and provide instructions to the "service" utility.
- Prior to this update, when running a CLEANALLRUV task, the changelog replication incorrectly examined a Change Sequence Number (CSN) which could be deleted and returned as the minimum CSN for a replica. With this update, CSNs that are from a "cleaned" replica ID are ignored, and replication now uses the correct minimum CSN.
- Previously, a group on Active Directory (AD) had a new member which was not a target of windows sync and existed only on AD. If an operation was executed on AD, the member was replaced with other members which were the targets of the windows sync. Consequently, the new member values were not synchronized. With this update, a modify operation follows including the member value, which is now proceeded by confirming the existence on AD, thus fixing the bug.If a group on Active Directory (AD) and Directory Server (DS) had members which were local, not synchronized, and the members were removed from the group on one side, the delete operation was synchronized and all the members including the local ones were deleted. The underlying source code has been modified to check, firstly, if an attribute is completely deleted on one side, secondly, if each value on the other side is in the sync scope. In addition, the value is now put to the mode for the delete only if the value is in the sync scope.
- Previously, the manual page for the logconv.pl utility was missing some of the command line options. The manual page has been updated to show the complete usage of logconv.pl with all the available options.
- Due to a bug in partial restoration, the order of the restored index became confused. With this update, the default compare function is called. Now, after running a partial restoration, indexing problems no longer occur.
- In processing Class of Service (CoS) definition entry, if the cosTemplateDn entry was not yet given when the cosAttribute entry was being processed, the parent entry Distinguished Name (DN) was set to cosTemplateDn automatically. Consequently, the parent entry could be an ancestor entry of an entry to be updated. In addition, if the entry was a target of the betxn type of plugins, a deadlock occurred. With this update, the parent entry DN is added only when codTemplateDn is not provided. Now, even if cosAttribute and cosTemplateDn are listed in the order in the CoS definition entry and the betxn type plug-ins are enabled, updating an entry no longer causes deadlocks.
- Previously, if Virtual List View (VLV) search failed with "timelimit" or "adminlimit" server resources, the allocated ID list was not freed. Consequently, when the failure occurred, the memory used for the ID list leaked. This update adds the free code for the error cases, and the memory leaks caused by the VLV failure no longer occur.
- Previously, only the root Distinguished Name (DN) accounts were able to specify users that could bypass the password policy settings or add hashed passwords to users. With this update, non-root DN accounts are allowed to perform these types of operations as well.
- Bug fixes for replication conflict resolution
- When the machine suspended, the NetworkManager daemon deactivated all network devices on that machine. Consequently, the Wake-on-LAN clients did not work because this network device was powered down, and thus could not receive the Magic Packet. With this update, NetworkManager leaves devices running at suspend time if they have the Wake-on-LAN or Wake-on-Wireless-LAN variable enabled, and Wake-on-LAN works as intended if the administrator enables it.
- Previously, NetworkManager used the kernel's Point-to-point protocol over Ethernet (PPPoE) driver, which did not inform userland when it received a PPPoE Active Discovery Terminate (PADT) frame. As a consequence, when connecting to certain digital subscriber line (DSL) providers, the NetworkManager daemon failed to notice whether the connection was dropped. With this update, NetworkManager uses a userland PPPoE driver rather than the kernel driver, and dropped DSL connections are now noticed for all providers.
- NetworkManager automatically provides an autoconnect for interfaces. Previously, when this connection was altered and saved, NetworkManager terminated unexpectedly. The write_ip4_setting() function has been updated to fix this bug, and NetworkManager no longer crashes after saving altered configuration.
- Due to improper synchronization between multiple threads when accessing shared data objects, the bonobo-activation-server process was in certain cases killed by the SIGSEGV signal. With this update, clean-up tasks on one thread have been deferred, so synchronization is no longer necessary. As a result, the process does not crash anymore in the described scenario.
- Due to a regression, some systems reported the following entry in the Automatic Bug Reporting Tool (ABRT) even though no applications were being tested at the time and the systems were idle:"Process /usr/sbin/packagekitd was killed by signal 11 (SIGSEGV)"A patch has been provided to fix this bug, and ABRT no longer produces such error messages.
- When running the "pkcon install" command, the pkcon utility failed to provide a prompt for the user requiring more information. Instead, the pkcon utility terminated unexpectedly and returned the following error:"Fatal error: user declined simulation"An upstream patch has been provided to fix this bug. As a result, pkcon prompts the user with "Proceed with changes? [N/y]" to get an input, and completes successfully.
- Due to a series of processes all aborting and nsswitch malfunctioning, starting the KVM host or guest displayed error messages on ABRT. The bug has been fixed, and KVM no longer returns error messages.
8.5. Release Notes
8.6. X11 client libraries
- CVE-2013-1981, CVE-2013-1982, CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987, CVE-2013-1988, CVE-2013-1989, CVE-2013-1990, CVE-2013-1991, CVE-2013-2003, CVE-2013-2062, CVE-2013-2064
- Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
- CVE-2013-1997, CVE-2013-1998, CVE-2013-1999, CVE-2013-2000, CVE-2013-2001, CVE-2013-2002, CVE-2013-2066
- Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
- A buffer overflow flaw was found in the way the XListInputDevices() function of X.Org X11's libXi runtime library handled signed numbers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
- A flaw was found in the way the X.Org X11 libXt runtime library used uninitialized pointers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
- Two stack-based buffer overflow flaws were found in the way libX11, the Core X11 protocol client library, processed certain user-specified files. A malicious X11 server could possibly use this flaw to crash an X11 client via a specially crafted file.
- Previously, updating the mesa-libGL package did not update the libX11 package, although it was listed as a dependency of mesa-libGL. This bug has been fixed and updating mesa-libGL now updates all dependent packages as expected.
- Previously, closing a customer application could occasionally cause the X Server to terminate unexpectedly. After this update, the X Server no longer hangs when a user closes a customer application.
- Previously, kernel oops messages were deleted by ABRT, and thus the user was not sufficiently informed about the kernel behavior. With this update, kernel oops messages are kept and also supplemented by an explanation. The previous behavior can be restored in the newly created /etc/abrt/plugins/oops.conf file (man abrt-oops.conf).
- With this update, ABRT messages include machine host name.
- Previously, the AIDE utility did not handle 'prelink' files properly if the prelink package was not installed. As a consequence, initializing the database by running the 'aide --init' command caused errors, and the database could not then be read with the 'aide --check' command. With this update, after running the 'aide --init' command in the described situation, a warning massage is displayed that prompts the user to install the prelink package first.
- Prior to this update, the AIDE utility did not process the 'report_attributes' parameter correctly. Consequently, running the 'aide --check' command resulted in an incomplete report and a segmentation fault. A patch has been applied to address this bug, and AIDE now works as expected when reporting forced attributes.
- Previously, the Akonadi service used the hard-coded ~/.local/share/akonadi socket directory. As a consequence, the Akonadi server did not start if the home directory was located on Andrew File System (AFS), which did not support the creation of UNIX sockets. With this update, the directory that holds the sockets has been changed to '/tmp/[username]-akonadi.[random]'. As a result, Akonadi starts on systems with the home directory on AFS as expected.
- The alsa-utils packages have been updated with various upstream fixes to improve stability and usage.
- Previously, Abstract Machine Test Utility (AMTU) did not handle the name of the interface correctly under certain circumstances. As a consequence, AMTU failed to obtain a list of network interfaces to test. With this update, the interface hardware type and carriers are obtained from the /sys/class/net/ directory. Now, only an Ethernet and a token ring can be used, and a carrier must be present. As a result, AMTU handles the new network interface names as expected.
- Prior to this update, AMTU ran network tests on interfaces configured with a static IP that did not have an existing connection, causing those tests to fail. With this update, AMTU no longer runs tests on interfaces that are not up.
- Previously, the name of the network interface was restricted to 4 characters on 32-bit systems and 8 characters on 64-bit system due to using the sizeof() operator instead of the strlen() function. As a consequence, AMTU did not correctly display the full network interface name in certain portions of the output. A patch has been applied to address this bug, and AMTU now always displays the full network interface name as expected.
- When users of IBM System z had the kdump package installed, the default kernel was set to
kernel-kdump. However, the
zIPLutility ignored the
Kdumpand debugged kernels when creating the
zipl.conffile. Consequently, after updating the system, the newly-installed kernel was not set as the default entry in
zipl.confsince the default kernel has been set to
kernel-kdump. Now, if a kernel name includes “-kdump”, such a kernel is not set as default instead of the newly-installed kernel.
- Under certain circumstances, downloading of a kickstart file could fail due slow network initialization. To address this bug, a new
GATEWAY_PING_TIMEOUToption has been added to the Network Manager. The option checks connectivity to the server before reporting a network interface as being connected. With this update, Anaconda has been modified to use this feature by the
nicedelayboot option that can now be used in cases of very slow network initialization.
- No major release version was written to the boot menu for Red Hat Enterprise Linux. As a consequence, after installing on a multi-boot system, it was not clear which Red Hat Enterprise Linux entry corresponded to which major version. The boot menu entry now contains the major version of the Red Hat Enterprise Linux release. For Red Hat Enterprise Linux 6, this means there is the
Red Hat Enterprise Linux 6entry. Note that there is not the minor version number, such as
6.6. This is because there is currently no infrastructure to update the boot menu entry in place, so the entry would be incorrect after an upgrade.
- When a bonding device was specified in the
%presection of a kickstart file and used with the
%includekickstart option, Anaconda could not create the bond interface correctly. This update applies a patch to fix this bug and bonding interfaces are created as expected in the described scenario.
- Previously, it was not possible to specify a local domain name by the kickstart
networkcommand. As a consequence, if a short host name was configured by the kickstart network
--hostnameoption, name resolution of short names from local domain did not work properly in the Anaconda installer. A new
--domainoption for the
networkcommand has been added to address this bug.
- When upgrading using Anaconda, it attempted to enable all swap devices listed in the
/etc/fstab/directory on the system. However, Anaconda did not check whether the swap devices existed. Consequently, non-existent swap devices listed in
/etc/fstab/caused errors to be returned during an upgrade. With this update, when Anaconda encounters such a device, it displays a dialog window allowing the user to either skip the device or abort the upgrade.
--percentparameter was omitted in the output kickstart file, even if it was provided in the input kickstart file. As a consequence, the installation would be less reproducible using the output kickstart file. With this update, the kickstart code has been modified to not omit the
--percentparameter from the output kickstart file.
- Previously, Anaconda did not check the VLAN ID that was passed as a boot parameter. Therefore, Anaconda could not retrieve a kickstart file on an NFS volume over a VLAN interface, because a VLAN connection had not been established. This update modifies Anaconda to check the VLAN ID.
- During installation, the
/tmp/size directory was always 250M. On systems with a large number of drives, large driver update disks, or a large number of repositories,
/tmp/space could be exhausted, causing the installation to terminate unexpectedly. With this update, 50% of memory is reserved for
/tmp/on systems with RAM greater than 512M, thus the installation proceeds correctly in the aforementioned scenario.
- This update allows using the symbolic console device identifier for the
cio_ignorekernel parameter in the
generic.prmfile for the IBM System z. Using this identifier prevents issues which may arise if no default console device number is available at installation time, or if the console device number is different from what was previously a hard-coded value in the
generic.prmfile. As a result, console devices using a different device identifier than what was previously hard-coded into the
generic.prmfile can be removed from the blacklist and made available for use.
- The interpretation of the "ausearch -i" command, alternatively "ausearch --interpret", has been improved. * New event types are supported by the audit packages. * Remote logging bugs have been fixed. * The ausearch matching has been improved. * The augenrules utility support has been added to the audit packages. * Management of audispd plugins has been completely reworked. * The updated ausearch and aureport utilities can now produce reports from logs not included in the configured audit log directory by specifying the directory containing the logs on the command line. * The auditctl list rules command (the -l option) now outputs rules from the kernel in a new format which matches the formatting accepted to be loaded into the kernel.
- Previously, the audisp-remote plugin did not connect to the remote server after a transient "critical" network error. The underlying source code has been patched, and audisp-remote now connects to the remote server as intended.
- With this update, audit rules can be built from a directory of rule files. Rule files can be stored in the /etc/audit/rules.d/ directory based on what packages are installed. When rules need to be loaded into the kernel, they are now assembled into one master file by the augenrules utility and then loaded.
- This update adds a new command line option, --checkpoint. When invoked, the --checkpoint option causes the ausearch utility to report only new complete events on successive executions. This option is especially useful for running periodic reports that display the updates since the last report.
- BZ#1001635, BZ#1059383
- Previously, the Grub lens did not support "setkey", "lock", and "foreground" directives, which caused virt-v2v process to terminate unexpectedly with an error message. The bug has been fixed, and virt-v2v process no longer fails.
- BZ#1093711, BZ#1016904
- When sudo configuration files, sudoers, contained directives with user aliases or group names using underscore characters, the sudoers lens was unable to parse the configuration file. With this update, underscores have been permitted in group names, and the sudoers lens now parses files successfully.
- Prior to this update, when shell configuration files contained "export" lines with multiple variables or case statements with two semicolons (;;) on the same line as an expression, Augeas was unable to parse these files. With this update, Augeas handles multiple variables on the same export line and case statements with two semicolons as expected, and the aforementioned files are successfully parsed.
- Previously, when the sysconfig lens was used to parse a shell configuration file containing a blank comment after another comment, the parsing process failed. The lens has been fixed to parse this combination of comments, and parsing is now finished successfully.
- When parsing yum configuration files with spaces around key or value separators, Augeas was unable to parse the files. The underlying source code has been fixed, and yum configuration files are now parsed successfully.
- Prior to this update, no generic lens existed for parsing the INI-style files, and parsing thus failed with an error message. The IniFile module has been fixed to contain generic lenses, and INI-style files are now parsed as intended.
- When automounter maps contained references to hosts with host names containing hyphens, the automounter lens failed to parse the /etc/auto.export configuration file. A patch has been provided to fix this bug, and /etc/auto.export is now parsed as expected.
- Prior to this update, the default rsyslog configuration file provided in Red Hat Enterprise Linux failed to parse using Augeas. The rsyslog lens has been fixed to parse the filters and templates used, and /etc/rsyslog.conf is now parsed successfully.
- When Nagios Remote Plugin Executor (NRPE) configuration files contained the "allow_bash_command_substitution" option, the NRPE lens was unable to parse the files. A patch has been provided to fix this bug, and files with "allow_bash_command_substitution" are now parsed as intended.
- With this update, lenses have been added to parse configuration files relating to Red Hat JBoss A-MQ, including ActiveMQ configurations, ActiveMQ XML files, Jetty configuration, and JMX access files.
- A new lens has been added to parse the Splunk configuration files, and thus the user can now manage Splunk configuration through the Puppet module.
- Previously, the authconfig utility did not back up the /etc/passwd files, /etc/group, /etc/shadow, and /etc/gshadow files. As a consequence, if the "authconfig --restorebackup" command was run, these files were not reverted. With this update, authconfig backs up the aforementioned files, and when the "--restorebackup" option is used, it properly reverts the state of these files.
- Prior to this update, the authconfig utility did not properly read the LDAP base from the nslcd.conf file if there were multiple specific the LDAP bases specified. Consequently, the value of the LDAP base read from nslcd.conf was incorrect. With this update, authconfig ignores the specific LDAP bases, and reads and overwrites only the general LDAP base value.
- In some cases the authconfig utility was not able to properly detect whether SSSD or Winbind should be enabled. As a consequence, these daemons were stopped when authconfig was run although they should have not been effected. With this update, authconfig no longer changes the state nor restarts the services if the services configuration is not changed. As a result, the SSSD or Winbind runs after the execution of the "authconfig --update" command and does not effect any settings related to SSSD or Winbind.
- When the "authconfig --disableipav2 --update" command was used, the "ipa-client-install --uninstall" command was not run. As a consequence, the IPA client was not properly deinitialized on the machine and the machine was not removed from the previously joined domain. The updated authconfig utility now correctly calls "ipa-client-install --uninstall" in the described scenario, and the IPA client of the machine is properly deinitialized, and the machine removed from the domain.
- Prior to this update, the default umask when creating home directories with the pam_mkhomedir utility was 0022, which made these directories world-readable. To fix this bug, the "umask=0077" option with pam_mkhomedir is used by default, and the home directories newly created by pam_mkhomedir are no longer world-readable.
- Previously, the ipa-client-install command used for the IPAv2 domain join was interactively asking for input. When called from the authconfig-gtk GUI, the user could not interact with it, and thus the domain join operation failed. With this update, the authconfig GUI uses the "ipa-client-install --unattended" command and no longer tries to interact with the user. As a result, the IPAv2 domain join operation is now successful.
- The authconfig utility is now able to set up the automount entry in the nsswitch.conf file to pull information from the LDAP server via the SSSD client.
- The am-utils package, which provides automatic mounting of maps in the amd format, is no longer supported in Red Hat Enterprise Linux 6. However, amd-formatted maps are still needed for example when using keys containing the forward slash (/), using wildcard matching for keys, or performing more complex actions after the key is matched. This update adds a parser for amd-formatted maps to the autofs utility.
- If an IPv6 link-local address contained the percent sign (%), the autofs utility incorrectly reported the address as invalid. The mount location validity check has been updated, and the incorrect reports no longer occur in the described case.
- When checking the mount option string, the automount daemon did not take into account the length of the string, which led to incorrect comparisons. As a consequence, the mount probes did not include NFS version 3 when the "-v" option was used, and under some circumstances, the mounts were not created properly. The option matching has been modified to account for option length, thus fixing this bug.
- Due to previous changes to the autofs utility, autofs was not properly handling remote procedure calls (RPC) to probe server availability. Consequently, autofs was not querying the portmapper service for NFS version 2 and NFS version 3 mounts correctly. The RPC handling in autofs has been updated, and autofs now queries host availability properly.
- The negative cache timeout was not handled properly by the autofs utility. Consequently, autofs was not correctly reading included automounter maps. This update fixes the handling of the negative cache in autofs.
- BZ#1068999, BZ#1081285
- The autofs utility did not apply mutual exclusion when using the initialization and termination functions from the OpenLDAP library. As these functions are not thread-safe, a double free error occurred and autofs terminated unexpectedly. This bug has been fixed by adding a mutual exclusion condition for the aforementioned OpenLDAP functions.
- The autofs utility did not correctly process the output from the scandir() function. Consequently, autofs could terminate unexpectedly with a segmentation fault. The autofs utility has been modified to correctly read the scandir() output.
- If the standard I/O file descriptors were closed by a process that started the autofs utility, autofs, before entering daemon state, could create file descriptor corresponding to one of the standard I/O file descriptors. When autofs entered daemon mode, these file descriptors were closed and autofs terminated unexpectedly. Now, the device control file descriptor is closed after the autofs file system version check and a new descriptor is opened after autofs enters daemon mode.
- The autofs utility did not properly check for entries that corresponded to previously failed mount attempts, the so-called "negative entries". Consequently, when the "autofs mount" command was specified with the "browse" option, the autofs utility could create directories that did not correspond to map entries within the corresponding automounter map. With this update, the check for negative map entries has been fixed.
- When calling the autofs parser, the scan buffer was sometimes not properly reset for the next scan. Consequently, incorrect success returns occurred for subsequent operations. The autofs utility attempted to add these returned entries, which led to a segmentation fault. This bug has been fixed by adding a function that resets the parse buffer at the start of each map entry scan.
- BZ#768708, BZ#885849
- Previously, when the ARCOUNT field in the DNS Response Header contained a non-zero value, avahi-daemon performed a check and logged errors about invalid DNS packets being received. Note that a non-zero value of ARCOUNT is an indication of additional data sections in the DNS packet, but avahi-daemon does not interpret them. As a consequence, avahi-daemon was not sufficiently interoperable with other mDNS/DNS-SD implementations, and the automatic service discovery thus did not provide the user with the expected results on some platforms. Additionally, avahi-daemon logged inaccurate information which cluttered log files. The redundant check has been removed, and the described situation no longer occurs.
- Previously, various options such as maximum count of cached resource records or numerous options related to handling of connected clients to the avahi-daemon could not be configured. As a consequence, in large networks, the avahi-daemon could reach the upper bound of some internal limits. In addition, the avahi-daemon was exhibiting erroneous behavior, such as logging error messages and failing to discover some services in large networks. To fix this bug, support for configuring various internal limits has been introduced with the following newly added options: cache-entries-max, clients-max, objects-per-client-max, entries-per-entry-group-max. For details about these options, see the avahi-daemon.conf(5) manual page.
- Under certain circumstances, a file descriptor leak occurred in nested Bash functions. This bug has been fixed and file descriptors are no longer leaked in the described case.
- Due to a bug in the tty driver, an ioctl call could return the "-EINTR" error code when the "read" command was interrupted by a signal, such as SIGCHLD. As a consequence, the subsequent "read" call caused the Bash shell to abort with a "double free or corruption (out)" error message. The applied patch corrects the tty driver to use the "-ERESTARTSYS" error code so the system call is restarted if needed. As a result, Bash no longer crashes in this scenario.
- When the HISTFILESIZE variable was set to a value larger than zero, the HISTSIZE variable was set to zero as well. If the .bash_history file had time stamps enabled and was not empty, executing the "su - " command caused Bash to become unresponsive. This bug has been fixed, and Bash no longer hangs in the aforementioned scenario.
- Previously, Bash did not process quote characters correctly when using here-strings with multi-line input in a function declaration. Consequently, the declaration was corrupted, which affected copying such functions, or transferring them to another shell. This bug has been fixed, and here-strings with multi-line input are now processed correctly.
- When processing larger associative arrays inside Bash scripts, a memory leak occurred. This bug has been fixed, and Bash no longer leaks memory when working with associative arrays.
- If a command substitution enclosed in double-quote characters contained a double-quoted string, Bash performed brace expansion on the command before performing command substitution. Consequently, the command created different output than expected. The bug has been fixed, and command substitution now precedes brace expansion in the described case.
- After editing a command in vi visual mode, Bash echoed every substituted command, which produced a lengthy shell output when editing loops. This behavior has been changed and Bash now only echoes the original string in the described scenario.
named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
- Previously, the
allow-notifyconfiguration option did not take into account the Transaction SIGnature (TSIG) key for authentication. Consequently, this caused a slave server not to accept a
NOTIFYmessage from a non-master server that used the TSIG key for authentication, even though the slave server was configured to accept
NOTIFYmessages when the specific TSIG key was used. The
namedsource code has been fixed to also check the TSIG key ID when receiving a
NOTIFYmessage from a non-master server, and the slave server now correctly accepts
NOTIFYmessages in this scenario.
- Prior to this update, the Response Rate Limiting (RRL) functionality in BIND distributed in Red Hat Enterprise Linux 6 was missing the
nodata-per-secondoptions. As a consequence, users of BIND that was configured to use the RRL functionality could not explicitly filter empty responses for a valid domain and referrals or delegations to the server for a given domain. With this update, the missing functionality has been backported to BIND, and users can now explicitly filter empty responses for a valid domain and referrals or delegations to the server for a given domain when using the RRL functionality in BIND.
- Previously, the host utility used the same send buffer for all outgoing queries. As a consequence, under high network load, a race condition occurred when the buffer was used by multiple queries, and the host utility terminated unexpectedly with a segmentation fault when sending of one query finished after another query had been sent. The host utility source code has been modified to use a separate send buffer for all outgoing queries, and the described problem no longer occurs.
- Prior to this update, a bug in the BIND resolver source code caused a race condition, which could lead to prematurely freeing a fetch memory object. As a consequence, BIND could terminate unexpectedly with a segmentation fault when it accessed already freed memory. The BIND resolver source code has been fixed to guarantee that the resolver fetch object is not freed until there is no outstanding reference to that object, and BIND no longer crashes in this scenario.
- Previously, the manual page for the dig utility contained upstream-specific options for an Internationalized Domain Name (IDN) library. Consequently, these options did not function as expected and users were incapable of disabling IDN support in dig following the steps from the manual page. The dig(1) manual page has been modified to include the options of the IDN library used in Red Hat Enterprise Linux and users can now successfully disable IDN support in dig following the steps from the manual page.
- Prior to this update, due to a regression, the dig utility could access an already freed query when trying multiple origins during domain name resolution. Consequently, the dig utility sometimes terminated unexpectedly with a segmentation fault, especially when running on a host that had multiple search domains configured in the
/etc/resolv.conffile. The dig source code has been modified to always use a query that is still valid when trying the next origin, and the dig utility no longer crashes in this scenario.
- Prior to this update, the
namedsource code was unable to correctly handle the Internet Control Message Protocol (ICMP) Destination unreachable (Protocol unreachable) responses. Consequently, an error message was logged by
namedupon receiving such an ICMP response but BIND did not add the address of the name server to a list of unreachable name servers. This bug has been fixed, and no errors are now logged when the ICMP Destination unreachable (Protocol unreachable) response is received.
- Previously, the
/var/named/chroot/etc/localtimefile was created during the installation of the bind-chroot package, but its SELinux context was not restored. Consequently,
/var/named/chroot/etc/localtimehad an incorrect SELinux context. With this update, the command to restore the SELinux context of
/var/named/chroot/etc/localtimeafter creation has been added in the post transaction section of the SPEC file, and the correct SELinux context is preserved after installing bind-chroot.
- Previously, the
/var/named/named.cafile was outdated and the IP addresses of certain root servers were not valid. Although the
namedservice fetches the current IP addresses of all root servers during its startup, invalid IP addresses can reduce performance just after a restart. Now,
/var/named/named.cahas been updated to include the current IP addresses of root servers.
- Prior to this update, the
namedinit script checked the existence of the
rndc.keyfile only during the server startup. Consequently, the init script generated
rndc.keyeven if the user had a custom Remote Name Daemon Control (RNDC) configuration. This bug has been fixed, and the init script no longer generates
rndc.keyif the user has a custom RNDC configuration.
- Previously, when calling the
sqlitecommands, the zone2sqlite utility used a formatting option that did not add single quotes around the argument. As a consequence, zone2sqlite was unable to perform operations on tables whose name started with a digit or contained the period (
.) or dash (
–) characters. With this update, zone2sqlite has been fixed to use the correct formatting option and the described problem no longer occurs.
- Previously, the
namedinit script did not check whether the PID written in the
named.pidfile was a PID of a running
namedserver. After an unclean shutdown of the server, the PID written in
named.pidcould belong to an existing process while the
namedserver was not running. Consequently, the init script could identify the server as running and therefore the user was unable to start the server. With this update, the init script has been enhanced to perform the necessary check, and if the PID written in
named.pidis not a PID of the running
namedserver, the init script deletes the
named.pidfile. The check is performed before starting, stopping, or reloading the server, and before checking its status. As a result, the user is able to start the server without problems in the described scenario.
- Prior to this update, BIND was not configured with the
--enable-filter-aaaaconfiguration option. As a consequence, the
filter-aaaa-on-v4option could not be used in the BIND configuration. The
--enable-filter-aaaaoption has been added, and users can now configure the
filter-aaaa-on-v4option in BIND.
- Prior to this update, the
namedinit script command
configtestdid not check if BIND was already running, and mounted or unmounted the file system into a chroot environment. As a consequence, the
namedchroot file system was damaged by executing the
configtestcommand while the
namedservice was running in a chroot environment. This bug has been fixed, and using the init script
configtestcommand no longer damages the file system if
namedis running in a chroot environment.
- Previously, due to a missing statement in the
namedinit script, the init script could return an incorrect exit status when calling certain commands (namely,
test) if the
namedconfiguration included an error. Consequently, for example, when the
service named configtestcommand was run, the init script returned a zero value meaning success, regardless of the errors in the configuration. With this update, the init script has been fixed to correctly return a non-zero value in case of an error in the
- Previously, ownership of some documentation files installed by the bind package was not correctly set. Consequently, the files were incorrectly owned by
namedinstead of the
rootuser. A patch has been applied, and the ownership of documentation files installed by the bind package has been corrected.
- Prior to this update, the
/dev/randomdevice, which is a source of random data, did not have a sufficient amount of entropy when booting a newly installed virtual machine (VM). Consequently, generating the
/etc/rndc.keyfile took excessively long when the
namedservice was started for the first time. The init script has been changed to use
/dev/randomas the source of random data, and the generation of
/etc/rndc.keynow consumes a more reasonable amount of time in this scenario.
- Previously, the nsupdate utility was unable to correctly handle an extra argument after the
-roption, which sets the number of User Datagram Protocol (UDP) retries. As a consequence, when an argument followed the
-roption, nsupdate terminated unexpectedly with a segmentation fault. A patch has been applied, and nsupdate now handles the
-roption with an argument as expected.
- Previously, when the
namedservice was running in a chroot environment, the init script checked whether the server was already running after it had mounted the chroot file system. As a consequence, if some directories were empty in the chroot environment, they were mounted again when the
service named startcommand was used. With this update, the init script has been fixed to check whether
namedis running before mounting file system into the chroot environment and no directories are mounted multiple times in this scenario.
- Previously, BIND was not configured with the
--with-dlopen=yesoption. As a consequence, external Dynamically Loadable Zones (DLZ) drivers could not be dynamically loaded. A patch has been applied, and external DLZ drivers are now dynamically loadable as expected.
- Previously, the number of workers and client-objects was hard-coded in the Lightweight Resolver Daemon (
lwresd) source, and it was insufficient. This update adds two new options: the
lwres-tasksoption, which can be used for modifying the number of workers created, and the
lwres-clientsoption, which can be used for specifying the number of client objects created per worker. The options can be used inside the
lwresstatement in the
- This update adds support for the TLSA resource record type in input zone files, as specified in RFC 6698. TLSA records together with Domain Name System Security Extensions (DNSSEC) are used for DNS-Based Authentication of Named Entities (DANE).
named) will be restarted automatically.
- Previously, the ld linker could overwrite a valid SONAME with an empty string in a DT_NEEDED record. Consequently, certain programs were linked but could not be executed because symbols from some libraries were not loaded. With this update, the ld linker correctly handles empty strings in SONAMEs, and programs linked by ld now can be executed as expected.
- When creating a shared library for a "ppc64" target, the ld linker selected linker stubs that were not thread-safe by default. Consequently, if such a shared library was used by a multi-threaded application, calls into the library could fail in unpredictable ways. To fix this problem, the ld linker now build shared libraries for "ppc64" targets with thread-safe linker stubs.
- The readelf utility incorrectly assumed that a long name table would always be available if an archive used long names. Consequently, readelf could terminate unexpectedly with a segmentation fault on archive libraries that used long names but did not have a long name table. To fix this problem, readelf now verifies the existence of a long name table on archive libraries.
- The ld linker incorrectly handled certain TLS relocations that appears in debugging (DWARF) sections. Consequently, debugging information for some variables in TLS sections could be incorrect. With this update, the ld linker now correctly handles TLS relocations in DWARF sections, and the related TLS variables now can be properly examined.
- Due to the way the Python programming language was packaged for Red Hat Enterprise Linux, the boost packages could not be provided for secondary architectures. For example, boost-devel.i686 was not available on the x86-64 architecture. The Python packaging has been updated, and it is now possible to install secondary-architecture versions of the boost packages.
- A coding error in the shared_ptr pointer previously caused a memory leak when serializing and unserializing shared pointers. The shared_ptr code has been corrected and the memory leak now no longer occurs.
- Due to an error in threading configuration of GNU Compiler Collection (GCC) version 4.7 or later, Boost failed to detect the support for multithreading versions of GCC. This patch fixes the error and Boost now detects multithreading support in the described circumstances correctly.
- Prior to this update, a number of boost libraries were not compatible with GCC provided with Red Hat Developer Toolset. A fix has been implemented to address this problem and the affected libraries now properly work with Red Hat Developer Toolset GCC.
- The mpi.so library was previously missing from the boost libraries. Consequently, using the Message Passing Interface (MPI) in combination with Python scripts failed. With this update, mpi.so is included in the boost packages and using MPI with Python works as expected.
- The MPICH2 library has been replaced with a later version, MPICH 3.0. Note that Boost packaging has been updated accordingly and new packages are named boost-mpich* instead of boost-mpich2*.
- Smart Card readers have multiple modes, some of which have limitations on the size of commands that can be sent to the Smart Card. Previously, OmniKey 3121 supported the modes of operation that allowed longer commands, but not in the standard CCID way. As a consequence, the user received an unrecoverable error message when running a long command. This update recognizes OmniKey 3121 and enables the longer modes so that longer commands are successfully executed on the Smart Card.
- This update fixes the implementation of the remove_known_ca dbus call in the certmonger package to prevent the certmonger daemon from terminating unexpectedly when called by remove_known_ca.
- This update adds the certmonger_selinux manual page to document the effect that SELinux has in limiting the allowed access to locations for the certmonger daemon. Also, the selinux.txt document has been added to the certmonger package to provide more details about interaction with SELinux. A reference to certmonger_selinux and selinux.txt has been added to other certmonger man pages.
- Previously, the fencing time comparison did not work as expected when fence agent completed too fast or the corosync callback was delayed. Consequently, the Distributed Lock Manager (DLM) became unresponsive when waiting for fencing to complete. With this update, different time stamps that are not effected by the sequence of fencing or corosync callbacks are now saved and compared, and DLM no longer hangs in the aforementioned situation.
- Prior to this update, the "pcs stonith confirm <node>" command failed to acknowledge the STONITH fencing technique. As a consequence, any requests from other nodes in the cluster or from clients in the same node became ignored. A patch has been provided to fix this bug, and "pcs stonith confirm" now works as expected, fencing the specified node successfully.
- Due to an error in the configuration, the qdisk daemon in some situations used an incorrect "tko" parameter for its wait period when initializing. Consequently, qdisk initialization could be significantly delayed and, under some circumstances, failed entirely. With this update, the cluster configuration file has been fixed, and qdisk initialization now proceeds as expected.
- Previously, the ccs_read_logging() function used the create_daemon_path() function to generate daemon-specific CCS paths for the attributes. As a consequence, attributes on individual logging_daemons were not applied correctly. This bug has been fixed, and attributes on individual logging_daemons are now applied correctly.
- Due to a code error in corosnync, after the corosync utility terminated unexpectedly with a segmentation fault, the qdiskd daemon evicted other cluster nodes. The underlying source code has been patched, and qdiskd no longer evicts the other nodes if corosync crashes.
- Prior to this update, running the "ccs_tool -verbose" command caused ccs_tool to terminate unexpectedly with a segmentation fault. This bug has been fixed, and ccs_tool now returns an error message providing more information.
- Due to an overly restrictive umask, running the "gfs2_grow" command changed the /etc/mtab file permissions from default 644 to 600. A patch has been provided to fix this bug, and gfs2_grow no longer resets /etc/mtab permissions.
- Previously, fsck.gfs2 did not fix corrupt quota_change system files. As a consequence, attempts to mount the file system (FS) resulted in an error, even though fsck.gfs2 reported the FS to be clean. With this patch, if fsck.gfs2 finds a corrupted quota_change file, it can rebuild it. Now, GFS2 mounts successfully as intended.
- Previous attempts to mount a GFS2 file system that had already been mounted prevented further mount attempts from other nodes from completing. With this update, mount.gfs2 no longer leaves the mount group when the file system is already mounted, and attempts to mount an already mounted GFS2 file system are handled properly.
- Prior to this update, a GFS2 volume failed to mount after conversion from GFS to GFS2, and the gfs2_convert utility aborted with a segmentation fault. The gfs2-utils code has been patched to fix this bug, and the aforementioned conversions now proceed successfully.
- To aid debugging and administration, fsck.gfs2 now logs a message to the system log when it starts and ends.
- Previously, the modcluster service mishandled requests with size in bytes divisible by 4096, which is the size of the read buffer in bytes. Consequently, modcluster incorrectly evaluated such requests as errors. This bug has been fixed, and modcluster now processes all requests as expected.
- Previously, the FindGTK2.cmake module was missing from the cmake packages. As a consequence, building GTK2 applications failed. This update adds FindGTK2.cmake and GTK2 applications now build as expected.
- Prior to this update, CMake ignored some options when working with the rpmbuild-4.8 package. As a consequence, building RPM packages on an RPM-based system failed. With this update, CMake works with rpmbuild-4.8 correctly, and the above problem no longer occurs.
- Due to an error in the "add_custom_target" command, CMake previously did not detect a custom target after creating it. With this update "add_custom_target" works properly, and CMake detects a created custom target as expected.
- A certain variable was previously uninitialized in the coolkey code. If that variable inherited a single "magic" value, coolkey could fail to present any certificates or keys that were stored in a smart card controlled by coolkey (a CAC, PIV, or coolkey card). Consequently, although the smart card was recognized, the certificates and keys were not visible to some applications. With this update, that variable is now initialized to a safe value and coolkey now presents its certificates and keys properly.
- Previously, the "df" command did not display target device information when a symbolic link was specified as a parameter. Consequently, the information about the file was shown instead of the information about the device. This update applies a patch to fix this bug and the "df" command works as expected in the described scenario.
- When no user was specified, the "id -G" and "groups" commands printed the default group ID listed in the password database. Consequently, the IDs were in certain cases ineffective or incorrect. With this update, the commands have been enhanced to print only proper IDs, thus showing correct information about the groups.
- A previous update of the coreutils packages fixed the tail utility to handle symbolic links correctly. However, due to this update, tail returned unnecessary warnings about reverting to polling. This update provides a patch to fix this bug and the warning is only shown when necessary.
- A recent update of the coreutils packages changed the format of the output from the "df" and "df -k" commands to one line per entry, which is required for POSIX mode. As a consequence, scripts relying on the previous two lines per entry format started to fail. To fix this bug, two-line entries have been reintroduced to the output for modes other than POSIX. As a result, scripts relying on the two-line format no longer fail.
- A recent update of the coreutils packages caused a regression in the signal handling in the su utility. As a consequence, when the SIGTERM signal was received, a parent process was killed instead of the su process. With this update, handling of the SIGTERM signal has been fixed and su no longer kills the parent process upon receiving the termination signal.
- The chcon(1) manual page did not describe the default behavior when dereferencing symbolic links; the "--dereference" option was not documented. This update adds the appropriate information to the manual page.
- Certain file systems, for example XFS, have special features such as speculative preallocation of memory holes. These features could cause a failure of the "dd" command test in the upstream test suite. As a consequence, the coreutils package source rpm could not be rebuilt on XFS file systems. To address this bug, the test has been improved to prevent the failures in the described scenario.
- The "tail --follow" command uses the inotify API to follow the changes in a file. However, inotify does not work on remote file systems and the tail utility is supposed to fall back to polling for files on such file systems. Previously, the Veritas file system was missing from the remote file system list and therefore, "tail --follow" did not display the updates to the file on this file system. The Veritas file system has been added to the remote file system list and the problem no longer occurs.
- This update enhances the "dd" command to support the count_bytes input flag. When the flag is specified, the count is treated as numbers of bytes rather than blocks. This feature is useful for example when copying virtual disk images.
- If the cpg clients on active cluster nodes terminated while corosync on one of the nodes was paused, corosync did not update its internal information about cpg clients on other nodes properly after resuming. Consequently, that node considered the terminated cgp clients to be still up and running. This update modifies the cpg code to ensure that corosync properly updates information about the cpg membership in this situation.
- Previously, corosync terminated unexpectedly with a segmentation fault when started on a system with the /dev/shm device full. This happened because the corosync logging system, logsys, could not be properly initialized. This update improves handling of the logsys initialization, and corosync now displays an appropriate error message and exits gracefully if logsys cannot be initialized.
- Due to a list corruption bug in the Corosync Closed Process Group (CPG) API, corosync could terminate unexpectedly with a segmentation fault under some circumstances. To fix this problem, corosync has been modified to handle the CPG init and list removal functions in the same thread.
- Previously, corosync could abort without logging an error properly if it was unable to store a file to the user's file system. With this update, corosync now properly verifies whether a "blackbox" can be stored on the file system. A failure of a ring ID store operation is no longer handled by assert but corosync now tries to log an error and then exits gracefully.
- Previously, when using the InfiniBand Architecture (IBA) as a transport protocol for corosync, corosync could not properly handle the restart of the IBA subnet manager (SM). If the IBA SM was restarted, corosync was not able to start or became unresponsive if it was already running. A series of patches addressing this problem has been applied to corosync, and it now works properly as expected in this scenario.
- BZ#1056310, BZ#1109187
- Prior to this update, the turbostat utility did not correctly access the energy status register on certain Intel Core processors. As a consequence, turbostat displayed the following error message:/dev/cpu/0/msr offset 0x641 read failedWith this update, turbostat has been fixed to correctly access the proper energy status registers. As a result, turbostat now returns the expected data in the described scenario.
- This update adds support for the Intel Broadwell Microarchitecture to the turbostat utility.
- Previously, crash-trace-command displayed incorrect "Packager" and "Vendor" information. With this update, crash-trace-command prints "Red Hat, Inc." in these fields as expected.
- Previously, the createrepo utility did not test file locking correctly. As a consequence, createrepo terminated unexpectedly with a traceback when it was executed in a directory located on a Common Internet File System (CIFS) share provided by a NetApp storage appliance. The test for file locking has been corrected and createrepo now works as expected in the described situation.
- Prior to this update, if the createrepo utility was executed with the "-i" or "--pkglist" options and the specified file name did not exist, createrepo terminated unexpectedly with a traceback. The createrepo utility has been modified to handle this error condition properly, and it now exits gracefully in this situation.
- Prior to this update, the createrepo packages had descriptions which did not indicate that the maintenance utilities were present in the package. This update corrects this omission.
- This update introduces support for the following new options to the modifyrepo utility: "--checksum", used to specify the checksum type; "--unique-md-filenames", used to include the file's checksum in the file name; and "--simple-md-filenames", used to not include the file's checksum in the file name. The "--unique-md-filenames" option is a default option for this utility.
- Previously, certain options were not described in the modifyrepo(1) and mergerepo(1) man pages. These man pages now document the following modifyrepo utility command line options: "--mdtype", "--remove", "--compress", "--no-compress", "--compress-type", "--checksum", "--unique-md-filenames", "--simple-md-filenames", "--version", and "--help". These man pages also now document the following mergerepo utility command line options: "--no-database", "--compress-type", "--version", and "--help".
- FIPS products are now defined by the presence of the dracut-fips package in the system. During the initialization of a library, a cryptographic module is supposed to determine if the library is a FIPS product to reduce the amount of required integrity tests. For this purpose, a new constructor function has been added to the cryptsetup-libs library. The constructor detects if the /etc/system-fips file, which is a part of dracut-fips, exists in the system, and determines if a FIPS integrity test is needed.
- Prior to this update, CTDB sometimes waited too long for file locks to establish. Consequently, clients accessing a CTDB file-server cluster could time out due to high latency. With this update, the underlying code has been fixed to address the problem, and clients can now access files on a CTDB file-server cluster without timeouts.
- Previously, when CTDB was configured to use two bonded interfaces, CTDB failed to assign an IP address to the second bonded interface. As a consequence, the cluster status of the cluster node was shown as "PARTIALLYONLINE" even when the actual status was "OK". The script which handles the network interfaces has been fixed and the cluster status now shows the correct value.
- Prior to this update, CTDB under some circumstances attempted to free allocated memory at an invalid address which caused CTDB to terminate unexpectedly with a segmentation fault. This update fixes the underlying code and CTDB uses the correct address for freeing allocated memory. As a result, the crash no longer occurs.
- A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
- It was discovered that CUPS allowed certain users to create symbolic links in certain directories under
/var/cache/cups/. A local user with the
lpgroup privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
- When the system was suspended during polling a configured BrowsePoll server, resuming the system left the
cups-polldprocess awaiting a response even though the connection had been dropped causing discovered printers to disappear. Now, an HTTP timeout is used so the request can be retried. As a result, printers that use BrowsePoll now remain available in the described scenario.
- A problem with HTTP multipart handling in the CUPS scheduler caused some browsers to not work correctly when attempting to add a printer using the web interface. This has been fixed by applying a patch from a later version, and all browsers now work as expected when adding printers.
- When a discovered remote queue was determined to no longer be available, the local queue was deleted. A logic error in the CUPS scheduler caused problems in this situation when there was a job queued for such a destination. This bug has been fixed so that jobs are not started for removed queues.
- CUPS maintains a cache of frequently used string values. Previously, when a returned string value was modified, the cache lost its consistency, which led to increased memory usage. Instances where this happened have been corrected to treat the returned values as read-only.
- A missing check has been added, preventing the scheduler from terminating when logging a message about not being able to determine a job's file type.
- A fix for incorrect handling of collection attributes in the Internet Printing Protocol (IPP) version 2.0 replies has been applied.
- The CUPS scheduler did not use the
fsync()function when modifying its state files, such as
printers.conf, which could lead to truncated CUPS configuration files in the event of power loss. A new
SyncOnClose, has been added to enable the use of
fsync()on such files. The directive is enabled by default.
- The default environment variables for jobs were set before the CUPS configuration file was read, leading to the
SetEnvdirective in the
cupsd.conffile having no effect. The variables are now set after reading the configuration, and
- Older versions of the RPM Package Manager (RPM) were unable to build the cups packages due to a newer syntax being used in the spec file. More portable syntax is now used, allowing older versions to build CUPS as expected.
- A spelling typo in one of the example options for the
cupsctlcommand has been fixed in the
cronscript shipped with CUPS had incorrect permissions, allowing world-readability on the script. This file is now given permissions “0700”, removing group- and world-readability permissions.
- The Generic Security Services (GSS) credentials were cached under certain circumstances. This behavior is incorrect because sending the cached copy could result in a denial due to an apparent “replay” attack. A patch has been applied to prevent replaying the GSS credentials.
- A logic error in the code handling the web interface made it not possible to change the
Make and Modelfield for a queue in the web interface. A patch has been applied to fix this bug and the field can now be changed as expected.
- The CUPS scheduler did not check whether the client connection had data available to read before reading. This behavior led to a 10 second timeout in some instances. The scheduler now checks for data availability before reading, avoiding the timeout.
- The Common Gateway Interface (CGI) scripts were not executed correctly by the CUPS scheduler, causing requests to such scripts to fail. Parameter handling for the CGI scripts has been fixed by applying a patch and the scripts can now be executed properly.
cupsddaemon will be restarted automatically.
- A memory leak in the Digest MD5 plugin was discovered. Specifically, the make_client_response() function did not correctly free the output buffer. Consequently, applications that used Digest MD5 with very large datasets could terminate unexpectedly. This update corrects make_client_response() and closes the memory leak. As a result, applications using Digest MD5 as part of authentication with large datasets now work as expected.
- Previously, unnecessary quote characters were used in the cyrus-sasl.spec file when the user was created using the useradd command. Consequently, the Saslauth user was created with quotes in the comment field ("Saslauthd user"). With this update, unnecessary quotes have been removed from the comment field.
- The ad_compat option has been backported to the cyrus-sasl packages from upstream. This option controls compatibility with AD or similar servers that require both integrity and confidentiality bits selected during security layer negotiation.
- When running a command on a specific device, the multipath utility did not accept device specification using the major:minor format. This bug has been fixed, and a multipath device can now be associated with the multipath command using a path device major:minor specification.
- Previously, the readsector0 checker did not consider the blocksize when calculating the number of blocks to read, which led to readsector0 reading too much on 512 byte devices causing device errors. With this update, readsector0 considers the device blocksize when calculating the amount to read, and 512 byte devices now work with the readsector0 checker as intended.
- Prior to this update, the code that handles multipathd sysfs devices could free a device structure while other data still pointed to it. As a consequence, the multipathd daemon could occasionally experience use-after-free memory corruption leading to unexpected termination. The sysfs device handling code for multipathd has been rewritten, and multipathd no longer frees sysfs device memory while it is still in use.
- Some of multipathds prioritizers run scsi commands with long timeouts. These prioritizers do not run asynchronously and multipathd becomes busy waiting for one to timeout. Consequently, the multipathd daemon can become unresponsive for as long as 5 minutes when a path fails. With this update, the prioritizers use the "checker_timeout" option to configure their timeout. Now, prioritizer timeouts can be adjusted using the checker_timeout option to prevent multipathd hangs.
- When a multipath device was reloaded outside the multipathd daemon and existing paths were removed from the device, mutipathd still treated them as belonging to a multipath device. Consequently, multipathd tried to access a non-existent path_group and terminated unexpectedly. With this update, multipathd correctly disassociates removed paths and no longer crashes when existing paths are removed by external programs.
- If the multipathd daemon failed to add a path to the multipath device table, the path was incorrectly orphaned. As a consequence, the multipath utility treated the path as belonging to a multipath device, and multipathd could keep attempting to switch to a non-existent path_group. The underlying source code has been fixed, and multipathd now correctly orphans paths that cannot be added to the multipath device table.
- This update adds the force_sync multipath.conf option. Setting force_sync to "yes" keeps the multipathd daemon from calling the path checkers in asynchronous mode, which forces multipathd to run only one checker at a time. In addition, with this option set, multipathd no longer takes up a significant amount of CPU when a large number of paths is present.
- Previously, the default path ordering often led to the Round Robin path selector picking multiple paths to the same controller, reducing the performance benefit from multiple paths. With this update, multipath reorders device paths in order to alternate between device controllers, leading to a performance improvement.
- This update adds iscsi support for the "fast_io_fail_tmo" option to allow the user to modify the speed of multipath responding to failed iscsi devices.
- With this update, "-w" and "-W" options have been added to multipath; the "-w" option removes the named WWID from the wwids file, the "-W" option removes all WWIDs from the wwids file except for the WWIDs of the current multipath devices.
- The thin_dump utility as well as other persistent-data tools supported only 512 B block sizes on accessed devices. Consequently, persistent-data tools could perform I/O to misaligned buffers. The underlying source code has been updated to support 4 KB block size, thus fixing this bug.
- When a packet with checksum having the value of 0xffff was received by the dhcpd daemon, the packet was discarded. With this update, checksum with value 0xffff is perceived as correct, and the packet is now processed as intended.
- Previously, the user could not run IPv6 version of the dhcrelay service, because there was no such initiation script. To fix this bug, the initiation script of dhcrelay has been added, and the user can now run service for IPv6 version of dhcrelay.
- When IPv6 version of the dhcpd daemon served too many requests, the /var/lib/dhcpd/dhcpd.leases file grew uncontrollably in size. As a consequence, dhcpd refused to restart with the following error message:file is too long to bufferAn upstream patch has been backported to fix this bug, and dhcpd for IPv6 now rotates /var/lib/dhcpd/dhcpd.leases to prevent it from growing.
- When using ISC DHCP server and clients on Infiniband cards (IPoIB), the hardware address, called GUID, did not appear in logs. This update adds GUIDs to the logs for IPoIB.
- Every time the dhcpd daemon started, the ownership of the /var/lib/dhcpd/dhcpd.leases file was changed from dhcpd:dhcpd to root:root. A Fedora patch has been backported to fix this bug, and the ownership of /var/lib/dhcpd/dhcpd.leases no longer changes.
- When having failover configuration of the dhcpd daemon and using very long lease times for clients, the following error was returned when starting dhcpd:unable to write leaseA patch has been applied to fix this bug, and error messages no longer appear in logs.
- Previously, when starting the dhcpd daemon or the dhcrelay agent, the user specified the name of the network interface. If longer than 15 characters, dhcpd or dhcrelay terminated unexpectedly with the following error message:*** buffer overflow detected ***A patch has been backported to fix this bug, and dhcpd or dhcrelay now exit gracefully with a new error message informing the user that the interface name is too long.
- Previously, the Dnsmasq service status verification in the init script was not sufficiently robust and only determined the presence of all the instances of Dnsmasq running on the system. As a consequence, the init script identified Dnsmasq as running even when no Dnsmasq system instance had been initiated. The init script has been fixed to explicitly verify the process with the process ID written in the PID file of the system instance. As a result, the status of the Dnsmasq system instance is now identified correctly even if there are running instances not started by the init script.
- The Anaconda "fcoe=edd:<dcb_setting>" option was introduced to allow systems in multi-path configuration to boot from the Storage Area Network (SAN). Previously, the option worked correctly only with the systems that used Enhanced Disk Drive Services (EDD) BIOS. Consequently, systems that did not use EDD, such as UEFI-based systems, could fail to boot from SAN. With this update, the option has been enhanced to work correctly with all systems.
- In FIPS mode, the self checking of binaries is only done if the /etc/system-fips file is present. The dracut utility did not copy /etc/system-fips and certain checksum files in the initial ram file system (initramfs). As a consequence, the self check of the binaries, which was needed to decrypt a partition, was not done so that the partition could not been unlocked. Now, dracut copies all the needed files in the initramfs, and systems with encrypted disks can now boot successfully in FIPS mode.
- The dracut(8) manual page did not describe certain new features. With this update, the missing information has been added to the manual page.
- The nvme driver was missing from the initrd images. Consequently, when Red Hat Enterprise Linux was installed on a non-volatile memory express (NVMe) storage, the post-installation reboot failed. This update adds the missing driver and Red Hat Enterprise Linux can be installed on NVMe storages as expected.
- Only the plymouth module was responsible for creating the initramfs /emergency/ directory. When the module was omitted during the installation, /emergency/ was not created. This behavior caused errors to be returned because other modules required /emergency/ too. With this update, /emergency/ is created regardless of loaded modules.
- The /dev/btrfs-control device node is only created, after the btrfs kernel module is loaded. Previously, utilities that attempted to access the node prior to the module was loaded terminated unexpectedly. Now, the dracut initramfs environment statically creates the device node. As a result, when a utility tries to access the node, the kernel loads btrfs automatically so that the utility no longer fails in the described scenario.
- The iscsistart utility, which is used for adding iSCSI disks, could be executed only when network interfaces had been brought up successfully. When the interfaces had not been correctly specified on the kernel command line, it was not possible to run the utility and boot the system from iSCSI disks. Now, when iSCSI disks are requested on the kernel command line, the dracut initramfs environment runs iscsistart even if no network interface is properly specified, thus allowing the system to boot from iSCSI disks.
- With the iSCSI server not being available, the iscsistart utility took a very long time to connect to it, which slowed the boot process. With this update, iscsistart is now launched in the background, thus connecting to the iSCSI server as soon as it is available. As a result, booting no longer takes enormous amount of time.
- This update enables the server to boot from a secondary device in case the primary device fails. The new "rootfallback=<secondary_device>" parameter has been added to the dracut parameters. This parameter is used when the primary device specified with the "root=<primary_device>" parameter cannot be found.
- The resize2fs utility sometimes caused file system corruption during an offline resize of an ext4 file system. This happened because resize2fs did not reserve all existing metadata blocks prior to executing the resize operation. This update fixes resize2fs to reserve all existing metadata blocks as expected in this situation.
- The tune2fs man page states that the "-f" option can be used to remove a file system journal even if the journal requires replay. However, earlier versions of tune2fs did not behave as documented. This update allows tune2fs to remove a dirty journal by supplying two "-f" options on the command line.
- With previous versions of mke2fs, it was possible to specify an unsupported and unmountable file system revision on the command line by using the "-r" option. The mke2fs utility now refuses to create a file system with a revision higher than is currently supported.
- Previously, the e2image program could run against a mounted block device, resulting in an inconsistent metadata image. With this update, the e2image program now displays a warning message if the block device is mounted, and requires the "-f" option to proceed in this case.
- With previous versions of e2fsck, "zeroed-out" directory blocks were not reported or repaired. The e2fsck utility now detects and repairs this type of corruption.
- The enable_periodic_fsck option has been added to /etc/mke2fs.conf to enable or disable periodic e2fsck operations when creating new file systems with the mke2fs utility. A periodic file system check is enabled by default.
- Previously, the exit status of the edac-utils package init script was not set correctly. As a consequence, running the 'service edac status' command returned exit status 0, which was not expected behavior because no programs were running after executing the 'service edac start' command. With this update, the returned exit status has been changed to 3 in the described situation.
- Previously, during their boot process, some newer machines created variables larger than 1024 bytes, which the kernel API for Unified Extensible Firmware Interface (UEFI) does not support. Consequently, the efibootmgr utility received an error trying to read such variables, and skipped them, which caused anaconda to fail to create boot variables. This update changes efibootmgr to show the variables but not to display their contents. As a result, anaconda is able to read the large variables, and creates boot variables successfully.
- BZ#755728, BZ#1059897
- This update introduces an eu-stack tool that retrieves the backtrace of a process or a core file. * The elfutils libdwfl() functions have been extended to provide support for associating a process state to a Dwfl object. A state can be attached to a process or a core file using the new dwfl_core_file_attach() and dwfl_linux_proc_attach() functions. When a state is attached to a Dwfl object, a new function, dwfl_getthreads(), can be used to iterate over the running threads. It is possible for each thread to unwind and inspect the frames on the call stack using the new dwfl_getthread_frames() function. * The libraries and utilities provide various improvements to recognize DWARF version 4, DWARF GNU tool chain extensions (typed DWARF stack, call_site, entry_value, DW_AT_high_pc, DW_OP_GNU_parameter_ref, and experimental support for DWZ multifiles), and new functions to handle DWARF location expressions. * The eu-readelf utility now supports the "/SYM64/" special entry to read 64-bit ar archive files used on IBM System z architecture.
- Prior to this update, the eu-readelf utility was unable to read a corrupted ELF file with a missing string table. As a consequence, eu-readelf terminated unexpectedly with a segmentation fault. With this update, eu-readelf has been fixed to skip the data sections with a non-existent string table and read only valid data. As a result, eu-readelf no longer crashes in this scenario.
- Previously, due to bugs in certain tool chain utilities, the main ELF file and the separate debuginfo file had different header types or flags. As a consequence, the eu-unstrip utility was unable to combine the ELF file and the separate debuginfo file. The same problem occurred when the main ELF file was prelinked after the debug information was separated into a debuginfo file. With this update, eu-unstrip displays a warning message similar to "ELF header identification (e_ident) different" and shows which header field does not match if the stripped and unstripped files cannot be combined. Also, the "--force" option has been added so that the user can ignore the warning and combine such files anyway. Additionally, eu-unstrip prints a warning message if the DWARF data need adjusting for prelinking bias. As a result, eu-unstrip now prints appropriate warning messages and the mismatching main ELF and separate debuginfo files can be recombined into one using the "--force" option.
- Previously, the ethtool utility did not support the Backplane link type. As a consequence, ethtool did not return "supported link modes" and "advertised link modes" on be2net-based devices. With this update, the support for Backplane has been added, and ethtool now returns "supported link modes" and "advertised link modes" as expected.
- Previously, the ethtool utility did not correctly communicate with the network device driver when attempting to set Large Receive Offload (LRO) options. Consequently, it was not possible to set the LRO options on devices supporting LRO. With this update, ethtool has been fixed to communicate correctly with the network device driver, and the LRO options can now be set on network devices.
- Due to a change to the ixgbe driver, the "ethtool -d" command in non-raw mode stopped providing output. As a consequence, "ethtool -d" could not be used to examine the state of ixgbe devices. To fix this bug, ethool has been changed to work with the new ixgbe device driver, and the "ethtool -d" command in non-raw mode can now be used again on the ixgbe devices.
- With this update, the ethtool utility supports the Medium Dependent Interface Crossover (MDI-X) mode setting on the e1000, e1000e, and igb drivers.
- Previously, the option to choose the time format in the Evolution application was not offered for certain languages. As a consequence, the calendar component editor always showed time in the 24-hour format. With this update, the correct time format is displayed based on the selection the user makes in the Edit menu: Preferences, Calendar and Tasks.
- Prior to this update, newly created local address books were not set correctly. Consequently, address books in the Evolution application could not be deleted, and incorrect data was displayed. With this update, address books can be removed, contacts in separated address books remain visible only in the appropriate address books, and the add, edit, and remove operations no longer cause any inconsistency.
- Previously, the Evolution application did not always handle adding new attachments correctly. As a consequence, attaching a large file caused the Evolution application to terminate unexpectedly under certain circumstances. A patch has been applied to address this bug, and adding new attachments no longer causes Evolution to crash.
- Previously, the Evolution application displayed only a general prompt for the Smart Card PIN. As a consequence, the user could be uncertain what PIN to enter. This update improves the prompt, and the user now knows what certificate the requested PIN belongs to.
- Prior to this update, the Evolution application did not correctly handle calling the "Mark All As Read" function. Consequently, Evolution could become unresponsive until the operation was completely finished. A patch has been provided to fix this problem, and Evolution no longer hangs in the described situation.
- Previously, an error could occur when displaying a new email notification. As a consequence, the Evolution application did not work correctly under certain circumstances. With this update, the bug has been fixed and email notifications are correctly displayed.
- Due to incorrect locking of table access, Evolution previously became unresponsive on startup. This update fixes locking of table access, and Evolution now starts up as intended.
- With this update, support for TLS version 1.2 for mail accounts has been added to Evolution.
- BZ#641632, BZ#642232, BZ#841556, BZ#1114528
- Previously, timeout options could not be entered to the fence_brocade agent. In addition, issued commands were not persistent, which could lead to problems if fencing hardware was rebooted. Also, when invalid password was entered, the fence agent was terminated as a stale process without any error message being reported to the user. This update provides a new implementation of fence agents that solves the aforementioned bugs.
- Previously, users of the fence_ilo agent were not able to enter password that contained the quotation mark character ("). This update allows users to enter any character in the password as expected.
- If the user name to log in to the fence_vmware_soap device does not have the correct privileges set, a python exception is thrown. Prior to this update, the fence_vmware_soap agent terminated the exception when the user did not have privileges for required operations. With this update, the user is informed by an error message that these privileges are not sufficient.
- Previously, fence agents could use key-based authentication over SSH even if the user wanted to use password authentication. As a consequence, the user was unable to log in. This update ensures that proper authentication is used, and the user can now log in using password authentication.
- Previously, using the fence_scsi_check.pl watchdog script failed to induce soft or clean reboot. But when Global File System 2 (GFS2) or other file systems were used, unmounting file systems could be blocked. This update provides a new fence_scsi_check_reboot.pl script, which ensures hard reboot, and problems with unmounting no longer occur.
- Prior to this update, the fence_vmware_soap fencing agent did not support the "--delay" option, which is indispensable for avoiding fence races. This update adds the "--delay" option, which delays start of fence agents for a given amount of seconds, and thus prevents fence races from occurring.
- Previously, the fence_apc utility was hard-coded with SSH1 connectivity. As a consequence, fence_apc was unable to connect to power distribution units that required SSH2 connectivity. This update introduces the "--ssh-options" option, which makes it possible to specify SSH connectivity options in fence_apc. Thus, all fencing agents that support SSH can now be adjusted to meet the SSH requirements of the fencing device.
- Previously, the fence_rsb agent was unable to work with certain versions of firmware. As a consequence, fence_rsb failed after an outlet powered off. However, fence_rsb kept on issuing the command to power the outlet back on. With this update, new firmware versions are supported, and fence_rsb succeeds in turning off and on the outlet.
- Prior to this update, fence agents that connected using the SSH protocol failed on login if an identity file was used as the method of authentication. The bug has been fixed, and these fence agents now successfully authenticate through an identity file.
- Previously, the manual page for the fence_virt.conf file did not describe the relationship between socket path for fence_virtd and virtual machine serial socket path. This could cause confusions or misunderstandings. With this update, the description of "path" in the manual page has been extended to explain the aforementioned difference.
- Prior to this update, the fence-virt agent could not fence inactive virtual machines. As a consequence, the cluster became unresponsive because the fence_virtd daemon was unable to find the running domain. The underlying source code has been patched, and fence-virt now fences both active and inactive virtual machines.
- CVE-2014-0237, CVE-2014-0238, CVE-2014-3479, CVE-2014-3480, CVE-2012-1571
- Multiple denial of service flaws were found in the way file parsed certain Composite Document Format (CDF) files. A remote attacker could use either of these flaws to crash file, or an application using file, via a specially crafted CDF file.
- CVE-2014-1943, CVE-2014-2270
- Two denial of service flaws were found in the way file handled indirect and search rules. A remote attacker could use either of these flaws to cause file, or an application using file, to crash or consume an excessive amount of CPU.
- Previously, the output of the "file" command contained redundant white spaces. With this update, the new STRING_TRIM flag has been introduced to remove the unnecessary white spaces.
- Due to a bug, the "file" command could incorrectly identify an XML document as a LaTex document. The underlying source code has been modified to fix this bug and the command now works as expected.
- Previously, the "file" command could not recognize .JPG files and incorrectly labeled them as "Minix filesystem". This bug has been fixed and the command now properly detects .JPG files.
- Under certain circumstances, the "file" command incorrectly detected NETpbm files as "x86 boot sector". This update applies a patch to fix this bug and the command now detects NETpbm files as expected.
- Previously, the "file" command incorrectly identified ASCII text files as a .PIC image file. With this update, a patch has been provided to address this bug and the command now correctly recognizes ASCII text files.
- On 32-bit PowerPC systems, the "from" field was missing from the output of the "file" command. The underlying source code has been modified to fix this bug and "file" output now contains the "from" field as expected.
- The "file" command incorrectly detected text files as "RRDTool DB version ool - Round Robin Database Tool". This update applies a patch to fix this bug and the command now correctly detects text files.
- Previously, the "file" command supported only version 1 and 2 of the QCOW format. As a consequence, file was unable to detect a "qcow2 compat=1.1" file created on Red Hat Enterprise Linux 7. With this update, support for QCOW version 3 has been added so that the command now detects such files as expected.
- Previously, the file-roller application did not correctly handle file names with spaces. As a consequence, an error could occur when adding files to an archive because names with spaces were not properly recognized by file-roller, for example when using the 'Compress' menu item in the Nautilus file manager. With this update, file-roller uses the correct API to handle file names. As a result, archives are created as expected and errors no longer occur in the described situation.
- When the "compat" method is specified in the nsswitch.conf file, special entries containing the "+" or "-" characters are allowed to be used in the /etc/passwd file. Previously, when the finger utility was run with a "username" argument on a host that had the special entries in /etc/passwd, finger terminated with a segmentation fault. With this update, the code that handles the "username" argument has been fixed to perform the necessary checks and the finger utility no longer crashes in the described scenario.
- Previously, the flex static libraries for 32-bit and 64-bit architectures were included in the same package. Consequently, an attempt to compile an i386 code on an x86_64 system failed unless the 64-bit version of the flex utility had been removed. With this update, the libraries have been moved to separate packages, and flex works as expected in the described scenario.
- Previously, when the font cache file was stored on a Network File System (NFS), the fontconfig library sometimes did not handle mmap() calls correctly. As a consequence, applications using fontconfig, for example the GNOME terminal, could terminate unexpectedly with a bus error. With this update, the FONTCONFIG_USE_MMAP environment variable has been added to handle the mmap() calls regardless of the file system, and these calls are no longer used if the cache file is stored on an NFS. As a result, the bus errors no longer occur in the described situation.
- Previously, the 25-no-bitmap-fedora.conf file name contained the word 'fedora', although file names in Red Hat Enterprise Linux are not supposed to include the word 'Fedora'. With this update, 25-no-bitmap-fedora.conf has been renamed to 25-no-bitmap-dist.conf, and the spec file has been updated.
- Under certain conditions, the proxy server needs the ability to time out to the home server in less than a second. With this update, three new features addressing this requirement have been added:The home server's "response_window" configuration option now accepts fractional values with down to microsecond precision and the minimum of one millisecond.The "response_window" configuration option with the same precision is now also supported in client sections to enable lowering of the home server's response window for specific clients.The "response_timeouts" configuration option is now supported in home server sections, allowing to specify the number of times when a request is permitted to miss the response window before the home server enters the defunct state.
- Previously, the GNU Compiler Collection (GCC) did not handle compiling partial specialization invalid C++ code correctly. As a consequence, GCC could terminate unexpectedly with a segmentation fault. The bug has been fixed and GCC now provides a translation-time error instead of crashing.
- Previously, the GNU Compiler Collection (GCC) did not handle loop vectorization correctly. Consequently, GCC could terminate with a segmentation fault. With this update, GCC correctly ignores the debug statements when the vectorizer is looking for a loop-exit PHI node, and GCC now compiles the code as expected.
- Previously, after compiling the source code of a program using the "-fprofile-arcs" and "-ftest-coverage" command-line options, the program was run and the gcov utility was started, but after that, a new source code file was created and gcov was started again. As a consequence, gcov damaged the existing .gcda files. After this update, functions are properly restored if a failure occurs, and gcov no longer damages other files.
- Previously, if an invalid code in gnu++11 mode used an initializer list with an invalid value in its constructor, the g++ compiler terminated with a segmentation fault. With this update, the constructor is better tested for incorrect values, and g++ no longer crashes in the described scenario.
- Previously, the Clang compiler did not handle certain headers correctly. As a consequence, a program using the typeinfo and exception headers failed to compile, and an "incomplete type" error message was displayed. With this update, the exception header in the libstdc++ library has been adjusted, and programs now compile as expected with the Clang compiler.
- Previously, the standard uncaught_exception() function returned the "True" value even when the initialization of the exception object was not complete. As a consequence, the GNU Compiler Collection (GCC) could generate wrong code. With this update, uncaught_exception() returns the "True" value only after the exception object is created, and GCC always generates correct code as expected.
- Prior to this update, the g++ compiler rejected code that tried to pass a type with a non-trivial copy constructor through variable arguments. As a consequence, programs compiled with the GNU Compiler Collection (GCC) terminated unexpectedly with an "Illegal instruction" error message. With this update g++ now accepts the code because it treats passing variadic arguments of non-trivial types as a pass-by-invisible reference.
- Previously, the gfortran compiler did not correctly handle compiling code that involved invalid old-style initialization for derived type components. As a consequence, gfortran could terminate unexpectedly with a segmentation fault. A patch has been applied to address this bug, and the code is now properly rejected when needed, and an appropriate error message is displayed.
- Larger aggregate contains the same fields as the smaller one with just some fields added at the end. Prior to this update, optimizing code that contained conversion from a larger aggregate to a smaller aggregate could cause the GNU Compiler Collection (GCC) to generate incorrect code. Consequently, using GCC with turned on optimizations failed and a segmentation fault occurred. With this update, conversions between aggregates with different sizes are never considered useless, and GCC no longer generates incorrect code in the described situation.
- OpenMP 4.0 support has been added to the GNU OpenMP library, which allows applications built with DTS 3.0 and using OpenMP to link on Red Hat Enterprise Linux 6.
- Previously, when the users tried to debug certain core dump files generated from multi-threaded applications, GDB was unable to handle correctly specific situations, for example, when a referenced DWARF Compilation Unit was aged out. As a consequence, performing the "thread apply all bt" command to display a backtrace of all threads could cause GDB to terminate unexpectedly. A patch has been provided to fix this bug, and GDB no longer crashes in this scenario.
- Previously, when executing the signal handling code, GDB was calling certain non-reentrant functions, such as the calloc() function. This could sometimes result in a deadlock situation. To avoid deadlocks in this scenario, the relevant GDB code has been modified to handle non-reentrant functions correctly.
- Previously, due to a bug in a specific function in the support for Python, if a Python script read a memory region from the program that was being debugged, and the reference to the memory region became out of scope, GDB did not deallocate the memory. As a consequence, this led to a memory leak, which was particularly significant in memory-intensive scenarios. A patch has been applied, and GDB now frees the acquired memory correctly.
- Prior to this update, GDB did not add the necessary offsets when dealing with bit fields inside nested instances of the struct data type. Consequently, when the user tried to set the value of a bit field that was declared inside such a data structure, GDB was unable to calculate it correctly. With this update, GDB calculates the values of bit fields inside nested data structures correctly.
- Previously, GDB was unable to correctly access Thread Local Storage (TLS) data on statically linked binaries. Consequently, the user could not inspect TLS data on the program being debugged if the program was linked statically. This bug has been fixed, and users can now inspect TLS data on statically linked binaries as expected.
- Prior to this update, GDB incorrectly handled symbolic links related to build-id files. As a consequence, when the user tried to debug core dump files generated from programs that were not installed on the system, GDB printed misleading error messages instructing the user to run incorrect commands to install the binary files. Subsequently, the suggested commands did not fully work and the program package was not correctly installed. This bug has been fixed, and GDB now issues a message containing correct commands to install the necessary binary files.
- This update adds the "$_exitsignal" internal variable to GDB. Now, when debugging a core dump file of a program that was killed by a signal, "$_exitsignal" provides the signal number to the user.
- Due to the bugs in the XDMCP remote desktop protocol chooser and indirect query code, deadlocks and incorrect size arguments occurred on GDM. As a consequence, the host chooser failed to properly delegate to other hosts. To fix this bug, correct-size information is now used, and the recursive deadlock has been removed. As a result, the indirect chooser now works more reliably.
- Previously, the logic for determining when to force the X server to run on virtual console 1 was inadequate, which caused the login screen and subsequent user sessions to switch to virtual console 7 after the initial logout. This update introduces a change in the logic to make virtual console 1 use the statically hardwired display. Now, only auxiliary displays needed for user switching run on virtual console 7 and above, and the main login screen with subsequent user sessions always runs on virtual console 1.
- Prior to this update, the "Switch User" menu item depended on the GDM display manager for starting a login screen. Consequently, the "Switch User" menu item terminated unexpectedly if the user initially logged in with KDM. With this update, the broken "Switch User" menu item is hidden if the user has not logged in with GDM.
- Due to a missing NULL check in the code, a benign error was logged in the slave log file when logging in via a remote XDMCP connection. The missing NULL check has been added to fix this bug, and error messages are no longer returned.
- Previously, GDM failed to create xauth entries usable by remote X clients. Consequently, remote clients could not gain access to the host X server without resorting to ssh tunnels. With this update, GDM writes out xauth entries suitable for remote clients when the DisallowTCP option is set to "false" in the configuration. As a result, xauth entries usable by remote clients are now successfully generated.
- When debugging was enabled and DNS misconfigured, errors in debug logging code made GDM enter an infinite loop. As a consequence, the XDMCP remote desktop protocol did not work or worked sporadically when debug mode was enabled; debug code printed NULL instead of remote server host in failure scenarios. To fix this bug, the debug code has been changed not to call itself and not to nullify or leak the host name. As a result, GDM no longer locks up and returns more comprehensible error messages.
- Due to incorrect handling of the machine state in user switching code, user switching applet could terminate unexpectedly shortly after login. With this update, the machine state is handled differently, and user switching applet crashes no longer occur.
- If the window manager attempted to focus a window before user interaction, benign warning messages were logged in the /var/log/gdm/:0-greeter.log file. With this update, window focusing in the early start up is avoided, and the window manager no longer returns warning messages.
- Previously, when the xgettext utility encountered an invalid file and generated a warning message it would exit with a fatal error if any additional files were supplied to be processed. Consequently, no output was generated. This update fixes the error-processing code and xgettext now works as expected in the described situation.
- Previously, the ghostscript-fonts package contained fonts with a restrictive license. With this update, the fonts with restricted rights causing a licensing problem are removed from the package.
- An out-of-bounds write flaw was found in the way the glibc's readdir_r() function handled file system entries longer than the NAME_MAX character constant. A remote attacker could provide a specially crafted NTFS or CIFS file system that, when processed by an application using readdir_r(), would cause that application to crash or, potentially, allow the attacker to execute arbitrary code with the privileges of the user running the application.
- It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
- When performing an address lookup to a defective Domain Name System (DNS) server using the getaddrinfo utility with the ai_family option set to AF_UNSPEC, the server could respond with a valid response for the A record and a referral response for the AAAA record, which resulted in a lookup failure. With this update, getaddrinfo has been fixed to return the valid response in such a case.
- Under certain rare circumstances, the pthreads utility terminated unexpectedly during stack unwinding on thread cancellation on the PowerPC architecture. The bug has been fixed and pthreads no longer crashes in the described case.
- Name lookup of internationalized domain names using the getaddrinfo utility occasionally caused the calling program to abort unexpectedly. This update fixes the getaddrinfo code to prevent the abort.
- Due to a bug in the thread local storage (TLS) initialization, the dlopen() function occasionally terminated unexpectedly with a segmentation fault. This bug has been fixed, and dlopen() no longer crashes.
- The order of relocations was incorrect during symbol dependency testing in the dynamic linker. Consequently, IFUNC resolvers terminated unexpectedly if the dependent symbols have not yet been relocated. This occurred when one of the environment variables LD_WARN or LD_TRACE_PRELINKING was set. This update ensures that relocations done during symbol dependency testing are performed in correct order, thus avoiding the crash.
- This update modifies certain code paths used by the C library's memory allocator "fastbins" feature to be thread-safe, which prevents segmentation faults previously caused by a corruption in the memory allocator.
- This update fixes the symbol lookup in the elf/dl-lookup.c function to return correct values.
- Previously, querying for a non-existent netgroup when the nscd daemon was running returned a spurious empty result and no error message. For example, executing 'getent netgroup foo' retured a spurious empty netgroup and exited successfully with status 0 even if no netgroup named 'foo' existed. This bug has been fixed, and the above command now exits with non-zero exit status, as expected.
- Due to problems with the buffer extension and reallocation, the nscd daemon terminated unexpectedly with a segmentation fault when processing long netgroup entries. With this update, the handling of long netgroup entries has been fixed, and nscd no longer crashes in the described scenario.
- The getaddrinfo() function returned an incorrect permanent error EAI_NONAME when the Domain Name System (DNS) server was unreachable or the DNS query timed out. Now, getaddrinfo() returns EAI_AGAIN to indicate a temporary failure in name resolution.
- This update fixes a bug in the nscd daemon that caused the sudo utility to deny access for valid users in permitted netgroups.
- This update prevents a memory corruption and a subsequent unexpected crash due to a segmentation fault in the nscd daemon when querying certain netgroups with nested members.
- When querying an empty netgroup, the nscd daemon occasionally became unresponsive. This has been fixed so that an appropriate error code is returned in the described case.
- This update fixes a bug in the gettimeofday() function's implementation of the Virtual Dynamic Shared Object (VDSO) that caused the gettimeofday() function to return an incorrect non-changing value.
- This update adds information about the malloc() function requests satisfied by the mmap system call to the output created by the malloc_info() function.
- This update adds Virtual Dynamic Shared Object (VDSO) indirect function support for the gettimeofday() system call on 64-bit PowerPC system to improve the performance of gettimeofday().
- When trying to mount a remote gluster share using the "backupvolfile-server" option, the process failed and returned an "Invalid argument" error message. A new mount point option, backup-volfile-servers, has been added to provide backward compatibility and allows remote gluster shares to be mounted successfully.
- Previously, when updating the gluster utility from Red Hat Enterprise Linux 6.5 to version 6.6, glusterfs-libs POSTIN scriptlet terminated unexpectedly. The underlying source code has been patched, and POSTIN no longer fails.
- Previously, if a search query was issued in the gnome-packagekit GUI before the list of packages in the left pane was populated, gnome-packagekit became unresponsive. With this update, gnome-packagekit has been modified so that it does not permit search queries before loading the package list. As a result, gnome-packagekit no longer hangs in the described case.
- Prior to this update, the "Install Updates" button in the gpk-update-viewer GUI was incorrectly re-enabled when the authentication dialog started. This bug has been fixed, and the button remains disabled when the authentication dialog appears.
- Due to insufficient checking, the "Switch User" button appeared in the logout dialog window even when user switching was disabled by the lock down configuration. A patch has been provided to fix this bug, and the "Switch User" button is now removed when the user logs out.
- BZ#785828, BZ#1069503
- Due to incorrect clean up of resources at shutdown, the "Startup Applications" GUI did not submit changes immediately. If the user closed the dialog window earlier than 2 seconds after making a change, the change failed to be committed. To fix this bug, the dialog window on shutdown has been deleted, so that its dispose handler commits pending changes immediately. As a result, the user can enable or disable additional startup programs and quickly close the dialog window without the risk of losing changes.
- Prior to this update, there were inadequate checks in the gnome-session utility for a preexisting gnome-session instance. Consequently, running gnome-session within a GNOME session started a nested broken session. With this update, a check for the SESSION_MANAGER environment variable has been added. As a result, if the user runs gnome-session within a preexisting session by mistake, an error message is returned.
- Previously, if the user accidentally clicked "Remember Running Applications" and was using the custom session selector, they could not proceed without saving. This update provides the close button for the session selector to enable the user to refrain from saving.
- Previously, the secret key management daemon for GnuPG, gpg-agent, failed to encode a new iteration count value when it created a new protected key or changed an existing key. As a consequence, the key could not be unprotected and gpg-agent thus did not properly interact with a number of programs that use key decryption, such as KMail or Kleopatra. With this update, the new iteration count is encoded properly and the decryption of keys created or modified by gpg-agent no longer fails.
- Prior to this update, the GnuPG encryption and signing tool, gpg2, by default used CAST5, an encryption algorithm not approved by FIPS standards. Consequently, when gpg2 was run in FIPS mode, data encryption and decryption failed and caused gpg2 to terminate unexpectedly. With this update, GnuPG uses AES, a FIPS-approved encryption algorithm, and gpg2 data encryption and decryption in FIPS mode work as intended.
- Previously, the GnuPG signature checking tool, gpgv2, did not correctly interact with the Libgcrypt library. As a consequence, when the gpgv command was used on a file, gpgv2 terminated unexpectedly. This update fixes the error and the gpgv command now functions correctly.
- Prior to this update, GnuPG did not check for availability of the RIPEMD-160 hash function digest. Because the RIPEMD-160 algorithm is not approved by FIPS standards, GnuPG therefore terminated unexpectedly when the "gpg --verify" command was used in FIPS mode to verify a signature that contained a RIPEMD-160 hash. With this update, GnuPG properly checks for RIPEMD-160 support and the crash no longer occurs.
- The PXE booting did not respect the specified boot order when multiple NICs of the same type were configured for a virtual machine. Instead, the gPXE image attempted to boot from all NICs supported by the loaded image in the PCI bus scan order. This resulted in boot delays, attempting to perform a PXE boot on unintended devices, as well as in booting from unintended devices in case of success. This update provides the gPXE boot image with the PCI address of the intended boot device, ensuring that the image only attempts to boot on the intended device.
- HTTP requests generated by gPXE set wrong TCP flag (SYN & PSH) in the first packet of a session. Consequently, when using a firewall, the TCP packet flow would be blocked and the HTTP module integrated with gPXE would not work. With this update, gPXE no longer set the PSH flag in the first packet of a session and the system now boots as expected.
- Previously, the grep utility did not request processing of UTF-8 from the Perl-compatible regular expressions (PCRE) library if a UTF-8 locale was in effect. As a consequence, Unicode symbols were not correctly matched if a Perl regular expression (the "-P" option) was used with a UTF-8 locale. This update adds a request for UTF-8 processing to the PCRE library, and grep now correctly handles Unicode symbols in the described situation.
- On some systems that are not case sensitive, the "bootx64" command incorrectly launched the GRUB shell instead of booting the GRUB installer. With this update, "bootx64" also checks for the existence of the GRUB booting file (BOOTX64), which allows for using "bootx64" to boot GRUB on systems which are not case sensitive.
- A regular expression in the grub-install program could not match multipath devices when the "user_friendly_name" option was set to "no". As a consequence, the user was not able to install the GRUB utility on a specified device. To fix this bug, the regular expression has been updated to match the requested device names. As a result, GRUB now installs successfully.
- Prior to this update, exiting the GRUB shell menu and rebooting the ISO file on an extensible firmware interface (EFI) system changed the boot device path, which in turn caused an assert error. As a consequence, GRUB sometimes failed to boot. This update prevents the boot device path from being changed, and as a result, exiting the GRUB shell and rebooting the ISO file now proceeds as expected.
- Previously, the biodisk function incorrectly returned "0" instead of the correct values of the read and write calls. Due to this bug, the kernel under some circumstances detected disk errors when booting, which caused the boot to fail. This update fixes the behavior of biodisk, and the boot failure no longer occurs.
- Previously, booting GRUB with trusted boot (tboot) enabled under some circumstances caused the tboot screen to be blue, making the text output impossible to read. This update adds a number of conditions for graphic initialization to GRUB, which ensure that the tboot screen displays in normal colors.
- Previously, the graphics_cls() and graphics_init() calls did not correctly co-operate with GRUB. As a consequence, booting an ISO file with disabled VGA caused the system to encounter an exception and automatically reboot. With this update, the behavior of the mentioned calls has been corrected and the system now successfully boots with disabled VGA.
- BZ#1094978, BZ#1074914, BZ#1048681
- When the "splashimage" option parameter was commented out or a serial console was enabled in the /boot/EFI/redhat/grub.cfg file, the kernel did not initialize the efifb graphic back end when booting an EFI system. As a consequence, VGA text consoles displayed a blank screen instead of the intended output. With this update, booting an EFI system uses efifb regardless of whether GRUB splash image or a serial console are used, and the content of VGA consoles now displays as expected.
- Prior to this update, if a splash image was not used when booting an EFI system, the serial console displayed a redundant grub_read() failure message during the boot process. With this update, the underlying code has been fixed and booting an EFI system without the GRUB splash image no longer generates redundant failure messages.
- Prior to this update, the Trusted Boot (tboot) module incorrectly used the tboot.gz multiboot image to search for a grub configuration file. As a consequence, running the "yum update" command led to grubby corrupting the grub.conf file when tboot was enabled and two or more kernels were updated. With this update, tboot uses specific kernel names to search for grub configuration, and corruption of grub.conf no longer occurs in the described scenario.
- Previously, enabling tboot caused the kernel configuration to not be displayed properly when running the "grubby --info=DEFAULT" command. With this update, multiboot module parameters have been included in the output of "grubby --info", and the configuration displays as expected when tboot is running.
- The gtk_cups_connection_test_new() function used the default IPP port instead of the real one. Consequently, the GTK print dialog failed to get printer information from remote CUPS servers with a non-standard port number. With this update, the correct port number is used and GTK no longer fails.
- The rsvg-convert utility of the librsvg2 library did not respect the width and height specified with the viewBox attribute in SVG files. As a consequence, avatar icons were smaller than they were supposed to be. With this update, the utility uses the correct width and height.
- BZ#1104681, BZ#1104684
- The gdk-pixbuf loaders were moved to a separate directory as part of the separation of the gdk-pixbuf2 library to its own package. This update moves the loaders present in the librsvg2 and libwmf libraries to the new directory.
- The newly-added GtkComboBoxText widget could cause applications that used it to terminate unexpectedly due to the incorrect initialization of one of the widget's properties. With this update, the initialization has been fixed and the applications no longer crash in the described scenario.
- Missing forward declarations for various functions caused the compiler to assume an implicit 32-bit integer return type. Consequently, the compiler terminated unexpectedly because the string pointer was truncated to 32-bits and then extended back to 64-bits. With this update, the "#include" lines for the appropriate headers have been added at the top of the affected source files. As a result, the compiler no longer crashes.
- Previously, the GTK+ print dialog failed to print to a file in the default directory due to an incorrect path generation of the file. The generation of the path has been fixed, and GTK+ prints to a file as intended.
- Previously, when several clients using the same home directory located on remote NFS (Network File System) modified the gvfs-metadata database files, a conflict could occur. In addition, GVFS produced heavy traffic on the remote NFS server. With this update, countermeasures for possible conflicts have been put in place and metadata journal files have been relocated to a temporary directory, and GVFS no longer produces heavy traffic on the NFS mount.
- Prior to this update, GVFS did not pass a mount prefix into the rename operation. Consequently, it was not possible to rename files on the WebDAV shares if mount prefix was specified, and the following message was displayed when attempting to do so:The item could not be renamed. Sorry, could not rename "dir1" to "dir2": Thespecified location is not mountedThis bug has been fixed and the mount prefix is now passed into the rename operation as expected. As a result, the rename operation works correctly on the WebDAV shares.
- When the GDesktopAppInfoLookup extension processed a URL scheme that contained invalid characters, for example from Thunderbird messages, a request for URL handlers was unsuccessful. Consequently, an error dialog notifying about the invalid character was shown. With this update, GDesktopAppInfoLookup has been modified to check the URL scheme for invalid characters before it is used. As a result, the aforementioned error no longer occurs.
- A previous GLib2 rebase
- Previously, GVFS used the select() function to communicate with the OpenSSH utility. Due to changes introduced with the OpenSSH update, select() could return incomplete results. Consequently, mounting of SFTP locations failed with the following message:Error mounting location: Error reading from unix: Input/output errorGVFS has been updated to use the poll() function instead of select(), thus fixing this bug.
- A previous GLib2 rebase
- Previously, the "-h" option of the zgrep command was absent from the source code of the gzip utility. As a consequence, the output of running the "zgrep -h" command was not parsed, and the file name was printed. With this update, the possibility to use the short "-h" option besides the "--no-filename" option has been added. As a result, running the zgrep command with the "-h" option now prints the correct lines and suppresses the prefixing of the file names on output when multiple files are searched.
- Prior to this update, the time stamp of an archive was set by the futimesat() or utime() system calls when using the gzip utility. Consequently, the archived file had a lower time stamp than expected because only microsecond resolution was enabled, and a nanosecond time stamp was not provided. The underlying source code has been modified to attempt to use the utimensat() or futimens() system calls for nanosecond resolution. As a result, the archived file has exactly the same time stamp as the original file.
- Prior to this update, the HAL daemon did not properly handle the hot plug addition and removal events. Consequently, the HAL daemon terminated unexpectedly with a segmentation fault during device probing. With this update, hot plug events are properly handled and the HAL daemon no longer crashes in the aforementioned scenario.
- Prior to this update, the /usr/libexec/hald-probe-smbios script, as well as certain other hald-probe scripts, terminated unexpectedly after they were manually started. This bug has been fixed and the aforementioned scripts can be started manually without complications.
- Previously, the HAL daemon did not recognize touchscreen monitors correctly. Consequently, these monitors were not added to the list of hot plugged devices in the Xorg window system. Support for touchscreen devices has been added to HAL and these devices are now recognized correctly.
- The .hmac files are used to check the kernel image at the boot time; if the check fails, the boot process is expected to be halted. Previously, the hmaccalc utility did not flag empty .hmac files as an error, allowing the system to boot even if the boot was supposed to fail. With this update, a patch has been provided to address this bug. As a result, the system is no longer allowed to boot in the described scenario.
- Previously, the udev rules files were not in the correct location on the file system. As a consequence, permissions on the device node after connecting a device were insufficient. This update moves the udev rules files to the correct location, and udev rules now work correctly in the described situation.
- Previously, the system did not initialize shared memory session cache when the Apache HTTP Server loaded the mod_ssl module for the first time during a configuration reload. As a consequence, the system terminated the httpd service unexpectedly in the described situation. With this update, the problem has been fixed, and httpd no longer crashes when loaded for the first time after a configuration reload.
- Previously, the bybusyness algorithm, contained in the mod_proxy_balancer module, did not balance the workload after a worker tried to send a request to a non-working node. Consequently, once the non-working node became working again, mod_proxy_balancer did not recover the worker that tried to send the request because it still considered the worker busy. With this update, the algorithm has been fixed and mod_proxy_balancer now uses the worker after a node recovery as expected.
- Prior to this update, the mod_proxy module did not ignore the EINTR return value of the poll() function. As a consequence, mod_proxy broke the connection during an attempt to send a request using the CONNECT method when the child process was terminated. A patch has been applied to fix this problem, and mod_proxy now ignores EINTR and continues with the CONNECT request as expected in the described situation.
- Previously, the mod_cgi module did not correctly handle the situation when a client failed to send a request before timeout. Consequently, the client received the "500 Internal Server Error" HTTP status code instead of the "408 Request Timeout" HTTP status code. With this update, the problem has been fixed, and the client now receives "408 Request Timeout" after a failed attempt to send a request before timeout.
- Previously, the Apache Portable Runtime (APR) library bucket brigade in the mod_proxy_http module contained objects allocated from another APR pool that could be freed before the APR bucket brigade. Consequently, trying to free already freed objects in an APR bucket brigade cleanup could cause the httpd service to terminate unexpectedly. With this update, the APR bucket brigade in mod_proxy_http is now destroyed sooner than the APR pool from which the objects stored in the APR bucket brigade are allocated. As a result, httpd no longer crashes in mod_proxy_http during an APR bucket brigade cleanup.
- Prior to this update, the mod_proxy_http module did not honor the ErrorLog directive defined in VirtualHost configuration for certain errors. As a consequence, the "proxy: error reading response" message could be logged into the global error log even though a VirtualHost-specific error log was configured. A patch has been applied to fix this bug, and mod_proxy_http now logs "proxy: error reading response" into the correct log file.
- Prior to this update, the status line of an HTTP response message from server did not, under certain circumstances, include the HTTP reason phrase if it contained the status code. As a consequence, the server displayed only the status code to the HTTP client. With this update, the bug has been fixed, and the status line issued to the HTTP client now contains both the status code and the reason phrase as expected.
- Previously, the mod_ssl module directives did not contain support for using the Transport Layer Security cryptographic protocol version 1.2 (TLSv1.2). As a consequence, the user could not set up mod_ssl to disable TLSv1.2. With this update, support for TLSv1.2 configuration options has been added to mod_ssl. As a result, it is now possible to set up mod_ssl to disable TLSv1.2.
- Prior to this update, the mod_ssl module did not support wildcard certificates with the SSLProxy directive. As a consequence, SSLProxy did not work when a wildcard certificate was used, and the user had to set the SSLProxyCheckPeerCN directive to "off" as a workaround. A patch has been applied to fix this bug, and mod_ssl now supports wildcard certificates with SSLProxy.
- Previously, the mod_ssl module stored all Certificate Revocation Lists (CRL) in cache, and the user could not disable the caching. Consequently, the httpd service could consume a lot of memory when a large amount of CRLs were stored in cache. To fix this problem, the DisableCRLCaching directive has been added to mod_ssl to disable CRL caching. As a result, mod_ssl can now be configured to no longer store CRLs in cache.
- Previously, a function handling dynamic groups, which is included in the mod_ldap module, contained an incorrect pointer assignment. As a consequence, the system caused the httpd service to terminate unexpectedly with a segmentation fault when multiple dynamic groups were used. A patch has been applied to fix this bug, and httpd no longer crashes when more than one dynamic group is used.
- BZ#1071883, 1100680
- Prior to this update, the mod_ssl module only supported ephemeral Diffie-Hellman (DH) keys of 512-bit and 1024-bit lengths. Consequently, Secure Sockets Layer (SSL) cipher suites using ephemeral DH keys could not be used in FIPS mode. With this update, mod_ssl uses ephemeral DH keys of key lengths up to 8192 bits. As a result, mod_ssl now works as expected in FIPS mode.
- Previously, when running the "apachectl status" command, the exit code failed to be changed when the httpd service was not running. As a consequence, "apachectl status" could return the exit code 0, indicating success, even when httpd was not running. A patch has been provided to fix this bug and "apachectl status" now exits with the correct exit code when httpd is not running.
- Prior to this update, the SSLProtocol directive exposed by the mod_ssl module did not allow control over whether the TLSv1.1 or TLSv1.2 protocols were enabled. Consequently, the user could not set mod_ssl to disable TLSv1.1 or TLSV1.2. With this update, support for TLSv1.2 and TLSv1.2 configuration options has been added to mod_ssl, and mod_ssl now supports TLSv1.1 and TLSv1.2 in the SSLProtocol Directive.
- Previously, the mod_cache module did not correctly handle requests to the back-end server due to a race condition between removing and renaming cached files and due to inconsistencies in generating the cache hash codes when handling the HTTP Range requests. Consequently, mod_cache could pass multiple requests to the back-end server to refresh the cache instead of a single request. With this update, the race condition has been fixed and hash codes for an object in cache are generated consistently even when handling Range requests. As a result, mod_cache now passes only a single request to the back-end server when refreshing the cache.
- Prior to this update, the %post script of the mod_ssl module used an RSA key hard-coded to a 1024-bit length. As a consequence, the user could not install mod_ssl in FIPS mode. To fix this bug, the mod_ssl %post script has been updated to use 2048-bit RSA key. As a result, it is now possible to install mod_ssl in FIPS mode.
- Previously, the mod_proxy module did not close the client connection when the back-end server connection was closed. Consequently, mod_proxy kept the client connection open until it timed out. A patch has been provided to fix this bug and mod_proxy now closes the client connection immediately after mod_proxy closes connection to the back-end server.
- This update introduces support for Elliptic Curve Cryptography (ECC) keys and Elliptic Curve Diffie-Hellman (ECDH) ciphers in Red Hat Enterprise Linux 6 because the OpenSSL toolkit in Red Hat Enterprise Linux 6 also supports ECDH.
- The PCI, USB, and vendor ID files have been updated with information about recently released hardware. Hardware utility tools that use these ID files are now able to correctly identify recently released hardware.
- The i2cdetect utility requires the i2c-dev module to be loaded so that it can detect devices present on a specified bus. Previously, this was not done automatically, and as a consequence, the user could be mistaken that no buses or devices existed when running i2cdetect. With this update, i2c-dev has been made automatically-loadable. Now, i2cdetect correctly scans an I2C bus for devices and outputs a table with detected devices as expected.
- Previously, indexing for the compose.db and latex.db files was handled by the post-installation script. As a consequence, running the "rpm -V" command returned an unnecessary warning that the SQLite database files had been changed since the installation. With this update, the indexed files are already included in the packages, and no warning messages are displayed in the described situation.
- Previously, certain network device drivers did not accept ethtool commands right after they appeared in the user-space. As a consequence, the current setting of the specified device driver was not applied and an error message was returned. This update adds the ETHTOOL_DELAY variable, which makes sure the ethtool utility waits for some time before it tries to apply the options settings, thus fixing the bug.
- When issuing a reboot or halt, the system sometimes killed the S01reboot process and never completed the reboot or shutdown. This update changes the regex for the sed utility to fix this bug, and the S01reboot process now completes successfully.
- Previously, the ipcalc utility handled netmask parameters incorrectly using the "-c" option. As a consequence, invalid CIDR was ignored and netmask in allowed format was not accepted. The updated "-c" option validates IP addresses for specified address families as expected, invalid CIDR is no longer ignored, and allowed formats of netmask are accepted.
- Due to a race condition, the "multicast_router" and "hash_max" BRIDGING_OPTS options failed to apply when creating the bridge. With this update, "multicast_router" and "hash_max" are applied after the bridge is up, and BRIDGING_OPTS options now work as intended.
- Prior to this update, the udev device manager called the hotplug script when a VLAN network was added. However, because the VLAN network has the same default hardware address as the default network adapter device, hotplug reverted the network adapter's IP configuration to the values in the /etc/sysconfig/network-scripts/ directory, and in some cases disconnected the network adapter. This update removes the triggering of the hotplug script for VLAN networks and, as a result, the network adapter now retains its IP address, and thus no longer fails.
- Previously, the only way to set up VLAN ID was through the name of the new virtual device (vlan10 or eth0.10). With this update, the ID can be specified by the VID option in ifcfg file.
- The saved seed size in the /etc/rc.sysinit file has been increased from 512 bytes to 4096 bytes to comply with the updated crypto requirements.
- BZ#1082765, BZ#1099486
- With this update, the user can set PRIO and AGEING options for bridges in ifcfg files, which allow ageing to be set in ifcfg-* scripts.
- Previously, the ipa-replica-install script tried to add the "A" and "PTR" records if the master managed Domain Name System (DNS). If the master did not manage the replica's zone, an error message "DNS zone not found" was returned, and the installation of a replica failed. With this update, the ipa-replica-install script has been fixed to properly handle the described situation, and the replica's installation now succeeds. Please note that the "A" and "PTR" records for the replica need to be added manually.
- Previously, when Identity Management Public Key Infrastructure (PKI) clone in Red Hat Enterprise Linux 7 was being installed, an access to the /ca/ee/ca/profileSubmit URI on the Identity Management server, from which it was replicating, was required. However, Identity Management in Red Hat Enterprise Linux 6 did not export this URI in the httpd proxy configuration. As a consequence, the installation of Identity Management replica with the PKI component in Red Hat Enterprise Linux 7 failed when installed against a Red Hat Enterprise Linux 6 master. With this update, the /ca/ee/ca/profileSubmit URI has been added to Red Hat Enterprise Linux 6 Identity Management proxy configuration and a replica installation now succeeds in this scenario.
- Prior to this update, disabling a sudo rule did not trigger the removal of its entry from the sudo compat tree in Lightweight Directory Access Protocol (LDAP). Consequently, the disabled sudo rules were still followed on clients using the sudo compat tree. This bug has been fixed, and the described problem no longer occurs.
- Previously, an Identity Management password policy was not applied to passwords changed using the Directory Manager or PassSync agent. As a consequence, the default expiration time (90 days) was always applied even if the Identity Management administrator had defined a different policy. The Identity Management Password Change Extended Operation Plug-in has been updated, and the password changes made by the Directory Manager or PassSync agent now respect the "max lifetime" field of the user password policy.
- Previously, an intermittent race condition happened when the ipa-server-install utility tried to read the "preop.pin" value from the CS.cfg file, which was still unwritten to the disk by the pkicreate utility. As a consequence, the Identity Management server installation failed. With this update, ipa-server-install has been modified to anticipate such a race condition. Now, when ipa-server-install is unable to read from CS.cfg, it waits until it times out or the file is written to the disk. Additionally, these events are now properly logged in the installation log if they occur.
- Prior to this update, a bug in the Python readline module caused a stray escape sequence to be prepended to the output of the script that the certmonger utility uses to acquire renewed certificates on the Certification Authority (CA) clones. Consequently, certmonger failed to parse the output of the script and the certificate was not renewed. A patch has been provided to address this bug and certmonger is now able to successfully parse the output of the script and complete the certificate renewal.
- The ipa-client-automount utility uses the Remote Procedure Call (RPC) interface to validate the automount location. Previously, the RPC interface only allowed clients whose API version was earlier than or the same as the server API version to validate the automount location. As a consequence, running ipa-client-automount with a client whose API version was later than the server's failed with an incompatibility error message. With this update, ipa-client-automount has been modified to report a fixed API version in the RPC call and ipa-client-automount now runs successfully when the client API version is later than the server's.
- Previously, the ipa-replica-manage utility contained a bug in the re-initialize command causing the MemberOf task to fail with an error message under certain circumstances. Consequently, when the ipa-replica-manage re-initialize command was run for a Windows Synchronization (WinSync) replication agreement, it succeeded in the re-initialization part, but failed during execution of the MemberOf task which was run after the re-initialization part. The following error message was returned:
Update succeeded Can't contact LDAP serverHowever, the error was harmless as running the MemberOf task was not required in this case. A patch has been applied and the error message is no longer returned in the described scenario.
- Users in Identity Management in Red Hat Enterprise Linux 7 can be added without the password policy explicitly defined in the "krbPwdPolicyReference" attribute in the user object. The User Lockout plug-in locks out users authenticating or binding through the LDAP interface after configured number of failed attempts. In Identity Management in Red Hat Enterprise Linux 7, the plug-in does not require this attribute to be present to correctly apply the lock-out policy. Previously, the Identity Management User Lockout plug-in in Red Hat Enterprise Linux 6 required this attribute to function properly. Consequently, the password lock-out policy was not applied to users created in Identity Management in Red Hat Enterprise Linux 7 that were replicated to Red Hat Enterprise Linux 6. Such users had an unlimited number of authentication attempts in the LDAP interface. The User Lockout plug-in has been updated to respect users without the defined custom policy and to properly fall back to the defined global password policy, and now only a defined number of authentication attempts are allowed to users in the LDAP interface.
- Previously, the validator in Identity Management did not allow slash characters in the DNS names. As a consequence, it was not possible to add reverse zones in the classless form. With this update, the DNS name validators allow slash characters where necessary, and thus the recommendations of RFC 2317 are now followed.
- Prior to this update, Identity Management installers could call the ldapmodify utility without explicitly specifying the authentication method. Consequently, the installer could fail when the authentication method was set in the ldapmodify user configuration. This bug has been fixed, the installer now always calls ldapmodify with the authentication method explicitly specified, and the described problem no longer occurs.
- Previously, when a Red Hat Enterprise Linux 6 master was being installed or upgraded, an extra default value was added to the "nsDS5ReplicaId" attribute of the LDAP entry "cn=replication,cn=etc". In Red Hat Enterprise Linux 7, Identity Management uses a stricter validation, which prevents installing a replica on such a system. As a consequence, after a Red Hat Enterprise Linux 6 master was installed or upgraded on a system with more than one master, installing a Red Hat Enterprise Linux 7 replica failed. This bug has been fixed, the extra value is no longer added, and Red Hat Enterprise Linux 7 replicas can be installed successfully in this scenario.
- Identity Management administration framework API contains two checks on the server side to verify that a request on its API can be passed further:
Prior to this update, the Identity Management server performed the checks in an incorrect order. First, the attribute and parameter check was done, then the API version check. As a consequence, when a client (for example, Red Hat Enterprise Linux 6.5) ran the ipa administration utility against a server with an earlier operating system (for instance, Red Hat Enterprise Linux 6.4), the command returned a confusing error message. For example, instead of stating API incompatibility, an error message regarding an unknown option was displayed. This bug has been fixed, the checks on the server are now performed in the correct order and a correct error message is displayed in this scenario.
- A check to see if the client API version is not higher than the server API version. If it is, the request is rejected.
- A check to see if the client API request does not use an attribute or a parameter unknown to the server. If it does, the request is rejected.
- Automated configuration of the sudo command has been added to the ipa-client-install utility. By default, ipa-client-install now configures sudo on Identity Management clients by leveraging the newly-added ipa provider in the sssd utility.
- A set of Apache modules has been added to Red Hat Enterprise Linux 6.6 as a Technology Preview. The Apache modules can be used by external applications to achieve tighter interaction with Identity Management beyond simple authentication.
- Previously, the ipmitool default timeout values signified a time period which was too short. As a consequence, during retries, the ipmitool utility could terminate unexpectedly with a segmentation fault, or could produce a nonsensical error message. With this update, the ipmitool options passed from environment variable are parsed correctly from IPMITOOL_OPTS and IPMI_OPTS variables, IPMITOOL_* taking precedence over IPMI_* variables. As a result, ipmitool no longer crashes in the described situation.
- The IPMI kernel code was missing aliases for the IPMI kernel modules. Consequently, not all of the IPMI kernel modules could be automatically loaded when the appropriate hardware was detected, and the hardware thus could not be used. To fix this problem, the module alias configuration file has been added to the /etc/modprobe.d/ directory, linking all of the separate IPMI modules to the IPI* device class alias. Note that the system must be rebooted for this change to take effect.
- To improve usage of ipmitool as a part of the software stack, certain environment variables were unified and several new variables were introduced to ipmitool, specifically:IPMITOOL_* variables now take precedence over IPMI_* variables.The IPMITOOL_KGKEY variable has been added to unify the name space usage.* Limited IPv6 support has been added to the ipmitool packages; the IPMI standard does not include the IPv6 data definitions, and therefore this change includes only IPv6 connectivity. The OEM-vendor-specific command values related to IPv6 are beyond the scope of this feature.
- Previously, information on "Read Intensive" disks did not display in the iprconfig menu. The underlying source code has been patched, and the disks information is now displayed correctly.
- Prior to this update, ipset initiation script which would load the ipset rules was missing. Consequently, security problems at system initiation could occur. This update provides all the files necessary to add an ipset systemd service, which starts up before iptables and stops afterwards. As a result, ipset rules can be started, stopped, and saved as intended.
- Previously, when alternative packages were removed manually, it was impossible to uninstall the iptables-ipv6 packages. The underlying source code has been patched, and iptables-ipv6 can now be uninstalled regardless of manually modified alternatives.
- When upgrading the Red Hat Enterprise Linux 6.5 minimal installation to version 7.0 using the redhat-upgrade-tool utility, the "%postun" scriptlet of iptables-ipv6 failed. Blocks preventing the old package from uninstalling have been removed, and iptables-ipv6 can now be uninstalled successfully.
- With this update, IPv6 support has been added to the ipset utility, and thus the user can now manage IPSets of IPv6 addresses.
- Previously, the ipvsadm tool did not handle printing of existing sync daemons correctly under certain circumstances. Consequently, the "ipvsadm --list --daemon" command did not report the existence of a backup sync daemon when only a backup sync daemon was running on a node. A patch has been applied to address this bug, and "ipvsadm --list --daemon" now correctly shows the backup sync daemon even if it is the only daemon running.
- Previously, the irqbalance daemon did not consider the NUMA node assignment for an interrupt request (IRQ) for the banned CPU set. Consequently, irqbalance set the affinity incorrectly when the IRQBALANCE_BANNED_IRQS variable was set to a single CPU. In addition, IRQs could be assigned to a node that had no eligible CPUs. Node assignment has been restricted to nodes that have eligible CPUs as defined by the unbanned_cpus bitmask, thus fixing the bug. As a result, irqbalance now sets the affinity properly, and IRQs are assigned to the respective nodes correctly.
- Prior to this update, the dependency of the irqbalance daemon was set incorrectly referring to a wrong kernel version. As a consequence, irqbalance could not balance IRQs on NUMA systems. With this update, the dependency has been fixed, and IRQs are now balanced correctly on NUMA systems. Note that users of irqbalance packages have to update the kernel to 2.6.32-358.2.1 or later in order to use the irqbalance daemon in the correct manner.
- Prior to this update, irqbalance could not accurately determine the NUMA node it was local to or the device to which an IRQ was sent. The kernel affinity_hint values were created to work around this issue. With this update, irqbalance is now capable of parsing all information about an IRQ provided by the sysfs() function. IRQ balancing now works correctly, and the affinity_hint values are now ignored by default not to distort the irqbalance functionality.
- BZ#0009299, BZ#1052361
- Due to changes in the addressing of inter-process communication (IPC) sockets, updating the isciadm administration utility caused it to be incompatible with the already-running iscsid processes. As a consequence, iscsiadm could no longer communicate with the running iscsid processes after the update. This update adds a retroactive compatibility IPC mode, which automatically triggers when a new IPC socket fails to connect. As a result, iscsiadm can now correctly be used to control pre-existing iscsid processes after an update.
- Prior to this update, the uip_reset() function was in some cases called with an invalid ustack address. As a consequence, the iscsiuio process was terminated unexpectedly with a segmentation fault. With this update, the ustack address calling uip_reset() has been fixed and the described crash no longer occurs.
- Prior to this update, the iscsid daemon could not handle more than 31 iSCSI asynchronous events. Consequently, when performing an iSCSI operation with 32 or more target protocol data units, iscsid entered an infinite loop and became unresponsive. With this update, iscsid can properly handle more than 31 iSCSI asynchronous events, and the described hang no longer occurs.
- A bug previously caused the LineBreakMeasurer class to produce the ArrayIndexOutOfBoundsException error when Java attempted to display certain characters in certain fonts. This update fixes the bug and Java now displays the affected characters correctly.
- Prior to this update, an application accessing an unsynchronized HashMap could potentially enter an infinite loop and consume an excessive amount of CPU resources. As a consequence, the OpenJDK server became unresponsive. This update prevents unsynchronized HashMap access from causing an infinite loop and as a result, the OpenJDK server no longer hangs in the described scenario.
- Shared Java libraries have been modified to allow users to run Java with the cap_net_bind_service, cap_net_admin, and cap_net_raw capabilities granted.
- CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519
- Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
- It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.
- It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.
- It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
- It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.
- The TLS/SSL implementation in OpenJDK previously failed to handle Diffie-Hellman (DH) keys with more than 1024 bits. This caused client applications using JSSE to fail to establish TLS/SSL connections to servers using larger DH keys during the connection handshake. This update adds support for DH keys with size up to 2048 bits.
- Previously, the umbrello UML modeller used logic based on recursive calls. As a consequence if a user created a diagram that had dependency graph cycles, umbrello entered an infinite loop and terminated unexpectedly with a segmentation fault. With this update, the application logic has been changed to use stack-based parent resolution. As a result, umbrello no longer terminates in the described scenario.
- Prior to this update, the kompare utility hid underscore characters located at the bottom of a highlighted difference block when using certain fonts. This update fixes this bug. As a result, kompare correctly displays underscore characters in the described situation.
- Previously, the VRRP alert emails sent by the keepalived daemon did not contain the "to" header, which complicated filtering and sorting such messages by email software. With this update, keepalived has been modified to include the "to" header into email alerts as expected.
- Previously, when keepalived compared the local primary IP address with another IP address, these two addresses had different byte-ordering. Consequently, multiple routers were created in a master state. With this update, the local primary IP address is converted to network byte order before the comparison, thus fixing this bug.
- CVE-2015-1805, Important
- It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2015-3331, Important
- A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AES-GCM mode IPSec security association.
- CVE-2014-9419, Low
- An information leak flaw was found in the way the Linux kernel changed certain segment registers and thread-local storage (TLS) during a context switch. A local, unprivileged user could use this flaw to leak the user space TLS base address of an arbitrary process.
- CVE-2014-9420, Low
- It was found that the Linux kernel's ISO file system implementation did not correctly limit the traversal of Rock Ridge extension Continuation Entries (CE). An attacker with physical access to the system could use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service.
- CVE-2014-9585, Low
- An information leak flaw was found in the way the Linux kernel's Virtual Dynamic Shared Object (vDSO) implementation performed address randomization. A local, unprivileged user could use this flaw to leak kernel memory addresses to user-space.
- When repeating a Coordinated Universal Time (UTC) value during a leap second (when the UTC time should be 23:59:60), the International Atomic Time (TAI) timescale previously stopped as the kernel NTP code incremented the TAI offset one second later than expected. A patch has been provided, which fixes the bug by incrementing the offset during the leap second itself. Now, the correct TAI is set during the leap second.
- Due to a race condition, deleting a cgroup while pages belonging to that group were being swapped in could trigger a kernel crash. This update fixes the race condition, and deleting a cgroup is now safe even under heavy swapping.
- Previously, the open() system call in some cases failed with an EBUSY error if the opened file was also being renamed at the same time. With this update, the kernel automatically retries open() when this failure occurs, and if the retry is not successful either, open() now fails with an ESTALE error.
- Prior to this update, cgroup blocked new threads from joining the target thread group during cgroup migration, which led to a race condition against exec() and exit() functions, and a consequent kernel panic. This bug has been fixed by extending thread group locking such that it covers all operations which can alter the thread group - fork(), exit(), and exec(), and cgroup migration no longer causes the kernel to panic.
- The hrtimer_start() function previously attempted to reinsert a timer which was already defined. As a consequence, the timer node pointed to itself and the rb_insert_color() function entered an infinite loop. This update prevents the hrtimer_enqueue_reprogram() function from racing and makes sure the timer state in remove_hrtimer() is preserved, thus fixing the bug.
- Previously, the bridge device did not propagate VLAN information to its ports and Generic Receive Offload (GRO) information to the connected devices. This resulted in lower receive performance of VLANs over bridge devices because GRO was not enabled. An attempt to resolve this problem was made with BZ#858198 by introducing a patch that allows VLANs to be registered with the participating bridge ports and adds GRO to the bridge device feature set. However, this attempt introduced a number of regressions, which broke the vast majority of stacked setups involving bridge devices and VLANs. This update reverts the patch provided by BZ#858198 and removes support for this capability.
- Previously, the kernel initialized FPU state for the signal handler too early, right after the current state was saved for the sigreturn() function. As a consequence, a task could lose its floating-point unit (FPU) context if the signal delivery failed. The fix ensures that the drop_init_fpu() fuction is only called when the signal is delivered successfully, and FPU context is no longer lost in the described situation.
- On mounting a Common Internet File System (CIFS) share using kerberos authentication, the CIFS module uses the request_key mechanism to obtain the user's krb5 credentials. Once the key has been used and is no longer needed, CIFS revoked it. This caused key revoked errors to be returned when attempting to refetch the key. To fix this bug, the key_invalidate() call has been backported from the upstream code to discard the key. This call renders the discarded key invisible to further searches and wakes up the garbage collector immediately to remove the key from the keyrings and to destroy it. As a result, discarded keys are immediately cleared and are no longer returned on key searches.
- Previously, the fc_remote_port_del() call preceded the calls to re-establish the session with the Fibre Channel (FC) transport with the fc_remote_port_add() and fc_remote_port_rolechg() functiones. With this update, the fc_remote_port_del() call has been removed before re-establishing the connection, which prevents the race condition from occurring.
- Due to a race condition in the build_id_cache__add_s() function, system files could be truncated. This update fixes the race condition, and system files are no longer truncated in the aforementioned situation.
- Prior to this update, the "--queue-balance" option did not distribute traffic over multiple queues as the option ignored a request to balance among the given range and only used the first queue number given. As a consequence, the kernel traffic was limited to one queue. The underlying source code has been patched, and the kernel traffic is now balanced within the given range.
- CVE-2014-3215, Important
- A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system. Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
- CVE-2015-1421, Important
- A use-after-free flaw was found in the way the Linux kernel's SCTP implementation handled authentication key reference counting during INIT collisions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
- CVE-2014-3690, Moderate
- It was found that the Linux kernel's KVM implementation did not ensure that the host CR4 control register value remained unchanged across VM entries on the same virtual CPU. A local, unprivileged user could use this flaw to cause a denial of service on the system.
- CVE-2014-7825, Moderate
- An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's perf subsystem. A local, unprivileged user could use this flaw to crash the system.
- CVE-2014-7826, Moderate
- An out-of-bounds memory access flaw was found in the syscall tracing functionality of the Linux kernel's ftrace subsystem. On a system with ftrace syscall tracing enabled, a local, unprivileged user could use this flaw to crash the system, or escalate their privileges.
- CVE-2014-8171, Moderate
- It was found that the Linux kernel memory resource controller's (memcg) handling of OOM (out of memory) conditions could lead to deadlocks. An attacker able to continuously spawn new processes within a single memory-constrained cgroup during an OOM event could use this flaw to lock up the system.
- CVE-2014-9529, Moderate
- A race condition flaw was found in the way the Linux kernel keys management subsystem performed key garbage collection. A local attacker could attempt accessing a key while it was being garbage collected, which would cause the system to crash.
- CVE-2014-8884, Low
- A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge DEC USB device driver. A local user with write access to the corresponding device could use this flaw to crash the kernel or, potentially, elevate their privileges on the system.
- CVE-2014-9584, Low
- An information leak flaw was found in the way the Linux kernel's ISO9660 file system implementation accessed data on an ISO9660 image with RockRidge Extension Reference (ER) records. An attacker with physical access to the system could use this flaw to disclose up to 255 bytes of kernel memory.
- Due to a regression, when large reads which partially extended beyond the end of the underlying device were done, the raw driver returned the EIO error code instead of returning a short read covering the valid part of the device. The underlying source code has been patched, and the raw driver now returns a short read for the remainder of the device.
- Previously, a NULL pointer check that is needed to prevent an oops in the nfs_async_inode_return_delegation() function was removed. As a consequence, a NFS4 client could terminate unexpectedly. The missing NULL pointer check has been added back, and NFS4 client no longer crashes in this situation.
- A failure to leave a multicast group which had previously been joined prevented the attempt to unregister from the "sa" service. Multiple locking issues in the IPoIB multicast join and leave processing have been fixed so that leaving a group that has completed its join process is successful. As a result, attempts to unregister from the "sa" service no longer lock up due to leaked resources.
- Due to unbalanced multicast join and leave processing, the attempt to leave a multicast group that had not previously completed a join became unresponsive. This update resolves multiple locking issues in the IPoIB multicast code that allowed multicast groups to be left before the joining was entirely completed. Now, multicast join and leave failures or lockups no longer occur in the described situation.
- The kernel source code contained two definitions of the cpu_logical_map() function, which maps logical CPU numbers to physical CPU addresses. When translating the logical CPU number to the corresponding physical CPU number, the kernel used the second definition of cpu_logical_map(), which always used a one-to-one mapping of logical to physical CPU addresses. This mapping was, however, wrong after a reboot, especially if the target CPU was in the "stopped" state. Consequently, the system became unresponsive or showed unexpected latencies. With this update, the second definition of cpu_logical_map() has been removed. As a result, the kernel now correctly translates the CPU number to its physical address, and no unexpected latencies occur in this scenario.
- Previously, the kernel could under certain circumstances provide the tcp_collapse() function with a socket buffer (SKB) whose "headroom" was equal to the value of the PAGE_SIZE variable. Consequently, the copy value was zero in the loop, which could never exit because it was not making forward progress. To fix this problem, the loop has been rewritten to avoid the incorrect calculation. Instead, the loop copies either the value of the PAGE_SIZE variable or the size of the buffer, whichever is bigger. As a result, the tcp_collapse() function is no longer apt to get stuck in the loop, because the copy is always non-zero as long as long as the "end" differs from the "start".
- Prior to this update, when using the fibre channel driver, a race condition occurred in the rport scsi_remove_target() function. As a consequence, the kernel terminated unexpectedly when dereferencing an invalid address. To fix this bug, the changes to the reference counting infrastructure have been reverted, and the system no longer crashes.
- On older systems without the QCI instruction, all possible domains are probed via TAPQ instruction. Prior to this update, a specification exception could occur when this instruction was called for probing values greater than 16; for example, during the execution of the "insmod" command or the reset of the AP bus on machines without the QCI instruction (z10, z196, z114). zEC12 and newer systems were not affected. Consequently, loading the z90crypt kernel module caused a panic. Now, the domain checking function has been corrected to limit the allowed range if no QCI information is available. As a result, users are able to successfully load and perform cryptographic functions with the z90crypt device driver.
- Previously, KVM took a page fault with interrupts disabled. Consequently, the page fault handler tried to take a lock, but KSM sent an IPI while taking the same lock. Then KSM waited for the IPI to be processed, but KVM would not process it until it took the lock. KSM and KVM would eventually encounter a deadlock, each waiting for the other. With this update, the kernel avoids operations that can page fault while interrupts are disabled. As a result, KVM and KSM are no longer prone to a deadlock in the aforementioned scenario.
- The USB core uses the "hcpriv" member of the USB request block to determine whether a USB Request Block (URB) is active, but the ehci-hcd driver was not setting this correctly when it queued isochronous URBs. This in combination with a defect in the snd-usb-audio driver could cause URBs to be reused without waiting for them to complete. Consequently, list corruption followed by system freeze or a kernel crash occurred. To fix this problem, the ehci-hcd driver code has been updated to properly set the "hcpriv" variable for isochronous URBs, and the snd-usb-audio driver has been updated to synchronize pending stop operations on an endpoint before continuing with preparing the PCM stream. As a result, list corruption followed by system freeze or a crash no longer occurs.
- Previously, the Hewlett Packard Smart Array (HPSA) driver in conjunction with an older version of the HPSA firmware and the hp-snmp-agent monitoring software used the "system work queue" shared resource for an extensively long time. Consequently, random other tasks were blocked until the HPSA driver released the work queue, and messages such as the following were logged:
INFO: task sshd:6425 blocked for more than 120 seconds. INFO: task ptymonitor:22510 blocked for more than 120 seconds.With this update, the HPSA driver creates its own local work queue, which fixes this problem.
- Prior to this update, the GFS2 file system's "Splice Read" operation, which is used for functions such as sendfile(), was not properly allocating a required multi-block reservation structure in memory. As a consequence, when the GFS2 block allocator was called to assign blocks of data, it tried to dereference the structure, which resulted in a kernel panic. Now, GFS2's "Splice read" operation has been changed so that it properly allocates the necessary reservation structure in memory prior to calling the block allocator. As a result, sendfile() now works properly for GFS2.
- CVE-2014-7841, Important
- A flaw was found in the way the Linux kernel's SCTP implementation validated INIT chunks when performing Address Configuration Change (ASCONF). A remote attacker could use this flaw to crash the system by sending a specially crafted SCTP packet to trigger a NULL pointer dereference on the system.
- CVE-2014-4656, Moderate
- An integer overflow flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system.
- LVM2 thin provisioning is sensitive to I/Os within a full RAID stripe is issued to the controller's write-back cache in close proximity. This update improves LVM2 thin provisioning to work more efficiently on RAID devices.
- Previously, under a heavy I/O load, a timeout of an unresponsive task could occur while using LVM2 thin provisioning. With this update, various infrastructure used by LVM2 thin provisioning have been improved to be more efficient and correct. This includes the use of more efficient data structures, throttling worker threads to prevent an application from sending more I/O than can be handled, and pre-fetching metadata. This update also fixes the eviction logic used by the metadata I/O buffering layer, which ensures that metadata blocks are not evicted prematurely.
- Due to a malfunction in the USB controller driver, some data stream metadata was dropped. As a consequence, the integrated camera to failed to record with the following error message:
libv4l2: error turning on stream: No space left on deviceThis update fixes the data stream metadata handling, and the integrated camera works as expected.
- Before this update, a race condition occurred in the spin-lock logic on the PowerPC platform. Consequently, workloads caused heavy use of Inter-Process Communication (IPC), and the kernel could terminate unexpectedly. This update adds proper synchronization to the PowerPC spin-lock framework. As a result, the kernel no longer crashes under heavy use of IPC.
- Due to an overlooked piece of code that initializes the pre-operation change attribute, certain workloads could generate unnecessary cache invalidations and additional NFS read operations. This update fixes the initialization of the pre_change_attr field, which prevents unnecessarily cached data invalidation.
- Previously, under certain error conditions gfs2_converter introduced incorrect values for the on-disk inode's di_goal_meta field. As a consequence, gfs2_converter returned the EBADSLT error on such inodes and did not allow creation of the new files in directories or new blocks in regular files. The fix allows gfs2_converter to set a sensible goal value if a corrupt one is encountered and proceed with normal operations. With this update, gfs2_converter implicitly fixes any corrupt goal values, and thus no longer disrupts normal operations.
- Previously, under certain error conditions using the semaphore utility caused the kernel to become unresponsive. With update a patch has been applied to fix this bug. As a result, the the kernel hangs no longer occur while using semaphore.
- Before this update, due to a coding error in the e100 Ethernet driver update, physical layers (PHYs) did not initialize correctly. This could cause RX errors and decreased throughput, especially when using long UTP cabling. This update fixes the coding error, and as a result, the aforementioned scenario no longer occurs on the e100 Ethernet device.
- Before this update, a flaw in the duplicate reply cache in the NFS daemon allowed entries to be freed while they were still used. Consequently, a heavily loaded NFS daemon could terminate unexpectedly if an RPC call took a long time to process. The cache has been fixed to protect such entries from freeing, and the server now functions normally in the aforementioned scenario.
- Previously, external journal blocks were handled as blocks causing an increase of processor usage. Consequently, on the ext4 file systems configured with an external journal device, the df command could show negative values due to the subtraction of such journal blocks amount from the used blocks amount. With this update, the external journal blocks are handled properly, and therefore df no longer returns negative values.
- Before this update, raising the SIGBUS signal did not include a siginfo structure describing the cause of the SIGBUS exception. As a consequence, applications that use huge pages using the libhugetlbfs library failed. The PACKAGE_NAME has been updated to raise SIGBUS with a siginfo structure, to deliver BUS_ADRERR as si_code, and to deliver the address of the fault in the si_addr field. As a result, applications that use huge pages no longer fail in the aforementioned scenario.
- Previously, accessing a FUSE-based file system from kernel space could cause the kernel to become unresponsive during an inode look-up operation. To fix this bug, existing flags are verified before dereference occurs in the FUSE look-up handler. As a result, accessing a FUSE-based file system from kernel space works as expected.
- Previously, hot plugging of a USB EHCI controller could cause the kernel to become unresponsive. This update fixes the handling of a race condition in the EHCI error path during the hot-plugging event, and the kernel no longer hangs.
- Previously, the system functions semop() and semtimedop() did not update the time of the semaphore update located in the structure sem_otime, which was inconsistent with the function description in the man pages. With this update, a patch has been applied to fix this bug. As a result, semop() and semtimedop() now properly update the sem_otime structure.
- Before this update, when forwarding a packet, the iptables target TCPOPTSTRIP used the tcp_hdr() function to locate the option space. Consequently, TCPOPTSTRIP located the incorrect place in the packet, and therefore did not match options for stripping. With this update, TCPOPTSTRIP now uses the TCP header itself to locate the option space. As a result, the options are now properly stripped.
- Prior to this update, the ipset utility computed incorrect values of timeouts from an old IP set, and these values were then supplied to a IP new set. As a consequence, a resize on a IP set with a timeouts option enabled could supply corrupted data from an old IP set. This bug has been fixed by properly reading timeout values from an old set before supplying them to a new set.
- Previously, under certain conditions, a race condition between the semaphore creation code and the semop() function caused the kernel to become unresponsive. With this update, a patch has been applied, and the kernel hangs no longer occur.
- Prior to this update, a NULL pointer dereference could occur when then usb_wwan device driver was performing a disconnect operation. The usb_wwan disconnect procedure has been replaced with the port_remove procedure and, as a result, the kernel no longer hangs when removing a WWAN USB device.
- The usage of PCLMULQDQ instruction required the invocation of the kernel_fpu_begin() and kernel_fpu_end() functions. Consequently, the usage of the PCLMULQDQ instruction for the CRC32C checksum calculation incurred some increase of processor usage. With this update, a new function has been added in order to calculate the CRC32C checksum using the PCLMULQDQ instruction on processors that support this feature, which provides speedup over using the CRC32 instruction only.
- CVE-2014-5077, Important
- A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system.
- CVE-2013-2596, Important
- An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.
- CVE-2013-4483, Moderate
- A flaw was found in the way the ipc_rcu_putref() function in the Linux kernel's IPC implementation handled reference counter decrementing. A local, unprivileged user could use this flaw to trigger an Out of Memory (OOM) condition and, potentially, crash the system.
- CVE-2014-0181, Moderate
- It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process.
- CVE-2014-3122, Moderate
- It was found that the try_to_unmap_cluster() function in the Linux kernel's Memory Managment subsystem did not properly handle page locking in certain cases, which could potentially trigger the BUG_ON() macro in the mlock_vma_page() function. A local, unprivileged user could use this flaw to crash the system.
- CVE-2014-3601, Moderate
- A flaw was found in the way the Linux kernel's kvm_iommu_map_pages() function handled IOMMU mapping failures. A privileged user in a guest with an assigned host device could use this flaw to crash the host.
- CVE-2014-4653, CVE-2014-4654, CVE-2014-4655, Moderate
- Multiple use-after-free flaws were found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use either of these flaws to crash the system.
- CVE-2014-5045, Moderate
- A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation.
- CVE-2014-4608, Low
- An integer overflow flaw was found in the way the lzo1x_decompress_safe() function of the Linux kernel's LZO implementation processed Literal Runs. A local attacker could, in extremely rare cases, use this flaw to crash the system or, potentially, escalate their privileges on the system.
- A bug in the megaraid_sas driver could cause the driver to read the hardware status values incorrectly. As a consequence, the RAID card was disabled during the system boot and the system could fail to boot. With this update, the megaraid_sas driver has been corrected so that the RAID card is now enabled on system boot as expected.
- Due to a ndlp list corruption bug in the lpfc driver, systems with Emulex LPe16002B-M6 PCIe 2-port 16Gb Fibre Channel Adapters could trigger a kernel panic during I/O operations. A series of patches has been backported to address this problem so the kernel no longer panics during I/O operations on the aforementioned systems.
- Previously, when using a bridge interface configured on top of a bonding interface, the bonding driver was not aware of IP addresses assigned to the bridge. Consequently, with ARP monitoring enabled, the ARP monitor could not target the IP address of the bridge when probing the same subnet. The bridge was thus always reported as being down and could not be reached. With this update, the bonding driver has been made aware of IP addresses assigned to a bridge configured on top of a bonding interface, and the ARP monitor can now probe the bridge as expected. Note that the problem still occurs if the arp_validate option is used. Therefore, do not use this option in this case until this issue is fully resolved.
- BZ#1063478, BZ#1065398, BZ#1065404, BZ#1043540, BZ#1096328
- Several concurrency problems, that could result in data corruption, were found in the implementation of CTR and CBC modes of operation for AES, DES, and DES3 algorithms on IBM S/390 systems. Specifically, a working page was not protected against concurrency invocation in CTR mode. The fallback solution for not getting a working page in CTR mode did not handle iv values correctly. The CBC mode used did not properly save and restore the key and iv values in some concurrency situations. All these problems have been addressed in the code and the concurrent use of the aforementioned algorithms no longer cause data corruption.
- A previous change in the Advanced Programmable Interrupt Controller (APIC) code caused a regression on certain Intel CPUs using a Multiprocessor (MP) table. An attempt to read from the local APIC (LAPIC) could be performed before the LAPIC was mapped, resulting in a kernel crash during a system boot. A patch has been applied to fix this problem by mapping the LAPIC as soon as possible when parsing the MP table.
- A miscalculation in the "radix_tree" swap encoding corrupted swap area indexes bigger than 8 by truncating lower bits of swap entries. Consequently, systems with more than 8 swap areas could trigger a bogus OOM scenario when swapping out to such a swap area. This update fixes this problem by reducing a return value of the SWP_TYPE_SHIFT() function and removing a broken function call from the read_swap_header() function.
- Previously some device mapper kernel modules, such as dm-thin, dm-space-map-metadata, and dm-bufio, contained various bugs that had adverse effects on their proper functioning. This update backports several upstream patches that resolve these problems, including a fix for the metadata resizing feature of device mapper thin provisioning (thinp) and fixes for read-only mode for dm-thin and dm-bufio. As a result, the aforementioned kernel modules now contain the latest upstream changes and work as expected.
- When an attempt to create a file on the GFS2 file system failed due to a file system quota violation, the relevant VFS inode was not completely uninitialized. This could result in a list corruption error. This update resolves this problem by correctly uninitializing the VFS inode in this situation.
- In Red Hat Enterprise Linux 6.5, the TCP Segmentation Offload (TSO) feature is automatically disabled if the corresponding network device does not report any CSUM flag in the list of its features. Previously, VLAN devices that were configured over bonding devices did not propagate its NETIF_F_NO_CSUM flag as expected, and their feature lists thus did not contain any CSUM flags. As a consequence, the TSO feature was disabled for these VLAN devices, which led to poor bandwidth performance. With this update, the bonding driver propagates the aforementioned flag correctly so that network traffic now flows through VLAN devices over bonding without any performance problems.
- Due to a bug in the mlx4_en module, a data structure related to time stamping could be accessed before being initialized. As a consequence, loading mlx4_en could result in a kernel crash. This problem has been fixed by moving the initiation of the time stamp mechanism to the correct place in the code.
- Due to a previous change that was refactoring the Generic Routing Encapsulation (GRE) tunneling code, the ip_gre module did not work properly. As a consequence, GRE interfaces dropped every packet that had the Explicit Congestion Notification (ECN) bit set and did not have the ECN-Capable Transport (ECT) bit set. This update reintroduces the ipgre_ecn_decapsulate() function that is now used instead of the IP_ECN_decapsulate() function that was not properly implemented. The ip_gre module now works correctly and GRE devices process all packets as expected.
- When removing an inode from a name space on an XFS file system, the file system could enter a deadlock situation and become unresponsive. This happened because the removal operation incorrectly used the AGF and AGI locks in the opposite order than was required by the ordering constraint, which led to a possible deadlock between the file removal and inode allocation and freeing operations. With this update, the inode's reference count is dropped before removing the inode entry with the first transaction of the removal operation. This ensures that the AGI and AGF locks are locked in the correct order, preventing any further deadlocks in this scenario.
- Previously, the for_each_isci_host() macro was incorrectly defined so it accessed an out-of-range element for a 2-element array. This macro was also wrongly optimized by GCC 4.8 so that it was executed too many times on platforms with two SCU controllers. As a consequence, the system triggered a kernel panic when entering the S3 state, or a kernel oops when removing the isci module. This update corrects the aforementioned macro and the described problems no longer occur.
- A previous change enabled receive acceleration for VLAN interfaces configured on a bridge interface. However, this change allowed VLAN-tagged packets to bypass the bridge and be delivered directly to the VLAN interfaces. This update ensures that the traffic is correctly processed by a bridge before it is passed to any VLAN interfaces configured on that bridge.
- The Completely Fair Scheduler (CFS) did not verify whether the CFS period timer is running while throttling tasks on the CFS run queue. Therefore under certain circumstances, the CFS run queue became stuck because the CFS period timer was inactive and could not be restarted. To fix this problem, the CFS now restarts the CFS period timer inside the throttling function if it is inactive.
- Due to a bug in the ixgbevf driver, the stripped VLAN information from incoming packets on the ixgbevf interface could be lost, and such packets thus did not reach a related VLAN interface. This problem has been fixed by adding the packet's VLAN information to the Socket Buffer (skb) before passing it to the network stack. As a result, the ixgbevf driver now passes the VLAN-tagged packets to the appropriate VLAN interface.
- Previous patches to the CIFS code introduced a regression that prevented users from mounting a CIFS share using the NetBIOS over TCP service on the port 139. This problem has been fixed by masking off the top byte in the get_rfc1002_length() function.
- Previously, the locking of a semtimedop semaphore operation was not fine enough with remote non-uniform memory architecture (NUMA) node accesses. As a consequence, spinlock contention occurred, which caused delays in the semop() system call and high load on the server when running numerous parallel processes accessing the same semaphore. This update improves scalability and performance of workloads with a lot of semaphore operations, especially on larger NUMA systems. This improvement has been achieved by turning the global lock for each semaphore array into a per-semaphore lock for many semaphore operations, which allows multiple simultaneous semop() operations. As a result, performance degradation no longer occurs.
- A rare race between the file system unmount code and the file system notification code could lead to a kernel panic. With this update, a series of patches has been applied to the kernel to prevent this problem.
- A bug in the bio layer could prevent user space programs from writing data to disk when the system run under heavy RAM memory fragmentation conditions. This problem has been fixed by modifying a respective function in the bio layer to refuse to add a new memory page only if the page would start a new memory segment and the maximum number of memory segments has already been reached.
- A bug in the qla2xxx driver caused the kernel to crash. This update resolves this problem by fixing an incorrect condition in the "for" statement in the qla2x00_alloc_iocbs() function.
- A previous change that introduced global clock updates caused guest machines to boot slowly when the host Time Stamp Counter (TSC) was marked as unstable. The slow down increased with the number of vCPUs allocated. To resolve this problem, a patch has been applied to limit the rate of the global clock updates.
- A previously backported patch to the XFS code added an unconditional call to the xlog_cil_empty() function. If the XFS file system was mounted with the unsupported nodelaylog option, that call resulted in access to an uninitialized spin lock and a consequent kernel panic. To avoid this problem, the nodelaylog option has been disabled; the option is still accepted but has no longer any effect. (The nodelaylog mount option was originally intended only as a testing option upstream, and has since been removed.)
- Due to a bug in the hrtimers subsystem, the clock_was_set() function called an inter-processor interrupt (IPI) from soft IRQ context and waited for its completion, which could result in a deadlock situation. A patch has been applied to fix this problem by moving the clock_was_set() function call to the working context. Also during the resume process, the hrtimers_resume() function reprogrammed kernel timers only for the current CPU because it assumed that all other CPUs are offline. However, this assumption was incorrect in certain scenarios, such as when resuming a Xen guest with some non-boot CPUs being only stopped with IRQs disabled. As a consequence, kernel timers were not corrected on other than the boot CPU even though those CPUs were online. To resolve this problem, hrtimers_resume() has been modified to trigger an early soft IRQ to correctly reprogram kernel timers on all CPUs that are online.
- A bug in the vmxnet3 driver allowed potential race conditions to be triggered when the driver was used with the netconsole module. The race conditions allowed the driver's internal NAPI poll routine to run concurrently with the netpoll controller routine, which resulted in data corruption and a subsequent kernel panic. To fix this problem, the vmxnet3 driver has been modified to call the appropriate interrupt handler to schedule NAPI poll requests properly.
- The Red Hat GFS2 file system previously limited a number of ACL entries per inode to 25. However, this number was insufficient in some cases, causing the setfacl command to fail. This update increases this limit to maximum of 300 ACL entries for the 4 KB block size. If the block size is smaller, this value is adjusted accordingly.
- The SCTP sctp_connectx() ABI did not work properly for 64-bit kernels compiled with 32-bit emulation. As a consequence, applications utilizing the sctp_connectx() function did not run in this case. To fix this problem, a new ABI has been implemented; the COMPAT ABI enables to copy and transform user data from a COMPAT-specific structure to a SCTP-specific structure. Applications that require sctp_connectx() now work without any problems on a system with a 64-bit kernel compiled with 32-bit emulation.
- Previously, if a hrtimer interrupt was delayed, all future pending hrtimer events that were queued on the same processor were also delayed until the initial hrtimer event was handled. This could cause all hrtimer processing to stop for a significant period of time. To prevent this problem, the kernel has been modified to handle all expired hrtimer events when handling the initially delayed hrtimer event.
- A previous change in the NFSv4 code resulted in breaking the sync NFSv4 mount option. A patch has been applied that restores functionality of the sync mount option.
- The code responsible for creating and binding of packet sockets was not optimized and therefore applications that utilized the socket() and bind() system calls did not perform as expected. A patch has been applied to the packet socket code so that latency for socket creating and binding is now significantly lower in certain cases.
- A race condition between completion and timeout handling in the block device code could sometimes trigger a BUG_ON() assertion, resulting in a kernel panic. This update resolves this problem by relocating a relevant function call and the BUG_ON() assertion in the code.
- The context of the user's process could not be previously saved on PowerPC platforms if the VSX Machine State Register (MSR) bit was set but the user did not provide enough space to save the VSX state. This update allows to clear the VSX MSR bit in such a situation, indicating that there is no valid VSX state in the user context.
- The kernel task scheduler could trigger a race condition while migrating tasks over CPU cgroups. The race could result in accessing a task that pointed to an incorrect parent task group, causing the system to behave unpredictably, for example to appear being unresponsive. This problem has been resolved by ensuring that the correct task group information is properly stored during the task's migration.
- Previously, when hot adding memory to the system, the memory management subsystem always performed unconditional page-block scans for all memory sections being set online. The total duration of the hot add operation depends on both, the size of memory that the system already has and the size of memory that is being added. Therefore, the hot add operation took an excessive amount of time to complete if a large amount of memory was added or if the target node already had a considerable amount of memory. This update optimizes the code so that page-block scans are performed only when necessary, which greatly reduces the duration of the hot add operation.
- Due to a bug in the SELinux socket receive hook, network traffic was not dropped upon receiving a peer:recv access control denial on some configurations. A broken labeled networking check in the SELinux socket receive hook has been corrected, and network traffic is now properly dropped in the described case.
- Recent changes in the d_splice_alias() function introduced a bug that allowed d_splice_alias() to return a dentry from a different directory than was the directory being looked up. As a consequence in cluster environment, a kernel panic could be triggered when a directory was being removed while a concurrent cross-directory operation was performed on this directory on another cluster node. This update avoids the kernel panic in this situation by correcting the search logic in the d_splice_alias() function so that the function can no longer return a dentry from an incorrect directory.
- When utilizing SCTP over the bonding device in Red Hat Enterprise Linux 6.5 and later, SCTP assumed offload capabilities on virtual devices where it was not guaranteed that underlying physical devices are equipped with these capabilities. As a consequence, checksums of the outgoing packets became corrupted and a network connection could not be properly established. A patch has been applied to ensure that checksums of the packages to the devices without SCTP checksum capabilities are properly calculated in software fallback. SCTP connections over the bonding devices can now be established as expected in Red Hat Enterprise Linux 6.5 and later.
- A previous change in the TCP code that extended the "proto" struct with a new function, release_cb(), broke integrity of the kernel Application Binary Interface (kABI). If the core stack called a newly introduced pointer to this function for a module that was compiled against older kernel headers, the call resulted in out-of-bounds access and a subsequent kernel panic. To avoid this problem, the core stack has been modified to recognize a newly introduced slab flag, RHEL_EXTENDED_PROTO. This allows the core stack to safely access the release_cb pointer only for modules that support it.
- A previous change removed the ZONE_RECLAIM_LOCKED flag from Linux memory management code in order to fix a NUMA node allocation problem in the memory zone reclaim logic. However, the flag removal allowed concurrent page reclaiming within one memory zone, which, under heavy system load, resulted in unwanted spin lock contention and subsequent performance problems (systems became slow or unresponsive). This update resolves this problem by preventing reclaim threads from scanning a memory zone if the zone does not satisfy scanning requirements. Systems under heavy load no longer suffer from CPU overloading but sustain their expected performance.
- NFSv4 incorrectly handled a situation when an NFS client received an NFS4ERR_ADMIN_REVOKED error after sending a CLOSE operation. As a consequence, the client kept sending the same CLOSE operation indefinitely although it was receiving NFS4ERR_ADMIN_REVOKED errors. A patch has been applied to the NFSv4 code to ensure that the NFS client sends the particular CLOSE operation only once in this situation.
- Due to recent changes in the Linux memory management, the kernel did not properly handle per-CPU LRU page vectors when hot unplugging CPUs. As a consequence, the page vector of the relevant offline CPU kept memory pages for memory accounting. This prevented the libvirtd daemon from removing the relevant memory cgroup directory upon system shutdown, rendering libvirtd unresponsive. To resolve this problem, the Linux memory management now properly flushes memory pages of offline CPUs from the relevant page vectors.
- An incorrectly placed function call in the cgroup code prevented the notify_on_release functionality from working properly. This functionality is used to remove empty cgroup directories, however due to this bug, some empty cgroup directories were remaining on the system. This update ensures that the notify_on_release functionality is always correctly triggered by correctly ordering operations in the cgroup_task_migrate() function.
- Previously, NFSv4 allowed an NFSv4 client to resume an expired or lost file lock. This could result in file corruption if the file was modified in the meantime. This problem has been resolved by a series of patches ensuring that an NFSv4 client no longer attempts to recover expired or lost file locks.
- Systems that use NFS file systems could become unresponsive or trigger a kernel oops due to a use-after-free bug in the duplicate reply cache (DRC) code in the nfsd daemon. This problem has been resolved by modifying nfsd to unhash DRC entries before attempting to use them and to prefer to allocate a new DRC entry from the slab instead of reusing an expired entry from the list.
- Inefficient usage of Big Kernel Locks (BKLs) in the ptrace() system call could lead to BKL contention on certain systems that widely utilize ptrace(), such as User-mode Linux (UML) systems, resulting in degraded performance on these systems. This update removes the relevant BKLs from the ptrace() system call, thus resolving any related performance issues.
- A bug in the ixgbe driver caused that IPv6 hardware filtering tables were not correctly rewritten upon interface reset when using a bridge device over the PF interface in an SR-IOV environment. As a result, the IPv6 traffic between VFs was interrupted. An upstream patch has been backported to modify the ixgbe driver so that the update of the Multimedia Terminal Adapter (MTA) table is now unconditional, avoiding possible inconsistencies in the MTA table upon PF's reset. The IPv6 traffic between VFs proceeds as expected in this scenario.
- Later Intel CPUs added a new "Condition Changed" bit to the MSR_CORE_PERF_GLOBAL_STATUS register. Previously, the kernel falsely assumed that this bit indicates a performance interrupt, which prevented other NMI handlers from running and executing. To fix this problem, a patch has been applied to the kernel to ignore this bit in the perf code, enabling other NMI handlers to run.
- Due to a bug in the mlx4 driver, Mellanox Ethernet cards were brought down unexpectedly while adjusting their Tx or Rx ring. A patch has been applied so that the mlx4 driver now properly verifies the state of the Ethernet card when the coalescing of the Tx or Rx ring is being set, which resolves this problem.
- Previously, hardware could execute commands send by drivers in FIFO order instead of tagged order. Commands thus could be executed out of sequence, which could result in large latencies and degradation of throughput. With this update, the ATA subsystem tags each command sent to the hardware, ensuring that the hardware executes commands in tagged order. Performance on controllers supporting tagged commands can now increase by 30-50%.
- When transferring a large amount of data over the peer-to-peer (PPP) link, a rare race condition between the throttle() and unthrottle() functions in the tty driver could be triggered. As a consequence, the tty driver became unresponsive, remaining in the throttled state, which resulted in the traffic being stalled. Also, if the PPP link was heavily loaded, another race condition in the tty driver could has been triggered. This race allowed an unsafe update of the available buffer space, which could also result in the stalled traffic. A series of patches addressing both race conditions has been applied to the tty driver; if the first race is triggered, the driver loops and forces re-evaluation of the respective test condition, which ensures uninterrupted traffic flow in the described situation. The second race is now completely avoided due to a well-placed read lock, and the update of the available buffer space proceeds correctly.
- Previously, the Huge Translation Lookaside Buffer (HugeTLB) unconditionally allowed access to huge pages. However, huge pages may be unsupported in some environments, such as a KVM guest on the PowerPC architecture when not backed by huge pages, and an attempt to use a base page as a huge page in memory would result in a kernel oops. This update ensures that HugeTLB denies access to huge pages if the huge pages are not supported on the system.
- The restart logic for the memory reclaiming with compaction was previously applied on the level of LRU page vectors. This could, however, cause significant latency in memory allocation because memory compaction does not require only memory pages of a certain cgroup but a whole memory zone. This performance issue has been fixed by moving the restart logic to the zone level and restarting the memory reclaim for all memory cgroups in a zone when the compaction requires more free pages from the zone.
- A bug in the mlx4 driver could trigger a race between the "blue flame" feature's traffic flow and the stamping mechanism in the Tx ring flow when processing Work Queue Elements (WQEs) in the Tx ring. Consequently, the related queue pair (QP) of the mlx4 Ethernet card entered an error state and the traffic on the related Tx ring was blocked. A patch has been applied to the mlx4 driver so that the driver does not stamp the last completed WQE in the Tx ring, and thus avoids the aforementioned race.
- When a page table is upgraded, a new top level of the page table is added for the virtual address space, which results in a new Address Space Control Element (ASCE). However, the Translation Lookaside Buffer (TLB) of the virtual address space was not previously flushed on page table upgrade. As a consequence, the TLB contained entries associated with the old ASCE which led to unexpected program failures and random data corruption. To correct this problem, the TLB entries associated with the old ASCE are now flushed as expected upon page table upgrade.
- A previous change in the Linux memory management on IBM System z removed the handler for the Address Space Control Element (ASCE) type of exception. As a consequence, the kernel was unable to handle ASCE exceptions, which led to a kernel panic. Such an exception was triggered, for example, if the kernel attempted to access user memory with an address that was larger than the current page table limit from a user-space program. This problem has been fixed by calling the standard page fault handler, do_dat_exception, if an ASCE exception is raised.
- Due to a bug in the mount option parser, prefix paths on a CIFS DFS share could be prepended with a double backslash ('\\'), resulting in an incorrect "No such file" error in certain environments. The mount option parser has been fixed and prefix paths now starts with a single backslash as expected.
- Due to a bug in the Infiniband driver, the ip and ifconfig utilities reported the link status of the IP over Infiniband (IPoIB) interfaces incorrectly (as "RUNNING" in case of "ifconfig", and as "UP" in case of "ip") even if no cable was connected to the respective network card. The problem has been corrected by calling the respective netif_carrier_off() function on the right place in the code. The link status of the IPoIB interfaces is now reported correctly in the described situation.
- An earlier patch to the kernel added the dynamic queue depth throttling functionality to the QLogic's qla2xxx driver that allowed the driver to adjust queue depth for attached SCSI devices. However, the kernel might have crashed when having this functionality enabled in certain environments, such as on systems with EMC PowerPath Multipathing installed that were under heavy I/O load. To resolve this problem, the dynamic queue depth throttling functionality has been removed from the qla2xxx driver.
- A bug in the Completely Fair Scheduler (CFS) could, under certain circumstances, trigger a race condition while moving a forking task between cgroups. This race could lead to a free-after-use error and a subsequent kernel panic when a child task was accessed while it was pointing to a stale cgroup of its parent task. A patch has been applied to the CFS to ensure that a child task always points to the valid parent's task group.
- When performing I/O operations on a heavily-fragmented GFS2 file system, significant performance degradation could occur. This was caused by the allocation strategy that GFS2 used to search for an ideal contiguous chunk of free blocks in all the available resource groups (rgrp). A series of patches has been applied that improves performance of GFS2 file systems in case of heavy fragmentation. GFS2 now allocates the biggest extent found in the rgrp if it fulfills the minimum requirements. GFS2 has also reduced the amount of bitmap searching in case of multi-block reservations by keeping track of the smallest extent for which the multi-block reservation would fail in the given rgrp. This improves GFS2 performance by avoiding unnecessary rgrp free block searches that would fail. Additionally, this patch series fixes a bug in the GFS2 block allocation code where a multi-block reservation was not properly removed from the rgrp's reservation tree when it was disqualified, which eventually triggered a BUG_ON() macro due to an incorrect count of reserved blocks.
- Due to a race condition in the cgroup code, the kernel task scheduler could trigger a use-after-free bug when it was moving an exiting task between cgroups, which resulted in a kernel panic. This update avoids the kernel panic by introducing a new function, cpu_cgroup_exit(). This function ensures that the kernel does not release a cgroup that is not empty yet.
- Due to a race condition in the cgroup code, the kernel task scheduler could trigger a kernel panic when it was moving an exiting task between cgroups. A patch has been applied to avoid this kernel panic by replacing several improperly used function calls in the cgroup code.
- The automatic route cache rebuilding feature could incorrectly compute the length of a route hash chain if the cache contained multiple entries with the same key but a different TOS, mark, or OIF bit. Consequently, the feature could reach the rebuild limit and disable the routing cache on the system. This problem is fixed by using a helper function that avoids counting such duplicate routes.
- NFS previously called the drop_nlink() function after removing a file to directly decrease a link count on the related inode. Consequently, NFS did not revalidate an inode cache, and could thus use a stale file handle, resulting in an ESTALE error. A patch has been applied to ensure that NFS validates the inode cache correctly after removing a file.
- Previously, the vmw_pwscsi driver could attempt to complete a command to the SCSI mid-layer after reporting a successful abort of the command. This led to a double completion bug and a subsequent kernel panic. This update ensures that the pvscsi_abort() function returns SUCCESS only after the abort is completed, preventing the driver from invalid attempts to complete the command.
- Due to several bugs in the IPv6 code, a soft lockup could occur when the number of cached IPv6 destination entries reached the garbage collector treshold on a high-traffic router. A series of patches has been applied to address this problem. These patches ensure that the route probing is performed asynchronously to prevent a dead lock with garbage collection. Also, the garbage collector is now run asynchronously, preventing CPUs that concurrently requested the garbage collector from waiting until all other CPUs finish the garbage collection. As a result, soft lockups no longer occur in the described situation.
- Due to a bug in the NFS code, the state manager and the DELEGRETURN operation could enter a deadlock if an asynchronous session error was received while DELEGRETURN was being processed by the state manager. The state manager became unable to process the failing DELEGRETURN operation because it was waiting for an asynchronous RPC task to complete, which could not have been completed because the DELEGRETURN operation was cycling indefinitely with session errors. A series of patches has been applied to ensure that the asynchronous error handler waits for recovery when a session error is received and the deadlock no longer occurs.
- The RPC client always retransmitted zero-copy of the page data if it timed out before the first RPC transmission completed. However, such a retransmission could cause data corruption if using the O_DIRECT buffer and the first RPC call completed while the respective TCP socket still held a reference to the pages. To prevent the data corruption, retransmission of the RPC call is, in this situation, performed using the sendmsg() function. The sendmsg() function retransmits an authentic reproduction of the first RPC transmission because the TCP socket holds the full copy of the page data.
- Due to a bug in the nouveau kernel module, the wrong display output could be modified in certain multi-display configurations. Consequently, on Lenovo Thinkpad T420 and W530 laptops with an external display connected, this could result in the LVDS panel "bleeding" to white during startup, and the display controller might become non-functional until after a reboot. Changes to the display configuration could also trigger the bug under various circumstances. With this update, the nouveau kernel module has been corrected and the said configurations now work as expected.
- When guest supports Supervisor Mode Execution Protection (SMEP), KVM sets the appropriate permissions bits on the guest page table entries (sptes) to emulate SMEP enforced access. Previously, KVM was incorrectly verifying whether the "smep" bit was set in the host cr4 register instead of the guest cr4 register. Consequently, if the host supported SMEP, it was enforced even though it was not requested, which could render the guest system unbootable. This update corrects the said "smep" bit check and the guest system boot as expected in this scenario.
- If a statically defined gateway became unreachable and its corresponding neighbor entry entered a FAILED state, the gateway stayed in the FAILED state even after it became reachable again. This prevented routing of the traffic through that gateway. This update allows probing such a gateway automatically and routing the traffic through the gateway again once it becomes reachable.
- Previously, certain network device drivers did not accept ethtool commands right after they were mounted. As a consequence, the current setting of the specified device driver was not applied and an error message was returned. The ETHTOOL_DELAY variable has been added, which makes sure the ethtool utility waits for some time before it tries to apply the options settings, thus fixing the bug.
- A system could enter a deadlock situation when the Real-Time (RT) scheduler was moving RT tasks between CPUs and the wakeup_kswapd() function was called on multiple CPUs, resulting in a kernel panic. This problem has been fixed by removing a problematic memory allocation and therefore calling the wakeup_kswapd() function from a deadlock-safe context.
- Previously, the e752x_edac module incorrectly handled the pci_dev usage count, which could reach zero and deallocate a PCI device structure. As a consequence, a kernel panic could occur when the module was loaded multiple times on some systems. This update fixes the usage count that is triggered by loading and unloading the module repeatedly, and a kernel panic no longer occurs.
- The IPv4 and IPv6 code contained several issues related to the conntrack fragmentation handling that prevented fragmented packages from being properly reassembled. This update applies a series of patches and ensures that MTU discovery is handled properly, and fragments are correctly matched and packets reassembled.
- The kernel did not handle environmental and power warning (EPOW) interrupts correctly. This prevented successful usage of the "virsh shutdown" command to shut down guests on IBM POWER8 systems. This update ensures that the kernel handles EPOW events correctly and also prints informative descriptions for the respective EPOW events. The detailed information about each encountered EPOW can be found in the Real-Time Abstraction Service (RTAS) error log.
- The bridge MDB RTNL handlers were incorrectly removed after deleting a bridge from the system with more then one bridge configured. This led to various problems, such as that the multicast IGMP snooping data from the remaining bridges were not displayed. This update ensures that the bridge handlers are removed only after the bridge module is unloaded, and the multicast IGMP snooping data now displays correctly in the described situation.
- A previous change to the SCSI code fixed a race condition that could occur when removing a SCSI device. However, that change caused performance degradation because it used a certain function from the block layer code that was returning different values compared with later versions of the kernel. This update alters the SCSI code to properly utilize the values returned by the block layer code.
- A previous change to the md driver disabled the TRIM operation for RAID5 volumes in order to prevent a possible kernel oops. However, if a MD RAID volume was reshaped to a different RAID level, this could result in TRIM being disabled on the resulting volume, as the RAID4 personality is used for certain reshapes. A patch has been applied that corrects this problem by setting the stacking limits before changing a RAID level, and thus ensuring the correct discard (TRIM) granularity for the RAID array.
- As a result of a recent fix preventing a deadlock upon an attempt to cover an active XFS log, the behavior of the xfs_log_need_covered() function has changed. However, xfs_log_need_covered() is also called to ensure that the XFS log tail is correctly updated as a part of the XFS journal sync operation. As a consequence, when shutting down an XFS file system, the sync operation failed and some files might have been lost. A patch has been applied to ensure that the tail of the XFS log is updated by logging a dummy record to the XFS journal. The sync operation completes successfully and files are properly written to the disk in this situation.
- There was an error in the tag insertion logic, and the bonding handled cases when a slave device did not have a hardware VLAN acceleration. As a consequence, network packets were tagged twice when passing through slave devices without hardware VLAN tag insertion, and network cards using a VLAN over a bonding device did not work properly. This update removes the redundant VLAN tag insertion logic, and the unwanted behavior no longer occurs.
- Due to a bug in the Emulex lpfc driver, the driver could not allocate a SCSI buffer properly, which resulted in severe performance degradation of lpfc adapters on 64-bit PowerPC systems. A patch addressing this problem has been applied so that lpfc allocates the SCSI buffer correctly and lpfc adapters now work as expected on 64-bit PowerPC systems.
- Previously, certain SELinux functions did not correctly handle the TCP synchronize-acknowledgment (SYN-ACK) packets when processing IPv4 labeled traffic over an INET socket. The initial SYN-ACK packets were labeled incorrectly by SELinux, and as a result, the access control decision was made using the server socket's label instead of the new connection's label. In addition, SELinux was not properly inspecting outbound labeled IPsec traffic, which led to similar problems with incorrect access control decisions. A series of patches that addresses these problems has been applied to SELinux. The initial SYN-ACK packets are now labeled correctly and SELinux processes all SYN-ACK packets as expected.
- A previous change to the Open vSwitch kernel module introduced a use-after-free problem that resulted in a kernel panic on systems that use this module. This update ensures that the affected object is freed on the correct place in the code, thus avoiding the problem.
- Previously, the GFS2 kernel module leaked memory in the gfs2_bufdata slab cache and allowed a use-after-free race condition to be triggered in the gfs2_remove_from_journal() function. As a consequence after unmounting the GFS2 file system, the GFS2 slab cache could still contain some objects, which subsequently could, under certain circumstances, result in a kernel panic. A series of patches has been applied to the GFS2 kernel module, ensuring that all objects are freed from the slab cache properly and the kernel panic is avoided.
- A bug in the RSXX DMA handling code allowed DISCARD operations to call the pci_unmap_page() function, which triggered a race condition on the PowerPC architecture when DISCARD, READ, and WRITE operations were issued simultaneously. However, DISCARD operations are always assigned a DMA address of 0 because they are never mapped. Therefore, this race could result in freeing memory that was mapped for another operation and a subsequent EEH event. A patch has been applied, preventing the DISCARD operations from calling pci_unmap_page(), and thus avoiding the aforementioned race condition.
- Due to a regression bug in the mlx4 driver, Mellanox mlx4 adapters could become unresponsive on heavy load along with IOMMU allocation errors being logged to the systems logs. A patch has been applied to the mlx4 driver so that the driver now calculates the last memory page fragment when allocating memory in the Rx path.
- When performing read operations on an XFS file system, failed buffer readahead can leave the buffer in the cache memory marked with an error. This could lead to incorrect detection of stale errors during completion of an I/O operation because most callers do not zero out the b_error field of the buffer on a subsequent read. To avoid this problem and ensure correct I/O error detection, the b_error field of the used buffer is now zeroed out before submitting an I/O operation on a file.
- Due to the locking mechanism that the kernel used while handling Out of Memory (OOM) situations in memory control groups (cgroups), the OOM killer did not work as intended in case that many processes triggered an OOM. As a consequence, the entire system could become or appear to be unresponsive. A series of patches has been applied to improve this locking mechanism so that the OOM killer now works as expected in memory cgroups under heavy OOM load.
- Due to a bug in the GRE tunneling code, it was impossible to create a GRE tunnel with a custom name. This update corrects behavior of the ip_tunnel_find() function, allowing users to create GRE tunnels with custom names.
- When the system was under memory stress, a double-free bug in the tg3 driver could have been triggered, resulting in a NIC being brought down unexpectedly followed by a kernel panic. A patch has been applied that restructures the respective code so that the affected ring buffer is freed correctly.
- If the BIOS returned a negative value for the critical trip point for the given thermal zone during a system boot, the whole thermal zone was invalidated and an ACPI error was printed. However, the thermal zone may still have been needed for cooling. With this update, the ACPI thermal management has been modified to only disable the relevant critical trip point in this situation.
- Due to a missing part of the bcma driver, the brcmsmac kernel module did not have a list of internal aliases that was needed by the kernel to properly handle the related udev events. Consequently, when the bcma driver scanned for the devices at boot time, these udev events were ignored and the kernel did not load the brcmsmac module automatically. A patch that provides missing aliases has been applied so that the udev requests of the brcmsmac module are now handled as expected and the kernel loads the brcmsmac module automatically on boot.
- Previously, KVM did not accept PCI domain (segment) number for host PCI devices, making it impossible to assign a PCI device that was a part of a non-zero PCI segment to a virtual machine. To resolve this problem, KVM has been extended to accept PCI domain number in addition to slot, device, and function numbers.
- Due to a bug in the EDAC driver, the driver failed to decode and report errors on AMD family 16h processors correctly. This update incorporates a missing case statement to the code so that the EDAC driver now handles errors as expected.
- Previous changes to the igb driver caused the ethtool utility to determine and display some capabilities of the Ethernet devices incorrectly. This update fixes the igb driver so that the actual link capabilities are now determined properly, and ethtool displays values as accurate as possible in dependency on the data available to the driver.
- Previously, devices using the ixgbevf driver that were assigned to a virtual machine could not adjust their Jumbo MTU value automatically if the Physical Function (PF) interface was down; when the PF device was brought up, the MTU value on the related Virtual Function (VF) device was set incorrectly. This was caused by the way the communication channel between PF and VF interfaces was set up and the first negotiation attempt between PF and VF was made. To fix this problem, structural changes to the ixgbevf driver have been made so that the kernel can now negotiate the correct API between PF and VF successfully and the MTU value is now set correctly on the VF interface in this situation.
- A chunk of a patch was left out when backporting a batch of patches that fixed an infinite loop problem in the LOCK operation with zero state ID during NFSv4 state ID recovery. As a consequence, the system could become unresponsive on numerous occasions. The missing chunk of the patch has been added, resolving this hang issue.
- The kernel previously did not reset the kernel ring buffer if the trace clock was changed during tracing. However, the new clock source could be inconsistent with the previous clock source, and the result trace record thus could contain incomparable time stamps. To ensure that the trace record contains only comparable time stamps, the ring buffer is now reset whenever the trace clock changes.
- When using Haswell HDMI audio controllers with an unaligned DMA buffer size, these audio controllers could become locked up until the next reboot for certain audio stream configurations. A patch has been applied to the Intel's High Definition Audio (HDA) driver that enforces the DMA buffer alignment setting for the Haswell HDMI audio controllers. These audio controllers now work as expected.
- A previous change to the virtual file system (VFS) code included the reduction of the PATH_MAX variable by 32 bytes. However, this change was not propagated to the do_getname() function, which had a negative impact on interactions between the getname() and do_getname() functions. This update modifies do_getname() accordingly and this function now works as expected.
- Previously, when removing an IPv6 address from an interface, unreachable routes related to that address were not removed from the IPv6 routing table. This happened because the IPv6 code used inappropriate function when searching for the routes. To avoid this problem, the IPv6 code has been modified to use the ip6_route_lookup() function instead of rt6_lookup() in this situation. All related routes are now properly deleted from the routing tables when an IPv6 address is removed.
- A bug in the statistics flow in the bnx2x driver caused the card's DMA Engine (DMAE) to be accessed without taking a necessary lock. As a consequence, previously queued DMAE commands could be overwritten and the Virtual Functions then could timeout on requests to their respective Physical Functions. The likelihood of triggering the bug was higher with more SR-IOV Virtual Functions configured. Overwriting of the DMAE commands could also result in other problems even without using SR-IOV. This update ensures that all flows utilizing DMAE will use the same API and the proper locking scheme is kept by all these flows.
- The bnx2x driver handled unsupported TLVs received from a Virtual Function (VF) using the VF-PF channel incorrectly; when a driver of the VF sent a known but unsupported TLV command to the Physical Function, the driver of the PF did not reply. As a consequence, the VF-PF channel was left in an unstable state and the VF eventually timed out. A patch has been applied to correct the VF-PF locking scheme so that unsupported TLVs are properly handled and responded to by the PF side. Also, unsupported TLVs could previously render a mutex used to lock the VF-PF operations. The mutex then stopped protecting critical sections of the code, which could result in error messages being generated when the PF received additional TLVs from the VF. A patch has been applied that corrects the VF-PF channel locking scheme, and unsupported TLVs thus can no longer break the VF-PF lock.
- When performing buffered WRITE operations from multiple processes to a single file, the NFS code previously always verified whether the lock owner information is identical for the file being accessed even though no file locks were involved. This led to performance degradation because forked child processes had to synchronize dirty data written to a disk by the parent process before writing to a file. Also, when coalescing requests into a single READ or WRITE RPC call, NFS refused the request if the lock owner information did not match for the given file even though no file locks were involved. This also caused performance degradation. A series of patches has been applied that relax relevant test conditions so that lock owner compatibility is no longer verified in the described cases, which resolves these performance issues.
- Due to a previous change that altered the format of the txselect parameter, the InfiniBand qib driver was unable to support HP branded QLogic QDR InfiniBand cards in HP Blade servers. To resolve this problem, the driver's parsing routine, setup_txselect(), has been modified to handle multi-value strings.
- Due to a race condition that allowed a RAID array to be written to while it was being stopped, the md driver could enter a deadlock situation. The deadlock prevented buffers from being written out to the disk, and all I/O operations to the device became unresponsive. With this update, the md driver has been modified so this deadlock is now avoided.
- Previously, recovery of a double-degraded RAID6 array could, under certain circumstances, result in data corruption. This could happen because the md driver was using an optimization that is safe to use only for single-degraded arrays. This update ensures that this optimization is skipped during the recovery of double-degraded RAID6 arrays.
- NFS previously allowed a race between "silly rename" operations and the rmdir() function to occur when removing a directory right after an unlinked file in the directory was closed. As a result, rmdir() could fail with an EBUSY error. This update applies a patch ensuring that NFS waits for any asynchronous operations to complete before performing the rmdir() operation.
- A deadlock between the state manager, kswapd daemon, and the sys_open() function could occur when the state manager was recovering from an expired state and recovery OPEN operations were being processed. To fix this problem, NFS has been modified to ignore all errors from the LAYOUTRETURN operation (a pNFS operation) except for "NFS4ERR_DELAY" in this situation.
- Previously, in certain environments, such as an HP BladeSystem Enclosure with several Blade servers, the kdump kernel could experience a kernel panic or become unresponsive during boot due to lack of available interrupt vectors. As a consequence, kdump failed to capture a core dump. To increase a number of available interrupt vectors, the kdump kernel can boot up with more CPUs. However, the kdump kernel always tries to boot up with the bootstrap processor (BSP), which can cause the kernel to fail to bring up more than one CPU under certain circumstances. This update introduces a new kernel parameter, disable_cpu_acipid, which allows the kdump kernel to disable BSP during boot and then to successfully boot up with multiple processors. This resolves the problem of lack of available interrupt vectors for systems with a high number of devices and ensures that kdump can now successfully capture a core dump on these systems.
- The ext4_releasepage() function previously emitted an unnecessary warning message when it was passed a page with the PageChecked flag set. To avoid irrelevant warnings in the kernel log, this update removes the related WARN_ON() from the ext4 code.
- Previously, user space packet capturing libraries, such as libcap, had a limited possibility to determine which Berkeley Packet Filter (BPF) extensions are supported by the current kernel. This limitation had a negative effect on VLAN packet filtering that is performed by the tcpdump utility and tcpdump sometimes was not able to capture filtered packets correctly. Therefore, this update introduces a new option, SO_BPF_EXTENSIONS, which can be specified as an argument of the getsockopt() function. This option enables packet capturing tools to obtain information about which BPF extensions are supported by the current kernel. As a result, the tcpdump utility can now capture packets properly.
- The RTM_NEWLINK messages can contain information about every virtual function (VF) for the given network interface (NIC) and can become very large if this information is not filtered. Previously, the kernel netlink interface allowed the getifaddr() function to process RTM_NEWLINK messages with unfiltered content. Under certain circumstances, the kernel netlink interface would omit data for the given group of NICs, causing getifaddr() to loop indefinitely being unable to return information about the affected NICs. This update resolves this problem by supplying only the RTM_NEWLINK messages with filtered content.
- When booting a guest in the Hyper-V environment and enough of Programmable Interval Timer (PIT) interrupts were lost or not injected into the guest on time, the kernel panicked and the guest failed to boot. This problem has been fixed by bypassing the relevant PIT check when the guest is running under the Hyper-V environment.
- The isci driver previously triggered an erroneous BUG_ON() assertion in case of a hard reset timeout in the sci_apc_agent_link_up() function. If a SATA device was unable to restore the link in time after the reset, the isci port had to return to the "awaiting link-up" state. However in such a case, the port may not have been in the "resetting" state, causing a kernel panic. This problem has been fixed by removing that incorrect BUG_ON() assertion.
- Due to several bugs in the network console logging, a race condition between the network console send operation and the driver's IRQ handler could occur, or the network console could access invalid memory content. As a consequence, the respective driver, such as vmxnet3, triggered a BUG_ON() assertion and the system terminated unexpectedly. A patch addressing these bugs has been applied so that driver's IRQs are disabled before processing the send operation and the network console now accesses the RCU-protected (read-copy update) data properly. Systems using the network console logging no longer crashes due to the aforementioned conditions.
- When a network interface is running in promiscuous (PROMISC) mode, the interface may receive and process VLAN-tagged frames even though no VLAN is attached to the interface. However, the enic driver did not handle processing of the packets with the VLAN-tagged frames in PROMISC mode correctly if the frames had no VLAN group assigned, which led to various problems. To handle the VLAN-tagged frames without a VLAN group properly, the frames have to be processed by the VLAN code, and the enic driver thus no longer verifies whether the packet's VLAN group field is empty.
- The dm-bufio driver did not call the blk_unplug() function to flush plugged I/O requests. Therefore, the requests submitted by dm-bufio were delayed by 3 ms, which could cause performance degradation. With this update, dm-bufio calls blk_unplug() as expected, avoiding any related performance issues.
- A previous change that modified the linkat() system call introduced a mount point reference leak and a subsequent memory leak in case that a file system link operation returned the ESTALE error code. These problems have been fixed by properly freeing the old mount point reference in such a case.
- When allocating kernel memory, the SCSI device handlers called the sizeof() function with a structure name as its argument. However, the modified files were using an incorrect structure name, which resulted in an insufficient amount of memory being allocated and subsequent memory corruption. This update modifies the relevant sizeof() function calls to rather use a pointer to the structure instead of the structure name so that the memory is now always allocated correctly.
- A previous patch to the kernel scheduler fixed a kernel panic caused by a divide-by-zero bug in the init_numa_sched_groups_power() function. However, that patch introduced a regression on systems with standard Non-Uniform Memory Access (NUMA) topology so that cpu_power in all but one NUMA domains was set to twice the expected value. This resulted in incorrect task scheduling and some processors being left idle even though there were enough queued tasks to handle, which had a negative impact on system performance. This update ensures that cpu_power on systems with standard NUMA topology is set to expected values by adding an estimate to cpu_power for every uncounted CPU.Task scheduling now works as expected on these systems without performance issues related to the said bug.
- Microsoft Windows 7 KVM guests could become unresponsive during reboot because KVM did not manage to inject an Non-Maskable Interrupt (NMI) to the guest while the guest was running in user mode. To resolve this problem, a series of patches has been applied to the KVM code, ensuring that KVM handles NMIs correctly during the reboot of the guest machine.
- Prior to this update, a guest-provided value was used as the head length of the socket buffer allocated on the host. If the host was under heavy memory load and the guest-provided value was too large, the allocation could have failed, resulting in stalls and packet drops in the guest's Tx path. With this update, the guest-provided value has been limited to a reasonable size so that socket buffer allocations on the host succeed regardless of the memory load on the host, and guests can send packets without experiencing packet drops or stalls.
- The turbostat utility produced error messages when used on systems with the fourth generation of Intel Core Processors. To fix this problem, the kernel has been updated to provide the C-state residency information for the C8, C9, and C10 C-states.
- The kernel now supports memory configurations with more than 1TB of RAM on AMD systems.
- Users can now set ToS, TTL, and priority values in IPv4 on per-packet basis.
- Several significant enhancements to device-mapper have been introduced in Red Hat Enterprise Linux 6.6:
- The dm-cache device-mapper target, which allows fast storage devices to act as a cache for slower storage devices, has been added as a Technology Preview.
- The device-mapper-multipath ALUA priority checker no longer places the preferred path device in its own path group if there are other paths that could be used for load balancing.
- The fast_io_fail_tmo parameter in the multipath.conf file now works on iSCSI devices in addition to Fibre Channel devices.
- Better performance can now be achieved in setups with a large number of multipath devices due to an improved way in which the device-mapper multipath handles sysfs files.
- A new force_sync parameter in multipath.conf has been introduced. The parameter disables asynchronous path checks, which can help limit the number of CPU contention issues on setups with a large number of multipath devices.
- Support for the next generation of Intel's mobile platform has been added to Red Hat Enterprise Linux 6.6, and the relevant drivers have been updated.
- A future AMD processor provides a new bank of Model Specific Registers (MSRs) for L2 events which are be used for critical event types. These L2 cache performance counters are highly beneficial in performance and debugging.
- The dm-crypt module has been modified to use multiple CPUs, which improves its encryption performance significantly.
- The qla2xxx driver has been upgraded to version 8.05.00.03.06.5-k2, which provides a number of bug fixes over the previous version in order to correct various timeout problems with the mailbox command.
- Keywords for the IPL device (ipldev) and console device (condev) on IBM System z has been enabled to ease the installation when the system uses the cio_ignore command to blacklist all devices at install time and does not have a default CCW console device number, has no devices other than the IPL device as a base to clone Linux guests, or with ramdisk based installations with no devices other than the CCW console.
- The cifs kernel module has been updated to handle FIPS mode cipher filtering efficiently in CIFS.
- Previously, if the system had configured two or more network interfaces, where one of the devices was configured with a default gateway, and another with a static route to a private network, kdump ignored the non-default static route. As a consequence, kdump failed to dump a core file over NFS or SSH because it did not configure the route to the private network. This bug has been fixed and now kdump successfully dumps the kernel over NFS or SSH as expected.
- Previously, booting the crash kernel with more than one CPUs occasionally caused some systems to become unresponsive when the crash happened on an Application Processor (AP) and not on the Boot Strap Processor (BSP). To fix this bug, the initialization scripts were modified to include the disable_cpu_apicid kernel option automatically which acts as the BSP ID. Additionally, the user has to modify the value of the nr_cpus option to specify the number of CPUs used on the system. With this fix, the user can now successfully use the crash kernel with more than one CPUs on the system.
- Due to a bug in the wait_for_multipath routine in the mkdumprd utility, kdump could fail to dump a core file on certain configurations with many multipath devices. This problem has been addressed with this update, and kdump now works as expected on systems with a large number of multipath devices.
- Previously, kdump was unable to capture a core file on IBM System z machines with a DASD FBA device specified as a kdump target. This problem has been fixed by adding the necessary support for the DASD FBA type device to kdump, and a core file can now be captured as expected on the above configuration.
- Due to an incorrect SELinux test condition in the mkdumprd utility, the kdump kernel could fail to load a SELinux policy and produce an unknown operand error. This update corrects the affected condition, and kdump now behaves as intended.
- The mkdumprd utility could previously emit spurious warning messages about non-existent ifcfg files under certain circumstances. This problem has been fixed and kdump no longer emits these warning messages.
- BZ#929312, BZ#823561, BZ#1035156
- The makedumpfile tool has been upgraded to version 1.5.6, which provides a number of bug fixes and enhancements over the previous version, including enhanced filtering and support for custom EPPIC macros in order to eliminate complex data structures, cryptographic keys, and any other specified sensitive data from dump files.
- As a part of support for the kdump_fence agent in cluster environment, the new options, fence_kdump_nodes and fence_kdump_args, have been introduced to the kdump.conf file. The fence_kdump_nodes option is used to list the hosts to send notifications from the kdump_fence agent to. The fence_kdump_args is used for passing command-line arguments to the kdump_fence agent.
- Previously, the "keyctl show" command incorrectly displayed an abbreviated tree of nested keyrings and therefore the keyring trees that were more than two keyrings deep were not fully displayed. This bug has been fixed and "keyctl show" now displays entire keyring trees as expected.Moreover, the "keyctl show" command did not expand the field width to show the full decimal key ID. With this update, the key ID field is expanded correctly.Also, the maximum size of input data for the "keyctl padd" command and other pipe-in commands has been increased to 1MB.Finally, the "keyctl padd" command as well as other pipe-in commands have been modified not to specially handle zero-value bytes in binary input.
- CVE-2013-1418, CVE-2013-6800
- It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.
- A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
- A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind.
- CVE-2014-4341, CVE-2014-4342
- Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
- A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos.
- Previously, when connecting to a Key Distribution Center (KDC) over a Transmission Control Protocol (TCP) socket, the Kerberos client library was unable to detect cases when the server prematurely terminated the connection. Consequently, the client could stall, repeatedly attempting to read data from the closed connection's socket descriptor. This bug has been fixed, the client library now correctly detects connection failure and the processing continues as expected.
- Previously, when called to accept ticket-based authentication from a client, a server was able to decrypt a ticket which was encrypted with one encryption type (for example, des-cbc-crc) as long as its keytab contained a key of a sufficiently-compatible encryption type (for example, des-cbc-md5). Due to a regression, servers became unable to verify client tickets in these cases unless the encryption types were identical. With this update, a backported fix has been introduced to restore the aforementioned behavior. As a result, servers now verify clients' tickets when the key distribution center (KDC) issues a ticket using an encryption type with sufficient compatibility.
- Prior to this update, on systems which were configured to use the Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) extension, issuing the "kinit -k" command to obtain credentials using keys in a keytab could fail if the "pkinit_identities" variable was set in the /etc/krb5.conf file. The problem occurred when the directive resolved to a smart card protected by a PIN or to an encrypted PEM or PKCS#12 format file. The client's PKINIT plug-in could attempt to prompt the user for a password or smart card PIN, which the kinit utility was unable to handle. Consequently, the kinit utility terminated unexpectedly with a segmentation fault. A patch has been applied, the PKINIT plug-in now checks that the invoking application provides a way to prompt for passwords and smart card PINs before attempting to prompt the user for them, and kinit no longer crashes in this scenario.
- Prior to this update, the libkrb5 library sometimes attempted to free already freed memory when encrypting credentials intended for delegation. As a consequence, the calling process terminated unexpectedly with a segmentation fault. With this update, libkrb5 frees memory correctly, which allows the credentials to be encrypted appropriately, preventing the crash.
- Previously, using the ksu command without the "-n" or "-e" options caused ksu to discard the information about which principals were authorized to use it, as specified in the target user's .k5users file. Consequently, an "authorization failed" error message was displayed, even if the configuration indicated that user was authorized. This bug has been fixed and ksu no longer returns the incorrect error message in this situation.
- Previously, when using Domain Name System (DNS) to locate KDCs while following referrals, if the Kerberos client library determined that it needed to locate a master KDC for a given realm along a referral path, it attempted to contact only master KDCs for any realms further along that path. As a consequence, an attempt to get credentials could fail if the client library needed to follow referrals from one realm to another and one of the realms contacted along the way did not have its master KDCs specifically named in DNS. A patch has been applied and the described problem no longer occurs.
- The init script that launches the KDC runs a diagnostic helper first, attempting to diagnose a common upgrade-related error. Previously, when the default realm was configured only in the /etc/sysconfig/krb5kdc configuration file and not in the /etc/krb5.conf file, the realm was not passed to the helper. As a consequence, the attempt to start the KDC failed with an error message. With this update, the default realm set in /etc/sysconfig/krb5kdc file is correctly passed to the helper and the KDC is correctly started.
- Prior to this update, when attempting to locate Kerberos servers using the DNS service location, the Kerberos client library did not correctly recognize all return codes from the resolver libraries. Consequently, the client library misinterpreted certain non-fatal return codes as fatal errors, and failed to locate any servers. A patch has been applied, the client library interprets the return codes correctly, and locating servers now works as expected.
- Due to a regression, when using the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) with multiple object identifiers (OID), the server applications did not always respond to clients using the same OID that the clients had specified. As a consequence, GSSAPI clients that attempted to use mechanisms which can be identified using more than one OID could fail to authenticate to such servers. With this update, when generating replies to clients, the GSSAPI library uses the OID specified by the client in its request, and client authentication no longer fails in this scenario.
- Due to a race condition in the job list code, the ksh shell could terminate unexpectedly with a segmentation fault when the user had run custom scripts on their system. The race condition has been fixed, and ksh now works as expected when the users run custom scripts.
- Due to a regression bug, a command substitution containing a pipe could return a non-zero exit code even though the command did not fail. A patch has been provided to fix this bug, and these command substitutions now return correct exit codes.
- Previously, if a running function was unset by another function in a ksh script, ksh terminated unexpectedly with a segmentation fault. With this update, the ksh code skips resetting of the "running" flag if a function is unset, and ksh no longer crashes in the described scenario.
- Previously, using the typeset command in a function in ksh resulted in a memory leak. This bug has been fixed and ksh no longer leaks memory when using the typeset command in a function.
- Previously after upgrading ksh from version "ksh-20100621-19" to "ksh-20120801-10", the standard error output (stderr) got disconnected from the terminal, and the trace output in debug mode thus became invisible. As a consequence, the debugging of scripts on ksh was not always possible. This bug has been fixed and stderr now provides the correct output.
- Previously, a substitution command failed to execute in ksh if the standard input (stdin), the standard output (stdout), or standard error (stderr) were closed in a certain manner. As a consequence, reading a file using command substitution did not work correctly and the substituted text failed to display under some circumstances. A patch has been applied to address this bug, and command substitution now works as expected.
- Prior to this update, the compiler optimization dropped parts of the ksh job locking mechanism from the binary code. As a consequence, ksh could terminate unexpectedly with a segmentation fault after it received the SIGCHLD signal. This update ensures that the compiler does not drop parts of the ksh job locking mechanism and ksh works as expected.
- When running a command that output a lot of data, and then setting a variable from that output, the ksh could become unresponsive. To fix this problem, the combination of I/O redirection and synchronization mechanism has been changed. Now, ksh no longer hangs in this case and commands with large data output complete successfully.
- Previously, the ksh syntax analyzer did not parse command substitutions inside of here-documents correctly, which led to syntax error messages being reported on the syntactically correct code. A patch has been provided to fix this bug, and ksh now interprets substitutes as intended.
- Previously, ksh could skip setting of an exit code from the last command of a function. As a result, the function could sometimes return a wrong exit code. This update ensures that ksh always uses the exit code from the last command of a function, and functions in ksh now return the correct exit codes as expected.
- When rounding off a number smaller than 1, ksh incorrectly truncated too many decimals. As a consequence, numbers from the interval between 0.5 and 0.999 were incorrectly rounded to zero. This updated version of ksh ensures that all numbers are now rounded off correctly.
- Previously, ksh did not handle the brace expansion option correctly and ignored it in most cases. As a result, it was not possible to turn the brace expansion off and braces in file names had to be always escaped to prevent their expansion. The brace expansion code has been updated to take no action when the brace expansion option is turned off, and brace expansion in ksh can now be turned off and on as needed.
- Previously, ksh did not handle the reuse of low file descriptor numbers when they were not used for the standard input, output, or error output. As a consequence, when any of stdin, stdout, or stderr was closed and its file descriptor was reused in command substitution, the output from that substitution was empty. With this update, ksh has been updated to no longer reuse "low file descriptors" for command substitution. Command substitution in ksh now works correctly even if any of stdin, stdout or stderr is closed.
- Previously, ksh did not mask exit codes and sometimes returned a number that was too high and could be later interpreted as termination by a signal. Consequently, if ksh was started from the "su" utility and it exited with a high-number exit code, "su" incorrectly generated a core dump. To prevent confusion of a parent process, ksh has been updated to mask exit codes when terminating.
- Previously, after forking a process, ksh did not clear the argument list of the process properly. Consequently, when listing processes using the ps tool, the arguments field of the forked process could contain some old arguments. The code has been modified to always clear the unused space of the argument string, and the ps tool now prints correct arguments.
- Previously, ksh did not verify whether it had the execute permission for a given directory before attempting to change into it. Consequently, ksh always assumed it was operating inside that directory, even though the attempt to access the directory was in fact unsuccessful. With this update, ksh checks for the execute permission and reports an error as expected if the permission is missing.
- Ksh could set a wrong process group when running a script in monitor mode. As a consequence, when such a script attempted to read an input, the ksh process stopped the script. With this update, ksh has been fixed to use the correct process group and the script executes as expected in the described scenario.
- Previously, the lesspipe script returned incorrect exit status codes. As a consequence, the less utility failed to decompress empty files that had been compressed with the gzip utility, and an unwanted message was displayed. With this update, a pipe character ("|") has been added in front of the LESSOPEN environment variable to enforce a new default behavior of lesspipe. For backward compatibility, lesspipe has the same behavior if LESSOPEN remains unchanged. As a result, the less utility now detects and displays empty files correctly.
- Previously, the cgset command failed to assign value to multiple subsystem parameters at once. This behavior occurred only when using the -r option more than once to tune parameters of a single subsystem. Configuring different subsystems simultaneously worked correctly. This bug has been fixed, and cgset can now set multiple parameters of a single subsystem without complications.
- Previous libcgroup update introduced an unnecessary dependency on the redhat-lsb-core package. The redhat-lsb-core package subsequently pulled in a large number of other packages, which could cause problems on hardware with limited storage. With this update, the unnecessary dependency on the redhat-lsb-core package has been removed, and thus no unneeded packages are installed on system.
- Prior to this update, the /src/config.c file contained the incorrectly specified cgroup_copy_cgroup() function. Consequently, certain user-specific resource limits set in the /etc/cgconfig.conf configuration file were not applied. This update fixes the syntax of the aforementioned function in /src/config.c. As a result, all settings in /etc/cgconfig.conf are applied as expected.
- Previously applied patch that aimed to increase the performance of the pam_cgroup module contained a bug. Consequently, pam_cgroup failed to start and it did not produce an error message. With this update, the aforementioned patch has been reverted, and pam_cgroup now works as expected.
- The cgset utility did not process all memory subsystem parameters passed to the --copy-from command-line option correctly. Consequently, these control group parameters were not transferred successfully and no warning message was issued. With this update, cgset has been modified to correctly process parameters of memory subsystem passed to --copy-from option, thus fixing this bug.
- This update adds the /etc/cgconfig.d/ hierarchy designed to store configuration files applicable to various services.
- The blockdev_setbsz API has been deprecated as the underlying implementation ("blockdev --setbsz") is no longer considered useful.
- Prior to this update, the gdisk utility was not available as a dependency on the libguestfs library. Consequently, gdisk was not available, and thus guestfs_part_get_gpt_type and guestfs_part_set_gpt_type APIs were not usable. This update adds gdisk as a dependency, and thus is now available as well as the aforementioned APIs.
- Due to the fstrim feature marked as available, calling the fstrim API returned errors. As fstrim does not work with both the kernel and QEMU available in Red Hat Enterprise Linux 6, this update disables fstrim. Now, calling the fstrim API reports that fstrim is no longer available.
- Previously, when the virt-sparsify utility was run with a block or character device as output, the output device was overwritten by a file, or deleted. To fix this bug, if a block or character device is specified as output, virt-sparsify refuses to run.
- Due to wrong implementation of the Guestfs.new() constructor in the Ruby binding, creating a new Guestfs instance often resulted in an error. With this update, the implementation of Guestfs.new() has been rewritten, and Guestfs.new now works correctly.
- When running the tar-in guestfish command, or using the tar_in guestfs API, with a non-existing input tar or to a non-existing destination directory, the libguestfs appliance terminated unexpectedly. The error checking has been approved, and the tar-in now cleanly returns an error.
- Previously, the virt-sparsify utility did not check for free space available in the temporary directory. Consequently, virt-sparsify became unresponsive if the temporary directory lacked enough free space. With this update, virt-sparsify checks by default for available space before the sparsification operation, and virt-sparsify now works as intended.
- Previously, particular permission checks for the root user in the FUSE layer of the libguestfs library were missing. Consequently, mounting a disk image using guestmount and accessing a directory as root with permissions 700 and not owned by root failed with the "permission denied" error. With this update, permissions have been disabled, and root can now access any directory of a disk image mounted using guestmount.
- The previous version of libguestfs library was not closing all the open file descriptors when forking subprocesses such as QEMU. Consequently, if the parent process or any non-libguestfs library did not atomically set the O_CLOEXEC flag on file descriptors, the parent process leaked into QEMU, In OpenStack, this bug also caused deadlocks, because Python 2 is unable to set O_CLOEXEC atomically. With this update, libguestfs closes all the file descriptors before executing QEMU, and deadlocks no longer occur.
- Previously, the libguestfs library was skipping partitions with type 0x42, Windows Lightweight Device Mounter (LDM) volumes, when LDM was not available. Consequently, simple LDM volumes mountable as a single partition were ignored. With this update, the partition detection is not skipped if LDM is missing, and simple LDM volumes can now be recognized and mounted as plain NTFS partitions.
- The libnl3 packages have been introduced into Red Hat Enterprise Linux 6, which allows for improved functionality of the oVirt application. In addition, this ensures compatibility with other future applications, since the previous version of the Netlink protocol library, libnl1, is no longer being developed.
- Previously, the libproxy utility attempted to locate the /etc/proxy.conf file from the current working directory. Consequently, the configuration file was not always found. This bug has been fixed and libproxy now locates /etc/proxy.conf as expected.
- A flaw was found in the way libproxy handled the downloading of proxy auto-configuration (PAC) files. Consequently, programs using libproxy terminated unexpectedly with a segmentation fault when processing PAC files that contained syntax errors. With this update, the handling of PAC files has been fixed in libproxy, thus preventing the segmentation fault.
- Due to a bug in the libproxy packages, the "reporter-upload" command used by Automatic Bug Reporting Tool terminated unexpectedly if given an "scp" URL that did not contain a password. This bug has been fixed, and reporter-upload no longer crashes in the aforementioned scenario.
- Previously, after including an audio file in a LibreOffice Impress presentation, this file was displayed as a gray square. With this update, an upstream patch has been backported to fix this bug. As a result, audio files are no longer displayed as a gray square in Impress presentations.
- Prior to this update, when including an audio or video file to a LibreOffice Impress presentation, a message informing about a failed " rxAccessible.get() != NULL" assertion was displayed. Apart from this message, the file was imported correctly and the LibreOffice Impress application worked as expected. An upstream patch has been backported to correct this behavior, and the aforementioned message is no longer displayed.
- Previously, when typing into a text box in a LibreOffice Impress presentation using any Indic locale, the text was not displayed until pressing the Backspace key. This bug has been fixed, and Indic fonts are now displayed immediately as the text is inserted.
- For certain Indic locales, such as Odia, the drop-down lists from the main bar overlapped with the main menu bar, which restricted navigating LibreOffice applications. This bug has been fixed, and the aforementioned problem no longer occurs.
- In a previous release of Red Hat Enterprise Linux 6, the libreoffice packages no longer obsoleted the openoffice packages, which created several conflicts when trying to download both sets of packages. With this update, libreoffice has been modified to obsolete openoffice again, thus preventing the conflicts.
- Prior to this update, LibreOffice applications did not automatically recognize new printers created on a local print server while LibreOffice was running. With this update, the libreoffice packages have been modified, and now it is possible to work around this problem. To do so, open the "Printer settings" dialog window, and than close it. This operation refreshes the list of available printers.
- Previously, LibreOffice applications did not correctly render imported RTF files written in a non-English language. An upstream patch has been backported to fix this bug.
- Previously, the libreoffice packages incorrectly provided the liblcms2.so.2 package. With this update, libreoffice has been modified to provide the correct set of packages.
- Previously, LibreOffice applications did not correctly handle multiple UNO connections. Consequently, LibreOffice terminated unexpectedly when multiple Univarsal Network Object (UNO) connections were open. With this update, an upstream patch has been backported to fix this bug. As a result, LibreOffice no longer crashes when more UNO connections are open.
- Previously, LibreOffice applications failed to export charts to SVG format. Attempting to do so resulted in an empty SVG file. This bug has been fixed, and charts are now exported correctly from LibreOffice applications.
- When attempting to run the virt-manager utility over SSH X11 forwarding, SELinux prevented the D-Bus system from performing actions even if SELinux was in permissive mode. As a consequence, such attempts failed and an AVC denial message was logged. With this update, a patch has been provided to fix this bug, and SELinux in permissive mode no longer blocks D-Bus in the described scenario.
- Prior to this update, the selinux(8) manual page contained outdated information. This manual page has been updated, and SELinux is now documented correctly.
- The Name Server Caching Daemon (nscd) uses SELinux permissions to check if a connecting user is allowed to query the cache. However, two permissions, NSCD__GETNETGRP and NSCD__SHMEMNETGRP, were missing from the SELinux list of permissions. Consequently, the netgroup caching worked only when SELinux was running in permissive mode. The missing permissions have been added to the list, and the netgroup caching now works as expected.
- Previously, the matchpathcon utility did not handle non-existent files or directories properly; the "matchpathcon -V" command verified the files of directories instead of specifying that they did not exist. The underlying source code has been modified to fix this bug, and matchpathcon now correctly recognizes non-existent files or directories. As a result, an error message is returned when a file or directory do not exist.
- It was not possible to add a new user inside a Docker container because SELinux in enforcing or permissive mode incorrectly blocked an attempt to modify the /etc/passwd file. With this update, when the /selinux/ or /sys/fs/selinux/ directories are mounted as read-only, the libselinux library acts as if SELinux is disabled. This behavior stops SELinux-aware applications from attempting to perform SELinux actions inside a container, and /etc/passwd can now be modified as expected.
- Previously, the libtirpc library included the authgss_get_private_data() system call, but not the authgss_free_private_data() system call. As a consequence, private data were obtained but not freed afterwards. This caused the authgss_destroy_context() call to send an incorrect RPCSEC_GSS_DESTROY request, and the client was in turn not able to clear the state data on the server. With this update, authgss_free_private_data() has been added to libtirpc, and the data is now freed correctly. As a result, the client can now reset the server state as expected.
- Prior to this update, due to race conditions, using TI-RPC in the glibc library caused TI-RPC to terminate unexpectedly with a segmentation fault on some file operations, such as fclose() call and the endnetconfig() call. This update prevents the race conditions from occurring in the above scenario, and TI-RPC thus no longer crashes when used in glibc.
- Due to buffer overruns in libtrpc, the rpcbind utility sometimes terminated unexpectedly with a segmentation fault. With this update, buffer is allocated by the svcauth_gss_validate() call, which avoids the buffer overruns and thus prevents the rpcbind crashes.
- Previously, the libtirpc-devel RPM incorrectly installed the /lib64/libtirpc.a and /lib64/libtirpc.la static libraries, which caused compiling software that linked libtirpc to fail. This update removes libtirpc.a and libtirpc.la and compiling with libtirpc.so now works as expected.
- Due to a code error in libtirpc, the automount utility sometimes terminated unexpectedly with a segmentation fault when a RPC was rejected with an invalid rejection status. This update fixes this bug and automount no longer crashes when receiving an invalid server rejection.
- Previously, the logic behind using the
virshcommand with the
--configoption, which handles the virtual domain configuration, was incorrect. Consequently, block devices were attached to both the domain configuration and the running domain. Both the handling logic and relevant technical documentation have been fixed, and
--confignow behaves correctly, attaching the block device to the domain configuration only.
- Prior to this update, the libvirt Python bindings for querying block job status could not distinguish between returning an error and no status available. As a consequence, the code that was polling for the completion of a block job had to deal with a Python exception, and could not distinguish it from an actual error. With this update, the bindings now successfully determine if there is no job and return an empty dictionary when that is the case. As a result, the bindings can be used more reliably when managing block jobs.
- A previous update introduced an error where a
SIG_SETMASKargument was incorrectly replaced by a
SIG_BLOCKargument after the
poll()system call. Consequently, the
SIGCHLDsignal could be permanently blocked, which caused signal masks not to return to their original values and defunct processes to be generated. With this update, the original signal masks are restored as intended, and
poll()now functions correctly.
- When hot unplugging a virtual CPU (vCPU) from a guest using libvirt, the current Red Hat Enterprise Linux QEMU implementation does not remove the corresponding vCPU thread. Consequently, libvirt did not detect the vCPU count correctly after a vCPU was hot unplugged, and it was not possible to hot plug a vCPU after a hot unplug. In this update, information from QEMU is used to filter out inactive vCPU threads of disabled vCPUs, which allows libvirt to perform the hot plug.
- Prior to this update, the condition that checks whether QEMU successfully attached a new disk to a guest contained a typographical error. Due to the error, the
libvirtddaemon terminated unexpectedly if the monitor command was unsuccessful: for example, when a virtual machine failed or when attaching a guest disk drive was interrupted. In this update, the error has been corrected, and
libvirtdno longer crashes in the described circumstances.
- The libvirt library has limits on Remote Procedure Call (RPC) messages to prevent Denial of Service (DoS) attacks. Previously, however, the domain XML file could fail this limit test when it was encoded into an RPC message and sent to the target machine during migration. As a consequence, the migration failed even though the domain XML format was valid. To fix this bug, the RPC message limits have been increased, and the migration now succeeds, while libvirt stays resistant to DoS attacks.
- Due to a regression caused by a prior bug fix, attempting to perform a block copy while another block copy was already in progress could cause libvirt to reset the information about the block copy in progress. As a consequence, libvirt failed to recognize if the copied file format was raw, and performed a redundant format probe on the guest disk. This update fixes the regression and libvirt no longer performs incorrect format probes.
- The UUID (Universally Unique Identifier) is a string of characters which represents the virtual guest. Displaying the UUID on a screen requires correct APIs to present the strings in a user-readable format. Previously, printing unformatted UUID data caused exceptions or incorrectly formatted output. For Python scripts, exceptions that were not handled could cause unexpected failures. For other logging methods or visual displays, the characters in the output were jumbled. With this update, the UUID strings are properly formatted and printing them no longer causes unexpected exceptions or jumbled characters on output.
- When receiving NUMA (Non-Uniform Memory Access) placement advice, the current memory was used for the
amountparameter. As a consequence, domain placement was not as precise as it could have been if the current memory changed for the live domain. With this update, the advice is queried with the maximum memory as the
amountparameter, and the advised placement now fixes the domain even when the current memory changes for the live domain.
- Previously, libvirt reported success of the
device_delcommand even when the device was not successfully detached. With this update, libvirt always verifies whether
device_delsucceeded, and when the command fails, libvirt reports it accordingly.
- Prior to this update, using the
virsh pool-refreshcommand incorrectly caused libvirt to remove a storage pool if a storage volume was removed while the command was being processed. As a consequence, the storage pool became inactive, even though the NFS directory was mounted. With this update, refreshing a storage pool no longer removes a volume from it. As a result, libvirt does not cause the storage pool to become inactive.
- A new
pvpanicvirtual device can now be attached to the virtualization stack and a guest panic can cause libvirt to send a notification event to management applications.
- This update adds support for the following Broadwell microarchitecture processors' instructions: ADCX, ADOX, RDSEED, and PREFETCHW. This improves the overall performance of KVM.
libvirtdwill be restarted automatically.
- Due to incorrect string parsing, an attempt to access a store pool that contained a space in its name failed unexpectedly. This update provides a patch to fix this bug and such store pools can now be accessed as expected.
- Prior to this update, the libvirt-cim provider did not allow customization of the "machine" and "arch" properties for the "type" attribute of the "os" element for the domain XML file. As a consequence, a default value was provided, overwriting a possible customization for libvirt-cim. To fix this bug, the code has been adjusted to allow modifications of the "machine" and "arch" properties of the "type" attribute for the "os" element. As a result, it is now possible to set the fields as desired using the "ModifySystemSettings" method and adjusting the "SystemSettings" values for the KVM_VirtualSystemSettingData "machine" field.
- Previously, an incorrect variable was used when overwriting certain tags in domain XML files. Consequently, settings for the dumpCore attribute were ignored. With this update, a patch has been provided to fix this bug and the attribute is no longer ignored in the described scenario. In addition, the libvirt-cim provider now supports the dumpCore feature.
- Previously, due to multilib file conflicts between certain packages in the Optional repository on Red Hat Network, those packages could not have copies for both the primary and secondary architecture installed on the same machine. As a consequence, installation of the packages failed. A patch has been applied to resolve the file conflicts, and the packages can now be installed as expected in the described scenario.
- The ptp4l application can be configured to select the delay mechanism automatically. However, this configuration did not work with the P2P delay mechanism so that the delay timer was not reset and the utility did not make any peer delay measurements. This update provides a patch to address this bug and ptp4l now correctly measures the peer delay in the described scenario.
- Previously, the measured network delay was processed with a moving average algorithm, which is sensitive to outliers. This could for example negatively affect the time of recovery from an external clock step. This update adds a support for median filtering of the measured path delay. As a result, the algorithm that is used to process the measured delay can now be configured. The median filter, which is less sensitive to outliers, is set by default.
- When the phc2sys utility is used with a Pulse Per Second (PPS) device and the corresponding network interface or Precision Time Protocol (PTP) clock is not specified with the "-i" or "-s" option, the user has to enable the device manually by running the "echo 1 > /sys/class/ptp/ptp0/pps_enable" command before phc2sys starts. When the device is not enabled before phc2sys starts, the "failed to fetch PPS: Connection timed out" error is returned. However, this requirement was not properly documented, which could confuse the users. With this update, this information has been added to the phc2sys(8) manual page.
- Previously, the output from the lscfg command contained duplicate entries for various hardware components. This bug has been fixed and lscfg no longer returns duplicate entries.
- Previously, it was not possible to link code between the libsvpd and librtas libraries, because libsvpd is distributed under the GNU General Public License (GPL) whereas librtas is under commercial public license (CPL). This update grants a special permission to link part of the code for libsvpd against the librtas library and distribute linked combinations which include both libraries. You must obey the GNU General Public License in all respects for all of the code used other than librtas.
- This update adds support for the Firmware Entitlement Checking on IBM PowerPC server systems.
- Previously, the ltrace utility did not support the Position Independent Executables (PIE) binaries, which are linked similarly to shared libraries, and processes. Consequently, addresses found in images of those binaries needed additional adjustment for the actual address where the binary was loaded during the process startup. With this update, the support for the PIE binaries and processes has been added and ltrace now handles the additional processing for the PIE binaries correctly.
- When copying internal structures after cloning a process, the ltrace utility did not copy a string containing a path to an executable properly. This behavior led to errors in heap management and could cause ltrace to terminate unexpectedly. The underlying source code has been modified and ltrace now copies memory when cloning traced processes correctly.
- It was discovered that luci used
eval()on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci.This issue was discovered by Jan Pokorný of Red Hat.
- Previously, it was possible to use the following characters in the luci configuration file inside attribute values:
Using such characters inside the attribute values could cause several problems. With this update, when the user attempts to use these special characters inside the attribute value, a warning is returned.
- the less-than sign (<)
- the greater-than sign (>)
- the quotation mark (")
prefer_interfaceparameter was missing from the IP resource in the
luciapplication. This parameter is used for adding an IP address to a particular network interface if a cluster node has multiple active interfaces that have IP addresses on the same subnetwork. The missing parameter has been added to luci with this update.
- Previously, the
window_sizeconfiguration fields were missing from the luci configuration file when it was used in expert mode. This update adds the missing fields.
- The possibility to disable the Red Hat Resource Group Manager (
rgmanager) was missing from the luci configuration. With this update, it is now possible to disable
rgmanagerin luci expert mode.
- Previously, luci was missing the Kdump fencing agent. The agent has been added with this update.
- Zooming the luci web interface in the Chrome and Firefox web browsers could cause the Users and Permissions tab to be displayed incorrectly. This bug has been fixed with this update, and the tab is now displayed properly.
- In previous releases, the luci application has been fixed to parse the cluster resource names with a suffix delimited by the period symbol (
.) correctly. Due to this fix, the suffix was stripped off automatically. However, it is valid to specify a node name by referring to its IP address in the cluster configuration. When this was done, the node names ending with a suffix delimited by the period symbol, such as “.1” or “.sh”, were not shown properly and could not be edited. Also, such a node was indicated as not being a cluster member. This bug has been fixed, and such nodes are now handled properly in the described scenario.
- Previously, the luci application used the
10gtype as the default for the
typeattribute of the
oracledbresource agent. This behavior was incorrect because luci was supposed to use the original configuration and do not set its own. With this update, the type field is not arbitrarily specified by luci.
- Certain configurable parameters for the
fence_xvmagent were missing from the luci application. This update adds the missing attributes, such as
Timeoutfor expert and non-expert mode and
Path to Key File,
Multicast Retransmit Time,
Authentication Type, and
Packet Hash Typefor expert mode.
- When creating a new cluster, the
post_join_delayparameter in the cluster configuration was set to 3 or 6 seconds depending if the cluster was configured using the
cluster.conffile or the cluster software. With this update, this inconsistent approach has been fixed. When no value is specified for
post_join_delay, the value is not set in the
cluster.conffile but the cluster software specifies the value, which is set to 6 seconds.
- The name for the
fence_enegeraagent in the fence list was
Egenera SAN Controller. This name was outdated and thus misleading. With this update, the agent is listed correctly as
- Previously, the
self_fenceparameter was missing from the configuration of the
netfsresource agent. Also in the GUI, there was no checkbox entry for the Self-Fence If Unmount Fails option. This update adds the missing parameter.
- Due to previous changes in the luci application, SELinux no longer labeled the luci process with the confined
piranha_web_tSELinux context type. This behavior was incorrect, thus a new script has been added to the luci packages to address this bug. Also the SELinux policy has been modified accordingly. As a result, the luci process now runs as
- Previously, the luci application did not list virtual machine resource agents in the menu in the web UI. An attempt to manually add a virtual machine resource agent in the configuration file caused the error 500 to be returned. This update provides a patch to fix this bug and virtual machine resource agents are now correctly listed in the menu.
- The luci application has been enhanced to display global cluster resources and sort them alphabetically and numerically by the resource name, IP address, and other significant resource attributes.
- With this update, the luci application validates whether an
nfsclientresource is always associated with an
nfsexportresource. Now, an attempt to create a service with an
nfsclientresource that is not associated with an
nfsexportresource causes the following error to be returned:
nfsclient resources must have a parent nfsexport resource
- With this update, the luci application checks whether the
beaker.session.secretvalue consists of 20 or more characters. Therefore, the use of values containing less characters is not permitted to increase the security of the server-stored session data.
- This update enhances the luci application with the ability to configure the ciphers for SSL/TLS channel between luci and a connecting web browser, providing better security control for administrators.
- This update adds the ability to specify a
httpdbinary in the Apache resource configuration screen. This new feature allows the user to use the Multi-Processing Module (MPM) worker with the
httpddaemon in a cluster.
- With this update, the luci application has been modified to allow the user to set static ports for all NFS-related ports.
- With this enhancement, several changes have been made in the luci application:
- Support for configuring newly-added bind-mount resource agents has been added.
- Support for configuring the
retry_onattributes for the
fence_brocadeagent has been added.
- Support for the newly-added attribute
<rm>tag has been added. This attribute is used in the Red Hat Resource Group Manager (
rgmanager) to allow a service recovery when failing to fork a bash child process with a return code 254.
skip_undefinedattribute was no longer needed and it was removed from the fencing configuration in advanced mode.
- Support for configuring the new
startup_waitparameter for the
postgres-8resource agent has been added. This parameter allows users to configure the sleep time according to their needs.
- Support for the
ssh_optionsattribute for the
fence_rsaagents has been added.
- Support for the newly-added
no_killattribute for the virtual machine (VM) resource agent has been added. This attribute is used to prevent the
rgmanagerutility from killing VMs that did not shut down properly.
- Previously, proper handling of the "-A" ("--activevolumegroups") option for the vgdisplay utility was missing. Consequently, vgdisplay displayed inactive Volume Groups (VGs) even though "-A" was used displaying only active VGs, defined here as a VG that contains at least one active Logical Volume (LV). This update adds proper handling of "-A" for vgdisplay. Now, when using the "vgdisplay -A" command ("vgdisplay --activevolumegroups"), only active VGs are displayed.
- Prior to this update, concurrent activation of the same Logical Volume (LV) caused a race condition and the following error message to be returned:
Device or resource busyWith this update, concurrent activation and deactivation of LVs is prohibited and locking is performed, so that operations are now processed sequentially. As a result, the "lvchange -ay $lv" and "lvchange -an $lv" commands no longer cause this bug if issued concurrently.
- When using the lvmetad daemon, the dmeventd daemon took into consideration metadata that was not up-to-date at a time of a RAID LV repair. Based on the outdated information, the repair did not proceed. With this update, the repair code forces a metadata refresh for the Physical Volumes (PVs) that host the RAID volume, and automatic RAID volume repair using dmeventd and manual repair using "lvconvert --repair" now work as expected regardless of lvmetad being enabled or not.
- Previously, RAID LVs either activated or failed to activate depending on how badly their redundancy was compromised. A new "degraded" activation mode has been added to the lvchange and vgchange utilities to better handle activation of incomplete RAID LVs that still have sufficient level of redundancy. This activation mode is now used by default.
- If the lvm2app lvm_vg_reduce() function was called to remove most but not all physical volumes (PV) from a Volume Group (VG), it often destroyed the VG completely. Moreover, no error message was generated. With this update, lvm_vg_reduce() gains some additional validation, and lvm2app lvm_vg_reduce() now works as expected.
- If the user attempted to assign a clustered attribute to a Volume Group (VG) by running the "vgchange -cy VG" command, and the system was not yet properly configured for it, the user was not prompted to confirm the change. In addition, any subsequent LVM command skipped such clustered VG if system was not specifically configured for it. The bug has been fixed, and the lvm command now prompts and warns the user about enabling clustered attribute on VG provided that the clvmd daemon or cluster is not running. The user can also override this prompt by supplying the "--yes" argument.
- Previously, Logical Volume Management (LVM) utilities tried to connect to the lvmetad daemon even though the utilities were run with the "--sysinit" option denoting the early system initialization. Nevertheless, lvmetad did not have to be running yet, and thus error messages were issued multiple times during system initialization. This update adds a check whether a LVM utility is running during early system initialization by checking the use of the "--sysinit" option. Now, if lvmetad socket is not present in early system initialization when using "--sysinit", LVM utilities automatically fallback to non-lvmetad mode silently.
- When converting existing Logical Volume (LV) to a thin-pool LV, the lvm utility needed to open the volume temporarily to be initialized with zeroes at its start. However, this initialization step caused the WATCH udev rule to trigger. Consequently, all udev rules were reevaluated based on the WATCH rule, which caused subsequent scanning of the device for changes and LVM could try to close the device in parallel, which would end up with an error. With this update, lvm uses proper flags for temporary volumes which are used during conversions as intermediate step; these flags direct the udev utility to avoid setting the WATCH rule or initiate any scanning on such devices until they are properly initialized.
- The lvm utility uses lock files to prevent incompatible operations from running simultaneously. Prior to this update, when forking sub-processes, such as the fsadm utility using the "lvresize -r" command, lvm could incorrectly drop these locks and incorrectly permit commands to run in parallel. This update fixes the exec_cmd() function responsible for the wrong behavior. Now, running "lvresize -r" in parallel with other lvm commands works correctly, and all Logical Volumes (LVs) are correctly resized.
- Previously, the lvm2-cluster subpackage had a requirement of the same or higher version of the lvm2 package, but did not work unless the versions were exactly the same. As a consequence, lvm2-cluster did not work correctly. With this update, lvm2 and all its subpackages define strict version dependencies among themselves, including a dependency between the lvm2-cluster subpackage and the lvm2 packages. This way the lvm2-cluster subpackage always depends on the right lvm2 packages and incompatible versions of lvm2-cluster cannot thus be installed at the same time.
- Previously, information about Physical Volume (PV) availability could be out of date. Consequently, the status string in the output of the lvs command for a RAID LV could be different in identical situations depending on whether lvmetad was used or not. The dmeventd volume monitoring daemon now updates PV information in lvmetad for devices participating in a RAID array that have encountered an error. As a result, if dmeventd is active, which is recommended regardless of this bug, the lvs output is the same in both lvmetad and non-lvmetad cases. Note that when dmeventd is disabled, it is recommended to run the "lvscan --cache" command for faulty RAID arrays to ensure up-to-date information in the lvs output.
- The device-mapper packages are merged inside lvm2. However, prior dependencies were not strict, and the user could update device-mapper without updating lvm2, leading to a version mismatch. The lvm2 packages and all their subpackages now define strict version dependencies among themselves, so that after updating any of these lvm2 subpackages the user receives consistent update of the main lvm2 packages as well. As there is only one debuginfo package for lvm2 and all its subpackages, this fix also resolves the problem of the user receiving unusable debuginfo if one of the subpackages has been updated to a newer version.
- If a persistent filter was used, /etc/lvm/cache/.cache, and a new Physical Volume (PV) was created, filters were not reevaluated to acquire any changes that could correctly prevent the PV create process to succeed. Consequently, without up-to-date information, LVM could overwrite existing foreign signatures. With this update, filters are always reevaluated before PV creation. In addition, if a change is done outside the lvm utility after last filter evaluation, these changes are now properly considered before PV creation.
- When a RAID logical volume mirror was created and then one of the Physical Volume (PV) devices was removed, the "lvconvert --repair" command refused to restore the mirror leg with a PV that was already used partly by another LV. An upstream patch has been applied to fix this bug, and "lvconvert --repair" now accepts a few additional arguments including "--alloc" and "--force", and the mirror leg with a PV is now correctly restored using "lvconvert --repair".
- Previously, there was an incorrect check of the cluster status of non-clustered snapshot origin Logical Volume (LV) before local deactivation. Consequently, attempts to exclusively deactivate already inactive Logical Volume (LV) locally on a single host (non-clustered) led to the following incorrect error messages being issued:
With this update, the check is performed before local deactivation to properly check only clustered LVs, and misleading error messages no longer occur.
Cannot deactivate remotely exclusive device locally. (newer versions)
Cannot deactivate <lv name> locally. (older versions)
- Previously, the check handling the vgcreate utility while using disks for new Volume Group (VG) for which Physical Volumes (PVs) had not yet been created was incorrect. Consequently, vgcreate several times created PVs with the following misleading error message:
Physical volume <pv name> not foundThe check for existing PVs has been fixed in the vgcreate code not to issue any errors if the PV cannot be found, and is thus created by vgcreate.
- Due to an incorrect persistent filter, /etc/lvm/cache/.cache, generated when using the pvcreate utility, pvcreate tried to refresh cache if MD filter was switched on. As a consequence, if the pvcreate utility was run against a device with an existing MD signature, signature detected and wiped, the device could continue to be filtered out, as if the signature had not been deleted. This update changes the filters, and the device is now correctly made available for immediate use after the signature is deleted.
- When the volume_list configuration parameter was set to not allow activation of thin-pool and then a thin volume was created, the transaction_id parameter was moved forward, but the kernel target was not notified about it. As a consequence, future activation failures reporting a transaction ID mismatch could occur. The lvm2 metadata has been fixed, and the lvm utility no longer incorrectly expects that messages were sent to the kernel's thin pool driver when such interaction is forbidden due to activation of volume_list parameters.
- The lvm2 utility calculates maximum space that a snapshot can use and restricts the user-supplied snapshot size, so that it is never larger than the maximum usable space. However, lvm2 previously calculated snapshot space incorrectly, and under certain circumstances could allocate a snapshot that was too small. As a consequence, when such a snapshot was filled up, it overflowed with modified blocks from origin device, and all data in the snapshot became lost. With this update, lvm2 respects the size specified by the user, and the snapshot no longer overflows.
- In the cluster, the local activation of a volume was automatically converted into exclusive activation if the volume supported only exclusive mode. However this could cause that local activation activated the volume on a different (non-local) node in the cluster. With this update, automatic conversion has been fixed, and local activation is now converted into local-exclusive activation. In addition, if local activation is successful, the volume is now locally (and exclusively) active.
- With this update, a new command-line option, "--atomic", has been added to the pvmove utility. The "--atomic" option causes all identified Logical Volumes (LV) to be moved together. The commit that places each LV on its final destination is not performed unless the last LV is processed. Thus, the "pvmove abort" command ensures that all affected LVs remain on the source device.
- This update adds two manual pages to cover the Logical Volume (LVM) topics of thin-provisioning and caching, also called "tiered storage". These new man pages are lvmthin(7) and lvmcache(7).
- New reporting fields for each attribute from the original "lv_attr" field have been added. This update provides more descriptive and also more extensive information on logical volumes (LV) attributes. In addition, the attributes encoded in the original "lv_attr" field can now be reported independently.
- The "%FREE" argument can now be used to create RAID logical volumes (LVs); "%FREE" is used with the "-l" ("--extents") argument of the lvcreate command. The resulting size is approximately equal to the desired percentage including adjustments that need to be made for RAID metadata areas.
- With this update, the latest lvm2app library gains new functions to customize the parameters used to create Physical Volumes (PV), namely size, PV metadata copies, PV metadata size, data alignment and data alignment offset, and zeroing.
- With this update, the user is able to create Logical Volume Management (LVM) configuration profiles that contain settings related to LVM reporting. The user can apply these settings per each LVM command simply by using a the following schema: "<lvm command> --command_profile <profile_name>". Now, users are able to define LVM report formatting and settings for each usecase needed.
- This update adds support for erasing detected signatures on newly created Logical Volumes (LVs). When creating a new LV and a signature is detected, Logical Volume Management (LVM) tries to erase the signature first before properly activating the new LV. A prompt with a question has also been added for the user:
WARNING: <signature name> signature detected on <device name>. Wipe it? [y/n]This question confirms the deletion of the signature. In addition, a new lvm.conf option "allocation/wipe_signatures_when_zeroing_new_lvs" has been enabled by default to enable or disable this feature.
- This update provides criteria-based Logical Volume Management (LVM) reporting by adding the new "-S" ("--select SelectionCriteria") option to LVM reporting commands: pvs, vgs, lvs, pvdisplay, vgdisplay, lvdisplay, and lvm devtypes. SelectionCriteria are criteria constructed by using reporting field names, restricting field values by using comparison operators and creating more complex criteria by using grouping and logical operators.
- A new command-line parameter, "--readonly", has been added to Logical Volume Management (LVM) commands that report the state of Logical Volumes (LVs), Volume Groups (VGs) or Physical Volumes (PVs). The parameter uses a special read-only mode that accesses on-disk metadata without needing locks.
- Logical Volume Management (LVM) includes considerable improvements to the calculation of an appropriate amount of space to allocate when using percentages in commands such as "lvresize -l+50%FREE". The new behavior strives to be more intuitive; sizes specified are treated either as relating to Logical Extents or to Physical Extents as appropriate, and the new logical size desired for the Logical Volume (LV) is calculated. Rounding is then performed to make sure any parallel stripes or mirror legs are the same size.
- This update adds new "lv_layout" and "lv_role" Logical Volume Management (LVM) reporting fields. These new fields have been created as part of decoupling existing bits in the "lv_attr" reporting field into separate reporting fields. This separate form is more readable as LVM reports values in full words instead of single characters. It also better suits LVM report output handling in scripts as well as using these new fields within selection criteria (the new "--select" lvm command option).
- With this update, the dmsetup utility gains a new flag, "--deferred". If specified and the device is open, the flag schedules the device to be deleted later after being closed.
- This update of the man-pages-fr package adds a warning that the French man page for the xinetd service includes options that are out of date.
- The description of the syslog option in the Japanese version of the sudoers(5) manual page has been amended to correctly match the English version.
- The "Files" section in the Japanese version of the crontab(1) manual page has been amended to correctly match the English version.
- The Japanese version of the nfs(5) manual page has been updated to reflect the current English version more closely.
- The explanation of the sysconf(_SC_GETGR_R_SIZE_MAX) call in the getgrnam(3) manual page has been amended to describe the function of sysconf(_SC_GETGR_R_SIZE_MAX) clearly and correctly.
- The "-d", "-G", and "-U" options were removed from the rpc.idmapd command but were still presented in the rpc.idmapd(8) manual page. With this update, these unsupported options have been removed from the rpc.idmapd(8) manual page.
- Previously, an incorrect path to the implicit configuration file was presented in the vhostmd(8) manual page. The vhostmd(8) manual page has been updated to mention the correct path, "/etc/vhostmd/vhostmd.conf".
- Previously, the mailx(1) manual page contained incomplete information about unsetting environment variables, which could confuse the user. This update adds the complete information to the mailx(1) manual page.
- Prior to this update, the information in the nl_langinfo(3) and charsets(7) manual pages was incomplete. The nl_langinfo(3) manual page has been updated to state that the code set for the en_US language defaults to Latin1. Additionally, a note has been added to the charsets(7) manual page that the recommended encoding in all settings and locales is UTF-8.
- Previously, the core(5) manual page contained an incorrect default value for the coredump_filter value and incomplete descriptions of all bits. The core(5) manual page has been updated to include correct and complete information.
- The bash(1) manual page did not mention that 512-byte blocks are used for the "-c" and "-f" options in POSIX mode. This update adds the missing piece of information to bash(1).
- Previously, the xinetd(8) manual page contained incomplete information about what happens to services during the xinetd deamon reload. This update adds a paragraph about termination handling during the xinetd deamon reload to the xinetd(8) manual page.
- Prior to this update, an incorrect default value for the "persistent" service was documented in the nscd.conf(5) manual page. The nscd.conf(5) manual page has been updated to state that the default value for the "persistent" service is "yes".
- Previously, the rpm(8) manual page did not clearly state that the "--setperms" and "--setugids" options were mutually exclusive. The rpm(8) manual page has been updated to contain complete information.
- The host.conf(5) resolver library configuration manual page contained an incorrect default value for the "multi" value. The host.conf(5) manual page has been updated to state that the default value for "multi" is "on".
- Previously, the zsh(1) manual page contained incomplete description concerning emulation mode of the Z shell. This update adds the letter "b" to the list of possible first letters invoking emulation.
- Previously, the snmp_read(3) manual page was unavailable in Red Hat Enterprise Linux 6. This update adds the missing snmp_read(3) manual page.
- Prior to this update, the description of the "-l" option was missing in the makedeltarpm(8) manual page. This update adds the missing description to makedeltarpm(8).
- Previously, the ciphers(1) manual page did not describe the following Elliptic Curve Cryptography (ECC) cipher suite groups: Elliptic Curve Diffie–Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA), or Transport Layer Security (TLS) version 1.2 specific features. This update adds the missing description of the ECDH and ECDSA cipher groups and TLSv1.2 features to ciphers(1), and the documentation is now complete.
- Previously, no manual pages for the cracklib-packer and cracklib-unpacker utilities were available. This update adds the cracklib-format(8) manual page, which describes cracklib-packer and cracklib-unpacker.
- The pkcs_slot utility was removed from the opencryptoki package but the manual page was still available. With this update, the pkcs_slot(1) man page has been removed.
- Previously, the curl(1) and curl_easy_setopt(3) manual pages contained a link to the complete list of Network Security Services (NSS) ciphers that led to a non-existent page. This update adds the correct link to the curl(1) and curl_easy_setopt(3) manual pages.
- Previously, the "--rsyncable" option was not documented in the gzip(1) manual page. This update adds the description of "--rsyncable" and the documentation of the gzip utility is now complete.
- Previously, the manual pages for the pthread_mutex utility were not available in Red Hat Enterprise Linux 6. This update adds the pthread_mutex_consistent(3), pthread_mutexattr_getrobust(3), and pthread_mutexattr_setrobust(3) manual pages.
- The nscd.conf(5) manual page did not include information about netgroup caching. This update adds the description of netgroup caching to nscd.conf(5).
- Previously, the pcregrep(1) manual page did not mention the pcresyntax(3) manual page. With this update, a note about pcresyntax(3) has been added to the description and the "See Also" section in the pcregrep(1) manual page.
- Previously, a manual page about configuring the oddjobd-mkhomedir utility was unavailable in Red Hat Enterprise Linux 6. This update adds the oddjobd-mkhomedir.conf(5) manual page.
- Prior to this update, a number of manual pages in Russian language were unreadable due to a redundant re-encoding. This bug has been fixed, no re-encoding is performed as the source pages are provided in the UTF-8 encoding, and the manual pages are now correctly readable.
- The explanation of the sysconf(_SC_GETGR_R_SIZE_MAX) call in the getgrnam(3) manual page has been amended to describe the function of sysconf(_SC_GETGR_R_SIZE_MAX) clearly and correctly.
- The flock(2) manual page contained insufficient information about locking files over NFS. With this update, a more precise description of this topic has been added to flock(2).
- Previously, the documentation for the iconv utility was incomplete. This update adds the iconv(1) manual page.
- When the openssh package was updated, its man pages were overridden by the man-pages-overrides package. This update removes the ssh_config(5) manual page from man-pages-overrides. The fixed manual pages are now part of the openssh package.
- Prior to this update, log rotation for the /var/log/mcelog file was disabled, which could cause the file system to reach maximum capacity as the existing mcelog files could not be moved. The mcelog.logrotate file has been added to the mcelogd daemon, and the file system can no longer grow indefinitely.
- Previously, the mcelog packages did not specify mcelogd chkconfig levels. As a consequence, the mcelogd daemon could not be enabled using the ntsysv interface. Default chkconfig levels have been added to /etc/init.d/mcelog, and mcelogd can now be enabled using ntsysv. (BZ1006293)* Prior to this update, Intel Xeon E5 family processors were not identified uniquely, and the entry to the memory controller decode table was missing. A patch has been applied to fix this bug, and the mcelog packages have been updated to correctly identify Intel Xeon E5 family processors and to display corrected memory read errors.
- Previously, the select_intel_cputype() function did not work. As a consequence, the following error message was returned on Intel Xeon E6 family processors:mcelog: Family 6 Model 3f CPU: only decoding architectural errorsThe mcelog utility has been updated to support Intel Xeon E6 family processors. Now, decoding on the CPUs with this microarchitecture works properly.
- Previously, the mcelog packages included three files, intel.c.orig, intel.c.rej, and mcelog.c.orig which were copies of files used in development. The files are not required for the source to compile, or by the mcelog utility, and therefore have been removed.
- Previously, the mcelog utility required the use of the "--logfile" argument when specifying daemon mode in order to ensure that mcelog started with a logging mode. This configuration, however, prevented mcelog from starting with logging only to syslog. With this update, mcelog allows syslog only logging when "--logfile" is not specified.
- Previously, the permissions on the /etc/cron.d/raid-check file were not sufficiently strict. This update modifies the permissions, allowing only the administrator to read the script stored in /etc/cron.d/raid-check.
- Previously, the mdadm utility did not work correctly when a disk failed in an Intel Matrix Storage Manager (IMSM) RAID volume. Consequently, the failed disk was removed neither from the volume nor from the container, the volume was not in the "degraded" state, and the rebuild could not start. With this update, mdadm handles failed disks in RAID volumes properly.
- Previously, the mdadm utility did not apply the "path=*" directive from the /etc/mdadm.conf file when working with SATA devices. Consequently, mdadm searched for the /dev/disk/by-path/ directory that was not created by the udev utility. The bug has been fixed and mdadm no longer ignores the "path=*" directive for SATA devices.
- Prior to this update, the mdadm utility did not properly verify missing devices when creating an IMSM array. Consequently, when mdadm attempted to create an IMSM array with missing devices, it terminated unexpectedly with a segmentation fault. With this update, missing devices are verified correctly and creating an array with missing devices now works as intended.
- Previously, when the mdadm thread that monitored the reshaping operation of a disk array was terminated by the SIGTERM signal, it did not clear the suspended data region of the array. As a consequence, the data on the array could become corrupted. With this update, the mdadm thread terminates cleanly and can no longer cause data corruption.
- Previously, when installing on a system with only the second SATA controller having RSTe mode enabled in UEFI mode, mdadm would not detect the RAID volumes, and installation to them would not be possible. With this update, mdadm correctly detects the RAID volumes and installation to the volumes can happen.
- Prior to this update, the mdadm utility failed to create an Intel RAID volume when component size was larger than 100GiB. This problem occurred on RAID level 1, 5, and 10. This bug has been fixed and Intel RAID volumes can now be created successfully in the described case.
- Previously, when the mdadm utility was used to reshape RAID0 and RAID5 volumes created with the Intel Matrix Storage Manager (IMSM) utility, a race condition between the mdadm and mdmon utilities occurred. The reshape operation therefore failed to start. This update prevents the race condition and mdadn can now reshape IMSM modules without complications.
- RAIDs created with the Intel Matrix Storage Manager (IMSM) utility do not support spanning between different controllers. Under certain circumstances, the mdadm utility allows to fully assemble IMSM RAIDs with disks under different controllers. With this update, a warning message about Host Bus Adapter mismatch is displayed in such a case.
- Previously, if the system was rebooted or the Intel Matrix Storage Manager (IMSM) was restarted while reshaping an IMSM RAID, the reshape operation was not continued after reassembly. The following message was displayed:reshape info is not in native format - cannot continue.This bug has been fixed and reshape is now resumed after system reboot or after IMSM restart.
- Previously, the mip6d daemon wrote debugging log messages to the stderr output stream, especially during process termination. However, due to a bug in the code, mip6d wrote random data into the netlink socket instead of stderr. These netlink messages were rejected by the kernel and caused SELinux warnings about invalid netlink messages. This update fixes this bug and the described situation no longer occurs.
- Previously, the mksh shell worked with bytes instead of characters when looking for the common part of a file name. As a consequence, the common part of the file name could contain only the beginning part of the border character, and only a part of the character was printed. With this update, mksh works with whole characters when looking for the longest common prefix, and tab completion prints the correct common part as expected.
- Previously, the access point name (APN) string incorrectly contained a space at the end. As a consequence, a connection to the Israel Pelephone 3G provider could not be established. This update fixes the typographical error in the APN string, and the connection can now be established as expected.
- This update adds the missing description of the "KrbLocalUserMapping" option to the README file.
- Previously, the mod_auth_kerb module was not compatible with the way certain browsers, such as Mozilla Firefox, handled an expired Kerberos ticket. As a consequence, opening a Kerberos-protected page in these browsers with an expired Kerberos ticket caused mod_auth_kerb to fail. With this update, the error in mod_auth_kerb has been addressed and the mentioned problem no longer occurs.
- Due to a bug in the underlying source code, when the "S4U2Proxy" extension was configured, the mod_auth_kerb module did not renew tickets that were not valid yet. This update applies a patch to fix this bug and the tickets are now correctly renewed as expected.
- Previously, the nss_var_lookup_nss_cert_PEM() function from the nss_engine_vars.c file occasionally caused a memory error. This bug has been fixed and the memory error no longer occurs.
- Due to a bug in the nss-softokn package that is a dependency of the mod_nss package, the root process of the httpd daemon was occasionally terminated by a SIGTRAP signal. With this update, mod_nss has been updated to depend on a corrected version of nss-softokn and the root httpd process is no longer terminated by SIGTRAP.
- Due to a bug in the nss-softokn package that is a dependency of the mod_nss package, the httpd daemon sometimes terminated unexpectedly with a segmentation fault and the following message was returned:NSS_Initialize failed. Certificate database: /etc/httpd/aliasWith this update, mod_nss has been updated to depend on a corrected version of nss-softokn and httpd no longer crashes in the described case.
- When stopping the httpd daemon with the mod_wsgi module, a short race condition occurred right after its start, during which httpd could terminate unexpectedly with errors. This bug has been fixed and httpd no longer crashes in the described conditions.
- The modprobe utility did not previously recognize information about soft module dependencies in the modinfo section of the queried kernel modules. This update implements support for soft module dependencies, and the "modprobe --show-depends" command now returns this information as expected.
- Prior to this update, an internal hash referencing a specific subject in each envelope referenced a non-existent one. As a consequence, mutt terminated with a segmentation fault when the user attempted to synchronize mailbox after removing one or more messages in threaded mode. With this update, the subject hash updates correctly and the crash no longer occurs.
- Previously, the array that stores mutt message headers did not properly handle empty header entries. This could cause mutt to terminate unexpectedly with a segmentation fault when a change of message IDs occurred on the IMAP server, for example when the IMAP server was connected with multiple clients while removing messages through one of them. In this update, the handling of empty headers has been optimized and sorting messages in the array has been streamlined. As a result, multiple connected clients now synchronize correctly.
- Prior to this update, mutt did not correctly parse certificate files when accessing accounts through IMAP and POP3 protocols. Consequently, mutt terminated unexpectedly with a segmentation fault when attempting to access an IMAP or POP3 account. This update fixes the parsing process and accessing an IMAP or POP3 account now functions as intended.
- Previously, a bug prevented mutt's interactive certificate verification from working properly. As a consequence, mutt terminated unexpectedly with a segmentation fault when the user tried to send an e-mail message from the command line to a TLS server, for which mutt had not received the certificate yet. With this update, mutt's interactive certificate verification has been fixed and the described crash no longer occurs.
- The libvirtd service could terminate unexpectedly when retrieving a MAC address. This happened because the netcf code contained uninitialized data that could be accessed by libvirtd. With this update, netcf properly initializes this data and libvirtd no longer crashes in this case.
- Previously, netcf added an additional set of quotes to the value of the BONDING_OPTS parameter while attempting to create a bond interface. Consequently, the attempt failed with an error similar to the following:Error creating interface: 'Could not create interface: internal error failed to create (start) interface bond0: failed to execute external program - Running 'ifup bond0' failed with exit code 1: ./network-functions: line 457: /sys/class/net/bond0/bonding/'mode: No such file or directoryWith this update, additional quotes are no longer added to BONDING_OPTS and bonding devices can now be created as expected with this parameter specified.
- Prior to this update, netlabelctl, the NetLabel management tool, incorrectly handled multi-part netlink messages that limited the number of static labels displayed. Consequently, running the "netlabelctl unlbl list -p" command did not provide the correct output when a large number of static labels were configured. This bug has been fixed, and netlabelctl now works correctly and lists all the configured static labels as expected.
- Previously, netlabelctl did not allocate enough buffer space for large configuration messages from the kernel. In addition, netlabelctl could not adjust the buffer size in the cases where the buffer was not large enough. As a consequence, a large number of CIPSO level and category translations could not be used. With this update, the default message buffer has been increased, and the buffer is now increased dynamically as necessary. As a result, a large number of CIPSO level and category translations can be used as expected in this scenario.
- Prior to this update, the file with the licence text was not included in the binary packages. This update adds the license text in the packages.
- Prior to this update, the nfsiostat utility was run in the background with the stdout stream redirected to a file. As a consequence, the data was not displayed in a timely matter. This update clears stdout periodically to ensure the buffered output of nfsiostat does not get lost if the nfsiostat process is terminated.
- The nfs-utils packages were moved to an in-kernel keyring to store the ID mappings needed for NFSv4. However, the kernel key is too small for large enterprise environments. With this update, the nfsidmap utility, used by the kernel to do ID mapping, has been changed to use multiple keyrings.
- Previously, the rpc.idmapd name mapping daemon returned a warning message after failing to open communication with a client mount. As the warning message was harmless and unnecessary, rpc.idmapd now displays the message only if the user passes the "--verbose" option on the command line.
- The starting of the rpc.statd utility caused a creation of an extra privileged UDP socket. As a consequence, rpc.statd listened on a random port on all the interfaces, which is required only for internal communication with the rpc.lockd utility. With this update, rpc.statd no longer opens an extra socket in the described situation, and instead opens an extra random port on the loopback address only.
- The starting of the rpc.statd utility caused messages being flooded to the log. With this update, the socket is kept open until another one is found. As a result, the same port is not reused, and messages are no longer flooding the log in the described situation.
- When root squashing was enabled and world execute permissions were disabled, using the "-o remount" option of the mount utility caused the mount attempt to fail. This update fixes the chk_mountpoint() function, and the mount utility now checks only execute permissions for unprivileged users, thus fixing this bug.
- When the rpc.gssd daemon was started, a zero lifetime was sent to the kernel, which then guessed and used the default lifetime. To fix this bug, the correct lifetime is now passed to the kernel, which uses it for timeouts in GSS contexts.
- Previously, the rpcdebug utility did not work correctly when used with the NFS module and the "state" option. This update allows the "state" option to be used with the NFS module, and NFS state debugging can now be set as expected.
- Previously, machines with multiple disks made the rpc.mountd utility use 100% of the CPU for 30 to 40 minutes, needlessly scanning the disks. The libblkid daemon usage has been optimized, and rpc.mountd no longer causes downtime in this scenario.
- Due to a wrong indentation in its code, the nfsiostat utility failed to start. This update adds the correct indentation, and nfsiostat now starts as expected.
- This update enhances the nfsmount.conf file manual page to include syntax for mount options. Now, the reader has a better understanding on how to set variables in the configuration file.
- IPv6 is now a supported address type, and the exportfs utility can thus use IPv6 addresses to export file systems.
- This update adds descriptions on what each value of the column in the output of the nfsiostat utility means.
- Previously, when the chown utility was used on an NFSv4 mount, chown did not adhere to the no_root_squash option, and thus was not able to change the user and group ownership of each given file. With this update, libnfsidmap, a library to help mapping IDs mainly for NFSv4, has been patched, and chown now handles the user and group ownership as expected.* The rpc.idmapd daemon has been enhanced to be able to parse fully-qualified user names, such as "user@subdomain". Without this enhancement, the UID or GID mappings were failing and clients were incorrectly listed as owned by "nobody".
- Previously, the ncat utility printed debug messages even in verbose mode. As a consequence, after connecting through an HTTP proxy, a debug message was displayed together with the received data, which could interfere with the automated processing of standard output. With this update, ncat prints debug messages only in verbose mode as expected.
- The manual pages for the NSS security utilities were missing. This update adds the missing manual pages.
- Previously, the
curlutility failed to communicate with active FTP over Secure Sockets Layer (SSL) where both control and data connections were encrypted and authenticated by a client certificate with a password-protected private key. This was caused by the Privacy Enhanced Mail (PEM) module that pretended token removal whenever a key was being loaded from a file. Consequently, when the private key was loaded to authenticate the data connection, it caused the already authenticated control connection to fail with the following error code:
SSL_ERROR_TOKEN_INSERTION_REMOVAL.The underlying source code in the
NSS PEMmodule has been modified, and loading a single key multiple times no longer causes an SSL connection to fail.
- BZ#993441, BZ#1004105
- With this update, the
nss-softoknmodule has been submitted for a FIPS-140 revalidation.
- The code for removing token certificates from the cache caused a deadlock. Under certain conditions, when a server was processing multiple outgoing replication or windows sync agreements using TLS/SSL and processing incoming client requests that use TLS/SSL and Simple Paged Results, the server became unresponsive to new incoming client requests. With this update, the underlying source code has been modified to fix this bug and clients of NSS no longer become unresponsive in the described scenario.
- The NSS libraries did not check whether the
NSS_SDB_USE_CACHEenvironment variable was set to “yes” before calling the
sdb_measureAccess()function. Consequently, when using the
libcurllibraries that depend on NSS to make a HTTPS requests, there were many “access” system calls to paths, directories, and files that did not exist. This behavior led to excessive size of the directory entry cache. This update modifies NSS to avoid calling
NSS_SDB_USE_CACHEis set to “yes”, thus limiting the system calls to the non-existent paths. As a result,
cURLHTTPS requests no longer cause the cache to be too large.
- Previously, an incorrect
CHECK_FORK()call in the
nss-softoknmodule prevented the Admin Server component of Red Hat Directory Server from recovering after an improper shutdown. As a consequence, the Red Hat Directory Server parent process was unable to shut down NSS. Therefore, when Red Hat Directory Server was configured on an SSL port, the Admin Server component terminated unexpectedly with a segmentation fault. With this patch, the problematic
CHECK_FORK()calls have been removed and users can now start Red Hat Directory Server and use SSL-encrypted traffic as expected.
- BZ#1057224, BZ#1057226
- The section in the spec file that is used to set and export the
NSS_ECC_MORE_THAN_SUITE_Bbuild time environment variables was missing. Consequently, NSS was prevented from allowing external
pkcs #11cryptographic modules to support Elliptic Curve Cryptography (ECC) algorithms beyond those specified in suite B, thus preventing support for pluggable ECC. The mentioned spec file has been fixed and pluggable ECC are now supported as expected.
- Previously, the NSS libraries allowed users to disable the internal cryptographic module. When users set up an external cryptographic module, such as
opencryptoki, as the preferred module and disabled the internal cryptographic module, NSS could terminate unexpectedly with a segmentation fault. NSS has been modified to prevent users from disabling the internal module and therefore no longer fails in the described scenario.
- Due to a race condition in functions that manage user-defined slots, the
PK11_DoesMechanism()call failed on the Red Hat Directory Server. The code that manages the user-defined slots now checks if the slot is present and skips any reinitialization, cached present values, and locking. If the module is not thread-safe, as is the case with the Privacy Enhanced Mail (PEM) module, the slot
sessionLockis the same as the module reference lock and there is no need to use
sessionLock. As a result,
PK11_DoesMechanism()no longer crashes.
- Prior to this update, the numa_parse_cpustring() function added an unallowed CPU into its bitmask. As a consequence, only the bits the user has access to were set. Consequently, every time the function was used led to different outcomes. With this update, the numa_parse_cpustring() code sets all bits in the "cpustring" argument regardless of current task's CPU mask, and the aforementioned scenario no longer occurs.
- Previously, the compiler was enforcing libnuma to provide a constant within the "char*" parameter, which led to the following warning message being returned:testconst.c:10:45: warning: deprecated conversion from string constant to ‘char*’ [-Wwrite-strings]The underlying source code has been fixed so that the string is handled as a constant, and the user no longer receives warning messages.
- Previously, when the user set the affinity of the shell to be a subset of available CPUs and then attempted to use the numactl utility to bind to something absent from that affinity mask, the attempt failed. An upstream patch has been applied to fix this bug, and the numactl environment has been extended so that the user can choose whether to allow for the affinity mask to determine available CPUs or not.
- Due to incompatibilities emerging after the latest numactl packages update, virsh processes terminated unexpectedly when any virsh command was run. This bug has been fixed, and the virsh commands now work correctly.
- Previously, running the numad daemon on a system executing a process with very large resident memory, such as a Windows Server 2012 guest, could cause memory swapping. As a consequence, significant latencies under some circumstances occurred on the system, which could in turn lead to other processes, such as qemu-kvm, becoming unresponsive. With this update, numad no longer causes memory swapping in the above scenario, and the consequent latencies and hangs no longer occur.
- Prior to this update, when a process bound to a set of NUMA nodes depleted the system memory, the system started memory swapping instead of using other NUMA nodes for memory allocation. Consequently, the system experienced significant latencies or became unresponsive. With this update, numad unbinds memory nodes after moving the process memory, which allows for other nodes to be used for memory allocation, and thus prevents the described latencies and hangs.
- Previously, the numad daemon ignored existing control groups when localizing QEMU threads, and as a consequence, it incorrectly consolidated all running threads into a single control group. This update introduces numad support for multiple control groups, and numad therefore no longer moves QEMU threads into undesired control groups.
- Previously, on the IBM System z architecture, the opencryptoki Common Cryptographic Architecture (CCA) token was sending incorrect information to the CKA_ECDSA_PARAMS attribute when generating an EC key pair. As a consequence, opencryptoki failed to verify the public key. This bug has been fixed and the CCA token now sends the correct information to CKA_ECDSA_PARAMS, and public keys are verified successfully.
- Prior to this update, the IBM Crypto Accelerator (ICA) token did not handle the chunk size or tail calculation correctly in case of zero message sizes. As a consequence, an overflow occurred leading to a general protection fault (GPF). The underlying source code has been fixed, and GPFs no longer occur.
- BZ#869782, BZ#953938
- Prior to this update, the size set in the GeometryManager() function based on the XmFormConstraint "preferred_width" field was not updated when the label was changed and still contained the previous label length. Consequently, if the label text was modified while the window was smaller than the actual label width, the resulting size was incorrectly computed and the label text truncated. With this update, the values are updated and the fault no longer occurs in the described scenario.
- Previously, when the Motif Window Manager, or MWM, was used as the window manager and the Mwm*freezeOnConfig and Mwm*moveOpaque options were set to "False", only icons appeared while moving a window anywhere on the screen, and no frame border was drawn. Consequently, users were having problems navigating the applications on their touch screen monitors. A patch has been provided to fix this bug, and windows are now displayed correctly when being moved anywhere on the screen.
- Due to a bug in the underlying source code, an attempt to use the XmEXTENDED_SELECT policy could cause the Motif libraries to terminate unexpectedly with a segmentation fault. This update applies a patch to fix this bug and Motif no longer crashes in the described scenario.
- It was discovered that OpenSSH clients did not correctly verify DNS SSHFP records. A malicious server could use this flaw to force a connecting client to skip the DNS SSHFP record check and require the user to perform manual host verification of the DNS SSHFP record.
- It was found that OpenSSH did not properly handle certain AcceptEnv parameter values with wildcard characters. A remote attacker could use this flaw to bypass intended environment variable restrictions.
- Based on the SP800-131A information security standard, the generation of a digital signature using the Digital Signature Algorithm (DSA) with the key size of 1024 bits and RSA with the key size of less than 2048 bits is disallowed after the year 2013. After this update, ssh-keygen no longer generates keys with less than 2048 bits in FIPS mode. However, the sshd service accepts keys of size 1024 bits as well as larger keys for compatibility reasons.
- Previously, the openssh utility incorrectly set the oom_adj value to -17 for all of its children processes. This behavior was incorrect because the children processes were supposed to have this value set to 0. This update applies a patch to fix this bug and oom_adj is now properly set to 0 for all children processes as expected.
- Previously, if the sshd service failed to verify the checksum of an installed FIPS module using the fipscheck library, the information about this failure was only provided at the standard error output of sshd. As a consequence, the user could not notice this message and be uninformed when a system had not been properly configured for FIPS mode. To fix this bug, this behavior has been changed and sshd now sends such messages via the syslog service.
- When keys provided by the pkcs11 library were removed from the ssh agent using the "ssh-add -e" command, the user was prompted to enter a PIN. With this update, a patch has been applied to allow the user to remove the keys provided by pkcs11 without the PIN.
- With this update, ControlPersist has been added to OpenSSH. The option in conjunction with the ControlMaster configuration directive specifies that the master connection remains open in the background after the initial client connection has been closed.
- When the sshd daemon is configured to force the internal SFTP session, and the user attempts to use a connection other than SFTP, the appropriate message is logged to the /var/log/secure file.
- Support for Elliptic Curve Cryptography modes for key exchange (ECDH) and host user keys (ECDSA) as specified by RFC5656 has been added to the openssh packages. However, they are not enabled by default and the user has to enable them manually. For more information on how to configure ECDSA and ECDH with OpenSSH, see: https://access.redhat.com/solutions/711953
- Previously, cipher suites based on the single-DES and RC2 algorithms were on the default list of cipher suites used by the SSL or TLS client and by the server in the OpenSSL library. This allowed for suboptimal cipher suites to be negotiated between the OpenSSL client or server and a third party client or server. In addition, a higher amount of supported cipher suites in the TLS ClientHello request impaired the inter-operability of the OpenSSL TLS client. This update removes single-DES-based and RC2-based cipher suites from the default list of cipher suites, improving the security and compatibility of the OpenSSL TLS client.
- Cipher suites based on the Triple DES (3DES) algorithm had their bit strengths erroneously set to 168 bits when running under the SSL or TLS protocols. As a consequence, they were incorrectly sorted before cipher suites based on the AES-128 algorithm. This update sets the bit strength of 3DES-based cipher suites to 128 bits, and they will now be sorted after AES-128-based cipher suites as expected.
- In TLS client applications that use the SSLv2 protocol, the TLS extension giving the list of supported Elliptic Curve Cryptography (ECC)-based cipher suites could not be sent. This caused a TLS connection to a server which used an ECC-based cipher suite not supported by the OpenSSL client to abort. With this update, the ECC-based cipher suites are not sent in the SSLv2 ClientHello request, and TLS connections are no longer aborted in the above circumstances.
- The TLS extensions that were sent in the Datagram TLS (DTLS) ClientHello requests did not previously contain the list of the supported ECC-based cipher suites. As a consequence, the DTLS connections to servers using ECC cipher suites not supported by the OpenSSL client were aborted. With this update, the ECC-based cipher suite list is properly sent in the DTLS ClientHello requests, and DTLS connections are no longer aborted in the above circumstances.
- BZ#1002926, BZ#1039105, BZ#1002930, BZ#1015056
- The openssl packages have been enhanced to allow for FIPS-140-2 validation of the OpenSSL library as a FIPS cryptographic module.
- When connecting to a server using ECDHE-based or DHE-based cipher suites, the s_client utility now reports the size of ECDHE and DHE parameters selected by the server. This allows for easy verification whether the used configuration set is secure.
- When using the protoport option in combination with the type=passthrough setting to exclude traffic from encryption, an incorrect inverse policy was installed and the exclusion was not successful. Now, the correct policy is installed in the described situation.
- Starting multiple connections with the leftsubnets= or auto=start options led to a crypto overload and subsequent restart of Openswan. The pluto cryptohelper has been fixed to prevent the overload.
- The ikev2=insist setting was not enforced on the responder side, allowing an IKEv1 connection to be established instead. This bug has been fixed and ikev2=insist is no longer ignored.
- This update fixes multiple lingering states after reestablishing IKEv2 keys.
- This update enforces the limits set with esp, phase1alg, and andphase2alg options. Previously, any algorithm of the default set (aes, 3des, sha1, md5) was always allowed, regardless of the above options.
- IKEv2 delete payloads were not always properly delivered to the remote peer, leaving the remote endpoint with lingering unused connections. Now, IKEv2 delete payloads are delivered as expected.
- This update modifies the rightid=%fromcert option to load IDs from the local certificate when set for the local end, and from the certificate delivered by the remote peer when set for the peer end.
- The "ipsec ikeping" command did not recognize the --exchangenum option. This option is now recognized correctly.
- This update fixes a crash of the IKE pluto daemon when using the SHA2 encryption family with the ike= option with IKEv2.
- Openswan no longer drops various privileges too soon, which prevented it from reading configuration files in directories not owned by root.
- The IKE pluto daemon occasionally crashed and restarted when referencing missing IKEv2 payloads. The Openswan's state machine has been updated to reject packets with missing payloads.
- This update fixes the compatibility problems with older versions of Cisco VPN introduced in the previous update of the openswan packages.
- After restarting the remote endpoint, the sourceip option was not properly reset in the local route entry. This bug has been fixed.
- If there was no NSS database available, the IKE pluto daemon created a nonfunctional replacement. A missing NSS database is now created before the pluto daemon starts and in the %post phase of the package install, which fixes this bug.
- The "ipsec newhostkey" command did not return a correct non-zero exit code in case of failure, for example when generating keys of insufficient strength. Now, ipsec newhostkey returns the correct exit code.
- Configuring an AH algorithm for IKEv2, or various non-standard ESP algorithms for IKEv1 or IKEv2 (such as CAST, RIPEMD160 or CAMELLIA) caused the IKE pluto daemon to terminate unexpectedly and restart. This bug has been fixed and pluto no longer crashes when AH or ESP algorithms are configured.
- Using the "force_busy=yes" developer option to force anti-DDOS mode in IKEv2 caused the IKE pluto daemon to crash and restart. This bug has been fixed and pluto no longer crashes in the described situation.