Chapter 4. Package Updates

Important

The Red Hat Enterprise Linux 6 Technical Notes compilations for Red Hat Enterprise Linux 6.0, 6.1 and 6.2 have been republished.
Each compilation still lists all advisories comprising their respective GA release, including all Fastrack advisories.
To more accurately represent the advisories released between minor updates of Red Hat Enterprise Linux, however, some advisories released asynchronously between minor releases have been relocated.
Previously, these asynchronously released advisories were published in the Technical Notes for the most recent Red Hat Enterprise Linux minor upate. Asynchronous advisories released after the release of Red Enterprise Linux 6.1 and before the release of Red Hat Enterprise Linux 6.2 were published in the Red Hat Enterprise Linux 6.2 Technical Notes, for example.
Most of these asynchronous advisories were concerned with, or even specific to, the then extant Red Hat Enterprise Linux release, however.
With these republished Technical Notes, such advisories are now incorporated into the Technical Notes for the Red Hat Enterprise Linux release they are associated with.
Future Red Hat Enterprise Linux Technical Notes will follow this pattern. On first publication a Red Hat Enterprise Linux X.y Technical Notes compilation will include the advisories comprising that release along with the Fastrack advisories for the release.
Upon the GA of the succeeding Red Hat Enterprise Linux release, the Red Hat Enterprise Linux X.y Technical Notes compilation will be republished to include associated asynchronous advisories released since Red Hat Enterprise Linux X.y GA up until the GA of the successive release.

4.1. 389-ds-base

Updated 389-ds-base packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Bug Fixes

BZ#720458
If a server sent a response to an unbind request and the client simply closed the connection, Directory Server 8.2 logged "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)".
BZ#752155
An incorrect SELinux context caused AVC errors in /var/log/audit/audit.log.
BZ#697663, BZ#700665, BZ#711533, BZ#711241, BZ#726136, BZ#700215
A number of memory leaks and performance errors were fixed.
BZ#711266
The DS could not restart after a new object class was created which used the entryUSN attribute.
BZ#712167
The ns-slapd process segfaulted if suffix referrals were enabled.
BZ#711513
A high volume of TCP traffic could cause the slapd process to quit responding to clients.
BZ#714298
Attempting to delete a VLV index caused the server to hang.
BZ#720051
Connections to the DS by an RSA authentication server using simple paged results by default would timeout.
BZ#735217
Running a simple paged search against a subtree with a host-based ACI would hang the server.
BZ#733443
If the target attribute list for an ACI had syntax errors and more than five attributes, the server crashed.
BZ#734267
It was not possible to set account lockout policies after upgrading from RHDS 8.1.
BZ#720452
Adding an entry with an RDN containing a % caused the server to crash.
BZ#709868
Only FIPS-supported ciphers can be used if the server is running in FIPS mode.
BZ#711265
It is possible to disable SSLv3 and only allow TLS.
BZ#713317, BZ#713318
If the changelog was encrypted and the certificate became corrupt, the server crashed.
BZ#733434
If the passwordisglobalpolicy attribute was enabled on a chained server, a secure connection to the master failed.
BZ#714310
If a chained database was replicated, the server could segfault.
BZ#694571
Editing a replication agreement to use SASL/GSS-API failed with GSS-API errors.
BZ#742611
In replication, a msgid may not be sent to the right thread, which caused "Bad parameter to an LDAP routine" errors. This causes failures to propagate up and halt replication.
BZ#701057
Password changes were replicated among masters replication, but not to consumers.
BZ#717066
If an entry was modified on RHDS and the corresponding entry was deleted on the Windows side, the sync operation attempts to use the wrong entry.
BZ#734831
Some changes were not properly synced over to RHDS from Windows.
BZ#726273
RHDS entries were not synced over to Windows if the user's CN had a comma.
BZ#718351
Intensive update loads on master servers could break the cache on the consumer, causing it to crash.
BZ#699458
Syncing a multi-valued attribute could delete all the other instances of that attribute when a new value was added.
BZ#729817
If a synced user subtree on Windows was deleted and then a user password was changed on the RHDS, the DS would crash.

Enhancements

BZ#742382
The nsslapd-idlistscanlimit configuration attribute can be set dynamically, instead of requiring a restart.
BZ#742661
Separate resource limits can be set for paged searches, independent of resource limits for regular searches.
BZ#720459
The sudo schema has been updated.
BZ#739959
A new configuration attribute sets a different list of replicated attributes for a total update versus an incremental update.
BZ#733440
A new configuration option allows the server to be started with an expired certificate.
BZ#720461
New TLS/SSL error messages have been added to the replication error log level.
Users are advised to upgrade to these updated 389-ds-base packages, which resolve these issues and add these enhancements.
Updated 389-ds-base packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Bug Fixes

BZ#758682
When the LDAP server was under a heavy load, and the network was congested, client connections could experience problems. If there was a connection problem while the server was sending Simple Paged Result (SPR) search results to the client, the LDAP server called a cleanup routine incorrectly. This led to a memory leak and the server terminated unexpectedly. With this update, the underlying code has been modified to ensure that cleanup tasks are run correctly and memory leaks no longer occur. The LDAP server no longer crashes in this scenario.
BZ#758683
Previously, certain operations with the Change Sequence Number (CSN) were not very effective in 389 Directory Server. Therefore, performing a large number of the modrdn operations during Directory Server content replications led to poor performance, and the ns-slapd daemon consumed up to 100% CPU under these circumstances. With this update, the underlying code has been modified to use these CSN operations efficiently so that replications in Directory Server now work as expected in this scenario.
BZ#758688
Previously, allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method, when checking the Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. Memory leaks no longer occur and the LDAP server no longer crashes in this scenario.
BZ#771631
Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. This implementation allowed deadlocks to occur if 389 Directory Server was under a heavy load, which caused the server to become unresponsive. With this update, 389 Directory Server now uses the POSIX implementation of the locking mechanism, and deadlocks no longer occur under a heavy load.
BZ#771632
Under a heavy load in replicated environments, 389 Directory Server did not handle the Entry USN index correctly. Consequently, the index could become out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the Entry USN plug-in and 389 Directory Server now handles the Entry USN index as expected.
All users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs.