Chapter 4. Notable Bug Fixes

This chapter describes bugs fixed in Red Hat Enterprise Linux 7.7 Beta that have a significant impact on users.

4.1. Authentication and Interoperability

krb5 memory caches are now thread-safe

Previously, the memory caches of the Kerberos V5 login program (krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.

(BZ#1605756)

krb5 configurations prohibited by FIPS-140-2 can now work again

Previously, the Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (krb5) system increased compliance with FIPS-140-2. As a consequence, certain previously permitted configurations that are prohibited by FIPS-140-2 stopped working. With this update, the changes have been reverted, because krb5 is only required to work in FIPS mode, not to be FIPS-compliant. As a result, configurations prohibited by FIPS-140-2 can now work again.

Note that Red Hat Enterprise Linux 8 does not support these configurations at the moment.

(BZ#1645711)

SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups

The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC by default. Consequently, when SSSD requested the POSIX attributes during initgroup lookups, SSSD incorrectly considered the attributes to be removed from the server, because they were not present in the GC, and removed them from the SSSD cache as well. With this update, initgroup lookups switch between the LDAP and GC connections as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.

(BZ#1194345)

Changing the shell with ypchsh no longer results in an overwritten password when NIS uses passwd.adjunct

Previously, when the NIS server was set up to support the passwd.adjunct map and the user changed the shell on a NIS client by using the ypchsh command, the yppasswdd daemon overwrote the user’s password hash inside passwd.adjunct with the ##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in to the new shell after running ypchsh.

(BZ#1624295)

4.2. Compiler and Tools

GDB breakpoint default source file works for symbolic links

Previously, the GDB debugger could not locate the symbol table information for the default source file, if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.

(BZ#1639077)

The DNS stub resolver in glibc no longer rejects valid host names, such as hostname-.example.com

The DNS stub resolver in glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as res_hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.

(BZ#1039304)

iconv no longer hangs when converting from certain IBM character sets

Previously, the glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM393 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the iconv tool with the -c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurrence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.

(BZ#1427734)

iconv can convert between the IBM273 and ISO-8859-1 character sets

Previously, the glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character MACRON, instead it used the corresponding byte to represent the OVERLINE Unicode character, which has the same visual representation as a MACRON. As a consequence, using the iconv tool provided by glibc to convert IBM273 text containing an OVERLINE character to ISO-8859-1 or ISO-8859-1 text containing a MACRON character to IBM273 resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its OVERLINE representation with MACRON. As a result, both character sets now use the MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.

(BZ#1591268)

getifaddrs calls can no longer unexpectedly terminate applications

Previously, the network interface list produced by the getifaddrs function in the glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using getifaddrs could terminate unexpectedly in such a situation. This has been fixed, and getifaddrs now makes sure the list is identical to the kernel state. As a result, the unexpected termination mentioned above cannot happen.

(BZ#1472832)

Makefiles containing explicit targets before implicit targets work again

Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After the update to version 3.82, the make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets could not be used. With this update, make can correctly parse situations where an explicit target is listed before an implicit target. However, implicit targets before explicit targets still result in an error. As a result, certain legacy Makefiles can now be used again without modification.

Note that mixing explicit and implicit targets in Makefiles is deprecated and should not be added to new Makefiles.

(BZ#1582545)

PCP reports all process details on large systems

Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details on very large systems in some cases. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.

(BZ#1600262)

strip no longer crashes with certain executable files

Previously, the strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate strip. The assumptions about structure have been changed such that this problem can no longer happen and strip works correctly.

(BZ#1644632)

Optimized CPU consumption by libdb

A previous update to the libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.

(BZ#1608749)

fixfiles no longer incorrectly fails

Previously, the fixfiles script failed if the /etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the /etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for existence of /etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.

(BZ#1647714)

4.3. Desktop

SystemTap Dyninst backend no longer needs the dyninst-devel package

Previously, the SystemTap Dyninst backend used by the stap --dyninst command did not work when the dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly in this situation, and users had to manually install dyninst-devel and run the ldconfig tool as a workaround. This bug has been fixed, and the SystemTap Dyninst backend can be used without the mentioned workaround.

(BZ#1498558)

X.org server no longer crashes during fast user switching

Previously, the X.Org X11 qxl video driver did not emulate the event for leaving the virtual terminal on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update, qxl has been fixed, and the X.Org server no longer crashes during fast user switching.

(BZ#1640918)

4.4. File Systems

Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system

Previously, the setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on an NFS-mounted file system, setquota failed to perform the operation. This update corrects the conversion of the used disk size to the RPC protocol format, and the described problem no longer occurs.

(BZ#1697605)

4.5. Installation and Booting

NVDIMM commands are added to kickstart script file anaconda-ks.cfg after installation

The installer creates a kickstart script equivalent to the configuration used for installation of the system. This script is stored in the file /root/anaconda-ks.cfg. Previously, when the interactive graphical user interface was used for installation, the nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the kickstart file now contains the nvdimm commands as expected.

(BZ#1620109)

The graphical installation program no longer permits an invalid passphrase

Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.

(BZ#1489713)

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.

(BZ#1637112)

The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes

Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of 512 and 4096.

(BZ#1614049)

Cancelling a job initiated from cockpit-composer no longer fails

The image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from the cockpit-composer GUI using composer-cli compose cancel resulted in a hung compose API server, causing newly queued builds not to start and to remain in the waiting state. To fix the problem, a feature to cancel the image build process was implemented. As a result, cancelling a job initiated from cockpit-composer no longer fails.

(BZ#1659129)

The rpm command now supports the --setcaps and --restore options

This update introduces the --setcaps and --restore options for the rpm command.

The --setcaps option sets the capabilities of files in the specified package. The syntax is as follows:

rpm --setcaps PACKAGE_NAME

The --restore option restores the owner, group, permissions, and capabilities of files in the specified package. The syntax is as follows:

rpm --restore PACKAGE_NAME

(BZ#1550745)
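As an added example that is not part of these release notes, the following Python script parses the nine-character status field that rpm -V prints for each file, picks out files whose mode, owner, group or capabilities differ from the RPM database, and hands the affected package to the new rpm --restore option. The rpm -V sample at the top is constructed; the script name and the decision to restore whole packages are the example's own assumptions.

```python
"""Repair permission and capability drift on RPM-owned files.

Parses the 9-character status field that rpm -V prints per file and runs
rpm --restore for packages where mode, owner, group or capabilities differ.
"""
import subprocess
import sys

# One status position per attribute: "." verified, "?" could not be checked.
ATTR_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "link", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}
# Attributes that rpm --restore puts back from the RPM database.
RESTORABLE = set("MUGP")
# Optional marker between status and path: config, doc, ghost, license, readme.
FILE_TYPE_CHARS = set("cdglr")

# Constructed sample of rpm -V output (not captured from a real system).
SAMPLE = """\
.M.......    /usr/bin/ping
.....UG..    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/foo/README
........P    /usr/bin/newgidmap
missing     /usr/share/man/man8/ping.8.gz
"""


def _split_path(rest):
    """Drop the optional file-type marker in front of the path."""
    rest = rest.strip()
    if len(rest) > 2 and rest[0] in FILE_TYPE_CHARS and rest[1] == " ":
        rest = rest[2:].strip()
    return rest


def parse_verify_output(text):
    """Map each path in rpm -V output to the set of failed attribute letters
    (a missing file maps to {"missing"})."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("missing"):
            result[_split_path(line[len("missing"):])] = {"missing"}
            continue
        status, path = line[:9], _split_path(line[9:])
        if path.startswith("/"):
            result[path] = {c for c in status if c in ATTR_NAMES}
    return result


def restorable_drift(text):
    """Return {path: [attribute names]} for files that rpm --restore can fix."""
    drift = {}
    for path, flags in parse_verify_output(text).items():
        fixable = flags & RESTORABLE
        if fixable:
            drift[path] = sorted(ATTR_NAMES[f] for f in fixable)
    return drift


def restore_package(package):
    """Run 'rpm --restore PACKAGE_NAME' (RHEL 7.7); returns rpm's exit status."""
    return subprocess.call(["rpm", "--restore", package])


if __name__ == "__main__":
    # Usage: python3 rpm_restore_drift.py PACKAGE...   (script name is assumed)
    for pkg in sys.argv[1:]:
        # rpm -V exits non-zero whenever something differs, so only read stdout.
        out = subprocess.run(["rpm", "-V", pkg], stdout=subprocess.PIPE,
                             universal_newlines=True).stdout
        drift = restorable_drift(out)
        for path, attrs in sorted(drift.items()):
            print("%s: %s differs in %s" % (pkg, path, ", ".join(attrs)))
        if drift:
            restore_package(pkg)
```

Digest and size mismatches are reported but not restored, because rpm --restore does not touch file contents; those files need a reinstall of the package.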

GRUB 2 regexp command is no longer missing

Previously, the module providing the regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using regexp failed with the error message: can’t find command `regexp`. With this update, the module providing regexp is included in the GRUB2 EFI binary and works in the described situation.

(BZ#1630678)

4.6. Kernel

Netfilter now supports zero-length CIDR values in certain IP set types

Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in hash:net,port,net and hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.

(BZ#1680426)

The intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled

Previously, with the Intel Skylake-X systems, it was impossible to load the intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the acpi_cpufreq driver. This update fixes the problem and intel_pstate now loads correctly in the described scenario.

In the event that the user wants to use acpi_cpufreq (not recommended), the solution is to append the intel_pstate=disable parameter to the kernel command line.

(BZ#1698453)

Data corruption no longer occurs on RAID 10 reshape on top of VDO

Previously, RAID 10 reshape (with both LVM and mdadm) on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.

(BZ#1528466)

write-behind in RAID1 no longer triggers a kernel panic

Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the write-behind function could not be used. This update fixes the problem and write-behind can now be used without triggering a kernel panic in the described scenario.

(BZ#1632575)

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types

Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.

(BZ#1607252)

The kdump kernel is now able to boot after a CPU hot add or hot remove operation

When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with kdump enabled, the kdump crash kernel failed to boot if triggered by the kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result, the kdump kernel boots in the described scenario.

(BZ#1549355)

4.7. Networking

The ipset service can now load sets that depend on other sets

The ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially, ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the ipset service first creates all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.

(BZ#1646666)

Error logging in the ipset service has been improved

Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.

(BZ#1649877)

The ipset service now ignores invalid configuration entries during startup

The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. With this update, the ipset service detects invalid configuration entries during the restore operation, ignores them, and restores the remaining sets.

(BZ#1650297)
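The loading order described for the ipset service above (create all sets first, then add their entries) together with the skipping of invalid entries, as an added example that is not the ipset service's own code: the script merges per-set files into one ipset restore script, emits every create line before any add line, and reports entries it cannot restore instead of aborting. The file names, set definitions, hand-edited line and the directory layout in the usage comment are constructed assumptions.

```python
"""Build one ipset restore script from per-set files in dependency-safe order.

The ipset service keeps each set in its own file; loading them one after
another fails when a list:set names a set that is restored later.  This
emits every 'create' line first, then the 'add' lines, and skips entries
that cannot be restored instead of aborting on them.
"""
import sys

# Constructed sample: one saved file per set, as the ipset service stores
# them.  The list:set comes first and depends on the two sets after it; one
# file carries a hand-edited line and an add for a set that does not exist.
SAMPLE_FILES = {
    "01-combined.set": ("create combined list:set size 8\n"
                        "add combined allowed\n"
                        "add combined blocked\n"),
    "02-allowed.set": ("create allowed hash:net family inet hashsize 1024\n"
                       "add allowed 10.0.0.0/8\n"
                       "this line was hand-edited\n"),
    "03-blocked.set": ("create blocked hash:ip family inet\n"
                       "add blocked 192.0.2.7\n"
                       "add nosuchset 192.0.2.8\n"),
}


def build_restore_script(set_files):
    """set_files maps file name -> saved ipset text.

    Returns (lines, warnings): lines feed 'ipset restore -exist', warnings
    describe every entry that was dropped and why."""
    creates, adds, warns, set_types = [], [], [], {}
    for fname, text in sorted(set_files.items()):
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            words = line.split()
            if words[0] == "create" and len(words) >= 3:
                set_types[words[1]] = words[2]      # set name -> set type
                creates.append(line)
            elif words[0] == "add" and len(words) >= 3:
                adds.append((fname, lineno, words[1], words[2], line))
            else:
                warns.append("%s:%d: ignoring invalid entry %r"
                             % (fname, lineno, line))
    kept = []
    for fname, lineno, name, entry, line in adds:
        if name not in set_types:
            warns.append("%s:%d: set %r is never created, skipping %r"
                         % (fname, lineno, name, line))
        elif set_types[name] == "list:set" and entry not in set_types:
            warns.append("%s:%d: member set %r is never created, skipping %r"
                         % (fname, lineno, entry, line))
        else:
            kept.append(line)
    # All creates precede all adds, so every add finds its set present.
    return creates + kept, warns


def load_set_files(paths):
    """Read the saved set files named on the command line."""
    return {p: open(p).read() for p in paths}


if __name__ == "__main__":
    # Assumed usage: python3 ipset_restore_order.py /path/to/sets/*.set | ipset restore -exist
    files = load_set_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FILES
    lines, warns = build_restore_script(files)
    for w in warns:
        print("warning: " + w, file=sys.stderr)
    print("\n".join(lines))
```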

firewalld rebased to version 0.6.3

The firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:

  • The firewalld service now only modifies ifcfg files for permanent configuration changes.
  • Untranslated strings in the firewall-config utility have been fixed; they prevented rich rules from being modified in the UI.
  • The set-log-denied parameter now works correctly when used in combination with the icmp-block-inversion parameter.
  • The firewall-cmd utility now correctly checks the return value of the ipset command.
  • IP forwarding is no longer enabled when using port forwarding and the toaddr parameter is not specified.
  • The shell auto-complete feature no longer constantly asks for authentication.

(BZ#1637204)

4.8. Security

NSS now processes X.509 certificates for use with IPsec correctly

Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain serverAuth and clientAuth attributes, the Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.

(BZ#1212132)

scap-security-guide now correctly skips rules that are not applicable to containers and container images

SCAP Security Guide content can now be used to scan containers and container images. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result "not applicable" is reported when scanning containers and container images.

(BZ#1630739)

SELinux now allows gssd_t processes to access kernel keyrings of other processes

Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could, for example, block sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.

(BZ#1487350)

SELinux no longer blocks snapperd from managing all non-security directories

Prior to this update, an allow rule for the snapper daemon (snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.

(BZ#1619306)

sudo I/O logging function now works also for SELinux-confined users

Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.

(BZ#1564470)

sudo configured using LDAP now handles sudoRunAsGroup correctly

Previously, the sudo tool configured using LDAP did not correctly handle the case when the sudoRunAsGroup attribute was defined and the sudoRunAsUser attribute was not. As a consequence, the root user was used as the target user. With this update, the handling of sudoRunAsGroup has been fixed to match the behavior documented in the sudoers.ldap(5) man page, and sudo now works properly in the described scenario.

(BZ#1618702)

4.9. Servers and Services

chronyd no longer fails to synchronize with NTP servers after reboot

Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence, chronyd was prevented from synchronizing the system clock. With this update, the chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result, chronyd now synchronizes with NTP servers as expected under the described circumstances.

(BZ#1600882)

CUPS no longer denies access if SSSD running on the same server is configured with ignore_group_members = true

When the System Security Services Daemon (SSSD) uses the ignore_group_members = true setting in the /etc/sssd/sssd.conf file, the getgrnam() function returns the group structure without the members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only getgrnam() to verify whether a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS additionally uses the getgrouplist() function, which returns group members even if SSSD is configured with ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.

(BZ#1570480)

Running dbus-daemon no longer fails to activate a system service

With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, locations of several dbus tools were migrated. The dbus-send executable was moved from the /bin directory to the /usr/bin directory; the dbus-daemon-launch-helper executable was moved from the libdir directory to the libexecdir directory. Consequently, if a scriptlet in a package called the dbus-send command to send a message to D-Bus, and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symlinks between the old and new locations of dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.

(BZ#1568856)

Teaming in the rescue system works correctly again

Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR affecting complex network configurations. However, in the case of teaming, this update introduced another problem. If the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a workaround was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.

(BZ#1685166)

Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10

Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Platform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.

(BZ#1649408)

4.10. Storage

LVM no longer causes data corruption in the first 128 kB of allocatable space of a physical volume

Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:

  • A physical volume (PV) was created with a non-default alignment. The default is 1 MB.
  • An LVM command was modifying metadata at the tail end of the metadata region of the PV.
  • A user or a file system was modifying the same bytes (racing).

No cases of the data corruption have been reported.

With this update, the problem has been fixed, and LVM can no longer cause data corruption under these conditions.

(BZ#1643651)

System boot is no longer delayed by ndctl

Previously, a udev rule installed by the ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases, systemd displayed a message similar to the following:

INFO: task systemd-udevd:1554 blocked for more than 120 seconds.
...
nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm]
...

With this update, ndctl no longer installs the udev rule. As a result, ndctl does not delay the system boot.

(BZ#1635441)