The ErrorPolicy directive is now validated
The CUPS ErrorPolicy configuration directive was not validated on startup, so an unintended default error policy could be used without any warning. The directive is now validated on startup and reset to the default if the configured value is invalid. As a result, either the intended policy is used or a warning message is logged.
CUPS now disables SSLv3 encryption by default
Previously, it was not possible to disable SSLv3 in the CUPS scheduler, which left it vulnerable to attacks against SSLv3. To solve this issue, the SSLOptions keyword has been extended with two new options, AllowRC4 and AllowSSL3, each of which re-enables the named feature in cupsd. The new options are also supported in the /etc/cups/client.conf file. Both RC4 and SSLv3 are now disabled by default, so only a configuration that explicitly names these options exposes the weak protocol or cipher.
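An audit check for the new directive, added here as an example (it is not part of the release note or of CUPS): it reports whether a cupsd.conf or client.conf re-enables SSLv3 or RC4 through SSLOptions. The script assumes the last SSLOptions directive in a file is the effective one and treats a missing directive as the secure default (the upstream CUPS manual spells that default as SSLOptions None). The sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the release note or of CUPS itself: report
# whether a CUPS configuration file (cupsd.conf or client.conf) re-enables
# SSLv3 or RC4 through SSLOptions.  Assumptions: the last SSLOptions line
# wins, and a missing directive means the secure default.

# cups_ssl_options FILE
# Prints the keywords of the effective SSLOptions directive, or "None"
# when the file has no such directive.  Comment lines are ignored.
cups_ssl_options() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "ssloptions" { $1 = ""; opts = $0 }
        END {
            sub(/^[ \t]+/, "", opts)
            print (opts == "" ? "None" : opts)
        }' "$1"
}

# cups_weak_ssl FILE
# Prints the weak keywords and returns 0 when AllowSSL3 or AllowRC4 is in
# effect; returns 1 when the file keeps the secure default.
cups_weak_ssl() {
    found=""
    for opt in $(cups_ssl_options "$1"); do
        case "$opt" in
            [Aa]llow[Ss][Ss][Ll]3|[Aa]llow[Rr][Cc]4) found="$found $opt" ;;
        esac
    done
    [ -n "$found" ] || return 1
    echo "${found# }"
}

# Constructed sample files, not copied from any real system.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# legacy setting kept for old clients: re-enables both weak features
SSLOptions AllowSSL3 AllowRC4
EOF
printf 'SSLOptions None\n' > "$tmp/hardened.conf"
printf 'Listen localhost:631\n' > "$tmp/default.conf"

for name in weak hardened default; do
    if weak=$(cups_weak_ssl "$tmp/$name.conf"); then
        echo "$name.conf: WEAK, re-enables $weak"
    else
        echo "$name.conf: ok (SSLOptions $(cups_ssl_options "$tmp/$name.conf"))"
    fi
done
rm -rf "$tmp"
```

Run it against /etc/cups/cupsd.conf and /etc/cups/client.conf on a server after the update; anything other than "ok" means a local change has undone the new default.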
cups now allows underscores in printer names
The cups service now allows users to include the underscore character (_) in local printer names.
Unneeded dependency removed from the tftp-server package
Previously, an additional package was installed by default when installing the tftp-server package. With this update, the superfluous package dependency has been removed, and the unneeded package is no longer installed by default when installing tftp-server.
The deprecated /etc/sysconfig/conman file has been removed
Before the introduction of the systemd manager, various limits for services could be configured in the /etc/sysconfig/conman file. After the migration to systemd, /etc/sysconfig/conman is no longer used and has therefore been removed. To set limits and other daemon parameters, such as LimitCPU=, LimitDATA=, or LimitCORE=, edit the conman.service unit file. For more information, see the systemd.exec(5) manual page. In addition, a new LimitNOFILE=10000 setting has been added to the conman.service file; it is commented out by default. Note that after making any changes to the systemd configuration, the systemctl daemon-reload command must be executed for the changes to take effect.
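The procedure above, as an added example (not from the release note): it sets the limit through a systemd drop-in directory rather than by editing the packaged conman.service, so a package update cannot overwrite the change. The ROOT parameter is a hypothetical prefix that lets the steps be rehearsed in a scratch directory; on a live system it is "/".

```shell
#!/bin/sh
# Added example, not from the release note: configure conman's resource
# limits with a systemd drop-in.  ROOT is a hypothetical prefix used so the
# steps can be rehearsed in a scratch directory; on a real system pass "/".

# write_conman_limits ROOT NOFILE
# Creates ROOT/etc/systemd/system/conman.service.d/limits.conf setting
# LimitNOFILE= to NOFILE and prints the path of the file.
write_conman_limits() {
    root=${1%/}
    nofile=$2
    case "$nofile" in
        ''|*[!0-9]*) echo "LimitNOFILE must be a non-negative integer" >&2; return 1 ;;
    esac
    dir="$root/etc/systemd/system/conman.service.d"
    mkdir -p "$dir"
    cat > "$dir/limits.conf" <<EOF
# Drop-in for conman.service: keys here override the packaged unit file
# and survive package updates.  See systemd.exec(5) for the Limit* keys.
[Service]
LimitNOFILE=$nofile
# Further limits use the same form, for example:
# LimitCORE=0
# LimitCPU=infinity
EOF
    echo "$dir/limits.conf"
}

# conman_limit_nofile ROOT
# Prints the LimitNOFILE= value from the drop-in (comment lines ignored).
conman_limit_nofile() {
    sed -n 's/^LimitNOFILE=\(.*\)$/\1/p' \
        "${1%/}/etc/systemd/system/conman.service.d/limits.conf"
}

# apply_conman_limits ROOT
# On a live system (ROOT=/) reloads systemd so the drop-in is read and
# shows the resulting property; the running daemon only gets the new limit
# after "systemctl restart conman.service".
apply_conman_limits() {
    if [ "${1%/}" = "" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl daemon-reload
        systemctl show conman.service -p LimitNOFILE
    else
        echo "skipping systemctl: scratch root or no systemd present" >&2
    fi
}

# Rehearsal in a scratch directory (harmless on any machine)
scratch=$(mktemp -d)
write_conman_limits "$scratch" 10000
conman_limit_nofile "$scratch"        # 10000
apply_conman_limits "$scratch"
rm -rf "$scratch"
```

To apply it for real, run write_conman_limits / 10000 as root, then apply_conman_limits / and restart the service; systemctl show reports the limit systemd will use, which is the quickest way to confirm the daemon-reload step was not forgotten.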
mod_nss rebase to version 1.0.11
The mod_nss packages have been upgraded to upstream version 1.0.11, which provides a number of bug fixes and enhancements over the previous version. Notably,
mod_nss can now enable TLSv1.2, and SSLv2 has been completely removed. Also, support for the ciphers generally considered to be most secure has been added.
The vsftpd daemon now supports DHE and ECDHE cipher suites
The vsftpd daemon now supports cipher suites based on ephemeral Diffie-Hellman (DHE) and ephemeral elliptic-curve Diffie-Hellman (ECDHE) key exchange, which provide forward secrecy for FTPS sessions.
Permissions can now be set for files uploaded with sftp
Inconsistent user environments and strict umask settings could result in inaccessible files when uploading with the sftp utility. With this update, the administrator can force exact permissions on files uploaded using sftp, which avoids the described issue.
LDAP queries used by ssh-ldap-helper can now be adjusted
Not all LDAP servers use the default schema expected by the ssh-ldap-helper tool. This update makes it possible for the administrator to adjust the LDAP query that ssh-ldap-helper uses to fetch public keys from servers with a different schema. The default behaviour is unchanged.
createolddir directive in the logrotate utility
A new logrotate createolddir directive has been added to enable automatic creation of the olddir directory. For more information, see the logrotate(8) manual page.
Error messages from /etc/cron.daily/logrotate are no longer silently discarded
Error messages generated by the daily logrotate cron job are now sent to the root user instead of being silently discarded. In addition, the /etc/cron.daily/logrotate script is marked as a configuration file in RPM, so local edits to it survive package updates.
SEED and IDEA based algorithms restricted in mod_ssl
The set of cipher suites enabled by default in the mod_ssl module of the Apache HTTP Server has been restricted to improve security. SEED and IDEA based encryption algorithms are no longer enabled in the default mod_ssl configuration.
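A way to vet a cipher list before putting it into mod_ssl's SSLCipherSuite or vsftpd's ssl_ciphers, covering both this item and the vsftpd DHE/ECDHE item above. This is an added example, not code from the release note, Apache or vsftpd: it parses lines in the format printed by openssl ciphers -v, rejects SEED and IDEA bulk ciphers, and requires at least one DHE or ECDHE suite. The sample lines are constructed for the demonstration, not captured tool output.

```shell
#!/bin/sh
# Added example, not from the release note or from the Apache/vsftpd
# projects: vet a cipher list given as "openssl ciphers -v" output lines.
# Feed it real data with:  openssl ciphers -v 'HIGH:!aNULL:!MD5' | vet_ciphers

# weak_enc_suites < cipher-lines
# Prints the names of suites whose bulk cipher is SEED or IDEA.
weak_enc_suites() {
    awk '{ for (i = 3; i <= NF; i++) if ($i ~ /^Enc=(SEED|IDEA)/) print $1 }'
}

# fs_suites < cipher-lines
# Prints suites with ephemeral (EC)DH key exchange.  OpenSSL prints static
# ECDH as Kx=ECDH/RSA or Kx=ECDH/ECDSA, so exact matching keeps those out.
fs_suites() {
    awk '{ for (i = 3; i <= NF; i++) if ($i == "Kx=ECDH" || $i == "Kx=DH") print $1 }'
}

# vet_ciphers < cipher-lines
# Returns 0 when no SEED/IDEA suite is enabled and at least one
# forward-secret suite is; otherwise prints the reasons and returns 1.
vet_ciphers() {
    lines=$(cat)
    weak=$(printf '%s\n' "$lines" | weak_enc_suites)
    fs=$(printf '%s\n' "$lines" | fs_suites)
    rc=0
    if [ -n "$weak" ]; then
        echo "weak bulk ciphers enabled: $(echo $weak)"; rc=1
    fi
    if [ -z "$fs" ]; then
        echo "no DHE/ECDHE suite enabled (no forward secrecy)"; rc=1
    fi
    return $rc
}

# Constructed sample in "openssl ciphers -v" format (not real tool output).
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1'

# Before: a list that still carries SEED and IDEA suites.
echo "== list with SEED/IDEA =="
printf '%s\n' "$SAMPLE" | vet_ciphers || echo "rejected"

# After: the same list with those suites excluded (what appending
# !SEED:!IDEA to a cipher string achieves).
echo "== list without SEED/IDEA =="
printf '%s\n' "$SAMPLE" | grep -v -E '^(SEED|IDEA)' | vet_ciphers && echo "ok"
```

The same filter applies to vsftpd: expand its ssl_ciphers value with openssl ciphers -v and pipe the result through vet_ciphers; an empty fs_suites list means the new DHE/ECDHE support is not actually being offered.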
Apache HTTP Server now supports UPN
Names stored in the subject alternative name extension of SSL/TLS client certificates, such as the Microsoft User Principal Name (UPN), can now be used with the SSLUserName directive and are available as mod_ssl environment variables. Users can therefore authenticate with a Common Access Card (CAC) or another certificate carrying a UPN and have the UPN used as their authenticated identity, consumed both by access control in Apache and by applications via the REMOTE_USER environment variable or a similar mechanism. For example, setting SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0 makes the first UPN in the certificate the authenticated user name.
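A virtual host that uses the new variable, written as an added example (not from the release note or the httpd project), together with a check for the one setting that makes SSLUserName dangerous: the UPN is only trustworthy when the client certificate was verified against the configured CA, so SSLVerifyClient must be require, not optional_no_ca. Host names, certificate paths and the realm restriction are hypothetical; the Require expr line assumes the SSL_CLIENT_SAN_OTHER_msUPN_0 variable is usable in expressions, which the note does not state explicitly.

```shell
#!/bin/sh
# Added example, not from the release note or the httpd project.  Writes a
# vhost that maps the certificate UPN to REMOTE_USER and checks that the
# client certificate is actually verified.  Paths and names are hypothetical.

# write_upn_vhost FILE
write_upn_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName cac.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/cac.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/cac.example.com.key
    # CA chain that issues the client (CAC) certificates
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca-chain.pem

    # The client certificate must chain to SSLCACertificateFile.  With
    # "optional_no_ca" any self-signed certificate could choose the UPN.
    SSLVerifyClient require
    SSLVerifyDepth  4

    # Expose the UPN from the certificate's subjectAltName as REMOTE_USER
    SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0
    # Make the SSL_CLIENT_* variables visible to CGI/application code
    SSLOptions +StdEnvVars

    <Location /app>
        # Assumed: the mod_ssl variable is usable in ap_expr; restrict to one realm
        Require expr %{SSL_CLIENT_SAN_OTHER_msUPN_0} =~ /@example\.com$/
    </Location>
</VirtualHost>
EOF
}

# upn_vhost_check FILE
# Fails unless SSLUserName is paired with "SSLVerifyClient require".
# Simplification: the file is treated as one scope; per-<Location>
# SSLVerifyClient settings would need a scope-aware parser.
upn_vhost_check() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "SSLUserName"     { user = $2 }
        $1 == "SSLVerifyClient" { verify = $2 }
        END {
            if (user == "") { print "no SSLUserName set"; exit 1 }
            if (verify != "require") {
                print "SSLUserName " user " with SSLVerifyClient " \
                      (verify == "" ? "none" : verify) ": identity is not CA-verified"
                exit 1
            }
            print "ok: " user " comes from a CA-verified client certificate"
        }' "$1"
}

tmp=$(mktemp -d)
write_upn_vhost "$tmp/cac.conf"
upn_vhost_check "$tmp/cac.conf"
# The same vhost weakened to optional_no_ca is flagged:
sed 's/SSLVerifyClient require/SSLVerifyClient optional_no_ca/' "$tmp/cac.conf" > "$tmp/weak.conf"
upn_vhost_check "$tmp/weak.conf" || echo "weak.conf rejected"
rm -rf "$tmp"
```

After dropping the file into /etc/httpd/conf.d/, run apachectl configtest; the upn_vhost_check function is worth keeping in a pre-deploy script because optional_no_ca is an easy "fix" for a CA-chain problem that silently turns REMOTE_USER into attacker-controlled data.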
mod_dav lock database is now enabled by default in the Apache HTTP Server
The mod_dav lock database is now enabled by default when the Apache HTTP Server mod_dav_fs module is loaded. The default location, ServerRoot/davlockdb, can be overridden using the DAVLockDB configuration directive.
mod_proxy_wstunnel now supports WebSockets
The Apache HTTP Server mod_proxy_wstunnel module is now enabled by default and includes support for SSL/TLS connections using the wss:// scheme. Additionally, the ws:// scheme can be used in mod_rewrite directives, which allows WebSocket endpoints as mod_rewrite proxy targets and enables WebSockets in the proxy module.
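A virtual host that uses the ws:// and wss:// rewrite targets described above, added here as an example (not from the release note or the httpd project), with a check for the usual mistake: a RewriteRule that proxies to ws:// or wss:// without a RewriteCond on the Upgrade header sends every ordinary request into a WebSocket handshake. Host names, ports and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the release note or the httpd project: proxy
# WebSocket upgrades to a wss:// backend via mod_rewrite, and lint the
# rewrite rules.  Names, ports and paths are hypothetical.

# write_ws_vhost FILE
write_ws_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName chat.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/chat.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/chat.example.com.key

    # Needed to open TLS connections to the backend (wss:// and https://)
    SSLProxyEngine on
    # Reverse proxy only; never act as a forward proxy
    ProxyRequests off

    RewriteEngine on
    # Only genuine upgrade requests are handed to mod_proxy_wstunnel ...
    RewriteCond %{HTTP:Upgrade} ^websocket$ [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/ws/(.*)$ wss://backend.internal:8443/ws/$1 [P,L]

    # ... everything else is plain HTTP to the same backend.
    ProxyPass        /app/ https://backend.internal:8443/app/
    ProxyPassReverse /app/ https://backend.internal:8443/app/
</VirtualHost>
EOF
}

# ws_rewrite_check FILE
# Prints every ws:// or wss:// RewriteRule target that is not preceded by
# a RewriteCond on %{HTTP:Upgrade} and returns 1 if there is any.
ws_rewrite_check() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "RewriteCond" { if ($2 == "%{HTTP:Upgrade}") guarded = 1; next }
        $1 == "RewriteRule" {
            if ($3 ~ /^wss?:\/\// && !guarded) { print "unguarded: " $0; bad = 1 }
            guarded = 0; next
        }
        { guarded = 0 }   # any other directive ends a RewriteCond chain
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

tmp=$(mktemp -d)
write_ws_vhost "$tmp/ws.conf"
ws_rewrite_check "$tmp/ws.conf" && echo "ws.conf: rewrite rules guarded"
# A rule with no Upgrade condition is reported:
printf 'RewriteEngine on\nRewriteRule ^/(.*)$ ws://backend.internal:8080/$1 [P,L]\n' > "$tmp/bad.conf"
ws_rewrite_check "$tmp/bad.conf" || echo "bad.conf: rejected"
rm -rf "$tmp"

# On a live server, confirm the module really is loaded:
if command -v httpd >/dev/null 2>&1; then
    if httpd -M 2>/dev/null | grep -q proxy_wstunnel; then
        echo "mod_proxy_wstunnel is loaded"
    fi
fi
```

The wss:// target requires SSLProxyEngine on in the same virtual host; without it mod_proxy refuses the TLS backend connection, which shows up as a 500 on the upgrade request rather than as a configtest error.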
A Tuned profile optimized for Oracle database servers has been included
The oracle Tuned profile, which is specifically optimized for Oracle database workloads, is now available. The new profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile, but modifies kernel parameters according to Oracle database requirements and turns transparent huge pages off.