Chapter 4. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.7.
4.1. Authentication and Interoperability
SSSD now fully supports sudo rules stored in AD
The System Security Services Daemon (SSSD) now fully supports sudo rules stored in Active Directory (AD). This feature was first introduced in Red Hat Enterprise Linux 7.0 as a Technology Preview. Note that the administrator must update the AD schema to support sudo rules.
SSSD no longer uses the fallback_homedir value from the [nss] section as fallback for AD domains
Prior to RHEL 7.7, the SSSD fallback_homedir parameter in an Active Directory (AD) provider had no default value. If fallback_homedir was not set, SSSD instead used the value of the same parameter from the [nss] section of the /etc/sssd/sssd.conf file. To increase security, SSSD in RHEL 7.7 introduces a default value for fallback_homedir. As a consequence, SSSD no longer falls back to the value set in the [nss] section. If you want to use a value other than the default for the fallback_homedir parameter in an AD domain, you must set it manually in the domain’s section.
Directory Server rebased to version 220.127.116.11
389-ds-base packages have been upgraded to upstream version 18.104.22.168, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating: 1.3.9 Release Notes.
The Directory Server Auto Membership plug-in can now be additionally invoked by modify operations
This update enhances the Auto Membership plug-in in Directory Server to work with modify operations. Previously, the plug-in was only invoked by ADD operations. When an administrator changed a user entry, and that change affected which Auto Membership groups the user belonged to, the user was only added to the new group and not removed from the old group. With the enhancement provided by this update, administrators can configure Directory Server to remove the user from the old group in this scenario.
To enable the new behavior, set the autoMemberProcessModifyOps attribute in the cn=Auto Membership Plugin,cn=plugins,cn=config entry to
replicaLastUpdateStatusJSON status attribute has been added to replication agreements in Directory Server
This update introduces the replicaLastUpdateStatusJSON status attribute to the cn=<replication_agreement_name>,cn=replica,cn=<suffix_DN>,cn=mapping tree,cn=config entry. The status displayed in the replicaLastUpdateStatus attribute was vague and unclear. The new attribute provides a clear status message and result code, and can be parsed by other applications that support the JSON format.
IdM now provides a utility to promote a CA to a CRL generation master
With this enhancement, administrators can promote an existing Identity Management (IdM) certificate authority (CA) to a certificate revocation list (CRL) generation master, or remove this role from a CA. Previously, multiple manual steps were required to configure an IdM CA as CRL generation master, and the procedure was error-prone. Administrators can now use the ipa-crlgen-manage enable and ipa-crlgen-manage disable commands to enable and disable CRL generation on an IdM CA.
A command to detect and remove orphaned automember rules has been added to IdM
Automember rules in Identity Management (IdM) can refer to a host group or a group that has been deleted. Previously, the ipa automember-rebuild command failed unexpectedly in this case, and it was difficult to diagnose the reason for the failure. This enhancement adds the ipa automember-find-orphans command to IdM to identify and remove such orphaned automember rules.
IdM now supports IP addresses in the SAN extension of certificates
In certain situations, administrators need to issue certificates with an IP address in the Subject Alternative Name (SAN) extension. This update adds this feature. As a result, administrators can set an IP address in the SAN extension if the address is managed in the IdM DNS service and associated with the subject host or service principal.
IdM now supports renewing expired system certificates when the server is offline
With this enhancement, administrators can renew expired system certificates when Identity Management (IdM) is offline. When a system certificate expires, IdM fails to start. The new ipa-cert-fix command replaces the workaround of manually setting the system date back to proceed with the renewal process. This reduces downtime and support costs in this scenario.
pki-core rebased to version 10.5.16
The pki-core packages have been upgraded to upstream version 10.5.16, which provides a number of bug fixes and enhancements over the previous version.
Certificate System can now create CSRs with SKI extension for external CA signing
With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension, either with a particular value or derived from the CA public key. Administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with the SKI extension.
Uninstalling Certificate System no longer removes all log files
Previously, Certificate System removed all corresponding logs when you uninstalled subsystems. With this update, by default, the pkidestroy utility no longer removes the logs. To remove the logs when you uninstall a subsystem, pass the new --remove-logs parameter to pkidestroy. Additionally, this update adds the --force parameter to pkidestroy. Previously, an incomplete installation left some files and directories, which prevented a complete uninstallation of a Certificate System instance. Pass --force to pkidestroy to completely remove a subsystem and all corresponding files of an instance.
pkispawn utility now supports using keys created in the NSS database during CA, KRA, and OCSP installations
Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.
Certificate System now preserves the logs of previous installations when reinstalling the service
Previously, the pkispawn utility reported a name collision error when installing a Certificate System subsystem on a server with an existing Certificate System log directory structure. With this enhancement, Certificate System reuses the existing log directory structure to preserve the logs of previous installations.
Certificate System now supports additional strong ciphers by default
With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers.
samba packages have been rebased to version 4.9.1
samba packages have been upgraded to upstream version 4.9.1, which provides a number of bug fixes and enhancements over the previous version. The most notable changes include:
- The Clustered Trivial Database (CTDB) configuration has been changed completely. Administrators must now specify parameters for the ctdb service and corresponding utilities in the /etc/ctdb/ctdb.conf file in a format similar to the Samba configuration. For further details, see the ctdb.conf(5) man page. Use the /usr/share/doc/ctdb/examples/config_migrate.sh script to migrate the current configuration.
- The default values of the following parameters in the /etc/samba/smb.conf file have been changed as follows:
  store dos attributes:
  full_audit:success: Not set
  full_audit:failure: Not set
- The net ads setspn command has been added for managing Windows Service Principal Names (SPN) on Active Directory (AD). This command provides the same basic functionality as the setspn.exe utility on Windows. For example, administrators can use it to add, delete, and list Windows SPNs stored in an AD computer object.
- The net ads keytab add command no longer attempts to convert the service class passed to the command into a Windows SPN, which is then added to the AD computer object. By default, the command now only updates the keytab file. The new net ads add_update_ads command has been added to preserve the previous behavior. However, administrators should use the new net ads setspn add command instead.
- Samba automatically updates its tdb database files when the "smbd", "nmbd", or "winbind" daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For further information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.9.0.html
Maximum size of a supported RHEL HA cluster increased from 16 to 32 nodes
With this release, Red Hat supports cluster deployments of up to 32 full cluster nodes.
Improved status display of fencing actions
The output of the pcs status command now shows failed and pending fence actions.
4.3. Compiler and Tools
python3 packages are available in RHEL 7, which provide the Python 3.6 interpreter, as well as the setuptools utilities. Previously, Python 3 versions were available only as a part of Red Hat Software Collections.
When installing, invoking, or otherwise interacting with Python 3, always specify the major version of Python. For example, to install Python 3, use the yum install python3 command. All Python-related commands should also include the version, for example,
Note that Python 3 is the default Python implementation in RHEL 8, so it is advisable to migrate your Python 2 code to Python 3. For more information on how to migrate large code bases to Python 3, see The Conservative Python 3 Porting Guide.
compat-sap-c++-8 packages contain the libstdc++ library named compat-sap-c++-8.so, which is a runtime compatibility library needed for SAP applications. The compat-sap-c++-8 packages are based on GCC 8.
elfutils packages have been rebased to version 0.176
elfutils packages have been upgraded to upstream version 0.176. Notable changes include:
- Various bugs related to multiple CVEs have been fixed.
- The libdw library has been extended with the dwelf_elf_begin() function, which is a variant of elf_begin() that handles compressed files.
- The eu-readelf tool now recognizes and prints out GNU Property notes and GNU Build Attribute ELF Notes with the
- The --reloc-debug-sections-only option has been added to the eu-strip tool to resolve all trivial relocations between debug sections in place without any other stripping. This functionality is relevant only for ET_REL files in certain circumstances.
- A new function, dwarf_next_lines, has been added to the libdw library. This function reads .debug_line data without a CU.
- The dwarf_begin_elf function from the libdw library now accepts ELF files containing only
gcc-libraries rebased to version 8.3.1
gcc-libraries packages have been updated to the upstream version 8.3.1 which brings a number of bug fixes.
Geolite2 Databases are now available
This update introduces Geolite2 Databases as an addition to the legacy Geolite Databases, provided by the
Geolite2 Databases are provided by multiple packages. The libmaxminddb package includes the library and the mmdblookup command line tool, which enables manual searching of addresses. The geoipupdate binary from the legacy GeoIP package is now provided by the geoipupdate package, and is capable of downloading both legacy databases and the new Geolite2 databases.
The GeoIP package, together with the legacy database, is no longer supported upstream, and is not distributed with RHEL 8.
(BZ#1643472, BZ#1643470, BZ#1643464)
Date formatting updates for the Japanese Reiwa era
The GNU C Library now provides correct Japanese era name formatting for the Reiwa era starting on May 1st, 2019. The time handling API data has been updated, including the data used by the strptime functions. All APIs will correctly print the Reiwa era, including when strftime is used along with one of the era conversion specifiers such as
SystemTap rebased to version 4.0
The SystemTap instrumentation tool has been upgraded to upstream version 4.0. Notable improvements include:
- The extended Berkeley Packet Filter (eBPF) backend has been improved, especially for strings and functions. To use this backend, start SystemTap with the
- A new export network service for use with the Prometheus monitoring system has been added.
- The system call probing implementation has been improved to use the kernel tracepoints if necessary.
Valgrind rebased to version 3.14
The Valgrind packages have been upgraded to upstream version 3.14, which provides a number of bug fixes and enhancements over the previous version:
- Valgrind can now process integer and string vector instructions for the z13 processor of the IBM Z architecture.
- The --keep-debuginfo=no|yes option has been added to retain debugging information for unloaded code. This allows saved stack traces to include file and line information in more cases. For more information and known limitations, see the Valgrind user manual.
- The Helgrind tool can now be configured to compute full history stack traces as deltas with the new --delta-stacktrace=yes|no option. As a result, keeping full Helgrind history with the --history-level=full option can be up to 25% faster when
- The false positive rate of the Memcheck tool has been reduced on the AMD64 and 64-bit ARM architectures. Notably, you can use the --expensive-definedness-checks=no|auto|yes option to control analysis for the expensive definedness checks without loss of precision.
Performance Co-Pilot rebased to version 4.3.2
The Performance Co-Pilot (PCP) has been updated to upstream version 4.3.2. Notable improvements include:
- The pcp-dstat tool now includes historical analysis and Comma-separated Values (CSV) format output.
- The log utilities can use metric labels and help text records.
- The pmdaperfevent tool now reports the correct CPU numbers at the lower Simultaneous Multi Threading (SMT) levels.
- The pmdapostgresql tool now supports Postgres series 10.x.
- The pmdaredis tool now supports Redis series 5.x.
- The pmdabcc tool has been enhanced with dynamic process filtering and per-process syscalls, ucalls, and ustat.
- The pmdammv tool now exports metric labels, and the format version is increased to 3.
- The pmdagfs2 tool supports additional glock and glock holder metrics.
- Several fixes have been made to the SELinux policy.
- The pmcd utility now supports PMDA suspend and resume (fencing) without configuration changes.
- Pressure-stall information metrics are now reported.
- Additional VDO metrics are now reported.
- The pcp-atop tool now reports statistics for pressure stall information, infiniband, perf_event, and NVIDIA GPUs.
- The pmie tools can now use systemd timers as an alternative to cron jobs.
ptp4l now supports team interfaces in active-backup mode
With this update, support for team interfaces in active-backup mode has been added to the PTP Boundary/Ordinary Clock (ptp4l).
linuxptp rebased to version 2.0
linuxptp packages have been upgraded to upstream version 2.0, which provides a number of bug fixes and enhancements over the previous version.
The most notable features are as follows:
- Support for unicast messaging has been added
- Support for telecom G.8275.1 and G.8275.2 profiles has been added
- Support for the NetSync Monitor (NSM) protocol has been added
- Implementation of transparent clock (TC) has been added
DateTime::TimeZone Perl module is now aware of recent time zone updates
The Olson time zone database has been updated to version 2018i. Previously, applications written in the Perl language that use the DateTime::TimeZone module mishandled time zones whose specifications changed after version 2017b, due to the outdated database.
trace-cmd packages have been updated to version 2.7
The updated packages provide the latest bug fixes and upstream features. As a result, the Red Hat Enterprise Linux users can now use an up-to-date
vim rebased to version 7.4.629
vim packages have been upgraded to upstream version 7.4.629, which is in RHEL 6. This version provides a number of bug fixes and enhancements over the previous version.
Notable enhancements include the breakindent feature. For more information about the feature, see :help breakindent in Vim.
cups-filters packages, distributed in version 1.0.35, have been updated to provide the following enhancements:
- The cups-browsed daemon, which provides the functionality removed from CUPS since version 1.5, has been rebased to version 1.13.4, excluding the support for CUPS temporary queues.
- A new backend, implicitclass, has been introduced to support high availability and load balancing.
Mutter now allows for mass-deployable homogenized display configuration
The Mutter window manager now makes it possible to deploy pre-set display configurations for all users on a system. As a result, Mutter no longer requires that the configuration for each user is copied to its own configuration directory, but it can use a system wide configuration file instead. This feature makes Mutter suitable for mass deployment of homogenized display configuration.
To set the configuration for a single user, create and populate the ~/.config/monitors.xml file. For the login screen in particular, use the ~/gdm/.config/monitors.xml file. For system-wide configurations, use the
4.5. File Systems
The quota tool in non-verbose mode now distinguishes between a file system with no limits and a file system with limits but no used resources. Previously, none was printed in both cases, which was confusing.
4.6. Installation and Booting
The graphical installation program now detects if SMT is enabled
Previously, the RHEL 7 graphical installation program did not detect if Simultaneous Multithreading (SMT) was enabled on a system. With this update, the installation program now detects if SMT is enabled on a system. If it is enabled, a warning message is displayed in the Status bar, which is located at the bottom of the Installation Summary window.
--g-libs option for the
This update introduces the new --g-libs option for the find-debuginfo.sh script. This new option is an alternative to the previous -g option, which instructed the script to remove only debugging symbols from both binary and library files. The new --g-libs option works the same way as -g, but only for library files. The binary files are stripped completely.
The Image Builder rebased to version 19.7.33 and fully supported
The Image Builder, provided by the
lorax-composer package in the RHEL 7 Extras Channel, has been upgraded to version 19.7.33.
Notable changes in this version include:
- The Image Builder, previously available as Technology Preview, is now fully supported.
- Cloud images can be built for Amazon Web Services, VMware vSphere, and OpenStack.
- A Red Hat Content Delivery Network (CDN) repository mirror is no longer needed.
- You can now set a host name and create users.
- Boot loader parameters can be set, such as disabling Simultaneous Multi-Threading (SMT) with the nosmt=force option. This is only possible from the composer-cli tool on the command line.
- The web console UI can now edit external repositories ("sources").
- The Image Builder can now run with SElinux in enforcing mode.
To access the Image Builder functionality, use a command-line interface in the composer-cli utility, or a graphical user interface in the RHEL 7 web console from the
Live patching for the kernel is now available
Live patching for the kernel, kpatch, provides a mechanism to patch a running kernel without rebooting or restarting any processes. Live kernel patches will be provided for selected minor release streams of RHEL covered under the Extended Update Support (EUS) policy to remediate Critical and Important CVEs.
To subscribe to the kpatch stream for the RHEL 7.7 version of the kernel, install the kpatch-patch-3_10_0-1062 package provided by the RHEA-2019:2011 advisory.
For more information, see Applying patches with kernel live patching in the Kernel Administration Guide.
The IMA and EVM features are now supported on all architectures
The Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM) are now fully supported on all available architectures. In RHEL 7.6, they were supported only on the AMD64 and Intel 64 architecture.
IMA and EVM enable the kernel to check the integrity of files at runtime using labels attached to extended attributes. You can use IMA and EVM to monitor if files have been accidentally or maliciously altered.
The ima-evm-utils package provides userspace utilities to interface between user applications and the kernel features.
Spectre V2 mitigation default changed from IBRS to Retpoline in new installations of RHEL 7.7
The default mitigation for the Spectre V2 vulnerability (CVE-2017-5715) for systems with 6th Generation Intel Core Processors and their close derivatives has changed from Indirect Branch Restricted Speculation (IBRS) to Retpoline in new installations of RHEL 7.7. Red Hat has implemented this change as a result of Intel’s recommendations, to align with the defaults used in the Linux community and to restore lost performance. However, note that using Retpoline may in some cases not fully mitigate Spectre V2. Intel’s Retpoline document describes the cases of exposure. This document also states that the risk of an attack is low.
For installations of RHEL 7.6 and prior, IBRS is still the default mitigation. New installations of RHEL 7.7 and later versions will have "spectre_v2=retpoline" added to the kernel command line. No change will be made for upgrades to RHEL 7.7 from earlier versions of RHEL 7.
Note that users can select which spectre_v2 mitigation will be used.
To select Retpoline:
a) Add the "spectre_v2=retpoline" flag to the kernel command line, and reboot.
b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/retp_enabled"
To select IBRS:
a) Remove the "spectre_v2=retpoline" flag from the kernel command line, and reboot.
b) Alternatively, issue the following command at runtime: "echo 1 > /sys/kernel/debug/x86/ibrs_enabled"
If one or more kernel modules were not built with Retpoline support, the /sys/devices/system/cpu/vulnerabilities/spectre_v2 file will indicate vulnerability and the /var/log/messages file will identify the offending modules. See How to determine which modules are responsible for spectre_v2 returning "Vulnerable: Retpoline with unsafe module(s)"? for further information.
"6th generation Intel Core Processors and its close derivatives" are what Intel’s Retpoline document refers to as "Skylake-generation".
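A check for the state the two files above report, as an added example in Python (not from the release note or the kernel): the sysfs text is classified, and module names are extracted from log lines whose format is an assumption based on the kernel's retpoline module check; the sample log lines are constructed.

```python
"""Report the Spectre V2 mitigation state the RHEL 7.7 kernel exposes (added example).

Parsing is separated from file access so the logic can be exercised on
constructed input.  The log line pattern is an assumption about the message the
kernel logs for modules built without retpoline support, not text from the
release note.
"""
import re

SYSFS_SPECTRE_V2 = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
MESSAGES_LOG = "/var/log/messages"

# Assumed form: "kernel: <module>: loading module not compiled with retpoline compiler."
UNSAFE_MODULE_RE = re.compile(
    r"(?:module )?(?P<module>[\w-]+): loading module not compiled with retpoline compiler")


def classify_spectre_v2(status):
    """Map the sysfs spectre_v2 text to (mitigated, mitigation, detail)."""
    status = status.strip()
    if status.startswith("Not affected"):
        return True, "not-affected", status
    if status.startswith("Mitigation:"):
        detail = status[len("Mitigation:"):].strip()
        name = detail.split(",", 1)[0].strip().lower()
        mitigation = "retpoline" if "retpoline" in name else "ibrs" if "ibrs" in name else name
        return True, mitigation, detail
    if status.startswith("Vulnerable"):
        # e.g. "Vulnerable: Retpoline with unsafe module(s)": retpoline is on but incomplete
        detail = status[len("Vulnerable"):].lstrip(": ").strip()
        mitigation = "retpoline" if "retpoline" in detail.lower() else "none"
        return False, mitigation, detail
    return False, "unknown", status


def unsafe_modules(log_lines):
    """Collect, de-duplicated and sorted, the modules flagged as built without retpoline."""
    found = set()
    for line in log_lines:
        match = UNSAFE_MODULE_RE.search(line)
        if match:
            found.add(match.group("module"))
    return sorted(found)


def spectre_v2_report(sysfs_text, log_lines):
    """Combine both sources into one dict a monitoring job can act on."""
    mitigated, mitigation, detail = classify_spectre_v2(sysfs_text)
    modules = unsafe_modules(log_lines)
    if mitigated:
        action = "none"
    elif modules:
        action = "rebuild the listed modules with retpoline support or remove them"
    else:
        action = "check the kernel command line (spectre_v2=) and CPU microcode"
    return {
        "mitigated": mitigated,
        "mitigation": mitigation,
        "detail": detail,
        "unsafe_modules": modules,
        "action": action,
    }


def _read(path):
    """Read a file, returning an empty string if it is absent or unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    report = spectre_v2_report(_read(SYSFS_SPECTRE_V2), _read(MESSAGES_LOG).splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```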
PMTU discovery and route redirection is now supported with VXLAN and GENEVE tunnels
Previously, the kernel in Red Hat Enterprise Linux (RHEL) did not handle Internet Control Message Protocol (ICMP) and ICMPv6 messages for Virtual Extensible LAN (VXLAN) and Generic Network Virtualization Encapsulation (GENEVE) tunnels. As a consequence, Path MTU (PMTU) discovery and route redirection was not supported with VXLAN and GENEVE tunnels. With this update, the kernel handles ICMP "Destination Unreachable" and "Redirect Message", as well as ICMPv6 "Packet Too Big" and "Destination Unreachable" error messages by adjusting the PMTU and modifying forwarding information. As a result, PMTU discovery and route redirection are now supported with VXLAN and GENEVE tunnels.
A new kernel command-line option to disable hardware transactional memory on IBM POWER
RHEL 7.7 introduces the ppc_tm=off kernel command-line option. When the user passes ppc_tm=off at boot time, the kernel disables hardware transactional memory on IBM POWER systems and makes it unavailable to applications. Previously, the RHEL 7 kernel unconditionally made the hardware transactional memory feature on IBM POWER systems available to applications whenever it was supported by hardware and firmware.
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.7. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For installation instructions, see the Intel Omni-Path Architecture documentation: https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_7_7_RN_K65224.pdf
4.8. Real-Time Kernel
kernel-rt source tree now matches the latest RHEL 7 tree
kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
The RHEL 7 kernel-rt timer wheel has been updated to a non-cascading timer wheel
The current timer wheel has been switched to a non-cascading wheel which improves the timer subsystem and reduces the overheads on many operations. With the backport of the non-cascading timer wheel, kernel-rt is very close to the upstream kernel in enabling the backport of future improvements.
rpz-drop now prevents BIND from repeatedly resolving unreachable domains
The Berkeley Internet Name Domain (BIND) version distributed with RHEL 7.7 introduces the rpz-drop policy, which helps mitigate DNS amplification attacks. Previously, if an attacker generated a large number of queries for an irresolvable domain, BIND constantly tried to resolve them, which caused considerable CPU load. With rpz-drop, BIND does not process the queries when the target domain is unreachable, which significantly saves CPU capacity.
bind rebased to version 9.11
bind packages have been upgraded to upstream version 9.11, which provides a number of bug fixes and enhancements over the previous version:
- A new method of provisioning secondary servers called Catalog Zones has been added.
- Domain Name System Cookies can now be sent by the named service and the
- The Response Rate Limiting feature can now help with mitigation of DNS amplification attacks.
- Performance of response-policy zone (RPZ) has been improved.
- A new zone file format called map has been added. Zone data stored in this format can be mapped directly into memory, which enables zones to load significantly faster.
- A new tool called delv (domain entity lookup and validation) for sending DNS queries and validating the results has been added. The tool uses the same internal resolver and validator logic as the
- The mdig command is now available. This command is a version of the dig command that sends multiple pipelined queries and then waits for responses, instead of sending one query and waiting for the response before sending the next query.
- The prefetch option, which improves recursive resolver performance, has been added.
- The in-view zone option, which allows zone data to be shared between views, has been added. When this option is used, multiple views can serve the same zones authoritatively without storing multiple copies in memory.
- The max-zone-ttl option, which enforces maximum TTLs for zones, has been added. When a zone containing a higher TTL is loaded, the load fails. Dynamic DNS (DDNS) updates with higher TTLs are accepted, but the TTL is truncated.
- New quotas have been added to limit queries that are sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
- The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
- The named service now checks whether other name server processes are running before starting up.
- When loading a signed zone, named now checks whether a Resource Record Signature’s (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
- Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
- A version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is provided by the HTTP interface. The legacy version 2 XML schema is still the default format.
ipset rebased to version 7.1
ipset packages have been upgraded to upstream version 7.1, which provides a number of bug fixes and enhancements over the previous version:
- The ipset protocol version 7 introduces the IPSET_CMD_GET_BYINDEX operations. Additionally, the user space component can now detect the exact compatibility level that the kernel component supports.
- A significant number of bugs have been fixed, such as memory leaks and use-after-free bugs.
NetworkManager now supports VLAN filtering on bridge interfaces
With this enhancement, administrators can configure virtual LAN (VLAN) filtering on bridge interfaces in the corresponding NetworkManager connection profiles. This enables administrators to define VLANs directly on bridge ports.
NetworkManager now supports configuring policy routing rules
Previously, users had to set up policy routing rules outside of NetworkManager, for example by using the dispatcher script provided by the NetworkManager-dispatcher-routing-rules package. With this update, users can configure rules as part of a connection profile. As a result, NetworkManager adds the rules when the profile is activated and removes them when the profile is deactivated.
NSS now supports keys restricted to RSASSA-PSS
The Network Security Services (NSS) library now supports keys restricted to Rivest–Shamir–Adleman Signature Scheme with Appendix – Probabilistic Signature Scheme (RSASSA-PSS). The legacy signature scheme, Public Key Cryptography Standard #1 (PKCS#1) v1.5, permits the keys to be reused for encrypting data or keys. This makes those keys vulnerable to signature forging attacks published by Bleichenbacher. Restricting the keys to the RSASSA-PSS algorithm makes them resilient to attacks that utilize decryption.
With this update, NSS can be configured to support keys which are restricted to the RSASSA-PSS algorithm only. This enables the use of such keys included in X.509 certificates for both server and client authentication in TLS 1.2 and 1.3.
NSS now accepts signatures with the NULL object only when correctly included in PKCS#1 v1.5 DigestInfo
The first specification of PKCS#1 v1.5-compatible signatures used text that could be interpreted in two different ways. The encoding of parameters that are encrypted by the signer could include an encoding of a
NULL ASN.1 object or omit it. Later revisions of the standard made the requirement to include the NULL object encoding explicit.
Previous versions of Network Security Services (NSS) tried to verify signatures while allowing either encoding. With this version, NSS accepts signatures only when they correctly include the NULL object in the DigestInfo structure of the PKCS#1 v1.5 signature.
This change impacts interoperability with implementations that continue to create signatures that are not PKCS#1 v1.5-compliant.
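The strict and lenient DigestInfo checks described above, as an added example in Python that is not NSS code: it builds both encodings of a SHA-256 DigestInfo by hand and parses them with a verifier that, like NSS in RHEL 7.7, rejects the encoding that omits the NULL parameters.

```python
"""Strict vs. lenient PKCS#1 v1.5 DigestInfo handling (added example, not NSS code).

A PKCS#1 v1.5 signature over SHA-256 signs the DER encoding of
    DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
The ambiguity in the release note is whether AlgorithmIdentifier carries an
explicit NULL (05 00) after the OID.  Both encodings are built below and fed to
a parser whose strict mode requires the NULL.
"""
import hashlib

# DER-encoded OID 2.16.840.1.101.3.4.2.1 (id-sha256), content bytes only.
OID_SHA256 = bytes.fromhex("608648016503040201")
SHA256_LEN = 32


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV body")
    return tag, body, pos + length


def encode_digest_info(digest, include_null=True):
    """DER-encode a SHA-256 DigestInfo, with or without the NULL parameters."""
    alg = _tlv(0x06, OID_SHA256)
    if include_null:
        alg += b"\x05\x00"  # parameters ::= NULL
    return _tlv(0x30, _tlv(0x30, alg) + _tlv(0x04, digest))


def decode_digest_info(der, strict=True):
    """Parse a SHA-256 DigestInfo and return the digest bytes.

    strict=True  mirrors NSS in RHEL 7.7: the NULL must be present.
    strict=False mirrors the older lenient behaviour: either encoding passes.
    Any other malformation raises ValueError in both modes.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("DigestInfo must be exactly one SEQUENCE")
    atag, alg, pos = _read_tlv(body, 0)
    if atag != 0x30:
        raise ValueError("digestAlgorithm must be a SEQUENCE")
    otag, oid, apos = _read_tlv(alg, 0)
    if otag != 0x06 or oid != OID_SHA256:
        raise ValueError("unsupported digest algorithm")
    if apos == len(alg):
        if strict:
            raise ValueError("AlgorithmIdentifier parameters (NULL) are missing")
    else:
        ntag, nbody, apos = _read_tlv(alg, apos)
        if ntag != 0x05 or nbody != b"" or apos != len(alg):
            raise ValueError("AlgorithmIdentifier parameters must be a single NULL")
    dtag, digest, pos = _read_tlv(body, pos)
    if dtag != 0x04 or pos != len(body) or len(digest) != SHA256_LEN:
        raise ValueError("digest must be a 32-byte OCTET STRING closing the structure")
    return digest


def accepted(der):
    """Report whether the strict and the lenient verifier accept one encoding."""
    result = {}
    for name, strict in (("strict", True), ("lenient", False)):
        try:
            decode_digest_info(der, strict=strict)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    d = hashlib.sha256(b"constructed sample message").digest()
    for include_null in (True, False):
        der = encode_digest_info(d, include_null)
        label = "NULL present" if include_null else "NULL omitted"
        print(label, der[:19].hex(), accepted(der))
```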
OpenSC supports HID Crescendo 144K smart cards
With this enhancement, OpenSC supports HID Crescendo 144K smart cards. These tokens are not fully compatible with the Common Access Card (CAC) specification. The tokens also use some more advanced parts of the specification than CAC tokens issued by the government. The OpenSC driver has been enhanced to manage these tokens and the special cases of the CAC specification, to support HID Crescendo 144K smart cards.
AES-GCM ciphers are enabled in OpenSSH in FIPS mode
Previously, AES-GCM ciphers were allowed in FIPS mode only in TLS. In the current version, we clarified with NIST that these ciphers can be allowed and certified in OpenSSH, as well.
As a result, the AES-GCM ciphers are allowed in OpenSSH running in FIPS mode.
SCAP Security Guide supports Universal Base Image
SCAP Security Guide security policies have been enhanced to support Universal Base Image (UBI) containers and UBI images, including ubi-minimal images. This enables configuration compliance scanning of UBI containers and images using the atomic scan command. UBI containers and images can be scanned against any profile shipped in SCAP Security Guide. Only the rules that are relevant to secure configuration of UBI are evaluated, which prevents false positives and produces relevant results. The rules that are not applicable to UBI images and containers are skipped automatically.
scap-security-guide rebased to version 0.1.43
scap-security-guide packages have been upgraded to upstream version 0.1.43, which provides a number of bug fixes and enhancements over the previous version, most notably:
- Minimum supported Ansible version changed to 2.5
- New RHEL7 profile: VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)
tangd_port_t allows changes of the default port for Tang
This update introduces the tangd_port_t SELinux type, which allows the tangd service to run confined with SELinux in enforcing mode. That change simplifies configuring a Tang server to listen on a user-defined port while preserving the security level provided by SELinux in enforcing mode.
A new SELinux type for boltd
A new SELinux type confines boltd, a system daemon for managing Thunderbolt 3 devices. As a result, boltd now runs as a confined service in SELinux enforcing mode.
A new SELinux policy class: bpf
A new SELinux policy class, bpf, has been introduced. The bpf class enables users to control Berkeley Packet Filter (BPF) flows through SELinux, and allows inspection and simple manipulation of extended Berkeley Packet Filter (eBPF) programs and maps controlled by SELinux.
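As an added example (not part of the release notes or of the selinux-policy package), this Python groups constructed AVC denials of the bpf class into the allow statements an administrator would review before building a policy module; the domain names flowd_t and flowctl_t and the audit records are hypothetical.

```python
"""Constructed example: turn SELinux AVC denials for the new 'bpf' object class
into the allow rules an administrator would review before building a policy module."""
import re
from collections import defaultdict

# Permissions the kernel defines for the bpf object class.
BPF_PERMS = {"map_create", "map_read", "map_write", "prog_load", "prog_run"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
                    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def bpf_denials(lines):
    """Group bpf-class denials by (source type, target type); other classes are ignored."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "bpf":
            continue
        perms = set(m.group("perms").split())
        if not perms <= BPF_PERMS:
            raise ValueError(f"not bpf permissions: {sorted(perms - BPF_PERMS)}")
        # The type is the third field of user:role:type:level.
        key = (m.group("scontext").split(":")[2], m.group("tcontext").split(":")[2])
        grouped[key] |= perms
    return grouped

def allow_rules(lines):
    """Render one allow statement per (source, target) pair, sorted for review."""
    rules = []
    for (src, tgt), perms in sorted(bpf_denials(lines).items()):
        target = "self" if src == tgt else tgt   # a domain's own maps/programs are 'self'
        rules.append(f"allow {src} {target}:bpf {{ {' '.join(sorted(perms))} }};")
    return rules

def avc_line(perms, comm, scontext, tcontext, tclass):
    """Compose a constructed AVC record in the kernel audit format (sample data only)."""
    return (f"type=AVC msg=audit(1556000000.000:100): avc:  denied  {{ {perms} }} for  pid=4242 "
            f'comm="{comm}" scontext={scontext} tcontext={tcontext} tclass={tclass} permissive=0')

# Constructed sample: a hypothetical confined daemon flowd_t loading eBPF and a
# hypothetical tool flowctl_t touching its maps; the file denial must be ignored.
SAMPLE_AUDIT = [
    avc_line("prog_load", "flowd", "system_u:system_r:flowd_t:s0", "system_u:system_r:flowd_t:s0", "bpf"),
    avc_line("map_create", "flowd", "system_u:system_r:flowd_t:s0", "system_u:system_r:flowd_t:s0", "bpf"),
    avc_line("map_read map_write", "flowctl", "system_u:system_r:flowctl_t:s0",
             "system_u:system_r:flowd_t:s0", "bpf"),
    avc_line("read", "flowd", "system_u:system_r:flowd_t:s0", "system_u:object_r:etc_t:s0", "file"),
]
```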
shadow-utils rebased to version 4.6
shadow-utils packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the newgidmap commands for manipulating the UID and GID namespace mapping.
4.11. Servers and Services
chrony rebased to version 3.4
chrony packages have been upgraded to upstream version 3.4, which provides a number of bug fixes and enhancements over the previous version, notably:
- The support for hardware time stamping has received improvements.
- The range of supported polling intervals has been extended.
- Burst and filter options have been added to NTP sources.
- The pid file has been moved to prevent the chronyd -q command from breaking the system service.
- Compatibility with NTPv1 clients has been fixed.
GNU enscript now supports ISO-8859-15 encoding
With this update, support for ISO-8859-15 encoding has been added into the GNU enscript program.
ghostscript rebased to version 9.25
ghostscript packages have been upgraded to upstream version 9.25, which provides a number of bug fixes and enhancements over the previous version.
libssh2 package rebased to version 1.8.0
This update rebases the libssh2 package to version 1.8.0.
This version includes the following:
- Added support for HMAC-SHA-256 and HMAC-SHA-512
- Added support for diffie-hellman-group-exchange-sha256 key exchange
- Fixed many small bugs in the code
ReaR has been updated to a later version. Notable bug fixes and enhancements over the previous version include:
- Shared libraries provided by the system are now correctly added into the ReaR rescue system in cases where additional libraries of the same name are needed by the backup mechanism. Verification of NetBackup binaries is performed using the correct libraries, so the verification no longer fails when creating the rescue image. As a result, you can now use NetBackup as a backup mechanism with ReaR. Note that this applies only for NetBackup versions prior to NetBackup 8.0.0. Note that it is currently impossible to use NetBackup 8.0.0 and later versions due to other unresolved problems.
- Creation of a rescue image in cases with a large number of multipath devices now proceeds faster. Scanning of devices has been improved in the following ways:
  - Scanning uses caching to avoid querying the multipath devices multiple times.
  - Scanning queries only device-mapper devices for device-mapper specific information.
  - Scanning avoids collecting information about FibreChannel devices.
- Several bugs in ReaR affecting complex network configurations have been fixed:
  - The Link Aggregation Control Protocol (LACP) configuration is now correctly restored in the rescue system in cases when teaming, or bonding with the SIMPLIFY_BONDING option, is used together with LACP.
  - ReaR now correctly restores the configuration of the interface in the rescue system in cases when a network interface is renamed from the standard name, such as ethX, to a custom name.
  - ReaR has been fixed to record a correct MAC address of the network interfaces in cases when bonding or teaming is used.
- ReaR has been fixed to correctly report errors when saving the rescue image. Previously, such errors resulted only in creation of unusable rescue images. As a result of the fix, ReaR now fails in such cases, so the problem can be properly investigated.
- The computation of disk layout for disks with a logical sector size different from 512 bytes has been fixed.
- ReaR now properly sets the bootlist during a restore on IBM Power Systems that use more than one bootable disk.
- ReaR now properly excludes its temporary directory from backup when an alternate temporary directory is specified using the
- ReaR now depends on the xorriso packages instead of on the genisoimage package for ISO image generation. This makes it possible to create an image with a file larger than 4 GB, which occurs especially when creating an image with an embedded backup.
tuned rebased to version 2.11
tuned packages have been upgraded to upstream version 2.11, which provides a number of bug fixes and enhancements over the previous version, notably:
- Support for boot loader specification (BLS) has been added. (BZ#1576435)
- The mssql profile has been updated. (BZ#1660178)
- The virtual-host profile has been updated. (BZ#1569375)
- A range feature for CPU exclusion has been added. (BZ#1533908)
- Profile configuration now automatically reloads when the tuned service detects the hang-up signal (SIGHUP). (BZ#1631744)
For a full list of changes, see the upstream git log: https://github.com/redhat-performance/tuned/commits/v2.11.0
Xorriso is a program for creating and manipulating ISO 9660 images, and for writing CD-ROMs or DVD-ROMs. The program includes the xorrisofs command, which is a recommended replacement for the genisoimage utility. The xorrisofs command has an interface compatible with genisoimage, and provides multiple enhancements over genisoimage. For example, with xorrisofs, the maximum file size is no longer limited to 4 GB. Xorriso is suitable for backups, and it is used by Relax-and-Recover (ReaR), a recovery and system migration utility.
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
scan_lvs configuration setting
A new lvm.conf configuration file setting, scan_lvs, has been added and set to 0 by default. The new default behavior stops LVM from looking for PVs that may exist on top of LVs; that is, it will not scan active LVs for more PVs. The default setting also prevents LVM from creating PVs on top of LVs.
Layering PVs on top of LVs can occur by way of VM images placed on top of LVs, in which case it is not safe for the host to access the PVs. Avoiding this unsafe access is the primary reason for the new default behavior. Also, in environments with many active LVs, the amount of device scanning done by LVM can be significantly decreased.
The previous behavior can be restored by changing this setting to 1.
4.13. System and Subscription Management
The web console rebased to version 195
The web console, provided by the cockpit packages, has been upgraded to version 195, which provides a number of new features and bug fixes.
The cockpit packages distributed in the Base channel of RHEL 7 include the following features:
- You can now open individual ports for services in the firewall.
- The firewall page now enables adding and removing firewall zones and adding services to a specific zone.
- Cockpit can now help you enable certain security vulnerability mitigations, starting with an option to disable SMT (Simultaneous Multi-Threading).
cockpit packages distributed in the Extras channel of RHEL 7 have been updated to version 151.1, which provides the following additional features:
- You can now add an iSCSI direct target as a storage pool for your virtual machines.
- Notifications about virtual machines have been streamlined and use a common presentation now.
- You can select encryption type separately from the file system.
With this update, support for the Internet Explorer browser has been removed from the RHEL 7 web console. Attempting to open the web console in Internet Explorer now displays an error screen with a list of recommended browsers that can be used instead.
virt-v2v can now convert SUSE Linux VMs
You can now use the virt-v2v utility to convert virtual machines (VMs) that use SUSE Linux Enterprise Server (SLES) and SUSE Linux Enterprise Desktop (SLED) guest operating systems (OSs) from non-KVM hypervisors to KVM.
Note that the conversion is only supported for SLES or SLED guest OSs version 11 Service Pack 4 or later. In addition, SLES 11 and SLED 11 VMs that use X graphics need to be re-adjusted after the conversion for the graphics to work properly. To do so, use the sax2 distribution tool in the guest OS after the migration is finished.
virt-v2v can now use vmx configuration files to convert VMware guests
The virt-v2v utility now includes the vmx input mode, which enables the user to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, you also need access to the corresponding VMware storage, for example by mounting the storage using NFS. It is also possible to access the storage using SSH, by adding the -it ssh parameter.
virt-v2v converts VMware guests faster and more reliably
The virt-v2v utility can now use the VMware Virtual Disk Development Kit (VDDK) to convert a VMware guest virtual machine to a KVM guest. This enables virt-v2v to connect directly to the VMware ESXi hypervisor, which improves the speed and reliability of the conversion.
Note that this conversion import method requires the external nbdkit utility and its VDDK plug-in.
virt-v2v can convert UEFI guests for RHV
Using the virt-v2v utility, it is now possible to convert virtual machines that use the UEFI firmware to run in Red Hat Virtualization (RHV).
virt-v2v removes VMware Tools more reliably
This update makes it more likely that the virt-v2v utility automatically attempts to remove VMware Tools software from a VMware virtual machine that virt-v2v is converting to KVM. Notably, virt-v2v now attempts to remove VMware Tools in the following scenarios:
- When converting Windows virtual machines.
- When VMware Tools were installed on a Linux virtual machine from a tarball.
- When VMware Tools were installed as open-vm-tools.
4.15. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.
4.16. Red Hat Software Collections
Red Hat Software Collections is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARM architecture, IBM Z, and IBM POWER, little endian. Certain components are available also for all supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the
scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the
scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.