Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7 that have a significant impact on users.
6.1. Authentication and Interoperability
Directory Server rebased to version 1.3.10
The 389-ds-base packages have been upgraded to upstream version 1.3.10, which provides a number of bug fixes over the previous version.
Directory Server now correctly logs the search base if the server rejects a search operation
Previously, when Directory Server rejected a search operation because of a protocol error, the server logged base="(null)" instead of the actual search base. With this update, Directory Server passes the correct internal variable to the log operation. As a result, the server correctly logs the search base in the mentioned scenario.
Directory Server improved the logging of the etime value
Previously, if an operation started and completed at the border of a second and the operation took less than one second, Directory Server logged an incorrectly calculated etime value. As a consequence, the logged value was too big. This update fixes the problem. As a result, the calculated etime value is now closer to the start and end time stamps.
Directory Server now logs the correct etime value in the access log
Previously, Directory Server incorrectly formatted the etime field in the /var/log/dirsrv/slapd-<instance_name>/access log file. As a consequence, the time value in nanoseconds was 10 times lower than the actual value. This update fixes the problem. As a result, Directory Server now logs the correct nanosecond value in the access log.
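The two etime fixes above are both about handling a (seconds, nanoseconds) pair correctly: subtracting across a second boundary and printing the fraction with a fixed width. The following is an added illustration written for this page, not code from 389-ds-base; the log line layout, the hypothetical "truncate to whole seconds" variant used for contrast, and the sample timestamps are all constructed here.

```python
"""Computing and formatting an access-log etime value (added example, not 389-ds code).

Timestamps are (seconds, nanoseconds) pairs such as a monotonic clock returns.
"""

NSEC_PER_SEC = 1_000_000_000


def etime_truncated(start, end):
    """Hypothetical wrong variant, for contrast only: rounding both stamps to
    whole seconds before subtracting. An operation that starts at 10.999999000
    and ends at 11.000001000 lasts 2 us but is reported as a full second, which
    is the "too big" symptom described in the release note."""
    return end[0] - start[0], 0


def etime(start, end):
    """Correct duration: subtract nanoseconds with a borrow across the second
    boundary. Returns (seconds, nanoseconds) with 0 <= nanoseconds < NSEC_PER_SEC."""
    sec = end[0] - start[0]
    nsec = end[1] - start[1]
    if nsec < 0:
        sec -= 1
        nsec += NSEC_PER_SEC
    if sec < 0:
        raise ValueError("end time stamp precedes start time stamp")
    return sec, nsec


def format_etime(sec, nsec):
    """Render as seconds, a dot, and exactly nine zero-padded nanosecond digits.
    Any other width shifts the value by a power of ten when it is read back."""
    if not 0 <= nsec < NSEC_PER_SEC:
        raise ValueError("nanoseconds out of range")
    return f"{sec}.{nsec:09d}"


def parse_etime(text):
    """Round-trip check: a logged etime must parse back to the same pair."""
    whole, frac = text.split(".")
    if len(frac) != 9:
        raise ValueError("etime fraction must have exactly nine digits")
    return int(whole), int(frac)


def sample_log_line(conn, op, start, end):
    """Constructed access-log-style RESULT line for a completed operation."""
    sec, nsec = etime(start, end)
    return (f"conn={conn} op={op} RESULT err=0 tag=101 nentries=1 "
            f"etime={format_etime(sec, nsec)}")


if __name__ == "__main__":
    # Constructed sample: an operation straddling the 10 s -> 11 s boundary.
    start, end = (10, 999_999_000), (11, 1_000)
    print("truncated:", etime_truncated(start, end))
    print("correct:  ", etime(start, end))
    print(sample_log_line(3, 7, start, end))
```

The round-trip through parse_etime is the kind of unit test that catches both classes of bug at once: a wrong borrow changes the parsed pair, and a wrong field width changes the fraction length.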
The severity of a Directory Server log message has been changed
Previously, Directory Server incorrectly logged Event <event_name> should not occur in state <state_name>; going to sleep messages as error. This update changes the severity of this message to
Directory Server is RFC 4511-compliant when searching for the 1.1 and other attributes in one request
To retrieve only a list of matching distinguished names (DNs), LDAP users can search for the 1.1 special attribute. According to RFC 4511, if an LDAP client searches for the 1.1 special attribute in combination with other attributes in one search request, the server must ignore the 1.1 special attribute.
Previously, when a Directory Server user searched for the 1.1 special attribute and other attributes in the same search request, the server returned no attributes. This update fixes the problem. As a result, Directory Server is RFC 4511-compliant in the mentioned scenario.
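The attribute-selection rule from RFC 4511 section 4.5.1.8 is small enough to show in full. The block below is an added example written for this page, not Directory Server source: it applies the rule to a search request's attribute list (empty list, "1.1" alone, "1.1" mixed with names, "*", and case-insensitive names) and, for contrast, models the pre-fix behaviour the release note describes as a hypothetical simplification. The sample entry and DN are constructed.

```python
"""RFC 4511 attribute selection for a SearchRequest (added example, not 389-ds code)."""

NO_ATTRIBUTES = "1.1"        # RFC 4511: return no attributes, only the DN
ALL_USER_ATTRIBUTES = "*"    # RFC 4511: return every user attribute


def select_attributes(requested, entry):
    """Return the names of the attributes to send back, in entry order.

    requested: attribute descriptions from the request (may be empty).
    entry: mapping of attribute name -> list of values for the matching entry.
    """
    if not requested:
        return list(entry)                    # empty list means all user attributes
    if all(a == NO_ATTRIBUTES for a in requested):
        return []                             # "1.1" alone: only the DN is returned
    # "1.1" together with other descriptions must be ignored.
    wanted = {a.lower() for a in requested if a != NO_ATTRIBUTES}
    if ALL_USER_ATTRIBUTES in wanted:
        return list(entry)
    # LDAP attribute descriptions are case-insensitive.
    return [name for name in entry if name.lower() in wanted]


def select_attributes_prefix_bug(requested, entry):
    """Hypothetical model of the unfixed behaviour from the release note: any
    request mentioning 1.1 returned no attributes at all."""
    if NO_ATTRIBUTES in requested:
        return []
    return select_attributes(requested, entry)


def search_result(dn, requested, entry):
    """Build one SearchResultEntry-like record: the DN plus selected attributes."""
    names = select_attributes(requested, entry)
    return {"dn": dn, "attributes": {name: entry[name] for name in names}}


# Constructed sample entry; no real directory is involved.
ENTRY = {
    "cn": ["alice"],
    "uid": ["alice"],
    "mail": ["alice@example.com"],
    "telephoneNumber": ["+1 555 0100"],
}
DN = "uid=alice,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    for req in ([], ["1.1"], ["1.1", "cn"], ["MAIL", "uid"], ["*", "1.1"]):
        print(req, "->", select_attributes(req, ENTRY),
              "| pre-fix:", select_attributes_prefix_bug(req, ENTRY))
```

A client that wants only DNs should send ["1.1"] by itself; a client that sends ["1.1", "cn"] is, per the RFC, asking for cn, and a compliant server answers accordingly.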
Directory Server returns password policy controls in the correct order
Previously, if the password of a user expired, Directory Server returned password policy controls in a different order depending on whether grace logins were exhausted or not. Consequently, this sometimes caused problems in LDAP clients compliant with the RFC 4511 standard. This update fixes the problem, and as a result, Directory Server returns password policy controls in the correct order.
Directory Server now also applies limits for maximum concurrent cleanAllRUV tasks received from extended operations
Directory Server supports up to 64 concurrent cleanAllRUV tasks. Previously, Directory Server applied this limit only to manually created tasks and not to tasks the server received from extended operations. As a consequence, more than 64 concurrent cleanAllRUV tasks could run at the same time and slow down the server. This update adds a counter to track the number of clean tasks and abort threads. As a result, only up to 64 concurrent cleanAllRUV tasks can run at the same time.
Importing large LDIF files to Directory Server databases with many nested sub-trees is now significantly faster
Previously, if the Directory Server database contained many nested sub-trees, importing a large LDIF file using the ldif2db.pl utilities was slow. With this update, Directory Server adds the ancestorid index after all entries. As a result, importing LDIF files to a database with many nested sub-trees is now significantly faster.
Directory Server now processes new operations only after a previous SASL bind fully initialized the connection
During a bind using the Simple Authentication and Security Layer (SASL) framework, Directory Server initializes a set of callback functions. Previously, if Directory Server received an additional operation on the same connection during a SASL bind, this operation could access and use the callback functions even if they were not fully initialized. Consequently, the Directory Server instance terminated unexpectedly. With this update, the server prevents operations from accessing and using the callback structure until the previous SASL bind is successfully initialized. As a result, Directory Server no longer crashes in this situation.
The cl-dump utilities now remove temporary files after exporting the change log
Previously, the cl-dump utilities in Directory Server created temporary LDIF files in the /var/lib/dirsrv/slapd-<instance_name>/changelogdb/ directory. After the change log was exported, the utilities renamed the temporary files to *.done. As a consequence, if the temporary files were large, this could result in low free disk space. With this update, the cl-dump utilities delete the temporary files at the end of the export by default. Additionally, the -l option has been added to both utilities to manually preserve the temporary files. As a result, the cl-dump utilities free the disk space after exporting the change log, or the user can optionally enforce the old behavior by using the -l option.
IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica
Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server’s network security service (NSS) module. This update provides the following changes:
- When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol.
- On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols.
As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server’s NSS module.
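A practitioner auditing an existing server wants to confirm the protocol list the IdM installer now sets. The block below is an added example written for this page, not IdM or mod_nss code: it assumes the mod_nss NSSProtocol directive and the usual RHEL 7 location /etc/httpd/conf.d/nss.conf (neither is stated on this page), reads a constructed before/after excerpt of that file, reports any weak protocol versions, and shows the single-line rewrite that restricts the module to TLS 1.2.

```python
"""Audit and harden the mod_nss NSSProtocol directive (added example, not IdM code).

Assumptions (not from the release note): the directive is named NSSProtocol,
values are comma-separated, and the file lives at NSS_CONF on RHEL 7.
"""
import re

NSS_CONF = "/etc/httpd/conf.d/nss.conf"   # assumed default mod_nss config path
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}
STRONG_LINE = "NSSProtocol TLSv1.2"
# First NSSProtocol directive on a line; the value stops at whitespace or a comment.
DIRECTIVE = re.compile(r"^[ \t]*NSSProtocol[ \t]+([^\s#]+)", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(conf_text):
    """Protocol versions listed on the NSSProtocol line, in the file's own spelling."""
    match = DIRECTIVE.search(conf_text)
    if not match:
        return []
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def weak_protocols(conf_text):
    """Subset of enabled_protocols() that a TLS 1.2-only policy forbids."""
    return [p for p in enabled_protocols(conf_text) if p.lower() in WEAK_PROTOCOLS]


def harden(conf_text):
    """Return the config with NSSProtocol restricted to TLSv1.2 (added if absent)."""
    if DIRECTIVE.search(conf_text):
        return DIRECTIVE.sub(STRONG_LINE, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + STRONG_LINE + "\n"


# Constructed excerpt resembling a pre-update server; not a real nss.conf.
BEFORE = """# constructed excerpt
NSSEngine on
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
NSSNickname Server-Cert
"""
AFTER = harden(BEFORE)

if __name__ == "__main__":
    print("weak before:", weak_protocols(BEFORE))
    print("weak after: ", weak_protocols(AFTER))
    print(AFTER)
```

To run the check against a live server, read NSS_CONF instead of BEFORE; the installer performs the equivalent change on new and updated servers, so a non-empty result from weak_protocols() on a patched system indicates a locally edited file worth investigating.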
IdM now correctly updates the certificate record in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry
Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry. As a consequence, installations of IdM clients on RHEL 6 failed. With this update, IdM updates the certificate record in cn=CAcert,cn=ipa,cn=etc,<base_DN>. As a result, installing IdM on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.
The ipa-replica-install utility now verifies that the server specified in --server provides all required roles
The ipa-replica-install utility provides a --server option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, ipa-replica-install did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, ipa-replica-install verifies that the specified server provides all required roles. As a result, if the administrator uses the --server option, ipa-replica-install only replicates data from the specified server.
ipa sudorule-add-option no longer shows a false error when options are added to an existing sudo rule
Previously, when a sudo rule already contained hosts, hostgroups, users, or usergroups, the ipa sudorule-add-option command incorrectly processed the sudo rule content. Consequently, the ipa sudorule-add-option command used with the sudooption argument returned an error despite completing successfully. This bug has been fixed, and ipa sudorule-add-option now displays accurate output in the described scenario.
IdM no longer drops all custom attributes when moving an account from preserved to stage
Previously, IdM processed only some of the attributes defined in a preserved account. Consequently, when moving an account from preserved to stage, all the custom attributes were lost. With this update, IdM processes all the attributes defined in a preserved account and the described problem no longer occurs.
Sub-CA key replication no longer fails
Previously, a change to the credential cache (ccache) behaviour in the Kerberos library caused lightweight Certificate Authority (CA) key replication to fail. This update adapts the IdM lightweight CA key replication client code to the changed ccache behaviour. As a result, the lightweight CA key replication now works correctly.
Certificate System now records audit events if the system acts as a client to other subsystems or to the LDAP server
Previously, Certificate System did not contain audit events if the system acted as a client to other subsystems or to the LDAP server. As a consequence, the server did not record any events in this situation. This update adds the CLIENT_ACCESS_SESSION_TERMINATED events to Certificate System. As a result, Certificate System records these events when acting as a client.
The python-kdcproxy library no longer drops large Kerberos replies
Previously, if an Active Directory Key Distribution Center (KDC) split large Kerberos replies into multiple TCP packets, the python-kdcproxy library dropped these packets. This update fixes the problem. As a result, python-kdcproxy processes large Kerberos replies correctly.
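Kerberos over TCP (RFC 4120 section 7.2.2) prefixes every message with a 4-octet big-endian length whose high bit is reserved, so a proxy must buffer segments until that many bytes have arrived rather than treating each TCP read as a whole message. The block below is an added example written for this page, not python-kdcproxy's code: it reassembles messages from arbitrarily split chunks, handles a split inside the length prefix itself and several messages in one read, rejects a set reserved bit and oversized lengths, and includes a hypothetical "one read equals one message" variant to show how a large reply gets lost. The message bytes and the 1400-byte split are constructed and are not a real KDC reply.

```python
"""Reassembling length-prefixed Kerberos TCP messages (added example, not python-kdcproxy code)."""
import struct

MAX_MESSAGE = 1 << 20   # assumed sanity cap for this example; real replies are far smaller
PREFIX = struct.Struct(">I")


class KrbTcpReassembler:
    """Accumulates TCP data and yields complete Kerberos messages."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Append one TCP read; return every message completed by it."""
        self._buf += chunk
        messages = []
        while len(self._buf) >= PREFIX.size:
            (length,) = PREFIX.unpack(bytes(self._buf[:PREFIX.size]))
            if length & 0x80000000:
                raise ValueError("reserved high bit set in Kerberos TCP length prefix")
            if length > MAX_MESSAGE:
                raise ValueError("Kerberos TCP message exceeds MAX_MESSAGE")
            end = PREFIX.size + length
            if len(self._buf) < end:
                break                      # wait for more data; do not drop the partial reply
            messages.append(bytes(self._buf[PREFIX.size:end]))
            del self._buf[:end]
        return messages

    def pending(self):
        """Bytes buffered but not yet part of a complete message."""
        return len(self._buf)


def frame(body):
    """Wrap a message body in the RFC 4120 TCP length prefix."""
    return PREFIX.pack(len(body)) + body


def reassemble_all(chunks):
    """Feed a sequence of TCP reads; return (complete messages, leftover byte count)."""
    reassembler = KrbTcpReassembler()
    messages = []
    for chunk in chunks:
        messages.extend(reassembler.feed(chunk))
    return messages, reassembler.pending()


def one_read_one_message(chunk):
    """Hypothetical model of the unfixed behaviour: a read is accepted only if it
    holds exactly one whole message, otherwise it is discarded."""
    if len(chunk) < PREFIX.size:
        return None
    (length,) = PREFIX.unpack(chunk[:PREFIX.size])
    return chunk[PREFIX.size:] if len(chunk) == PREFIX.size + length else None


# Constructed 2048-byte stand-in for a large reply, split across three reads.
BODY = bytes(range(256)) * 8
FULL = frame(BODY)
CHUNKS = [FULL[:2], FULL[2:1400], FULL[1400:]]   # prefix itself is split across reads

if __name__ == "__main__":
    print("reassembled:", [len(m) for m in reassemble_all(CHUNKS)[0]])
    print("one-read model:", [one_read_one_message(c) is not None for c in CHUNKS])
```

The same reassembler serves the client side of a proxy: whatever the KDC's segmentation, feed() only hands back whole messages, and pending() tells you whether a connection closed mid-reply.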
6.2. Compiler and Tools
Socket::inet_aton() can now be used from multiple threads safely
Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use a thread-safe glibc function instead of gethostbyname(). As a result, the inet_aton() function from the Perl Socket module can be used from multiple threads safely.
sosreport now generates HTML reports faster
Previously, when the sosreport utility collected tens of thousands of files, generating the HTML report was very slow. This update changes the text report code, improving the report structure and formatting. Additionally, support for reports in the JSON file format has been added. As a result, HTML reports are now generated without delay.
32- and 64-bit fwupd packages can now be used together when installing or upgrading the system
Previously, the /usr/lib/systemd/system/fwupd.service file in the fwupd packages was different for 32- and 64-bit architectures. Consequently, it was impossible to install both 32- and 64-bit fwupd packages or to upgrade a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version. This update fixes fwupd so that the /usr/lib/systemd/system/fwupd.service file is the same for both 32- and 64-bit architectures. As a result, installing both 32- and 64-bit fwupd packages, or upgrading a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version, is now possible.
A memory leak in libteam has been fixed
Previously, the libteam library used an incorrect JSON API when a user queried the status of a network team. As a consequence, the teamdctl <team_device> state command leaked memory. With this update, the library uses the correct API, and querying the status of a team no longer leaks memory.
6.4. Installation and Booting
The installation program correctly sets the connection type for Kickstart network team devices
Previously, the installation program used the TYPE="Team" parameter instead of the DEVICETYPE="Team" parameter to specify the connection type in the ifcfg file that is created for Kickstart network team devices. As a consequence, any network team devices using the network service were not activated during the boot process. With this update, the installation program uses the DEVICETYPE parameter to specify the connection type in the ifcfg file. As a result, Kickstart network team devices are activated during the boot process even if the system uses the network service for network configuration, for example, when the NetworkManager service is disabled.
The installation program correctly handles an exception when GTK is not installed
Previously, the installation program failed to handle an exception when the GTK GUI toolkit was not installed in the environment. As a consequence, the exception was not communicated to the user. With this update, the installation program correctly handles an exception when the GTK GUI toolkit is not installed, and the user is also notified of the exception.
IBM Z systems no longer become unresponsive when using certain BCC tools
Previously, due to a bug in the kernel, running the slabratetop utilities from the bcc-tools package caused IBM Z systems to become unresponsive. This update fixes the problem, and IBM Z systems no longer hang in the described scenario.
Virtual machines no longer enable unnecessary CPU vulnerability mitigation
Previously, the MDS_NO CPU flags, which indicate that the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) vulnerability, were not exposed to guest operating systems when the virtual machine was using CPU host-passthrough. As a consequence, the guest operating system in some cases automatically enabled CPU vulnerability mitigation features that were not necessary for the host. This update ensures that the MDS_NO flag is properly visible to the guest operating system when using CPU host-passthrough, which prevents the described problem from occurring.
Disabling logging in the nf-logger framework has been fixed
Previously, when an admin used commands such as sysctl or echo to turn off an assigned netfilter logger, a NUL character was not added to the end of the NONE string. Consequently, the strcmp() comparison against NONE did not match, and the request failed with a No such file or directory error. This update fixes the problem. As a result, commands such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.
Resuming from hibernation now works with the megaraid_sas driver
Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSI-X) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.
Kdump no longer fails in the second kernel
Previously, the kdump initramfs image could fail in the second kernel after a disk migration or installation of a new machine with a disk image. This update adds the kdumpctl rebuild command for rebuilding the kdump initramfs image. As a result, users can now rebuild initramfs to ensure that kdump does not fail in the second kernel.
6.6. Real-Time Kernel
The latency for isolated CPUs is now reduced by avoiding spurious ktimersoftd wake-ups
Previously, on a KVM-RT configured system, per-CPU ktimersoftd kernel threads ran once every second even in the absence of a timer. Consequently, increased latency occurred on the isolated CPUs. This update adds an optimization to the real-time kernel that does not wake ktimersoftd on every tick. As a result, ktimersoftd is not raised on isolated CPUs, which prevents the interference and reduces the latency.
The tc filter show command now displays filters correctly when the handle is 0xffffffff
Previously, a bug in the TC flower code caused an undesired integer overflow. As a consequence, dumping a flower rule that used 0xffffffff as a handle could result in an infinite loop. This update prevents the integer overflow on 64-bit architectures. As a result, tc filter show no longer loops in this scenario, and filters are now shown correctly.
The kernel no longer crashes when attempting to apply an invalid TC rule
Previously, while attempting to replace a traffic control (TC) rule with a rule having an invalid
goto chain parameter, a kernel crash occurred. With this update, the kernel avoids a NULL dereference in the described scenario. As a result, the kernel no longer crashes, and an error message is logged instead.
The kernel now correctly updates PMTU when receiving an ICMPv6 Packet Too Big message
In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address, and PMTU works as expected in the described scenario.
MACsec no longer drops valid frames
Previously, if the cryptographic context for AES-GCM was not completely initialized, decryption of incoming frames failed. Consequently, MACsec dropped valid incoming frames, and increased the
InPktsNotValid counter. With this update, the initialization of the cryptographic context has been fixed. Now, decryption with AES-GCM succeeds, and MACsec no longer drops valid frames.
The kernel no longer crashes when goto chain is used as a secondary TC control action
Previously, when the act gact and act police traffic control (TC) rules used an invalid goto chain parameter as a secondary control action, the kernel terminated unexpectedly. With this update, the kernel avoids using goto chain with a NULL dereference and no longer crashes in the described scenario. Instead, the kernel returns an -EINVAL error message.
The kernel no longer allows adding duplicate rules with NLM_F_EXCL
Previously, the kernel never checked the rule content when a new policy routing rule was added. Consequently, the kernel could add two rules that were exactly the same. This complicated the rule set, which could cause problems when NetworkManager tried to cache the rules. With this update, support for the NLM_F_EXCL flag has been added to the kernel. Now, when a rule is added and the flag is set, the kernel checks the rule content and returns an EEXIST error if the rule already exists. As a result, the kernel no longer adds duplicate rules.
The ipset list command reports consistent memory for hash set types
When you add entries to a hash set type, the ipset utility must resize the in-memory representation to make room for new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ipset list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.
firewalld no longer attempts to create IPv6 rules if the IPv6 protocol is disabled
Previously, if the IPv6 protocol was disabled, the firewalld service incorrectly attempted to create rules using the ip6tables utility, even though ip6tables should not be usable. As a consequence, when firewalld initialized the firewall, the service logged error messages. This update fixes the problem, and firewalld now only initializes IPv4 rules if IPv6 is disabled.
The --remove-rules option of firewall-cmd now removes only direct rules that match the specified criteria
Previously, the --remove-rules option of the firewall-cmd command did not check the rules to remove. As a consequence, the command removed all direct rules instead of only the matching subset. This update fixes the problem. As a result, firewall-cmd now removes only direct rules that match the specified criteria.
firewalld rich rule with forward-ports now works as expected
Previously, the firewalld service incorrectly handled the deletion of rules with the forward-ports setting. As a consequence, deleting a rich rule with forward-ports from the runtime configuration failed. This update fixes the problem. As a result, deleting a rich rule with forward-ports works as expected.
Packets no longer drift to other zones and cause unexpected behavior
Previously, when setting up rules in one zone, the firewalld daemon allowed the packets to be affected by multiple zones. This behavior violated the firewalld zone concept, in which packets may only be part of a single zone. This update fixes the bug, and firewalld now prevents packets from being affected by multiple zones.
Warning: This change may affect the availability of some services if the user was knowingly or unknowingly relying on the zone drifting behavior.
OpenSCAP HTML reports have been improved
Previously, an Accessible Rich Internet Applications (ARIA) parameter was incorrectly defined in OpenSCAP HTML reports. As a consequence, rule details in the reports were not accessible to users of screen-reading software. With this update, the template for report generation has been changed. As a result, users with screen readers can now navigate through rule details and interact with links and buttons.
SELinux policy now allows sysadm_u users to use semanage with sudo
Previously, SELinux policy was missing rules to allow users with the sysadm_u label to use the semanage command with the sudo command. As a consequence, sysadm_u users could not configure SELinux on the system. This update adds the missing rules, and SELinux users labeled as sysadm_u can now change SELinux configurations.
6.9. Servers and Services
Manual initialization of MariaDB using mysql_install_db no longer fails
Prior to this update, the mysql_install_db script for initializing the MariaDB database called the resolveip binary from the /usr/libexec/ directory, while the binary was located in /usr/bin/. Consequently, manual initialization of the database using mysql_install_db failed. This update fixes mysql_install_db to correctly locate resolveip. As a result, manual initialization of MariaDB using mysql_install_db no longer fails.
RHEL 7.8 introduces a number of updates to the Relax-and-Recover (ReaR) utility
The build directory handling has been changed. Previously, the build directory was kept in a temporary location in case ReaR encountered a failure. With this update, the build directory is deleted by default in non-interactive runs to prevent consuming disk space.
The semantics of the KEEP_BUILD_DIR configuration variable have been enhanced to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values:
- errors to preserve the build directory on errors for debugging (the previous behavior)
- true to always preserve the build directory
- false to never preserve the build directory
The default value is an empty string, which means errors when ReaR is executed interactively (in a terminal) and false when ReaR is executed non-interactively. Note that KEEP_BUILD_DIR is automatically set to true in debug mode (-d) and in debugscript mode (-D); this behavior has not been changed.
Notable bug fixes include:
- Support for NetBackup 8.0 has been fixed.
- ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of users, groups, and users per group.
- The bconsole command now shows its prompt, which enables you to perform a restore operation when using the Bacula integration.
- ReaR now correctly backs up files also in situations when the docker service is running but no docker root directory has been defined, or when it is impossible to determine the status of the docker service.
- Recovery no longer fails when using thin pools or recovering a system in Migration Mode.
- Extremely slow rebuild of initramfs during the recovery process with LVM has been fixed.
SG_IO requests in /dev/sg no longer cause data corruption
Previously, the /dev/sg device driver was missing synchronization of kernel data. Concurrent requests on the same file descriptor accessed the same data at the same time in the driver.
As a consequence, the ioctl system call sometimes erroneously used the payload of an SG_IO request for a different command that was sent at the same time as the correct one. This led to disk corruption in certain cases. Red Hat observed this bug in Red Hat Virtualization (RHV).
With this release, concurrency protection has been added in /dev/sg, and the described problem no longer occurs.
When an image is split off from an active/active cluster mirror, the resulting logical volume is now properly activated
Previously, when you split off an image from an active/active cluster mirror, the resulting new logical volume appeared active but it had no active component. With this fix, the new logical volume is properly activated.