Chapter 6. Notable Bug Fixes

This chapter describes bugs fixed in Red Hat Enterprise Linux 7 that have a significant impact on users.

6.1. Authentication and Interoperability

Directory Server rebased to version 1.3.10

The 389-ds-base packages have been upgraded to upstream version 1.3.10, which provides a number of bug fixes over the previous version.

(BZ#1740693)

Directory Server now correctly logs the search base if the server rejects a search operation

Previously, when Directory Server rejected a search operation because of a protocol error, the server logged base="(null)" instead of the actual search base. With this update, Directory Server passes the correct internal variable to the log operation. As a result, the server correctly logs the search base in the mentioned scenario.

(BZ#1662461)

Directory Server improved the logging of the etime value

Previously, if an operation started and completed at the boundary of a second and the operation took less than one second, Directory Server logged an incorrectly calculated etime value. As a consequence, the logged value was too large. This update fixes the problem. As a result, the calculated etime value is now closer to the actual start and end time stamps.

(BZ#1732053)

Directory Server now logs the correct etime value in the access log

Previously, Directory Server incorrectly formatted the etime field in the /var/log/dirsrv/slapd-<instance_name>/access log file. As a consequence, the time value in nanoseconds was 10 times lower than the actual value. This update fixes the problem. As a result, Directory Server now logs the correct nanosecond value in the etime field.

(BZ#1749236)

The severity of a Directory Server log message has been changed

Previously, Directory Server incorrectly logged Event <event_name> should not occur in state <state_name>; going to sleep messages at the error severity. This update changes the severity of this message to warning.

(BZ#1639342)

Directory Server is RFC 4511-compliant when searching for the 1.1 and other attributes in one request

To retrieve only a list of matching distinguished names (DNs), LDAP users can search for the 1.1 special attribute. According to RFC 4511, if an LDAP client searches for the 1.1 special attribute in combination with other attributes in one search request, the server must ignore the 1.1 special attribute.

Previously, when a Directory Server user searched for the 1.1 special attribute and other attributes in the same search request, the server returned no attributes. This update fixes the problem. As a result, Directory Server is RFC 4511-compliant in the mentioned scenario.

(BZ#1723545)
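As an added illustration that is not part of the release note or of Directory Server itself, the following Python function implements the RFC 4511 attribute-selection rule described above (including the "*" and "+" selectors) against a constructed sample entry; the compliant=False switch reproduces the pre-fix behavior in which any request containing 1.1 returned no attributes.

```python
"""RFC 4511 section 4.5.1.8 attribute selection for an LDAP SearchRequest.

Added example; it is not Directory Server code. The sample entry below is
constructed for the demonstration.
"""

NO_ATTRIBUTES = "1.1"      # RFC 4511: "no attributes are to be returned"
ALL_USER = "*"             # RFC 4511: all user attributes
ALL_OPERATIONAL = "+"      # RFC 3673: all operational attributes

# Constructed sample entry, split into user and operational attributes.
SAMPLE_USER_ATTRS = {
    "cn": ["Alice Example"],
    "sn": ["Example"],
    "mail": ["alice@example.com"],
}
SAMPLE_OPERATIONAL_ATTRS = {
    "createTimestamp": ["20200101000000Z"],
    "entryUUID": ["00000000-0000-0000-0000-000000000000"],  # placeholder value
}


def select_attributes(requested, user_attrs, operational_attrs, compliant=True):
    """Return the attributes a server sends back for the requested list.

    Rules from RFC 4511 (attribute names compared case-insensitively):
      - empty list or "*": every user attribute
      - "+": every operational attribute
      - "1.1" on its own: no attributes (the client gets DNs only)
      - "1.1" next to other attributes: "1.1" must be ignored
    compliant=False reproduces the pre-fix behavior described in the
    release note, where any request containing "1.1" returned nothing.
    """
    if not requested:
        return dict(user_attrs)

    if not compliant and NO_ATTRIBUTES in requested:
        return {}

    # Drop every "1.1"; whatever remains decides the result.
    others = [a for a in requested if a != NO_ATTRIBUTES]
    if not others:
        return {}

    by_lower_user = {name.lower(): name for name in user_attrs}
    by_lower_oper = {name.lower(): name for name in operational_attrs}
    result = {}
    for attr in others:
        if attr == ALL_USER:
            result.update(user_attrs)
        elif attr == ALL_OPERATIONAL:
            result.update(operational_attrs)
        else:
            key = attr.lower()
            if key in by_lower_user:
                name = by_lower_user[key]
                result[name] = user_attrs[name]
            elif key in by_lower_oper:
                name = by_lower_oper[key]
                result[name] = operational_attrs[name]
            # Unknown attribute names are simply absent from the result.
    return result


if __name__ == "__main__":
    for req in ([], ["1.1"], ["1.1", "cn"], ["CN", "mail"], ["+"], ["1.1", "*"]):
        found = select_attributes(req, SAMPLE_USER_ATTRS, SAMPLE_OPERATIONAL_ATTRS)
        print(req, "->", sorted(found))
```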

Directory Server returns password policy controls in the correct order

Previously, if the password of a user expired, Directory Server returned password policy controls in a different order depending on whether grace logins were exhausted or not. Consequently, this sometimes caused problems in LDAP clients compliant with the RFC 4511 standard. This update fixes the problem, and as a result, Directory Server returns password policy controls in the correct order.

(BZ#1724914)

Directory Server now also applies limits for maximum concurrent cleanAllRUV tasks received from extended operations

Directory Server supports up to 64 concurrent cleanAllRUV tasks. Previously, Directory Server applied this limit only to manually created tasks and not to tasks the server received from extended operations. As a consequence, more than 64 concurrent cleanAllRUV tasks could run at the same time and slow down the server. This update adds a counter to track the number of clean tasks and abort threads. As a result, only up to 64 concurrent cleanAllRUV tasks can run at the same time.

(BZ#1739182)

Importing large LDIF files to Directory Server databases with many nested sub-trees is now significantly faster

Previously, if the Directory Server database contained many nested sub-trees, importing a large LDIF file using the ldif2db and ldif2db.pl utilities was slow. With this update, Directory Server adds the ancestorid index after all entries. As a result, importing LDIF files to a database with many nested sub-trees is now significantly faster.

(BZ#1749595)

Directory Server now processes new operations only after a previous SASL bind fully initialized the connection

During a bind using the Simple Authentication and Security Layer (SASL) framework, Directory Server initializes a set of callback functions. Previously, if Directory Server received an additional operation on the same connection during a SASL bind, this operation could access and use the callback functions even if they were not fully initialized. Consequently, the Directory Server instance terminated unexpectedly. With this update, the server prevents operations from accessing and using the callback structure until the previous SASL bind is successfully initialized. As a result, Directory Server no longer crashes in this situation.

(BZ#1756182)

The cl-dump.pl and cl-dump utilities now remove temporary files after exporting the change log

Previously, the cl-dump.pl and cl-dump utilities in Directory Server created temporary LDIF files in the /var/lib/dirsrv/slapd-<instance_name>/changelogdb/ directory. After the change log was exported, the utilities renamed the temporary files to *.done. As a consequence, if the temporary files were large, this could result in low free disk space. With this update, cl-dump.pl and cl-dump now delete the temporary files at the end of the export by default. Additionally, the -l option has been added to both utilities to preserve the temporary files. As a result, cl-dump.pl and cl-dump free the disk space after exporting the change log, or users can optionally enforce the old behavior by using the -l option.

(BZ#1685059)

IdM configures the Apache NSS module to use only TLS 1.2 when installing or updating an IdM server or replica

Previously, when an administrator installed an Identity Management (IdM) server or replica, the installer enabled the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in the Apache web server’s Network Security Services (NSS) module. This update provides the following changes:

  • When you set up a new server or replica, IdM only enables the strong TLS 1.2 protocol.
  • On existing IdM servers and replicas, this update disables the weak TLS 1.0 and TLS 1.1 protocols.

As a result, new and updated IdM servers and replicas use only the strong TLS 1.2 protocol in the Apache web server’s NSS module.

(BZ#1711172)

IdM now correctly updates the certificate record in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry

Previously, after renewing the Identity Management (IdM) certificate authority (CA) certificate or modifying the CA certificate chain, IdM did not update the certificate record stored in the cn=CAcert,cn=ipa,cn=etc,<base_DN> entry. As a consequence, installations of IdM clients on RHEL 6 failed. With this update, IdM now updates the certificate record in cn=CAcert,cn=ipa,cn=etc,<base_DN>. As a result, installing IdM on RHEL 6 now succeeds after the administrator renews the CA certificate or updates the certificate chain on the IdM CA.

(BZ#1544470)

The ipa-replica-install utility now verifies that the server specified in --server provides all required roles

The ipa-replica-install utility provides a --server option to specify the Identity Management (IdM) server which the installer should use for the enrollment. Previously, ipa-replica-install did not verify that the supplied server provided the certificate authority (CA) and key recovery authority (KRA) roles. As a consequence, the installer replicated domain data from the specified server and CA data from a different server that provided the CA and KRA roles. With this update, ipa-replica-install verifies that the specified server provides all required roles. As a result, if the administrator uses the --server option, ipa-replica-install only replicates data from the specified server.

(BZ#1754494)

ipa sudorule-add-option no longer shows a false error when options are added to an existing sudo rule

Previously, when a sudo rule already contained hosts, hostgroups, users, or usergroups, the ipa sudorule-add-option command incorrectly processed the sudo rule content. Consequently, the ipa sudorule-add-option command used with the sudooption argument returned an error despite completing successfully. This bug has been fixed, and ipa sudorule-add-option now displays an accurate output in the described scenario.

(BZ#1691939)

IdM no longer drops all custom attributes when moving an account from preserved to stage

Previously, IdM processed only some of the attributes defined in a preserved account. Consequently, when moving an account from preserved to stage, all the custom attributes were lost. With this update, IdM processes all the attributes defined in a preserved account and the described problem no longer occurs.

(BZ#1583950)

Sub-CA key replication no longer fails

Previously, a change to the credential cache (ccache) behavior in the Kerberos library caused lightweight Certificate Authority (CA) key replication to fail. This update adapts the IdM lightweight CA key replication client code to the changed ccache behavior. As a result, lightweight CA key replication now works correctly.

(BZ#1755223)

Certificate System now records audit events if the system acts as a client to other subsystems or to the LDAP server

Previously, Certificate System did not contain audit events if the system acted as a client to other subsystems or to the LDAP server. As a consequence, the server did not record any events in this situation. This update adds the CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE, CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS, and CLIENT_ACCESS_SESSION_TERMINATED events to Certificate System. As a result, Certificate System records these events when acting as a client.

(BZ#1523330)

The python-kdcproxy library no longer drops large Kerberos replies

Previously, if an Active Directory Key Distribution Center (KDC) split large Kerberos replies into multiple TCP packets, the python-kdcproxy library dropped these packets. This update fixes the problem. As a result, python-kdcproxy processes large Kerberos replies correctly.

(BZ#1746107)

6.2. Compiler and Tools

Socket::inet_aton() can now be used from multiple threads safely

Previously, the Socket::inet_aton() function, used for resolving a domain name from multiple Perl threads, called the thread-unsafe gethostbyname() glibc function. Consequently, an incorrect IPv4 address was occasionally returned, or the Perl interpreter terminated unexpectedly. With this update, the Socket::inet_aton() implementation has been changed to use the thread-safe getaddrinfo() glibc function instead of gethostbyname(). As a result, the inet_aton() function from the Perl Socket module can be used from multiple threads safely.

(BZ#1693293)

sosreport now generates HTML reports faster

Previously, when the sosreport utility collected tens of thousands of files, generation of the HTML report was very slow. This update provides changes to the text report code, improving the report structure and formatting. Additionally, support for reports in the JSON file format has been added. As a result, HTML reports are now generated without delay.

(BZ#1704957)

6.3. Desktop

32- and 64-bit fwupd packages can now be used together when installing or upgrading the system

Previously, the /usr/lib/systemd/system/fwupd.service file in the fwupd packages was different for the 32- and 64-bit architectures. Consequently, it was impossible to install both 32- and 64-bit fwupd packages or to upgrade a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version. This update fixes fwupd so that the /usr/lib/systemd/system/fwupd.service file is the same for both 32- and 64-bit architectures. As a result, installing both 32- and 64-bit fwupd packages, or upgrading a Red Hat Enterprise Linux 7.5 system with both 32- and 64-bit fwupd packages to a later version, is now possible.

(BZ#1623466)

A memory leak in libteam has been fixed

Previously, the libteam library used an incorrect JSON API when a user queried the status of a network team. As a consequence, the teamdctl <team_device> state command leaked memory. With this update, the library uses the correct API, and querying the status of a team no longer leaks memory.

(BZ#1704451)

6.4. Installation and Booting

The installation program correctly sets the connection type for Kickstart network team devices

Previously, the installation program used the TYPE="Team" parameter instead of the DEVICETYPE="Team" parameter to specify the connection type in the ifcfg file that is created for Kickstart network team devices. As a consequence, network team devices using the network service were not activated during the boot process. With this update, the installation program uses the DEVICETYPE parameter to specify the connection type in the ifcfg file. As a result, Kickstart network team devices are activated during the boot process even if the system uses the network service for network configuration, for example, when the NetworkManager service is disabled.

(BZ#1680606)

The installation program correctly handles an exception when GTK is not installed

Previously, the installation program failed to handle an exception when the GTK GUI toolkit was not installed in the environment. As a consequence, the exception was not communicated to the user. With this update, the installation program correctly handles an exception when the GTK GUI toolkit is not installed, and the user is also notified of the exception.

(BZ#1712987)

6.5. Kernel

The IBM Z systems no longer become unresponsive when using certain BCC tools

Previously, due to a bug in the kernel, running the dcsnoop, runqlen, and slabratetop utilities from the bcc-tools package caused IBM Z systems to become unresponsive. This update fixes the problem, and IBM Z systems no longer hang in the described scenario.

(BZ#1724027)

Virtual machines no longer enable unnecessary CPU vulnerability mitigation

Previously, the MDS_NO CPU flag, which indicates that the CPU is not vulnerable to the Microarchitectural Data Sampling (MDS) vulnerability, was not exposed to guest operating systems when the virtual machine was using CPU host-passthrough. As a consequence, the guest operating system in some cases automatically enabled CPU vulnerability mitigation features that were not necessary for the host. This update ensures that the MDS_NO flag is properly visible to the guest operating system when using CPU host-passthrough, which prevents the described problem from occurring.

(BZ#1708465, BZ#1677209)

Disabling logging in the nf-logger framework has been fixed

Previously, when an administrator used the sysctl or echo commands to turn off an assigned netfilter logger, a NUL character was not appended to the end of the NONE string. Consequently, the strcmp() comparison failed and the command returned a No such file or directory error. This update fixes the problem. As a result, commands such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.

(BZ#1770232)

Resuming from hibernation now works on the megaraid_sas driver

Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.

(BZ#1807077)

Kdump no longer fails in the second kernel

Previously, the kdump initramfs image could fail in the second kernel after a disk migration or installation of a new machine with a disk image. This update adds the kdumpctl rebuild command for rebuilding the kdump initramfs image. As a result, users can now rebuild initramfs to ensure that kdump does not fail in the second kernel.

(BZ#1723492)

6.6. Real-Time Kernel

The latency for isolated CPUs is now reduced by avoiding spurious ktimersoftd activation

Previously, on a KVM-RT configured system, per-CPU ktimersoftd kernel threads ran once every second even in the absence of a timer. Consequently, increased latency occurred on the isolated CPUs. This update adds an optimization to the real-time kernel that does not wake ktimersoftd on every tick. As a result, ktimersoftd is not raised on isolated CPUs, which prevents the interference and reduces the latency.

(BZ#1550584)

6.7. Networking

The tc filter show command now displays filters correctly when the handle is 0xffffffff

Previously, a bug in the TC flower code caused an undesired integer overflow. As a consequence, dumping a flower rule that used 0xffffffff as a handle could result in an infinite loop. This update prevents the integer overflow on 64-bit architectures. As a result, tc filter show no longer loops in this scenario, and filters are now shown correctly.

(BZ#1712737)

The kernel no longer crashes when attempting to apply an invalid TC rule

Previously, while attempting to replace a traffic control (TC) rule with a rule having an invalid goto chain parameter, a kernel crash occurred. With this update, the kernel avoids a NULL dereference in the described scenario. As a result, the kernel no longer crashes, and an error message is logged instead.

(BZ#1712918)

The kernel now correctly updates PMTU when receiving ICMPv6 Packet Too Big message

In certain situations, such as for link-local addresses, more than one route can match a source address. Previously, the kernel did not check the input interface when receiving Internet Control Message Protocol Version 6 (ICMPv6) packets. Therefore, the route lookup could return a destination that did not match the input interface. Consequently, when receiving an ICMPv6 Packet Too Big message, the kernel could update the Path Maximum Transmission Unit (PMTU) for a different input interface. With this update, the kernel checks the input interface during the route lookup. As a result, the kernel now updates the correct destination based on the source address and PMTU works as expected in the described scenario.

(BZ#1722686)

MACsec no longer drops valid frames

Previously, if the cryptographic context for AES-GCM was not completely initialized, decryption of incoming frames failed. Consequently, MACsec dropped valid incoming frames, and increased the InPktsNotValid counter. With this update, the initialization of the cryptographic context has been fixed. Now, decryption with AES-GCM succeeds, and MACsec no longer drops valid frames.

(BZ#1698551)

The kernel no longer crashes when goto chain is used as a secondary TC control action

Previously, when the act gact and act police traffic control (TC) rules used an invalid goto chain parameter as a secondary control action, the kernel terminated unexpectedly. With this update, the kernel rejects the invalid goto chain parameter instead of dereferencing a NULL pointer, and no longer crashes in the described scenario. Instead, the kernel returns an -EINVAL error.

(BZ#1729033)

The kernel no longer allows adding duplicate rules with NLM_F_EXCL set

Previously, the kernel never checked the rule content when a new policy routing rule was added. Consequently, the kernel could add two rules that were exactly the same. This complicated the rule set, which could cause problems when NetworkManager tried to cache the rules. With this update, support for the NLM_F_EXCL flag has been added to the kernel. Now, when a rule is added and the flag is set, the kernel checks the rule content and returns an EEXIST error if the rule already exists. As a result, the kernel no longer adds duplicate rules.

(BZ#1700691)

The ipset list command reports consistent memory for hash set types

When you add entries to a hash set type, the ipset utility must resize the in-memory representation to make room for new entries by allocating an additional memory block. Previously, ipset set the total per-set allocated size to only the size of the new block instead of adding the value to the current in-memory size. As a consequence, the ipset list command reported an inconsistent memory size. With this update, ipset correctly calculates the in-memory size. As a result, the ipset list command now displays the correct in-memory size of the set, and the output matches the actual allocated memory for hash set types.

(BZ#1711520)

firewalld no longer attempts to create IPv6 rules if the IPv6 protocol is disabled

Previously, if the IPv6 protocol was disabled, the firewalld service incorrectly attempted to create rules using the ip6tables utility, even though ip6tables should not be usable. As a consequence, when firewalld initialized the firewall, the service logged error messages. This update fixes the problem, and firewalld now only initializes IPv4 rules if IPv6 is disabled.

(BZ#1738785)

The --remove-rules option of firewall-cmd now removes only direct rules that match the specified criteria

Previously, the --remove-rules option of the firewall-cmd command did not check which rules to remove. As a consequence, the command removed all direct rules instead of only the matching subset. This update fixes the problem. As a result, firewall-cmd now removes only direct rules that match the specified criteria.

(BZ#1723610)

Deleting a firewalld rich rule with forward-ports works now as expected

Previously, the firewalld service incorrectly handled the deletion of rules with the forward-ports setting. As a consequence, deleting a rich rule with forward-ports from the runtime configuration failed. This update fixes the problem. As a result, deleting a rich rule with forward-ports works as expected.

(BZ#1637675)

Packets no longer drift to other zones and cause unexpected behavior

Previously, when setting up rules in one zone, the firewalld daemon allowed the packets to be affected by multiple zones. This behavior violated the firewalld zone concept, in which packets may only be part of a single zone. This update fixes the bug and firewalld now prevents packets from being affected by multiple zones.

Warning: This change may affect the availability of some services if the user was knowingly or unknowingly relying on the zone drifting behavior.

(BZ#1713823)

6.8. Security

Accessibility of OpenSCAP HTML reports has been improved

Previously, an Accessible Rich Internet Applications (ARIA) parameter was incorrectly defined in OpenSCAP HTML reports. As a consequence, rule details in the reports were not accessible to users of screen-reading software. With this update, the template for report generation has been changed. As a result, users with screen readers can now navigate through rule details and interact with links and buttons.

(BZ#1767826)

SELinux policy now allows sysadm_u users to use semanage with sudo

Previously, SELinux policy was missing rules to allow users with the sysadm_u label to use the semanage command with the sudo command. As a consequence, sysadm_u users could not configure SELinux on the system. This update adds the missing rules, and SELinux users labeled as sysadm_u can now change SELinux configurations.

(BZ#1651253)

6.9. Servers and Services

Manual initialization of MariaDB using mysql_install_db no longer fails

Prior to this update, the mysql_install_db script for initializing the MariaDB database called the resolveip binary from the /usr/libexec/ directory, while the binary was located in /usr/bin/. Consequently, manual initialization of the database using mysql_install_db failed. This update fixes mysql_install_db to correctly locate resolveip. As a result, manual initialization of MariaDB using mysql_install_db no longer fails.

(BZ#1731062)

ReaR updates

RHEL 7.8 introduces a number of updates to the Relax-and-Recover (ReaR) utility.

The build directory handling has been changed. Previously, the build directory was kept in a temporary location in case ReaR encountered a failure. With this update, the build directory is deleted by default in non-interactive runs to prevent consuming disk space.

The semantics of the KEEP_BUILD_DIR configuration variable have been extended to include a new errors value. You can set the KEEP_BUILD_DIR variable to the following values:

  • errors to preserve the build directory on errors for debugging (the previous behavior)
  • y (true) to always preserve the build directory
  • n (false) to never preserve the build directory

The default value is an empty string with the meaning of errors when ReaR is being executed interactively (in a terminal) and false if ReaR is being executed non-interactively. Note that KEEP_BUILD_DIR is automatically set to true in debug mode (-d) and in debugscript mode (-D); this behavior has not been changed.

Notable bug fixes include:

  • Support for NetBackup 8.0 has been fixed.
  • ReaR no longer aborts with a bash error similar to xrealloc: cannot allocate on systems with a large number of users, groups, and users per group.
  • The bconsole command now shows its prompt, which enables you to perform a restore operation when using the Bacula integration.
  • ReaR now correctly backs up files also in situations when the docker service is running but no docker root directory has been defined, or when it is impossible to determine the status of the docker service.
  • Recovery no longer fails when using thin pools or recovering a system in Migration Mode.
  • Extremely slow rebuild of initramfs during the recovery process with LVM has been fixed.

(BZ#1693608)

6.10. Storage

Concurrent SG_IO requests in /dev/sg no longer cause data corruption

Previously, the /dev/sg device driver was missing synchronization of kernel data. Concurrent requests on the same file descriptor accessed the same data at the same time in the driver.

As a consequence, the ioctl system call sometimes erroneously used the payload of an SG_IO request for a different command that was sent at the same time as the correct one. This led to disk corruption in certain cases. Red Hat observed this bug in Red Hat Virtualization (RHV).

With this release, concurrency protection has been added in /dev/sg, and the described problem no longer occurs.

(BZ#1710533)

When an image is split off from an active/active cluster mirror, the resulting logical volume is now properly activated

Previously, when you split off an image from an active/active cluster mirror, the resulting new logical volume appeared active but it had no active component. With this fix, the new logical volume is properly activated.

(BZ#1642162)