Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7.9 that have a significant impact on users.
6.1. Authentication and Interoperability
A deadlock no longer occurs when using SASL binds to Directory Server
Previously, a SASL bind to Directory Server could attempt to use callbacks that were modified during the connection process. Consequently, a deadlock occurred, and Directory Server could terminate unexpectedly. With this update, the server uses a connection lock that prevents modifying IO layers and callbacks while they are in use. As a result, the deadlock no longer occurs when using SASL binds.
389-ds-base package now sets the required permissions on directories owned by the Directory Server user
If directories in the file system owned by the Directory Server user do not have the correct permissions, Directory Server utilities adjust them accordingly. However, if these permissions were different from the ones that were set during the RPM installation, verifying the RPM using the rpm -V 389-ds-base command failed. This update fixes the permissions in the RPM. As a consequence, verifying the 389-ds-base package no longer complains about incorrect permissions.
A memory leak has been fixed in Directory Server when using ip binding rules in an ACI with IPv6
The Access Control Instruction (ACI) context in Directory Server is attached to a connection and contains a structure for both the IPv4 and the IPv6 protocol. Previously, when a client closed a connection, Directory Server removed only the IPv4 structure and the context. As a consequence, if an administrator configured an ACI with an ip binding rule, Directory Server leaked the memory of the IPv6 structure. With this update, the server frees both the IPv4 and IPv6 structures at the end of a connection. As a result, Directory Server no longer leaks memory in the mentioned scenario.
Directory Server no longer leaks memory when using ACIs with an ip bind rule
When a Directory Server Access Control Instruction (ACI) contains an ip bind rule, the server stores the value of the ip keyword as a reference while evaluating the ACI. Previously, when the evaluations were completed, Directory Server did not free the ip value. As a consequence, the server leaked around 100 bytes of memory each time it evaluated an ACI with an ip bind rule. With this update, Directory Server keeps track of the ip value in the per-connection structure and frees the structure when the connection is closed. As a consequence, Directory Server no longer leaks memory in the mentioned scenario.
Directory Server no longer rejects wildcards in the
Previously, when an administrator tried to set a wildcard in the rootdn-deny-ip parameters in the cn=RootDN Access Control Plugin,cn=plugins,cn=config entry, Directory Server rejected the value. With this update, you can use wildcards when specifying allowed or denied IP addresses in the mentioned parameters.
Directory Server rejects update operations if retrieving the system time fails or the time difference is too large
Previously, when calling the system time() function failed or the function returned an unexpected value, Change Sequence Numbers (CSN) in Directory Server could become corrupted. As a consequence, the administrator had to re-initialize all replicas in the environment. With this update, Directory Server rejects the update operation if the time() function failed, and Directory Server no longer generates corrupt CSNs in the mentioned scenario.
Note that, if the time difference is greater than one day, the server logs an INFO - csngen_new_csn - Detected large jump in CSN time message in the /var/log/dirsrv/slapd-<instance_name>/error file. However, Directory Server still creates the CSN and does not reject the update operation.
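Because the server only logs the large-jump case and still generates the CSN, an administrator who wants to catch replica clock jumps has to watch the errors log. The following shell script is an added example, not part of the release notes or of Directory Server: it counts the message quoted above in a log and lists the timestamps of the affected lines. The log content is constructed for the example; only the message text comes from the note, and the file path is the one the note gives.

```shell
#!/bin/sh
# Added example, not from the RHEL release notes or Directory Server: scan a
# Directory Server errors log for the "Detected large jump in CSN time"
# message so that clock jumps on a replica are noticed before they turn into
# replication trouble. The log lines below are constructed; only the message
# text is taken from the release note.

CSN_JUMP_PATTERN='csngen_new_csn - Detected large jump in CSN time'

# Constructed sample of /var/log/dirsrv/slapd-<instance_name>/error content.
SAMPLE_ERRORS_LOG='[01/Jul/2020:10:00:01.000000000 +0000] - INFO - main - slapd starting up
[01/Jul/2020:10:05:12.000000000 +0000] - INFO - csngen_new_csn - Detected large jump in CSN time
[01/Jul/2020:10:05:13.000000000 +0000] - INFO - slapd_daemon - slapd started
[03/Jul/2020:09:00:00.000000000 +0000] - INFO - csngen_new_csn - Detected large jump in CSN time
[03/Jul/2020:09:00:01.000000000 +0000] - INFO - main - routine message'

# csn_jump_count: read an errors log on stdin and print how many CSN time
# jumps it records (prints 0 when there are none).
csn_jump_count() {
    # grep -c exits 1 when nothing matched but still prints the count 0.
    grep -c -- "$CSN_JUMP_PATTERN" || true
}

# csn_jump_timestamps: read an errors log on stdin and print the bracketed
# timestamp of each CSN jump line, one per line, for the alert or ticket.
csn_jump_timestamps() {
    grep -- "$CSN_JUMP_PATTERN" | sed -n 's/^\[\([^]]*\)\].*/\1/p'
}

# check_instance_log FILE: exit 0 when the log is clean, 1 when jumps were
# seen, printing a short summary either way. Against a real instance:
#   check_instance_log /var/log/dirsrv/slapd-<instance_name>/error
check_instance_log() {
    count=$(csn_jump_count <"$1")
    if [ "$count" -eq 0 ]; then
        echo "no CSN time jumps in $1"
        return 0
    fi
    echo "$count CSN time jump(s) in $1; the clock moved by more than a day at:"
    csn_jump_timestamps <"$1"
    return 1
}

# Stand-alone run over the constructed sample: prints 2.
printf '%s\n' "$SAMPLE_ERRORS_LOG" | csn_jump_count
```

The check exits non-zero when a jump is present, so it can be dropped into a cron job or a monitoring agent as a failing probe; the timestamps it prints are the ones to compare against NTP or chronyd logs on the replica.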
Directory Server no longer hangs while updating the schema
Previously, during a mixed load of search and modify operations, the update of the Directory Server schema blocked all search and modify operations, and the server appeared to hang. This update adjusts the mutex locking during schema updates. As a result, the server does not hang while updating the schema.
Directory Server no longer leaks memory when using indirect COS definitions
Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.
Password expiration notifications sent to AD clients using SSSD
Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.
The Kerberos interface has been updated and expiration notices are now sent correctly.
KDCs now correctly enforce password lifetime policy from LDAP backends
Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.
pkidaemon tool now reports the correct status of PKI instances when nuxwdog is enabled
Previously, the pkidaemon status command did not report the correct status for PKI server instances that have the nuxwdog watchdog enabled. With this update, pkidaemon detects whether nuxwdog is enabled and reports the correct status of the PKI server.
6.2. Compiler and Tools
strptime() method of the Time::Piece Perl module now correctly parses Julian dates
Previously, the Time::Piece Perl module did not correctly parse a day of the year (%j) using the strptime() method. Consequently, Julian dates were parsed incorrectly. This bug has been fixed, and the strptime() method provided by the Time::Piece module now handles Julian dates properly.
Documentation files from perl-devel no longer have a write permission for a group
Previously, certain documentation files from the perl-devel package had a write permission set for a group. Consequently, users in the root group could write into these files, which represented a security risk. With this update, the write bit for a group has been removed for the affected files. As a result, no documentation file from perl-devel has a write permission set for a group.
Resuming from hibernation now works on the
Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.
Disabling logging in the nf-logger framework has been fixed
Previously, when an admin used the echo commands to turn off an assigned netfilter logger, a NUL character was not added to the end of the NONE string. Consequently, the strcmp() function failed with a No such file or directory error. This update fixes the problem. As a result, commands such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.
XFS now mounts correctly even if the storage device reported invalid geometry at file system creation
In RHEL 7.8, an XFS file system failed to mount with the error SB stripe unit sanity check failed if it was created on a block device that reported invalid stripe geometry to the
With this update, XFS now mounts the file system even if it was created based on invalid stripe geometry.
For details, see the following solution article: https://access.redhat.com/solutions/5075561.
The same zone file can now be included in multiple views or zones in BIND
BIND 9.11 introduced an additional check to ensure that no daemon-writable zone file is used multiple times, because doing so would cause errors in zone journal serialization. Consequently, a configuration accepted by BIND 9.9 was no longer accepted by this daemon. With this update, the fatal error raised by the configuration file check has been replaced by a warning, and as a result, the same zone file can now be included in multiple views or zones.
Note that using an in-view clause is recommended as a better solution.
A configuration parameter has been added to firewalld to disable zone drifting
Previously, the firewalld service contained an undocumented behavior known as "zone drifting". RHEL 7.8 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, firewalld denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.
By default, in RHEL 7.9, the new AllowZoneDrifting parameter in the /etc/firewalld/firewalld.conf file is set to yes. Note that, if the parameter is enabled,
WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
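Since the RHEL 7.9 default keeps the insecure behavior on, the setting is worth checking on every host as part of a hardening baseline. The following shell functions are an added example, not code from the release notes or from the firewalld project: they read a firewalld.conf excerpt, report the effective AllowZoneDrifting value, and rewrite it to no. The configuration text is a constructed excerpt; the key name and the /etc/firewalld/firewalld.conf path are the ones the note gives, and treating a missing key as yes follows the RHEL 7.9 default the note states.

```shell
#!/bin/sh
# Added example, not from the RHEL release notes or the firewalld project:
# audit and harden the AllowZoneDrifting setting. The configuration text
# below is a constructed excerpt of /etc/firewalld/firewalld.conf.

# Constructed excerpt of a RHEL 7.9 firewalld.conf that still carries the
# insecure default.
SAMPLE_CONF='# firewalld config file (constructed excerpt)
DefaultZone=public
# AllowZoneDrifting: RHEL 7.9 ships this enabled for compatibility.
AllowZoneDrifting=yes
LogDenied=off'

# zone_drifting_setting: print the effective AllowZoneDrifting value from
# the config text on stdin, lower-cased. Commented-out lines are ignored;
# the last assignment wins; a missing key reports "yes", which is the RHEL
# 7.9 default stated in the release note.
zone_drifting_setting() {
    value=$(sed -n 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    if [ -z "$value" ]; then
        echo yes
    else
        echo "$value" | tr 'A-Z' 'a-z'
    fi
}

# zone_drifting_enabled: exit 0 when drifting is on (the insecure state),
# 1 otherwise, so it can be used directly in an if statement.
zone_drifting_enabled() {
    [ "$(zone_drifting_setting)" = yes ]
}

# disable_zone_drifting: copy the config text from stdin with the key set
# to "no", appending the key if the file did not carry it. After writing the
# result back to /etc/firewalld/firewalld.conf, run "firewall-cmd --reload".
disable_zone_drifting() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*AllowZoneDrifting[[:space:]]*='; then
        printf '%s\n' "$conf" | sed 's/^[[:space:]]*AllowZoneDrifting[[:space:]]*=.*/AllowZoneDrifting=no/'
    else
        printf '%s\nAllowZoneDrifting=no\n' "$conf"
    fi
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_CONF" | zone_drifting_enabled; then
    echo "AllowZoneDrifting is enabled: firewalld logs the insecure-configuration warning"
fi
printf '%s\n' "$SAMPLE_CONF" | disable_zone_drifting | zone_drifting_setting
```

Before switching the value to no on a host that relied on drifting, confirm that every interface and source is explicitly assigned to a zone; the note above explains that connections which used to fall through to a catch-all zone are otherwise denied.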
firewalld log files
Previously, RHEL did not rotate firewalld log files. As a consequence, the /var/log/firewalld log file grew indefinitely. This update adds the /etc/logrotate.d/firewalld log rotation configuration file for the firewalld service. As a result, the /var/log/firewalld log is rotated, and users can customize the rotation settings in the
Recursive dependencies no longer cause OpenSCAP crashes
Because systemd units can have dependent units, OpenSCAP scans could encounter cyclical dependencies that caused the scan to terminate unexpectedly. With this update, OpenSCAP no longer analyses previously analysed units. As a result, scans now complete with a valid result even if dependencies are cyclical.
OpenSCAP scanner results no longer contain a lot of SELinux context error messages
Previously, the OpenSCAP scanner logged the inability to get the SELinux context on the ERROR level even in situations where it was not a true error. Consequently, scanner results contained a lot of SELinux context error messages, and the outputs of both the oscap command-line utility and the SCAP Workbench graphical utility were hard to read for that reason. The openscap packages have been fixed, and scanner results no longer contain a lot of SELinux context error messages.
audit_rules_privileged_commands now works correctly for privileged commands
Remediation of the audit_rules_privileged_commands rule in the scap-security-guide packages did not account for a special case in parsing command names. Additionally, the ordering of certain rules prevented successful remediation. As a consequence, remediation of certain combinations of rules reported that they were fixed, although successive scans reported the rule as failing again. This update improves the regular expressions in the rule and the ordering of the rules. As a result, all privileged commands are correctly audited after remediation.
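To see why command-name parsing matters for this rule, the following shell script is an added example, not code from the release notes or from the scap-security-guide project. It generates the audit rule form commonly used for a setuid or setgid command and checks which commands an existing rule set does not yet cover, matching on the whole path so that a short command name is not mistaken for a prefix of a longer one (an illustration of the kind of parsing pitfall such rules face, not the specific defect the note refers to). The command list, the existing rules, and the rule format are constructed assumptions for the example; on a real host the list would come from a find over setuid/setgid files and the rules from /etc/audit/rules.d/.

```shell
#!/bin/sh
# Added example, not from the RHEL release notes or scap-security-guide:
# generate audit rules for privileged commands and find the ones an existing
# rule set does not cover. All data below is constructed; on a real host the
# command list would come from
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \)
# and the existing rules from /etc/audit/rules.d/*.rules.

# Constructed list of privileged commands, one path per line.
PRIVILEGED_COMMANDS='/usr/bin/su
/usr/bin/sudo
/usr/bin/passwd
/usr/sbin/usernetctl'

# Constructed existing rule set: sudo and passwd are covered, su is not,
# although "su" is a prefix of "sudo" and a sloppy substring match would
# wrongly count it as covered.
EXISTING_RULES='-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-w /etc/sudoers -p wa -k actions'

# privileged_rule PATH: print an auditctl rule that records every execution
# of PATH by a real (non-system) user. The rule form is an assumption for
# this example, following the usual auditd convention for such rules.
privileged_rule() {
    printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid>=1000 -F auid!=unset -k privileged"
}

# rule_covers PATH RULES: exit 0 if RULES already contains a rule for
# exactly PATH. The fixed-string match includes the field that follows the
# path, so /usr/bin/su does not match the /usr/bin/sudo rule.
rule_covers() {
    printf '%s\n' "$2" | grep -Fq -- "-F path=$1 -F perm=x"
}

# missing_rules COMMANDS RULES: print a rule for each command in COMMANDS
# (newline-separated paths) that RULES does not cover; prints nothing when
# everything is covered.
missing_rules() {
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if ! rule_covers "$cmd" "$2"; then
            privileged_rule "$cmd"
        fi
    done
}

# Stand-alone run over the constructed data. On a real host, append the
# output to a file in /etc/audit/rules.d/ and run "augenrules --load".
missing_rules "$PRIVILEGED_COMMANDS" "$EXISTING_RULES"
```

Running the check a second time with the generated rules appended returns nothing, which is the property the note describes as broken before the fix: a remediation that reports success should leave nothing for the next scan to flag.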
Updated rule descriptions in the SCAP Security Guide
Because default kernel parameters cannot be reliably determined for all supported versions of RHEL, checking kernel parameter settings always requires explicit configuration. The text in the configuration guide mistakenly stated that explicit settings were not needed if the default version was compliant. With this update, the rule description in the scap-security-guide package correctly describes the compliance evaluation and the corresponding remediation.
configure_firewalld_rate_limiting now correctly rate-limits connections
The configure_firewalld_rate_limiting rule, which protects the system from Denial of Service (DoS) attacks, previously configured the system to accept all traffic. With this update, the system correctly rate-limits connections after remediating this rule.
dconf_gnome_login_banner_text no longer incorrectly fails
Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages previously failed after a failure to scan the configuration. As a consequence, the remediation could not properly update the login banner configuration, which was inconsistent with expected results. With this update, Bash and Ansible remediations are more reliable and align with the configuration check implemented using the OVAL standard. As a consequence, remediations now work properly and the rule passes after remediation.
scap-security-guide Ansible remediations no longer include the
Prior to this update, scap-security-guide Ansible remediations could contain the follow argument in the replace module. Because follow was deprecated in Ansible 2.5 and will be removed in Ansible 2.10, using such remediations caused an error. With the release of the RHBA-2021:1383 advisory, the argument has been removed. As a result, Ansible playbooks from scap-security-guide work properly in Ansible 2.10.
Postfix-specific rules no longer fail if postfix is not installed
Previously, SCAP Security Guide (SSG) evaluated Postfix-specific rules regardless of whether the postfix package was installed on the system. As a result, SSG reported Postfix-specific rules as fail instead of notapplicable. With the release of the RHBA-2021:4781 advisory, SSG correctly evaluates Postfix-specific rules only if the postfix package is installed, and reports notapplicable if the postfix package is not installed.
Service Disabled rules are no longer ambiguous
Previously, rule descriptions for the Service Disabled type in the SCAP Security Guide provided options for disabling and masking a service but did not specify whether the user should disable the service, mask it, or both.
With the release of the RHBA-2021:1383 advisory, rule descriptions, remediations, and OVAL checks have been aligned and inform users that they must mask a service to disable it.
Fixed Ansible remediations for
Previously, Ansible remediations for some rules covering the GNOME dconf configuration system were not aligned with the corresponding OVAL checks. Consequently, Ansible incorrectly remediated the following rules, marking them as failed in subsequent scans:
With the update released in the RHBA-2021:4781 advisory, Ansible regular expressions have been fixed. As a result, these rules remediate correctly in the
SELinux no longer blocks PCP from restarting unresponsive PMDAs
Previously, a rule that allows pcp_pmie_t processes to communicate with the Performance Metric Domain Agent (PMDA) was missing in the SELinux policy. As a consequence, SELinux prevented the pmsignal process from restarting unresponsive PMDAs. With this update, the missing rule has been added to the policy, and Performance Co-Pilot (PCP) can now restart unresponsive PMDAs.
SELinux no longer prevents auditd from halting or powering off the system
Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so, for example when no space was left on the logging disk partition. With this update, the missing rule has been added to the SELinux policy. As a result, auditd can now halt or power off the system.
chronyd service can now execute shells in SELinux
Previously, the chronyd process, running under chronyd_t, was unable to execute the chrony-helper shell script because the SELinux policy did not allow chronyd to execute any shell. With this update, the SELinux policy allows the chronyd process to run a shell that is labeled shell_exec_t. As a result, the chronyd service starts successfully under the Multi-Level Security (MLS) policy.
Tang reliably updates its cache
When the Tang application generates its keys, for example at first installation, Tang updates its cache. Previously, this process was unreliable, and the application cache did not update correctly to reflect the Tang keys. This caused problems with using a Tang pin in Clevis, with the client displaying the error message Key derivation key not available. With this update, the key generation and cache update logic has been moved into Tang, removing the file-watching dependency. As a result, the application cache remains in a correct state after a cache update.
6.6. Servers and Services
cupsd now consumes less memory during PPD caching
Previously, the CUPS daemon consumed a lot of memory when many print queues with extensive PostScript Printer Description (PPD) files were created. With this update, cupsd checks whether a cached file exists and whether its timestamp is the same as or newer than that of the PPD file in /etc/cups/ppd; if so, it loads the cached file. Otherwise, it creates a new cached file based on the PPD file. As a result, memory consumption is lowered by 91% in the described scenario.
tuned no longer hangs on SIGHUP when a non-existent profile is selected
When the tuned service receives the SIGHUP signal, it attempts to reload the profile. Prior to this update, tuned was unable to correctly handle situations when:
- The tuned profile was set to a non-existent profile, or
- The automatic profile selection mode was active and the recommended profile was non-existent.
As a consequence, the tuned service became unresponsive and had to be restarted. This bug has been fixed, and the tuned service no longer hangs in the described scenarios.
Note that the tuned behavior has changed with this update. Previously, when the user executed the tuned-adm off command and restarted the tuned service, tuned tried to load the recommended profile. Now, tuned loads no profile even if the recommended profile exists.
tuned no longer applies settings from sysctl.d directories when the reapply_sysctl option is set to
Previously, if the reapply_sysctl configuration option was set to
tuned profile applied sysctl settings from the /usr/local/lib/sysctl.d directories after applying sysctl settings from a tuned profile. Consequently, settings from these directories would override sysctl settings from the tuned profile. With this update, tuned no longer applies sysctl settings from the mentioned directories when the reapply_sysctl option is set to
Note that to re-apply sysctl settings, you need to move them from the mentioned directories to /run/sysctl.d directories or to a custom
LVM volumes on VDO now shut down correctly
Previously, the stacking of block layers on VDO was limited by the configuration of the VDO systemd units. As a result, the system shutdown sequence waited for 90 seconds when it tried to stop LVM volumes stored on VDO. After 90 seconds, the system uncleanly stopped the LVM and VDO volumes.
With this update, the VDO systemd units have been improved, and as a result, the system shuts down cleanly with LVM on VDO.
Additionally, the VDO startup configuration is now more flexible. You no longer have to add special mount options in the /etc/fstab file for most VDO configurations.
6.8. System and Subscription Management
microdnf no longer fails to retrieve GPG key for custom Satellite repository
Previously, the librhsm library, used internally by microdnf, incorrectly handled relative gpgkey paths, which are used in custom repositories hosted by Satellite. Consequently, when the user ran the microdnf command in a container to install a package signed with GNU Privacy Guard (GPG) from a custom repository through the host's Satellite subscription, microdnf failed with the following error:
GPG enabled: failed to lookup digest in keyring.
With this update, handling of relative gpgkey paths has been fixed in librhsm. As a result, the user can now successfully use the custom repository from Satellite inside containers.
YUM can now install RPM packages signed with GPG keys with revoked subkeys
Previously, the YUM utility could not install RPM packages signed with GNU Privacy Guard (GPG) keys with revoked subkeys. Consequently, YUM failed with the following error message:
signature X doesn't bind subkey to key, type is subkey revocation
This update changes the code so that it checks revocation before checking the binding signature. As a result, YUM can now install RPM packages signed with GPG keys with revoked subkeys.
6.9. RHEL in cloud environments
cloud-init to create virtual machines with XFS and swap now works correctly
Previously, using the cloud-init utility failed when creating a virtual machine (VM) with an XFS root file system and an enabled swap partition. In addition, the following error message was logged:
kernel: swapon: swapfile has holes
This update fixes the underlying code, which prevents the problem from occurring.