Menu Close
Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
6.2 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.2
Edition 2
Red Hat Engineering Content Services
Abstract
Preface
Note
Chapter 1. Technology Previews
1.1. Storage and File Systems
- Parallel NFS
- Parallel NFS (pNFS) is a part of the NFS v4.1 standard that allows clients to access storage devices directly and in parallel. The pNFS architecture eliminates the scalability and performance issues associated with NFS servers in deployment today.pNFS supports 3 different storage protocols or layouts: files, objects and blocks. The Red Hat Enterprise Linux 6.2 NFS client supports the files layout protocol.To automatically enable the pNFS functionality, create the
/etc/modprobe.d/dist-nfsv41.conf
file with the following line and reboot the system:alias nfs-layouttype4-1 nfs_layout_nfsv41_files
Now when the-o minorversion=1
mount option is specified, and the server is pNFS-enabled, the pNFS client code is automatically enabled.For more information on pNFS, refer to http://www.pnfs.com/. - Open multicast ping (Omping), BZ#657370
- Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the local network. This utility allows users to test IP multicast functionality and assists in the diagnosing if an issues is in the network configuration or elsewhere (that is, a bug). In Red Hat Enterprise Linux 6 Omping is provided as a Technology Preview.
- Matahari
- Matahari provides a set of Application Programming Interfaces (APIs) for operating systems management for remote access over QMF/QPID. Matahari in Red Hat Enterprise Linux 6.2 is fully supported only for Intel 64 and AMD64 architectures. Builds for other architectures are considered a Technology Preview.
- System Information Gatherer and Reporter (SIGAR)
- The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool for accessing operating system and hardware level information across multiple platforms and programming languages. In Red Hat Enterprise Linux 6.2, SIGAR is considered a Technology Preview package.
- fsfreeze
- Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new command that halts access to a file system on a disk. fsfreeze is designed to be used with hardware RAID devices, assisting in the creation of volume snapshots. For more details on the fsfreeze utility, refer to the
fsfreeze(8)
man page. - DIF/DIX support
- DIF/DIX, is a new addition to the SCSI Standard and a Technology Preview in Red Hat Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by the Host Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum on receive, and stores both the data and the checksum. Conversely, when a read occurs, the checksum can be checked by the storage device, and by the receiving HBA.The DIF/DIX hardware checksum feature must only be used with applications that exclusively issue
O_DIRECT
I/O. These applications may use the raw block device, or the XFS file system inO_DIRECT
mode. (XFS is the only file system that does not fall back to buffered I/O when doing certain allocation operations.) Only applications designed for use withO_DIRECT
I/O and DIF/DIX hardware should enable this feature.For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage Administration Guide - File system in user space
- Filesystem in Userspace (FUSE) allows for custom file systems to be developed and run in user space.
- Btrfs, BZ#614121
- Btrfs is under development as a file system capable of addressing and managing more files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is designed to make the file system tolerant of errors, and to facilitate the detection and repair of errors when they occur. It uses checksums to ensure the validity of data and metadata, and maintains snapshots of the file system that can be used for backup or repair. The btrfs Technology Preview is only available on AMD64 and Intel 64 architectures.
Warning
Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to experiment with this file system. You should not choose Btrfs for partitions that will contain valuable data or that are essential for the operation of important systems. - LVM Application Programming Interface (API)
- Red Hat Enterprise Linux 6 features the new LVM application programming interface (API) as a Technology Preview. This API is used to query and control certain aspects of LVM.
- LVM RAID support, BZ#729712
- In Red Hat Enterprise Linux 6.2, support for MD's RAID personalities has been added to LVM as a Technology Preview. The following basic features are available: create, display, rename, use, and remove RAID logical volumes. Automated fault tolerance is not yet available.
- FS-Cache
- FS-Cache is a new feature in Red Hat Enterprise Linux 6 that enables networked file systems (e.g. NFS) to have a persistent cache of data on the client machine.
- eCryptfs File System
- eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file system and provides per-file granularity. eCryptfs is provided as a Technology Preview in Red Hat Enterprise Linux 6.
1.2. Networking
- vios-proxy, BZ#721119
- vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
- IPv6 support in IPVS
- The IPv6 support in IPVS (IP Virtual server) is considered a Technology Preview.
1.3. Clustering
- Support for redundant ring for standalone Corosync, BZ#722469
- Red Hat Enterprise Linux 6.2 introduces support for redundant ring with autorecovery feature as a Technology Preview. Refer to Section 2.7, “Clustering” for a list of known issues associated with this Technology Preview.
- corosync-cpgtool, BZ#688260
- The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This feature is a Technology Preview.
- Disabling rgmanager in /etc/cluster.conf, BZ#723925
- As a consequence of converting the
/etc/cluster.conf
configuration file to be used by pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a successful conversion, it would be possible to start rgmanager and pacemaker on the same host, managing the same resources.Consequently, Red Hat Enterprise Linux 6.2 includes a feature (as a Technology Preview) that forces the following requirements:- rgmanager must refuse to start if it sees the
<rm disabled="1">
flag in/etc/cluster.conf
. - rgmanager must stop any resources and exit if the
<rm disabled="1">
flag appears in/etc/cluster.conf
during a reconfiguration.
- pacemaker, BZ#456895
- Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red Hat cluster stack.
1.4. Security
- TPM
- TPM hardware can create, store and use RSA keys securely (without ever being exposed in memory), verify a platform's software state using cryptographic hashes and more. The user space libraries, trousers and tpm-tools, are considered a Technology Preview.
1.5. Devices
- Brocade BFA driver
- The Brocade BFA driver is considered a Technology Preview feature in Red Hat Enterprise Linux 6. The BFA driver supports Brocade FibreChannel and FCoE mass storage adapters.
- SR-IOV on the be2net driver, BZ#602451
- The SR-IOV functionality of the Emulex
be2net
driver is considered a Technology Preview in Red Hat Enterprise Linux 6.
1.6. Kernel
- Support for Fiber Channel over Ethernet (FCoE) target mode
- Red Hat Enterprise Linux 6.2 includes support for Fiber Channel over Ethernet (FCoE) target mode as a Technology Preview. This kernel feature is configurable via targetadmin, supplied by the fcoe-target-utils package. FCoE is designed to be used on a network supporting Data Center Bridging (DCB). Further details are available in the
dcbtool(8)
andtargetadmin(8)
man pages.Important
This feature uses the new SCSI target layer, which falls under this Technology Preview, and should not be used independently from the FCoE target support. This package contains the AGPL license. - Kernel Media support
- The following features are presented as Technology Previews:
- The latest upstream video4linux
- Digital video broadcasting
- Primarily infrared remote control device support
- Various webcam support fixes and improvements
- Remote audit logging
- The audit package contains the user space utilities for storing and searching the audit records generated by the
audit
subsystem in the Linux 2.6 kernel. Within the audispd-plugins subpackage is a utility that allows for the transmission of audit events to a remote aggregating machine. This remote audit logging application, audisp-remote, is considered a Technology Preview in Red Hat Enterprise Linux 6. - Linux (NameSpace) Container [LXC]
- Linux containers provide a flexible approach to application runtime containment on bare-metal systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6.2 provides application level containers to separate and control the application resource usage policies via cgroup and namespaces. This release introduces basic management of container life-cycle by allowing creation, editing and deletion of containers via the libvirt API and the virt-manager GUI. Linux Containers are a Technology Preview.
- Diagnostic pulse for the fence_ipmilan agent, BZ#655764
- A diagnostic pulse can now be issued on the IPMI interface using the
fence_ipmilan
agent. This new Technology Preview is used to force a kernel dump of a host if the host is configured to do so. Note that this feature is not a substitute for theoff
operation in a production cluster. - EDAC driver support, BZ#647700
- Red Hat Enterprise Linux 6.2's EDAC driver support for the latest Intel chipset is available as a Technical Preview.
1.7. Virtualization
- System monitoring via SNMP, BZ#642556
- This feature provides KVM support for stable technology that is already used in data center with bare metal systems. SNMP is the standard for monitoring and is extremely well understood as well as computationally efficient. System monitoring via SNMP in Red Hat Enterprise Linux 6.2 allows the KVM hosts to send SNMP traps on events so that hypervisor events can be communicated to the user via standard SNMP protocol. This feature is provided through the addition of a new package: libvirt-snmp. This feature is introduced as a Technology Preview.
- Wire speed requirement in KVM network drivers
- Virtualization and cloud products that run networking work loads need to run wire speeds. Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which limits other features like memory overcommit and guest migrationThe macvtap/vhost zero-copy capabilities allows the user to use those features when high performance is required. This feature improves performance for any Red Hat Enterprise Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.
Chapter 2. Known Issues
2.1. Installation
anaconda
component, BZ#676025- Users performing an upgrade using the Anaconda's text mode interface who do not have a boot loader already installed on the system, or who have a non-GRUB boot loader, need to select
Skip Boot Loader Configuration
during the installation process. Boot loader configuration will need to be completed manually after installation. This problem does not affect users running Anaconda in the graphical mode (graphical mode also includes VNC connectivity mode). anaconda
component- Anaconda fails to install to partitions of size 2.2 TB and larger.
anaconda
component- On s390x systems, you cannot use automatic partitioning and encryption. If you want to use storage encryption, you must perform custom partitioning. Do not place the
/boot
volume on an encrypted volume. anaconda
component- The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example,
sdc
instead ofsda
).During installation, verify the storage device size, name, and type when configuring partitions and file systems. kernel
component- Dell systems based on a future Intel processor with graphics acceleration require the selection of the
install system with basic video driver
installation option. A future Red Hat Enterprise Linux 6.2.z Extended Update Support update will remove this requirement. -
kernel
component - Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically
em1
is used instead ofeth0
on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades. -
anaconda
component - The
kdump default on
feature currently depends on Anaconda to insert thecrashkernel=
parameter to the kernel parameter list in the boot loader's configuration file. firstaidkit
component- The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda
component, BZ#623261- In some circumstances, disks that contain a whole disk format (for example, a LVM Physical Volume populating a whole disk) are not cleared correctly using the
clearpart --initlabel
kickstart command. Adding the--all
switch—as inclearpart --initlabel --all
—ensures disks are cleared correctly. squashfs-tools
component- During the installation on POWER systems, error messages similar to:
attempt to access beyond end of device loop0: rw=0, want=248626, limit=248624
may be returned tosys.log
. These errors do not prevent installation and only occur during the initial setup. The file system created by the installer will function correctly. anaconda
component- When installing on the IBM System z architecture, if the installation is being performed over SSH, avoid resizing the terminal window containing the SSH session. If the terminal window is resized during the installation, the installer will exit and the installation will terminate.
yaboot
component, BZ#613929- The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently, on the POWER architecture, directly booting the kernel image over a network from the CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda
component- The Anaconda partition editing interface includes a button labeled Resize. This feature is intended for users wishing to shrink an existing file system and an underlying volume to make room for an installation of a new system. Users performing manual partitioning cannot use the Resize button to change sizes of partitions as they create them. If you determine a partition needs to be larger than you initially created it, you must delete the first one in the partitioning editor and create a new one with the larger size.
system-config-kickstart
component- Channel IDs (read, write, data) for network devices are required for defining and configuring network devices on IBM S/390 systems. However, system-config-kickstart—the graphical user interface for generating a kickstart configuration—cannot define channel IDs for a network device. To work around this issue, manually edit the kickstart configuration that system-config-kickstart generates to include the desired network devices.
dracut
component- During FCoE BFS installation, when an Ethernet interface goes offline after discovering the targets, FCoE link will never come up. This is because Anaconda creates an FCoE configuration file under
/etc/fcoe/
using biosdevname (new style interface naming scheme) for all the available Ethernet interfaces for FCoE BFS. However, it does not add theifname
kernel command line for the FCoE interface that stays offline after discovering FCoE targets during installation. Because of this, during subsequent reboots, the system tries to find the old style ethX interface name in the/etc/fcoe
directory, which does not match with the file created by Anaconda using biosdevname. Therefore, due to the missing FCoE configuration file, an FCoE interface is never created on the Ethernet interface.To avoid this problem, ensure that the Ethernet interface does not go offline during FCoE BFS installation.If the Ethernet interface does go offline during installation after discovering the targets, add the following parameter to the kernel command line:ifname=<biosdevname_interface_name>:<mac_address>
2.2. Entitlement
subscription manager
component- When registering a system with firstboot, the RHN Classic option is checked by default in the Subscription part.
2.3. Deployment
cpuspeed
component, BZ#626893- Some HP Proliant servers may report incorrect CPU frequency values in
/proc/cpuinfo
or/sys/device/system/cpu/*/cpufreq
. This is due to the firmware manipulating the CPU frequency without providing any notification to the operating system. To avoid this ensure that theHP Power Regulator
option in the BIOS is set toOS Control
. An alternative available on more recent systems is to setCollaborative Power Control
toEnabled
. releng
component, BZ#644778- Some packages in the Optional repositories on RHN have multilib file conflicts. Consequently, these packages cannot have both the primary architecture (for example, x86_64) and secondary architecture (for example, i686) copies of the package installed on the same machine simultaneously. To work around this issue, install only one copy of the conflicting package.
releng
component- The openmpi-psm and openmpi-psm-devel packages are not provided on architectures other than AMD64 and Intel 64 for Red Hat Enterprise Linux 6.2. If the openmpi-psm.i686 or/and openmpi-psm-devel.i686 packages are installed on a AMD64 or an Intel 64 system, remove these packages before you attempt to update Open MPI.
grub
component, BZ#695951- On certain UEFI-based systems, you may need to type
BOOTX64
rather thanbootx64
to boot the installer due to case sensitivity issues. grub
component, BZ#698708- When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package must be used. Using the glibc-static.x86_64 package will not meet the build requirements.
parted
component- The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes (EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders. Consequently, EAV DASD drives cannot be partitioned using parted, and installation on EAV DASD drives will fail. To work around this issue, complete the installation on a non EAV DASD drive, then add the EAV device after the installation using the tools provided in the s390-utils package.
PackageKit
component- If you are being asked repeatedly to enter your root password while using PackageKit to update your system via non-Red Hat repositories, you may be affected by the PackageKit issue described in Section 2.11, “Desktop”.
2.4. Virtualization
ovirt-node
component, BZ#747102- Upgrades from Beta to the GA version will result in an incorrect partitioning of the host. The GA version must be installed clean. UEFI machines must be set to legacy boot options for RHEV-H to boot successfully after installation.
kernel
component- When a system boots from SAN, it starts the
libvirtd
service, which enables IP forwarding. The service causes a driver reset on both Ethernet ports which causes a loss of all paths to an OS disk. Under this condition, the system cannot load firmware files from the OS disk to initialize Ethernet ports, eventually never recovers paths to the OS disk, and fails to boot from SAN. To work around this issue add thebnx2x.disable_tpa=1
option to the kernel command line of the GRUB menu, or do not install virtualization related software and manually enable IP forwarding when needed. kernel
component- Booting Red Hat Enterprise Linux 6.2 as an HVM guest with more than one vCPU on machines that support SMEP and using Red Hat Enterprise Linux 5.7 and earlier Xen Hypervisors fails. To work around this issue, boot the guest with the
nosmep
kernel command line option. vdsm
component- If the
/root/.ssh
directory is missing from a host when it is added to a Red Hat Enterprise Virtualization Manager data center, the directory is created with a wrong SELinux context, and SSH'ing into the host is denied. To work around this issue, manually create the/root/.ssh
directory with the correct SELinux context:~]#
mkdir /root/.ssh
~]#chmod 0700 /root/.ssh
~]#restorecon /root/.ssh
vdsm
component- VDSM now configures libvirt so that connection to its local read-write UNIX domain socket is password-protected by SASL. The intention is to protect virtual machines from human errors of local host administrators. All operations that may change the state of virtual machines on a Red Hat Enterprise Virtualization-controlled host must be performed from Red Hat Enterprise Virtualization Manager.
libvirt
component- In earlier versions of Red Hat Enterprise Linux, libvirt permitted PCI devices to be insecurely assigned to guests. In Red Hat Enterprise Linux 6, assignment of insecure devices is disabled by default by libvirt. However, this may cause assignment of previously working devices to start failing. To enable the old, insecure setting, edit the
/etc/libvirt/qemu.conf
file, set therelaxed_acs_check = 1
parameter, and restartlibvirtd
(service libvirtd restart
). Note that this action will re-open possible security issues. virtio-win
component, BZ#615928- The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt
component, BZ#622649- libvirt uses transient iptables rules for managing NAT or bridging to virtual machine guests. Any external command that reloads the iptables state (such as running system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running any command or tool that changes the state of iptables, guests may lose access the network. To work around this issue, use the
service libvirt reload
command to restore libvirt's additional iptables rules. virtio-win
component, BZ#612801- A Windows virtual machine must be restarted after the installation of the kernel Windows driver framework. If the virtual machine is not restarted, it may crash when a memory balloon operation is performed.
qemu-kvm
component, BZ#720597- Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than 4GB of RAM and more than one CPU from a DVD medium often crashes during the final steps of the installation process due to a system hang. To work around this issue, use the Windows Update utility to install the Service Pack.
qemu-kvm
component, BZ#612788- A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned to a Windows 2008 guest. Either physical function can be device assigned to a Windows 2008 guest (PCI function 0 or function 1), but not both.
virt-v2v
component- In Red Hat Enterprise Linux 6.2, the default virt-v2v configuration is split into two files:
/etc/virt-v2v.conf
and/var/lib/virt-v2v/virt-v2v.db
. The former now contains only local customizations, whereas the latter contains generic configuration which is not intended to be customized. Prior to Red Hat Enterprise Linux 6.2, virt-v2v's-f
flag defaulted to/etc/virt-v2v.conf
. In Red Hat Enterprise Linux 6.2, it now defaults to both/etc/virt-v2v.conf
and/var/lib/virt-v2v/virt-v2v.db
. Data from both of these files is required during conversion.This change has no impact for most users. If a machine is upgraded from Red Hat Enterprise Linux 6.1 to Red Hat Enterprise Linux 6.2, the existing combined/etc/virt-v2v.conf
will not be updated. If a user explicitly specifies-f /etc/virt-v2v.conf
on the command line, the behavior will be identical to the one prior to update. If the user does not specify the-f
command line option, the configuration will use both/etc/virt-v2v.conf
and/var/lib/virt-v2v/virt-v2v.db
, with the former taking precedence.However, a freshly-installed Red Hat Enterprise Linux 6.2 machine with a default configuration no longer has all required data in/etc/virt-v2v.conf
. If the user explicitly specifies-f /etc/virt-v2v.conf
on the command line, virt-v2v will not be able to enable virtio support for any guests.To work around this issue, do use the-f
command line option, as this defaults to using both configuration files. If the-f
command line option is used, it must be specified twice: first for/etc/virt-v2v.conf
and second for/var/lib/virt-v2v/virt-v2v.conf
.If the virt-v2v command line cannot be altered, the/etc/virt-v2v.conf
file must contain a combined configuration file. This can be copied from a Red Hat Enterprise Linux 6.1 system, or created by copying all configuration elements from/var/lib/virt-v2v/virt-v2v.db
to/etc/virt-v2v.conf
. virt-v2v
component, BZ#618091- The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX guest has a disk with a snapshot, the snapshot must be on the same datastore as the underlying disk storage. If the snapshot and the underlying storage are on different datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v
component, BZ#678232- The VMware Tools application on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. Consequently, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in errors. These errors usually manifest as error messages on start-up, and a "Stop Error" (also known as a BSOD) when shutting down the guest. To work around this issue, uninstall VMware Tools on Microsoft Windows guests prior to conversion.
spice-client
component- Sound recording only works when there is no application accessing the recording device at the client start-up.
2.5. Storage and File Systems
device-mapper-multipath
component- Multipath's
queue_without_daemon yes
default option queues I/O even though all iSCSI links have been disconnected when the system is shut down, which causes LVM to become unresponsive when scanning all block devices. As a result, the system cannot be shut down. To work around this issue, add the following line into thedefaults
section of/etc/multipath.conf
:queue_without_daemon no
initscripts
component- If the
/etc/fstab
file contains an NFS mount entry that has the file system check (fsck) enabled, the netfs service responsible for mounting and unmounting NFS file systems initializes the file system check. Because NFS is not a block-level file system, this operation fails, and subsequently also fails the system boot itself. To work around this problem, disable the file system check by setting the sixth vaule for NFS mount entries to0
. iscsi-initiator-utils
component, BZ#739843- iSCSI discovery via a TOE (TCP Offload Engine) interface fails when the
iscsiadm -m iface
has never been executed. This is due to theiscsiadm -m discovery
command not checking interface settings while theiscsiadm -m iface
does. To work around this issue, run theiscsiadm -m iface
command at least once after installing the iscsi-initiatio-utils package. Once the interface setting is updated, discoveries are performed with no errors. vdsm
component- Attempting to create/extend a storage domain on/with a device that exposes a block size different than 512 bytes such create/extend request to fail. To work around this issue, the storage must be configured to expose a block size of 512 bytes.
kernel
component, BZ#606260- The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not supported by Red Hat and violates the RFC 3530 standard.
lvm2
component- The dracut utility currently only supports one FiberChannel over Ethernet (FCoE) connection to be used to boot from the root device. Consequently, booting from a root device that spans multiple FCoE devices (for example, using RAID, LVM or similar techniques) is not possible.
-
lvm2
component - The
pvmove
command cannot currently be used to move mirror devices. However, it is possible to move mirror devices by issuing a sequence of two commands. For mirror images, add a new image on the destination PV and then remove the mirror image on the source PV:~]$
lvconvert -m +1 <vg/lv> <new PV>
~]$lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:~]$
lvconvert --mirrorlog core <vg/lv>
~]$lvconvert --mirrorlog disk <vg/lv> <new PV>
or~]$
lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$lvconvert --mirrorlog disk <vg/lv> <old PV>
2.6. Networking
NetworkManager
component- To ensure that RFC3442-standard classless static routes provided by a DHCP server are processed correctly when using NetworkManager, the following lines should be placed into the
/etc/dhclient.conf
file or, if using per-interface DHCP options, the/etc/dhclient-<ifname>.conf
file:option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; option ms-classless-static-routes code 249 = array of unsigned integer 8; also request rfc3442-classless-static-routes; also request ms-classless-static-routes;
The above lines will ensure that RFC3442 classless static routes are requested from the DHCP server, and that they are properly processed by NetworkManager. iprutils
component- Users of the IBM PCI-E Gen2 6GB SAS RADI adapter (FC 5913) in Red Hat Enterprise Linux 6.2 may encounter the following issues:
- Updating firmware on a storage drawer that is connected to the adapter mentioned above using the
iprconfig
command fails. - Attempting to change the asymmetric access for an array results in a failure. Additionally, not specifying asymmetric access as an option to the
iprconfig
command results in a failure as well.
2.7. Clustering
corosync
component, BZ#722469- A double ring failure results in the spinning of the corosync process. Also, because DLM relies on SCTP, which is non-functional, many features of the cluster software that rely on DLM do not work properly.
luci
component, BZ#615898luci
will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node hasricci
version 0.12.2-14
2.8. Authentication
- Identity Management component
- When transitioning to a fully supported Identity Management version in Red Hat Enterprise Linux 6.2, uninstall any previous beta version of Identity Management or Technology Preview parts of Red Hat Enterprise Identity (IPA) available in the Red Hat Enterprise Linux 6.1 Technology Preview and install Identity Management again.
- Identity Management component
- When an Identity Management server is installed with a custom hostname that is not resolvable, the
ipa-server-install
command should add a record to the static hostname lookup table in/etc/hosts
and enable further configuration of Identity Management integrated services. However, a record is not added to/etc/hosts
when an IP address is passed as an CLI option and not interactively. Consequently, Identity Management installation fails because integrated services that are being configured expect the Identity Management server hostname to be resolvable. To work around this issue, complete one of the following:- Run the
ipa-server-install
without the--ip-address
option and pass the IP address interactively. - Add a record to
/etc/hosts
before the installation is started. The record should contain the Identity Management server IP address and its full hostname (thehosts(5)
man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is not resolvable. sssd
component, BZ#750922- Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library
libldb
. This failure occurs when the SSSD cache contains internal entries whose distinguished name contains the\,
character sequence. The most likely example of this is for an invalidmemberUID
entry to appear in an LDAP group of the form:memberUID: user1,user2
memberUID
is a multi-valued attribute and should not have multiple users in the same attribute.If the upgrade issue occurs, identifiable by the following debug log message:(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still active in ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the/var/lib/sss/db/cache_<DOMAIN>.ldb
file and restart SSSD.Warning
Removing the/var/lib/sss/db/cache_<DOMAIN>.ldb
file purges the cache of all entries (including cached credentials). sssd
component, BZ#751314- When a group contains certain incorrect multi-valued
memberUID
values, SSSD fails to sanitize the values properly. ThememberUID
value should only contain one username. As a result, SSSD creates incorrect users, using the brokenmemberUID
values as their usernames. This, for example, causes problems during cache indexing. - Identity Management component, BZ#750596
- Two Identity Management servers, both with a CA (Certificate Authority) installed, use two replication replication agreements. One is for user, group, host, and other related data. Another replication agreement is established between the CA instances installed on the servers. If the CA replication agreement is broken, the Identity Management data is still shared between the two servers, however, because there is no replication agreement between the two CAs, issuing a certificate on one server will cause the other server to not recognize that certificate, and vice versa.
- Identity Management component
- The Identity Management (ipa) package cannot be build with a
6ComputeNode
subscription. - Identity Management component
- On the configuration page of the Identity Management WebUI, if the User search field is left blank, and the search button is clicked, an internal error is returned.
sssd
component, BZ#741264- Active Directory performs certain LDAP referral-chasing that is incompatible with the referral mechanism included in the openldap libraries. Notably, Active Directory sometimes attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is now denied by the openldap libraries. As a result, SSSD may suffer from performance issues and occasional failures resulting in missing information.To work around this issue, disable referral-chasing by setting the following parameter in the
[domain/DOMAINNAME]
section of the/etc/sssd/sssd.conf
file:ldap_referrals = false
2.9. Devices
kernel
component- The Red Hat Enterprise Linux 6.2 Emulex FC (lpfc) driver does not support firmware downloads for LPe1600x 16 Gbit/s Fibre Channel adapters. Please consult your OEM for instructions on how to download new firmware on these Fibre Channel adapters.
kernel
component- iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise Linux 6.2. These two new features, which have been added to the
bnx2i
andbnx2fc
Broadcom drivers in Red Hat Enterprise Linux 6.2, remain a Technology Preview until further notice. kexec-tools
component- Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core to the Brtfs file system. However, note that because the findfs utility in busybox does not support Btrfs yet,
UUID/LABEL
resolving is not functional. Avoid using theUUID/LABEL
syntax when dumping core to Btrfs file systems. kexec-tools
component, BZ#600575- The persistent naming of devices that are dynamically discovered in a system is a large problem that exists both in and outside of kdump. Normally, devices are detected in the same order, which leads to consistent naming. In cases where devices are not detected in the same order, device abstraction layers (for example, LVM) essentially resolve the issue, through the use of metadata stored on the devices to create consistency. In the rare cases where no such abstraction layer is in use, and renaming devices causes issues with kdump, it is recommended that devices be referred to by disk label or UUID in
kdump.conf
. trace-cmd
component- The
trace-cmd
service does start on 64-bit PowerPC and IBM System z systems because thesys_enter
andsys_exit
events do not get enabled on the aforementioned systems. trace-cmd
component- trace-cmd's subcommand,
report
, does not work on IBM System z systems. This is due to the fact that theCONFIG_FTRACE_SYSCALLS
parameter is not set on IBM System z systems. tuned
component- Red Hat Enterprise Linux 6.1 and later enter processor power-saving states more aggressively. This may result in a small performance penalty on certain workloads. This functionality may be disabled at boot time by passing the
intel_idle.max_cstate=0
parameter, or at run time by using the cpu_dma_latency pm_qos interface. libfprint
component- Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may cause the fingerprint reader daemon to crash. The following command returns the version of the device being used in an individual machine:
~]$
lsusb -v -d 147e:2016 | grep bcdDevice
kernel
component- The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in compliance with the FC-SP specification. Note, however that the Emulex driver (
lpfc
) does support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication. kernel
component- The recommended minimum HBA firmware revision for use with the
mpt2sas
driver is "Phase 5 firmware" (that is, with version number in the form05.xx.xx.xx
). Note that following this recommendation is especially important on complex SAS configurations involving multiple SAS expanders.
2.10. Kernel
kernel
component- When booted off a
qla4xxx
device, upgrading from Red Hat Enterprise Linux 6.1 to Red Hat Enterprise Linux 6.2 will cause the system to fail to boot up with the new kernel. There are various ways to work around this issue:- You have upgraded to Red Hat Enterprise Linux 6.2 and want the
qla4xxx
device firmware to manage discovering and logging in to iSCSI targets.- Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
- Disable SysfsBoot for the
qla4xxx
device:~]#
echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
- Rebuild initramfs for the Red Hat Enterprise Linux 6.2 kernel by re-installing the kernel:
~]#
yum -y reinstall kernel
- You have not upgraded to Red Hat Enterprise Linux 6.2 and want the
qla4xxx
device firmware to manage discovering and logging in to iSCSI targets.- Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
- Disable SysfsBoot for the
qla4xxx
device:~]#
echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
- Proceed with the upgrade to Red Hat Enterprise Linux 6.2.
- You have upgraded to Red Hat Enterprise Linux 6.2 and want to use open-iscsi to manage the
qla4xxx
discovery and login process.- Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
- Install the iscsi-initiator-utils and dracut-network packages:
~]#
yum install -y dracut-network iscsi-initiator-utils
- Rebuild initramfs for the Red Hat Enterprise Linux 6.2 kernel by re-installing the kernel:
~]#
yum -y reinstall kernel
- Add the
iscsi_firmware
kernel option into GRUB's configuration:/boot/grub/menu.lst
(for LILO, the Linux Loader, modify the/etc/lilo.conf
file).
- You have not upgraded to Red Hat Enterprise Linux 6.2 and want to use open-iscsi to manage the
qla4xxx
discovery and login process.- Install the iscsi-initiator-utils and dracut-network packages:
~]#
yum install -y dracut-network iscsi-initiator-utils
- Proceed with the upgrade to Red Hat Enterprise Linux 6.2.
- Add the
iscsi_firmware
kernel option into GRUB's configuration:/boot/grub/menu.lst
(for LILO, the Linux Loader, modify the/etc/lilo.conf
file).
kernel
component, BZ#679262- In Red Hat Enterprise Linux 6.2, due to security concerns, addresses in
/proc/kallsyms
and/proc/modules
show all zeros when accessed by a non-root user. kernel
component- Red Hat Enterprise Linux 6.1 PCI-Express Adapters may fail to configure on October 2011 GA IBM Power 7 systems. For more information, refer to https://access.redhat.com/site/solutions/66231.
kernel
component- Superfluous information is displayed on the console due to a correctable machine check error occurring. This information can be safely ignored by the user. Machine check error reporting can be disabled by using the
nomce
kernel boot option, which disables machine check error reporting, or themce=ignore_ce
kernel boot option, which disables correctable machine check error reporting. -
kernel
component - The order in which PCI devices are scanned may change from one major Red Hat Enterprise Linux release to another. This may result in device names changing, for example, when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you refer to during installation, is the intended device.One way to assure the correctness of device names is to, in some configurations, determine the mapping from the controller name to the controller's PCI address in the older release, and then compare this to the mapping in the newer release, to ensure that the device name is as expected.The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC … kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add thepci=bfsort
parameter to the kernel command line, and check again. kernel
component- Enabling CHAP (Challenge-Handshake Authentication Protocol) on an iSCSI target for the
be2iscsi
driver results in kernel panic. To work around this issue, disable CHAP on the iSCSI target. kernel
component- Newer VPD (Vital Product Data) blocks can exceed the size the
tg3
driver normally handles. As a result, some of the routines that operate on the VPD blocks may fail. For example, thenvram
test fails when running theethtool –t
command on BCM5719 and BCM5720 Ethernet Controllers. kernel
component- Running the
ethtool -t
command on BCM5720 Ethernet controllers causes a loopback test failure because thetg3
driver does not wait long enough for a link. kernel
component- The
tg3
driver in Red Hat Enterprise Linux 6.2 does not include support for Jumbo frames and TSO (TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a result, the following error message is returned when attempting to configure, for example, Jumbo frames:SIOCSIFMTU: Invalid argument
kernel
component- The default interrupt configuration for the Emulex LPFC FC/FCoE driver has changed from INT-X to MSI-X. This is reflected by the
lpfc_use_msi
module parameter (in/sys/class/scsi_host/host#/lpfc_use_msi
) being set to2
by default, instead of the previous0
.Two issues provide motivation for this change: SR-IOV capability only works with the MSI-X interrupt mode, and certain recent platforms only support MSI or MSI-X.However, the change to the LPFC default interrupt mode can bring out host problems where MSI/MSI-X support is not fully functional. Other host problems can exist when running in the INT-X mode.If any of the following symptoms occur after upgrading to, or installing Red Hat Enterprise Linux 6.2 with an Emulex LPFC adapter in the system, change the value of thelpfc
module parameter,lpfc_use_msi
, to0
:- The initialization or attachment of the
lpfc
adapter may fail with mailbox errors. As a result, thelpfc
adapter is not configured on the system. The following message appear in/var/log/messages
:lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0 lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0 lpfc 0000:04:08.0: 0:1477 Failed to set up hba ACPI: PCI interrupt for device 0000:04:08.0 disabled
- While the
lpfc
adapter is operating, it may fail with mailbox errors, resulting in the inability to access certain devices. The following message appear in/var/log/messages
:lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00 lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
- Performing a warm reboot causes any subsequent boots to halt or stop because the BIOS is detecting the
lpfc
adapter. The system BIOS logs the following messages:Installing Emulex BIOS ...... Bringing the Link up, Please wait... Bringing the Link up, Please wait...
kernel
component- The minimum firmware version for NIC adapters managed by
netxen_nic
is 4.0.550. This includes the boot firmware which is flashed in option ROM on the adapter itself. kernel
component- The kdump kernel occasionally panics on a DELL PowerEdge R810 system with the i686 architecture.
kernel
component- Running the LTP (Linux Testing Project) cgroup test suite on certain AMD systems causes NMI Watchdog to detect a hard LOCKUP and cause kernel panic.
kernel
component, BZ#683012- High stress on 64-bit IBM POWER series machines prevents kdump from successfully capturing the
vmcore
. As a result, the second kernel is not loaded, and the system becomes unresponsive. kernel
component- Loading and unloading
edac
modules in a loop on certain HP systems may cause kernel panic. kernel
component- If the storage driver is loaded before
multipathd
is started, I/O errors occur. To work around this issue, use one of the following kernel command line parameters which are consumed by dracut:rdloaddriver=scsi_dh_emc
orrdloaddriver=scsi_dh_rdac
orrdloaddriver=scsi_dh_emc,scsi_dh_rdac
The above command line parameters will cause thescsi_dh
module to load before multipath is started. kernel
component- Triggering kdump to capture a
vmcore
through the network using the Intel 82575EB ethernet device in a 32 bit environment causes the networking driver to not function properly in the kdump kernel, and prevent thevmcore
from being captured. kernel
component, BZ#701857- Attempting to hibernate certain laptops, including Lenovo ThinkPad T400 and Lenovo ThinkPad X200, can cause kernel panic.
kernel
component- On a system configured with an HP Smart Array controller, during the kdump process, the capturing kernel can become unresponsive and the following error message is logged:
NMI: IOCK error (debug interrupt?)
As a workaround, the system can be configured by blacklisting thehpsa
module in a configuration file such as/etc/modules.d/blacklist.conf
, and specifying thedisk_timeout
option so that saving thevmcore
over the network is possible. -
kernel
component - Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be incorrect following a suspend/resume cycle. This can cause graphics performance (specifically, scrolling) to slow considerably after a suspend/resume cycle.To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs around suspend/resume, for example:
#!/bin/sh # Disable hyper-threading processor cores on suspend and hibernate, re-enable # on resume. # This file goes into /etc/pm/sleep.d/ case $1 in hibernate|suspend) echo 0 > /sys/devices/system/cpu/cpu1/online echo 0 > /sys/devices/system/cpu/cpu3/online ;; thaw|resume) echo 1 > /sys/devices/system/cpu/cpu1/online echo 1 > /sys/devices/system/cpu/cpu3/online ;; esac
kernel
component- In Red Hat Enterprise Linux 6.2,
nmi_watchdog
registers with theperf
subsystem. Consequently, during boot, theperf
subsystem grabs control of the performance counter registers, blocking OProfile from working. To resolve this, either boot with thenmi_watchdog=0
kernel parameter set, or run the following command to disable it at run time:echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enablenmi-watchdog
, use the following commandecho 1 > /proc/sys/kernel/nmi_watchdog
kernel
component, BZ#603911- Due to the way ftrace works when modifying the code during start-up, the NMI watchdog causes too much noise and ftrace can not find a quiet period to instrument the code. Consequently, machines with more than 512 CPUs will encounter issues with the NMI watchdog. Such issues will return error messages similar to
BUG: NMI Watchdog detected LOCKUP
and have eitherftrace_modify_code
oripi_handler
in the backtrace. To work around this issue, disable NMI watchdog by setting thenmi_watchdog=0
kernel parameter, or using the following command at run time:echo 0 > /proc/sys/kernel/nmi_watchdog
kernel
component- On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a
vmcore
via NFS. To work around this issue, utilize other kdump facilities, for example dumping to the local file system, or dumping over SSH. kernel
component, BZ#587909- A BIOS emulated floppy disk might cause the installation or kernel boot process to hang. To avoid this, disable emulated floppy disk support in the BIOS.
kernel
component- The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either
nmi_watchdog=2
ornmi_watchdog=lapic
parameters. The parameternmi_watchdog=1
is not supported. -
kernel
component - The kernel parameter,
pci=noioapicquirk
, is required when installing the 32-bit variant of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change is not required when installing the 64-bit variant.
2.11. Desktop
PackageKit
component- Installing or updating packages signed with a GPG key not known or accessible to the system may throw PackageKit in a loop of password dialogues, repeatedly asking the user to confirm the installation of these packages from an untrusted source.This issue may occur if additional third party repositories are configured on the system for which the GPG public key is not imported into the RPM database, nor specified in the respective Yum repository configuration. Official Red Hat Enterprise Linux repositories and packages should not be affected by this issue.To work around this issue, import the respective GPG public key into the RPM database by executing the following command as root:
~]#
rpm --import <file_containing_the_public_key>
gnome-power-manager
component, BZ#748704- After resuming the system or re-enabling the display, an icon may appear in the notification area with a tooltip that reads:
Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor. Please see http://blogs.gnome.org/hughsie/2009/08/17/gnome-power-manager-and-blanking-removal-of-bodges/ for more information.
This error message is incorrect, has no effect on the system, and can be safely ignored. acroread
component- Running a AMD64 system without the sssd-client.i686 package installed, which uses SSSD for getting information about users, causes acroread to fail to start. To work around this issue, manually install the sssd-client.i686 package.
kernel
component, BZ#681257- With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for pre-G80 nVidia chipsets. Consequently, the resolution auto-detected by X for some monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd
component- When enabled, fingerprint authentication is the default authentication method to unlock a workstation, even if the fingerprint reader device is not accessible. However, after a 30 second wait, password authentication will become available.
evolution
component- Evolution's IMAP backend only refreshes folder contents under the following circumstances: when the user switches into or out of a folder, when the auto-refresh period expires, or when the user manually refreshes a folder (that is, using the menu item Folder → Refresh). Consequently, when replying to a message in the Sent folder, the new message does not immediately appear in the Sent folder. To see the message, force a refresh using one of the methods describe above.
anaconda
component- The clock applet in the GNOME panel has a default location of Boston, USA. Additional locations are added via the applet's preferences dialog. Additionally, to change the default location, left-click the applet, hover over the desired location in the Locations section, and click the Set... button that appears.
xorg-x11-server
component, BZ#623169- In some multi-monitor configurations (for example, dual monitors with both rotated), the cursor confinement code produces incorrect results. For example, the cursor may be permitted to disappear off the screen when it should not, or be prevented from entering some areas where it should be allowed to go. Currently, the only workaround for this issue is to disable monitor rotation.
Chapter 3. New Packages
Enhancement
- BZ#688194
- With this update, the libvirt-qmf package obsoletes the libvirt-qpid package, which provided similar functionality. The new package uses the matahari library to provide an interface consistent with that of other Matahari agents.Note: After installation, it is advisable to convert existing QMF consoles, that previously connected to libvirt-qpid, to use libvirt-qmf as their interface. Also, when creating a new QMF console, it is recommended to use libvirt-qmf to communicate with libvirt.
Important
Important
Important
Important
Chapter 4. Package Updates
Important
4.1. 389-ds-base
Bug Fixes
- BZ#720458
- If a server sent a response to an unbind request and the client simply closed the connection, Directory Server 8.2 logged "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)".
- BZ#752155
- An incorrect SELinux context caused AVC errors in /var/log/audit/audit.log.
- BZ#697663, BZ#700665, BZ#711533, BZ#711241, BZ#726136, BZ#700215
- A number of memory leaks and performance errors were fixed.
- BZ#711266
- The DS could not restart after a new object class was created which used the entryUSN attribute.
- BZ#712167
- The ns-slapd process segfaulted if suffix referrals were enabled.
- BZ#711513
- A high volume of TCP traffic could cause the slapd process to quit responding to clients.
- BZ#714298
- Attempting to delete a VLV index caused the server to hang.
- BZ#720051
- Connections to the DS by an RSA authentication server using simple paged results by default would timeout.
- BZ#735217
- Running a simple paged search against a subtree with a host-based ACI would hang the server.
- BZ#733443
- If the target attribute list for an ACI had syntax errors and more than five attributes, the server crashed.
- BZ#734267
- It was not possible to set account lockout policies after upgrading from RHDS 8.1.
- BZ#720452
- Adding an entry with an RDN containing a % caused the server to crash.
- BZ#709868
- Only FIPS-supported ciphers can be used if the server is running in FIPS mode.
- BZ#711265
- It is possible to disable SSLv3 and only allow TLS.
- BZ#713317, BZ#713318
- If the changelog was encrypted and the certificate became corrupt, the server crashed.
- BZ#733434
- If the passwordisglobalpolicy attribute was enabled on a chained server, a secure connection to the master failed.
- BZ#714310
- If a chained database was replicated, the server could segfault.
- BZ#694571
- Editing a replication agreement to use SASL/GSS-API failed with GSS-API errors.
- BZ#742611
- In replication, a msgid may not be sent to the right thread, which caused "Bad parameter to an LDAP routine" errors. This causes failures to propagate up and halt replication.
- BZ#701057
- Password changes were replicated among masters replication, but not to consumers.
- BZ#717066
- If an entry was modified on RHDS and the corresponding entry was deleted on the Windows side, the sync operation attempts to use the wrong entry.
- BZ#734831
- Some changes were not properly synced over to RHDS from Windows.
- BZ#726273
- RHDS entries were not synced over to Windows if the user's CN had a comma.
- BZ#718351
- Intensive update loads on master servers could break the cache on the consumer, causing it to crash.
- BZ#699458
- Syncing a multi-valued attribute could delete all the other instances of that attribute when a new value was added.
- BZ#729817
- If a synced user subtree on Windows was deleted and then a user password was changed on the RHDS, the DS would crash.
Enhancements
- BZ#742382
- The nsslapd-idlistscanlimit configuration attribute can be set dynamically, instead of requiring a restart.
- BZ#742661
- Separate resource limits can be set for paged searches, independent of resource limits for regular searches.
- BZ#720459
- The sudo schema has been updated.
- BZ#739959
- A new configuration attribute sets a different list of replicated attributes for a total update versus an incremental update.
- BZ#733440
- A new configuration option allows the server to be started with an expired certificate.
- BZ#720461
- New TLS/SSL error messages have been added to the replication error log level.
Bug Fixes
- BZ#758682
- When the LDAP server was under a heavy load, and the network was congested, client connections could experience problems. If there was a connection problem while the server was sending Simple Paged Result (SPR) search results to the client, the LDAP server called a cleanup routine incorrectly. This led to a memory leak and the server terminated unexpectedly. With this update, the underlying code has been modified to ensure that cleanup tasks are run correctly and memory leaks no longer occur. The LDAP server no longer crashes in this scenario.
- BZ#758683
- Previously, certain operations with the Change Sequence Number (CSN) were not very effective in 389 Directory Server. Therefore, performing a large number of the modrdn operations during Directory Server content replications led to poor performance, and the ns-slapd daemon consumed up to 100% CPU under these circumstances. With this update, the underlying code has been modified to use these CSN operations efficiently so that replications in Directory Server now work as expected in this scenario.
- BZ#758688
- Previously, allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method, when checking the Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. Memory leaks no longer occur and the LDAP server no longer crashes in this scenario.
- BZ#771631
- Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. This implementation allowed deadlocks to occur if 389 Directory Server was under a heavy load, which caused the server to become unresponsive. With this update, 389 Directory Server now uses the POSIX implementation of the locking mechanism, and deadlocks no longer occur under a heavy load.
- BZ#771632
- Under a heavy load in replicated environments, 389 Directory Server did not handle the Entry USN index correctly. Consequently, the index could become out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the Entry USN plug-in and 389 Directory Server now handles the Entry USN index as expected.
4.2. abrt and libreport
Bug Fixes
- BZ#610603
- The abrt-gui application used to list plug-ins multiple times if they were configured in the configuration file. This is now fixed.
- BZ#627621
- In the previous version of ABRT, a daemon restart was required for any changes in the configuration to take effect. In the new version, most of the options in the configuration file no longer require a restart.
- BZ#653872
- Support for retrace server has been added. Refer to https://fedorahosted.org/abrt/wiki/AbrtRetraceServer for more information about this new feature.
- BZ#671354
- By default, ABRT stores all problem information in the /var/spool/abrt/ directory. Previously, this path was hard coded and could not be changed in the configuration. With this update, this path can be changed in the /etc/abrt/abrt.conf configuration file.
- BZ#671359
- The previous documentation failed to cover some customer use cases. This error has been fixed, and all of these use cases are now covered in the Red Hat Enterprise Linux 6 Deployment Guide.
- BZ#673173
- In ABRT version 1, it was not possible to use wildcards to specify that some action should happen for any user. ABRT version 2 adds support for this functionality.
- BZ#695416
- The lacking information about configuring a proxy has been added to the Red Hat Enterprise Linux 6 Deployment Guide.
- BZ#707950
- Previously, a bug in ABRT version 1 was preventing a local Python build to finish. This is now fixed.
- BZ#725660
- The previous report tool and report library have been obsoleted by abrt and libreport. Users can notice the change in the problem reporting user interface of Anaconda, setroubleshoot, and ABRT.
4.3. acl
Bug Fixes
- BZ#674883
- Prior to this update, the setfacl.1 man page was not intelligible in that it did not state that removing a non-existent ACL entry is not considered to be an error. With this update, the setfacl.1 man page has been updated so that its content is now intelligible and exactly specifies the aforementioned behavior with regard to removing a non-existent ACL entry.
- BZ#702638
- Prior to this update, the package specification did not reflect a change of the upstream project web page address. This update corrects the respective address in the package specification.
Enhancements
- BZ#720318
- Prior to this update, the ACL library did not provide any function to check for extended ACLs of a file without following symbolic links. The only available function, acl_extended_file(), used to cause unnecessary mounts of autofs. This update introduces a new function, acl_extended_file_nofollow(), that checks for extended ACLs of a file without following symbolic links.
- BZ#723998
- Previously, the ACL library was linked without support for RELRO (read-only relocations) flags. With this update, the library is now linked with partial RELRO support.
4.4. aide
Bug Fix
- BZ#811936
- Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0486 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.
4.5. alsa-lib
Bug Fix
- BZ#704772
- Prior to this update, the alsa output plugin for the Audacious Audio Player did not work correctly. As a result, Audacious could under certain circumstances fail to generate any sound and display error messages. With this update, alsa-lib is modified so that Audacious can now generate sound as expected.
4.6. anaconda
Bug Fixes
- BZ#641861
- Issues with "interactive" mode partitioning are fixed.
- BZ#731274
- The network command is parsed correctly.
- BZ#689996
- The /boot partition on EFI systems is handled correctly.
- BZ#705274
- Files that are necessary for libreport and SSL installation mode have been added.
- BZ#676404
- Symbolic links to LVM commands have been added to the rescue image.
- BZ#730650
- The /sbin/cio_ignore command is added to initrd.img for IBM System z.
- BZ#689029
- Support for dracut-style "rdloaddriver=" and "rdblacklist=" parameters is added.
- BZ#679108
- Support for static addresses in "ipv6=" is added.
- BZ#706099
- A testing framework for stub commands is added.
- BZ#699745
- Driver disks support multiple kernel versions and are also built for Red Hat Enterprise Linux 6.0 and 6.1.
- BZ#668570
- Network connection is brought up before saving a bug report.
- BZ#715130
- Errors in .treeinfo are detected.
- BZ#698282
- The xhost authentication is changed when performing live installation.
- BZ#664981, BZ#726804
- Debugging improvements in loader and package installation code have been made.
- BZ#679810
- The dialog box focus and initialization have been corrected.
- BZ#701220
- The iSCSI Login button is disabled when no nodes are selected.
- BZ#695362
- When a mount point is set to /boot, the file system type is no longer changed.
- BZ#728280, BZ#725777, BZ#723194, BZ#723344, BZ#694800, BZ#621175
- EDD handling improvements have been made, including Xen and CCISS.
- BZ#698429
- Extended partitions are handled correctly.
- BZ#681803
- Handling of "network --device=bootif" is corrected.
- BZ#750764
- Centering of the Anaconda window when an external display is present is corrected.
- BZ#605938
- Encrypted device lines written to kickstart files are corrected.
- BZ#618535
- zFCP multipath devices can be added in the user interface as expected.
- BZ#732380
- iSCSI discovery that returns no devices is handled correctly.
- BZ#704593
- Systems with more than 2147483647 kB of memory are handled properly.
- BZ#712487
- The header image is hidden on all but 800x600 displays.
- BZ#690058
- The "noprobe" parameter for driver disks is honored.
- BZ#713991
- The "linksleep=" boot parameter is honored.
- BZ#699640
- Installation sources (including NFS ISO storages) are mounted correctly.
- BZ#679397
- Processes in the anaconda process group are killed when the system is shut down.
- BZ#693271
- Partitioning alignment is corrected.
- BZ#616641
- Progress indicator improvements for device discovery and command line mode have been made.
- BZ#691817, BZ#690748
- Kickstart network failures and device name collisions are handled properly.
- BZ#691910
- The "crashkernel=" parameter in a kickstart file is handled properly.
- BZ#712195
- Support for the "ext4migrate" parameter has been removed.
- BZ#706675
- The language and keyboard selection screens are now skipped in stage2 when possible.
- BZ#614504
- Device capacity values are sorted as numbers, not characters.
- BZ#695740
- Swap partitions are handled correctly.
- BZ#676118
- The "--target" option is used in kickstart files for iSCSI devices.
- BZ#701371, BZ#696876, BZ#674241, BZ#734374, BZ#729716
- Various multipath and raid storage bugs are fixed.
- BZ#679073
- Anaconda verifies that devices specified with "part" can be partitioned.
Enhancements
4.7. apr
Bug Fix
- BZ#830265
- Previously, a bug in the handling of IPv6 sockets was present in the apr_mcast_hops() function. This bug could have prevented applications from successfully using multicast with IPv6 sockets. With this update, this bug has been fixed so that the applications now operate correctly.
4.8. at
Bug Fix
- BZ#783190
- Due to an error in the time-parsing routine, the "at" command incorrectly calculated the year when a job was scheduled by using days on input. For example: "at now + 10 days". This update fixes erroneous grammar so that "at" now schedules jobs correctly.
4.9. atlas
4.10. attr
Bug Fixes
- BZ#651119
- Prior to this update, the setfattr utility could not restore the original values of the attributes when the "getfattr -e text" or "getfattr --encoding=text" command was used to dump attributes with embedded null characters. This update fixes the encoding of these values in getfattr to prevent information loss.
- BZ#665049
- Prior to this update, the getfattr utility followed symbolic links to directories even if the "-h" or "--no-dereference" option was specified. Additionally, the description in the getfattr(1) man page that related to this functionality was misleading. This update fixes getfattr with the "-h" option so that it no longer follows the symbolic links and the related content of the getfattr(1) man page is now correct.
- BZ#665050
- Prior to this update, the getfattr utility did not return a non-zero exit code when an attribute specified in the "getfattr" command did not exist. This update fixes getfattr so that it now returns a non-zero exit code when an attribute does not exist.
- BZ#674870
- Prior to this update, supported methods for encoding values of the extended attributes were not properly described in the setfattr(1) man page. This update adds the appropriate descriptions of the encoding methods to the setfattr(1) man page.
- BZ#702639
- Prior to this update, the project web page address as stated in the package specification did not reflect the change of the upstream project web page address. This update corrects the project web page address in the package specification.
- BZ#727307
- Prior to this update, the attr library was built without support for read-only relocations (RELRO) flags. With this update, the library is now built with partial RELRO support.
4.11. audit
Bug Fixes
- BZ#715279
- Previously, the audit daemon was logging messages even when configured to ignore "disk full" and "disk error" actions. With this update, audit now does nothing if it is set to ignore these actions, and no messages are logged in the described scenario.
- BZ#715315
- Previously, the Audit remote logging client received a "disk error" event instead of "disk full" event from a server when the server's disk space ran out. This bug has been fixed and the logging client now returns the correct event in the described scenario.
- BZ#748124
- Prior to this update, the audit system was identifying the accept4() system call as the now deprecated paccept() system call. Now, the code has been fixed and audit uses the correct identifier for the accept4() system call.
- BZ#709345
- Previously, the "auditctl -l" command returned 0 even if it failed because of dropped capabilities. This bug has been fixed and a non-zero value is now returned if the operation is not permitted.
- BZ#728475
- When Kerberos support was disabled, some configuration options in the audisp-remote.conf file related to Kerberos 5 generated warning messages about GSSAPI support during boot. With this update, the options are now commented out in the described scenario and the messages are no longer returned.
- BZ#700005
- On i386 and IBM System z architectures, the "autrace -r /bin/ls" command returned error messages even though all relevant rules were added correctly. This bug has been fixed and no error messages about sending add rule data requests are now returned in the described scenario.
4.12. augeas
Bug Fix
- BZ#693539
- Previously, due to a bug in the source code, parsing invalid files failed silently without any error message. With this update, error messages are provided to inform users about the problem.
4.13. autofs
Bug Fixes
- BZ#704935
- The autofs utility did not reset the map entry status on a reload request. As a result, newly added map entries that had previously recorded a mount failure failed to work. With this update, autofs resets the map entry status on a reload request and map entries are mounted as expected.
- BZ#704939
- The autofs utility could have terminated with a segmentation fault when attempting certain mounts. This occurred due to a race condition between mount handling threads for mounts that had previously recorded a mount failure. The automount cache map entry is now verified to be valid.
- BZ#704940
- The automount(8) man page referred to a non-existent man page. This was caused by a typographical error in the code. With this update, the man page reference has been corrected and the man page is displayed as expected.
- BZ#704929
- Due to a deadlock, autofs could stop responding when attempting to mount map entries that were nested within maps. With this update, the underlying code has been changed and, where possible, nested map entries mount correctly.
- BZ#704933
- Prior to this update, automount could terminate unexpectedly with a pthreads error. This occurred because attempts to acquire the master map lock occasionally failed as the lock was held by another thread. With this update, the underlying code has been adapted to wait for a short time before failing.
- BZ#704928, BZ#704927
- When retrieving paged results from an LDAP (Lightweight Directory Access Protocol) server, autofs handled certain cases incorrectly, which caused the query to not obtain all results. This update adds the code that handles these additional cases.
- BZ#704937
- Prior to this update, if a key entry of an automount map began with an asterisk (*) sign, the daemon failed with a segmentation fault because the sign was not matched correctly. With this update, such asterisk signs are handled correctly.
- BZ#704228
- When using GSSAPI authentication, the fact that an incorrect authentication host name was being used caused the connection to fail. This update now gets the correct host name for the connection.
- BZ#692816
- automount was not performing sufficient sanity checks of server names in its configuration. This update corrects the configuration entry parsing.
- BZ#700136
- Error reporting for invalid mount locations was unclear. This update improves the error reporting.
- BZ#703332
- When an automount map key is present in a file map and is also present in an included map source, if the file map entry was removed and a lookup performed before a re-load was issued, the map lookup would have failed. This update corrects the logic used to determine if the lookup needs to continue into included maps.
- BZ#718927
- When reloading maps that include a combination of direct and indirect maps, it was possible for automount to deadlock due to incorrect lock ordering.
- BZ#
- There was inadvertent use of a small amount of GPLv3-licensed code from Samba in autofs. While this was permissible, it would have entailed explicitly relicensing autofs from "GPLv2 or later" to "GPLv3", which is not intended for autofs at this time. Therefore, the Samba-derived code has been replaced in order to maintain the "GPLv2 or later" licensing status of autofs.
Enhancements
- BZ#704416
- This update adds the "--dumpmaps" option to the automount command, which allows you to dump the maps from their source as seen by the automount daemon.
- BZ#704932
- This update adds simple Base64 encoding for LDAP and thus allows hashing of the password entries in the /etc/autofs_ldap_auth.conf configuration file.
Bug Fix
- BZ#787122
- A function to check validity of a mount location was meant to check only for a small subset of map location errors. A recent improvement modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.
4.14. autotrace
Bug Fix
- BZ#658057
- When installing autotrace-devel multilib RPM packages from the optional repository, file conflicts between these packages appeared, causing the installation transaction to abort. This problem has been fixed and the installation transaction now proceeds without conflicts.
4.15. bacula
Bug Fixes
- BZ#651776
- Prior to this update, the bacula packages were not distributed with the applybaculadate file. As a result, the logwatch cron script failed. The problem has been fixed by including the applybaculadate file in the bacula packages so that the logwatch cron script now works as expected.
- BZ#651780
- Prior to this update, the make_catalog_backup.pl script created a MySQL configuration file, which had the file permissions set to world-writeable and world-readable so that MySQL did not accept the configuration file with these permissions and the MySQL database login configuration was not used. As a result, it was not possible to complete a MySQL database dump. With this update, the configuration file is now created with correct permissions, and the MySQL database login configuration is used by MySQL so that it is now possible to complete the MySQL database dump as expected.
- BZ#651786
- Prior to this update, there was no option to change Bacula's runtime user. As a consequence, Bacula was always run under the root user. The problem has been fixed by adding support for the bacula-dir, bacula-fd, and bacula-sd files in the /etc/sysconfig/ directory; these files can be used for specifying a non-root user and group with the DIR_USER, FD_USER, SD_USER, and DIR_GROUP, FD_GROUP and SD_GROUP options, respectively. With this update, Bacula can be run under the specified user.
- BZ#651787
- Prior to this update, when creating a symbolic link to the "bscan" utility, the new link was erroneously named "dbcheck". As a result, the already existing "dbcheck" symbolic link was overwritten by the erroneous one. Thus the "dbcheck" command ran the "bscan" utility so that it was not possible to execute the "bscan" utility with the "bscan" command. The problem has been fixed in this update so that the "dbcheck" and "bscan" utilities now work as expected.
- BZ#657297
- Prior to this update, Bacula's default configuration missed a required option. As a result, the Bacula tray monitor component terminated unexpectedly. The problem has been fixed by adding the "Address" option to the "Director" section in the Bacula tray monitor configuration file so that the Bacula tray monitor now works as expected with the default configuration file. Note that this bug fix does not alter any existing Bacula tray monitor configuration file. As a consequence, the Bacula tray monitor can terminate unexpectedly if the existing Bacula tray monitor configuration is incorrect.
- BZ#689400
- Prior to this update, the backup size was computed incorrectly under certain circumstances. As a consequence, the reported size of the incremental backup could have been wrong. The problem has been fixed by correcting the backup size computation process so that the size of the incremental backup is now reported correctly.
- BZ#712794
- Prior to this update, the shadow-utils package was not listed among the package dependencies for Bacula. As a result, the bacula user and bacula group were not created when the shadow-utils package was not present on the system, and a warning message was displayed during the bacula packages installation. This bug has been fixed by adding shadow-utils to the package dependencies.
- BZ#712804
- Prior to this update, the chkconfig package, which contains the "alternatives" utility, was not listed among the package dependencies for Bacula. As a result, the bacula-dir and bacula-sd services were not configured, the "alternatives" utility was not found, and Bacula's symbolic links were not created. These problems have been fixed by adding chkconfig to the package dependencies.
4.16. bash
Bug Fix
- BZ#814271
- When a SIGCHLD signal was received in job control mode and a handler for the signal was installed, Bash called the trap handler within the signal handler itself. This was unsafe and could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation fault due to memory corruption. With this update, the trap handler is now called outside of the signal handler, and Bash no longer enters a deadlock, neither crashes in this scenario.
4.17. bfa-firmware
4.18. bind
Security Fixes
- CVE-2012-1667
- A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
- CVE-2012-1033
- A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
Bug Fixes
- BZ#699951
- Prior to this update, the code in libdns which sends DNS requests was not robust enough and suffered from a race condition. If a race condition occurred, the "named" name service daemon logged an error message in the format "zone xxx.xxx.xxx.in-addr.arpa/IN: refresh: failure trying master xxx.xxx.xxx.xxx#53 (source xxx.xxx.xxx.xxx#0): operation canceled" even when zone refresh was successful. This update improves the code to prevent a race condition in libdns and the error no longer occurs in the scenario described.
- BZ#700097
- A command or script traditionally gives a non-zero exit status to indicate an error. Prior to this update, the nsupdate utility incorrectly returned the exit status "0" (zero) when the target DNS zone did not exist. Consequently, the nsupdate command returned "success" even though the update failed. This update corrects this error and nsupdate now returns the exit status "2" in the scenario described.
- BZ#725577
- Prior to this update, named did not unload the bind-dyndb-ldap plugin in the correct places in the code. Consequently, named sometimes terminated unexpectedly during reload or stop when the bind-dyndb-ldap plugin was used. This update corrects the code, the plug-in is now unloaded in the correct places, and named no longer crashes in the scenario described.
- BZ#693982
- A non-writable working directory is a long time feature on all Red Hat systems. Previously, named wrote "the working directory is not writable" as an error to the system log. This update changes the code so that named now writes this information only into the debug log.
- BZ#717468
- The named initscript lacked the "configtest" option that was available in earlier releases. Consequently, users of the bind initscript could not use the "service named configtest" command. This update adds the option and users can now test their DNS configurations for correct syntax using the "service named configtest" command.
Bug Fixes
- BZ#758669
- Prior to this update, errors arising on automatic updates of DNSSEC trust anchors were handled incorrectly. Consequently, the named daemon could become unresponsive on shutdown. With this update, the error handling has been improved and named exits on shutdown gracefully.
- BZ#758670
- Prior to this update, a race condition could occur on validation of DNSSEC-signed NXDOMAIN responses and the named daemon could terminate unexpectedly. With this update, the underlying code has been fixed and the race condition no longer occurs.
Bug Fix
- BZ#769366
- The multi-threaded named daemon uses the atomic operations feature to speed-up an access to shared data. This feature did not work correctly on the 32-bit and 64-bit PowerPC architectures. Therefore, the named daemon sometimes became unresponsive on these architectures. This update disables the atomic operations feature on the 32-bit and 64-bit PowerPC architectures, which ensures that the named daemon is now more stable, reliable and no longer hangs.
4.19. bind-dyndb-ldap
Security Fix
- CVE-2012-2134
- A flaw was found in the way bind-dyndb-ldap handled LDAP query errors. If a remote attacker were able to send DNS queries to a named server that is configured to use bind-dyndb-ldap, they could trigger such an error with a DNS query leveraging bind-dyndb-ldap's insufficient escaping of the LDAP base DN (distinguished name). This would result in an invalid LDAP query that named would retry in a loop, preventing it from responding to other DNS queries. With this update, bind-dyndb-ldap only attempts to retry one time when an LDAP search returns an unexpected error.
Bug Fixes
- BZ#742368
- Previously, the bind-dyndb-ldap plug-in could faile to honor the selected authentication method because it did not call the ldap_bind() function on reconnection. Consequently, the plug-in connected to the LDAP server anonymously. With this update, the ldap_bind() function is executed on reconnection and the plug-in uses the correct authentication method in the described scenario.
- BZ#707255
- The bind-dyndb-ldap plug-in failed to load new zones from the LDAP server runtime. This update adds the zone_refresh parameter to the plug-in which controls how often the zone check is performed.
- BZ#745045
- The bind-dyndb-ldap plug-in could fail to connect to the LDAP server. This happened when the LDAP server was using localhost and FreeIPA installation was using a name different from the machine hostname. This update adds to the plug-in the ldap_hostname option, which can be used to set the correct LDAP server hostname.
- BZ#727856
- The "named" process could have remained unresponsive due to a race condition in the bind-dyndb-ldap plug-in. With this update, the race condition has been resolved and the problem no longer occurs.
4.20. binutils
Bug Fixes
- BZ#664640
- Prior to this update, the readelf utility added
0x40
into a character in order to display a non-printing character but did not do so when processing a multibyte character. As a result, the readelf utility did not display a multibyte character in the ELF header correctly. The code has been corrected and readelf no longer displays garbled characters when processing multibyte, or non-ASCII, characters. - BZ#674925
- An unneeded patch to bineutils caused a large link time degradation when using the
binutils --build-id
command. This update removes that patch. - BZ#689829
- An Operating System (OS) Application Binary Interface (ABI) describes the low-level interface between a program and the operating system (OS/ABI). The indirect meta-function,
ifunc()
, whose value can be determined at load time, allows for architecture dependent optimization. Prior to this update, the OS/ABI preprocessor macro was erroneously set toUNIX - Linux
instead ofUNIX - System V
in an ELF header by a dynamic executable which usedifunc()
. This update applies a backported patch which corrects the code and the error no longer occurs. - BZ#698005
- Prior to this update, the binutils'
strip
command, which is run as part of the RPM build process, did not copy theEI_OSABI
value in the ELF file header properly, it set the value to zero. Consequently, if theEI_OSABI
field of the debug file had a value of3
(ABI tag for GNU/Linux), in the stripped file it was erroneously set to0
(UNIX - System V
). This update corrects the problem andstrip
now leaves the field intact. - BZ#701586
- On 64-bit PowerPC platforms, the position of
-ldl
in the list compiler options caused unexpected behavior when compiling C++ code. If-ldl
was not placed at the end of parameter list, the GNU C Compiler (GCC) failed with an error in the format:libtest.a(some_object_file.o): undefined reference to `.dlerror'
With this update, the code has been corrected and the GCC compiler functions as expected. - BZ#707387
- When compiling C source code using the GNU C Compiler (GCC), a Table Of Contents (TOC), is created for every executable file. Prior to this update, compiling C++ code using GCC for 64-bit PowerPC, using
-mcmodel=small -mno-minimal-toc
as options, GNU linker, (ld), erroneously decided that if a section did not make use of the TOC it could belong to any TOC group. Consequently, when a local function call was made from one section of code to another section in the same object file, due to the two sections being assigned to different TOC groups, a failure occurred and an error message in the following format was logged.libbackend.a(cse.o)(.text.unlikely+0x60): sibling call optimization to `.opd' does not allow automatic multiple TOCs; recompile with -mminimal-toc or -fno-optimize-sibling-calls, or make `.opd' extern
This update applies an upstream patch to improve the partitioning of sections of code, which make local function calls, into multiple TOC groups. As a result the error no longer occurs in the scenario described.Note
It is necessary to relink executables and shared libraries containing objects which were compiled with-mcmodel=small -mno-minimal-toc
. Therefore code should be recompiled by running these commands again after applying the update. - BZ#714824
- Prior to this update, after compiling a kernel from source code with debugging information, some debug information was missing. Consequently, when using the GNU Project's debugger (GDB) utility, if a user issued the command
l setup_arch
to determine the target architecture, the following error was displayed.No line number known for setup_arch
This update corrects the code and the GDB utility now correctly displays the architecture for which the code was compiled. - BZ#721079
- Compilers used for producing code optimized for 64-bit PowerPC platforms use the default Red Hat Enterprise Linux system linker, ld, provided with the operating system to produce executables and libraries. Some object code generated by the IBM XL compiler caused ld to terminate unexpectedly with a segmentation fault. Consequently, users were not able to produce optimized executables or libraries. With this update, a backported patch has been applied to correct the problem and ld no longer crashes in the scenario described.
- BZ#733122
- When linking FORTRAN programs with the IBM XL compiler and the default Red Hat Enterprise Linux 6.1 system linker, ld sometimes terminated unexpectedly with a segmentation fault. This updates applies an upstream patch to correct the problem and ld no longer crashes in the scenario described.
- BZ#747695
- The assembler, as, when generating a memory reference to a local symbol plus or minus an offset, did not include the constant offset when generating 32-bit x86 code. Consequently, when the local symbol being referenced was defined before the instruction using the symbol with an offset, an error would occur. This update corrects the code and the problem no longer occurs.
Enhancements
4.21. biosdevname
Bug Fixes
- BZ#700248
- When NPAR (NIC Partitioning) is enabled, the partition number should be appended as a suffix to the interface name. Previously, biosdevname did not add partition numbers to interface names, for example, instead of naming an interface "em3_1", the interface was named "em3". Consequently, partitioned network interfaces were missing the suffix necessary to describe the partition. Now, biosdevname correctly recognizes the VPD (Vital Product Data) suffix and full interface names are created correctly.
- BZ#700251
- When biosdevname ran in a guest environment, it suggested names to new network interfaces as if it was in a host environment. Consequently, affected network interfaces were incorrectly renamed. Now, biosdevname no longer suggests names in the described scenario.
- BZ#729591
- When biosdevname was reading VPD information to retrieve NPAR-related data, the read operations failed or became unresponsive on certain RAID controllers. Additionally, biosdevname sometimes attempted to read beyond the VPD boundary in the sysfs VPD file, which also resulted in a hang. This bug has been fixed and biosdevname now performs the read operation correctly in the described scenarios.
- BZ#739592
- Previously, the "--smbios" and "--nopirq" command-line parameters were missing in the biosdevname binary. Consequently, consistent network device naming could not be enabled because biosdevname exited without suggesting a name. This update adds support for these parameters and enables the device naming.
- BZ#740532
- Previously, NICs (Network Interface Cards) on biosdevname-compatible machines were given traditional "eth*" names instead of "em*" or "p*p*" names. This bug has been fixed and biosdevname now provides correct names for the NICs.
Enhancements
4.22. blktrace
Bug Fix
- BZ#705128
- Prior to this update, the blkparse code contained a misprint. As a result, blkparse used the wrong variable when printing the PC Writes Completed. This update modifies the code so that blkparse now prints the correct value for PC Writes Completed.
Enhancement
- BZ#736399
- This update adds FLUSH/FUA support to blktrace.
4.23. bltk
Bug Fixes
- BZ#618308
- Prior to this update, the bltk tree was corrupted. As a result, the bltk_report script failed. This update modifies the settings of the bltk root path. Now, the report script works as expected.
- BZ#679028
- Prior to this update, bltk could be installed without requiring the gnuplot binary. As a result, the bltk_plot script exited with an error message when the gnuplot package was not installed and the charts were shown from measured data. This update requires the gnuplot package for its installation. Now, the bltk_plot script no longer exits with an error.
4.24. cachefilesd
Bug Fixes
- BZ#660347
- Prior to this update, cachefilesd used the wrong log level for cull info messages. As a result, the /var/log/messages file could become overloaded. This update reduces the messages to the debug level. Now, /var/log/messages no longer becomes overloaded.
- BZ#723890
- Prior to this update, cachefilesd depended on a specific version of the SELinux policy package. As a result, only the nominated version was allowed. This update permits the nominated version and any later versions. Now, the SELinux policy dependency works as expected.
4.25. certmonger
Bug Fixes
- BZ#692766
- Previously, the certmonger service could access a Network Security Services (NSS) database without a password, despite being configured to use a password to access that database. This behavior was not recognized as an error. This update correctly diagnoses this inconsistency as an error.
- BZ#694184
- Previously, if the certmonger service could not generate a key pair in an NSS database because it did not have the password that was required for accessing the database, the certmonger service did not recover when it was subsequently given the correct password. This update handles this case correctly.
- BZ#697058
- Previously, the certmonger service did not correctly diagnose a missing token if the name of the token to use was specified when the service was instructed to generate a key pair for storage in an NSS database. This update corrects this error.
- BZ#712500
- Previously, the certmonger service encountered an assertion failure if the D-Bus message bus service was not already running when certmonger was started. This update modifies the certmonger service so that no more assertion problems occur in such a situation.
- BZ#721392
- Previously, when the getcert command needed to report an error message which it received from the certmonger service, it exited unexpectedly due to a logic error. This update corrects the logic so that the error message is correctly reported.
- BZ#727863
- Previously, the certmonger service was not fully compatible with newer versions of the xmlrpc-c and libcurl packages. As a result, credentials could not be delegated when using GSSAPI authentication with a CA that was accessed via XML-RPC. This update includes the necessary changes to continue to be able to delegate credentials when using GSSAPI authentication with a CA that is accessed using XML-RPC, such as IPA.
- BZ#699059, BZ#739903
- Previously, when the getcert request command was given a location for key or certificate storage using a relative path, and the location did not exist, the error was only reported after multiple warnings during which the command attempted to convert the relative path to an absolute path. This update suppresses these warnings.
- BZ#741262
- Previously, an incorrect error message was displayed if the getcert resubmit command was invoked with the -i flag to specify which request should be resubmitted to a CA but no request that matched the provided value was present. This update displays the correct error message.
- BZ#742348
- Due to a logic error, attempts to save a newly-obtained certificate to an NSS database could fail intermittently. This update corrects the error.
Enhancements
- BZ#698772
- Previously, the getcert list command only printed information about every certificate and enrollment request being managed by certmonger, and there was no way to narrow down the results. This update includes an updated version of the command which can narrow the result set if the invoking user provides information about the location of the certificate or key in which the user is interested
- BZ#750617
- This update now includes an HTTP "Referer:" header value when submitting requests to CAs which are accessed using XML-RPC, as is expected to be required by future releases of the IPA CA
4.26. chkconfig
Bug Fixes
- BZ#797847
- When installing multiple Linux Standard Base (LSB) services which only had LSB headers, the stop priority of the related LSB init scripts could have been miscalculated and set to "-1". With this update, the LSB init script ordering mechanism has been fixed, and the stop priority of the LSB init scripts is now set correctly.
- BZ#797846
- When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd" command, the installation of the script could fail under certain circumstances. With this update, the underlying code has been modified to ignore this requirement because the "$local_fs" facility is always implicitly provided. LSB init scripts with requirements on "$local_fs" are now installed correctly.
4.27. cifs-utils
Bug Fixes
- BZ#676439
- Prior to this update, mount.cifs dropped the CAP_DAC_READ_SEARCH flag together with most of the other capability flags before it performed a mount. As a result, mounting onto a directory without execute permissions failed if mount.cifs was installed as a setuid program and the user mount was configured in the /etc/fstab file. This update reinstates the CAP_DAC_READ_SEARCH flag before calling mount. Now, mounting no longer fails.
- BZ#719363
- Prior to this update, several mount options were missing from the mount.cifs(8) man page. With this update, the man page documents all mount options.
4.28. cjkuni-fonts
Bug Fix
- BZ#682650
- Prior to this update, when viewing the U+4190 CJK character with the AR PL UMing font and the font size 10, this character was not displayed properly. This bug has been corrected in this update so that the character is now correctly displayed as expected.
4.29. cluster and gfs2-utils
Bug Fix
- BZ#849048
- Previously, it was not possible to specify start-up options to the dlm_controld daemon. As a consequence, certain features were not working as expected. With this update, it is possible to use the /etc/sysconfig/cman configuration file to specify dlm_controld start-up options, thus fixing this bug.
Bug Fixes
- BZ#707115
- The cluster and gfs2-utils packages have been upgraded to upstream version 3.0.12.1, which provides a number of bug fixes over the previous version.
- BZ#713977
- Previously, when a custom multicast address was configured, the configuration parser incorrectly set the default value of the time-to-live (TTL) variable for multicast packet to 0. As a consequence, cluster nodes were not able to communicate with each other. With this update, the default TTL value is set to 1, which fixes the problem.
- BZ#726777
- A section describing the "suborg" option for the fence_cisco_usc agent was not present in the RELAX NG schema which is used to validate the cluster.conf file. As a consequence, validation of cluster.conf failed even if the file was valid. The suborg section has been added to the RELAX NG schema and cluster.conf is now validated correctly.
- BZ#707091
- Building the resource group index for a new GFS2 file system using the mkfs.gfs2 utility used all the space allocated. If the file system filled up completely, no room was left to write a new rindex entry. As a consequence, the gfs2_grow utility was unable to expand the file system. The mkfs.gfs2 utility has been modified so that enough space is now allocated for the entire rindex file, and one extra rindex entry. The gfs2_grow source code has been modified to utilize the unused rindex space. As a result, gfs2_grow is now able to expand a completely full GFS2 file system.
- BZ#678585
- GFS2 POSIX (Portable Operating System Interface) lock operations (implemented in Distributed Lock Manager, also known as DLM) are not interruptible when they wait for another POSIX lock. Previously, processes that created a deadlock with POSIX locks could not be killed to resolve the problem, and one node had to be reset. DLM now uses a new kernel feature that allows the waiting process to be killed, and information about the killed process is now passed to the dlm_controld daemon to be cleaned up. Processes deadlocked on GFS2 POSIX locks can now be recovered by killing one or more of them.
- BZ#719135
- Prior to this update, boundaries for the locktable and label fields in the GFS2 superblock were not properly checked by the tunegfs2 tool. As a consequence, running the "gfs2_tool sb" command could terminate unexpectedly with buffer overflow. In addition, invalid characters could be printed when using tunegfs2 to change locktable or label to a minimum or maximum length (63 characters). The tunegfs tool has been modified to check the correct boundaries of the locktable and label fields. As a result, tunegfs2 no longer creates invalid locktables or labels, and therefore gfs2_tool prints the superblock values properly.
- BZ#740385
- When executing the cman utility by using the init script with enabled debugging, a file descriptor leaked. The file pointed to the file descriptor would continue to grow endlessly, filling up the /tmp file system. This update ensures that the file descriptor is closed after a successful cman startup. Space in /tmp is now released correctly.
- BZ#695795
- The cman utility implements a complex set of checks to configure the Totem protocol. One of the checks that copies the configuration data was incorrect and the transport protocol option was not handled correctly as a consequence. A patch has been applied to address this issue and cman now handles the transport option properly.
- BZ#679566
- When the user executed the "gfs2_edit savemeta" command to save the metadata for a target GFS2 file system, not all of the directory information was saved for large directories. If the metadata was restored to another device, the fsck.gfs2 tool found directory corruption because of a missing leaf block. This was due to gfs2_edit treating the directory leaf index (also known as the directory hash table) like a normal data file. With this update, gfs2_edit's savemeta function is modified to actually read all the data (the directory hash table) for large directories and traverse the hash table, saving all the leaf blocks. Now, all leaf blocks are saved properly.
- BZ#679080
- When the fsck.gfs2 tool was resolving block references and no valid reference was found, the reference list became empty. As a consequence, fsck.gfs2 check in pass1b terminated unexpectedly with a segmentation fault. With this update, pass1b is modified to check that the list is empty. The segmentation fault no longer occurs and fsck.gfs2 proceeds as expected.
- BZ#731775
- The dlm_controld daemon passed error results back to the kernel for POSIX unlock operations flagged with CLOSE. As a consequence, the kernel displayed the "dlm: dev_write no op" error messages, most of them when using non-POSIX locks, flocks. The dlm_controld daemon has been fixed to not pass error results to the kernel for POSIX unlock operations flagged with CLOSE. As a result, error messages no longer appear.
- BZ#729071
- Previously, the mount.gfs2 utility passed the "loop" option to the GFS2 kernel module which treated it as an invalid option. Mounting a GFS2 file system on loopback devices failed with an "Invalid argument" error message. With this update, mount.gfs2 is modified to avoid passing the "loop" option to the kernel. Mounting GFS2 systems on loopback devices now works as expected.
- BZ#728230
- Missing sanity checks related to the length of a cluster name caused the cman utility to fail to start. The correct sanity checks have been implemented with this update. The cman utility starts successfully and informs the user of the incorrect value of the cluster name, if necessary.
- BZ#726065
- The XML format requires special handling of certain special characters. Handling of these characters was not implemented correctly, which caused the cluster.conf file to not function as expected. Correct handling of the characters has been implemented and cluster.conf now works as expected.
- BZ#706141
- The exact device/mount paths were not compared due to incorrect logic in mount.gfs2 when trying to find mtab entries for deletion. The original entry was not found during remounts and therefore was not deleted. This resulted in double mtab entries. With this update, the realpath() function is used on the device/mount paths so that they match the content of mtab. As a result, the correct original mtab entry is deleted during a remount, and a replacement entry with the new mount options is inserted in its place.
- BZ#720668
- Previously, mkfs.gfs2 treated normal files incorrectly as if they were block devices. Attempting to create a GFS2 file system on a normal file caused mkfs.gfs2 to fail with a "not a block device" error message. Additional checks have been added so that mkfs.gfs2 does not call functions specific for block devices on normal files. GFS2 file systems can now be created on normal files. However, use of GFS2 in such cases is not recommended.
- BZ#719126
- The tunegfs2 command line usage message was not updated to reflect the available arguments which are documented in the man page. As a consequence, tunegfs2 printed an inaccurate usage message. The usage message has been updated and tunegfs2 now prints an accurate message.
- BZ#719124
- Previously, certain argument validation functions did not return error values, and tunegfs2 therefore printed confusing error messages instead of exiting quietly. Error handling has been improved in these validation functions, and tunegfs2 now exits quietly instead of printing the confusing messages.
- BZ#694823
- Previously, the gfs2_tool command printed the UUID (Universally Unique Identifier) output in uppercase. Certain applications expecting the output being in lowercase (such as mount) could have malfunctioned as a consequence. With this update, gfs2_tool is modified to print UUIDs in lowercase so that they are in a commonly accepted format.
- BZ#735917
- The qdisk daemon did not allow cman to upgrade the quorum disk device name. The quorum disk device name was not updated when the device was changed and, in very rare cases, the number of qdiskd votes would therefore not be correct. A new quorum API call has been implemented to update the name and votes of a quorum device. As a result, quorum disk device names and votes are updated consistently and faster than before.
- BZ#683104
- Prior to this update, the fsck.gfs2 utility used the number of entries in the journal index to look for missing journals. As a consequence, if more than one journal was missing, not all journals were rebuilt and subsequent runs of fsck.gfs2 were needed to recover all the journals. Each node needs its own journal; fsck.gfs2 has therefore been modified to use the "per_node" system directory to determine the correct number of journals to repair. As a result, fsck.gfs2 now repairs all the journals in one run.
- BZ#663397
- Previously, token timeout intervals of corosync were larger than the time it took a failed node to rejoin the cluster. Consequently, corosync did not detect that a node had failed until it rejoined. The failed node had been added again before the dlm_controld daemon asked corosync for the new member list, but dlm_controld did not notice this change. This eventually caused the DLM (Distributed Lock Manager) lockspace operations to get stuck. With this update, dlm_controld can notice that a node was removed and added between checks by looking for a changed incarnation number. Now, dlm_controld can properly handle nodes that are quickly removed and added again during large token timeouts.
- BZ#732991
- Previously, if a cluster was configured with a redundant corosync ring, the dlm_controld daemon would log harmless EEXIST errors, "mkdir failed: 17". This update removes these error messages so that they no longer appear.
Enhancements
- BZ#733345
- The corosync IPC port allows, when configured correctly, non-privileged users to access corosync services. Prior to this update, the cman utility did not handle such connections correctly. As a consequence, users were not able to configure unprivileged access to corosync when it was executed using cman. This update adds support to cman to configure unprivileged access. As a result, configured users and groups can now access corosync services without root privileges.
- BZ#680930
- This update introduces dynamic schema generation, which provides a lot of flexibility for end users. Users can plug into Red Hat Enterprise Linux High Availability Add-On custom resource and fence agents, and still retain the possibility to validate their cluster.conf file against those agents.
- BZ#732635, BZ#735912
- This update adds support for Redundant Ring Protocol, which aligns the default configuration of cman with corosync. Note that this enhancement is included as a Technology Preview.
- BZ#702313
- Previously, gfs2_edit saved GFS2 metadata uncompressed. Saved GFS2 metadata sets could have filled up a lot of storage space, and transferring them (for example, for support and debugging) would be slow. This update adds gzip compression to the metadata saving and restoring functions of gfs2_edit. GFS2 metadata sets are now compressed when saving and decompressed when restoring them. The user can specify the compression level with a command line option.
- BZ#704178
- With this update, the tunegfs2 utility replaces the superblock manipulating feature of gfs2_tool.
- BZ#673575
- Previously, the fence_scsi agent did not reboot a node when it was fenced. As a consequence, the node had to be rebooted manually before rejoining the cluster. This update provides a script for detecting loss of SCSI reservations. This can be used in conjunction with the watchdog package in order to reboot a failed host.
Bug Fix
- BZ#820357
- Prior to this update, the cmannotifyd did not correctly generate a cluster status notification message at first cluster startup. This update addresses the problem and now cmannotifyd will correctly trigger the notification hooks when the daemon is started.
4.30. clustermon
Bug Fix
- BZ#634373
- Previously, the clustermon tool failed to shut down nodes if the user had mounted a GFS2 file system that was not listed in the /etc/fstab file. This was caused by clustermon relying on the rgmanager tool and the GFS2 init scripts to unmount all file systems, but the cluster stack would not stop properly if the user mounted the file system manually. This has been fixed: clustermon now ensures that there are no cluster file systems mounted and then attempts to stop the cluster stack.
Enhancement
- BZ#724978
- The "get_cluster_schema" function call has been added to allow users to easily get the XML cluster schema content.
4.31. coolkey
Enhancements
- BZ#578690
- This update adds support for Personal Identity Verification (PIV) smart cards.
- BZ#700907
- Common Access Cards (CAC) are defined to have exactly three certificates. However, some cards that used the CAC interface supplied one or two certificates only, which may have caused the coolkey utility to fail. CAC smart cards that contain less than three certificates are now supported.
4.32. coreutils
Bug Fixes
- BZ#691292
- Prior to this update, SELinux appeared to be disabled when building coreutils in Mock. As a result, coreutils did not build. With this update, SELinux determines more precisely whether it is disabled or not. Now, the packages are built successfully.
- BZ#703712
- Previously, incorrect signal handling could cause various problems for tcsh users logging into the root shell using the su utility. Signal masking in the subshell called by the su utility has been modified to respect the SIGTSTP signal as well as the SIGSTOP signal.
- BZ#715557
- When using the "-Z/--context" option in the cp utility, the SELinux context of a file was not changed if the file destination already existed. The utility has been modified and the context is changed as expected. However, this option is not portable to other systems.
- BZ#720325
- Prior to this update, the acl_extended_file() function could cause unnecessary mounts of autofs when using the ls command on a directory with autofs mounted. This update adds the new acl function, acl_extended_file_nofollow(), to prevent unnecessary autofs mounts.
- BZ#725618
- The description of the "--sleep-interval" option in the tail(1) manual page has been improved to be clearer about the behavior and to match the upstream version of coreutils.
4.33. corosync
Bug Fix
- BZ#849553
- Previously, the corosync-notifyd daemon, with dbus output enabled, waited 0.5 seconds each time a message was sent through dbus. Consequently, corosync-notifyd was extremely slow in producing output and memory of the Corosync server grew. In addition, when corosync-notifyd was killed, its memory was not freed. With this update, corosync-notifyd no longer slows down its operation with these half-second delays and Corosync now properly frees memory when an IPC client exits.
Bug Fixes
- BZ#677583
- Prior to this update, the corosync-blackbox command could, under certain circumstances, produce a backtrace in the output and consequently terminate with a segmentation fault. With this update, Corosync creates correct fdata files and also corosync-fplay is more resistant when dealing with incorrect fdata files.
- BZ#677583
- Prior to this update, cpg did not use the "left_nodes" field in the downlist message. As a consequence, a node could miss a configuration change and report larger old_members than expected if one node was paused. This update modifies the downlist so that the "left_nodes" field is used. Now, the membership events are correct.
- BZ#692620
- Prior to this update, cpg did not use the "left_nodes" field in the downlist message. As a consequence, a node could miss a configuration change and report larger old_members than expected if one node was paused. This update modifies the downlist so that the "left_nodes" field is used. Now, the membership events are correct.
- BZ#696883
- Prior to this update, running Corosync could cause a segmentation fault on multiple nodes when executed via CMAN. This update modifies the code so that executing Corosync via CMAN no longer causes segmentation faults with the pacemaker test suite.
- BZ#696887
- Prior to this update, the reference counting on the configuration server in Corosync was incorrect. As a consequence, terminating the corosync-cfgtool -r command before completing caused a segmentation fault. This update adds the correct reference counting for each architecture. Now, Corosync no longer encounters segmentation faults in this situation.
- BZ#707860
- Prior to this update, Corosync could terminate with a segmentation fault if it ran out of available open files. This update handles the maximum number of open files more gracefully. Now, Corosync no longer crashes when going over open file limits.
- BZ#707867
- Prior to this update, corosync-objctl could not create a new object/key and display double or float values. This update adds float and double support to corosync-objctl. Now, corosync-objctl can display object values with double or float types.
- BZ#707873
- Prior to this update, Corosync could terminate with a segmentation fault if it encountered a negative value for the message type on systems where char is signed. This update improves the check of the message type for incoming messages.
- BZ#707875
- Prior to this update, an error message was wrongly displayed if files in the service.d directory differed from the service key. With this update, Corosync longer checks for sub parameters in files in the service.d directory. Now, files in service.d directory can contain every possible configuration option.
- BZ#709758
- Prior to this update, Corosync used a spinlock around I/O operations. As a consequence, Corosync consumed an extremely high portion of the central processing unit (CPU) when running a large amount of inter-process communication (IPC) operations because the spinlocks would spin during I/O. This update replaces the spinlock with a mutual exclusion (mutex), which releases the processor from spinning but enforces correct behavior.
- BZ#712115
- Prior to this update, an incorrect mutex in the internal confdb data storage system could, under certain circumstances, cause Corosync to terminate with a segmentation fault. This update corrects the mutex and objdb API iteration no longer causes Corosync to terminate with a segmentation fault.
- BZ#712188
- Prior to this update, Corosync became locked with contrived test cases when the tracking functionality of the internal object database was enabled if it was under heavy load. This update modifies Corosync so that the tracking functionality under heavy load no longer causes Corosync to lock up.
- BZ#725058
- Prior to this update, retransmit list errors could occur on slower hardware due to high multicast traffic and slow CPU usage. This update processes the multicast buffer queue more frequently and retransmit errors are now less probable.
- BZ#732698
- Prior to this update, Corosync sometimes terminated unexpectedly when Corosync ran the cman_tool join and cman_tool leave commands in a loop. This update modifies the code so that no more segmentation faults occur in such situations.
Enhancements
- BZ#529136
- Prior to this update, the protocol in Corosync unnecessarily copied memory on AMD64 and EM64T architectures to align data structures for architectures which do not handle alignment correctly. As a consequence, the utilization of the central processing unit (CPU) was increased. This update can conditionally avoid copies on unaligned safe architectures such as Intel 80386, AMD64, and EM64T architectures. Now the CPU utilization is reduced by around 20%.
- BZ#599327
- Prior to this update, no diagnostic message was available when the multicast was blocked. As a consequence, each partition lost quorum which never remerged. This update displays a diagnostic warning that the node can not exit the GATHER state when a local NIC (network interface card) fault occurs or the firewall prevents totem from forming a cluster. In addition, the runtime.totem.pg.mrp.srp.firewall_enabled_or_nic_failure key is now set to 1.
- BZ#667652
- Prior to this update, fenced nodes where not safely powered up due to issues with the boot sequence. As a consequence, users had to skip cluster services at boot to avoid problems such as long response times and fences in two-node clusters. With this update, setting the nocluster boot parameter prevents Corosync to start automatically.
- BZ#688260
- Prior to this update, configuring two rings with different IP subnets only duplicated the IP address data of one ring. This update adds support for the redundant ring functionality to Corosync as a Technology Preview.
- BZ#707876
- Prior to this update, the corosync init script did not depend on syslog. As a consequence, syslog logging did not work if the user turned off syslog. This update adds syslog as a dependency to the init script. Now, logging works in all cases.
- BZ#722469
- Prior to this update, configuring two rings with different IP subnets only duplicated the IP address data of one ring. This update adds support for the redundant ring functionality to Corosync as a Technology Preview.
Bug Fix
- BZ#791236
- Previously, the range condition for the update_aru() function could cause incorrect check of message IDs. Due to this, in rare cases, the corosync utility entered the "FAILED TO RECEIVE" state, and so failed to receive multicast packets. With this update, the range value in the update_aru() function is no longer checked for; the fail_to_recv_const constant performs such checks. Now, corosync does not fail to receive packets.
Bug Fix
- BZ#810917
- Previously, the underlying library of corosync did not delete temporary buffers used for Inter-Process Communication (IPC) that are stored in the /dev/shm shared memory file system. Therefore, if the user without proper privileges attempted to establish an IPC connection, the attempt failed with an error message as expected but memory allocated for temporary buffers was not released. This could eventually result in /dev/shm being fully used and Denial of Service. This update modifies the coroipcc library to let applications delete temporary buffers if the buffers were not deleted by the corosync server. The /dev/shm file system is no longer cluttered with needless data in this scenario and IPC connections can be established as expected.
Bug Fix
- BZ#828432
- Previously, it was not possible to activate or deactivate debug logs at runtime due to memory corruption in the objdb structure. With this update, the debug logging can now be activated or deactivated on runtime, for example with the command "corosync-objctl -w logging.debug=off".
Bug Fix
- BZ#929098
- When running applications which used the Corosync IPC library, some messages in the dispatch() function were lost or duplicated. This update properly checks the return values of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and ensures that the IPC client is correctly informed about the real number of messages in the ring buffer. Now, messages in the dispatch() function are no longer lost or duplicated.
4.34. cpufrequtils
Bug Fix
- BZ#675734
- Prior to this update, the cpufreq-aperf utility did not run on 32-bit systems due to an incorrect argument passed to the read() call. This problem has been fixed: the buffer size is now used instead of the size of the pointer and the cpufreq-aperf utility runs as expected.
4.35. crash
- BZ#710193
- The crash package has been upgraded to upstream version 5.1.8, which provides a number of enhancements and bug fixes over the previous version.
Bug Fixes
- BZ#705142
- Previously, compressed kdump dump files were handled incorrectly on AMD64 and Intel 64 architectures if a system contained more than 454 CPUs. In such a case, the crash session terminated during initialization with the "crash: compressed kdump: invalid nr_cpus value: [cpus]" error message. A patch has been provided to address this issue, and the compressed dump files are now handled properly, thus fixing this bug.
- BZ#716931
- When the first chunk of physical memory on a system was assigned to NUMA (Non-Uniform Memory Architecture) node 1 (typically it is assigned to NUMA node 0), the "kmem -s" or "kmem -S" command incorrectly showed all cache blocks allocated by the slab allocator as empty. This bug has been fixed, and the kmem command now shows populated kmem_cache slab data correctly.
- BZ#712214
- In a rare scenario, a non-crashing CPU received a shutdown NMI (non-maskable interrupt) immediately after receiving an interrupt from another source. Because the IRQ entry-point symbols "IRQ0x00_interrupt" through "IRQ0x##_interrupt" no longer existed, the bt command terminated with the "bt: cannot transition from exception stack to current process stack" error message on AMD64 and Intel 64 architectures. This bug has been fixed, and backtrace now properly transitions from the NMI stack back to the interrupted process stack.
Enhancements
- BZ#695413
- The crash.8 man page and the associated built-in "crash -h" output have been re-written. The crash.8 man page now clarifies the required invocation options, adds all of the rarely-used command line options that have proliferated over the years, and updates the ENVIRONMENT variables section. The "crash -h" output now closely mimics the relevant parts of the crash.8 man page.
- BZ#703467
- With this update, the new "--osrelease [dump_file]" command line option that displays the OSRELEASE vmcoreinfo string from a kdump dump file has been added.
4.36. crontabs
Bug Fix
- BZ#609544
- Prior to this update, an example included in the /etc/crontab file contained an omission. It did not state that defining a job in crontab requires a username to be defined. The missing information has been added to the /etc/crontab file in this update.
4.37. cryptsetup-luks
Bug Fixes
- BZ#713410
- When the cryptsetup or libcryptsetup utility was run in FIPS (Federal Information Processing Standards) mode, the "Running in FIPS mode." message was displayed during initialization of all commands. This sometimes caused minor issues with associated scripts. This bug has been fixed and the message is now displayed only in verbose mode.
- BZ#732179
- Prior to this update, several directives were missing in cryptsetup status command implementation. Therefore, the cryptsetup status command always returned the exit code 0 when verifying the status of a mapped device. To fix this issue, the code has been modified. The cryptsetup status command now returns the 0 value only if the device checked is active.
Enhancement
- BZ#701936
- Previously, the libcryptsetup crypt_get_volume_key() function allowed to perform an action not compliant with FIPS. To conform FIPS requirements, the function is now disabled in FIPS mode and returns an EACCES error code to indicate it. Note that the "luksDump --dump-master-key" command and the key escrow functionality of the volume_key package are also disabled in FIPS mode as a consequence of this update.
4.38. ctdb
Bug Fix
- BZ#728545
- Prior to this update, the ctdb daemon leaked a file descriptor to anon_inodefs. This update modifies ctdb so that this file discriptor can no longer leak.
Enhancement
- BZ#672641
- This update adds support for Clustered Samba on top of GFS2 as a Technology Preview.
4.39. cups
Security Fix
- CVE-2011-2896
- A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the CUPS GIF image format reader. An attacker could create a malicious GIF image file that, when printed, could possibly cause CUPS to crash or, potentially, execute arbitrary code with the privileges of the "lp" user.
Bug Fixes
- BZ#681836
- Previously CUPS was not correctly handling the language setting LANG=en_US.ASCII. As a consequence lpadmin, lpstat and lpinfo binaries were not displaying any output when the LANG=en_US.ASCII environment variable was used. As a result of this update the problem is fixed and the expected output is now displayed.
- BZ#706673
- Previously the scheduler did not check for empty values of several configuration directives. As a consequence it was possible for the CUPS daemon (cupsd) to crash when a configuration file contained certain empty values. With this update the problem is fixed and cupsd no longer crashes when reading such a configuration file.
- BZ#709896
- Previously when printing to a raw print queue, when using certain printer models, CUPS was incorrectly sending SNMP queries. As a consequence there was a noticeable 4-second delay between queueing the job and the start of printing. With this update the problem is fixed and CUPS no longer tries to collect SNMP supply and status information for raw print queues.
- BZ#712430
- Previously when using the BrowsePoll directive it could happen that the CUPS printer polling daemon (cups-polld) began polling before the network interfaces were set up after a system boot. CUPS was then caching the failed hostname lookup. As a consequence no printers were found and the error, "Host name lookup failure", was logged. With this update the code that re-initializes the resolver after failure in cups-polld is fixed and as a result CUPS will obtain the correct network settings to use in printer discovery.
- BZ#735505
- The MaxJobs directive controls the maximum number of print jobs that are kept in memory. Previously, once the number of jobs reached the limit, the CUPS system failed to automatically purge the data file associated with the oldest completed job from the system in order to make room for a new print job. This bug has been fixed, and the jobs beyond the set limit are now properly purged.
- BZ#744791
- The cups init script (/etc/rc.d/init.d/cups) uses the daemon function (from /etc/rc.d/init.d/functions) to start the cups process, but previously it did not source a configuration file from the /etc/sysconfig/ directory. As a consequence, it was difficult to cleanly set the nice level or cgroup for the cups daemon by setting the NICELEVEL or CGROUP_DAEMON variables. With this update, the init script is fixed.
Bug Fix
- BZ#803419
- Previously, empty jobs could be created using the "lp" command either by submitting an empty file to print (for example by executing "lp /dev/null") or by providing an empty file as standard input. In this way, a job was created but was never processed. With this update, creation of empty print jobs is not allowed, and the user is now informed that no file is in the request.
4.40. curl
Bug Fixes
- BZ#800903
- Previously, SSL connections could not be established with libcurl if the selected Network Security Services (NSS) database was broken or invalid. This update modifies the code of libcurl to initialize NSS without a valid database, which allows applications to establish SSL connections as expected in this scenario.
- BZ#800904
- The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL back end. This change led to collisions between libcurl and OpenLDAP on NSS initialization and shutdown. Consequently, applications that were using both, libcurl and OpenLDAP, failed to establish SSL connections. This update modifies libcurl to use the same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.
4.41. cvs
Security Fix
- CVE-2012-0804
- A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client.
4.42. cyrus-imapd
Bug Fix
- BZ#818209
- Previously, the idled daemon incorrectly used signals for communication with the imapd daemon. This could cause a user's mailbox to become unresponsive. To prevent this problem, idled no longer uses signals to communicate with imapd; the AF_UNIX datagram sockets are now used instead.
4.43. cyrus-sasl
Bug Fixes
- BZ#720451
- Prior to this update, the ntlm plug-in did not work due to a code error. This update modifies the source code so that the plug-in now works as expected.
- BZ#730242
- Prior to this update, creating the user ID and the group ID of the saslauth daemon caused conflicts. This update corrects this behavior and now the saslauth daemon works as expected.
- BZ#730246
- Prior to this update, cyrus-sasl displayed redundant warnings during the compilation. With this update, cyrus-sasl has been modified and now works as expected.
Enhancement
- BZ#727274
- This update adds support of partial Relocation Read-Only (RELRO) for the cyrus-sasl libraries.
4.44. device-mapper-multipath
Bug Fixes
- BZ#677449
- DM Multipath removed a device if it failed to check the device status due to insufficient memory. This happened because the command checking if the device map existed failed as the system returned an error. With this update, Multipath no longer returns an error under these circumstances and no devices are removed if the system runs out of memory while checking device status.
- BZ#678673
- If a device-mapper-multipath device was open but all attached device paths had been lost, the device was unable to create a new table with no device paths. As a concequence the
multipath -ll
command returned output indicating that no paths to the device were available with confusing "failed faulty running" rows presenting the missing paths. Multipath devices now reload tables with no device paths correctly. - BZ#689504
- Device paths could fail even if unavailable only temporarily. This happened because the RDAC (Redundant Disk Array Controller) checker function did not recheck the status of hosts if it had received a temporary error code. The function now rechecks the path after it has received such error codes and the path failures are transient as expected.
- BZ#697386
- A previous bug fix introduced a race condition between the main thread and the thread running the checkerloop routine as the checkerloop thread was created with deferred cancellation type. The checkerloop thread continued running and attempted to access a property, which had been previously unallocated by the main thread. This caused the multipathd daemon to shutdown with a segmentation fault. Now the checkerloop thread checks if a shutdown is in progress and the deamon shuts down gracefully.
- BZ#700169
- The Multipath daemon failed to include some ghost paths when counting the number of active paths; however, when the ghost paths failed, they were subtracted from the number of active paths. This caused multipathd to fail IO requests even though some paths were still available. The Multipath daemon now counts ghost paths correctly and no longer fails IO requests while there are still active paths available.
- BZ#705854
- If the user set dev_loss_tmo to a value greater than 600 in
multipath.conf
without setting the fast_io_fail_tmo value, the multipathd daemon did not notify the user that fast_io_fail_tmo was not set. Multipath now issues a warning that fast_io_fail_tmo is not set under such circumstances. - BZ#706555
- On shared-storage multipath setups that set failback to
manual
, multipath could keep alternating from the failover pathgroup to the primary pathgroup infinitely. This happened because multipath was incorrectly failing back to the primary pathgroup whenever a path priority changed. With this update, multipath no longer fails back to the primary pathgroup when a path's priority changes under such circumstances. - BZ#707560
- If the multipath device was deleted while a path was being checked,
multipathd
did not abort the path check and terminated unexpectedly when trying to access the multipath device information. The Multipath daemon now aborts any path checks when the multipath device is removed and the problem no longer occurs. - BZ#714821
- The Multipath daemon was removing a multipath device twice. This could cause multipathd to access memory already used for another purpose, and caused the multipathd daemon to terminate unexpectedly. The multipathd daemon now removes the device once and the problem no longer occurs.
- BZ#719571
- The kpartx utility built partition devices for invalid GUID partition tables (GPT) because it did not validate the size of GUID partitions. The kpartx utility now checks the partition size, and does not build devices for invalid GPTs.
- BZ#723168
- Multipath previously returned an unclear error message when it failed to find rport_id. The returned message and its severity have been adjusted.
- BZ#725541
- Several upstream commits have been included in the device-mapper-multipath package providing a number of bug fixes and enhancements over the previous version.
- BZ#738298
- Anaconda failed to recognize an existing filesystem on a zSeries Linux fibre-channel adapter (zFCP) LUN and marked it as 'Unknown' when reinstalling the system. This happened due to an incorrect setting of the DM_UDEV_DISABLE_DISK_RULES_FLAG property. Filesystem on a multipath zFCP LUN is now correctly recognized during the installation.
- BZ#747604
- The asynchronous TUR path checker caused multipathd to terminate unexpectedly due to memory corruption. This happened if multipathd attempted to delete a path while the asynchronous TUR checker was running on the path. The asynchronous TUR checker code has been removed, and multipathd no longer crashes on path removal.
Enhancements
- BZ#636009
- Multipath now supports up to 8000 device paths.
- BZ#683616
- To provide support for Asymmetric Logical Unit Access (ALUA), the RDAC checker has been modified to work better with devices in IOSHIP mode. The checker now sets the Task Aborted Status (TAS) bit to 1 if the TAS bit is set to 0 and changeable on a LUN (Logical Unit Number) discovery. The function now also reports PATH_UP for both the path groups in the RDAC storage in IOSHIP mode.
- BZ#694602
- To run multipath on IBM BladeCenter S-series with RAIDed Shared Storage Module (RSSM) demanded a manual multipath configuration to enable RSSM. Multipath now configures the server automatically.
- BZ#699577
- The text in the
defaults multipaths devices
sections of themultipath.conf
man page has been improved to provide a better clarification. - BZ#713754
- The
rr_min_io_rq
option has been added to thedefault
,devices
, andmultipaths
sections of themultipath.conf
file. This option defines the number of I/O requests to route to a path before switching to the next path in the current path group. Note that therr_min_io
option is no longer used. - BZ#710478
- UID, GID, and mode owner settings defined in
/etc/multipath.conf
for a multipath device are ignored. These access permissions are now set with the udev rules.
Bug Fix
- BZ#802433
- Device-Mapper Multipath uses certain regular expressions in the built-in device configurations to determine a multipath device so that the correct configuration can be applied to the device. Previously, some regular expressions for the device vendor and product ID were set too broad. As a consequence, some devices could be matched with incorrect device configurations. With this update, the product and vendor regular expressions have been set more strict so that all multipath devices can now be properly configured.
4.45. DeviceKit-power
Enhancements
- BZ#625880
- To allow administrators easily disable the suspend and hibernate actions on the system, DeviceKit-power now checks the PolicyKit authorization before deciding whether an action can be completed.
- BZ#727544
- This update introduces a new sub-package DeviceKit-power-devel-docs, which contains developer's documentation for DeviceKit-power, so that it is now possible to install the DeviceKit-power-devel package on machines with multiple architectures without file conflicts.
4.46. dhcp
Security Fix
- CVE-2011-4539
- A denial of service flaw was found in the way the dhcpd daemon handled DHCP request packets when regular expression matching was used in "/etc/dhcp/dhcpd.conf". A remote attacker could use this flaw to crash dhcpd.
Bug Fixes
- BZ#694798
- Previously, when multiple DHCP clients were launched at the same time to handle multiple virtual interfaces on the same network interface card (NIC), the clients used the same seed to choose when to renew their leases. Consequently, these virtual interfaces for some clients could have been removed over time. With this update, the dhclient utility uses the Process Identifier (PID) for seeding the random number generator, which fixes the bug.
- BZ#694799
- If a system was rebooted while a network switch was inoperative, the network connection would recover successfully. However, it was no longer configured to use DHCP even if the dhclient utility had been running in persistent mode. With this update, the dhclient-script file has been modified to refresh the ARP (Address Resolution Protocol) table and the routing table instead of bringing the interface down, which fixes the bug.
- BZ#731990
- If the system included network interfaces with no hardware address, the dhcpd scan could have experienced a segmentation fault when scanning such an interface. As a consequence, the dhcpd daemon unexpectedly terminated. To prevent this issue, dhcpd now tests a pointer which represents the hardware address of the interface for the NULL value. The dhcp daemon no longer crashes.
- BZ#736999
- Previously, all source files were compiled with the "-fpie" or "fPIE" flag. As a consequence, the libraries used by dhcp could not have been used to build Perl modules. To fix this problem, all respective dhcp Makefiles have been modified to compile libraries with the "-fpic" or "-fPIC" flag. The libraries used by dhcp are now built without the previous restrictions.
- BZ#736194
- Previously, both dhcp and dhclient packages included the dhcp-options(5) and dhcp-eval(5) man pages. As a consequence, a conflict could have occurred when any of these man pages were updated, because dhcp and dhclient packages could have been upgraded separately. To prevent the problem from occurring in future updates, shared files of dhcp and dhclient packages have been moved to the dhcp-common package that is required by both dhcp and dhclient as a dependency.
Enhancements
- BZ#706974
- A feature has been backported from dhcp version 4.2.0. This feature allows the DHCPv6 server to be configured to identify DHCPv6 clients in accordance with their link-layer address and their network hardware type. With this update, it is now possible to define a static IPv6 address for the DHCPv6 client with a known link-layer address.
- BZ#693381
- Previously, the dhcpd daemon ran as root. With this update, new "-user" and "-group" options can be used with dhcpd. These options allow dhcpd to change the effective user and group ID after it starts. The dhcpd and dhcpd6 services now run the dhcpd daemon with the "-user dhcpd -group dhcpd" parameters, which means that the dhcpd daemon runs as the dhcpd user and group instead root.
4.47. dmidecode
4.48. dnsmasq
Bug Fixes
- BZ#584009
- Three changes were made to /etc/init.d/dnsmasq, the dnsmasq startup script:
- If dnsmasq was started or restarted by a non-privileged user, the startup script previously failed silently. With this update, the dnsmasq startup script now exits with a status code of 4 (user had insufficient privilege) and returns a "User has insufficient privilege" error to STD OUT when started or restarted by a non-privileged user.
- A "force-reload" option was added: The "service force-reload dnsmasq" command now forces dnsmasq to reload. Previously, it did nothing.
- If /etc/init.d/dnsmasq passed an invalid argument, previously the startup script exited with a status code of 1 (generic or unspecified error). With this update, the startup script now exits correctly, returning a status code of 2 (invalid or excess argument) in such a circumstance.
- BZ#704073
- If the virtual bridge interface (virbr0) was up and dnsmasq was started by default, dnsmasq could, in some circumstances, write a "DHCP packet received on eth(x) which has no address" message to /var/log/messages. Note: this message was not in error. The message was written if an actual interface (eg eth1) was up; did not have a configured IP address (eg was slaved to a logical bonded interface); and was in the same LAN as another host which generated a DHCP request. The message had little-to-no utility, however: it presented a warning where none was needed. With this update, this message is no longer written to /var/log/messages in these, and equivalent, circumstances.
4.49. dosfstools
Bug Fixes
- BZ#624596
- Previously, when the dosfsck and the dosfslabel utilities were executed on the IBM System z architecture using a FAT32 file system, they terminated with this error message: "Logical sector size is zero". This was caused by unaligned fields which were first byte-wise copied. With this fix, the fields are not pre-copied any more, but are accessed the same way as on the i686 architecture.
- BZ#677789
- The fsck.vfat utility terminated due to buffer overflow. This occurred when checking a device with the corrupted VFAT file system if there were any chains of orphaned clusters. The name of the newly created file that contained these clusters was printed directly into the name field, which led to an out of boundary write. The name is now printed into the buffer and individual parts are then correctly copied into the appropriate field.
- BZ#688128
- The dosfslabel utility displayed an error message when labeling the FAT32 file system due to some of its internal structures being initialized incorrectly. The dosfslabel utility now reads the FAT file system first, which fixes the problem.
- BZ#709266
- The mkfs.vfat utility did not correctly detect device partitions on RAID devices. As a consequence, formatting failed with an error message. This was caused by an invalid mask for the statbuf.st_rdev variable. The mask has been fixed to be at least four bytes long and the problem no longer occurs.
4.50. doxygen
Bug Fix
- BZ#690076
- Prior to this update, Doxygen required invalid BuildRequires on the qt-devel package. With this update, packages with BuildRequires dependencies on the qt-devel package have been fixed. Now, these packages explicitly require qt4-devel.
4.51. dracut
Bug Fix
- BZ#860350
- If the "/boot/" directory was not on a separate file system, dracut called the sha512hmac utility with a file name prefixed with "/sysroot/boot". Consequently, sha512mac searched for the file checksum in "/boot/", returned errors, and dracut considered the FIPS check to have failed. Eventually, a kernel panic occurred. With this update, dracut uses a symlink linking "/boot" to "/sysroot/boot", sha512mac can now access files in "/boot/", and FIPS checks now pass, allowing the system to boot properly in the described scenario.
Bug Fixes
- BZ#659076
- Previously, dracut incorrectly displayed that it loaded SELinux even if SELinux was disabled in the config file and "selinux=0" was not specified on the kernel command line. As a consequence, an error message could confuse the user when booting the system. With this update, the dracut utility is modified and the error message no longer appears.
- BZ#696980
- Due to an error in the dracut module script, the system could fail to find the root volume if a static IP address was specified. As a consequence, the system did not boot. With this update, the error is corrected, and the system is able to boot with a static IP address.
- BZ#698160
- When mounting the root device over the NFS (Network File System) protocol, the /var/lib/rpcbind directory created by initramfs was world-writable. The dracut tool has been modified to generate initramfs which now sets the ownership to the rpc user and the group.
- BZ#698165
- When auto-assembling an md RAID device, initramfs used an invalid parameter when calling the mdadm tool. This prevented the system from booting if the root device was on the RAID device. The invalid parameter has been removed and the system now boots properly.
- BZ#698215
- When auto-assembling an md RAID device, an error in the mdraid_start.sh script prevented the system from booting if the root device was on the RAID device. The error in the script has been fixed and the system now boots correctly.
- BZ#701309
- Prior to this update, the /var/lib/nfs/prc_pipefs partition could not be accessed on system boot. The problem occurred when booting the system with NFS set as the root partition with at least one separate /var partition. This was caused by initramfs mounting the /var partition over the existing rpc_pipefs partition. The initramfs file system now mounts entries in /etc/fstab.sys, which fixes the problem.
- BZ#707609
- The dm-mod and dm-crypt kernel modules were missing from the list of kernel modules, which are pre-loaded for the FIPS-140 check. These modules have been added to the list with this update.
- BZ#712254
- When loading SELinux from inside initramfs, the output of the SELinux commands could be garbled if the user used non-Latin locales. The initramfs file system has been modified to turn off localization for the SElinux commands, which results in readable messages.
- BZ#737134
- The QLogic qla4xxx iSCSI driver and the iSCSI (Internet Small Computer System Interface) transport layer now support iSCSI boot from Storage Area Network (SAN) using the iscsistart. With this update, dracut is modified to support these changes.
- BZ#737593
- If the user installed a system with rootfs on a RAID device where RAID members were encrypted, dracut failed to assemble the RAID device on reboot. As a consequence, the system did not boot. A patch has been applied to address this issue, and the RAID device is now assembled on every boot so that the system boots successfully.
- BZ#741430
- When applying SELinux labels for /dev in initramfs, the restorecon tool did not alter the MCS/MLS label only types. To fix this problem, the "-F" option has been added to all calls of restorecon.
- BZ#742920
- Prior to this update, the boot process timed out for network settings with DHCP involved. A patch has been applied to extend the timeout interval if DHCP is involved, which fixes the problem.
Enhancements
- BZ#701864
- This update adds support for iSCSI (Internet Small Computer System Interface) partial offload functionality for certain Broadcom network devices.
- BZ#740487
- This update adds the dracut-fips-aesni subpackage. Note that the package should be installed when using the aesni-intel module in FIPS mode.
- BZ#723548
- This update adds support for Logical Volume Management (LVM) mirror devices to serve as root devices. Additionally degraded mirrors are used after a certain timeout if the other half cannot be found at booting time.
- BZ#729573
- This update adds support for configuring an interface with automatic IPv6 and DHCP over IPv4 by using the "ip=[interface]:dhcp,auto6" command line parameter.
- BZ#736094
- With this update, the Broadcom FCoE (Fibre Channel over Ethernet) offload driver is now supported.
Bug Fixes
- BZ#790943
- When sourcing dracut modules, dracut did not check whether the "install" script for the module exists and is executable. Therefore, if the script was missing, an attempt to execute the script failed. As a consequence, dracut did not execute the "installkernel" script, and the module was not included in the initramfs image. This problem has been fixed, dracut now performs the check and only executes the "install" script when it exists. Then, the "installkernel" script is correctly executed and the module is installed in the initramfs image.
- BZ#791128
- Previously, dracut did not correctly handle a situation when booting a system with a degraded RAID array. In such a case, the initial RAM disk image (initramfs) was not able to start the array and the system did not boot. With this update, the initramfs forces the array to start and the system now boots as expected.
4.52. dump
Bug Fixes
- BZ#702593
- Prior to this update, the dump utility passed wrong arguments to the "clone(2)" system call. As a result, dump became unresponsive when executed on the S/390 or IBM System z architecture. This bug has been fixed in this update so that dump now passes correct arguments and no longer hangs.
- BZ#691434
- Under certain circumstances, the dump utility could have failed to detect holes in files correctly. When a user attempted to restore an erroneous backup using the "restore" command, an error message "Missing blocks at end of [path], assuming hole" could have been displayed. In such case, the backup could have not been restored properly. This bug has been fixed in this update so that dump now handles holes in files as expected.
- BZ#658890
- Prior to this update, the "dump -w" command did not recognize ext4 file systems as supported. With this update, the bug has been fixed so that "dump -w" now recognizes the ext4 file systems as supported.
4.53. e2fsprogs
Bug Fixes
- BZ#676465
- Running the "e2fsck" command on certain corrupted file systems failed to correct all errors during the first run. This occurred when a file had its xattr block cloned as a duplicate, but the block was later removed from the file because the file system did not contain the xattr feature. However, the block was not cleared from the block bitmaps. During the second run, e2fsck found the cloned xattr block as in use, but not owned by any file, and had to repair the block bitmaps. With this update, the processing of duplicate xattr blocks is skipped on non-xattr file systems. All problems are now discovered during the first run.
- BZ#679931
- On certain devices with very large physical sector size, the mke2fs utility set the block size to be as large as the size of the physical sector. In some cases, the size of the physical sector was larger than the page size. As a consequence, the file system could not be mounted and, in rare cases, the utility could even fail. With this update, the default block size is not set to be larger than the system's page size, even for large physical sector devices.
- BZ#683906
- Previously, multiple manual pages contained typos. These typos have been corrected with this update.
- BZ#713475
- This update modifies parameters of the "mke2fs" command to be consistent with the "discard" and "nodiscard" mount options for all system tools (like mount, fsck, or mkfs). The user is now also informed about the ongoing discard process.
- BZ#730083
- Previously, the libcomm_err libraries were built without the read-only relocation (RELRO) flag. Programs built against these libraries could be vulnerable to various attacks based on overwriting the ELF section of a program. To enhance the security, the e2fsprogs package is now provided with partial RELRO support.
Enhancements
- BZ#679892
- Previously, the tune2fs tool could not set "barrier=0" as the default option on the ext3 and ext4 file systems. With this update, users are now able to set this option when creating the file system, and do not have to maintain the option in the /etc/fstab file across all of the file systems and servers.
- BZ#713468
- Previously, raw e2image output files could be extremely large sparse files, which were difficult to copy, archive, and transport. This update adds support for exporting images in the qcow format. Images in this format are small and easy to manipulate.
4.54. emacs
Bug Fix
- BZ#769673
- Emacs did not properly terminate if it was started remotely and the remote client session was closed while Emacs was suspended. Under these conditions, Emacs entered an infinite loop in the code and gradually consumed all available computer resources, which caused the system to become unstable. With this update, Emacs has been modified, and it now terminates correctly when the remote session is closed.
Bug Fix
- BZ#796053
- In ispell mode, Emacs used the spell checkers in the following order: Ispell, Aspell, and Hunspell. However, Ispell is no longer available and Aspell does not have any dictionaries installed by default. Consequently, because Emacs found Aspell before the default Hunspell, the spell check failed and Emacs reported the following error message:
ispell-init-process: Error: No word lists can be found for the language "en_US".
With this update, Emacs has been modified to look for the spell checkers in the following order: Hunspell, Aspell, and Ispell. This ensures that Hunspell is used by default when it is available.
4.55. esc
Bug Fixes
- BZ#253077
- If the user resized an ESC window and closed it, the window did not preserve its size when opening it again. If the user wanted the window to be larger, for example, to make it easier to read, the user had to resize the window every single time when it was opened again. A patch has been applied to address this issue and the previous window size is now restored when opening ESC.
- BZ#682216
- Previously, during the shut down sequence of the escd daemon, the daemon reported a failure of certain instances. ESC terminated unexpectedly with a segmentation fault as a consequence. This update modifies the daemon to exit quietly. As a result, ESC no longer terminates unexpectedly.
- BZ#702683
- The esc-prefs.js file contains helpful commented settings designed to assist the user in trying rarely used settings if the situation warrants. A number of these settings in the file contained typos. The typos have been corrected with this update.
- BZ#704281
- Previously, ESC could have terminated with a segmentation fault after the user had inserted a new smart card into the reader. This was due to a bug in the code which helped to bring a pop-up window to the foreground. The code is no longer needed to assure window focus, therefore it is no longer being executed. As a result, ESC no longer terminates in the scenario described.
Bug Fixes
- BZ#807264
- The ESC utility did not start when the latest 10 series release of the XULRunner runtime environment was installed on the system. This update includes necessary changes to ensure that ESC works as expected with the latest version of XULRunner.
- BZ#807806
- After removing and replacing an enrolled token, ESC could terminate unexpectedly followed by a traceback. A patch has been applied to address this issue and ESC now displays the enrolled smart card details as expected.
4.56. expat
Security Fixes
- CVE-2012-0876
- A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
- CVE-2012-1148
- A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
4.57. fcoe-utils
Bug Fixes
- BZ#639466
- When stopping the fcoe service, the fcoe initscript did not properly clean up after itself as expected (did not remove FCoE devices, kill related processes and unload FCoE drivers). As a consequence, FCoE interfaces were not brought down and FCoE related threads were still running after the fcoe had been stopped. The "service fcoe stop" command is used to ensure safe after-update service restarts on FCoE dependent systems, therefore it cannot be used to remove FCoE devices and unload related kernel modules. Concerning this situation, the initscript has been modified to use the "stop force" command option to completely remove FCoE devices and unload related kernel modules. The fcoe service now should be stopped using the "service fcoe stop force" command.
- BZ#732485
- When removing a network interface with no fcoe port using the "fcoeadm -d" command, the fcoe port state machine set the removal operation incorrectly to wait without responding to fcoemon. This led to an internal error because fcoemon timed out waiting for the response. To resolve the problem, the code has been modified to return the code for no further action under these circumstances. The "fcoeadm -d" command now works for interfaces without the fcoe port as expected.
- BZ#732485
- The fcoemon service did not maintain any information about the relative state of a physical network interface and its dependent VLAN interfaces. As a consequence, the fcoe port of the VLAN interface could have been out of sync with the fcoe port of the physical device, resulting in undesired behavior, such as processing link events improperly. To fix this problem, a ready flag has been introduced. This flag is set to false when the physical port is disabled. Link events are now processed correctly for the vlan ports.
- BZ#732485
- When answering to an FCoE Initialization Protocol (FIP) VLAN Discovery request, some switches encapsulate FIP VLAN Discovery replies in a VLAN 0 tag which is wrapped around the packet's FIP frame header. Previously, when a packet containing such a reply reached a target network interface, some devices did not remove the VLAN tag before they started to process the FIP header. If the VLAN tag was not removed, the length of the processed header was larger than was expected, therefore the FIP parsing logic was not able to parse the FIP header correctly causing a loss of the packet. With this update, the parsing logic has been modified to skip over the VLAN header when necessary, and point to the correct start of the FIP header.
- BZ#743689
- The timeout for a kernel reply to fcoeadm operations was set to 5 seconds, which was not enough when processing an fcoeadm operation on a system with a large number of FCoE ports while a kernel was under heavy load. As a consequence, the "internal error" message was displayed even though the operation was finished successfully. To prevent this bug, the timeout for the kernel reply was increased to 30 seconds. No error message is now sent when an fcoeadm operation succeeds.
4.58. fence-agents
Bug Fixes
- BZ#731166
- Due to a change in REST API, the fence_rhevm utility incorrectly reported status "UP" as "RUNNING". Consequently, the "fence_rhevm -o status" command always reported "OFF". This bug has been fixed, and fence_rhevm now reports status correctly.
- BZ#718924
- The fence_drac5 agent failed to clear its SSH sessions on exit as expected by firmware. Consequently, the fence agent appeared to be still connected to the device, and once the connection limit was reached, further logins to the device were not allowed. This bug has been fixed, and fence_drac5 now clears its SSH sessions properly.
- BZ#693428
- The "monitor" and "status" commands of the fence_ipmilan agent returned chassis status instead of the fence device status. As a result, when a server chassis was powered off, the fence_ipmilan agent exited with the incorrect result code "2" when passed one of these commands. Now, fence_ipmilan returns the correct result code "0" in the described scenario.
- BZ#708052
- When a blade server was removed from a blade chassis and was fenced via the fence_bladecenter utility with the "--missing-as-off" option enabled, and was scheduled with the "reboot" action, the fence failed. This bug has been fixed, and fence_bladecenter no longer returns an error if a blade server is missing.
- BZ#718196
- A list operation on fence_drac5 agents resulted in unexpected termination of fence agents. A patch has been provided to address this issue, and fence_drac5 agents now work correctly in the described scenario.
- BZ#718207
- When the pyOpenSSL package was not present in the system, when an error occurred, the fence_ilo agent terminated with a generic error message, making it difficult to debug the problem. Now, fence_ilo reports that a dependent package is missing in the described scenario, thus fixing this bug.
- BZ#732372
- The verbose mode of the fence_ipmilan agent exposed user passwords when the whole command was logged by an IPMI tool. Now, the fence_ipmilan output has been changed, and passwords remain undisclosed in the described scenario.
- BZ#738384
- During simultaneous unfencing operations performed via the fence_scsi agent, all nodes launched their reservation commands at the same time. Consequently, some of the commands failed. Now, fence_scsi retries to unfence a node until its reservation command succeeds.
- BZ#734429
- A null dereference was discovered in the fence_kdump agent, when the strchr() function returned the NULL value. With this update, the dereference has been fixed in the code and no longer occurs.
Enhancements
- BZ#624673
- With this update, the new fence_vmware_soap() function has been provided to enable fencing of VMware guests in ESX environments.
- BZ#461948
- The fence_kdump utility has been updated to integrate fencing with the kernel dump environment.
- BZ#698365
- With this update, the RelaxNG schema generation for fence-agents has been updated with the rha:description and rha:name attributes in its output to fence attribute group elements.
- BZ#726571
- The fence_ipmilan agent has been updated to support the -L option of the ipmilan daemon, thus supporting fencing with user session privileges level.
Bug Fix
- BZ#785816
- The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "powering_up", "paused", "migrating", "unknown", "not_responding", "wait_for_launch", "reboot_in_progress", "saving_state", "restoring_state", "suspended", "image_illegal", "image_locked" or "powering_down". Previously, only if the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states although the machine was actually running. This allowed for successful fencing even before the machine was really powered off. With this update, the fence_rhevm agent detects power status of a cluster node more conservatively, and the "off" status is returned only if the machine is really powered off, it means in the "off" state.
Bug Fix
- BZ#811873
- Previously, the fence_vmware_soap fence agent did not expose the full path to a virtual machine that is required for fencing. With this update, fence_vmware_soap has been modified to support identification of virtual machines as expected.
Bug Fix
- BZ#814843
- Previously, fencing a Red Hat Enterprise Linux cluster node with the fence_soap_vmware fence agent running in a virtual machine on VMWare could fail with the following error message:
KeyError: 'config.uuid'
This was because the fence agent was not able to work with more than one hundred machines in a cluster. With this update, the underlying source code has been modified to support fencing of such clusters.
Bug Fix
- BZ#1012574
- Prior to this update, the fence agent for IPMI (Intelligent Platform Management Interface) could return an invalid return code when the "-M cycle" option was used. This invalid return code could cause invalid interpretation of success of a fence action, eventually causing the cluster to become unresponsive. This bug has been fixed and only predefined return codes are now returned in the described scenario.
4.59. fence-virt
Bug Fixes
- BZ#719645
- Prior to this update, the domain parameter was missing from the metadata. As a consequence, existing configurations utilizing the domain parameter did not function correctly when fencing. This update adds the domain parameter for compatibility. Now, existing configurations work as expected.
- BZ#720767
- Prior to this update, hash mismatches falsely returned successes for fencing. As a consequence, data corruption could occur in live-hang scenarios. This update corrects the hash handling of mismatches. Now, no more false successes are returned and the data integrity is preserved.
Enhancement
- BZ#691200
- With this update, the libvirt-qpid plugin now operates using QMF version 2.
Bug Fix
- BZ#807270
- Previously, the libvirt-qpid plug-in was linked directly against Qpid libraries instead of being linked only against QMFv2 libraries. As a consequence, newer versions of Qpid libraries could not be used with the libvirt-qpid plug-in. This update modifies the appropriate makefile so that libvirt-qpid is no longer linked directly against the Qpid libraries. The libvirt-qpid plug-in does not have to be re-linked to work with the newer Qpid libraries.
4.60. file
Bug Fixes
- BZ#676045, BZ#712992, BZ#712988
- Prior to this update, the file utility could have been unable to recognize RPM files for certain supported architectures. This update improves the file type recognition, and the RPM files for all supported architectures are now correctly identified as expected.
- BZ#688700
- Prior to this update, the file utility did not correctly recognized the IBM System z kernel images. This problem has been corrected so that the IBM System z kernel images are now correctly recognized as expected.
- BZ#692098
- Prior to this update, the file utility attempted to show information related to core dumps for binary files that were not core dumps. This undesired behavior has been fixed in this update so that information related to core dumps is showed only for core dumps and not for the binary files which are not core dumps.
- BZ#675691
- Prior to this update, file patterns for LaTeX checked only the first 400 bytes of a file to determine the pattern type. This caused an incorrect pattern type recognition as some files could have contained a larger number of comments at the beginning of the file. Furthermore, file patterns which matched a Python script were tried before the LaTeX patterns and this undesired behavior could have caused an incorrect pattern type recognition as LaTeX files could have included a source code written in Python. With this update, the aforementioned problems have been fixed by increasing the number of first bytes checked for a LaTeX file to 4096 bytes, and by trying the LaTeX patterns before the Python patterns.
- BZ#690801
- Prior to this update, there were several spelling mistakes contained in the magic(5) manual page. This update corrects the spelling mistakes in the respective manual page.
- BZ#716665
- Prior to this update, the file utility treated MP3 files as text files, and therefore was unable to recognize the MP3 files. This undesired behavior has been fixed in this update, and the file utility now treats the MP3 files as binary files and is able to properly recognize them.
4.61. filesystem
Bug Fix
- BZ#620063
- Prior to this update, certain locale subdirectories in the /usr/share/locale/ directory did not have any owner set. With this update, this bug has been fixed so that the filesystem package now owns the subdirectories of the following locales: bg_BG (Bulgarian), en_NZ (New Zealand English), fi_FI (Finnish), gl_ES (Galician), lv_LV (Latvian), ms_MY (Malaysian), sr_RS (Serbian), en@shaw (Shavian), zh_CN.GB2312 (Chinese Simplified), sr@ijekavian (Serbian Jekavian), and sr@ijekavianlatin (Serbian Jekavian Latin).
4.62. fipscheck
Enhancement
- BZ#727277
- Prior to this update, the fipscheck library was linked without support for read-only relocations (RELRO) flags. The updated fipscheck packages are now provided with partial RELRO support.
4.63. firefox
Security Fixes
- CVE-2011-3659
- A use-after-free flaw was found in the way Firefox removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0442
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0444
- A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0449
- A flaw was found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). A web page containing a malicious SVG image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2011-3670
- The same-origin policy in Firefox treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets.
Security Fixes
- CVE-2012-0461, CVE-2012-0462, CVE-2012-0464
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0456, CVE-2012-0457
- Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0455
- A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame.
- CVE-2012-0458
- It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox.
- CVE-2012-0459
- A flaw was found in the way Firefox parsed certain web content containing "cssText". A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0460
- It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing.
- CVE-2012-0451
- A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw.
Bug Fixes
- BZ#729632
- When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox.
- BZ#784048
- Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash.
- BZ#799042
- The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the "/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These directories are created by the xulrunner package; however, they were missing from the xulrunner package provided by the RHEA-2012:0327 update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing dependency errors when attempting to install the java-1.6.0-ibm-plugin or java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This issue did not affect users of Red Hat Enterprise Linux 6.
Security Fixes
- CVE-2011-3062
- A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential exploits in malformed OpenType fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0467, CVE-2012-0468, CVE-2012-0469
- A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0470
- A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0472
- A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0478
- A flaw was found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-0471
- A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-0473
- A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page containing malicious content could cause Firefox to crash.
- CVE-2012-0474
- A flaw in Firefox allowed the address bar to display a different website than the one the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks.
- CVE-2012-0477
- A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
- CVE-2012-0479
- A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Firefox to display the address of said content in the location bar, but not the content in the main window. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.
Security Fixes
- CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947
- Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
- CVE-2012-1944
- Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS).
- CVE-2012-1945
- If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems.
4.64. firstaidkit
Bug Fixes
- BZ#664876
- Previously, FirstAidKit's GRUB plug-in incorrectly reported failure if GRUB was installed into the Master Boot Record (MBR). Due to the plug-in being unreliable, it has been removed from the firstaidkit package.
- BZ#738563
- The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a consequence, in rare cases, the system upgrade operation may fail with unresolved dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before upgrading the system. However, in most cases, the system upgrade completes as expected.
4.65. firstboot
Bug Fixes
- BZ#700283
- Previously, the Traditional Chinese translation (zh_TW) of the Forward button on the welcome page was different from the action mentioned in the text, on the same page, referring to this button. This update provides the corrected translation.
- BZ#700305
- Previously, when running firstboot in Japanese locale and the user attempted to continue without setting up an account, an untranslated warning message appeared. With this update, the message is properly translated into Japanese.
4.66. freetype
Security Fixes
- CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144
- Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143
- Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
4.67. fuse
Bug Fix
- BZ#723757
- Prior to this update, fusermount used an incorrect path to unmount. As a result, fusermount was unable to unmount mounted fuse file systems. This update, modifies fusermount to use the correct mount path. Now, mounted fuse file systems can be successfully unmounted with fusermount.
4.68. gcc
Bug Fixes
- BZ#696352
- The previous version of GCC incorrectly assumed that processors based on the AMD's multi-core architecture code named Bulldozer support the 3DNow! instruction set. This update adapts the underlying source code to make sure that GCC no longer uses the 3DNow! instructions on these processors.
- BZ#705764
- On the PowerPC architecture, GCC previously passed the V2DImode vector parameters using the stack and returned them in integer registers, which does not comply with the Application Binary Interface (ABI). This update corrects this error so that GCC now passes these parameters using the AltiVec parameter registers and returns them via the AltiVec return value register.
- BZ#721376
- Previously, GCC did not flush all pending register saves in a Frame Description Entry (FDE) before inline assembly instructions. This may have led to various problems when the inline assembly code modified those registers. With this update, GCC has been adapted to flush pending register saves in FDE before inline assembly instructions, resolving this issue.
- BZ#732802
- Prior to this update, the gcov test coverage utility sometimes incorrectly counted even opening brackets, which caused it to produce inaccurate statistics. This update applies a patch that corrects this error so that gcov ignores such brackets, as expected.
- BZ#732807
- When processing source code that extensively used overloading (that is, with hundreds or more overloads of the same function or method), the previous version of the C++ front end consumed a large amount of memory. This negatively affected the overall compile time and the amount of used system resources. With this update, the C++ front end has been optimized to use less resources in this scenario.
Enhancements
- BZ#696145
- This update adds support for new "-mfsgsbase", "-mf16c", and "-mrdrnd" command line options, as well as corresponding intrinsics to the immintrin.h header file. This allows for reading FS and GS base registers, retrieving random data from the random data generator, and converting between floating point and half-precision floating-point types.
- BZ#696370
- GCC now supports AMD's next generation processors. These processors can now be specified on the command line via the "-march=" and "-mtune=" command line options.
- BZ#696495
- GCC now supports Intel's next generation processor instrinsics and instructions for reading the hardware random number generator.
4.69. gdb
Bug Fixes
- BZ#669432
- Prior to this update, GDB could stop on error when trying to access the libpthread shared library before the library was relocated. Fixed GDB lets the relocations to be resolved first, making such program debuggable.
- BZ#669434
- The Intel Fortran Compiler records certain debug info symbols in uppercase but the gfortran compiler writes case-insensitive symbols in lowercase. As a result, GDB could terminate unexpectedly when accessing uppercase characters in the debug information from the Intel Fortran Compiler. With this update, GDB properly implements case insensitivity and ignores the symbols case in the symbol files.
- BZ#692386
- When the user selected the "-statistics" option with a negative number as a result, GDB printed the minus sign twice. This has been fixed and GDB now displays negative numbers with one minus sign only.
- BZ#697900
- On the PowerPC and the IBM System z architectures, GDB displayed only LWP (light-weight process) identifiers which matched the Linux TID (Thread Identifier) values for the threads found in the core file. GDB has been fixed to initialize the libthread_db threads debugging library when accessing the core file. GDB now correctly displays the pthread_t identifier in addition to the LWP identifier on the aforementioned architectures.
- BZ#702427
- Structure field offsets above 65535 described by the DWARF DW_AT_data_member_location attribute were improperly interpreted as a 0 value. GDB has been modified and can now handle also large structures and their fields.
- BZ#704010
- The difference between the very closely related "ptype" and "whatis" commands was not clearly defined in the gdb info manual. Detailed differences between these commands have been described in the manual.
- BZ#712117
- Prior to this update, the "info sources" subcommand printed only relative paths to the source files. GDB has been modified to correctly display the full path name to the source file.
- BZ#730475
- Modifying a string in the executable using the "-write" command line option could fail with an error if the executable was not running. With this update, GDB can modify executables even before they are started.
Enhancements
- BZ#696890
- With this update, Float16 instructions on future Intel processors are now supported.
- BZ#698001
- Debugged programs can open many shared libraries on demand at runtime using the dlopen() function. Prior to this update, tracking shared libraries that were in use by the debugged program could lead to overhead. The debugging performance of GDB has been improved: the overhead is now lower if applications load many objects.
- BZ#718141
- Prior to this update, GDB did not handle DWARF 4 .debug_types data correctly. Now, GDB can correctly process data in the DWARF 4 format.
4.70. gdm
Bug Fix
- BZ#860645
- When gdm was used to connect to a server via XDMCP (X Display Manager Control Protocol), another connection to a remote system using the "ssh -X" command resulted in wrong authorization with the X server. Consequently, applications such as xterm could not be displayed on the remote system. This update provides a compatible MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this bug.
Bug Fixes
- BZ#661618
- GDM did not properly queue up multiple authentication messages so that messages could quickly be overwritten by newer messages. The queueing mechanism has been modified, and this problem no longer occurs.
- BZ#628462
- If a Russian keyboard layout was chosen during system installation, the login screen was configured to use Russian input for user names and passwords by default. However, GDM did not provide any visible way to switch between keyboard layouts, and pressing Left Shift and Right Shift keys did not cause the input to change to ASCII mode in GDM. Consequently, users were not able to log in to the system. With this update, GDM allows users to switch keyboard layout properly using the keyboard layout indicator, and users can now log in as expected.
- BZ#723515
- GDM did not properly release file descriptors used with XDMCP indirect queries. As a consequence, the number of file descriptors used by GDM increased with every XDMCP chooser restart, which, in some cases, led to memory exhaustion and a GDM crash. The underlying GDM code has been modified to manage file descriptors properly, and the problem no longer occurs in this scenario.
- BZ#670619
- In multi-monitor setups, GDM always displayed the login window on the screen that was determined as active by the mouse pointer position. This behavior caused unpredictable login window placement in dual screen setups when using the NVIDIA's TwinView Dual-Display Architecture because the mouse pointer initially appeared exactly between the monitors outside of the visible screen. GDM now uses new logic to ensure that the initial placement of the mouse pointer and the login window are consistently on one screen.
- BZ#645453
- The GDM simple greeter login window displayed "Suspend", "Restart" and "Shut Down" buttons even though the buttons were disabled in GDM configuration and the PolicyKit toolkit disallowed any stop, restart, suspend actions on the system. With this update, GDM logic responsible for setting up the greeter login window has been modified and these buttons are no longer displayed under these circumstances
- BZ#622561
- When authenticating to a system and the fingerprint authentication method was enabled, but no fingerprint reader was attached to the machine, GDM erroneously displayed authentication method buttons for a brief moment. With this update, GDM displays authentication method buttons only if the authentication method is enabled and a reading device is connected.
- BZ#708430
- GDM did not properly handle its message queue. Therefore, when resetting a password on user login, GDM displayed an error message from a previous unsuccessful attempt. The queueing mechanism has been modified, and this problem no longer occurs.
- BZ#688158
- When logging into a system using LDAP authentication, GDM did not properly handle LDAP usernames containing backslash characters. As a consequence, such usernames were not recognized and users were not able to log in even though they provided valid credentials. With this update, GDM now handles usernames with backslash characters correctly and users can log in as expected.
Enhancement
- BZ#799940
- Previously, X server audit messages were not included by default in the X server log. Now, those messages are unconditionally included in the log. Also, with this update, verbose messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf file (by setting "Enable=true" in the [debug] section).
4.71. ghostscript
Security Fixes
- CVE-2009-3743
- An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
- CVE-2010-2055
- It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code.
- CVE-2010-4820
- Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default.
Note
The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first). - CVE-2010-4054
- A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
4.72. glibc
Security Fixes
- CVE-2009-5064
- A flaw was found in the way the ldd utility identified dynamically linked libraries. If an attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary code execution with the privileges of the user running ldd.
- CVE-2011-1089
- It was found that the glibc addmntent() function, used by various mount helper utilities, did not handle certain errors correctly when updating the mtab (mounted file systems table) file. If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab file.
Bug Fixes
- BZ#676467
- The installation of the glibc-debuginfo.i686 and glibc-debuginfo.x86_64 packages failed with a transaction check error due to a conflict between the packages. This update adds the glibc-debuginfo-common package that contains debuginfo data that are common for all platforms. The package depends on the glibc-debuginfo package and the user can now install debuginfo packages for different platforms on a single machine.
- BZ#676591
- When a process corrupted its heap, the
malloc()
function could enter a deadlock while creating an error message string. As a result, the process could become unresponsive. With this update, the process uses themmap()
function to allocate memory for the error message instead of themalloc()
function. Themalloc()
deadlock therefore no longer occurs and the process with a corrupted heap now aborts gracefully. - BZ#692838
- India has adopted a new symbol for the Indian rupee leaving the currency symbol for its Unicode U20B9 outdated. The rupee symbol has been updated for all Indian locales.
- BZ#694386
- The
strncmp()
function, which compares characters of two strings, optimized for IBM POWER4 and POWER7 architectures could return incorrect data. This happened because the function accessed the data past the zero byte (\0) of the string under certain circumstances. With this update, the function has been modified to access the string data only until the zero byte and returns correct data. - BZ#699724
- The
crypt()
function could cause a memory leak if used with a more complex salt. The leak arose when the underlying NSS library attempted to call the dlopen() function from libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen() with the RTLD_NOLOAD flag has been fixed and the memory leak no longer occurs. - BZ#700507
- On startup, the
nscd
daemon logged the following error into the log file if SELinux was active:rhel61 nscd: Can't send to audit system: USER_AVC avc: netlink poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?
This happened because glibc failed to preserve the respective capabilities on UID change in the AVC thread. With this update, the AVC thread preservers the respective capabilities after thenscd
startup. - BZ#703481, BZ#703480
- When a host was temporarily unavailable, the
nscd
daemon cached an error, which did not signalize that the problem was only transient, and the request failed. With this update, the daemon caches a value signalizing that the unavailability is temporary and retries to obtain new data after a set time limit. - BZ#705465
- When a module did not provide its own method for retrieving a user list of supplemental group memberships, the libc library's default method was used instead and all groups known to the module were examined to acquire the information. Consequently, applications which attempted to retrieve the information from multiple threads simultaneously, interfered with each other and received an incomplete result set. This update provides a module-specific method which prevents this interference.
- BZ#706903
- On machines using the Network Information Service (NIS), the
getpwuid()
function failed to resolve UIDs to user names when using the passwd utility in the compat mode with a big netgroup. This occurred because glibc was compiled without the -DUSE_BINDINGDIR=1 option. With this update, glibc has been compiled correctly andgetpwuid()
function works as expected. - BZ#711927
- A debugger could have been presented with an inconsistent state after loading a library. This happened because the ld-linux program did not relocate the library before calling the debugger. With this update, the library is relocated prior to the calling of the debugger and the library is accessed successfully.
- BZ#714823
- The getaddrinfo() function internally uses the simpler gethostbyaddr() functions. In some cases, this could result in incorrect name canonicalization. With this update, the code has been modified and the getaddrinfo() function uses the gethostbyaddr() functions only when appropriate.
- BZ#718057
- The getpwent() lookups to LDAP (Lightweight Directory Access Protocol) did not return any netgroup users if the NIS (Network Information Service) domain for individual users was not defined in
/etc/passwd
. This happened when the nss_compat mode was set as the mode was primarily intended for use with NIS. With this update, getpwent returns LDAP netgroup users even if the users have no NIS domain defined. - BZ#730379
- The
libresolv
library is now compiled with the stack protector enabled. - BZ#731042
- The pthread_create() function failed to cancel a thread properly if setting of the real time policy failed. This occurred the because __pthread_enable_asynccancel() function as a non-leaf function did not align the stack on the 16-byte boundary as required by AMD64 ABI (Application Binary Interface). With this update, the stack alignment is preserved accros functions.
- BZ#736346
- When calling the
setgroups
function after creating threads, glibc did not cross-thread signal and supplementary group IDs were set only for the calling thread. With this update, the cross-thread signaling in the function has been introduced and supplementary group IDs are set on all involved threads as expected. - BZ#737778
- The
setlocale()
function could fail. This happened because parameter values were parsed in the set locale. With this update, the parsing is locale-independent. - BZ#738665
- A write barrier was missing in the implementation of addition to linked list of threads. This could result in the list corruption after several threads called the fork() function at the same time. The barrier has been added and the problem no longer occurs.
- BZ#739184
- Statically-linked binaries that call the
gethostbyname()
function terminated because of division by zero. This happened because the getpagesize() function required the dl_pagesize field in the dynamic linker's read-only state to be set. However, the field was not initialized when a statically linked binary loaded the dynamic linker. With this update, the getpagesize() function no longer requires a non-zero value in the dl_pagesize field and falls back to querying the value through the syscall() function if the field value is not set.
Enhancements
- BZ#712248
- For some queries, the pathconf() and fpathconf() functions need details about each filesystem type: mapping of its superblock magic number to various filesystem properties that cannot be queried from the kernel. This update adds support for the Lustre file system to pathconf and fpathconf.
- BZ#695595
- The glibc package now provides functions optimized for the Intel 6 series and Intel Xeon 5600 processors.
- BZ#695963
- The glibc package now supports SSE2 (Streaming SIMD Extensions 2) instructions on the
strlen()
function for the AMD FX processors. - BZ#711987
- This update adds the f_flags field to support the
statvfs
output received from kernel. - BZ#738763
- The Linux kernel supports the UDP
IP_MULTICAST_ALL
socket option, which provides the ability to turn off IP Multicast multiplexing. This update adds the option to glibc.
Security Fixes
- CVE-2009-5029
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
- CVE-2011-4609
- A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time.
Bug Fixes
- BZ#754116
- glibc had incorrect information for numeric separators and groupings for specific French, Spanish, and German locales. Therefore, applications utilizing glibc's locale support printed numbers with the wrong separators and groupings when those locales were in use. With this update, the separator and grouping information has been fixed.
- BZ#766484
- The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly parse groups with more than 126 members, resulting in applications such as "id" failing to list all the groups a particular user was a member of. With this update, group parsing has been fixed.
- BZ#769594
- glibc incorrectly allocated too much memory due to a race condition within its own malloc routines. This could cause a multi-threaded application to allocate more memory than was expected. With this update, the race condition has been fixed, and malloc's behavior is now consistent with the documentation regarding the MALLOC_ARENA_TEST and MALLOC_ARENA_MAX environment variables.
Security Fix
- CVE-2012-0864
- An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
Bug Fixes
- BZ#783999
- Previously, the dynamic loader generated an incorrect ordering for initialization according to the ELF specification. This could result in incorrect ordering of DSO constructors and destructors. With this update, dependency resolution has been fixed.
- BZ#795328
- Previously, locking of the main malloc arena was incorrect in the retry path. This could result in a deadlock if an sbrk request failed. With this update, locking of the main arena in the retry path has been fixed. This issue was exposed by a bug fix provided in the RHSA-2012:0058 update.
- BZ#799259
- Calling memcpy with overlapping arguments on certain processors would generate unexpected results. While such code is a clear violation of ANSI/ISO standards, this update restores prior memcpy behavior.
Bug Fixes
- BZ#802855
- Previously, glibc looked for an error condition in the wrong location and failed to process a second response buffer in the gaih_getanswer() function. As a consequence, the getaddrinfo() function could not properly return all addresses. This update fixes an incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the second response buffer. The getaddrinfo() function now correctly returns all addresses.
- BZ#813859
- Previously, if the nscd daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying "A" or "AAAA" response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record. DNS entries are reloaded as expected in this scenario.
4.73. gmp
Bug Fix
- BZ#798771
- Previously, the interface provided by the gmp library was changed. This resulted in one exported symbol being absent in Red Hat Enterprise Linux 6 (when compared to the Red Hat Enterprise Linux 5 system). In addition, the symbol could have been reported as missing under certain circumstances. To fix this problem, this update adds the missing symbol back to the library.
4.74. gnome-power-manager
Bug Fix
- BZ#822946
- Previously, it was possible for the user to log out of the system or shut it down while the PackageKit update tool was running and writing to the RPM database (rpmdb). Consequently, rpmdb could become damaged and inconsistent due to the unexpected termination and cause various problems with subsequent operation of the rpm, yum, and PackageKit utilities. This update modifies PackageKit to not allow shutting down the system when a transaction writing to rpmdb is active, thus fixing this bug.
Bug Fix
- BZ#800267
- After resuming the system or re-enabling the display, an icon could appear in the notification area with an erroneous tooltip that read "Session active, not inhibited, screen idle. If you see this test, your display server is broken and you should notify your distributor." and included a URL to an external web page. This error message was incorrect, had no effect on the system and could be safely ignored. In addition, linking to an external URL from the notification and status area is unwanted. To prevent this, the icon is no longer used for debugging idle problems.
4.75. gnome-screensaver
Bug Fixes
- BZ#648850
- When the user locked the screen and the X Window System did not support the X Resize, Rotate (XRandR) or XF86VM gamma fade extensions, then the gnome-screensaver utility terminated with a segmentation fault. With this update, additional checks are made before calling the fade_setup() function, and gnome-screensaver no longer terminates.
- BZ#697892
- Prior to this update, the Unlock dialog box arbitrarily changed between the monitors in dual head setups, based on the position of the mouse pointer. The Unlock dialog box is now placed on a consistent monitor instead of where the mouse is located.
- BZ#719023
- Previously, when docking a laptop and using an external monitor, parts of the background got cut off due to incorrect logic for determining monitor dimensions. With this update, the source code is modified and the login screen is now displayed correctly.
- BZ#740892
- Previously, in rare cases, the screen saver entered a deadlock if monitors were removed during the fade up. The screen was locked as a consequence. This update modifies gnome-screensaver so that the screen saver responds as expected.
Enhancement
- BZ#677580
- Previously, there was no indicator of the keyboard layout when the screen was locked. Users who used more than one layout did not know which layout was active. Consequently, users could be forced to type the password several times. This update adds the missing keyboard layout indicator.
4.76. gnome-session
Bug Fix
- BZ#664516
- Prior to this update, the gnome-session utility may have improperly saved desktop sessions. As a consequence, when logging in, the running applications were incorrectly collapsed from multiple workspaces into the first workspace and their initial position was not restored. This has been fixed: applications are now restored in their original workspaces and correctly positionally placed.
Enhancement
- BZ#622849
- Prior to this update, users were not able to manage multiple custom GNOME sessions while being logged in. Now, multiple sessions can be managed under the Options tab of System -> Preferences -> Startup Applications.
4.77. gnome-system-monitor
Enhancement
- BZ#571597
- Previously, the CPU History graph could be hard to read if it displayed large numbers of CPUs. This update modifies the design: scrollbars were added for easier manipulation of the window and random color is now generated to each CPU.
4.78. gnome-terminal
Bug Fix
- BZ#655132
- Previously, the regular expression used to find URLs in the text was missing a colon character. As a consequence, the URL containing a colon was not interpreted correctly. With this update, a colon character has been added to the regular expression so that the URL is now properly interpreted.
4.79. gnutls
Security Fixes
- CVE-2012-1573
- A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.
- CVE-2011-4128
- A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
4.80. gpm
Bug Fix
- BZ#684920
- Prior to this update, it was not possible to build the gpm packages on the supported platforms if the emacs package was installed. This problem has been resolved with this update and no longer occurs.
4.81. gpxe
Bug Fix
- BZ#743893
- Prior to this update, PXE failed to boot a virtual machine which used the virtio network interface card (NIC). An upstream patch, which incorporates the latest upstream gPXE paravirtualized network adapter (virtio-net) driver and removes the legacy Etherboot virtio-net driver, has been applied to fix this problem. Now, PXE can successfully boot virtual machines that use virtio NIC.
4.82. graphviz
Bug Fixes
- BZ#624658
- Several links in the Graphviz Documentation Index file led to nonexistent or incorrectly named files. This update fixes these links so that their targets resolve correctly.
- BZ#624690
- The graphviz test suite was disabled on the PowerPC, 64-bit PowerPC and SPARC64 architectures due to unexpected terminations with segmentation faults. The test code used in the test suite did not set the TextLayout plugin correctly, which led to the crash of the test suite. This has been fixed and the test suite passes on all architectures.
- BZ#640247
- Prior to this update, the About dialog box displayed "<unknown>" instead of the real name of the DotEdit utility. This has been fixed and the name is now displayed correctly.
- BZ#679715
- When using the graphviz utility with PHP, the gv.so module did not load and displayed the following error message:
/usr/lib64/php/modules/gv.so' - /usr/lib64/php/modules/gv.so: undefined symbol: zend_error_noreturn in Unknown on line 0
This was caused by the SWIG tool which used the zend_error_noreturn() function to build the PHP module. SWIG has been modified and the bug no longer occurs.
4.83. grub
Bug Fixes
- BZ#677468
- Due to an error in the underlying source code, previous versions of GRUB may have failed to boot in Unified Extensible Firmware Interface (UEFI) mode. This happened, because GRUB was making UEFI calls without aligning the stack pointer to a 16-byte boundary. With this update, a patch has been applied to correct this error, and GRUB now boots in UEFI mode as expected.
- BZ#736833
- Prior to this update, an attempt to install GRUB on a CCISS device may have caused the grub-install utility to report the following error:
expr: non-numeric argument
When this happened, grub-install failed to install GRUB on this device, but incorrectly reported success and returned a zero exit status. This update applies a patch that ensures that GRUB can now be successfully installed on such devices. - BZ#746106
- When looking for its configuration file, the previous versions of GRUB did not respect vendor-specific EFI device path. With this update, the underlying source code has been adapted to use the vendor-specific EFI-device path as expected.
Enhancements
- BZ#629408
- Prior to this update, the GRUB boot loader was unable to boot from boot drives that were larger than 2.2 TB. This update adds support for such devices on UEFI systems.
- BZ#671355
- On BIOS-based systems, previous versions of GRUB were only able to boot from first eight disk drives. This update allows GRUB to boot from up to 128 disk drives on these systems.
4.84. guile
Bug Fix
- BZ#659674
- Due to a problem in the build test suite, the guile package failed to build. The problem has been resolved in this update so that the guile package now builds properly.
4.85. httpd
Security Fix
- CVE-2011-3639, CVE-2011-4317
- It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI.
- CVE-2012-0053
- The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.
- CVE-2011-3607
- An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user.
- CVE-2012-0031
- A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.
Bug Fixes
- BZ#694939
- The Apache module "mod_proxy" implements a proxy or gateway for the Apache web server. The "ProxyErrorOverride On" option did not work if used with "mod_proxy_ajp", the AJP support module for mod_proxy. Consequently when accessing a 404 URL in the "/static" context, which was proxied with AJP, the 404 page from the proxy was displayed rather than the 404 page from Apache itself. This update corrects the code and accessing 404 URLs now works as intended, via Apache, as defined in "ErrorDocument".
- BZ#700074
- When a backend server sends data via SSL, and is using chunked transfer encoding, the backend splits the chunk between two different SSL blocks. Prior to this update, when transferring data via SSL through a reverse proxy implemented with Apache, "mod_proxy", and "mod_ssl", the end of the first SSL block was sometimes lost and the length of the next chunk was thus invalid. Consequently, files were sometimes corrupted during transfer via SSL. This updates implements a backported fix to this problem and the error no longer occurs.
- BZ#700075
- The "FilterProvider" directive of the "mod_filter" module was unable to match against non-standard HTTP response headers. Consequently, output content data was not filtered or processed as expected by httpd in certain configurations. With this update, a backported patch has been applied to address this issue, and the FilterProvider directive is now able to match against non-standard HTTP response headers as expected.
- BZ#700393
- In situations where httpd could not allocate memory, httpd sometimes terminated unexpectedly with a segmentation fault rather than terminating the process with an error message. With this update, a patch has been applied to correct this issue and httpd no longer crashes in the scenario described.
- BZ#714704
- Server Name Indication (SNI) sends the name of the virtual domain as part of the TLS negotiation. Prior to this enhancement, if a client sent the wrong SNI data the client would be rejected. With this update, in configurations where SNI is not required, "mod_ssl" can ignore the SNI hostname "hint".
- BZ# 720980
- Prior to this update, httpd terminated unexpectedly on startup with a segmentation fault when proxy client certificates were shared across multiple virtual hosts (using the SSLProxyMachineCertificateFile directive). With this update a patch has been applied and httpd no longer crashes in the scenario described.
- BZ#729585
- When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown or invalid value, the httpd daemon would terminate unexpectedly with a segmentation fault at startup. With this update the code has been corrected, httpd no longer crashes, and httpd will issue an appropriate error message in this scenario.
- BZ#737960
- If using mod_proxy_ftp, an httpd process could terminated unexpectedly with a segmentation fault when tests were made on an IPv6 localhost enabled machine. This update implements improvements to the code and the mod_proxy_ftp process no longer crashes in the scenario described.
- BZ#740242
- When using the "mod_cache" module, by default, the "CacheMaxExpire" directive is only applied to responses which do not specify their expiry date. Previously, it was not possible to limit the maximum expiry time for all resources. This update applies a patch which adapts the mod_cache module to provide support for "hard" as a second argument of the CacheMaxExpire directive, allowing a maximum expiry time to be enforced for all resources.
- BZ#676634
- The "mod_reqtimeout" module, when enabled, allows fine-grained timeouts to be applied during request parsing. The mod_reqtimeout module has been backported from upstream in this update.
4.86. hwdata
Enhancements
- BZ#682399
- The pci.ids database has been updated with information about HP Laptop WiFi chipsets.
- BZ#695798
- The pci.ids database has been updated with information about future Intel PCH (Platform Controller Hub) devices.
- BZ#712177
- The pci.ids database has been updated with correct information about QLogic IBA7322 InfiniBand devices.
- BZ#713070
- The pci.ids database has been updated with information about future Atheros wireless devices.
- BZ#739376
- The pci.ids database has been updated with information about future Broadcom wireless devices.
- BZ#728909
- The pci.ids database has been updated according to the latest upstream changes.
4.87. ibus
Bug Fix
- BZ#667031
- IBus did not work on a minimal installation of Red Hat Enterprise Linux 6 if no desktop environment, such as KDE or GNOME, was installed. This issue was caused by the missing dbus-x11 package, which IBus is dependent on. The dbus-x11 package is now included as a prerequisite for IBus in the IBus spec file, and IBus now works as expected.
4.88. ibus-anthy
Bug Fix
- BZ#661597
- Previously, when changing the Candidate Window Page Size setting of Other under the General tab, the im-chooser application had to be restarted for the changes to take effect. This problem has been fixed and the changes made to Candidate Window Page Size now apply immediately.
4.89. ibus-table-erbi
Bug Fixes
- BZ#712805
- Prior to this update, the ibus-table-erbi spec file contained a redundant line which printed the debug message "/usr/share/ibus-table/tables" at the end of installation. The line indicated the working directory of the post-install script and has been removed to fix the problem.
- BZ#729906
- Previously, the table index was updated when running the post-install script of the ibus-table-erbi package. This modified the size of the files, the MD5 Message-Digest Algorithm checksum and the access time of database files. As a consequence, the "rpm -V" command failed with false positive warnings of the aforementioned changes due to the changes not matching the values in the package metadata. This has been fixed: files that are expected to be modified when running the post-install script are now specified with correct verify flags in the spec file.
4.90. icedtea-web
Bug Fixes
- BZ#683479
- The Java Web Start window invoked by the "javaws -about" command contained out-of-date information and could not be closed correctly. The information was out-dated because the Java Network Launching Protocol (JNLP) XML file defined inadequate access permissions to access the about.jnlp file, which contained the update information. With this update, the about information has been moved to an accessible location. The window failed to close as the respective process thread became unresponsive. Now, the window contains up-to-date information and the thread closes correctly.
- BZ#718693
- MindTerm SSH Applet failed to work as it was using class netscape.security.PrivilegeManager, which was not present in icedtea-web. This update adds the class and the applet works as expected.
- BZ#731345, BZ#731358
- Java Web Start and IcedTea plug-in sometimes failed to run as they were calling a java binary with a JDK-based path instead of a JRE-based path. With this update, the package spec file contains the correct definition of the path construction and javaws and icedtea-plugin call the correct java binary.
- BZ#734081
- When running an application with javaws, javaws failed to use the proxy settings from Firefox even though the respective setting was enabled ("Use browser settings") and failed over to the "DIRECT" mode. This happened because javaws was looking for the DEFAULT profile in the Firefox configuration file to acquire the current proxy settings. If it failed to locate the section with the DEFAULT profile, the default "DIRECT" mode was applied. With this update, javaws uses the settings from the last section under these circumstances.
- BZ#741796
- Starting from version 10, Elluminate did not work with IcedTea-Web. This happened because Elluminate specified Class-Path elements in its manifest file which caused a conflict with the jnlp-specified JARs. With this update, the IcedTea-Web plug-in no longer honors the Class-Path elements (just as the Oracle implementation) and Elluminate works with IcedTea-Web as expected.
Note
4.91. icu
Security Fix
- CVE-2011-4599
- A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers. If a specially-crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
4.92. ImageMagick
Security Fix
- CVE-2012-0247
- A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.
- CVE-2012-0248
- A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
- CVE-2010-4167
- It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially-crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code.
- CVE-2012-0259
- An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash.
- CVE-2012-0260
- A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.
- CVE-2012-1798
- An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially-crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash.
4.93. initscripts
Bug Fixes
- BZ#743222
- Previously, the
restorecon
utility did not change MLS (multi-level security) levels unless the-F
parameter was used. As a consequence, the/dev
and/dev/pts
filesystems were not correctly labelled after boot in systems with configured MLS policy. This bug has been fixed and therestorecon -F
command is now used for/dev
and/dev/pts
by default. - BZ#734987
- When an explicit configuration option, such as
crashkernel=128M
, was specified to reserve crash dump memory, thekexec-disable
upstart job unconditionally freed up the memory if thekdump
mechanism was not enabled. This action could not be reverted until a reboot. With this update,kexec-disable
job has been changed to not free reserved memory, unless thecrashkernel
parameter is set toauto
, thus fixing this bug. - BZ#675079
- Previously, when the
/etc/modprobe.d/bonding.conf
file or themodprobe.conf
file was used to set the bonding options, the bond0 interface never came up after a service restart because thearp_ip_target
module was not restored. This bug has been fixed andarp_ip_target
is now restored when configured in one of these files. - BZ#698520
- Previously, there was a bug in the
rc.sysinit
script that allowed to properly set a hostname when more than one IP address was passed to theipcalc
utility. Even though it was difficult to emulate such a scenario, therc.sysinit
script has been fixed to prevent this bug, andipcalc
is now always passed only a single IP address. - BZ#700184
- When a network interface was configured with the NetworkManager utility to statically assign an IP address or a prefix, then NetworkManager was stopped, and the interface was reset via the
ifdown
andifup
utilities, the interface lost its IP address. With this update, the network scripts have been fixed to properly read theIPADDR0
parameter in interface configuration files, and now IP addresses of such interfaces are preserved in the described scenario. - BZ#703475
- Previously, when two VLAN interfaces were bonded together, the
/etc/init.d/network
script got into a loop and became unresponsive, trying to resolve MAC addresses of the interfaces. As a result, the server was prevented from completing its start-up sequence. With this update,/etc/init.d/network
has been fixed, MAC addresses of VLAN interfaces are now resolved properly, and bonds between such interfaces now work as expected. - BZ#705367
- Previously, when the
PREFIX
option was specified for theifcfg
utility while theNETMASK
option was undefined, the netmask was calculated without regard to thePREFIX
value. With this update, theexpand_config()
function has been fixed to use thePREFIX
properly, and the netmask is now calculated correctly in the described scenario. - BZ#702814
- When a system needed to be restarted after an unexpected termination, root password was not accepted to run the emergency shell. With this update, the
rc.sysinit
script has been fixed to run the/bin/plymouth
command instead of/usr/bin/plymouth
, thus fixing this bug. Additionally, other relevant scripts have been updated to properly work with the separated/usr/
directory. - BZ#703210
- Due to a bug in the
/etc/init.d/halt
script, no mount point set up with the wordnfs
in its path could be unmounted at reboot or shut down. This bug has been fixed and such mount points are now unmounted properly. - BZ#681357
- In Red Hat Entreprise Linux 6, when the
emergency
parameter was appended to the kernel command line, the system failed to invoke the sulogin command. With this update, thercS-emergency
task, which is run before therc.sysinit
script ifemergency
is passed to the kernel, has been added, and sulogin is now properly invoked in the described scenario. - BZ#729359
- Due to a bug in the
/etc/sysconfig/network-scripts/ifdown-eth
script, the PID file name passed to thedhclient
utility during a shutdown procedure did not include the IP version prefix. Consequently, leases for IPv6 addresses could not be released. This bug has been fixed and the shut down procedure now works properly both with the IPv4 and IPv6 clients.
Enhancements
- BZ#692240
- Previously, the
ifup
andifdown
scripts explicitly ignored IPv6 configuration files that contained an alias. With this update, clients properly utilize aliases on IPv6 devices in Red Hat Enterprise Linux. - BZ#653630, BZ#672202
- There was a need to have a simple mechanism for troubleshooting network problems, integrated into existing log monitoring facilities. With this update, network scripts have been updated to report errors via the
syslog
utility, and the error messages now appear in configuredsyslog
channels. - BZ#680527
- Previously, configuration options for the
sysctl
utility could only be changed in the/etc/sysctl.conf
file. With this update, several scripts have been updated to also recognize additional configuration files located in the/etc/sysctl.d/
directory. - BZ#692410
- With this update, network start-up scripts have been enhanced to support all
ethtool
command options. These options can be set via theETHTOOL_OPTS
parameter in configuration files located in the/etc/sysconfig/network-scripts/
directory and take effect after reboot. - BZ#696788
- With this update, start-up network scripts have been enhanced to set up static ARP (Address Resolution Protocol) entries located in the
/etc/ethers
file, allowing to load these entries early in the system startup.
Bug Fix
- BZ#789056
- The previous version of initscripts did not support IPv6 routing in the same way as IPv4 routing. IPv6 addressing and routing could be achieved only by specifying the "ip" commands explicitly with the "-6" flag in the "/etc/sysconfig/network-scripts/rule-DEVICE_NAME" configuration file (where "DEVICE_NAME" is a name of the respective network interface). With this update, related network scripts have been modified to provide support for IPv6-based policy routing. IPv6 routing is now configured separately in the the "/etc/sysconfig/network-scripts/rule6-DEVICE_NAME" configuration file.
4.94. ipa
Security Fix
- CVE-2011-3636
- A Cross-Site Request Forgery (CSRF) flaw was found in Red Hat Identity Management. If a remote attacker could trick a user, who was logged into the management web interface, into visiting a specially-crafted URL, the attacker could perform Red Hat Identity Management configuration changes with the privileges of the logged in user.Due to the changes required to fix CVE-2011-3636, client tools will need to be updated for client systems to communicate with updated Red Hat Identity Management servers. New client systems will need to have the updated ipa-client package installed to be enrolled. Already enrolled client systems will need to have the updated certmonger package installed to be able to renew their system certificate. Note that system certificates are valid for two years by default.Updated ipa-client and certmonger packages for Red Hat Enterprise Linux 6 were released as part of Red Hat Enterprise Linux 6.2. Future updates will provide updated packages for Red Hat Enterprise Linux 5.
Bug Fixes
- BZ#705800
- When installation of Identity Management clients failed, the debugging information shown in the
/var/log/ipaclient-install.log
file did not provide enough information to determine the cause of the failure. With this update, the/var/log/ipaclient-install.log
file contains improved debugging messages that make it easier to debug a possible installation failure. - BZ#705794
- The Identity Management services were not started after a reboot when the server was installed with the
ipa-replica-install
command. With this update, after an installation of a replica withipa-replica-install
, theipa
service is enabled using the chkconfig utility so that the Identity Management services are started and available after a reboot. - BZ#704012
- Prior to this update, installing an Identity Management replica in a new IP subnet with an Identity Management-controlled DNS server failed. With this update, such operation no longer fails, although, the
bind
service needs to be restarted when a new reverse zone is added over LDAP. - BZ#703869
- Previously, Identity Management replication installations were missing configuration for managed entries. As a consequence, user-private groups and netgroups were not created for host groups if they were created on the replica. This update adds the missing configuration, and user and host group creation work as expected.
- BZ#723662
- Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new
CURLOPT_GSSAPI_DELEGATION
curl option. This option enables the credential delegation, thus fixing this bug. - BZ#698421
- An Identity Management replica would occasionally fail to install while trying to initialize replication with the remote Identity Management server. With this update, the
memberOf
attribute is rebuilt during installation, thus fixing this issue. Note that the 389 Directory Server (389-ds) may crash if it is restarted while this task is running. Wait for this task to complete before requesting a restart. - BZ#743253
- For NIS compatibility reasons, when a host group is created, a net group with the same name is created as well. However, when a host group is created, it was not checked whether there was a net group with the same name already existent. As a consequence, the host group was created, but the net group could not be created and the user was not notified of this. With this update, when a new host group is created, the Identity Management server checks whether a net group with the specified name exists already. If there is such a group, the operation is denied.
- BZ#743936
- Prior to this update, the Identity Management web user interface loaded the entire Identity Management API name space when it was being started. As a result, JSON requests returned large amount of data, which caused certain browsers to report the
script stack space quota is exhausted
message and prevent a user from accessing the Web UI. This update split the Web UI initialization to several smaller calls. Browsers no longer report errors and the Web UI works as expected. - BZ#719656
- Running the
ipa-nis-manage
command disabled the NIS listener and also removed the netgroup compatibility suffix. If NIS was disabled, the automatic creation of net groups was disabled as well. Thus, creating a host group would fail to automatically create a net group. With this update, disabling NIS has no effect on the automatic creation of net groups when host groups are created. - BZ#725433
- Adding an indirect automount map to a mount point that already exists returned an error, but created the map anyway. As a result, the map could not be removed with Identity Management tools. With this update, the addition of an indirect map requires the creation of a key to store the mount point. If the addition of a map fails because the key already exists, the map is removed.
- BZ#744264
- Prior to this update, the Web UI Password Policy interface was missing some of the password policy fields that are present in the command line version (specifically, Max failures, Failure reset interval, Lockout duration, and Priority). As a result, users could not set these parameters via the Web UI and had to use the CLI version. This update adds all the missing Password Policy fields to the Web UI.
- BZ#696193
- When an Identity Management server A was using a KDC on Identity Management server B, and server B does down, on server A it looked as if server B was still operational. This caused clients to fail to enroll. With this update, the underlying source code has been modified to address this issue, and client enrollment works as expected.
- BZ#742327
- Permission objects related to DNS were improperly formatted and added before the relevant DNS privileges (that they were members of) were added to LDAP. DNS related permissions contain just limited information. Additionally, the privilege objects, which they were members of, lacked
memberof
LDAP attributes pointing back to the permissions. Thus, a user could get an incorrect list of permissions that were members of a DNS related privilege. With this update, permission objects formatting has been fixed and the missingmemberof
LDAP attributes in the relevant DNS privileges are properly added. Users now get a valid list of permissions (containing all the needed information) when displaying a DNS related privilege. - BZ#691531
- A certificate not signed by the Identity Management Certificate Authority (CA) imported into Identity Management could not be managed by Identity Management. Performing any operations on a service or a host that would cause Identity Management to attempt to revoke a certificate would fail (for example, disabling or deleting a host or service). With this update, certificates issued by other CAs cannot be imported into an Identity Management host or a service record. Disabling and deleting hosts and services works as expected and correctly revokes certificates.
- BZ#741808
- An LDAP object migrated using the
migrate-ds
command could contain a multi-valued RDN attribute. However, themigrate-ds
process picked only the first value of the RDN attribute and did not respect the value that was present in the DN in the migrated LDAP object. With this update, the value that is used in the original LDAP object DN is used, rather than the first value of a multi-valued RDN. As a result, LDAP objects with a multi-valued RDN attribute are migrated without any errors. - BZ#741677
- When the
ipa-client-install
was run with the--password
option containing a bulk password for client enrollment, the password could be printed to Identity Management client install log in a plain-text format. This behavior has been fixed, and passwords are no longer logged in the install log file. - BZ#726943
- By default, the Identity Management Web UI adds a redirect from the web root to
/ipa/ui
. This makes it look like no other web resources may be used. With this update, during the installation process, the--no-ui-redirect
option can be used to disable the default Rewrite rule. This may also be commented out manually in the/etc/httpd/conf.d/ipa-rewrite.conf
. As a result, the web server root can point to any specified place. However,/ipa
must remain available to Identity Management. - BZ#745957
- The Identity Management Web UI did not take into account when a non-admin user was a member of an administrative role, which has more privileges than just performing self-service actions. With this update, non-admin users with an administrative role are shown the full administrative tabset as expected.
- BZ#746056
- Identity Management Web UI did not allow addition of an external user (that is, user that is not managed by Identity Management) as a RunAs user for a Sudo rule. An external RunAs user could be added to a Sudo rule via the command line only. With this update, adding an external user as a RunAs user is possible in the Web UI.
- BZ#726123
- The
automountkey-del
command includes a--continue
option which has no function and does not affect anything. With this update, the--continue
has been hidden, and will be deprecated in the next major release. - BZ#723622
- Prior to this update, the
ipa-getkeytab
command failed with Bind errors. If 32-bit packages were used on a 64-bit system, the 32-bit cyrus-sasl-gssapi package was required. This update adds architecture-specificRequires
to the RPM spec file, and retrieving of keytabs no longer fails. - BZ#707009
- Installing an Identity Management server signed by an external CA fails with the following error:
cannot concatenate 'str' and 'NoneType' objects
This was because the required information was not being passed so the installation failed when constructing the Kerberos principal name for the Dogtag 389-ds instance. This information is now provided by the installer, thus fixing this issue. - BZ#727282
- In the Identity Management Web GUI, attempting to view a certificate of a host returned the unknown command u'show' error message. Users could only use the command-line to view host certificates. The certificate buttons including Get, View, Revoke, and Restore for hosts and services have been fixed to use the correct entity name, and viewing of certificates in the Web UI works as expected.
- BZ#726526
- The number of ports that needed to be open between Identity Management replicas was too high. Managing such a number of ports required planning because new rules were needed for each replication agreement. With this update, Dogtag is now proxied via the existing Apache web server on ports 80 and 443, which already need to be open. Ports 944[3-6] no longer need to be open in the firewall.
- BZ#727921
- It is possible to add a host group as a member of a net group; however, that relationship did not appear when viewing a host group. With this update, net group membership is displayed when viewing a host group.
- BZ#726715
- When importing automaster maps, the
auto.direct
mount mounted on/-
was ignored because it was considered a duplicate. Consequently, direct maps needed to be added manually. This update adds an exception for the auto.direct map when importing so that its keys can be added, and importing direct maps works as expected. - BZ#728118
- The output of adding or showing a sudo rule with a runAsGroup included a reference to a
ipasudorunasgroup_group
attribute, making the output unclear. A proper label was added for runAsGroup and the sudo option, which makes the output more understandable. - BZ#728614
- Using the
ipa-replica-install
did not ensure that thedbus
service was running. Consequently, tracking certificates with certmonger returned an error and the installation failed. With this update, prior to starting certmonger, it is checked whether the dbus-daemon is running. - BZ#733436
- The Identity Management server installer and
ipactl
use two different methods to determine whether Identity Management is configured. If the Identity Management uninstallation was not complete,ipactl
may have claimed that the Identity Management server is not configured while the Identity Management server installer refused to continue because Identity Management was configured. With this update, a common function that checks whether the Identity Management server is configured has been added. During the uninstallation process of the Identity Management server, checks are run that report left-over files so that users can manually resolve these. - BZ#714238
- Prior to this update, the error message returned when setting an integer value that was too large on 64-bit systems was confusing. This update limits the integer values to 2147483647 on all platforms, making error messages consistent on 32 and 64-bit systems.
- BZ#729245
- Adding an option to a sudo rule with the
sudurole-add-option
command did not display a summary after the option was added. With this update, a summary is printed in the form ofAdded option 'x' to Sudo Rule 'y'
. - BZ#730436
- Under rare circumstances, certain operations may have caused the 389 Directory Server (389-ds) to crash or not function properly. This was because NSPR (Netscape Portable Runtime) read/write locks used by 389-ds were not re-entrant. These locks were replaced with POSIX thread read-write locks in the Identity Management 389-ds plugins, and the aforementioned crashes no longer occur.
- BZ#729246
- Removing an option from a sudo rule with the
sudurole-remove-option
command did not display a summary after the option was removed. With this update, a summary is printed in the form ofRemoved option 'x' to Sudo Rule 'y'
. - BZ#729377
- Installing an Identity Management server using the
--no-host-dns
option without a DNS resolvable host name caused the installation to fail with DNS errors. This update moves the no-host-dns test so that it is tested before any DNS lookups occur, and installations with the--no-host-dns
option do not perform any DNS validation. - BZ#732468
- When Identity Management client A/PTR DNS records did not match, the
ipa-getkeytab
andipa-join
commands did not operate properly, and the client could not be enrolled to the Identity Management server. As a result, client installations failed every time. With this update, matching client A/PTR DNS records are no longer a requirement foripa-getkeytab
andipa-join
, and client installations succeed even when the aforementioned records do not match. - BZ#730713
- Selecting a check box for users, groups, hosts, or host groups when deleting a list of objects in an HBAC rule in the Identity Management Web UI left the check box checked even when the operation was complete and the entry was re-edited. With this update, the selection is cleared when the page is refreshed.
- BZ#730751
- When editing an HBAC rule in the Identity Management Web UI, the delete button was enabled even when no selection was made. This update disables the delete button when nothing is selected.
- BZ#729089
- Removing an external host value by checking the update dns check box rendered the action successful even though the host was not removed. With this update, the host is removed successfully in the aforementioned scenario.
- BZ#728950
- If an 389-ds certificate expired, the Identity Management services did not start .This update adds new options for 389-ds which allow to control how 389-ds reacts to an expired certificate. The default setting is to warn the user and start the services.
- BZ#729665
- Checking/unchecking the Hide already enrolled check box when adding/removing members from a group had no effect. This update removes this check box.
- BZ#726725
- Passing an empty map name to the
automountmap
orautomountkey
command returned the following error:Map: ipa: ERROR: 'automountmapautomountmapname' is required
This was because Identity Management tries to hide the LDAP implementation and often provides a different value for options and errors than is actually used. It may also use contrived internal names for uniqueness. With this update, Identity Management returns the correct values depending on the context so that a more useful error message is returned. As a result, in the aforementioned scenario, the correct value,automountmap
, is now returned. - BZ#714600
- The default SSSD configuration did not store passwords if offline. Consequently, when a machine was disconnected from the network, SSSD was unable to authenticate any users. With this update, the
krb5_store_password_if_offline
parameter is set toTrue
in the/etc/sssd/sssd.conf
by default. Note that the--no-krb5-offline-passwords
option of theipa-client-install
command may be used if storing passwords for offline use is not desired. - BZ#726722
- Passing an empty location to the
automountmap
orautomountkey
command returned the following error:Location: ipa: ERROR: 'automountlocationcn' is required
This was because Identity Management tries to hide the LDAP implementation and often provides a different value for options and errors than is actually used. It may also use contrived internal names for uniqueness. With this update, Identity Management returns the correct values depending on the context so that a more useful error message is returned. As a result, in the aforementioned scenario, the correct value,automountlocation
, is now returned. - BZ#714919
- Prior to this update, the
ipa-client-install
command did not configure a hostname in the/etc/sysconfig/network
file. Consequently, when the--hostname
value was passed to the client installer, that value was used during enrollment. However, the system hostname did not match the name of the machine. With this update, the/etc/sysconfig/network
file is updated upon installation and/bin/hostname
is executed with the hostname of the machine. The name used in the enrollment process now matches the hostname of the machine. - BZ#715112
- Renaming users (via
ipa user-mod --setattr
) may have returned a Not Found error. Renaming the actual users was successful, but their user-private groups were not updated. With this update, the389-ds
plugin has been modified so that theipa_modrdn
plugin runs last. This plugin manages renaming of the Kerberos principal name of the user. Renaming a user now also renames the user-private group. - BZ#736684
- If an Identity Management client was installed and there was a too large of a time difference between the client and the Identity Management server, a KDC running on the Identity Management server may have refused any Kerberos authentication request from the client. Consequently, the installation process could fail as it could not get a valid Kerberos ticket. With this update, time is always synchronized with the NTP servers configured for the client domain or the Identity Management server itself. If the time synchronization succeeds, the time on the client machine is fixed and Kerberos authentication and the installation itself successfully continue.
- BZ#737048
- The
ipa-client-install
command always ran/usr/sbin/authconfig
to add thepam_krb5.so
entry to PAM configuration files in the/etc/pam.d/
directory. However, this entry was not needed when an Identity Management client is installed with SSSD support, which is the default behavior. As a result, an unnecessary record was added to the PAM configuration. With this update,/usr/sbin/authconfig
is not run if the Identity Management client is configured with SSSD support. - BZ#717724
- The certificate subject base was editable post-install which caused the change to not be propagated to the CA. With this update, the certificate subject base is read-only and the value cannot be modified post installation.
- BZ#737581
- Prior to this update, a new host could be added to an Identity Management server without proper validation. For example, a host with an invalid hostname or a hostname containing a whitespace character could be created. With this update, proper validation of hostnames for any host has been added, and only hosts with valid hostnames can now be added to an Identity Management server.
- BZ#717965
- The Identity Management configuration stored a value for Password Expiration Notification but did not display it by default (when using the
ipa config-show
command). This update adds Password Expiration Notification to the default list of attributes to shown by default when running theipa config-show
command. - BZ#745698
- Identity Management installation tools accepted invalid IP addresses in their
--forwarder
or--ip-address
options. Consequently, installation could eventually fail, for example because of an invalid name server configuration. With this update, all IP addresses passed to theipa-server-install
,ipa-replica-install
andipa-dns-install
commands are checked for validity. - BZ#739040
- When the
ipa-client-install
command detected that the client hostname was not resolvable, it tried to add a DNS record to the Identity Management server. However, it did not expect that the client could have been using an IPv6 machine, and the installation process failed. This update adds a check to make sure that the process for adding a DNS record to the Identity Management server works for both IPv4 and IPv6, and the Identity Management client installation works as expected. - BZ#739640
- When a new service was added via the Add New Service Web UI dialog box, the Web UI did not check if the service name field was filled in. When the dialog box was confirmed with the service name field empty, a new service named
undefined
was created. With this update, the service name field is required to be filled in. - BZ#693496
- Prior to this update, the ipa-nis-manage tool crashed with a python exception when attempting to use an LDAPI connection only. With this update, ipa-nis-manage correctly falls back to GSSAPI or a password-based authentication if the LDAPI connection fails.
- BZ#723233
- An attempt to create a rule with an invalid type returned an error which informed users that only
allow
anddeny
are accepted as types:ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
However, rules of the typedeny
are not allowed. With this update, thedeny
type was deprecated because SSSD determined that properly enforcing thedeny
type was extremely difficult and dependent on how other libraries present host information. - BZ#743680
- The
ipa-server-install
command did not update the system hostname when it was installed with a custom hostname. It passed the hostname to services using their own configurations. However, some services failed to function properly as they did not expect an Identity Management server to use a custom hostname and not a system hostname. With this update, the system hostname is updated to the value passed viaipa-server-install
's--hostname
option. The system hostname is also set in the system network configuration in/etc/sysconfig/network
so that it is properly set after a system reboot. Refer to Section 2.8, “Authentication” for a known limitation regarding Identity Management server installations with custom hostnames. - BZ#707001
- When installing an Identity Management server and using an external CA to sign it, the specified command line options were not properly validated. In such a case, the resulting CSR contained only the string
null
. This update adds better detection of whether the CA 389-ds instance has been installed to identify the current stage of the installation, thus fixing this issue. - BZ#723778
- When deleting an automount location, the command appeared to be successful, but there was no feedback provided on the output. With this update, a summary of all automount commands is shown.
- BZ#723781
- When adding an automount location, the command appeared to be successful, but there was no feedback provided on the output. With this update, a summary of all automount commands is shown.
- BZ#707133
- Prior to this update, the
ipa-nis-manage
command did not return an exit status of0
when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned. - BZ#737997
- When a new user was added, its login was normalized and lower-cased. However, its principal was not normalized and contained the original login. Consequently, if a new user with an uppercase letter in its login was added, a disconnect between a user login and its principal was created. The Identity Management server then refused to create a password for that user. This update normalizes both the new user long and its principal, thus fixing this issue.
- BZ#737994
- Certain Identity Management commands require a file to be passed. For example, a cert-request command requires a CSR file. If the command contains a validation rule for the required file, it needs to be executed before it can be processed. However, if the file was passed in the CLI command interactively (and not as a command option), the validation rule was applied to the file path and not the file contents. As a result, a validation rule could fail and the command then returned an error until the file was passed as a command option. With this update, a validation rule is applied to file contents only, and users can pass the required file on the command line both interactively and via a command option.
- BZ#726454
- Previously, there was no indicator in a host entry that a one-time password was set. This update adds a new output attribute for host entries,
has_password
, that is set when the host has a password set. Ifhas_password
is True, a password has been set on the host. However, there is no way to see what that password is once it has been set. - BZ#716287
- When a host is enrolled, the user that does the enrollment is stored in the attribute
enrolledBy
on the host. Prior to this update, an administrator was able to change this value by using theipa host-mod --setattr
. This action should not be allowed. This update fixes this behavior and write permissions have been removed from theenrolledBy
attribute. - BZ#714924
- When configuring an Identity Management client to use SSSD, if an error occurred while looking up users, the following error message was displayed:
nss_ldap is not able to use DNS discovery
This update modifies this error message to be more specific. - BZ#736617
- The
ipa-client-install
command did not configure /usr/sbin/ntpdate to use correct NTP servers in the/etc/ntp/step-tickers
. Additionally, theipa-client-install
did not store the state of thentpd
service before installation. Consequently, when an Identity Management client is installed, ntpdate may have used incorrect servers to synchronize with. When the Identity Management client was uninstalled, thentpd
may have been set to an incorrect state. With this updateipa-client-install
configures ntpdate to use the IPA NTP server for synchronization. When an IPA client is uninstalled, both ntpdate configuration andntpd
status are restored. - BZ#714597
- The IPA-generated
/etc/krb5.conf
file contained values which were not present in the standard configuration file (specifically:ticket_lifetime
,renew_lifetime
, andforwardable
in the[libdefaults]
section, and the entire[appdefaults]
section). This update removes these unnecessary values and sections. - BZ#680504
- DNS forward and reverse entries are stored discretely. Removing one does not remove the other unless specifically requested. Previously, it was unclear how to remove the required entries. This update adds a new interactive mode (via
ipa dnsrecord-del
) to the command line application which guides the user through the process of removing the required entries. - BZ#725763
- Summary data displayed when adding an automount key has been modified to include the map and the key.
- BZ#717625
- Updating values in the configuration tab in the Identity Management Web UI returned an error. This was because the Web UI was searching for a primary key configuration. With this update, it no longer searches for the key, and the configuration tab works as expected.
- BZ#717020
- When activating or deactivating a user in the Identity Management Web UI, the user is updated without having to click the Update button. With this update, a message box is displayed indicating that the change is going into effect immediately.
- BZ#716432
- If 389-ds debugging was enabled, superfluous content appeared in the
ipactl
output. With this update, the amount of information displayed in theipactl
output has been reduced. The previously reported data is not available in the 389-ds error log only. - BZ#714799
- The
ipa-client-install
did not successfully run on a client when a one-time password was set on a host in the Identity Management Web UI. Consequently, clients could not be enrolled using a one-time password if it was set in the Web UI. With this update, thekrbLastPwdChange
value is no longer set in the host entry when setting a host one-time password, thus fixing this issue. - BZ#713798
- Prior to this update, DNS lookups were not being forwarded if they originated in a subnet that was not managed by Identity Management. With this update, the Identity Management DNS is configured to allow recursion by default, thus fixing this issue.
- BZ#713481
- When removing a
runAsGroup
value from a sudo rule, the command appeared to be successful, but the group information data included in the output was not updated and did not show the proper membership. This update fixes this bug, and data is refreshed before being returned. - BZ#713380
- When removing a
runasuser
(viaipa sudorule-remove-runasuser
) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group torunasuser
is properly displayed. - BZ#713069
- Comma-separated values were not handled properly when the
--externaluser
option was specified for thesudorule-mod
command. As a result, erroneous values were stored in the entry. With this update, the--externaluser
option was removed from thesudorule-mod
command. It is advisable to use thesudorule-add-user
command instead. - BZ#731804
- Upgrading Identity Management from version 2.0.0-23 caused the 389-ds configuration to be modified to not accept requests. With this update, the upgrade process is more robust and always restores the 389-ds configuration. As a result, upgrading Identity Management no longer leaves the system in an inconsistent state.
- BZ#731805
- Different error types could cause various error messages to appear in the Identity Management Web UI. This update makes all error messages in the Web UI consistent.
- BZ#732084
- Disabling SELinux (
SELINUX=disabled
in/etc/selinux/config
) and attempting to restart theipa
service caused theipa
service to fail to start. This update ignores the value returned byrestorecon
, and theipa
service now starts as expected whether SELinux is enabled or disabled. - BZ#712889
- A request to set a certificate revocation reason to 7 would cause the request to fail and the certificate was not revoked. Reason 7 is not a valid revocation reason according to RFC 5280. With this update, an error message is returned to the user, informing of the fact that, when used, reason 7 is not a valid revocation reason.
- BZ#726028
- Previously, renaming an automount key did not work properly because DN of the key was being updated but not the value within the entry. Renaming an automount key now updates the DN and the stored key value, thus fixing this issue.
- BZ#711786
- When setting
runAsGroup
in a sudo role as a user, the name of that user is returned as the name of a group that may also be used as therunAsGroup
. As a result, the sudo rule was erroneous and referred to a non-existent group. This was because the search filter for determining the CN value was too generic. This update adds a test which assures user names no longer appear asrunAsGroup
values. - BZ#711761
- Prior to this update, removing a sudo rule option failed on the server because the code which handled sudo rule option removal was not robust enough and if the input did not exactly match the stored value, it failed. With this update, removing sudo rule options works as expected.
- BZ#711671, BZ#711667
- Previously, comma-separated values were not handled properly when using
sudorule-mod
's--runasexternaluser
or--runasexternalgroup
options. With this update, the aforementioned options have been deprecated. It is advisable to use thesudorule-add-runasuser
orsudorule-runasgroup
commands instead. - BZ#710601, BZ#710598, BZ#710592
- Prior to this update, leading and trailing spaces were allowed in some parameter values. This update adds a validator that disallows the use of leading and trailing spaces.
- BZ#710530
- Passing an empty password when prompted to by the
ipa-nis-manage
command did not display an error and did not exit the command. With this update, passing an empty password causes an error to appear (No password supplied
), and the command is exited with the status code1
. - BZ#710494
- The
ipa-nis-manage
command has an option,-y
, to specify the Directory Manager password in a file. This option caused the command to crash if the file did not exist. An exception handler around the password reader has been added, and a proper error message is displayed when the supplied password file is non-existent or is not readable. - BZ#710253
- When adding a
runasuser
(viaipa sudorule-add-runasuser
) and, consequently, defining a group, the RunAs Group value was not included in the output. This was because the label for the returned data was mislabeled and was not appearing in the output. With this update, the underlying source code has been modified to address this issue, and adding a group torunasuser
is properly displayed. - BZ#738693
- A user with a valid Kerberos ticket can change an IPA password with the
ipa passwd
command. Prior to this update, the command did not require entering the old password. Consequently, anyone with access to that user's shell could change his Identity Management password without knowing the old password. With this update, the old password is always required in order to change a user's password. The only exception is the administrator user. - BZ#710245
- A removed sudorule option appeared in the output when that option was removed. With this update, option values are refreshed before being returned, and the output of the delete command is consistent with the actual data.
- BZ#710240
- Adding a duplicate sudorule option did not generate any errors messages. With this update, rather than ignoring duplicate values, an error is returned when a duplicate sudorule option is added.
- BZ#739195
- When attempting to unprovision a host keytab in the Identity Management Web UI Unprovisioning Host dialog, there was no option to cancel the process. This update adds the Cancel button to the Unprovisioning Host dialog.
- BZ#709665, BZ#709645
- When removing external hosts from a sudorule, the output shown after the command completed contained the hosts that were removed. With this update, external host information is refreshed before it is returned to the client.
- BZ#707312
- Previously, new DNS zones were not available until the
bind
service was restarted. With this update, an updated bind-dyndb-ldap package added a zone refresh option that Identity Management uses to refresh the zone list in DNS. The default setting is 30 seconds. As a result, new DNS zones are not immediately available, but thebind
service does not have to be restarted anymore. - BZ#740320
- When a new group was being created via the Identity Management Web UI, unchecking the Posix check box was not taken into account and a posix group was created every time. With this update, the underlying source code has been modified to address this issue, and creating non-posix groups works as expected.
- BZ#707229
- The
--no-host-dns
option of theipa-server-install
command still checked that the forward and reverse DNS entries existed and matched. Installation of an Identity Management server using a host name that could not be resolved would then fail. This update removes any DNS validation when the--no-host-dns
option is used. - BZ#705804
- The subject name of a CA agent certificate used by Identity Management was not very specific. This update changes the subject name from
RA Subsystem
toIPA RA
. - BZ#702685
- If a remote LDAP server that was being used while migrating to Identity Management contained an LDAP search reference, the migration failed. With this update, the migration process logs any search references and skips them, assuring a successful migration.
- BZ#740885
- For an HBAC rule, you can choose to add a host in the Accessing section of the Identity Management Web UI. Clicking on Enroll without selecting a host did not return an error indicating that a host was not selected. With this update, the Enroll button is disabled until a host is chosen.
- BZ#740891
- For an HBAC rule, you can choose to delete a host in the Accessing section of the Identity Management Web UI. Clicking on Enroll without selecting a host did not return an error indicating that a host was not selected. With this update, the Enroll button is disabled until a host is chosen.
- BZ#741050
- The
ipa-client-install
command always checked the specified server whether it was a valid Identity Management server. However, if the Identity Management server was configured to restrict access for anonymous binds (via thensslapd-allow-anonymous-access
option), the check failed and the installation processes returned an error and ended. With this update, when theipa-client-install
command detects that the chosen server does not allow anonymous binds, it skips server verification, reports a warning, and lets the user join the Identity Management server. - BZ#701325
- The X509v3 certificate shown in a host or service record in the Identity Management Web UI was not properly formatted. This update converts the certificate from the base64 format to the PEM format.
- BZ#698219
- The Apache service communicates with 389-ds early on during the start-up (to attempt to retrieve the LDAP schema). Previously, if that communication failed, the Apache service would have to be restarted. This race condition could cause a restarted Identity Management server become unavailable. With this update, the communication between Apache and 389-ds is retried when it fails, thus fixing this issue.
- BZ#697878
- The Identity Management server installation could fail with an error informing of the fact that the LDAP server could not be reached. This was because the installation process did not wait for the 389-ds server to fully start after a restart. With this update, the installation process waits for the 389-ds server to be fully started.
- BZ#742875
- When an Identity Management server was installed, it did not properly check the system's static lookup table (
/etc/hosts
) for records which could interfere with its IP address or hostname, and cause forward or reverse DNS queries to be resolved to different values than expected. The installation process now always checks for any conflicting records in the/etc/hosts
file. - BZ#696282
- A certificate subject base with an incorrect format provided by the user could cause an installation process to fail in the CA step with a non-descriptive error. With this update, the subject base of a certificate is validated, and the installation no longer fails.
- BZ#696268
- Providing an IP address during the Identity Management server installation via the
--ip-address
option caused the installed server to not function properly. With this update, it is verified whether the provided IP address is a configured interface on the system. Providing an IP address that is not associated with a local network interface will return an error message. - BZ#743788
- The IPA Web UI was missing a title on several pages. This update adds the missing titles.
- BZ#693771
- Including non-ASCII characters in the
zonemgr
email address could cause an installation to fail with an unclear message. This update adds a validator which requires thezonemgr
to contain ASCII characters only. - BZ#681978
- Uninstalling an Identity Management client on a machine which has the Identity Management server installed on it as well caused the server to break. The client uninstaller now detects the installation state of an installed server. An attempt to uninstall a client from a machine which also contains the server will result in an error message. The client can be uninstalled when the server is uninstalled.
- BZ#744024
- Prior to this update, the
ipa-client-install
command did not return an exit status of0
when successful. With this update, the underlying source code has been modified to address this issue, and correct exit codes are returned. - BZ#744074
- Prior to this update, the Identity Management Web UI allowed a user to delete a global Password Policy. If a global Password Policy is deleted, any attempt to add a user with a Kerberos password fails. Additionally, neither the CLI nor the Web UI version of Identity Management could be used to add this policy back. With this update, deleting the global Password Policy is denied.
- BZ#692955
- Attempting to set the manager value of a user resulted in the following error message:
value #0 invalid per syntax: Invalid syntax.
This was because the value required a full LDAP DN syntax. With this update, when storing or retrieving the manager value, the value is automatically translated between a login name and a DN. Setting the manager value now requires a login name only. - BZ#744422
- During the installation of a Identity Management server, the
ipa-server-install
called kdb5_ldap_util to populate the directory with realm information. In the process of doing so, it passes the Kerberos master database password and the Kerberos directory password as parameters. As a result, a user could list all running processes during the IPA server installation and discover the aforementioned passwords. With this update, kdb5_ldap_util's interactive mode is used to pass the passwords instead of passing them via CLI parameters. - BZ#692950
- When setting up DNS during an interactive installation, a reverse zone was always created regardless of the
--no-reverse
option. This update fixes this behavior, and a reverse zone is not created unless specified. - BZ#745392
- When the
ipa-client-install
command attempted to auto-discover the Identity Management server in its domain, it did not use any timeout when a server was found and was being checked. If the found server was unresponsive during the auto-discovery, theipa-client-install
command got stuck and did not continue. This update adds a 30 second timeout to theipa-client-install
auto-discovery server check. - BZ#692144
- Using the
--no-sssd
option of theipa-client-install
command did not properly back up and restore the existing/etc/sssd/sssd.conf
file. With this update, the underlying source code has been modified to address this issue, and the--no-sssd
option works as expected. - BZ#690473
- Using the
--hostname
option to set a value outside an Identity Management-managed DNS domain did not return an error and did not add the host to DNS. The DNS updating utility, nsupdate, was modified to properly return an error when an update fails. - BZ#690185
- Uninstalling an Identity Management client did not restore certain files when that client was previously installed with the
--force
option. This was because the--force
option was able to re-install over an already installed system, causing the original saved files to be lost. This behavior is no longer permitted; the client must be first uninstalled and only then it can be re-installed. - BZ#689810
- Adding a duplicate user resulted in a generic error message which was not specific enough to discover the reason of the error. With this update, the object type and the primary key are returned in the error message, making the error message more understandable.
- BZ#689023
- When adding a new password policy, the Identity Management Web UI did not prompt for a required field, priority. This update requires the priority field to be filled in.
- BZ#688925
- The process of setting up an Identity Management replica became unresponsive if the master could not be reached. This update adds a new utility, ipa-replica-conncheck, which verifies that the replica and the master can communicate in both directions.
- BZ#688266
- If the domain did not match the realm, enrolling a client could fail with the following error:
Cannot resolve network address for KDC
This was because a temporary/etc/krb5.conf
file was used during enrollment to contact the Identity Management KDC. The process was always relying on DNS auto-discovery to find the correct KDC and not the values provided by the end-user. With this update, enrollment works even if the domain does not match the realm. - BZ#683641
- If a one-time password was set on a host, an administrator was unable to enroll it and the following error message would be returned:
No permission to join this host to the IPA domain.
A delegated administrator did not have permissions to write the Kerberos principal name. This update adds permissions for the delegated administrator to be able to add a one-time password, but not change or remove an existing one. - BZ#681979
- The
--on-master
lacked proper documentation. This update makes the option invisible and removes it from documentation entirely. - BZ#747443
- Realm-Domain mapping was not specified in a client's Kerberos configuration when the client was outside of an Identity Management domain. In such a case, Certmonger would fail to issue a host certificate. Realm-Domain mapping is now properly configured when the client is outside of the Identity Management domain.
- BZ#748754
- Arguments for the Kerberos KDC, contained in the
/etc/sysconfig/krb5kdc
file, were not formatted properly on multi-CPU systems. As a consequence, the KDC could not use the intended number of CPUs and reported an error when it was (re)started. With this update, the aforementioned arguments are now properly formatted, fixing this issue. - BZ#749352
- Prior to this update, the
ypcat
command's netgroup output did not show users in netgroup triples. Consequently, NIS-based authorization did not work as expected, and access was denied when it should have been allowed. This was caused by a syntax error in the triple rule. This update fixes this error, and users are now properly included in the netgroup triples. - BZ#736170
- The ipa package has been upgraded to upstream version 2.1.3 which provides a number of bug fixes and enhancements over the previous version.
4.95. ipa-pki-theme
Bug Fix
- BZ#712931
- IPA (Identity, Policy and Audit) is an identity and access management system. Prior to this update, Certificate System (CS), which is implemented in pki-core, required multiple ports to be open in a firewall for IPA to work. The number of open ports required has been reduced, and support for a proxy using Apache JServ Protocol (AJP) ports has been added, by enhancements made in pki-core. With this update, ipa-pki-theme has been changed to make use of the updates to CS, including adding the proxy-ipa.conf configuration file, and fixing broken links in certain user interface files. As a result, it is now possible for ipa-pki-theme to support running CS behind a proxy Apache server.
Important
4.96. ipmitool
Security Fix
- CVE-2011-4339
- It was discovered that the IPMI event daemon (ipmievd) created its process ID (PID) file with world-writable permissions. A local user could use this flaw to make the ipmievd init script kill an arbitrary process when the ipmievd daemon is stopped or restarted.
Bug Fixes
- BZ#675975
- Prior to this update, ipmitool's Serial Over LAN (SOL) module erroneously calculated the number of octets processed by the Baseboard Management Controller and could have resent already acknowledged chunks of serial communication, which could have corrupted the serial line with additional characters. Under certain circumstances, this could have also brought ipmitool into an endless loop or unexpected termination. With this update, ipmitool now correctly calculates the number of octets processed by the BMC and does not resend unwanted characters over the serial line.
- BZ#727314
- This update improves integration of the Linux Multiple Device (MD) driver with ipmitool to indicate the SCSI enclosure services (SES) status and drive activities for the PCIe SSD based solutions.
- BZ#726390
- This update adds the "channel setkg" subcommand to the "ipmitool" command, which allows for KG key configuration.
- BZ#726390
- This update adds the "-Y" option, which allows reading of the KG key from the terminal.
- BZ#731977
- A serial console connected to over the LAN and activated with the command "ipmitool sol activate" contained a memory leak, which could have consumed all available memory resources over time. This update fixes the problem.
- BZ#731718
- Invoking "ipmitool delloem powermonitor" did not properly convert values received over the network to integer numbers on big-endian systems (PowerPC, IBM System z). As a result, mostly random values were displayed when reporting power consumption. This update fixes the integer conversions in the "powermonitor" command so that the power consumption is now reported correctly on PowerPC and IBM System z architectures.
Bug Fix
- BZ#990960
- In cases of congested networks or slow-responding BMCs (Baseboard Management Controller), the reply operation timeout triggered the protocol command retry action. Consequently, the ipmitool utility could incorrectly process a LAN session protocol command with the reply from a previous protocol command. This update fixes handling of expected replies for each command alone and cleans up expected replies between commands. Now, the retried reply of the first command is correctly ignored while the later command, which is currently pending, is properly processed in the described scenario.
4.97. iproute
Bug Fixes
- BZ#692867
- Prior to this update, the "ip" utility lacked the "mode" parameter support for macvtap devices. As a consequence affected users could not create macvtap devices in "bridge" or "private" modes. With this update the "ip" utility now fully supports macvtap devices along with the "mode" parameter and its options, "bridge", "private", and "vepa" (default). As a result users can now utilize macvtap functionality via the iproute package.
- BZ#693878
- Prior to this update, the "ip" tool lacked the "passthru" mode parameter support for macvtap and macvlan devices. Consequently users could not create macvtap and macvlan devices in "passthru" mode. The "ip" tool now fully supports macvtap and macvlan devices along with the "mode" parameter and its options, "bridge", "private", "passthru", and "vepa" (default). As a result users can now utilize "passthru" mode as part of macvtap and macvlan functionality via the iproute package.
- BZ#709652
- Prior to this update, the "tc" utility ignored GRED (Generalized RED) queue options. Consequently "tc" users could not configure certain GRED queue related parameters. With this update the "tc" utility no longer accidentally overwrites the user specified options. As a result "tc" users can now reliably define all GRED parameters.
4.98. iprutils
Bug Fixes
- BZ#694756
- Due to a NULL pointer dereference, the iprconfig utility terminated unexpectedly with a segmentation fault when attempting to display hardware status. A patch has been applied to address this issue and hardware status is now displayed correctly.
- BZ#703255
- Previously, iprutils did not work correctly when performing RAID migration and asymmetric access functions on new adapters. With this update, array migration functionality is fixed. Now, iprutils can correctly perform the raid migration and asymmetric access functions.
- BZ#741835
- The find_multipath_vset routine used the ARRAY_SIZE() macro to calculate the length of the serial number. Previously, the length was calculated incorrectly, which could have led to false positives when looking for the corresponding vset. As a consequence, attempting to delete arrays failed: the target and the second array were set to be read/write protected, writing to both arrays was not possible, and the system had to be rebooted. To fix the problem, the IPR_SERIAL_NUM_LEN macro is now used instead of ARRAY_SIZE.
- BZ#741835
- With the maximum number of devices attached to one of the new Silicon Integrated Systems (SiS) 64-bit adapters, the configuration data could have grown over the buffer size. With this update, the buffer size has been increased, which fixes the problem and ensures room for any possible future growth.
4.99. iptables
Bug Fix
- BZ#786874
- The option parser of the iptables utility did not correctly handle the "-m mark" and "-m conmark" options in the same rule. Therefore, the iptables command failed when issued with both options. This update modifies behavior of the option parser so that iptables now works as expected with the "-m mark" and "-m conmark" options specified.
4.100. irqbalance
Bug Fix
- BZ#817873
- The irqbalance daemon assigns each interrupt source in the system to a "class", which represents the type of the device (for example Networking, Storage or Media). Previously, irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source class, which caused irqbalance to not recognize network interrupts correctly. As a consequence, systems using biosdevname NIC naming did not have their hardware interrupts distributed and pinned as expected. With this update, the device classification mechanism has been improved, and so ensures a better interrupts distribution.
4.101. iscsi-initiator-utils
Bug Fix
- BZ#715434
- The iscsiadm utility displayed the discovery2 mode in the help output but did not accept the mode as a valid one. This entry has been replaced with the valid discoverydb mode entry as displayed in the ISCSIADM(8) manual page.
Enhancements
- BZ#602959
- The brcm_iscsiuio daemon did not rotate its log file, /var/log/brcm-iscsi.log. As a consequence, the log file may have filled up the available disk space. The brcm_iscsiuio daemon now supports log rotation, which fixes the problem.
- BZ#696808
- The brcm_iscsiuio daemon has been updated to provide enhanced support for IPv6 (Internet Protocol version 6), VLAN (Virtual Local Area Network), and Broadcom iSCSI Offload Engine Technology. The daemon has been renamed to iscsiuio with this update.
- BZ#749051
- The bnx2i driver can now be used for install or boot. To install or boot to targets using this driver, turn on the HBA (Host Bus Adapter) mode in the card's BIOS boot setup screen.
4.102. isdn4k-utils
Bug Fixes
- BZ#618653
- Prior to this update, the isdn and capi init scripts were not LSB compatible. Due to this problem, the isdn and capi init scripts exited with incorrect or invalid exit statuses. This update modifies the init scripts so that they are LSB compatible. Now the init scripts exit with the correct exit status. (BZ#618549)
4.103. iwl1000-firmware
4.104. iwl6000g2a-firmware
4.105. jasper
Security Fix
- CVE-2011-4516, CVE-2011-4517
- Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer (such as Nautilus) to crash or, potentially, execute arbitrary code.
4.106. java-1.5.0-ibm
Security Fixes
- CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
- This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page.
4.107. java-1.6.0-ibm
Security Fixes
- CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
- This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page.
Security Fixes
- CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3561
- This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page.
4.108. java-1.6.0-openjdk
Security Fixes
- CVE-2012-0497
- It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions.
- CVE-2012-0505
- It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
- CVE-2011-3571
- The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions.
- CVE-2012-0503
- It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions.
- CVE-2011-5035
- The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200.
- CVE-2011-3563
- The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory.
- CVE-2012-0502
- A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information.
- CVE-2012-0506
- It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data.
- CVE-2012-0501
- An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened.
Note
Security Fixes
- CVE-2012-1711, CVE-2012-1719
- Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.
- CVE-2012-1716
- It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
- CVE-2012-1713
- Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine.
- CVE-2012-1723, CVE-2012-1725
- Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
- CVE-2012-1724
- It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop.
- CVE-2012-1718
- It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.
- CVE-2012-1717
- It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files.
Note
- BZ#722310
- The java-1.6.0-openjdk package has been upgraded to the upstream version 1.10.4, which provides a number of bug fixes and enhancements over the previous version.
- BZ#708201
- Installing of OpenJDK or execution of a Java program, which was using other than terminal fonts, could have terminated unexpectedly with the following error:
Exception in thread "main" java.lang.Error: Probable fatal error:No fonts found.
This happened because the fontconfig library was not installed and the font enumeration failed. With this update, OpenJDK depends on fontconfig and the problem no longer occurs.
Bug Fix
- BZ#751730
- Prior to this update, security restrictions caused the RMI registry to stop working correctly. As a consequence, a remote RMI client could execute code on the RMI server with unrestricted privileges.This update adjusts the RMI registry so that it now works as expected.
Enhancements
4.109. java-1.6.0-sun
Security Fixes
- CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725
- This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page.
Security Fixes
- CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506
- This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page:
4.110. jss
4.110.1. RHBA-2011:1675 — jss bug fix update
Bug Fixes
- BZ#660436
- The java.net.SocketException was accompanied by a misleading error message because the exception definition was using a variable pointed to a wrong address. With this update, the underlying code has been modified and the exception now uses the correct error message.
- BZ#705947
- On Luna SA HSM in FIPS mode, Red Hat Certificate System failed to generate a certificate and threw an exception if ECC (Elliptic Curve Cryptography) algorithms was set to higher than SHA1withEC. This occurred because in FIPS mode, the SSL protocol requires ECDH (Elliptic Curve Diffie Hellman), which is not supported by Luna SA. With this update, the ECDH support has been provided by JSS/NSS, and certificates are created and used with SSL correctly.
- BZ#733551
- In FIPS mode, DRM (Data Recovery Manager) failed to recover keys because it failed to import the respective key. With this update, the key is generated on recovery and the recovery succeeds.
4.111. jwhois
Bug Fix
- BZ#682832
- Previously, when querying a domain with the name length near the allowed limit of 63 characters, and emitting command options to a whois server, the "whois" command failed because both the domain name and command options were given to a function responsible for translating Internationalized Domain Names (IDN) to ASCII. The length of such command was greater than the allowed limit. This update fixes this bug so that only the domain name is now translated after executing the command.
Enhancement
- BZ#664449
- Previously, jwhois did not contain the whois server details for the dotEmarat extension. As a result, whois queries for these extensions were incorrectly directed to whois.internic.net. With this update, the configuration file correctly directs queries for the dotEmarat domains to whois.aeda.net.ae.
4.112. kabi-whitelists
Enhancements
- BZ#680469
- The "pci_reset_function" symbol has been added to the Red Hat Enterprise Linux 6.2 kernel application binary interface (ABI) whitelists.
- BZ#690479
- The "aio_complete" and "aio_put_req" symbols have been added to the kernel ABI whitelists.
- BZ#700406
- The "__blk_end_request", "bdget_disk", "blk_limits_io_min", "blk_limits_io_opt", "blk_plug_device", "blk_queue_bounce", "blk_queue_max_discard_sectors", "blk_remove_plug", "blk_requeue_request", "jiffies_to_usecs", "prepare_to_wait_exclusive", "ipv6_ext_hdr", "lro_receive_frags", and "lro_vlan_hwaccel_receive_frags" symbols have been added to the kernel ABI whitelists.
- BZ#700432
- The "ipv6_ext_hdr", "lro_receive_frags", and "lro_vlan_hwaccel_receive_frags" symbols have been added to the kernel ABI whitelists.
- BZ#702675
- The "ipv6_ext_hdr", "lro_receive_frags", "lro_vlan_hwaccel_receive_frags", "netif_set_real_num_tx_queues", and "pci_find_ext_capability" symbols have been added to the kernel ABI whitelists. The only exception is "pci_find_ext_capability", which is not available for IBM System z.
- BZ#703125
- The "compat_alloc_user_space" symbol has been added to the kernel ABI whitelists.
- BZ#730410
- The "paca" symbol has been added to the kernel ABI whitelists for the 64-bit PowerPC architecture.
- BZ#748520
- The "dm_put_device", "enl_register_ops", "m_device_name", "m_unregister_target", "m_register_target", "m_table_get_mode", "m_table_get_md", "m_get_device", and "enl_register_family" symbols have been added to the kernel ABI whitelists.
4.113. kdeaccessibility
Bug Fix
- BZ#587897
- Prior to this update, the icon for the kttsmsg program incorrectly appeared in GNOME Application's Accessories menu. This bug has been fixed in this update so that the icon is now no longer displayed, as expected.
4.114. kdeadmin
Bug Fixes
- BZ#587904
- Prior to this update, the icon for the ksystemlog program did not appear correctly in GNOME Application's System Tools menu. This bug has been fixed in this update so that the icon is now displayed as expected.
- BZ#692737
- Prior to this update, the Network Settings component that was included in KDE's System Settings was not compatible with NetworkManager in Red Hat Enterprise Linux 6. As a result, the spurious message "Your Platform is Not Supported" was displayed in the aforementioned component's dialog window. Furthermore, no network interface controllers (NICs) were displayed in the dialog window. These problems have been resolved in this update by removing the Network Settings component from KDE's System Settings.
4.115. kdebase
Bug Fixes
- BZ#631481
- Prior to this update, when starting another instance of the konsole application in an already running konsole instance, the spurious "Undecodable sequence: \001b(hex)[?1034h" message was displayed. This bug has been fixed in this update and no longer occurs.
- BZ#609039
- Prior to this update, the System Settings application in KDE became unresponsive when entering a password in order to apply changes in the About Me dialog. With this update, the bug has been fixed so that entering a password works properly.
4.116. kdebase-workspace
Bug Fixes
- BZ#587917
- If the KDE and GNOME desktop environments were both installed on one system, two System Monitor utilities were installed as well. These, located in System Tools of the Applications menu, had the same icons and title, which may have confused the user. With this update, KDE icons are used for the ksysguard tool.
- BZ#639359
- Prior to this update, the ksysguard process terminated unexpectedly with a segmentation fault after clicking the OK button in the Properties dialog of the Network History tab, which is included in the ksysguard application. This bug has been fixed in this update so that ksysguard no longer crashes and works properly.
- BZ#649345
- Previously, when rebooting the system, the kdm utility terminated with a segmentation fault if auto-login was enabled. This was caused by a NULL password being sent to the master process, which has been fixed, and rebooting the system with auto-login enabled no longer causes kdm to crash.
- BZ#666295
- When clicking Help in the Battery Monitor Settings dialog of the Battery Monitor widget, the message "The file or folder help:/plasma-desktop/index.html does not exist" appeared instead of displaying the help pages. This update adds the missing help pages, which fixes the problem.
4.117. kdepim-runtime
Bug Fixes
- BZ#660581
- Prior to this update, it was not possible to build the kdepim-runtime package on Red Hat Enterprise Linux 6. This problem has been resolved in this update and no longer occurs.
- BZ#625121
- Prior to this update, Akonaditray, which is an application included in KDE, was incorrectly displayed in the GNOME Applications menu. This bug has been fixed in this update so that Akonaditray is no longer displayed in the aforementioned menu.
4.118. kdeutils
Bug Fix
- BZ#625116
- Prior to this update, the icon for the Sweeper utility did not appear correctly in GNOME Application's Accessories menu. This bug has been fixed in this update so that the icon is now displayed as expected.
4.119. kernel
Security Fixes
- CVE-2013-1773, Important
- A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the system or, potentially, to escalate their privileges.
- CVE-2012-1796, Important
- A flaw was found in the way KVM (Kernel-based Virtual Machine) handled guest time updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) crossed a page boundary. A privileged guest user could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the host kernel level.
- CVE-2013-1797, Important
- A potential use-after-free flaw was found in the way KVM handled guest time updates when the GPA (guest physical address) the guest registered by writing to the MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION and the allocated virtual memory reused, a privileged guest user could potentially use this flaw to escalate their privileges on the host.
- CVE-2012-1798, Important
- A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt Controller). A missing validation check in the ioapic_read_indirect() function could allow a privileged guest user to crash the host, or read a substantial portion of host kernel memory.
- CVE-2012-1848, Low
- A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Bug Fixes
- BZ#956294
- The virtual file system (VFS) code had a race condition between the unlink and link system calls that allowed creating hard links to deleted (unlinked) files. This could, under certain circumstances, cause inode corruption that eventually resulted in a file system shutdown. The problem was observed in Red Hat Storage during rsync operations on replicated Gluster volumes that resulted in an XFS shutdown. A testing condition has been added to the VFS code, preventing hard links to deleted files from being created.
- BZ#972578
- Various race conditions that led to indefinite log reservation hangs due to xfsaild "idle" mode occurred in the XFS file system. This could lead to certain tasks being unresponsive; for example, the cp utility could become unresponsive on heavy workload. This update improves the Active Item List (AIL) pushing logic in xfsaild. Also, the log reservation algorithm and interactions with xfsaild have been improved. As a result, the aforementioned problems no longer occur in this scenario.
- BZ#972597
- When the Active Item List (AIL) becomes empty, the xfsaild daemon is moved to a task sleep state that depends on the timeout value returned by the xfsaild_push() function. The latest changes modified xfsaild_push() to return a 10-ms value when the AIL is empty, which sets xfsaild into the uninterruptible sleep state (D state) and artificially increased system load average. This update applies a patch that fixes this problem by setting the timeout value to the allowed maximum, 50 ms. This moves xfsaild to the interruptible sleep state (S state), avoiding the impact on load average.
- BZ#972607
- When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus to which the new device is being added. When reprogramming the hot plug parameters of a VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's shadow page tables. Previously, if the guest had a huge and complex set of shadow page tables, the flushing operation took a significant amount of time and the guest could appear to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft lockup" watchdog and the "BUG: soft lockup" events were logged by both, the guest and host kernel. This update applies a series of patches that deal with this problem. The KVM's Memory Management Unit (MMU) now avoids creating multiple page table roots in connection with processors that support Extended Page Tables (EPT). This prevents the guest's shadow page tables from becoming too complex on machines with EPT support. MMU now also flushes only large memory mappings, which alleviates the situation on machines where the processor does not support EPT. Additionally, a free memory accounting race that could prevent KVM MMU from freeing memory pages has been fixed.
Security Fixes
- CVE-2013-0871, Important
- A race condition was found in the way the Linux kernel's ptrace implementation handled PTRACE_SETREGS requests when the debuggee was woken due to a SIGKILL signal instead of being stopped. A local, unprivileged user could use this flaw to escalate their privileges.
- CVE-2012-2133, Moderate
- A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Bug Fixes
- BZ#911265
- The Intel 5520 and 5500 chipsets do not properly handle remapping of MSI and MSI-X interrupts. If the interrupt remapping feature is enabled on the system with such a chipset, various problems and service disruption could occur (for example, a NIC could stop receiving frames), and the "kernel: do_IRQ: 7.71 No irq handler for vector (irq -1)" error message appears in the system logs. As a workaround to this problem, it has been recommended to disable the interrupt remapping feature in the BIOS on such systems, and many vendors have updated their BIOS to disable interrupt remapping by default. However, the problem is still being reported by users without proper BIOS level with this feature properly turned off. Therefore, this update modifies the kernel to check if the interrupt remapping feature is enabled on these systems and to provide users with a warning message advising them on turning off the feature and updating the BIOS.
- BZ#913161
- A possible race between the n_tty_read() and reset_buffer_flags() functions could result in a NULL pointer dereference in the n_tty_read() function under certain circumstances. As a consequence, a kernel panic could have been triggered when interrupting a current task on a serial console. This update modifies the tty driver to use a spin lock to prevent functions from a parallel access to variables. A NULL pointer dereference causing a kernel panic can no longer occur in this scenario.
- BZ#915581
- Previously, running commands such as "ls", "find" or "move" on a MultiVersion File System (MVFS) could cause a kernel panic. This happened because the d_validate() function, which is used for dentry validation, called the kmem_ptr_validate() function to validate a pointer to a parent dentry. The pointer could have been freed anytime so the kmem_ptr_validate() function could not guarantee the pointer to be dereferenced, which could lead to a NULL pointer derefence. This update modifies d_validate() to verify the parent-child relationship by traversing the parent dentry's list of child dentries, which solves this problem. The kernel no longer panics in the described scenario.
- BZ#921959
- When running a high thread workload of small-sized files on an XFS file system, sometimes, the system could become unresponsive or a kernel panic could occur. This occurred because the xfsaild daemon had a subtle code path that led to lock recursion on the xfsaild lock when a buffer in the AIL was already locked and an attempt was made to force the log to unlock it. This patch removes the dangerous code path and queues the log force to be invoked from a safe locking context with respect to xfsaild. This patch also fixes the race condition between buffer locking and buffer pinned state that exposed the original problem by rechecking the state of the buffer after a lock failure. The system no longer hangs and kernel no longer panics in this scenario.
- BZ#922140
- A race condition could occur between page table sharing and virtual memory area (VMA) teardown. As a consequence, multiple "bad pmd" message warnings were displayed and "kernel BUG at mm/filemap.c:129" was reported while shutting down applications that share memory segments backed by huge pages. With this update, the VM_MAYSHARE flag is explicitly cleaned during the unmap_hugepage_range() call under the i_mmap_lock. This makes VMA ineligible for sharing and avoids the race condition. After using shared segments backed by huge pages, applications like databases and caches shut down correctly, with no crash.
- BZ#923849
- Previously, the NFS Lock Manager (NLM) did not resend blocking lock requests after NFSv3 server reboot recovery. As a consequence, when an application was running on a NFSv3 mount and requested a blocking lock, the application received an -ENOLCK error. This patch ensures that NLM always resend blocking lock requests after the grace period has expired.
- BZ#924836
- A bug in the anon_vma lock in the mprotect() function could cause virtual memory area (vma) corruption. The bug has been fixed so that virtual memory area corruption no longer occurs in this scenario.
Bug Fixes
- BZ#846831
- Previously, the TCP socket bound to NFS server contained a stale skb_hints socket buffer. Consequently, kernel could terminate unexpectedly. A patch has been provided to address this issue and skb_hints is now properly cleared from the socket, thus preventing this bug.
- BZ#847041
- On Intel systems with Pause Loop Exiting (PLE), or AMD systems with Pause Filtering (PF), it was possible for larger multi-CPU KVM guests to experience slowdowns and soft lock-ups. Due to a boundary condition in kvm_vcpu_on_spin, all the VCPUs could try to yield to VCPU0, causing contention on the run queue lock of the physical CPU where the guest's VCPU0 is running. This update eliminates the boundary condition in kvm_vcpu_on_spin.
- BZ#847944
- Due to a missing return statement, the nfs_attr_use_mounted_on_file() function returned a wrong value. As a consequence, redundant ESTALE errors could potentially be returned. This update adds the proper return statement to nfs_attr_use_mounted_on_file(), thus preventing this bug.
Enhancements
- BZ#847732
- This update adds support for the Proportional Rate Reduction (PRR) algorithms for the TCP protocol. This algorithm determines TCP's sending rate in fast recovery. PRR avoids excessive window reductions and improves accuracy of the amount of data sent during loss recovery. In addition, a number of other enhancements and bug fixes for TCP are part of this update.
- BZ#849550
- This update affects performance of the O_DSYNC flag on the GFS2 file system when only data (and not metadata such as file size) has been dirtied as a result of the write() system call. Prior to this update, write calls with O_DSYNC were behaving the same way as with O_SYNC at all times. With this update, O_DSYNC write calls only write back data if the inode's metadata is not dirty. This results in a considerable performance improvement for this specific case. Note that the issue does not affect data integrity. The same issue also applies to the pairing of the write() and fdatasync() system calls.
Bug Fixes
- BZ#840949
- Previously in the kernel, when the leap second hrtimer was started, it was possible that the kernel livelocked on the xtime_lock variable. This update fixes the problem by using a mixture of separate subsystem locks (timekeeping and ntp) and removing the xtime_lock variable, thus avoiding the livelock scenarios that could occur in the kernel.
- BZ#847365
- After the leap second was inserted, applications calling system calls that used futexes consumed almost 100% of available CPU time. This occurred because the kernel's timekeeping structure update did not properly update these futexes. The futexes repeatedly expired, re-armed, and then expired immediately again. This update fixes the problem by properly updating the futex expiration times by calling the clock_was_set_delayed() function, an interrupt-safe method of the clock_was_set() function.
Bug Fixes
- BZ#880083
- Previously, the IP over Infiniband (IPoIB) driver maintained state information about neighbors on the network by attaching it to the core network's neighbor structure. However, due to a race condition between the freeing of the core network neighbor struct and the freeing of the IPoIB network struct, a use after free condition could happen, resulting in either a kernel oops or 4 or 8 bytes of kernel memory being zeroed when it was not supposed to be. These patches decouple the IPoIB neighbor struct from the core networking stack's neighbor struct so that there is no race between the freeing of one and the freeing of the other.
- BZ#884421
- Previously, the HP Smart Array, or hpsa, driver used target reset. However, HP Smart Array logical drives do not support target reset. Therefore, if the target reset failed, the logical drive was taken offline with a file system error. The hpsa driver has been updated to use LUN reset instead of target reset, which is supported by these drives.
- BZ#891563
- Previously, the xdr routines in NFS version 2 and 3 conditionally updated the res->count variable. Read retry attempts after a short NFS read() call could fail to update the res->count variable, resulting in truncated read data being returned. With this update, the res->count variable is updated unconditionally, thus preventing this bug.
Security Fixes
- CVE-2011-1020, Moderate
- The proc file system could allow a local, unprivileged user to obtain sensitive information or possibly cause integrity issues.
- CVE-2011-3347, Moderate
- Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and also using the
be2net
driver could allow an attacker on the local network to cause a denial of service. - CVE-2011-3638, Moderate
- A flaw was found in the Linux kernel in the way splitting two extents in
ext4_ext_convert_to_initialized()
worked. A local, unprivileged user with access to mount and unmount ext4 file systems could use this flaw to cause a denial of service. - CVE-2011-4110, Moderate
- A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service.
Bug Fixes
- BZ#713682
- When a host was in recovery mode and a SCSI scan operation was initiated, the scan operation failed and provided no error output. This bug has been fixed and the SCSI layer now waits for recovery of the host to complete scan operations for devices.
- BZ#712139
- In a GFS2 file system, when the responsibility for deallocation was passed from one node to another, the receiving node may not have had a fully up-to-date inode state. If the sending node has changed the important parts of the state in the mean time (block allocation/deallocation) then this resulted in triggering an assert during the deallocation on the receiving node. With this update, the inode state is refreshed correctly during deallocation on the receiving node, ensuring that deallocation proceeds normally.
- BZ#712131
- Issues for which a host had older hypervisor code running on newer hardware, which exposed the new CPU features to the guests, were discovered. This was dangerous because newer guest kernels (such as Red Hat Enterprise Linux 6) may have attempted to use those features or assume certain machine behaviors that it would not be able to process because it was, in fact, a Xen guest. One such place was the intel_idle driver which attempts to use the MWAIT and MONITOR instructions. These instructions are invalid operations for a Xen PV guest. This update provides a patch, which masks the MWAIT instruction to avoid this issue.
- BZ#712102
- The 128-bit multiply operation in the pvclock.h function was missing an output constraint for EDX which caused a register corruption to appear. As a result, Red Hat Enterprise Linux 3.8 and Red Hat Enterprise Linux 3.9 KVM guests with a Red Hat Enterprise Linux 6.1 KVM host kernel exhibited time inconsistencies. With this update, the underlying source code has been modified to address this issue, and time runs as expected on the aforementioned systems.
- BZ#712000
- Prior to this update, the following message appeared in kernel log files:
[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected for Max BW - using 100 instead
The above message appeared on bnx2x interfaces in the multi-function mode which were not used and had no link, thus, not indicating any actual problems with connectivity. With this update, the message has been removed and no longer appears in kernel log files. - BZ#713730
- Previously, some enclosure devices with a broken firmware reported incorrect values. As a consequence, kernel sometimes terminated unexpectedly. A patch has been provided to address this issue, and the kernel crashes no longer occur even if an enclosure device reports incorrect or duplicate data.
- BZ#709856
- Xen guests cannot make use of all CPU features, and in some cases they are even risky to be advertised. One such feature is CONSTANT_TSC. This feature prevents the TSC (Time Stamp Counter) from being marked as unstable, which allows the sched_clock_stable option to be enabled. Having the sched_clock_stable option enabled is problematic for Xen PV guests because the sched_clock() function has been overridden with the xen_sched_clock() function, which is not synchronized between virtual CPUs. This update provides a patch, which sets all x86_power features to 0 as a preventive measure against other potentially dangerous assumptions the kernel could make based on the features, fixing this issue.
- BZ#623712
- RHEL6.2 backported the scalability improvement on creating many 'cpu' control groups (cgroups) on a system with a large number of CPUs. The creation process for large number of cgroups will no longer hog the machine when the control groups feature is enabled.In addition to the scalability improvement, a /proc tunable parameter, dd sysctl_sched_shares_window, has been added, and the default is set to 10 ms.
- BZ#719304
- Older versions of be2net cards firmware may not recognize certain commands and return illegal/unsupported errors, causing confusing error messages to appear in the logs. With this update, the driver handles these errors gracefully and does not log them.
- BZ#722461
- On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a memory shortage the first time, all pages on the active or inactive lists are considered referenced. This causes the memory management on IBM System z to do a full check over all page cache pages and start writeback for all of them. As a consequence, the system became temporarily unresponsive when the described situation occurred. With this update, only pages with active mappers are checked and the page scan now does not cause the hangs.
- BZ#722596
- This update fixes the inability of the be2net driver to work in a kdump environment. It clears an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel after a crash.
- BZ#705441
- A previously introduced update intended to prevent IOMMU (I/O Memory Management Unit) domain exhaustion introduced two regressions. The first regression was a race where a domain pointer could be freed while a lazy flush algorithm still had a reference to it, eventually causing kernel panic. The second regression was an erroneous reference removal for identity mapped and VM IOMMU domains, causing I/O errors. Both of these regressions could only be triggered on Intel based platforms, supporting VT-d, booted with the intel_iommu=on boot option. With this update, the underlying source code of the intel-iommu driver has been modified to resolve both of these problems. A forced flush is now used to avoid the lazy use after free issue, and extra checks have been added to avoid the erroneous reference removal.
- BZ#635596
- This update fixes two bugs related to Rx checksum offloading. These bugs caused a data corruption transferred over r8169 NIC when Rx checksum offloading was enabled.
- BZ#704401
- Prior to this update, kdump failed to create a vmcore file after triggering a crash on POWER7 systems with Dynamic DMA Windows enabled. This update provides a number of fixes that address this issue.
- BZ#703935
- Previously, auditing system calls used a simple check to determine whether a return value was positive or negative, which also determined the success of the system call. With an exception of few, this worked on most platforms and with most system calls. For example, the 32 bit mmap system call on the AMD64 architecture could return a pointer which appeared to be of value negative even though pointers are normally of unsigned values. This resulted in the success field being incorrect. This patch fixes the success field for all system calls on all architectures.
- BZ#703245
- When VLANs stacked on top of multiqueue devices passed through these devices, the queue_mapping value was not properly decremented because the VLAN devices called the physical devices via the ndo_select_queue method. This update removes the multiqueue functionality, resolving this issue.
- BZ#703055
- Prior to this update, Red Hat Enterprise Linux Xen (up to version 5.6) did not hide 1 GB pages and RDTSCP (enumeration features of CPUID), causing guest soft lock ups on AMD hosts when the guest's memory was greater than 8 GB. With this update, a Red Hat Enterprise Linux 6 HVM (Hardware Virtual Machine) guest is able to run on Red Hat Enterprise Linux Xen 5.6 and lower.
- BZ#702742
- Prior to this update, code was missing from the netif_set_real_num_tx_queues() function which prevented an increment of the real number of TX queues (the real_num_tx_queues value). This update adds the missing code; thus, resolving this issue.
- BZ#725711
- Previously, the inet6_sk_generic() function was using the obj_size variable to compute the address of its inner structure, causing memory corruption. With this update, the sk_alloc_size() is called every time there is a request for allocation, and memory corruption no longer occurs.
- BZ#702057
- Multiple GFS2 nodes attempted to unlink, rename, or manipulate files at the same time, causing various forms of file system corruption, panics, and withdraws. This update adds multiple checks for dinode's i_nlink value to assure inode operations such as link, unlink, or rename no longer cause the aforementioned problems.
- BZ#701951
- A kernel panic in the mpt2sas driver could occur on an IBM system using a drive with SMART (Self-Monitoring, Analysis and Reporting Technology) issues. This was because the driver was sending an SEP request while the kernel was in the interrupt context, causing the driver to enter the sleep state. With this update, a fake event is not executed from the interrupt context, assuring the SEP request is properly issued.
- BZ#700538
- When using certain SELinux policies, such as the MLS policy, it was not possible to properly mount the cgroupfs file system due to the way security checks were applied to the new cgroupfs inodes during the mount operation. With this update, the security checks applied during the mount operation have been changed so that they always succeed, and the cgroupfs file system can now be successfully mounted and used with the MLS SELinux policy. This issue did not affect systems which used the default targeted policy.
- BZ#729220
- When a SCTP (Stream Control Transmission Protocol) packet contained two COOKIE_ECHO chunks and nothing else, the SCTP state machine disabled output processing for the socket while processing the first COOKIE_ECHO chunk, then lost the association and forgot to re-enable output processing for the socket. As a consequence, any data which needed to be sent to a peer were blocked and the socket appeared to be unresponsive. With this update, a new SCTP command has been added to the kernel code, which sets the association explicitly; the command is used when processing the second COOKIE_ECHO chunk to restore the context for SCTP state machine, thus fixing this bug.
- BZ#698268
- The hpsa driver has been updated to provide a fix for hpsa driver kdump failures.
- BZ#696777
- Prior to this update, interrupts were enabled before the dispatch log for the boot CPU was set up, causing kernel panic if a timer interrupt occurred before the log was set up. This update adds a check to the scan_dispatch_log function to ensure the dispatch log has been allocated.
- BZ#696754
- Prior to this update, the interrupt service routine was performing unnecessary MMIO operation during performance testing on IBM POWER7 machines. With this update, the logic of the routine has been modified so that there are fewer MMIO operations in the performance path of the code. Additionally, as a result of the aforementioned change, an existing condition was exposed where the IPR driver (the controller device driver) could return an unexpected HRRQ (Host Receive Request) interrupt. The original code flagged the interrupt as unexpected and then reset the adapter. After further analysis, it was confirmed that this condition could occasionally occur and the interrupt can be safely ignored. Additional code provided by this update detects this condition, clears the interrupt, and allows the driver to continue without resetting the adapter.
- BZ#732706
- The ACPI (Advanced Control and Power Interface) core places all events to the kacpi_notify queue including PCI hotplug events. When the acpiphp driver was loaded and a PCI card with a PCI-to-PCI bridge was removed from the system, the code path attempted to empty the kacpi_notify queue which causes a deadlock, and the kacpi_notify thread became unresponsive. With this update, the call sequence has been fixed, and the bridge is now cleaned-up properly in the described scenario.
- BZ#669363
- Prior to this update, the /proc/diskstats file showed erroneous values. This occurred when the kernel merged two I/O operations for adjacent sectors which were located on different disk partitions. Two merge requests were submitted for the adjacent sectors, the first request for the second partition and the second request for the first partition, which was then merged to the first request. The first submission of the merge request incremented the in_flight value for the second partition. However, at the completion of the merge request, the in_flight value of a different partition (the first one) was decremented. This resulted in the erroneous values displayed in the /proc/diskstats file. With this update, the merging of two I/O operations which are located on different disk partitions has been fixed and works as expected.
- BZ#670765
- Due to an uninitialized variable (specifically, the isr_ack variable), a virtual guest could become unresponsive when migrated while being rebooted. With this update, the said variable is properly initialized, and virtual guests no longer hang in the aforementioned scenario.
- BZ#695231
- Prior to this update, the be2net driver was using the BE3 chipset in legacy mode. This update enables this chipset to work in a native mode, making it possible to use all 4 ports on a 4-port integrated NIC.
- BZ#694747
- A Windows Server 2008 32-bit guest installation failed on a Red Hat Enterprise Linux 6.1 Snap2 KVM host when allocating more than one virtual CPU (vcpus > 1) during the installation. As soon the installation started after booting from ISO, a blue screen with the following error occurred:
A problem has been detected and windows has been shut down to prevent damage to your computer.
This was because a valid microcode update signature was not reported to the guest. This update fixes this issue by reporting a non-zero microcode update signature to the guest. - BZ#679526
- Disk read operations on a memory constrained system could cause allocations to stall. As a result, the system performance would drop considerably. With this update, latencies seen in page reclaim operations have been reduced and their efficiency improved; thus, fixing this issue.
- BZ#736667
- A workaround to the megaraid_sas driver was provided to address an issue but as a side effect of the workaround, megaraid_sas stopped to report certain enclosures, CD-ROM drives, and other devices. The underlying problem for the issue has been fixed as reported in BZ#741166. With this update, the original workaround has been reverted, and megaraid_sas now reports many different devices as before.
- BZ#694210
- This update fixes a regression in which a client would use an UNCHECKED NFS CREATE call when an open system call was attempted with the O_EXCL|O_CREAT flag combination. An EXCLUSIVE NFS CREATE call should have been used instead to ensure that O_EXCL semantics were preserved. As a result, an application could be led to believe that it had created the file when it was in fact created by another application.
- BZ#692167
- A race between the FSFREEZE ioctl() command to freeze an ext4 file system and mmap I/O operations would result in a deadlock if these two operations ran simultaneously. This update provides a number of patches to address this issue, and a deadlock no longer occurs in the previously-described scenario.
- BZ#712653
- When a CPU is about to modify data protected by the RCU (Read Copy Update) mechanism, it has to wait for other CPUs in the system to pass a quiescent state. Previously, the guest mode was not considered a quiescent state. As a consequence, if a CPU was in the guest mode for a long time, another CPU had to wait a long time in order to modify RCU-protected data. With this update, the rcu_virt_note_context_switch() function, which marks the guest mode as a quiescent state, has been added to the kernel, thus resolving this issue.
- BZ#683658
- The patch that fixed BZ#556572 introduced a bug where the page lock was being released too soon, allowing the do_wp_page function to reuse the wrprotected page before PageKsm would be set in page->mapping. With this update, a new version of the original fix was introduced, thus fixing this issue.
- BZ#738110
- Due to the partial support of IPv6 multicast snooping, IPv6 multicast packets may have been dropped. This update fixes IPv6 multicast snooping so that packets are no longer dropped.
- BZ#691310
- While executing a multi-threaded process by multiple CPUs, page-directory-pointer-table entry (PDPTE) registers were not fully flushed from the CPU cache when a Page Global Directory (PGD) entry was changed in x86 Physical Address Extension (PAE) mode. As a consequence, the process failed to respond for a long time before it successfully finished. With this update, the kernel has been modified to flush the Translation Lookaside Buffer (TLB) for each CPU using a page table that has changed. Multi-threaded processes now finish without hanging.
- BZ#738379
- When a kernel NFS server was being stopped, kernel sometimes terminated unexpectedly. A bug has been fixed in the wait_for_completion_interruptible_timeout() function and the crashes no longer occur in the described scenario.
- BZ#690745
- Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network interfaces on some machines. As a result, the installer may use different names during an upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines). However, the previously used network interface names are preserved on the system and the upgraded system will still use the previously used interfaces. This is not the case for Yum upgrades.
- BZ#740465
- A scenario for this bug involves two hosts, configured to use IPv4 network, and two guests, configured to use IPv6 network. When a guest on host A attempted to send a large UDP datagram to host B, host A terminated unexpectedly. With this update, the ipv6_select_ident() function has been fixed to accept the in6_addr parameter and to use the destination address in IPv6 header when no route is attached, and the crashes no longer occur in the described scenario.
- BZ#693894
- Migration of a Windows XP virtual guest during the early stage of a boot caused the virtual guest OS to fail to boot correctly. With this update, the underlying source code has been modified to address this issue, and the virtual guest OS no longer fails to boot.
- BZ#694358
- This update adds a missing patch to the ixgbe driver to use the kernel's generic routine to set and obtain the DCB (Data Center Bridging) priority. Without this fix, applications could not properly query the DCB priority.
- BZ#679262
- In Red Hat Enterprise Linux 6.2, due to security concerns, addresses in /proc/kallsyms and /proc/modules show all zeros when accessed by a non-root user.
- BZ#695859
- Red Hat Enterprise Linux 6.0 and 6.1 defaulted to running UEFI systems in a physical addressing mode. Red Hat Enterprise Linux 6.2 defaults to running UEFI systems in a virtual addressing mode. The previous behavior may be obtained by passing the physefi kernel parameter.
- BZ#695966
- After receiving an ABTS response, the FCoE (Fibre Channel over Ethernet) DDP error status was cleared. As a result, the FCoE DDP context invalidation was incorrectly bypassed and caused memory corruption. With this update, the underlying source code has been modified to address this issue, and memory corruption no longer occurs.
- BZ#696511
- Suspending a system to RAM and consequently resuming it caused USB3.0 ports to not work properly. This was because a USB3.0 device configured for MSIX would, during the resume operation, incorrectly read its previous interrupt state. This would lead it to fall back to a legacy mode and appear unresponsive. With this update, the interrupt state is cached, allowing the driver to properly resume its previous state.
- BZ#662666
- Deleting the lost+found directory on a file system with inodes of size greater than 128 bytes and reusing inode 11 for a different file caused the extended attributes for inode 11 (which were set before a umount operation) to not be saved after a file system remount. As a result, the extended attributes were lost after the remount. With this update, inodes store their extended attributes under all circumstances.
- BZ#698023
- Prior to this update, in the __cache_alloc() function, the ac variable could be changed after cache_alloc_refill() and the following kmemleak_erase() function could receive an incorrect pointer, causing kernel panic. With this update, the ac variable is updated after the cache_alloc_refill() unconditionally.
- BZ#698625
- This update includes two fixes for the bna driver, specifically:
- A memory leak was caused by an unintentional assignment of the NULL value to the RX path destroy callback function pointer after a correct initialization.
- During a kernel crash, the bna driver control path state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.
- BZ#700165
- When an event caused the ibmvscsi driver to reset its CRQ, re-registering the CRQ returned H_CLOSED, indicating that the Virtual I/O Server was not ready to receive commands. As a consequence, the ibmvscsi driver offlined the adapter and did not recover. With this update, the interrupt is re-enabled after the reset so that when the Virtual I/O server is ready and sends a CRQ init, it is able to receive it and resume initialization of the VSCSI adapter.
- BZ#700299
- This update standardizes the printed format of UUIDs (Universally Unique Identifier)/GUIDs (Globally Unique Identifier) by using an additional extension to the %p format specifier (which is used to show the memory address value of a pointer).
- BZ#702036
- Prior to this update, the ehea driver caused a kernel oops during a memory hotplug if the ports were not up. With this update, the waitqueues are initialized during the port probe operation, instead of during the port open operation.
- BZ#702263
- While running gfs2_grow, the file system became unresponsive. This was due to the log not getting flushed when a node dropped its rindex glock so that another node could grow the file system. If the log did not get flushed, GFS2 could corrupt the sd_log_le_rg list, ultimately causing a hang. With this update, a log flush is forced when the rindex glock is invalidated; gfs2_grow completes as expected and the file system remains accessible.
- BZ#703251
- The Brocade BFA FC/FCoE driver was previously selectively marked as a Technology Preview based on the type of the adapter. With this update, the Brocade BFA FC/FCoE driver is always marked as a Technology Preview.
- BZ#703265
- The Brocade BFA FC SCSI driver (bfa driver) has been upgraded to version 2.3.2.4. Additionally, this update provides the following two fixes:
- A firmware download memory leak was caused by the release_firmware() function not being called after the request_firmware() function. Similarly, the firmware download interface has been fixed and now works as expected.
- During a kernel crash, the bfa I/O control state machine and firmware did not receive a notification of the crash, and, as a result, were not shut down cleanly.
- BZ#704231
- A previously released patch for BZ#625487 introduced a kABI (Kernel Application Binary Interface) workaround that extended struct sock (the network layer representation of sockets) by putting the extension structure in the memory right after the original structure. As a result, the prot->obj_size pointer had to be adjusted in the proto_register function. Prior to this update, the adjustment was done only if the alloc_slab parameter of the proto_register function was not 0. When the alloc_slab parameter was 0, drivers performed allocations themselves using sk_alloc and as the allocated memory was lower than needed, a memory corruption could occur. With this update, the underlying source code has been modified to address this issue, and a memory corruption no longer occurs.
- BZ#705082
- A scalability issue with KVM/QEMU was discovered in the idr_lock spinlock in the posix-timers code, resulting in excessive CPU resource usage. With this update, the underlying source code has been modified to address this issue, and the aforementioned spinlock no longer uses excessive amounts of CPU resources.
- BZ#723650
- When a NFS server returned more than two GETATTR bitmap words in response to the FATTR4_ACL attribute request, decoding operations of the nfs4_getfacl() function failed. A patch has been provided to address this issue and the ACLs are now returned in the described scenario.
- BZ#707268
- After hot plugging one of the disks of a non-boot 2-disk RAID1 pair, the md driver would enter an infinite resync loop thinking there was a spare disk available, when, in fact, there was none. This update adds an additional check to detect the previously mentioned situation; thus, fixing this issue.
- BZ#707757
- The default for CFQ's group_isolation variable has been changed from 0 to 1 (/sys/block/<device>/queue/iosched/group_isolation). After various testing and numerous user reports, it was found that having default 1 is more useful. When set to 0, all random I/O queues become part of the root cgroup and not the actual cgroup which the application is part of. Consequently, this leads to no service differentiation for applications.
- BZ#691945
- In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command for every bad command when a driver error handler reports success. When several bad commands pointed to a same device, the device was probed multiple times. When the device was in a state where the device did not respond to commands even after a recovery function returned success, the error handler had to wait for the commands to time out. This significantly impeded the recovery process. With this update, SCSI mid-layer error routines to send test commands have been fixed to respond once per device instead of once per bad command, thus reducing error recovery time considerably.
- BZ#696396
- Prior to this update, loading the FS-Cache kernel module would cause the kernel to be tainted as a Technology Preview via the mark_tech_preview() function, which would cause kernel lock debugging to be disabled by the add_taint() function. However, the NFS and CIFS modules depend on the FS-Cache module so using either NFS or CIFS would cause the FS-Cache module to be loaded and the kernel tainted. With this update, FS-Cache only taints the kernel when a cache is brought online (for instance by starting the cachefilesd service) and, additionally, the add_taint() function has been modified so that it does not disable lock debugging for informational-only taints.
- BZ#703728
- This update removes temporary and unneeded files that were previously included with the kernel source code.
- BZ#632802
- Previously removed flushing of MMU updates in the kmap_atomic() and kunmap_atomic() functions resulted in a dereference bug when processing a fork() under a heavy load. This update fixes page table entries in the kmap_atomic() and kunmap_atomic() functions to be synchronous, regardless of the lazy_mmu mode, thus fixing this issue.
- BZ#746570
- Previously fixed ABI issues in Red Hat Enterprise Linux 6.2 resulted in broken drivers that were built against the Red Hat Enterprise Linux 6.1 sources. This update adds padding to the net_device private structure so that the overruns resulting from an excessively-long pointer computed in the netdev_priv structure do not exceed the bounds of allocated memory.
- BZ#737753
- A previously introduced patch increased the value of the cpuid field from 8 to 16 bits. As a result, in some cases, modules built against the Red Hat Enterprise Linux 6.0 kernel source panicked when loaded into the new Red Hat Enterprise Linux 6.2 kernel. This update provides a patch which fixes this guaranteed backwards compatibility.
- BZ#745253
- KABI issues with additional fields in the "uv_blade_info" structure were discovered that prevented existing SGI modules from loading against the Red Hat Enterprise Linux 6.2 kernel. This update fixes the code in the "uv_blade_info" structure, and SGI modules load against the Red Hat Enterprise Linux 6.2 kernel as expected.
- BZ#748503
- Incorrect duplicate MAC addresses were being used on a rack network daughter card that contained a quad-port Intel I350 Gigabit Ethernet Controller. With this update, the underlying source code has been modified to address this issue, and correct MAC addresses are now used under all circumstances.
- BZ#728676
- Prior to this update, on certain HP systems, the hpsa and cciss drivers could become unresponsive and cause the system to crash when booting due to an attempt to read from a write-only register. This update fixes this issue, and the aforementioned crashes no longer occur.
- BZ#693930
- The cxgb4 driver never waited for RDMA_WR/FINI completions because the condition variable used to determine whether the completion happened was never reset, and this condition variable was reused for both connection setup and teardown. This caused various driver crashes under heavy loads because resources were released too early. With this update, atomic bits are used to correctly reset the condition immediately after the completion is detected.
- BZ#710497
- If a Virtual I/O server failed in a dual virtual I/O server multipath configuration, not all remote ports were deleted, causing path failover to not work properly. With this update, all remote ports are deleted so that path failover works as expected. For a single path configuration, the remote ports will enter the devloss state.
- BZ#713868
- When using the "crashkernel=auto" parameter and the "crashk_res.start" variable was set to 0, the existing logic automatically set the value of the "crashk_res.start" variable to 32M. However, to keep enough space in the RMO region for the first stage kernel on 64-bit PowerPC, the "crashk_res.start" should have been set to KDUMP_KERNELBASE (64M). This update fixes this issue and properly assigns the correct value to the "crashk_res.start" variable.
- BZ#743959
- Due to a delay in settling of the usb-storage driver, the kernel failed to report all the disk drive devices in time to Anaconda, when booted in Unified Extensible Firmware Interface (UEFI) mode. Consequently, Anaconda presumed that no driver disks were available and loaded the standard drivers. With this update, both Anaconda and the driver use a one second delay, all devices are enumerated and inspected for driver disks properly.
- BZ#690129
- Prior to this update, the remap_file_pages() call was disabled for mappings without the VM_CAN_NONLINEAR flag set. Shared mappings of temporary file storage facilities (tmpfs) had this flag set but the flag was not set for the shared mappings of the /dev/zero device or shared anonymous mappings. With this update, the code has been modified and the VM_CAN_NONLINEAR flag is set also on the shared mappings of the /dev/zero device and shared anonymous mappings.
- BZ#694309
- The NFS client iterates through individual elements of a vector and issues a write request for each element to the server when the writev() function is called on a file opened with the O_DIRECT flag. Consequently, the server commits each individual write to the disk before replying to the client and the request transfer for the NFS client to the NFS server causes performance problems. With this update, the larger I/Os from the client are submitted only if all buffers are page-aligned, each individual vector element is aligned and has multiple pages, and the total I/O size is less than wsize (write block size).
- BZ#699042
- Improper shutdown in the e1000e driver caused a client with Intel 82578DM Gigabit Ethernet PHY to ignore the Wake-on-LAN signal and attempt to boot the client failed. This update applies the upstream Intel patch which fixes the problem.
- BZ#703357
- The "ifconfig up" command allocates memory for Direct Memory Access (DMA) operations. The memory is released when the "ifconfig down" command is issued. Previously, if another "ifconfig up" command was issued after an ifconfig up/down session, it re-enabled the DMA operations before sending the new DMA memory address to the NIC and the NIC could access the DMA address allocated during the previous ifconfig up/down session. However, the DMA address was already freed and could be used by another process. With this update, the underlying code has been modified and the problem no longer occurs.
- BZ#729737
- The in-process I/O operations of the Chelsio iWARP (cxgb3) driver could attempt to access a control data structure, which was previously freed after a hardware error that disabled the offload functionality occurred. This caused the system to terminate unexpectedly. With this update, the driver delays the freeing of the data structure and the problem no longer occurs.
- BZ#734509
- Previously, the capabilities flag of the WHEA_OSC call was set to 0. This could cause certain machines to disable APEI (ACPI Platform Error Interface). The flag is now set to 1, which enables APEI and fixes the problem.
- BZ#748441
- Previously, the origin device was being read when overwriting a complete chunk in the snapshot. This led to a significant memory leak when using the dm-snapshot module. With this update, reading of the origin device is skipped, and the memory leak no longer occurs.
- BZ#750208
- When the user attempted to list the mounted GFS2 file systems, a kernel panic occurred. This happened if the file in the location which the user tried to list was at the same time being manipulated by using the "fallocate" command. With this update, page cache is no longer used; the block is zeroed out at allocation time instead. Now, a kernel panic no longer occurs.
- BZ#749018
- The queuecommand error-handling function could cause memory leaks or prevent the TUR command from finishing for SCSI device drivers that enabled the support for lockless dispatching (lockless=1). This happened because the device driver did not call the scsi_cmd_get_serial() function and the serial_number property of the command remained zero. Consequently, the SCSI command could not be finished or aborted as the error-handling function always returned success for "serial_number == 0". The check for the serial number has been removed and the SCSI command can be finished or aborted.
- BZ#750583
- A previous patch for the Ironlake graphics controller and memory controller hub (GMCH) with a workaround for Virtualization Technology for Directed I/O (VT-d) introduced recursive calls to the unmap() function. With this update, a flag, which prevents the recursion, was added to the call chain, which allows the called routines to prevent the recursion.
Enhancements
Note
- BZ#707287
- This update introduces a kernel module option that allows the disabling of the Flow Director.
- BZ#706167
- This update adds XTS (XEX-based Tweaked CodeBook) AES256 self-tests to meet the FIPS-140 requirements.
- BZ#635968
- This update introduces parallel port printer support for Red Hat Enterprise Linux 6.
- BZ#699865
- This update reduces the overhead of probes provided by kprobe (a dynamic instrumentation system), and enhances the performance of SystemTap.
- BZ#696695
- With this update, the JSM driver has been updated to support for enabling the Bell2 (with PLX chip) 2-port adapter on POWER7 systems. Additionally, EEH support has been added for to JSM driver.
- BZ#669739
- Memory limit for x86_64 domU PV guests has been increased to 128 GB: CONFIG_XEN_MAX_DOMAIN_MEMORY=128.
- BZ#662208
- In Red Hat Enterprise Linux 6.2, the taskstat utility (which prints ASET tasks status) in the kernel has been enhanced by the providing microsecond CPU time granularity to the top utility.
- BZ#708365
- Red Hat Enterprise Linux 6.2 introduced the multi-message send syscall, which is the send version of the existing recvmmsg syscall in Red Hat Enterprise Linux 6.The following is the syscall sendmmsg socket API:
struct mmsghdr { struct msghdr msg_hdr; unsigned msg_len; }; ssize_t sendmmsg(int socket, struct mmsghdr *datagrams, int vlen, int flags);
- BZ#647700
- Red Hat Enterprise Linux 6.2's EDAC driver support for the latest Intel chipset is available as a Technical Preview.
- BZ#599054
- In Red Hat Enterprise Linux 6.2, the ipset feature in the kernel is added to store multiple IP addresses or port numbers, and match against the collection by iptables.
Security Fix
- CVE-2011-4127, Important
- Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device.In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug 752375 for further details and a mitigation script for users who cannot apply this update immediately.
Bug Fixes
- BZ#750459
- Previously, idle load balancer kick requests from other CPUs could be serviced without first receiving an inter-processor interrupt (IPI). This could have led to a deadlock.
- BZ#751403
- This update fixes a performance regression that may have caused processes (including KVM guests) to hang for a number of seconds.
- BZ#755545
- When md_raid1_unplug_device() was called while holding a spinlock, under certain device failure conditions, it was possible for the lock to be requested again, deeper in the call chain, causing a deadlock. Now, md_raid1_unplug_device() is no longer called while holding a spinlock.
- BZ#756426
- In hpet_next_event(), an interrupt could have occurred between the read and write of the HPET (High Performance Event Timer) and the value of HPET_COUNTER was then beyond that being written to the comparator (HPET_Tn_CMP). Consequently, the timers were overdue for up to several minutes. Now, a comparison is performed between the value of the counter and the comparator in the HPET code. If the counter is beyond the comparator, the "-ETIME" error code is returned.
- BZ#756427
- Index allocation in the virtio-blk module was based on a monotonically increasing variable "index". Consequently, released indexes were not reused and after a period of time, no new were available. Now, virtio-blk uses the ida API to allocate indexes.
- BZ#757671
- A bug related to Context Caching existed in the Intel IOMMU support module. On some newer Intel systems, the Context Cache mode has changed from previous hardware versions, potentially exposing a Context coherency race. The bug was exposed when performing a series of hot plug and unplug operations of a Virtual Function network device which was immediately configured into the network stack, i.e., successfully performed dynamic host configuration protocol (DHCP). When the coherency race occurred, the assigned device would not work properly in the guest virtual machine. With this update, the Context coherency is corrected and the race and potentially resulting device assignment failure no longer occurs.
- BZ#758028
- The align_va_addr kernel parameter was ignored if secondary CPUs were initialized. This happened because the parameter settings were overridden during the initialization of secondary CPUs. Also, the align_va_addr parameter documentation contained incorrect parameter arguments. With this update, the underlying code has been modified to prevent the overriding and the documentation has been updated. This update also removes the unused code introduced by the patch for BZ#739456.
- BZ#758513
- Dell systems based on a future Intel processor with graphics acceleration required the selection of the install system with basic video driver installation option. This update removes this requirement.
Security Fix
- CVE-2012-0056, Important
- It was found that permissions were not checked properly in the Linux kernel when handling the /proc/[pid]/mem writing functionality. A local, unprivileged user could use this flaw to escalate their privileges. Refer to Red Hat Knowledgebase article 69124 for further information.
Bug Fixes
- BZ#768288
- The RHSA-2011:1849 kernel update introduced a bug in the Linux kernel scheduler, causing a "WARNING: at kernel/sched.c:5915 thread_return" message and a call trace to be logged. This message was harmless, and was not due to any system malfunctions or adverse behavior. With this update, the WARN_ON_ONCE() call in the scheduler that caused this harmless message has been removed.
- BZ#769595
- The RHSA-2011:1530 kernel update introduced a regression in the way the Linux kernel maps ELF headers for kernel modules into kernel memory. If a third-party kernel module is compiled on a Red Hat Enterprise Linux system with a kernel prior to RHSA-2011:1530, then loading that module on a system with RHSA-2011:1530 kernel would result in corruption of one byte in the memory reserved for the module. In some cases, this could prevent the module from functioning correctly.
- 755867
- On some SMP systems the tsc may erroneously be marked as unstable during early system boot or while the system is under heavy load. A "Clocksource tsc unstable" message was logged when this occurred. As a result the system would switch to the slower access, but higher precision HPET clock.The "tsc=reliable" kernel parameter is supposed to avoid this problem by indicating that the system has a known good clock, however, the parameter only affected run time checks. A fix has been put in to avoid the boot time checks so that the TSC remains as the clock for the duration of system runtime.
Security Fixes
- CVE-2011-4077, Moderate
- A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
- CVE-2011-4081, Moderate
- Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.
- CVE-2011-4132, Moderate
- A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
- CVE-2011-4347, Moderate
- It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing.
- CVE-2011-4594, Moderate
- Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory. A local, unprivileged user could use these flaws to cause a denial of service.
- CVE-2011-4611, Moderate
- The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service.
- CVE-2011-4622, Moderate
- A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host could force this situation to occur, resulting in the host crashing.
- CVE-2012-0038, Moderate
- A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
- CVE-2012-0045, Moderate
- A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest.
- CVE-2012-0207, Moderate
- A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service.
Bug Fixes
- BZ#789058
- Windows clients never send write requests larger than 64 KB but the default size for write requests in Common Internet File System (CIFS) was set to a much larger value. Consequently, write requests larger than 64 KB caused various problems on certain third-party servers. This update lowers the default size for write requests to prevent this bug. The user can override this value to a larger one to get better performance.
- BZ#788003
- In certain circumstances, the qla2xxx driver was unable to discover fibre channel (FC) tape devices because the ADISC ELS request failed. This update adds the new module parameter, ql2xasynclogin, to address this issue. When this parameter is set to "0", FC tape devices are discovered properly.
- BZ#787580
- Socket callbacks use the svc_xprt_enqueue() function to add sockets to the pool->sp_sockets list. In normal operation, a server thread will later take the socket off that list. Previously, on the nfsd daemon shutdown, still-running svc_xprt_enqueue() could re-add an socket to the sp_sockets list just before it was deleted. Consequently, system could terminate unexpectedly by memory corruption in the sunrpc module. With this update, the XPT_BUSY flag is put on every socket and svc_xprt_enqueue() now checks this flag, thus preventing this bug.
- BZ#787162
- When trying to send a kdump file to a remote system via the tg3 driver, the tg3 NIC (network interface controller) could not establish the connection and the file could not be sent. The kdump kernel leaves the MSI-X interrupts enabled as set by the crashed kernel, however, the kdump kernel only enables one CPU and this could cause the interrupt delivery to the tg3 driver to fail. With this update, tg3 enables only a single MSI-X interrupt in the kdump kernel to match the overall environment, thus preventing this bug.
- BZ#786022
- Previously, the cfq_cic_link() function had a race condition. When some processes, which shared ioc issue I/O to the same block device simultaneously, cfq_cic_link() sometimes returned the -EEXIST error code. Consequently, one of the processes started to wait indefinitely. A patch has been provided to address this issue and the cfq_cic_lookup() call is now retried in the described scenario, thus fixing this bug.
- BZ#783226
- When transmitting a fragmented socket buffer (SKB), the qlge driver fills a descriptor with fragment addresses, after DMA-mapping them. On systems with pages larger than 8 KB and less than eight fragments per SKB, a macro defined the size of the OAL (Outbound Address List) list as 0. For SKBs with more than eight fragments, this would start overwriting the list of addresses already mapped and would make the driver fail to properly unmap the right addresses on architectures with pages larger than 8 KB. With this update, the size of external list for TX address descriptors have been fixed and qlge no longer fails in the described scenario.
- BZ#781971
- The time-out period in the qla2x00_fw_ready() function was hard-coded to 20 seconds. This period was too short for new QLogic host bus adapters (HBAs) for Fibre Channel over Ethernet (FCoE). Consequently, some logical unit numbers (LUNs) were missing after a reboot. With this update, the time-out period has been set to 60 seconds so that the modprobe utility is able to recheck the driver module, thus fixing this bug.
- BZ#772687
- Previously, the remove_from_page_cache() function was not exported. Consequently, the module for the Lustre file system did not work correctly. With this update, remove_from_page_cache() is properly exported, thus fixing this bug.
- BZ#761536
- Due to a regression, the updated vmxnet3 driver used the ndo_set_features() method instead of various methods of the ethtool utility. Consequently, it was not possible to make changes to vmxnet3-based network adapters in Red Hat Enterprise Linux 6.2. This update restores the ability of the driver to properly set features, such as csum or TSO (TCP Segmentation Offload), via ethtool.
- BZ#771981
- Due to regression, an attempt to open a directory that did not have a cached dentry failed and the EISDIR error code was returned. The same operation succeeded if a cached dentry existed. This update modifies the nfs_atomic_lookup() function to allow fallbacks to normal look-up in the described scenario.
- BZ#768916
- On a system with an idle network interface card (NIC) controlled by the e1000e driver, when the card transmitted up to four descriptors, which delayed the write-back and nothing else, the run of the watchdog driver about two seconds later forced a check for a transmit hang in the hardware, which found the old entry in the TX ring. Consequently, a false "Detected Hardware Unit Hang" message was issued to the log. With this update, when the hang is detected, the descriptor is flushed and the hang check is run again, which fixes this bug.
- BZ#769208
- The CFQ (Completely Fair Queuing) scheduler does idling on sequential processes. With changes to the IOeventFD feature, traffic pattern at CFQ changed and CFQ considered everything a thread was doing sequential I/O operations. Consequently, CFQ did not allow preemption across threads in Qemu. This update increases the preemption threshold and the idling is now limited in the described scenario without the loss of throughput.
- BZ#771870
- A bug in the splice code has caused the file position on the write side of the sendfile() system call to be incorrectly set to the read side file position. This could result in the data being written to an incorrect offset. Now, sendfile() has been modified to correctly use the current file position for the write side file descriptor, thus fixing this bug.
Note
Note that in the following common sendfile() scenarios, this bug does not occur: when both read and write file positions are identical and when the file position is not important, for example, if the write side is a socket. - BZ#772884
- On large SMP systems, the TSC (Time Stamp Counter) clock frequency could be incorrectly calculated. The discrepancy between the correct value and the incorrect value was within 0.5%. When the system rebooted, this small error would result in the system becoming out of synchronization with an external reference clock (typically a NTP server). With this update, the TSC frequency calculation has been improved and the clock correctly maintains synchronization with external reference clocks.
Security Fixes
- CVE-2012-0879, Moderate
- Numerous reference count leaks were found in the Linux kernel's block layer I/O context handling implementation. This could allow a local, unprivileged user to cause a denial of service.
- CVE-2012-1090, Moderate
- A flaw was found in the Linux kernel's cifs_lookup() implementation. POSIX open during lookup should only be supported for regular files. When non-regular files (for example, a named (FIFO) pipe or other special files) are opened on lookup, it could cause a denial of service.
- CVE-2012-1097, Moderate
- It was found that the Linux kernel's register set (regset) common infrastructure implementation did not check if the required get and set handlers were initialized. A local, unprivileged user could use this flaw to cause a denial of service by performing a register set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request.
Bug Fixes
- BZ#805458
- Previously, if more than a certain number of qdiscs (Classless Queuing Disciplines) using the autohandle mechanism were allocated a soft lock-up error occurred. This update fixes the maximum loop count and adds the
cond_resched()
call in the loop, thus fixing this bug. - BZ#804961
- Concurrent look-up operations of the same inode that was not in the per-AG (Allocation Group) inode cache caused a race condition, triggering warning messages to be returned in the
unlock_new_inode()
function. Although this bug could only be exposed by NFS or thexfsdump
utility, it could lead to inode corruption, inode list corruption, or other related problems. With this update, theXFS_INEW
flag is set before inserting the inode into the radix tree. Now, any concurrent look-up operation finds the new inode withXFS_INEW
set and the operation is then forced to wait untilXFS_INEW
is removed, thus fixing this bug. - BZ#802430
- Previously, when isolating pages for migration, the migration started at the start of a zone while the
free
scanner started at the end of the zone. Migration avoids entering a new zone by never going beyond what thefree
scanner scanned. In very rare cases, nodes overlapped and the migration isolated pages without the LRU lock held, which triggered errors in reclaim or during page freeing. With this update, theisolate_migratepages()
function makes a check to ensure that it never isolates pages from a zone it does not hold the LRU lock for, thus fixing this bug. - BZ#802379
- An anomaly in the memory map created by the
mbind()
function caused a segmentation fault in Hotspot Java Virtual Machines with the NUMA-aware Parallel Scavenge garbage collector. A backported upstream patch that fixesmbind()
has been provided and the crashes no longer occur in the described scenario. - BZ#786873
- Previously, the
SFQ qdisc
packet scheduler class had nobind_tcf()
method. Consequently, if a filter was added with the classid parameter to SFQ, a kernel panic occurred due to a null pointer dereference. With this update, the dummy.unbind_tcf
and.put
qdisc class options have been added to conform with the behaviour of other schedulers, thus fixing this bug. - BZ#787764
- The kernel code checks for conflicts when an application requests a specific port. If there is no conflict, the request is granted. However, the port auto-selection done by the kernel failed when all ports were bound, even if there was an available port with no conflicts. With this update, the port auto-selection code has been fixed to properly use ports with no conflicts.
- BZ#789060
- Due to a race condition between the
notify_on_release()
function and task movement betweencpuset
or memory cgroup directories, a system deadlock could occur. With this update, thecgroup_wq
cgroup has been created and bothasync_rebuild_domains()
andcheck_for_release()
functions used for task movements use it, thus fixing this bug. - BZ#789061
- Previously, the
utime
andstime
values in the/proc/<pid>/stat
file of a multi-threaded process could wrongly decrease when one of its threads exited. A backported patch has been provided to maintain monotonicity ofutime
andstime
in the described scenario, thus fixing this bug. - BZ#801723
- The
vmxnet3
driver in Red Hat Enterprise Linux 6.2 introduced a regression. Due to an optimization, in which at least 54 bytes of a frame were copied to a contiguous buffer, shorter frames were dropped as the frame did not have 54 bytes available to copy. With this update, transfer size for a buffer is limited to 54 bytes or the frame size, whichever is smaller, and short frames are no longer dropped in the described scenario. - BZ#789373
- In the Common Internet File System (CIFS), the
oplock
break jobs andasync
callback handlers both use theSLOW-WORK
workqueue, which has a finite pool of threads. Previously, theseoplock
break jobs could end up taking all the running queues waiting for a page lock which blocks the callback required to free this page lock from being completed. This update separates theoplock
break jobs into a separate workqueueVERY-SLOW-WORK
, allowing the callbacks to be completed successfully and preventing the deadlock. - BZ#789911
- Previously, the
doorbell
register was being unconditionally swapped. If the Blue Frame option was enabled, the register was incorrectly written to the descriptor in the little endian format. Consequently, certain adapters could not communicate over a configured IP address. With this update, thedoorbell
register is not swapped unconditionally, rather, it is always converted to big endian before it is written to the descriptor, thus fixing this bug. - BZ#790007
- Previously, due to a bug in a graphics driver in systems running a future Intel processor with graphics acceleration, attempts to suspend the system to the S3/S4 state failed. This update resolves this issue and transitions to the suspend mode now work correctly in the described scenario.
- BZ#790338
- Prior to this update, the wrong size was being calculated for the
vfinfo
structure. Consequently, networking drivers that created a large number of virtual functions caused warning messages to appear when loading and unloading modules. Backported patches from upstream have been provided to resolve this issue, thus fixing this bug. - BZ#790341
- Previously, when a MegaRAID 9265/9285 or 9360/9380 controller got a timeout in the
megaraid_sas
driver, the invalidSCp.ptr
pointer could be called from themegasas_reset_timer()
function. As a consequence, a kernel panic could occur. An upstream patch has been provided to address this issue and the pointer is now always set correctly. - BZ#790905
- Previously, when pages were being migrated via NFS with an active requests on them, if a particular inode ended up deleted, then the VFS called the
truncate_inode_pages()
function. That function tried to take the page lock, but it was already locked whenmigrate_page()
was called. As a consequence, a deadlock occurred in the code. This bug has been fixed and the migration request is now refused if thePagePrivate
parameter is already set, indicating that the page is already associated with an active read or write request. - BZ#795326
- Due to invalid calculations of the
vruntime
variable along with task movement between cgroups, moving tasks between cgroups could cause very long scheduling delays. This update fixes this problem by setting thecfs_rq
andcurr
parameters after holding therq->lock
lock. - BZ#795335
- Due to a race condition, running the
ifenslave -d bond0 eth0
command to remove the slave interface from the bonding device could cause the system to terminate if a networking packet was being received at the same time. With this update, the race condition has been fixed and the system no longer crashes in the described scenario. - BZ#795338
- Previously, an unnecessary assertion could trigger depending on the value of the
xpt_pool
field. As a consequence, a node could terminate unexpectedly. Thexpt_pool
field was in fact unnecessary and this update removes it from thesunrpc
code, thus preventing this bug. - BZ#797241
- Due to a race condition, the
mac80211
framework could deauthenticate with an access point (AP) while still scheduling authentication retries with the same AP. If such an authentication attempt timed out, a warning message was returned to kernel log files. With this update, when deauthenticating, pending authentication retry attempts are checked and cancelled if found, thus fixing this bug. - BZ#801718
- Prior to this update, the
find_busiest_group()
function usedsched_group->cpu_power
in the denominator of a fraction with a value of0
. Consequently, a kernel panic occurred. This update prevents the divide by zero in the kernel and the panic no longer occurs. - BZ#798572
- When the
nohz=off
kernel parameter was set, kernel could not enter any CPU C-state. With this update, the underlying code has been fixed and transitions to CPU idle states now work as expected. - BZ#797182
- Under heavy memory and file system load, the
mapping->nrpages == 0
assertion could occur in theend_writeback()
function. As a consequence, a kernel panic could occur. This update provides a reliable check formapping->nrpages
that prevent the described assertion, thus fixing this bug. - BZ#797205
- Due to a bug in the
hid_reset()
function, a deadlock could occur when a Dell iDRAC controller was reset. Consequently, its USB keyboard or mouse device became unresponsive. A patch that fixes the underlying code has been provided to address this bug and the hangs no longer occur in the described scenario. - BZ#796828
- On a system that created and deleted lots of dynamic devices, the 31-bit Linux
ifindex
object failed to fit in the 16-bitmacvtap
minor range, resulting in unusablemacvtap
devices. The problem primarily occurred in alibvirt
-controlled environment when many virtual machines were started or restarted, and causedlibvirt
to report the following message:Error starting domain: cannot open macvtap tap device /dev/tap222364: No such device or address
With this update, themacvtap
's minor device number allocation has been modified so that virtual machines can now be started and restarted as expected in the described scenario. - BZ#799943
- The
dm_mirror
module can send discard requests. However, thedm_io
interface did not support discard requests and running an LVM mirror over a discard-enabled device led to a kernel panic. This update adds support for the discard requests to thedm_io
interface and kernel panics no longer occur in the described scenario. - BZ#749248
- When a process isolation mechanism such as LXC (Linux Containers) was used and the user space was running without the
CAP_SYS_ADMIN
identifier set, a jailed root user could bypass thedmesg_restrict
protection, creating an inconsistency. Now, writing todmesg_restrict
is only allowed when the root hasCAP_SYS_ADMIN
set, thus preventing this bug.
Enhancements
- BZ#789371
- With this update, the
igb
driver has been updated to the latest upstream version3.2.10-k
to provide up-to-date hardware support, features and bug fixes. - BZ#800552
- This update provides support for the
O_DIRECT
flag for files in FUSE (Filesystem in Userspace). This flag minimizes cache effects of the I/O to and from a file. In general, using this flag degrades performance, but it is useful in special situations, such as when applications do their own caching. - BZ#770651
- This update adds support for mount options to restrict access to
/proc/<PID>/
directories. One of the options is calledhidepid=
and its value defines how much information about processes is provided to non-owners. Thegid=
option defines a group that gathers information about all processes. Untrusted users, which are not supposed to monitor tasks in the whole system, should not be added to the group.
Security Fixes
- CVE-2011-4086, Moderate
- A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service.
- CVE-2012-1601, Moderate
- A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM host could use this flaw to crash the host.
Bug Fixes
- BZ#810454
- Previously, the
eth_type_trans()
function was called with theVLAN
device type set. If a VLAN device contained a MAC address different from the original device, an incorrect packet type was assigned to the host. Consequently, if the VLAN devices were set up on a bonding interface in Adaptive Load Balancing (ALB) mode, the TCP connection could not be established. With this update, theeth_type_trans()
function is called with the original device, ensuring that the connection is established as expected. - BZ#801329
- When short audio periods were configured, the ALSA PCM midlevel code, shared by all sound cards, could cause audio glitches and other problems. This update adds a time check for double acknowledged interrupts and improves stability of the
snd-aloop
kernel module, thus fixing this bug. - BZ#802852
- Previously, the
idmapper
utility pre-allocated space for all user and group names on an NFS client in advance. Consequently, page allocation failure could occur, preventing a proper mount of a directory. With this update, the allocation of the names is done dynamically when needed, the size of the allocation table is now greatly reduced, and the allocation failures no longer occur. - BZ#803881
- In a Boot-from-San (BFS) installation via certain iSCSI adapters, driver exported
sendtarget
entries in thesysfs
file system but theiscsistart
failed to perform discovery. Consequently, a kernel panic occurred during the first boot sequence. With this update, the driver performs the discovery instead, thus preventing this bug. - BZ#810322
- The SCSI layer was not using a large enough buffer to properly read the entire
BLOCK LIMITS VPD
page that is advertised by a storage array. Consequently, theWRITE SAME MAX LEN
parameter was read incorrectly and this could result in the block layer issuing discard requests that were too large for the storage array to handle. This update increases the size of the buffer that theBLOCK LIMITS VPD
page is read into and the discard requests are now issued with proper size, thus fixing this bug. - BZ#805457
- A bug in the
try_to_wake_up()
function could cause status change fromTASK_DEAD
toTASK_RUNNING
in a race condition with an SMI (system management interrupt) or a guest environment of a virtual machine. As a consequence, the exited task was scheduled again and a kernel panic occurred. This update fixes the race condition in thedo_exit()
function and the panic no longer occurs in the described scenario. - BZ#806205
- When expired user credentials were used in the
RENEW()
calls, the calls failed. Consequently, all access to the NFS share on the client became unresponsive. With this update, the machine credentials are used with these calls instead, thus preventing this bug most of the time. If no machine credentials are available, user credentials are used as before. - BZ#806859
- When the python-perf subpackage was installed, the debug information for the bindings were added to the debuginfo-common subpackage, making it unable to install the debuginfo-common package of a different version. With this update, a separate subpackage is used to store debug information for python-perf, thus fixing this bug.
- BZ#809388
- Due to the
netdevice
handler for FCoE (Fibre Channel over Ethernet) and the exit path blocking thekeventd
work queue, thedestroy
operation on an NPIV (N_Port ID Virtualization) FCoE port led to a deadlock interdependency and caused the system to become unresponsive. With this update, thedestroy_work
item has been moved to its own work queue and is now executed in the context of the user space process requesting the destroy, thus preventing this bug. - BZ#809372
- The
fcoe_transport_destroy
path uses a work queue to destroy the specified FCoE interface. Previously, thedestroy_work
work queue item blocked another single-threaded work queue. Consequently, a deadlock between queues occurred and the system became unresponsive. With this update,fcoe_transport_destroy
has been modified and is now a synchronous operation, allowing to break the deadlock dependency. As a result, destroy operations are now able to complete properly, thus fixing this bug. - BZ#809378
- During tests with active I/O on 256 LUNs (logical unit numbers) over FCoE, a large number SCSI mid layer error messages were returned. As a consequence, the system became unresponsive. This bug has been fixed by limiting the source of the error messages and the hangs no longer occur in the described scenario.
- BZ#807158
- When running
AF_IUCV
socket programs with IUCV transport, an IUCVSEVER
call was missing in the callback of a receiving IUCVSEVER
interrupt. Under certain circumstances, this could prevent z/VM from removing the corresponding IUCV-path completely. This update adds the IUCVSEVER
call to the callback, thus fixing this bug. In addition, internal socket states have been merged, thus simplifying theAF_IUCV
code. - BZ#809374
- Previously, the AMD IOMMU (input/output memory management unit) driver could use the MSI address range for DMA (direct memory access) addresses. As a consequence, DMA could fail and spurious interrupts would occur if this address range was used. With this update, the MSI address range is reserved to prevent the driver from allocating wrong addresses and DMA is now assured to work as expected in the described scenario.
- BZ#811299
- Due to incorrect use of the
list_for_each_entry_safe()
macro, the enumeration of remote procedure calls (RPCs) priority wait queue tasks stored in thetk_wait.links
list failed. As a consequence, therpc_wake_up()
andrpc_wake_up_status()
functions failed to wake up all tasks. This caused the system to become unresponsive and could significantly decrease system performance. Now, thelist_for_each_entry_safe()
macro is no longer used inrpc_wake_up()
, ensuring reasonable system performance. - BZ#809376
- The AMD IOMMU driver used wrong shift direction in the
alloc_new_range()
function. Consequently, the system could terminate unexpectedly or become unresponsive. This update fixes the code and crashes and hangs no longer occur in the described scenario. - BZ#809104
- Previously, a bonding device had always the UFO (UDP Fragmentation Offload) feature enabled even when no slave interfaces supported UFO. Consequently, the
tracepath
command could not return correct path MTU. With this update, UFO is no longer configured for bonding interfaces by default if the underlying hardware does not support it, thus fixing this bug. - BZ#807426
- Previously, when the PCI driver switched from MSI/MSI-X (Message Signaled Interrupts) to the INTx emulation while shutting down a device, an unwanted interrupt was generated. Consequently, interrupt handler of IPMI was called repeatedly, causing the system to become unresponsive. This update adds a parameter to avoid using MSI/MSI-X for PCIe native hot plug operations and the hangs no longer occur in the described scenario.
- BZ#811135
- On NFS, when repeatedly reading a directory, content of which kept changing, the client issued the same
readdir
request twice. Consequently, the following warning messages were returned to thedmesg
output:NFS: directory A/B/C contains a readdir loop.
This update fixes the bug by turning off the loop detection and letting the NFS client try to recover in the described scenario and the messages are no longer returned. - BZ#806906
- The Intelligent Platform Management Interface (IPMI) specification requires a minimum communication timeout of five seconds. Previously, the kernel incorrectly used a timeout of one second. This could result in failures to communicate with Baseboard Management Controllers (BMC) under certain circumstances. With this update, the timeout has been increased to five seconds to prevent such problems.
- BZ#804548
- Prior to this update, bugs in the
close()
andsend()
functions caused delays and operation of these two functions took too long to complete. This update adds theIUCV_CLOSED
state change and improves locking forclose()
. Also, thenet_device
handling has been improved insend()
. As a result, the delays no longer occur. - BZ#804547
- When
AF_IUCV
sockets were using the HiperSockets transport, maximum message size for such transports depended on the MTU (maximum transmission unit) size of the HiperSockets device bound to aAF_IUCV
socket. However, a socket program could not determine maximum size of a message. This update adds theMSGSIZE
option for thegetsockopt()
function. Through this option, the maximum message size can be read and properly handled byAF_IUCV
. - BZ#809391
- Previously, on a system where intermediate P-states were disabled, the
powernow-k8
driver could cause a kernel panic in thecpufreq
subsystem. Additionally, not all available P-states were recognized by the driver. This update modifies the drive code so that it now properly recognizes all P-states and does not cause the panics in the described scenario.
4.119.12. RHBA-2012:0124 — kernel bug fix update
Bug Fix
- BZ#781974
- An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the aforementioned calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
Security Fixes
- CVE-2012-0044, Important
- A local, unprivileged user could use an integer overflow flaw in
drm_mode_dirtyfb_ioctl()
to cause a denial of service or escalate their privileges. - CVE-2012-2119, Important
- A buffer overflow flaw was found in the
macvtap
device driver, used for creating a bridged network between the guest and the host in KVM (Kernel-based Virtual Machine) environments. A privileged guest user in a KVM guest could use this flaw to crash the host.Note
Note that this issue only affected hosts that have thevhost_net
module loaded with theexperimental_zcopytx
module option enabled (it is not enabled by default), and that also havemacvtap
configured for at least one guest. - CVE-2012-2123, Important
- When a set user ID (setuid) application is executed, certain personality flags for controlling the application's behavior are cleared (that is, a privileged application will not be affected by those flags). It was found that those flags were not cleared if the application was made privileged via file system capabilities. A local, unprivileged user could use this flaw to change the behavior of such applications, allowing them to bypass intended restrictions. Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise Linux is made privileged via file system capabilities.
- CVE-2012-2136, Important
- It was found that the
data_len
parameter of thesock_alloc_send_pskb()
function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host. - CVE-2012-2137, Important
- A buffer overflow flaw was found in the
setup_routing_entry()
function in the KVM subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing entry was handled. A local, unprivileged user could use this flaw to cause a denial of service or, possibly, escalate their privileges. - CVE-2012-1179, Moderate
- A race condition was found in the Linux kernel's memory management subsystem in the way
pmd_none_or_clear_bad()
, when called withmmap_sem
in read mode, and Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest with the ballooning functionality enabled could potentially use this flaw to crash the host. A local, unprivileged user could use this flaw to crash the system. - CVE-2012-2121, Moderate
- A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user on a KVM host who has the ability to assign a device to a guest could use this flaw to crash the host.
- CVE-2012-2372, Moderate
- A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service.
- CVE-2012-2373, Moderate
- A race condition was found in the Linux kernel's memory management subsystem in the way
pmd_populate()
andpte_offset_map_lock()
interacted on 32-bit x86 systems with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial of service.
Bug Fixes
- BZ#823903
- Previously, if creation of an MFN (Machine Frame Number) was lazily deferred, the MFN could appear invalid when is was not. If at this point
read_pmd_atomic()
was called, which then called the paravirtualized__pmd()
function, and returned zero, the kernel could terminate unexpectedly. With this update, the__pmd()
call is avoided in the described scenario and the open-coded compound literal is returned instead, thus fixing this bug. - BZ#812953
- The
kdump
utility does not support Xen para-virtualized (PV) drivers on Hardware Virtualized Machine (HVM) guests in Red Hat Enterprise Linux 6. Therefore,kdump
failed to start if the guest had loaded PV drivers. This update modifies underlying code to allowkdump
to start without PV drivers on HVM guests configured with PV drivers. - BZ#816226
- Various problems were discovered in the
iwlwifi
driver happening in the 5 GHz band. Consequently, roaming between access points (AP) on 2.4 GHz and 5 GHz did not work properly. This update adds a new option to the driver that disables the 5 GHz band support. - BZ#816225
- The
ctx->vif
identifier is dereferenced in different parts of theiwlwifi
code. When it was set tonull
before requesting hardware reset, the kernel could terminate unexpectedly. An upstream patch has been provided to address this issue and the crashes no longer occur in the described scenario. - BZ#824429
- Previously, with a transparent proxy configured and under high load, the kernel could start to drop packets, return error messages such as
ip_rt_bug: addr1 -> addr2, ?
, and, under rare circumstances, terminate unexpectedly. This update provides patches addressing these issues and the described problems no longer occur. - BZ#819614
- Prior to this update, Active State Power Management (ASPM) was not properly disabled, and this interfered with the correct operation of the
hpsa
driver. Certain HP BIOS versions do not report a proper disable bit, and when the kernel fails to read this bit, the kernel defaults to enabling ASPM. Consequently, certain servers equipped with a HP Smart Array controller were unable to boot unless thepcie_aspm=off
option was specified on the kernel command line. A backported patch has been provided to address this problem, ASPM is now properly disabled, and the system now boots up properly in the described scenario. - BZ#799946
- When an adapter was taken down over the RoCE (RDMA over Converged Ethernet) protocol while a workload was running, kernel terminated unexpectedly. A patch has been provided to address this issue and the crash no longer occurs in the described scenario.
- BZ#818504
- Previously, network drivers that had Large Receive Offload (LRO) enabled by default caused the system to run slow, lose frame, and eventually prevent communication, when using software bridging. With this update, LRO is automatically disabled by the kernel on systems with a bridged configuration, thus preventing this bug.
- BZ#818503
- Due to a running cursor blink timer, when attempting to hibernate certain types of laptops, the
i915
kernel driver could corrupt memory. Consequently, the kernel could crash unexpectedly. An upstream patch has been provided to make thei915
kernel driver use the correct console suspend API and the hibernate function now works as expected. - BZ#817466
- The slave member of
struct aggregator
does not necessarily point to a slave which is part of the aggregator. It points to the slave structure containing the aggregator structure, while completely different slaves (or no slaves at all) may be part of the aggregator. Due to a regression, theagg_device_up()
function wrongly usedagg->slave
to find the state of the aggregator. Consequently, wrong active aggregator was reported to the/proc/net/bonding/bond0
file. With this update,agg->lag_ports->slave
is used in the described scenario instead, thus fixing this bug. - BZ#816271
- As part of mapping the application's memory, a buffer to hold page pointers is allocated and the count of mapped pages is stored in the
do_dio
field. A non-zerodo_dio
marks that direct I/O is in use. However,do_dio
is only one byte in size. Previously, mapping 256 pages overfloweddo_dio
and caused it to be set to0
. As a consequence, when large enough number of read or write requests were sent using thest
driver's direct I/O path, a memory leak could occur in the driver. This update increases the size ofdo_dio
, thus preventing this bug. - BZ#810125
- Previously, requests for large data blocks with the
ZSECSENDCPRB
ioctl()
system call failed due to an invalid parameter. A misleading error code was returned, concealing the real problem. With this update, the parameter for theZSECSENDCPRB
request code constant is validated with the correct maximum value. Now, if the parameter length is not valid, theEINVAL
error code is returned, thus fixing this bug. - BZ#814657
- While doing wireless roaming, under stressed conditions, an error could occur in the
ieee80211_mgd_probe_ap_send()
function and cause a kernel panic. With this update, the mac80211 MLME (MAC Layer Management Entity) code has been rewritten, thus fixing this bug. - BZ#816197
- Previously, secondary, tertiary, and other IP addresses added to bond interfaces could overwrite the
bond->master_ip
andvlan_ip
values. Consequently, a wrong IP address could be occasionally used, the MII (Media Independent Interface) status of the backup slave interface went down, and the bonding master interfaces were switching. This update removes themaster_ip
andvlan_ip
elements from the bonding andvlan_entry
structures, respectively. Instead, devices are directly queried for the optimal source IP address for ARP requests, thus fixing this bug. - BZ#818505
- Red Hat Enterprise Linux 6.1 introduced naming scheme adjustments for emulated SCSI disks used with paravirtual drivers to prevent namespace clashes between emulated IDE and emulated SCSI disks. Both emulated disk types use the paravirt block device
xvd
. Consider the example below:Table 4.1. The naming scheme example
Red Hat Enterprise Linux 6.0 Red Hat Enterprise Linux 6.1 or later emulated IDE
hda -> xvda unchanged emulated SCSI
sda -> xvda sda -> xvde, sdb -> xvdf, ... This update introduces a new module parameter,xen_blkfront.sda_is_xvda
, that provides a seamless upgrade path from 6.0 to 6.3 kernel release. The default value ofxen_blkfront.sda_is_xvda
is0
and it keeps the naming scheme consistent with 6.1 and later releases. Whenxen_blkfront.sda_is_xvda
is set to1
, the naming scheme reverts to the 6.0-compatible mode.Note
Note that when upgrading from 6.0 to 6.3 release, if a virtual machine specifies emulated SCSI devices and utilizes paravirtual drivers and uses explicit disk names such asxvd[a-d]
, it is advised to add thexen_blkfront.sda_is_xvda=1
parameter to the kernel command line before performing the upgrade. - BZ#809399
- Due to an off-by-one bug in
max_blocks
checks, on the 64-bit PowerPC architecture, thetmpfs
file system did not respect thesize=
parameter and consequently reported incorrect number of available blocks. A backported upstream patch has been provided to address this issue andtmpfs
now respects thesize=
parameter as expected.
4.119.14. RHBA-2013:1169 — kernel bug fix update
Bug Fixes
- BZ#977666
- A race condition between the read_swap_cache_async() and get_swap_page() functions in the Memory management (mm) code could lead to a deadlock situation. The deadlock could occur only on systems that deployed swap partitions on devices supporting block DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE entry that did not have a page in the swap cache yet, a DISCARD operation was performed in the scan_swap_map() function. Consequently, completion of an I/O operation was scheduled on the same CPU's working queue the read_swap_cache_async() was running on. This caused the thread in read_swap_cache_async() to loop indefinitely around its "-EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to run on the affected CPU, and thus avoiding the deadlock.
- BZ#982113
- The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error along with the loss of the link connection. This could happen in environments using an older boot code because the MDIO clock was set in the beginning of each boot code sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per EMAC register instead of per port number, which prevents ports from using different EMAC addresses for different PHY accesses. Also, boot code or Management Firmware (MFW) upgrade is required to prevent the boot code (firmware) from taking over link ownership if the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.
- BZ#982467
- If the audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load on the audit queue. Previously, if the current audit process had any pending signals in such a situation, it entered a busy-wait loop for the duration of an audit backlog timeout because the wait_for_auditd() function was called as an interruptible task. This could lead to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by setting wait_for_auditd() as uninterruptible.
- BZ#988225
- The kernel could rarely terminate instead of creating a dump file when a multi-threaded process using FPU aborted. This happened because the kernel did not wait until all threads became inactive and attempted to dump the FPU state of active threads into memory which triggered a BUG_ON() routine. A patch addressing this problem has been applied and the kernel now waits for the threads to become inactive before dumping their FPU state into memory.
- BZ#990080
- Due to hardware limits, the be2net adapter cannot handle packets with size greater than 64 KB including the Ethernet header. Therefore, if the be2net adapter received xmit requests exceeding this size, it was unable to process the requests, produced error messages and could become unresponsive. To prevent these problems, GSO (Generic Segmentation Offload) maximum size has been reduced to account for the Ethernet header.
- BZ#990085
- BE family hardware could falsely indicate an unrecoverable error (UE) on certain platforms and stop further access to be2net-based network interface cards (NICs). A patch has been applied to disable the code that stops further access to hardware for BE family network interface cards (NICs). For a real UE, it is not necessary as the corresponding hardware block is not accessible in this situation.
Security Fix
- CVE-2013-2094, Important
- This update fixes the following security issue:* It was found that the Red Hat Enterprise Linux 6.1 kernel update (RHSA-2011:0542) introduced an integer conversion issue in the Linux kernel's Performance Events implementation. This led to a user-supplied index into the perf_swevent_enabled array not being validated properly, resulting in out-of-bounds kernel memory access. A local, unprivileged user could use this flaw to escalate their privileges.
4.119.16. RHBA-2013:1397 — kernel bug fix update
Bug Fixes
- BZ#1004659
- Previously, the be2net driver failed to detect the last port of BE3 (BladeEngine 3) when UMC (Universal Multi-Channel) was enabled. Consequently, two of the ports could not be used by users and error messages were returned. A patch has been provided to fix this bug and be2net driver now detects all ports without returning any error messages.
- BZ#1005060
- When a copy-on-write fault happened on a Transparent Huge Page (THP), the 2 MB THP caused the cgroup to exceed the "memory.limit_in_bytes" value but the individual 4 KB page was not exceeded. Consequently, the Out of Memory (OOM) killer killed processes outside of a memory cgroup when one or more processes inside that memory cgroup exceeded the "memory.limit_in_bytes" value. With this update, the 2 MB THP is correctly split into 4 KB pages when the "memory.limit_in_bytes" value is exceeded. The OOM kill is delivered within the memory cgroup; tasks outside the memory cgroups are no longer killed by the OOM killer.
Security Fixes
- CVE-2012-4508, Important
- A race condition was found in the way asynchronous I/O and fallocate() interacted when using the ext4 file system. A local, unprivileged user could use this flaw to expose random data from an extent whose data blocks have not yet been written, and thus contain data from a deleted file.
- CVE-2013-4299, Moderate
- An information leak flaw was found in the way Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.
Bug Fixes
- BZ#1017898
- When the Audit subsystem was under heavy load, it could loop infinitely in the audit_log_start() function instead of failing over to the error recovery code. This would cause soft lockups in the kernel. With this update, the timeout condition in the audit_log_start() function has been modified to properly fail over when necessary.
- BZ#1017902
- When handling Memory Type Range Registers (MTRRs), the stop_one_cpu_nowait() function could potentially be executed in parallel with the stop_machine() function, which resulted in a deadlock. The MTRR handling logic now uses the stop_machine() function and makes use of mutual exclusion to avoid the aforementioned deadlock.
- BZ#1020519
- Power-limit notification interrupts were enabled by default. This could lead to degradation of system performance or even render the system unusable on certain platforms, such as Dell PowerEdge servers. Power-limit notification interrupts have been disabled by default and a new kernel command line parameter "int_pln_enable" has been added to allow users to observe these events using the existing system counters. Power-limit notification messages are also no longer displayed on the console. The affected platforms no longer suffer from degraded system performance due to this problem.
- BZ#1021950
- Package level thermal and power limit events are not defined as MCE errors for the x86 architecture. However, the mcelog utility erroneously reported these events as MCE errors with the following message:kernel: [Hardware Error]: Machine check events loggedPackage level thermal and power limit events are no longer reported as MCE errors by mcelog. When these events are triggered, they are now reported only in the respective counters in sysfs (specifically, /sys/devices/system/cpu/cpu≶number>/thermal_throttle/).
- BZ#1024453
- An insufficiently designed calculation in the CPU accelerator could cause an arithmetic overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to using kexec to boot into a new kernel. This overflow led to a kernel panic on systems using the Time Stamp Counter (TSC) clock source, primarily systems using Intel Xeon E5 processors that do not reset TSC on soft power cycles. A patch has been applied to modify the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
Security Fixes
- CVE-2013-0311, Important
- This update fixes the following security issues:* A flaw was found in the way the vhost kernel module handled descriptors that spanned multiple regions. A privileged guest user in a KVM (Kernel-based Virtual Machine) guest could use this flaw to crash the host or, potentially, escalate their privileges on the host.
- CVE-2012-4461, Moderate
- A flaw was found in the way the KVM subsystem handled guests attempting to run with the X86_CR4_OSXSAVE CPU feature flag set. On hosts without the XSAVE CPU feature, a local, unprivileged user could use this flaw to crash the host system. (The "grep --color xsave /proc/cpuinfo" command can be used to verify if your system has the XSAVE CPU feature.)
- CVE-2012-4542, Moderate
- It was found that the default SCSI command filter does not accommodate commands that overlap across device classes. A privileged guest user could potentially use this flaw to write arbitrary data to a LUN that is passed-through as read-only.
- CVE-2013-1767, Low
- A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Bug Fixes
- BZ#960409
- Previously, when open(2) system calls were processed, the GETATTR routine did not check to see if valid attributes were also returned. As a result, the open() call succeeded with invalid attributes instead of failing in such a case. This update adds the missing check, and the open() call succeeds only when valid attributes are returned.
- BZ#960418
- Previously, the fsync(2) system call incorrectly returned the EIO (Input/Output) error instead of the ENOSPC (No space left on device) error. This was due to incorrect error handling in the page cache. This problem has been fixed and the correct error value is now returned.
- BZ#960423
- In the RPC code, when a network socket backed up due to high network traffic, a timer was set causing a retransmission, which in turn could cause an even larger amount of network traffic to be generated. To prevent this problem, the RPC code now waits for the socket to empty instead of setting the timer.
- BZ#955502
- This update fixes a number of bugs in the be2iscsi driver for ServerEngines BladeEngine 2 Open iSCSI devices.
4.119.19. RHBA-2013:0584 — kernel bug fix update
Bug Fixes
- BZ#891862
- Previously, NFS mounts failed against Microsoft Windows 8 servers, because the Windows server contained support for the minor version 1 (v4.1) of the NFS version 4 protocol only, along with support for versions 2 and 3. The lack of the minor version 0 (v4.0) support caused Red Hat Enterprise Linux 6 clients to fail instead of rolling back to version 3 as expected. This update fixes this bug and mounting an NFS export works as expected.
- BZ#905433
- If Time Stamp Counter (TSC) kHz calibration failed, usually on a Red Hat Enterprise Linux 6 virtual machine running inside of QEMU, the init_tsc_clocksource() function divided by zero. This was due to a missing check to verify if the tsc_khz variable is of a non-zero value. Consequently, booting the kernel on such a machine led to a kernel panic. This update adds the missing check to prevent this problem and TSC calibration functions normally.
4.120. kexec-tools
Security Fixes
- CVE-2011-3588
- Kdump used the Secure Shell (SSH)
StrictHostKeyChecking=no
option when dumping to SSH targets, causing the target kdump server's SSH host key not to be checked. This could make it easier for a man-in-the-middle attacker on the local network to impersonate the kdump SSH target server and possibly gain access to sensitive information in the vmcore dumps. - CVE-2011-3589
- mkdumprd created initial RAM disk
(initrd)
files with world-readable permissions. A local user could possibly use this flaw to gain access to sensitive information, such as the private SSH key used to authenticate to a remote server when kdump was configured to dump to an SSH target. - CVE-2011-3590
- mkdumprd included unneeded sensitive files (such as all files from the
/root/.ssh/
directory and the host's private SSH keys) in the resultinginitrd
. This could lead to an information leak wheninitrd
files were previously created with world-readable permissions.Note
With this update, only the SSH client configuration, known hosts files, and the SSH key configured via the newly introduced sshkey option in/etc/kdump.conf
are included in theinitrd
. The default is the key generated when running theservice kdump propagate
command,/root/.ssh/kdump_id_rsa
.
Bug Fixes
- BZ#681796
- Kdump is a kexec based crash dumping mechanism for Linux. Root System Description Pointer (RSDP) is a data structure used in the ACPI programming interface. Kdump uses kexec to boot to a second kernel, the "dump-capture" or "crash kernel", when a dump of the system kernel's memory needs to be taken. On systems using Extensible Firmware Interface (EFI), attempting to boot a second kernel using kdump failed, the
dump-capture
kernel became unresponsive and the following error message was logged.ACPI Error: A valid RSDP was not found
With this update, a new parameter,acpi_rsdp
, has been added to thenoefi
kernel command. Now, if EFI is detected, a command is given to the second kernel, in the format,noefi acpi_rsdp=X
, not to use EFI and simultaneously passes the address of RSDP to the second kernel. The second kernel now boots successfully on EFI machines. - BZ#693025
- To reduce the size of the vmcore dump file, kdump allows you to specify an external application (that is, a core collector) to compress the data. The core collector was not enabled by default when dumping to a secure location via SSH. Consequently, if users had not specified an argument for
core_collector
in kdump.conf, when kdump was configured to dump kernel data to a secure location using SSH, it generated a complete vmcore, without removing free pages. With this update, the default core collector will be makedumpfile when kdump is configured to use SSH. As a result, the vmcore dump file is now compressed by default. - BZ#707805
- Previously, the mkdumprd utility failed to parse the
/etc/mdadm.conf
configuration file. As a consequence, mkdumprd failed to create an initial RAM disk file system (initrd
) for