Red Hat Enterprise Linux 5

5.5 Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 5.5

Edition 5

Logo

Red Hat Inc.

Legal Notice

Copyright © 2010 Red Hat.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract

The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
Preface
1. Package Updates
1.1. acl
1.2. acpid
1.3. aide
1.4. anaconda
1.5. apr-util
1.6. at
1.7. audit
1.8. autofs
1.9. automake
1.10. avahi
1.11. bind
1.12. binutils
1.13. bogl
1.14. bootparamd
1.15. booty
1.16. brltty
1.17. checkpolicy
1.18. chkconfig
1.19. cman
1.20. cmirror
1.21. cmirror-kmod
1.22. conga
1.23. coolkey
1.24. coreutils
1.25. cpio
1.26. cpuspeed
1.27. crash
1.28. ctdb
1.29. cups
1.30. curl
1.31. cyrus-imapd
1.32. cyrus-sasl
1.33. dbus
1.34. dbus-python
1.35. device-mapper
1.36. device-mapper-multipath
1.37. dhcp
1.38. dhcpv6
1.39. dmidecode
1.40. dmraid
1.41. dogtail
1.42. dosfstools
1.43. dstat
1.44. e4fsprogs
1.45. elilo
1.46. elinks
1.47. esc
1.48. etherboot
1.49. ethtool
1.50. evince
1.51. exim
1.52. fetchmail
1.53. filesystem
1.54. firefox
1.55. firstboot
1.56. freeradius
1.57. gail
1.58. gcc
1.59. gd
1.60. gdb
1.61. gfs-kmod
1.62. gfs-utils
1.63. gfs2-utils
1.64. glibc
1.65. gnome-vfs2
1.66. gpart
1.67. gzip
1.68. hal
1.69. hmaccalc
1.70. httpd
1.71. hwdata
1.72. ia32el
1.73. iasl
1.74. inn
1.75. iproute
1.76. iprutils
1.77. iptables
1.78. iptstate
1.79. ipw2200-firmware
1.80. iscsi-initiator-utils
1.81. iwl3945-firmware
1.82. iwl4965-firmware
1.83. iwl5000-firmware
1.84. java-1.6.0-ibm
1.85. java-1.6.0-openjdk
1.86. java-1.6.0-sun
1.87. kdelibs
1.88. kernel
1.89. kexec-tools
1.90. krb5
1.91. ksh
1.92. ktune
1.93. kudzu
1.94. kvm
1.95. less
1.96. libXi
1.97. libXrandr
1.98. libXt
1.99. libaio
1.100. libcmpiutil
1.101. libevent
1.102. libgnomecups
1.103. libgtop2
1.104. libhugetlbfs
1.105. libsepol
1.106. libuser
1.107. libvirt
1.108. libvirt-cim
1.109. libvorbis
1.110. linuxwacom
1.111. lm_sensors
1.112. log4cpp
1.113. logwatch
1.114. lvm2
1.115. lvm2-cluster
1.116. man-pages
1.117. man-pages-ja
1.118. mcelog
1.119. mdadm
1.120. mesa
1.121. metacity
1.122. microcode_ctl
1.123. mkinitrd
1.124. module-init-tools
1.125. mtx
1.126. mysql
1.127. nautilus-open-terminal
1.128. neon
1.129. net-snmp
1.130. net-tools
1.131. NetworkManager
1.132. newt
1.133. nfs-utils
1.134. nspluginwrapper
1.135. nss_ldap
1.136. numactl
1.137. openCryptoki
1.138. openais
1.139. OpenIPMI
1.140. openib
1.141. openldap
1.142. openmotif
1.143. openoffice.org
1.144. openssh
1.145. openssl
1.146. openswan
1.147. oprofile
1.148. pam
1.149. pam_krb5
1.150. paps
1.151. parted
1.152. pax
1.153. pciutils
1.154. pcsc-lite
1.155. perl-Sys-Virt
1.156. perl-XML-SAX
1.157. pexpect
1.158. php
1.159. pidgin
1.160. piranha
1.161. pirut
1.162. policycoreutils
1.163. poppler
1.164. postgresql
1.165. ppc64-utils
1.166. procps
1.167. pykickstart
1.168. python-virtinst
1.169. PyXML
1.170. qspice
1.171. readahead
1.172. redhat-artwork
1.173. redhat-release
1.174. redhat-release-notes
1.175. rgmanager
1.176. rhn-client-tools
1.177. rhnlib
1.178. rhnsd
1.179. rhpxl
1.180. rsyslog
1.181. ruby
1.182. samba
1.183. samba3x
1.184. sblim
1.185. screen
1.186. scsi-target-utils
1.187. selinux-policy
1.188. sendmail
1.189. shadow-utils
1.190. sosreport
1.191. squid
1.192. squirrelmail
1.193. star
1.194. strace
1.195. sudo
1.196. sysklogd
1.197. system-config-cluster
1.198. system-config-lvm
1.199. system-config-securitylevel
1.200. system-config-services
1.201. systemtap
1.202. tar
1.203. taskjuggler
1.204. tcpdump
1.205. tcsh
1.206. tog-pegasus
1.207. util-linux
1.208. valgrind
1.209. vconfig
1.210. vino
1.211. virt-manager
1.212. vixie-cron
1.213. vsftpd
1.214. wdaemon
1.215. wget
1.216. wpa_supplicant
1.217. xen
1.218. xerces-j2
1.219. xmlsec1
1.220. xorg-x11-drivers
1.221. xorg-x11-drv-ast
1.222. xorg-x11-drv-evdev
1.223. xorg-x11-drv-fbdev
1.224. xorg-x11-drv-i810
1.225. xorg-x11-drv-mga
1.226. xorg-x11-drv-nv
1.227. xorg-x11-drv-qxl
1.228. xorg-x11-drv-vesa
1.229. xorg-x11-server
1.230. xorg-x11-xdm
1.231. xterm
1.232. yaboot
1.233. yp-tools
1.234. yum
1.235. yum-rhn-plugin
2. New Packages
2.1. RHEA-2010:0305: freeradius2
2.2. RHEA-2010:0240: gpxe
2.3. RHEA-2010:0199: gsl
2.4. RHEA-2010:0217: iwl1000-firmware
2.5. RHEA-2010:0220: iwl6000-firmware
2.6. RHEA-2010:0276: postgresql84
2.7. RHEA-2010:0268: python-dmidecode
2.8. RHEA-2010:0249: tunctl
2.9. RHEA-2010:0189: xz
3. Technology Previews
4. Capabilities and Limits
5. Known Issues
5.1. anaconda
5.2. cmirror
5.3. compiz
5.4. ctdb
5.5. device-mapper-multipath
5.6. dmraid
5.7. dogtail
5.8. firstboot
5.9. gfs2-utils
5.10. gnome-volume-manager
5.11. initscripts
5.12. iscsi-initiator-utils
5.13. kernel-xen
5.14. kernel
5.15. kexec-tools
5.16. krb5
5.17. kvm
5.18. less
5.19. libcmpiutil
5.20. libvirt
5.21. lvm2
5.22. mesa
5.23. mkinitrd
5.24. openib
5.25. openmpi
5.26. qspice
5.27. systemtap
5.28. virtio-win
5.29. xorg-x11-drv-i810
5.30. xorg-x11-drv-nv
5.31. xorg-x11-drv-vesa
5.32. yaboot
5.33. xen
A. Package Manifest
A.1. Added Packages
A.2. Dropped Packages
A.3. Updated Packages
B. Revision History

Preface

The Red Hat Enterprise Linux 5.5 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.4 and minor release Red Hat Enterprise Linux 5.5.
For system administrators and others planning Red Hat Enterprise Linux 5.5 upgrades and deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 5.5 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 5.5 Technical Notes provide details of what has changed in this new release.
The Technical Notes also include, as an Appendix, the Red Hat Enterprise Linux Package Manifest: a listing of every changed package in this release.

Chapter 1. Package Updates

1.1. acl
1.2. acpid
1.3. aide
1.4. anaconda
1.5. apr-util
1.6. at
1.7. audit
1.8. autofs
1.9. automake
1.10. avahi
1.11. bind
1.12. binutils
1.13. bogl
1.14. bootparamd
1.15. booty
1.16. brltty
1.17. checkpolicy
1.18. chkconfig
1.19. cman
1.20. cmirror
1.21. cmirror-kmod
1.22. conga
1.23. coolkey
1.24. coreutils
1.25. cpio
1.26. cpuspeed
1.27. crash
1.28. ctdb
1.29. cups
1.30. curl
1.31. cyrus-imapd
1.32. cyrus-sasl
1.33. dbus
1.34. dbus-python
1.35. device-mapper
1.36. device-mapper-multipath
1.37. dhcp
1.38. dhcpv6
1.39. dmidecode
1.40. dmraid
1.41. dogtail
1.42. dosfstools
1.43. dstat
1.44. e4fsprogs
1.45. elilo
1.46. elinks
1.47. esc
1.48. etherboot
1.49. ethtool
1.50. evince
1.51. exim
1.52. fetchmail
1.53. filesystem
1.54. firefox
1.55. firstboot
1.56. freeradius
1.57. gail
1.58. gcc
1.59. gd
1.60. gdb
1.61. gfs-kmod
1.62. gfs-utils
1.63. gfs2-utils
1.64. glibc
1.65. gnome-vfs2
1.66. gpart
1.67. gzip
1.68. hal
1.69. hmaccalc
1.70. httpd
1.71. hwdata
1.72. ia32el
1.73. iasl
1.74. inn
1.75. iproute
1.76. iprutils
1.77. iptables
1.78. iptstate
1.79. ipw2200-firmware
1.80. iscsi-initiator-utils
1.81. iwl3945-firmware
1.82. iwl4965-firmware
1.83. iwl5000-firmware
1.84. java-1.6.0-ibm
1.85. java-1.6.0-openjdk
1.86. java-1.6.0-sun
1.87. kdelibs
1.88. kernel
1.89. kexec-tools
1.90. krb5
1.91. ksh
1.92. ktune
1.93. kudzu
1.94. kvm
1.95. less
1.96. libXi
1.97. libXrandr
1.98. libXt
1.99. libaio
1.100. libcmpiutil
1.101. libevent
1.102. libgnomecups
1.103. libgtop2
1.104. libhugetlbfs
1.105. libsepol
1.106. libuser
1.107. libvirt
1.108. libvirt-cim
1.109. libvorbis
1.110. linuxwacom
1.111. lm_sensors
1.112. log4cpp
1.113. logwatch
1.114. lvm2
1.115. lvm2-cluster
1.116. man-pages
1.117. man-pages-ja
1.118. mcelog
1.119. mdadm
1.120. mesa
1.121. metacity
1.122. microcode_ctl
1.123. mkinitrd
1.124. module-init-tools
1.125. mtx
1.126. mysql
1.127. nautilus-open-terminal
1.128. neon
1.129. net-snmp
1.130. net-tools
1.131. NetworkManager
1.132. newt
1.133. nfs-utils
1.134. nspluginwrapper
1.135. nss_ldap
1.136. numactl
1.137. openCryptoki
1.138. openais
1.139. OpenIPMI
1.140. openib
1.141. openldap
1.142. openmotif
1.143. openoffice.org
1.144. openssh
1.145. openssl
1.146. openswan
1.147. oprofile
1.148. pam
1.149. pam_krb5
1.150. paps
1.151. parted
1.152. pax
1.153. pciutils
1.154. pcsc-lite
1.155. perl-Sys-Virt
1.156. perl-XML-SAX
1.157. pexpect
1.158. php
1.159. pidgin
1.160. piranha
1.161. pirut
1.162. policycoreutils
1.163. poppler
1.164. postgresql
1.165. ppc64-utils
1.166. procps
1.167. pykickstart
1.168. python-virtinst
1.169. PyXML
1.170. qspice
1.171. readahead
1.172. redhat-artwork
1.173. redhat-release
1.174. redhat-release-notes
1.175. rgmanager
1.176. rhn-client-tools
1.177. rhnlib
1.178. rhnsd
1.179. rhpxl
1.180. rsyslog
1.181. ruby
1.182. samba
1.183. samba3x
1.184. sblim
1.185. screen
1.186. scsi-target-utils
1.187. selinux-policy
1.188. sendmail
1.189. shadow-utils
1.190. sosreport
1.191. squid
1.192. squirrelmail
1.193. star
1.194. strace
1.195. sudo
1.196. sysklogd
1.197. system-config-cluster
1.198. system-config-lvm
1.199. system-config-securitylevel
1.200. system-config-services
1.201. systemtap
1.202. tar
1.203. taskjuggler
1.204. tcpdump
1.205. tcsh
1.206. tog-pegasus
1.207. util-linux
1.208. valgrind
1.209. vconfig
1.210. vino
1.211. virt-manager
1.212. vixie-cron
1.213. vsftpd
1.214. wdaemon
1.215. wget
1.216. wpa_supplicant
1.217. xen
1.218. xerces-j2
1.219. xmlsec1
1.220. xorg-x11-drivers
1.221. xorg-x11-drv-ast
1.222. xorg-x11-drv-evdev
1.223. xorg-x11-drv-fbdev
1.224. xorg-x11-drv-i810
1.225. xorg-x11-drv-mga
1.226. xorg-x11-drv-nv
1.227. xorg-x11-drv-qxl
1.228. xorg-x11-drv-vesa
1.229. xorg-x11-server
1.230. xorg-x11-xdm
1.231. xterm
1.232. yaboot
1.233. yp-tools
1.234. yum
1.235. yum-rhn-plugin

1.1. acl

1.1.1. RHBA-2009:1652: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1652
Updated acl packages that fix a bug are now available.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access control lists.
This update fixes the following bug:
* the "setfacl" command, which sets the access control lists for files, always returned an exit status of 0, even when the command failed and printed out error messages. With this update, setfacl exits with the correct exit status upon failure. (BZ#368451)
* running "setfacl -- --test" caused setfacl to segmentation fault. This has been fixed in this update. (BZ#430458)
* running the "setfacl" command with the '-P' flag, which is the short form of the '--physical' option, which is supposed to cause "setfacl" to skip over any symbolic links it encounters, did not work as expected: symbolic links were still followed. This update fixes this so that the '-P' flag works as expected and symbolic links are silently skipped over. (BZ#436070)
* the "setfacl" command failed to resolve relative symbolic links when it encountered them unless they were specified with a trailing forward-slash character (in the case of relative symbolic links to directories), or the script or shell prompt's working directory was the directory which contained the relative symbolic link(s). With this update, relative symbolic links are handled correctly by setfacl regardless of where they are encountered or what their target is. (BZ#500095)
* the "getfacl" and "setfacl" commands did not properly handle non-ASCII characters with the result that calling either command on a system with the correct locale settings still produced incorrect output, such as octal character representations. With this update, getfacl and setfacl are now able to produce correct output when using non-ASCII character sets. (BZ#507747)
All users of Access Control Lists should upgrade to these updated packages, which resolve this issue.

1.2. acpid

1.2.1. RHBA-2010:0004: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0004
An updated acpid package that fixes a bug is now available.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.
This updated acpid package fixes the following bug:
* the acpid package that was included with the Red Hat Enterprise Linux 5.4 update contained a package update script that returned a non-zero exit code when the the /var/log/acpid log file did not exist. However, if the acpid daemon had never been started on the system, and therefore /var/log/acpid did not exist, the faulty check caused the update process to fail, which could have resulted in two different acpid packages being installed on the same system and registered with the RPM database (rpmdb). This updated acpid package removes the spurious record from the rpmdb, thus resolving the problem. (BZ#548374)
All users of acpid are advised to upgrade to this updated package, which resolves this issue.

1.2.2. RHSA-2009:1642: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1642
An updated acpid package that fixes one security issue is now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
acpid is a daemon that dispatches ACPI (Advanced Configuration and Power Interface) events to user-space programs.
It was discovered that acpid could create its log file ("/var/log/acpid") with random permissions on some systems. A local attacker could use this flaw to escalate their privileges if the log file was created as world-writable and with the setuid or setgid bit set. (CVE-2009-4033)
Please note that this flaw was due to a Red Hat-specific patch (acpid-1.0.4-fd.patch) included in the Red Hat Enterprise Linux 5 acpid package.
Users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

1.3. aide

1.3.1. RHBA-2010:0036: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0036
An updated aide package that allows proper operation with the recently updated version of libgcrypt and makes minor man page changes is now available.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a system, and then uses that database to ensure file integrity and detect system intrusions.
This updated aide package includes the following fixes:
* the current version of libcgrypt includes a version-checking initialization step that aide was not doing. Running "aide -i" logged the following message to /var/log/messages:
aide: Libgcrypt warning: missing initialization - please fix the application
With this update, aide now includes the version-checking step required by libgcrypt and the libgcrypt warning is, consequently, no longer written to /var/log/messages. Note: although based on a proposed upstream patch, this update leaves secure memory enabled, unlike the proposed upstream change. (BZ#530485)
* the FILES section of the aide man page previously listed the locations for aide.conf, aide.db.gz and aide.db.new.gz with a pre-pended "%prefix" variable. The updated aide man page removes this variable, listing the file locations as complete but plain paths (eg "/etc/aide.conf"). (No BZ#)
All aide users are advised to upgrade to this updated package, which includes this bug fix and man page change.

1.4. anaconda

1.4.1. RHBA-2010:0194: bug fix and enhancement update

Anaconda is the system installer.
This updated anaconda package provides fixes for the following bugs:
  • previously, when anaconda could not read the extended display identification data (EDID) of a monitor, it reverted to text mode. However, EDID information is frequently not available on systems connected to Keyboard–Video–Mouse (KVM) switches. Therefore, when installing Red Hat Enterprise Linux 5 on a system with a KVM switch, installation would be constrained to text mode. Anaconda no longer checks for bad or missing EDID, and allows graphical installation to proceed even when this information is unavailable. Graphical installation on machines attached to KVM switches therefore continues as if them monitor were connected directly to the graphics adapter. (BZ#445486)
  • previously, anaconda expected storage devices to be available immediately when it probed for the location of a kickstart file. On systems where USB storage might not be available immedately (for example, IBM BladeCenter systems), anaconda would not find the kickstart file and would prompt the user for its location. This interaction negated the usefulness of kickstart, since the installation could not then complete unattended. Anaconda now waits until it has probed five times or for more than 31 seconds before prompting the user for the location of a kickstart file. This allows USB storage enough time to respond and for kickstart to proceed unattended. (BZ#460566)
  • previously, some user interface elements in the the Malayalam translation of anaconda overlapped. The overlapping elements disabled some buttons in the screen where anaconda lets users to choose a partitioning scheme for the system, and prevented installation from continuing. The text of the Malayalam translation has been shortened so that the interface elements no longer overlap. The buttons on the partitioning scheme screen now work correctly and allow installation to continue. (BZ#479353)
  • during installation, anaconda automatically examines any storage device that has the label OEMDRV for driver updates and applies any updates that it finds there. Previously, anaconda searched for this label on the devices listed in /proc/partitions. However, /proc/partitions does not identify CD or DVD media, so anaconda overlooked optical disks that had the correct label. Anaconda now examines the devices listed in /sys/block. Therefore, anaconda correctly identifies CDs and DVDs labelled OEMDRV as driver discs and automatically applies any driver updates contained on them. (BZ#485060)
  • previously, if anaconda required network access early in an installation (for example, to retrieve a kickstart file or driver disk image), it temporarily saved information about the network configuration while it enabled access to the network. However, if anaconda required network access again for a separate reason, it would not attempt to configure network access again, but would not be able to connect to the network either, because it no longer retained the configuration information that it had already used. Therefore, anaconda could not download both a kickstart file and a driver disk image over a network. Anaconda now retains the network configuration that it obtains early in the installation process, and can reuse this information multiple times. Therefore, anaconda can use more than one resource obtained over a network during installation. (BZ#495042)
  • previously, while upgrading a system, anaconda did not check whether packages marked for installation as dependencies were already installed on the system. Consequently, many packages would be reinstalled during an upgrade, wasting time and, in the case of network installations, bandwidth. Now, when performing an upgrade, anaconda matches the packages to be installed against the packages that are already installed. Any packages with the same Name, Arch, Epoch, Version, Release (NAEVR) as a package already on the system are skipped and not reinstalled. (BZ#495796)
  • previously, anaconda did not specify a value for HOTPLUG when writing the system's networking configuration files, although it did write a value for ONBOOT. Because HOTPLUG is enabled by default, the effect of disabling ONBOOT was limited because any interface not activated at boot time would be enabled anyway whenever probed by the system. Anaconda now writes a value for HOTPLUG, setting it to the same value as ONBOOT. Therefore, any network interface not meant to be enabled at boot time will not be automatically enabled by probing either. (BZ#498086)
  • the part kickstart command accepts an option called --label that allows a label to be applied to a disk partition during a kickstart installation. However, the code that implemented this option was previously missing from anaconda. Any label specified in a kickstart file was therefore ignored. Anaconda now includes code to transfer the specified label from the kickstart file to the disk partition. Users can now label disk partitions during kickstart installations. (BZ#498856)
  • when running in rescue mode, anaconda previously lacked the ability to identify partitions on logical volumes if the partitions were identified in fstab by label rather than by device name. Therefore, if the root (/) partition were identified in this way, the usefulness of rescue mode would be limited. Anaconda in rescue mode now uses the getLabels() method to find partitions and therefore properly detects root partition even if it resides on a logical volume and is identified by label in fstab. (BZ#502178)
  • previously, the help text available while configuring NETTYPE for IBM System z systems did not mention HiperSockets. Users new to System z might therefore not have known to choose qeth to configure HiperSocket interfaces on their hardware. The help text has now been updated to indicate the correct choice and users can select the appropriate option. (BZ#511962)
  • when the RUNKS was set to 0 in the CMSCONFFILE file on IBM System z systems, anaconda should have performed an installation in interactive mode. However, a rewrite of linuxrc.s390 changed the behavior of RUNKS and led to anaconda ignoring this variable. Installation would therefore proceed in non-interactive mode regardless of what value was set in CMSCONFFILE. A new test is now included in the version of linuxrc.s390 in Red Hat Enterprise Linux 5.5 so that anaconda honors RUNKS=0 and performs an interactive install if this value is set. (BZ#513951)
  • by design, anaconda recognizes any block device with the label OEMDRV as a driver disc and searches it for a driver update. However, anaconda previously failed to examine dev nodes and therefore, it would not recognize this label on USB storage devices mounted as a partitionless block devices. Anaconda now examines dev nodes for the label OEMDRV and treats them the same as partitions with this label. It is therefore possible to use a partitionless device as a driver disc. (BZ#515437)
  • previously, anaconda did not reinitialize its record of the partition layout on a system when users clicked the back button from the partitioning screen. Therefore, when a user selected a partition layout, went back to an earlier screen, and then went forward again to choose a different partition layout, anaconda would attempt to implement the new partition layout over the previously-selected partition layout instead of the partition layout actually present on the system. This would sometimes result in a crash. Now, when users step backwards from the partitioning screen. anaconda reinitializes its record of the partitions present on the system. Users can therefore change their minds about partitioning options without crashing anaconda. (BZ#516715)
  • systems store information about iSCSI targets to which they are connected in the iSCSI Boot Firmware Table (iBFT) in BIOS. Previously, however, when anaconda installed Red Hat Enterprise Linux 5 from a local installation source such as a CD, DVD, or hard disk, it would not initialize network connections before asking users to configure storage on the system. Therefore, on systems with iSCSI storage, users would have to configure a network connection manually before proceding with installation, even when this information was already available to anaconda in the system BIOS. Now, when anaconda detects a valid iBFT present on a system, it automatically loads the network configuration specified there and does not requre users to enter this information. Installation from local media on systems with iSCSI storage is therefore simpler and more reliable. (BZ#517768)
  • due to faulty logic, anaconda previously did not parse IPv6 addresses correctly and attempted to read the final byte of the address as a port number. It was therefore not possible, for example, to install on an iSCSI target specified by in IPv6 address. The logic by which anaconda parses IP addresses has now been corrected, but now requires IPv6 addresses to be specified in the [address]:port form to comply with the relevant RFCs. This form removes ambiguity, since IPv6 addresses are still valid if they omit a sequence of bytes with zero values. When IPv6 addresses are specified in this format, anaconda parses them correctly and installation continues as normal. (BZ#525054)
  • comments in kickstart files are marked with a pound symbol (#) at the start of the line. However, anaconda did not previously account for the possibility that users might mark a comment with multiple pound symbols (for example, #####). Anaconda would therefore attempt to parse lines that started with multiple pound symbols and installation would fail. Anaconda now recognizes lines that start with multiple pound symbols as comments and does not attempt to parse them. Users can now safely mark comments in kickstart files in this way. (BZ#525676)
  • to avoid a circular dependency that exists between the ghostscript and ghostscript-fonts packages, anaconda ignored ghostscript's dependency on ghostscript-fonts. However, ghostscript-fonts was not explicitly installed as part of the Printing package group. The usefulness of Ghostscript as installed by anaconda was therefore limited. Anaconda still avoids the circular dependency, but now specifically installs ghostscript-fonts when users select the Printing package group. (BZ#530548)
  • previously, anaconda did not automatically instruct the kernel to check for multipath devices when installing on IBM System z systems. Therefore, unless users booted with the mpath boot option, iSCSI devices detected on more than one path would be represented in the installer multiple times, one for each path. Anaconda now automatically loads the mpath boot option and therefore represents multipath devices correctly. (BZ#538129)
  • Dell PowerEdge servers equipped with the SAS6i/R integrated RAID controller use BIOS Enhanced Disk Drive Services (EDD) to identify the storage device from which to boot the operating system. Previously, anaconda did not parse EDD to identify the correct boot device. Consequently, with a RAID 0 and RAID 1 configured on the system, anaconda would choose the wrong device and the system would not be bootable. Anaconda now parses EDD to support the SAS6i/R integrated RAID controller, so that it selects the correct boot device for systems that use this device. (BZ#540637)
  • previously, anaconda would always attempt to reconstruct pre-existing Logical Volume Management (LVM) devices during installation. Anaconda would attempt to recreate the LVM device even when a user cleared the LVM partitions from one or more of the disks that held partitions that formed part of a volume group. In this case, installation would fail. Now, anaconda no longer attempts to reconstruct incomplete LVM devices. Users can therefore safely re-allocate storage that was once part of a volume group and installation will proceed as expected. (BZ#545869)
  • when ksdevice=link is set in a kickstart file, anaconda should automatically select the first available network interface and use it during installation. This avoids the need for user input and allows installation to proceed unattended. However, if interfaces were in a state where anaconda could not determine their status, anaconda would revert to interactive more and prompt the user to select a network interface, thus making unattended installation impossible on systems where network interfaces could be in such a state. Anaconda now forces the network interfaces on the system into IFF_UP and IFF_RUNNING states before it attempts to obtain link status. Because the interfaces are now in a state where they can report their link status to anaconda, Anaconda can automatically choose one to use during installation and kickstart installations can proceed unattended. (BZ#549751)
  • previously, when installing on IBM System z systems, anaconda assumed that the network gateway was unreachable if its attempt to ping the gateway timed out after 10 seconds. Anaconda would then prompt the user to select a gateway. However, if IPADDR in the conf file has changed recently, network interfaces take longer to respond. Anaconda now prompts the user only when three pings have failed and therefore avoids prompting the user for gateway information that is already correctly specified in the conf file. (BZ#506742)
In addition, this updated package provides the following enhancements:
  • after transferring installation files to a z/VM guest, a user must execute a series of Conversational Monitor System (CMS) commands to IPL the zLinux installation. These commands can be scripted, but no such script was previously included with Red Hat Enterprise Linux 5. The lack of a readymade script made installation more difficult for users unfamiliar with CMS commands. The CMS script for starting the install process on z/VM is now included in the Red Hat Enterprise Linux 5 images, simplifying installation. (BZ#475343)
  • anaconda now loads the Brocade BNA Ethernet Controller driver, and supports Brocade Fibre Channel to PCIe Host Bus Adapters. (BZ#475707)
  • previously, anaconda did not offer users the opportunity to configure NFS options during interactive installation (although these could be configured in kickstart files). Users who needed to fine-tune NFS parameters for installation were therefore forced to run an unattended installation. Now, anaconda presents users who select NFS installation with a dialog in which they can configure NFS options to suit their needs. (BZ#493052)
  • previously, it was not possible to configure hypervisor parameters during a kickstart installation. As a result, users needed to specify hypervisor parameters manually after installation, negating the usefulness of kickstart as as a mechanism for unattended installations. Now, anaconda recognizes a new kickstart option, --hvargs and sets Hypervisor parameters accordingly. (BZ#501438)
  • previouisly, during a kickstart installation when multiple multipath LUNs were available, anaconda would automatically choose the LUN with the lowest ID number for the root device. Users had no ready way to customize this behavior. Now, anaconda supports a multipath kickstart command with --name and --device options that allow users to specify a LUN for root. (BZ#502768)
  • anaconda can retrieve kickstart files from FTP servers. Previously, however, anaconda did not support users specifying authentication credentials to access an FTP server. Therefore, if access to the server were protected by a passphrase, anaconda could not retrieve the kickstart file. Now, when specifying the location of a kickstart file with the ks= boot option, users can provide a passphrase to allow anaconda to retrieve the kickstart files fom a protected server. (BZ#505424)
  • previously, troubleshooting errors that occurred while running %pre and %post kickstart scriptlets was very difficult because anaconda did not log the behavior of these scriptlets. Anaconda now copies %pre and %post kickstart scriptlets to /tmp together with a log. These records make troubleshooting kickstart installations easier. (BZ#510636)
  • Reipl is a kernel feature that instructs IBM System z systems where to boot next, as these systems do not have a default boot location. Anaconda did not previously support Reipl, which meant that during installation, users had to specify a boot location manually between different phases of the installation. Anaconda now supports Reipl, so these reboots can happen automatically. (BZ#512195)
  • NPort ID Virtualization (NPIV) presents one physical Fibre Channel adapter port to the SAN as multiple WWNN/WWPN pairs. Anaconda now supports NPIV, which allows users on PowerPC systems to install to a NPIV LUN. (BZ#512237)
  • the Python executables that make up anaconda now all explicitly use the system Python (#! /usr/bin/python instead of #! /usr/bin/env python). This ensures that anaconda functions correctly when more than one Python stack is present on a system. (BZ#521337)
  • anaconda now supports the Emulex OneConnect iSCSI network interface card. (BZ#529442)
  • anaconda now supports PMC Sierra MaxRAID controller adapters. (BZ#532777)
  • although users have been able to specify package groups for installation in kickstart files, using the @ prefix, it was not possible to exclude package groups from installation, only individual packages. Anaconda now supports excluding package groups with the -@ prefix (BZ#558516)
  • anaconda now loads the xorg-x11-qxl-drv and xorg-x11-ast-drv X11 video drivers as required. xorg-x11-qxl-drv supports the qemu QXL video accelerator when installing Red Hat Enterprise Linux 5 as a guest operating system. xorg-x11-ast-drv supports ASPEED Technologies video hardware. (BZ#567666)

1.5. apr-util

1.5.1. RHEA-2010:0310: enhancement update

Updated apr-util packages that add support for MySQL are now available.
apr-util is a utility library used with the Apache Portable Runtime (APR). It aims to provide a free library of C data structures and routines. This library contains additional utility interfaces for APR; including support for XML, LDAP, database interfaces, URI parsing, and more.
In previous releases, the APR utility library DBD (database abstraction) interface did not include support for MySQL databases. This update adds the MySQL driver to the DBD interface.(BZ#252073, BZ#491342)
All users requiring MySQL support should install these newly released packages, which add this enhancement.

1.6. at

1.6.1. RHBA-2009:1654: bug fix and enhancement update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1654
An updated "at" package that adds and documents a configuration enhancement and corrects the -debuginfo build is now available.
"At" and "Batch" read commands from standard input or from a specified file. At allows you to specify that a command will be run at a particular time. Batch will execute commands when the system load levels drop to a particular level. Both commands use /bin/sh.
This update addresses the following issue:
* although "at" contains ELF objects, the at-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#500542)
This update also adds the following enhancements:
* previously, the atd daemon ran with hard-coded options and could only be configured at the command-line. The atd daemon now reads a configuration file, /etc/sysconfig/atd, when it starts up, enabling easier configuration, particularly for load options and multiprocessor systems. (BZ#232259)
* The DESCRIPTION section of the "at" man page has been updated to note the existence, location and purpose of the /etc/sysconfig/atd configuration file. Note: as the man page suggests, the sample configuration file included with this update is the primary source of information about atd configuration options. (BZ#537792)
Users are advised to upgrade to this updated package, which fixes this bug and adds these enhancements.

1.7. audit

1.7.1. RHBA-2010:0228: bug fix update

An updated audit package that fixes various bugs and provides an enhancement is now available.
The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel.
This update includes the following fixes:
* The man page was ambiguous in explaining the structure of dates and the supplied examples often did not work because of different date formats in various locales. This caused some confusion amongst users. The page has been rewritten to clarify that the date format accepted by aureport and ausearch is influenced by the LC_TIME environmental variable, eliminating the confusion about this issue. (BZ#513974)
* The audit package's libauparse function had a bug that meant it could not interpret IPC (inter-process communication) mode fields. When it attempted to do so, a segmentation fault would occur. The audit package has now been patched so that IPC mode fields are interpreted by the software without crashes resulting. (BZ#519790)
This update also includes the following enhancement:
* The audit package has been rebased and, as a result, a number of new features have been added. These include:
1. Allowing ausearch/report to specify multiple node names (which are needed for remote logging). 2. auparse can now handle empty AUSOURCE_FILE_ARRAYs. 3. auditctl rules now allow a0-a3 to be negative numbers. 4. An audit.rules man page has been added. 5. auditd resets syslog warnings if disk space becomes available. 6. The != operator in audit_rule_fieldpair_data is now checked. 7. A tcp_max_per_addr option has been added to auditd.conf in order to limit concurrent connections. 8. Many improvements to remote logging code.
As a result, these enhancements are now available for system administrators, making auditing options much more flexible. (BZ#529851)

1.8. autofs

1.8.1. RHBA-2009:1468: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1468
An updated autofs package that fixes two bugs is now available.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following two autofs bugs:
* autofs was incorrectly using a non-thread-safe libxml2 function as though it was thread-safe. This sometimes resulted in autofs crashing. With this update the calls to xmlCleanupParser() and xmlInitParser() have been moved: these functions are now only called as autofs starts and exits, ensuring these libxml2 functions are not called more than once while autofs is running. (BZ#523188)
* a recent correction related to autofs master map entry updating introduced a regression whereby it was possible to deadlock when requesting a map re-load when an entry in a direct map had been removed. This update adds a check that ensures such map re-load requests do not cause a deadlock. (BZ#525431)
All autofs users should install this updated package which addresses these issues.

1.8.2. RHBA-2010:0265: bug fix update

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.
This updated package fixes the following bugs:
  • If an included map read failed, autofs returned an error and subsequent master map entries were not read. This update reports the failure in the log but master map reading no longer ceases. (BZ#506034)
  • autofs could segfault if it called xmlCleanupParser concurrently from multiple threads, as this function is not re-entrant. autofs has been changed to call this function only once from its main thread, when the application exits. (BZ#513289)
  • autofs could segfault at startup when using LDAP under certain circumstances. autofs would fail to try and retrieve a query dn if:
    • LDAP is being used to store autofs maps and...
    • The LDAP schema to be used for the maps is explicitly defined in the autofs configuration and...
    • No master map entries exist in LDAP.
    This set of conditions would return success instead of failure. This update fixes the get query dn failure. (BZ#572603)
  • If a master map entry is changed in any other way besides the map name (for example, map wide options) the system encountered two application data structures for the "same" map during a map re-read. If the contents of that map has also changed, a deadlock can occur.
    Having the duplicate data structure also caused entries in the problem map to be umounted. Since direct mount maps have a distinct autofs mount for each entry direct mount they appeared to stop working. This update corrects this behaviour. (BZ#514412)
  • autofs would block for several minutes when attempting to mount from a server that was not available. A new mount_wait parameter has been added to prevent this block. This update requires SELinux policy 255 or later. (BZ#517349)
  • The autofs parser objected to locations containing the characters '@' and '#' (Lustre and sshfs mounts) causing the mount request to fail. This update allows autofs to parse these characters and mount successfully. (BZ#520745)
  • Due to an incorrect system call an error message stating "Operation not permitted" would be returned when attempting to mount an unknown hostname. This call has been corrected and autofs now returns "hostname lookup failed" as would be expected. (BZ#533323)
  • A typing error in the usage text of the autofs service script has been corrected. (BZ#534012)
  • When changing the timed wait from using select(2) to poll(2) in the non-blocking TCP connection function, to overcome the 1024 file handle limit of select(2), the wait timeout was not correctly converted from seconds to milliseconds. This update corrects the problem. (BZ#539747)
  • autofs failed to mount locations whose path depended on another local auto-mounted mount. Dependent mounts are triggered by calling access(2) on the mount location path prior to mounting the location. The check for whether a location was a local path was restrictive and didn't cater for all cases. This has now been fixed. (BZ#537403)
  • Inter-operability between autofs and some non-open source LDAP servers was impaired when a SASL authenticated connection was used over muliple bind and unbind operations. autofs has been updated use distinct authentication connection for each server it binds to. (BZ#537793)
  • autofs failed to load its maps if all LDAP servers were down, or unreachable, when the daemon started. The dependency on an LDAP server being available at startup has been removed. This change resolved the issue of the map server being unreachable for some common usage cases. (BZ#543554)
  • The random selection option used with mount locations that have multiple servers was not being set correctly during the paring of master map entries. If specified as a mount option in master map entries the option is now used as has been requested. (BZ#548476)
  • Setting the expire timeout to 0 was causing autofs to constantly schedule expire runs leading to excessive resource usage and preature umounting of mounts. Setting the timeout to 0 should in fact disable expiry of mounts and this update fixes this incorrect behavior. (BZ#548277)
  • autofs would abort when using DIGEST-MD5 authentication under heavy concurrent access. This was caused by autofs not providing the locking functions required by the cyrus-sasl library. In addition the cyrus-sasl library locking functions contained a race which sometimes lead to a deadlock. This update adds the needed locking functions to autofs and passes them to cyrus-sasl at initialization. The bug in the cyrus-sasl library is fixed in cyrus-sasl-lib 2.1.22-5.el5.el5_4.3 and later which is required for the update to install if cyrus-sasl is also installed. (BZ#559430)
All autofs users should upgrade to this updated package, which resolves these issues.

1.9. automake

1.9.1. RHSA-2010:0321: Low security update

Updated automake, automake14, automake15, automake16, and automake17 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Automake is a tool for automatically generating Makefile.in files compliant with the GNU Coding Standards.
Automake-generated Makefiles made certain directories world-writable when preparing source archives, as was recommended by the GNU Coding Standards. If a malicious, local user could access the directory where a victim was creating distribution archives, they could use this flaw to modify the files being added to those archives. Makefiles generated by these updated automake packages no longer make distribution directories world-writable, as recommended by the updated GNU Coding Standards. (CVE-2009-4029)
Note: This issue affected Makefile targets used by developers to prepare distribution source archives. Those targets are not used when compiling programs from the source code.
All users of automake, automake14, automake15, automake16, and automake17 should upgrade to these updated packages, which resolve this issue.

1.10. avahi

1.10.1. RHBA-2010:0034: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0034
Updated avahi packages that address two bugs are now available.
Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zeroconf Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, see printers to print to, and find shared files on other computers.
This update fixes the following two bugs:
* previously, avahi published a static SSH-SFTP service by default, regardless of the machine and regardless of whether an ssh server was running or not. As a result, all Red Hat Enterprise Linux instances also running Avahi appeared in the LAN listings of file browsers and file managers (eg "Places > Network" in Nautilus or "Go > Network Folders" in Konquerer) even if they were not acting as file servers. This update still includes a static SSH-SFTP service but it now ships as a deactivated example service (ie, is not published by default). The static SSH-FTP service can be activated manually, but systems running Avahi no longer appear in file manager LAN listings by default. (BZ#219143)
* previously, running the Avahi init scripts with a "status" argument resulted in a return code of 0, regardless of whether the daemons are running or not. This update corrects that: a missing avahi daemon now results in a failure return code (1) as expected. (BZ#232161)
All avahi users should install these updated packages, which address these issues.

1.11. bind

1.11.1. RHSA-2010:0062: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0062
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097)
The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290)
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve these issues. After installing the update, the BIND daemon (named) will be restarted automatically.

1.11.2. RHSA-2009:1620: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1620
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Michael Sinatra discovered that BIND was incorrectly caching responses without performing proper DNSSEC validation, when those responses were received during the resolution of a recursive client query that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2009-4022)
All BIND users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

1.12. binutils

1.12.1. RHBA-2010:0304: bug fix update

Updated binutils packages that fix various bugs are now available.
Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU linker), nm (for listing symbols from object files), objcopy (for copying and translating object files), objdump (for displaying information from object files), ranlib (for generating an index for the contents of an archive), readelf (for displaying detailed information about binary files), size (for listing the section sizes of an object or archive file), strings (for listing printable strings from files), strip (for discarding symbols), and addr2line (for converting addresses to file and line).
These updated binutils packages provide fixes for the following bugs:
* The readelf debugging utility was placing subject error messages in the middle of the .debug_str in the stderr output. This meant that location lists in the .debug._info section that were not in ascending order could not be handled correctly and the debugger could pick the wrong function, leading to dropped debug information. A patch has now been added and, as a result, the location lists can now be handled correctly, irrespective of order. As a result, the debugger now picks the right function when looking up symbols and debug information is no longer dropped. (BZ#499164,
* The strings command was not parsing files correctly. When used with a multi-digit <NUM> argument (such as strings -10 filename.txt) an "invalid integer argument" error would occur because it regarded each numeral as a separate argument. The parsing has now been corrected via a patch to strings.c.multidigit_input so that multi-digit numerals are regarded as parts of a single argument. As a result, files are now parsed correctly. (BZ#508765)
* There was a regression in binutils-devel that caused it to build "oprofile" files incorrectly. As a result, bfd_get_section_by_name() returned incorrect information about the debuginfo section and an "opreport" error would occur. The bfd.h header's API has now been fixed to match the BFD library's ABI. As a result, the per-symbol profile is now generated correctly and the opreport runs without error. (BZ#529028)
* There was a link failure whereby when a symbol in a comdat/linkonce section had a different level of visibility in different files, the linker could not merge the visibility. As a consequence, after the ld command was run, a "final link failed: Bad value" error would occur. A patch has been added to elflink.c.sym_visibility to make sure that the visibility is kept. As a result, ld now can now merge different levels of visibility without error. (BZ#531269)
Users are advised to upgrade to these updated binutils packages, which resolve these issues.

1.13. bogl

1.13.1. RHBA-2009:1593: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1593
Updated bogl packages that fix a bug are now available.
Ben's Own Graphics Library (BOGL) is a small graphics library for Linux kernel frame buffers. It supports only very simple graphics. The bogl packages also include bterm, a Unicode-capable terminal program for the Linux frame buffer.
These updated packages provide a fix for the following bug:
* when editing a file with vi from within the bterm console, a SIGSEGV error could occur, causing both vi and bterm to crash. This update adds a check that keeps "yorig" from equaling -1, which prevents the underlying memory reference error occurring. (BZ#517957)
All bogl users are advised to upgrade to these updated packages, which resolve this issue.

1.14. bootparamd

1.14.1. RHBA-2010:0057: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0057
An updated bootparamd package that fixes a bug is now available.
Bootparamd is a server process that provides information to diskless clients necessary for booting; consulting the /etc/bootparams file for required information.
When bootparamd is used for multihomed environment handling, it would previously evaluate the route to be returned to the first requesting client and re-evaluate the route to be returned for each client thereafter. Even though it re-evaluates what router IP to return for each following client, it would always send back the first route, due to it being the one that was cached. This updated package ensures that no re-evaluation occurs concerning the router IP to return for each client. (BZ#446108)
All users of bootparamd are advised to upgrade to this updated package, which resolves this issue.

1.15. booty

1.15.1. RHBA-2010:0185: bug fix and enhancement update

An updated booty package that fixes a bug and adds an enhancement is now available.
The booty package contains a python library which provides an interface for the creation of boot loader configuration files and the addition of stanzas to said configuration files. These boot loader configuration files are used by the anaconda installer.
This updated booty package fixes the following bug:
* early in the installation process, anaconda creates a ramdisk to hold files that it will need to complete the installation. Previously, when installing the debug kernel for Red Hat Enterprise Linux on IBM System z, the ramdisk was larger than the default memory address that ZIPL allocated to hold the ramdisk. Installation would therefore fail. The /etc/zipl.conf file that booty creates for anaconda now explicitly specifies a suitable address for the ramdisk so that ZIPL does not rely on the insufficient default address. With enough space to create the ramdisk, installation succeeds. (BZ#429906)
In addition, this updated package provides the following enhancement:
* previously, there was no way to configure hypervisor parameters during a kickstart installation. Therefore, these parameters would have to be configured manually after installation. Red Hat Enterprise Linux now includes a new option for the "bootloader" command in kickstart, "--hvargs", which sets hypervisor parameters in grub.conf during installation. It is now possible to automate this part of the installation process. Refer to the Red Hat Enterprise Linux 5 Installation Guide for a description of the "--hvargs" option. (BZ#552957)
Users of booty are advised to upgrade to this updated booty package, which resolves this issue and adds this enhancement.

1.16. brltty

1.16.1. RHSA-2010:0181: Low security and bug fix update

Updated brltty packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
brltty (Braille TTY) is a background process (daemon) which provides access to the Linux console (when in text mode) for a blind person using a refreshable braille display. It drives the braille display, and provides complete screen review functionality.
It was discovered that a brltty library had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run an application using brltty in an attacker-controlled directory, could run arbitrary code with the privileges of the victim. (CVE-2008-3279)
These updated packages also provide fixes for the following bugs:
* the brltty configuration file is documented in the brltty manual page, but there is no separate manual page for the /etc/brltty.conf configuration file: running "man brltty.conf" returned "No manual entry for brltty.conf" rather than opening the brltty manual entry. This update adds brltty.conf.5 as an alias to the brltty manual page. Consequently, running "man brltty.conf" now opens the manual entry documenting the brltty.conf specification. ( BZ#530554 )
* previously, the brltty-pm.conf configuration file was installed in the /etc/brltty/ directory. This file, which configures Papenmeier Braille Terminals for use with Red Hat Enterprise Linux, is optional. As well, it did not come with a corresponding manual page. With this update, the file has been moved to /usr/share/doc/brltty-3.7.2/BrailleDrivers/Papenmeier/. This directory also includes a README document that explains the file's purpose and format. ( BZ#530554 )
* during the brltty packages installation, the message
Creating screen inspection device /dev/vcsa...done.
was presented at the console. This was inadequate, especially during the initial install of the system. These updated packages do not send any message to the console during installation. (BZ#529163)
* although brltty contains ELF objects, the brltty-debuginfo package was empty. With this update, the -debuginfo package contains valid debugging information as expected. (BZ#500545)
* the MAX_NR_CONSOLES definition was acquired by brltty by #including linux/tty.h in Programs/api_client.c. MAX_NR_CONSOLES has since moved to linux/vt.h but the #include in api_client.c was not updated. Consequently, brltty could not be built from the source RPM against the Red Hat Enterprise Linux 5 kernel. This update corrects the #include in api_client.c to linux/vt.h and brltty now builds from source as expected. (BZ#456247)
All brltty users are advised to upgrade to these updated packages, which resolve these issues.

1.17. checkpolicy

1.17.1. RHBA-2010:0184: bug fix update

An updated checkpolicy package that makes a man page correction, fixes help message and man page omissions and allows the unknown access flag to be specified is now available.
checkpolicy is the policy compiler for Security-Enhanced Linux (SELinux). The checkpolicy utility is required for building SELinux policies.
This updated checkpolicy package addresses the following issues:
* newer SELinux kernels have access checks that the shipping SELinux policy package does not understand. The kernel currently denies these access checks by default. This updated checkpolicy package can build an selinux-policy package that tells the kernel to "Allow" unknown access. (BZ#531229)
* the checkpolicy man page listed (but did not otherwise document) a "-m" switch. checkpolicy supports a "-M" switch but not a "-m" switch. This update removes the "-m" option from the checkpolicy SYNOPSIS. Note: the "-M" switch was and is documented in the OPTIONS section of the checkpolicy man page. (BZ#533790)
* checkmodule's "-d" switch (which switches the tool to debug mode) was documented in the checkmodule man page but not in the output of checkmodule's help message (ie the output of "checkmodule --help" or "checkmodule -h"). Also, the "-h" switch was not documented at all. With this update, the "-d" switch is now included in help message output and the "-h" switch is documented in both the checkmodule man page and the checkmodule help message. (BZ#533796)
All SELinux users should install this updated package which resolves these issues.

1.18. chkconfig

1.18.1. RHBA-2009:1628: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1628
Updated chkconfig packages that resolve several issues with the alternatives utility and provide various man page corrections are now available.
The basic system utility chkconfig updates and queries runlevel information for system services.
These updated chkconfig packages provide fixes for the following bugs:
* when the "alternatives" utility was run and an error occurred, no contextual information such as the line number of the error was provided. With this update, upon an error, "alternatives" now provides the line number where the error occurred in the relevant file in the /var/lib/alternatives directory, which helps to diagnose alternatives-related errors. (BZ#441443)
* using the "alternatives" utility and selecting the last available option and then uninstalling the program which provided that alternative did not result in the removal of the symbolic links for that option. Because the previously-set alternative was no longer available and the symbolic link remained, the program was then rendered unusable. With this update, when the aforementioned condition is met, the "alternatives" program now recognizes that the program is no longer available and removes the extraneous symbolic link, with the result that the next-best alternative is properly selected, and running the program works as expected. (BZ#525051)
* the chkconfig(8) man page contained a description of the syntax for running chkconfig that differed from the correct description presented when running "chkconfig --help". The man page has been corrected to correspond with the program's help information. (BZ#501225)
* the chkconfig(8) man page contained an incorrect reference to runlevel 7, which does not exist (runlevels extend from 0 to 6, inclusive). This update corrects the man page by removing all references to "runlevel 7". (BZ#466740)
* the ntsysv(8) man page referenced a non-existent man page, servicesconf. This reference has been removed. (BZ#516599)
All users of chkconfig are advised to upgrade to these updated packages, which resolve these issues.

1.19. cman

1.19.1. RHBA-2009:1435: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1435
Updated cman packages that fix a bug and add an enhancement are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
* in several places internally, cman assumed a transition message meant the node in question (or the sending node) was joining the cluster rather than just sending its current post-transition state. In some circumstances, this could lead to cman killing the wrong nodes. With this update, cman now checks the first_trans flag, which is set when a node first encounters another node in the cluster. Only if first_trans is set does cman now consider the node as joining the cluster. (BZ#518061)
Also, this update includes the following enhancement:
First, if a node was asked to remove a key (fence) for a device that it was not registered with, the node attempted to register with that device on-the-fly. With this update, when nodes are asked to remove a key from devices with which they are not registered, the fencing fails.
Second, for the common case of SAN environments with multiple Logical Unit Numbers (LUNs), the devices (LUNs) that can be unregistered must be ordered consistently on all nodes. Consistent ordering is not guaranteed by the Logical Volume Manager (LVM), however; device names can vary from node to node to prevent interleaving of fence operation among devices. With this update, the fence_scsi agent extracts the device name (pv_name) and Universally Unique Identifier (pv_uuid) and builds a hash keyed on the UUID (which is consistent on all nodes). This ensures devices are ordered consistently on each node.
Consequent to these two changes, the first node to fence removes the other node's key from the device or devices. The second node, now not registered with the device, is not able to fence the first. This allows fence_scsi to work in a 2-node cluster. (BZ#520823)
All cman users should install this updated package, which fixes this bug and enables users to use fence_scsi in a 2-node environment.

1.19.2. RHBA-2009:1516: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1516
Updated cman packages that fix a bug are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update applies the following bug fix:
Add support for power cycle command to fence_ipmi, which doesn't shut down the BMC controller.
Old behavior is still the default, so nothing changes without a configuration change. Now there is a new method option that can have the value "cycle", which uses the ipmi power cycle command.
Example of usage:...
<fencedevices> <fencedevice agent="fence_ipmilan_new" ipaddr="1.2.3.4" login="root" name="ipmifd1" passwd="password" method="cycle" /> ...
Users are advised to upgrade to these updated cman packages, which resolve this issue.

1.19.3. RHBA-2009:1598: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1598
Updated cman packages that resolve several issues are now available.
[Updated 4 Jan 2009] This update provides improved descriptions of both bug fixes included in this advisory, and especially the description for bug 529712. The packages included in this revised update have not been changed in any way from those included in the original advisory.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
These updated cman packages provide fixes for the following bugs:
* when using device-mapper-multipath devices, registrations were only sent to the active path, which meant that, in the event of path failure, the node would be unable to access the device via the secondary path or paths because the device would not be registered with the secondary path(s). With this update, the presence of device-mapper-multipath devices is detected correctly, the right paths are discovered, and each path is registered, including secondary paths. (BZ#529712)
* when running the /etc/init.d/scsi_reserve init script to check for errors, such as an incorrect cluster.conf configuration, among others, upon finding an error the script did not print "[FAILED]" to standard output, as is convention for system services which encounter startup errors. With this update, the scsi_reserve init script has been fixed so that it prints "[FAILED]" to standard output when an error is encountered, and "[OK]" otherwise. Any errors encountered are logged to the system log. (BZ#530400)
All users of cman are advised to upgrade to these updated packages, which resolve these issues.

1.19.4. RHBA-2009:1622: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1622
Updated cman packages that fix bugs are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
This update fixes the following bugs:
* qdiskd erroneously writes the message "qdiskd: read (system call) has hung for X seconds". (BZ 537157)
* Crash in fence_ipmilan when -M switch was not present on the command-line. (BZ 537157)
Users are advised to upgrade to these updated cman packages, which resolve these issues.

1.19.5. RHBA-2010:0266: bug fix and enhancement update

Updated cman packages that fix bugs and add enhancements are now available.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.
Changes in this update:
* fence_rsa fails to login with new RSA II firmware. (BZ#549473)
* fence_virsh reports vm status incorrectly. (BZ#544664)
* improve error messages from ccsd if there is a network problem. (BZ#517399)
* new fence agent for VMWare. (BZ#548577)
Note: this is a Tech Preview only.
* fence agent for HP iLO2 MP. (BZ#508722)
* fence agent for RSB ends with traceback. (BZ#545054)
* security feature for SNMP based agent: apc_snmp & ibmblade. (BZ#532922)
* change default timeout values for various fence agents. (BZ#549124)
* "Option -V" (show version) was not working in all fence agents. (BZ#549113)
* automatically configure consensus based on token timeout. (BZ#544482)
* add readconfig & dumpconfig to fence_tool. (BZ#514662)
* make groupd handle partition merges. (BZ#546082)
* groupd: clean up leaving failed node. (BZ#521817)
* scsi_reserve should always echo after failure. (BZ#514260)
* fence_scsi_test: add debug information. (BZ#516763)
* fence_scsi_test should not allow -c & -s options together. (BZ#528832)
* fix fence_ipmilan read from unitialized memory. (BZ#532138)
* make qdiskd stop crying wolf. (BZ#532773)
* fencing failed when used without telnet or ssh. (BZ#512343)
* APC changed product name (MasterSwitch -> Switched Rack PDU). (BZ#447481)
* fix invalid initalization introduced by retry-on option.
* broken device detection for DRAC3 ERA/O. (BZ#489809)
* fix case sensitivities in action parameter. (BZ#528938)
* fencing_snmp failed on all operations & traceback fix. (BZ#528916)
* accept unknown options from standard input. (BZ#532920)
* fence_apc unable to obtain plug status. (BZ#532916)
* timeout options added. (BZ#507514)
* better default timeout for bladecenter. (BZ#526806)
* the LOGIN_TIMEOUT value was too short for fence_lpar & the SSH login timed out before the connection could be completed. (BZ#546340)
* add missing-as-off option (missing blade/device is always OFF). (BZ#248006)
* make qdiskd "master-wins" node work. (BZ#372901)
* make qdisk self-fence system if write errors take longer than interval*tko. (BZ#511113)
* make service_cman.lcrso executable, so RPM adds it to the debuginfo pkg. (BZ#511346)
* don't check for xm command in cman init script: virsh is more appropriate. (BZ#516111)
* allow re-registering of a quorum device. (BZ#525270)
* fix fence_scsi, multipath & persistent reservations. (BZ#516625)
* cman_tool leave remove reduces quorum when no services are connected. (BZ#515446)
* fence_sanbox2 unable to retrieve status. (BZ#512947)
* gfs_controld: GETLK should free unused resource. (BZ#513285)
* allow IP addresses as node names. (BZ#504158)
* fence_scsi man page contains invalid option. (BZ#515731)
* fence_scsi support for 2 node clusters. (BZ#516085)
* Support for power cycle in fence ipmi. (BZ#482913)
* add option 'list devices' for fencing agents. (BZ#519697)
* add support for switching IPv4/IPv6. (BZ#520458)
* fence agent ends with traceback if option is missing. (BZ#508262)
* command line options to override default ports for different services, such as SSH & Telnet (i.e. -u option) were added. ( BZ#506928 )
Note: "-u" does not currently work with fence_wti. Other agents honor the port override command line options properly, however. ( BZ#506928 )
* force stdout close for fencing agents. (BZ#518622)
* support for long options. (BZ#519670)
* fix a situation where cman could kill the wrong nodes. (BZ#513260)
* fix support for >100 gfs & gfs2 file systems. (BZ#561892)
* fix a problem where 'dm suspend' would hang a withdrawn GFS file system. (BZ#570530)
* fix a problem where fence_snmp returned success when the operation failed. (BZ#573834)
* fencing support for the new iDRAC interface included with Dell PowerEdge R710 & R910 blade servers was added. (BZ#496748)
All cman users should install this update which makes these changes.

1.20. cmirror

1.20.1. RHBA-2010:0307: bug fix update

Updated cmirror packages that fix various bugs are now available.
The cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.
This update addresses the following issues:
* the cmirror init script was reporting false errors in some 'stop' instances. (BZ#520915)
* the cluster log daemon was unable to recover if the cluster was shutdown and restarted without also restarting the cluster log daemon. (BZ#518665)
* communication structure used between nodes was not in a mixed-architecture or upgrade friendly format. (BZ#488102)
* certain failure scenarios during cluster mirror device creation could lead to future kernel panics. (BZ#544253)
All cmirror users should install these updated packages which fix these bugs.

1.21. cmirror-kmod

1.21.1. RHBA-2010:0309: bug fix update

Updated kmod-cmirror packages that fix two bugs are now available.
The kmod-cmirror package is necessary for LVM-based mirroring (RAID1) in a cluster environment.
This update addresses the following issues:
* error processing logic failed to remove a list item before freeing the associated memory. ( BZ#544253 )
* added version number to the kernel/daemon communication structure. ( BZ#544253 )
All kmod-mirror users should install these updated packages, which fix these bugs.

1.22. conga

1.22.1. RHBA-2009:1623: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1623
Updated conga packages that fix a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4 are now available.
The Conga project is a management system for remote workstations. It consists of luci, a secure web-based front-end, and ricci, a secure daemon that dispatches incoming messages to the underlying management modules.
This update applies the following bug fix:
* the behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag to virsh commands for them to work correctly. The ricci component of conga runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a non-root user.
As a consequence, when run under Red Hat Enterprise Linux 5.4, running this command returned no information and the luci front-end did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command, in line with the changed behavior, and the web-based front end will provide options to add virtual machine services as expected. (BZ#537209)
All conga users are advised to upgrade to these updated packages, which resolve this issue.

1.22.2. RHBA-2010:0289: bug fix and enhancement update

Updated Conga packages that fix numerous bugs (including a regression introduced between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4) and add the ability to reset user passwords when logged in to luci as an administrator are now available.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front-end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.
This update applies the following bug fixes:
* The behavior of the virsh command changed between Red Hat Enterprise Linux 5.3 and Red Hat Enterprise Linux 5.4. In Red Hat Enterprise Linux 5.4, non-root users must add a "--read-only" flag to virsh commands. The ricci component runs the "virsh nodeinfo" command to determine whether a node can host a Virtual Machine service and it does so as a non-root user. As a consequence, when run under Red Hat Enterprise Linux 5.4, the "virsh nodeinfo" command returned no information and luci did not provide an "Add a virtual machine service" option to Services in the Cluster tab for clusters that were expected to offer such services. With this update, ricci now runs a "virsh nodeinfo --readonly" command in line with the changed behavior, and luci provides options to add Virtual Machine services as expected. (BZ#519252)
* luci failed to start. (BZ#469881)
* Conga doesn't run with SELinux. (BZ#476698)
* Conga does not add the name of the managed system when adding an "LPAR Fencing" fence device to a node. (BZ#508142)
* fs resource will remount itself if any configuration changes are made to cluster.conf. (BZ#514051)
* luci does not validate passwords and incorrect characters can be used. (BZ#519050)
* previously, the shebang lines in luci's python executables pointed to "/usr/bin/env python" rather than explicitly referencing the version of Python installed on the system. This broke those executables in the case where a user was installing an alternative Python version. With this update, all shebang lines point explicitly to the system version at /usr/bin/python. (BZ#521884)
* Conga does not properly handle HA LVM types. (BZ#530129)
This update adds the following enhancement:
* the ability to reset user passwords when logged in to luci as an administrator was added. (BZ#519268)
All Conga users are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.

1.23. coolkey

1.23.1. RHBA-2010:0068: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0068
Updated coolkey packages that resolve several issues are now available.
The coolkey packages contain driver support for CoolKey and Common Access Card (CAC) smart card products.
These updated coolkey packages provide fixes for the following bugs:
* the Department of Defense's alternative CAC tokens are now supported by CoolKey. (BZ#226790)
* the libcoolkeypk11.so shared object library, when it was not linked with the pthreads library, became unresponsive when the C_Initialize() function was called following a call to syslog(). This update ensures that libcoolkeypk11.so does not hang when it is not linked with the pthreads threading library and the aforementioned scenario occurs. ( BZ#245529 )
* CoolKey's PKCS#11 module failed to initialize when the C_Initialize() function was called and the CKF_OS_LOCKING flag was set. This issue is related to the fix for BZ#245529 . With this update, the PKCS#11 module successfully initializes. (BZ#443127)
* the Red Hat Enterprise Security Client (ESC) incorrectly identified CAC cards as CoolKey cards, and mistakenly opened the Phone Home dialog after doing so. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them.
With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. Finally, note that the RHBA-2010:0066 esc update must be installed in order to fully resolve this issue. (BZ#499976)
* CoolKeys is now able to recognize smart cards that use the T1 protocol, such as the SafeNet 330J, in addition to the T0-protocol cards supported previously. (BZ#514298)
* CoolKey now correctly handles cryptographic operations such as digital signing when using cards with 2048-bit keys. Previously, only 1024-bit keys were supported. (BZ#514299)
All users of coolkey are advised to upgrade to these updated packages, which resolve these issues.

1.24. coreutils

1.24.1. RHBA-2009:1511: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1511
An updated coreutils package that fixes a regression in the df command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.
This update fixes the following bug:
* the coreutils update included with Red Hat Enterprise Linux 5.4 introduced a regression in the df command. Running "df -l" with a specific device specified (for example, "df -l /dev/hda1") resulted in a "Permission denied" message for regular users. This update corrects the regression: specifying a device now works for regular users as it did previously. Note: running "df -l" to list all devices was not affected by this bug: it worked as expected previously and continues to do so subsequent to this update. (BZ#528641)
All coreutils users should upgrade to this updated package, which addresses this regression.

1.24.2. RHBA-2010:0120: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0120
An updated coreutils package that fixes a bug in the readlink command is now available.
The coreutils package contains core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages.
This update fixes the following bug:
* when a directory contained a symbolic link to itself, the readlink command, which displays the value of a symbolic link on standard output, incorrectly gave the following error message when attempting to read the value of the symbolic link (or the value of the symbolic links when recursing through the directory and its symlink): "Too many levels of symbolic links". With this update, readlink is once again able to correctly resolve and output the value of the recursive symbolic links to containing directories, or "directory loops", thus resolving the issue. (BZ#567545)
All coreutils users should upgrade to this updated package, which addresses this regression.

1.25. cpio

1.25.1. RHSA-2010:0144: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0144
An updated cpio package that fixes two security issues is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
GNU cpio copies files into or out of a cpio or tar archive.
A heap-based buffer overflow flaw was found in the way cpio expanded archive files. If a user were tricked into expanding a specially-crafted archive, it could cause the cpio executable to crash or execute arbitrary code with the privileges of the user running cpio. (CVE-2010-0624)
Red Hat would like to thank Jakob Lell for responsibly reporting the CVE-2010-0624 issue.
A denial of service flaw was found in the way cpio expanded archive files. If a user expanded a specially-crafted archive, it could cause the cpio executable to crash. (CVE-2007-4476)
Users of cpio are advised to upgrade to this updated package, which contains backported patches to correct these issues.

1.26. cpuspeed

1.26.1. RHBA-2010:0035: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0035
An updated cpuspeed package that fixes some initscript exit statuses, avoids loading on problematic CPUs, and starts only after syslogd is now available.
The cpuspeed package configures CPU frequency scaling.
This update fixes the following bugs:
* some exit status codes from the initscript were not in line with LSB standards. The codes were updated, and are now compliant. (BZ#495049)
* where Intel Xeon Processor 7100 series processors were used with Hyper-Threading Technology enabled, cpuspeed loading could create system deadlocks. The cpuspeed settings were changed and system deadlocks no longer occur on this hardware. (BZ#449004)
* the cpuspeed initscript uses syslog to log important information about its status. However, cpuspeed was being started before syslog on boot, and log messages generated by the cpuspeed init script were not being captured. The cpuspeed init script now runs after the syslog init script, and all log messages are now being recorded. (BZ#516224)
Users should upgrade to this updated package, which resolves these issues.

1.27. crash

1.27.1. RHBA-2010:0230: bug fix update

Updated crash packages that fix various bugs and add enhancements are now available.
The crash package is a core analysis suite. It is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump, and kdump packages from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel patch.
* if a kdump NMI was issued and the task kernel stack was changed, the backtrace would in some cases fail and produce an error: "bt: cannot transition from exception stack to current process stack". The crash package was updated to report task inconsistencies and change the active task as appropriate. Additionally, a new set -a option was added to manually set tasks to be the active task on its CPU. (BZ#504952)
* if the kernel data structures in a non-matching vmlinux varied widely enough from the kernel that generated the vmcore, erroneous data could be read and consumed. Several new defensive mechanisms have been added and it now fails in a more reasonable manner. (BZ#508156)
* running the bt -a command against a Xen hypervisor resulted in a "cannot resolve stack trace" warning message if the CPU received its shutdown NMI while running in an interrupt handler. The bt command was changed and the error no longer occurs. (BZ#510505)
* added support for dumpfile format of virsh dump of KVM kernels. (BZ#510519)
* if a dump was collected when there were one or more cpus offline in the system, an initialization-time failure would occur and the crash would abort. A patch was backported from upstream and the failure no longer occurs. (BZ#520506)
* running the 64-bit bt command could potentially start the backtrace of an active non-crashing task on its per-cpu IRQ stack, cause a faulty transition back to the process stack, the dumping of a bogus exception frame and the message "bt: WARNING: possibly bogus exception frame". The bt command was changed and it now starts from the NMI exception stack, the error no longer occurs. (BZ#523512)
* when the cpu_possible_map contains more CPUs than the cpu_online_map, the set, bt, runq and ps commands would reflect the existing but unused swapper tasks on the non-existent CPUs. The 64-bit PowerPC CPU count determination was fixed and the commands now run as expected. (BZ#550419)
* when INIT-generated pseudo-tasks were running in user-space and the kernel was unable to modify the kernel stack, the backtrace would not identify the interrupted task and would display a "bt: unwind: failed to locate return link" error message. The Itanium backtraces were fixed, and the backtrace now offers information regarding the task that was interrupted. The error message is also suppressed. (BZ #553353)
* using dump to analyze very large xendump core files with ELF sections located beyond a file offset of 4GB resulted in errors. Changes were made to the xc_core_verify() initialization code and dump now works as expected. (BZ #561767)
* The crash utility was rebased. See the changelog linked to in the references section below for full details. (BZ#528184)
All users of crash are advised to upgrade to these updated packages, which resolve these issues.

1.28. ctdb

1.28.1. RHEA-2010:0320: enhancement update

The ctdb package is now available on the ClusterStorage channel.
CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TBD for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.
This update makes the following change:
* CTDB was previously available in the Supplementary channel and is now available in the ClusterStorage channel. (BZ#558493)
Note that CTDB is included as a Technology Preview. Technology Preview features are included in Red Hat Enterprise Linux to provide the features with wide exposure, with the goal of supporting these features in a future release of Red Hat Enterprise Linux. Technology Preview features are not supported under Red Hat Enterprise Linux 5.5 subscription services, and may not be functionally complete. Red Hat welcomes customer feedback and suggestions for Technology Previews. Advisories will be provided for high-severity security issues in Technology Preview features.
All users requiring CTDB should install these newly released packages, which add this enhancement.

1.29. cups

1.29.1. RHBA-2010:0045: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0045
Updated cups packages that fix a severe memory leak in the CUPS scheduler are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX and Unix-like operating systems.
This update addresses the following issue:
* when adding or modifying many printer queues, cupsd, the CUPS scheduler leaked memory. For example, running "lpstat" after creating several thousand printer queues caused cupsd to use all available memory, eventually killing other processes and bringing the system down. With this update cupsd no longer leaks memory when adding or modifying large numbers of printer queues and the associated out-of-memory errors and crashes no longer occur. (BZ#552213)
All cups users should upgrade to these updated packages, which resolves this issue.

1.29.2. RHSA-2010:0129: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0129
Updated cups packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
It was discovered that the Red Hat Security Advisory RHSA-2009:1595 did not fully correct the use-after-free flaw in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could send specially-crafted queries to the CUPS server, causing it to crash. (CVE-2010-0302)
Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, the cupsd daemon will be restarted automatically.

1.29.3. RHSA-2009:1595: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1595
Updated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
[Updated 12th January 2010] The packages list in this erratum has been updated to include missing i386 packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553)
Several cross-site scripting (XSS) flaws were found in the way the CUPS web server interface processed HTML form content. If a remote attacker could trick a local user who is logged into the CUPS web interface into visiting a specially-crafted HTML page, the attacker could retrieve and potentially modify confidential CUPS administration data. (CVE-2009-2820)
Red Hat would like to thank Aaron Sigel of Apple Product Security for responsibly reporting the CVE-2009-2820 issue.
Users of cups are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.4. RHSA-2009:1513: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1513
Updated cups packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems. The CUPS "pdftops" filter converts Portable Document Format (PDF) files to PostScript.
Two integer overflow flaws were found in the CUPS "pdftops" filter. An attacker could create a malicious PDF file that would cause "pdftops" to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-3608, CVE-2009-3609)
Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608 issue.
Users of cups are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the update, the cupsd daemon will be restarted automatically.

1.29.5. RHBA-2010:0210: bug fix update

Updated cups packages that fix several bugs are now available.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating systems.
These updated packages address the following bugs:
* landscape orientation jobs had incorrect page margins. This affects all landscape orientation PDF files, including any landscape job printed from Mac OS X. (BZ#447987)
* when running PHP files through the scheduler's web interface the wrong version PHP interpreter was used, causing missing header lines. (BZ#460898)
* the tmpwatch package is needed by cups but there was no package dependency on it. (BZ#487495)
* there was a memory leak in the scheduler's handling of "file:" device URIs. (BZ#496008)
* setting quota limits using the lpadmin command did not work correctly. (BZ#496082)
* there were several issues with CGI handling in the scheduler, causing custom CGI scripts not to work as expected. (BZ#497632, BZ#506316)
* the dependencies between the various sub-packages were not made explicit in the package requirements. (BZ#502205)
* jobs with multiple files could be removed from a disabled queue when it is re-enabled. (BZ#506257)
* the cups-lpd daemon, for handling RFC 1179 clients, could fail under load due to incorrect temporary file handling. (BZ#523152)
* the CUPS PDF input filter is no longer a separate PDF handling implementation, and instead uses the pdftops program from the poppler-utils package directly. (BZ#527429)
* adding or modifying many queues could cause the scheduler to leak large amounts of memory. (BZ#540646)
All cups users should upgrade to these updated packages, which resolve these issues.

1.30. curl

1.30.1. RHSA-2010:0273: Moderate security, bug fix and enhancement update

Updated curl packages that fix one security issue, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and DICT servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity.
Wesley Miaw discovered that when deflate compression was used, libcurl could call the registered write callback function with data exceeding the documented limit. A malicious server could use this flaw to crash an application using libcurl or, potentially, execute arbitrary code. Note: This issue only affected applications using libcurl that rely on the documented data size limit, and that copy the data to the insufficiently sized buffer. (CVE-2010-0734)
This update also fixes the following bugs:
* when using curl to upload a file, if the connection was broken or reset by the server during the transfer, curl immediately started using 100% CPU and failed to acknowledge that the transfer had failed. With this update, curl displays an appropriate error message and exits when an upload fails mid-transfer due to a broken or reset connection. (BZ#479967)
* libcurl experienced a segmentation fault when attempting to reuse a connection after performing GSS-negotiate authentication, which in turn caused the curl program to crash. This update fixes this bug so that reused connections are able to be successfully established even after GSS-negotiate authentication has been performed. (BZ#517199)
As well, this update adds the following enhancements:
* curl now supports loading Certificate Revocation Lists (CRLs) from a Privacy Enhanced Mail (PEM) file. When curl attempts to access sites that have had their certificate revoked in a CRL, curl refuses access to those sites. (BZ#532069)
* the curl(1) manual page has been updated to clarify that the "--socks4" and "--socks5" options do not work with the IPv6, FTPS, or LDAP protocols. (BZ#473128)
* the curl utility's program help, which is accessed by running "curl -h", has been updated with descriptions for the "--ftp-account" and "--ftp-alternative-to-user" options. (BZ#517084)
Users of curl should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. All running applications using libcurl must be restarted for the update to take effect.

1.31. cyrus-imapd

1.31.1. RHSA-2009:1459: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1459
Updated cyrus-imapd packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.
Multiple buffer overflow flaws were found in the Cyrus IMAP Sieve implementation. An authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user. (CVE-2009-2632, CVE-2009-3235)
Users of cyrus-imapd are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the update, cyrus-imapd will be restarted automatically.

1.32. cyrus-sasl

1.32.1. RHBA-2010:0151: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0151
Updated cyrus-sasl packages that resolve an issue are now available.
The cyrus-sasl packages contain the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
These updated cyrus-sasl packages fix the following bug:
* multithreaded programs which used the Cyrus SASL libraries could have become unresponsive after attempting to perform authentication routines. This was caused by a failure to release a mutex lock on a data structure in the Cyrus SASL code, which resulted in a race condition, thus causing the program using the library to hang. This race condition has been fixed so that it is thread-safe in this update. (BZ#568084)
All users of cyrus-sasl are advised to upgrade to these updated packages, which resolve this issue.

1.33. dbus

1.33.1. RHSA-2010:0018: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0018
Updated dbus packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service and as a per-user-login-session messaging facility.
It was discovered that the Red Hat Security Advisory RHSA-2009:0008 did not correctly fix the denial of service flaw in the system for sending messages between applications. A local user could use this flaw to send a message with a malformed signature to the bus, causing the bus (and, consequently, any process using libdbus to receive messages) to abort. (CVE-2009-1189)
Note: Users running any application providing services over the system message bus are advised to test this update carefully before deploying it in production environments.
All users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all running instances of dbus-daemon and all running applications using the libdbus library must be restarted, or the system rebooted.

1.33.2. RHBA-2010:0236: bug fix update

Updated dbus packages that fix a multilib conflict that could cause installation failure on 64-bit architectures are now available.
D-Bus is a system for sending messages between applications. It is used for the system-wide message bus service, and as a per-user-login-session messaging facility.
* the dbus api help files (installed to /usr/share/devhelp/books/dbus/api/ by default) included with the dbus-devel sub-package were previously automatically generated for each architecture. These auto-generated files contain different timestamps and internal links and, consequently, caused file conflicts with multilib that could prevent dbus-devel installation on 64-bit architectures. With this update, a pre-generated set of help files, dbus-1.1.2-pregen-doc-api-html.tar.bz2, has been added to the rpm. This removes the multilib file conflicts and allows installation of the dbus-devel sub-package in all circumstances. (BZ#471359)
All D-Bus users should install these updated packages which resolve this issue.

1.34. dbus-python

1.34.1. RHBA-2009:1559: bug fix available

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1559
Updated dbus-python packages that fix an issue with the puplet package updater are now available for Red hat Enterprise Linux 5.
The dbus-python package provides a Python binding to the D-Bus system message bus.
This updated dbus-python package fixes the following bug:
* the puplet icon in the GNOME Notification Area displays notifications when updated packages are available. However, due to an error in the dbus-python bindings, when updates were available, puplet failed to display a notification. This update corrects the dbus-python bindings with the result that puplet is once again able to notify the user of available updates. (BZ#532142)
All users are advised to upgrade to this updated package, which resolves this issue.

1.35. device-mapper

1.35.1. RHBA-2010:0296: bug fix and enhancement update

Updated device-mapper packages that include various bug fixes and enhancements are now available.
The device-mapper packages provide a library required by logical volume management utilities such as LVM2 and dmraid.
This update applies the following bug fixes(BZ#536814):
* Fixes crash when hash keys compared are different lengths.
* Restores umask when device node creation fails.
* Does not fork daemon when dmeventd cannot be found.
This update adds the following enhancements:
* Adds splitname command which splits given device name into subsystem constituents.
* Adds y|--yes option to dmsetup for default 'yes' answer to prompts.
* Adds subsystem, vg_name, lv_name, lv_layer fields to dmsetup reports.
* Adds crypt target handling to libdevmapper tree nodes.
All users of device-mapper should upgrade to these updated packages, which resolve these issues and include these enhancements.

1.36. device-mapper-multipath

1.36.1. RHBA-2009:1645: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1645
Updated device-mapper-multipath packages that fix two bugs are now available.
The device-mapper-multipath packages provide tools to manage multipath devices by giving the device-mapper multipath kernel module instructions on what to do, as well as by managing the creation and removal of partitions for device-mapper devices.
This update addresses the following bugs:
* the udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#537761)
* when LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#538463)
Users are advised to upgrade to these updated device-mapper-multipath packages, which resolve these issues.

1.36.2. RHBA-2010:0255: bug fix and enhancement update

Updated device-mapper-multipath packages that fix several bugs and add various enhancements are now available.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.
This update applies the following bug fixes:
* The kpartx utility creates device maps from partition tables. Device-mapper devices with minor numbers greater than 255 caused kpartx to use the UUID from the wrong device when trying to create partitions. If the device had pre-existing partitions, kpartx would fail to create the new partitions. With this update, kpartx is now able to handle device-mapper devices with minor numbers greater than 255. (BZ#526550)
* The udev rules for device-mapper-multipath were causing device-mapper to occasionally create multipath devices without using the user specified uid, gid, or mode. They have been replaced with equivalent rules that do not cause this issue. (BZ#518575)
* When LUNs were unmapped from LSI storage arrays, the multipath rdac path checker was not marking the paths as failed. This caused IO to the device to hang instead of fail. The rdac path checker now marks unmapped LUNs as failed. (BZ#531744)
* The failover path grouping policy was not ordering the paths by priority, causing multipath to failover to the wrong path for devices with manual failback. The multipath paths are now correctly ordered with the failover path grouping policy. (BZ#537977)
* On some storage devices, if a LUN is deleted from an existing multipathd device, and a new LUN is presented to the host, it may end up with the same LUN ID and name as the old LUN. In this case, multipath will assume that this is the old LUN and belongs to the existing multipath device. This cause cause corruption. A new path checker "hp_tur" has been added that verifies the WWID of the LUN when it checks the path, to avoid this problem. (BZ#437585)
* The "tur" path checker was marking paths in standby mode as "failed". It now correctly marks them as "ghost". (BZ#473039)
* Multipath wasn't correctly showing device renames in dry-run mode. This has been fixed. (BZ#501019)
* Multipath was incorrectly setting the hardware handler for HP StorageWorks devices.This has been fixed. (BZ#475967)
* On some storage devices, multipath would display incorrect path information the first time multipath listed the paths after recovery. This has been fixed. (BZ#499080)
* If a path is removed while it is still part of a multipath device, it was taking multipath minutes to mark it as failed. This should now happen immediately at the end of the next path checking interval. (BZ#527754)
* the multipathd daemon needs constant access to /var/lib and /var/run. However it was not allowing any devices mounted under /var to be removed. Now it only keeps open what it needs. (BZ#532424)
* the multipath checker functions were not using the default scsi timeouts. Instead, each checker set its own timeout. Now all checker functions with explicit timeouts use the scsi timeout set it /sys/block/sd<x>/device/timeout by default. This can be changed by setting the "checker_timeout" option in /etc/multipath.conf(BZ#553042)
* Multipathd was printing extraneous error messages. This has been fixed. (BZ#472171, BZ#502128, BZ#524178)
* The multipath man page had some mistakes and missing information. This has been fixed. (BZ#481239, BZ#510331, BZ#554830)
* A locking error could cause multipathd to deadlock if it failed to create a multipath device correctly. This has been fixed (BZ #537281)
This update adds the following enhancements:
* Default configurations were added for more IBM, HP, SUN, and DELL devices. (BZ#504619i, BZ#512243, BZ#515171, BZ#517896, BZ#540882,
* The kpartx utility now supports DASDs devices with more then 65520 cylinders. (BZ#524009)
All users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.37. dhcp

1.37.1. RHBA-2010:0042: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0042
A dhcp update that fixes one memory leak is now available.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp package provides a relay agent and ISC DHCP service required to enable and administer DHCP on a network.
This update applies the following updates:
* a memory leak in the load_balance_mine() function caused dhcpd, the dhcp server, to leak approximately 20-30 octets per DHCPDISCOVER packet when the server was configured for failover and failover was in a normal state. This particular leak has been closed with this update. (BZ#552211)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still present. Please file a separate bug if DHCP appears to leak memory after applying this update.
All dhcp users should to apply this update which closes this memory leak.

1.37.2. RHBA-2010:0223: bug fix update

A dhcp update that fixes bugs is now available.
DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server.
These updated packages address the following issues:
* When a system running a dhclient received a very short lease (e.g a few seconds), it would constantly have to request a renewal of its lease. The system would spend so much time running the dhclient-script every time it made a request that it would become almost unresponsive. A patch has been added to the code, setting the minimum lease time to 60 seconds. By preventing very short lease times, the server no longer becomes unresponsive from an overload of renewal requests. (BZ#498658)
* When the $localClockFudge variable was empty, the /sbin/dhclient-script added an empty line to the /etc/ntp.conf file when renewing the DHCP lease. This caused the diff command to fail when there was no meaningful difference between the old and new files, thus restarting the NTP daemon unnecessarily. This put useless noise in the log files that get picked up by logwatch. This update provides a slight code change that configures the NTP daemon differently. The /etc/ntp.conf file now only runs if there is a useful value in the $localClockFudge variable. (BZ#532136)
* A memory leak in the load_balance_mine() function caused 20-30 octets per DHCPDISCOVER packet to be leaked when failover was in use and was in its normal state. This caused the performance of the server to be significantly diminished. This update fixes the memory leak in the load_balance_mine() function, allowing the server to perform correctly. (BZ#534117)
Note: depending on the specific DHCP setup on a given system, other memory leaks may still present. Please file a separate bug if DHCP appears to leak memory after applying this update.
* A syntax error was discovered in the code of the initscript for the dhcrelay. In the process of restarting, the service would shutdown, but the initscript would fail when attempting to start the service again. A patch has been added, correcting the syntax error in the code. This correction now allows the service to restart correctly. (BZ#555672)
Users are advised to upgrade to these updated dhcp packages which resolve these issues.

1.38. dhcpv6

1.38.1. RHBA-2010:0196: bug fix update

Updated dhcpv6 packages that resolve several issues are now available.
The dhcpv6 packages implement the Dynamic Host Configuration Protocol (DHCP) for Internet Protocol version 6 (IPv6) networks, in accordance with RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6). DHCP is a protocol that allows individual devices on an IP network to get their own network configuration information. It consists of: dhcp6c(8), the DHCPv6 client daemon; dhcp6s(8), the DHCPv6 server daemon; and dhcp6r(8), the DHCPv6 relay agent.
These updated packages fix the following bugs:
* previously, the DHCPv6 client was not removing the address assigned to an individual interface after it disconnected. Consequently, the interface kept the same IPv6 address after reconnection. In these updated packages a new IPv6 address is assigned to an interface after disconnecting and reconnecting. (BZ#466251)
* DHCPv6 request packets created by the DHCPv6 client did not contain the "IA" sub-field, which should contain the address advertised by the server. Consequently the DHCPv6 client might have encountered issues trying to interact with other DHCPv6 servers. With this update, the DHCPv6 client now correctly inserts the "IA" field, resolving this issue. (BZ#476974)
* previously, when the DHCPv6 client received the response after sending a "Confirm" message, the client decided if it needed to apply Duplicate Address Dectection (DAD) based on the type of the identity-association (IA) construct in the response. However, the reply from the DHCPv6 server does not always contain an IA in the reply message. Consequently, when running the DHCPv6 client for a second time, the client may have triggered a segmentation fault. In these updated packages, the DHCPv6 client now checks if the reply has an IA before deciding if DAD needs to be applied, resolving this issue. (BZ#515644)
All users of dhcpv6 are advised to upgrade to these updated packages, which resolve this issue.

1.39. dmidecode

1.39.1. RHEA-2009:1456: enhancement update

Note

This update has already been released (prior to the GA of this release) as errata RHEA-2009:1456
An updated dmidecode package that adds enhancements is now available.
The dmidecode package provides utilities for extracting x86 and ia64 hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package includes version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#520123)
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.

1.39.2. RHEA-2010:0303: enhancement update

An updated dmidecode package that provides enhancements is now available.
The dmidecode package provides utilities for extracting x86 and Intel Itanium hardware information from the system BIOS or EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, and asset tag.
It also often includes usage status for the CPU sockets, expansion slots (such as AGP, PCI, and ISA) and memory module slots, and a list of input and output ports (such as serial, parallel and USB).
This updated package applies the following enhancement:
* the previous version of the dmidecode package was based on an upstream version (2.9), which lacked support for various new hardware items. This updated package provides version 2.10, which updates support for SMBIOS specification version 2.6 and improves DDR3 memory reporting. It adds support for LGA1366 socket devices, decoding PCI-E Gen 2 slot IDs, and for a variety of processors, including the Intel Core i7 and Dual-Core Celeron and Xeon Dual-, Quad- and Multi-Core 3xxx, 5xxx and 7xxx series processors. (BZ#518562)
Users of dmidecode are advised to upgrade to this updated package, which includes this enhanced support.

1.40. dmraid

1.40.1. RHBA-2010:0286: bug fix update

Updated dmraid packages that fix several bugs are now available.
The dmraid packages contain the ATARAID/DDF1 activation tool. The tool supports RAID device discovery and RAID set activation, and displays properties for ATARAID/DDF1-formatted RAID sets on Linux kernels using the device-mapper utility.
These updated dmraid packages fix the following bugs:
* the dmraid-events package was installing the dmevent_syslogpattern.txt file to the /etc/logwatch/scripts/services directory. The dmevent_syslogpattern.txt file is used by the logwatch service to record event logs. SELinux does not allow write access to the /etc/logwatch/scripts/services directory, and as a result the logwatch service was prevented from updating the log file. The dmraid-events package has now been updated to install the log file at /var/cache/logwatch/dmeventd/syslogpattern.txt, and the log file is updated as expected. (BZ#513402)
* after a hard disk drive rebuild has been completed using dmraid, the LED lights on each disk belonging to the rebuilt RAID volume should turn off. Previously, if the rebuild was initiated manually using the 'dmraid -R' command, the light on the spare disk would remain illuminated, incorrectly indicating that the disk was still being built. When rebuilding automatically with the libdmraid-events library, the light would not remain lit as expected. The dmraid packages have been updated to turn off the light correctly after a manual disk rebuild, and the drive light now correctly indicates the drive state. (BZ#514497)
* dmraid binaries in the /sbin directory previously relied on libraries in the /usr directory. Since the /sbin directory typically only contains programs executed by the root user, reliance on libraries in the /usr directory could result in reference conflicts. The dmraid packages have been updated to no longer rely on the /usr directory, and library references are now improved. (BZ#516852)
* the dmraid-events-logwatch tool would take ownership of directories that were already owned by the logwatch package. This included the following directories:
* /etc/logwatch/conf * /etc/logwatch/conf/services * /etc/logwatch/scripts * /etc/logwatch/scripts/services
As a consequence, the dmraid-events-logwatch tool and the logwatch package would conflict. The dmraid-events-logwatch package has been updated to own only /etc/logwatch/scripts/services/dmeventd directory, and the conflict no longer arises with the logwatch package. (BZ#545876)
* modifications to Intel support in the libdmraid tool caused the SONAME field to change. This caused compatibility issues in python-pyblock symbolic links. The version number in the libdmraid tool's file name has been updated, which caused the dependencies to be automatically re- generated during the build process. The symbolic link is now repaired and there are no compatibility issues between libdmraid and python-pyblock. (BZ#556254)
* the pthread_mutex_trylock symbol was not being exported against the libpthread tool. As a consequence, the libdmraid-events-isw.so object would not be loaded during activation of a RAID5 volume library, reporting that pthread_mutex_trylock was an undefined symbol. Linking has now been added to the libpthread tool, and pthread_mutex_trylock is successfully referenced in the libdmraid-events-isw.so object. (BZ#567922)
All dmraid users should upgrade to these updated packages, which resolve these issues.

1.41. dogtail

1.41.1. RHBA-2010:0009: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0009
An updated dogtail package that fixes two bugs is now available.
Dogtail is an automation framework that uses accessibility technologies to communicate with desktop applications. Dogtail exposes desktop elements in a hierarchical interface. The dogtail package includes the GUI tools Script Recorder (dogtail-recorder) and AT-SPI Browser (sniff). Script Recorder creates Python scripts based on user actions and AT-SPI Browser is a graphical browser of the desktop elements hierarchy exposed by Dogtail.
This updated dogtail package fixes the following bugs:
* the destroyAbout function was undefined in the previous Dogtail release. Consequently, the Close button in the AT-SPI Browser About window (Help > About) did not work. This function is now properly defined; the showAbout function calls this function when the Close button is clicked; and the About window closes. Note: the close box in the title bar of the About window worked in both the earlier and current release. (BZ#250219)
* previously, the shebang lines in Dogtail's python scripts pointed to "/usr/bin/env python" rather than explicitly referencing the system-installed Python. This broke these scripts in the case of a user installing an alternative version of Python. With this update, all Dogtail's python scripts point explicitly to the system version at /usr/bin/python. (BZ#521339)
All dogtail users should upgrade to this updated package, which resolves these issues.

1.42. dosfstools

1.42.1. RHBA-2010:0007: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0007
An updated dosfstools package that fixes two bugs is now available.
The dosfstools package includes the mkdosfs and dosfsck utilities, which respectively make and check File Allocation Table (FAT) file systems on hard drives or on floppies.
This updated package provides fixes for the following bugs:
* when a FAT file system was created on a device-mapper device, if the drive geometry was not reported correctly to mkdosfs, the command printed it was "unable to get drive geometry" and was using the default drive geometry (255/63) instead. Because of an error, it did not, in fact, do this. Consequently, dosfslabel could not set a label for the newly-created file system. With this update, the error in the mkdosfs command was corrected: when the drive geometry is not correctly reported, mkdosfs now sets the drive geometry to the default values as per its message to STD OUT. Consequently, FAT file systems created with mkdosfs are now correct and dosfslabel can set its label. (BZ#249067)
* although dosfstools contains ELF objects, the dosfstools-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#469842)
All dosfstools users should upgrade to this updated package, which resolves these issues.

1.43. dstat

1.43.1. RHSA-2009:1619: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1619
An updated dstat package that fixes one security issue is now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Dstat is a versatile replacement for the vmstat, iostat, and netstat tools. Dstat can be used for performance tuning tests, benchmarks, and troubleshooting.
Robert Buchholz of the Gentoo Security Team reported a flaw in the Python module search path used in dstat. If a local attacker could trick a local user into running dstat from a directory containing a Python script that is named like an importable module, they could execute arbitrary code with the privileges of the user running dstat. (CVE-2009-3894)
All dstat users should upgrade to this updated package, which contains a backported patch to correct this issue.

1.44. e4fsprogs

1.44.1. RHBA-2010:0239: bug fix and enhancement update

Enhanced e4fsprogs packages that fix a bug are now available.
The e4fsprogs packages contain a number of utilities for creating, checking, modifying, and correcting inconsistencies in fourth extended (ext4 and ext4dev) file systems. e4fsprogs contains e4fsck (used to repair file system inconsistencies after an unclean shutdown), mke4fs (used to initialize a partition to contain an empty ext4 file system), tune4fs (used to modify file system parameters), and most other core ext4fs file system utilities.
The e4fsprogs packages have been upgraded to upstream version 1.41.9 for Red Hat Enterprise Linux 5.5. These updated packages contain several bug fixes over the previous version.
Important: These packages are now designed and intended to be installed alongside the original e2fsprogs package in Red Hat Enterprise Linux. As such, certain binaries in the e4fsprogs packages have been given new names. For example, the utility that checks ext4 file systems for consistency has been renamed to "e4fsck", thus allowing the original "e2fsck" program from the e2fsprogs package to coexist on the same system.
These updated e4fsprogs packages also include a fix for the following bug:
* pygrub did not understand fourth extended (ext4) /boot partitions, and so was unable to paravirtualize guest domains. e4fsprogs-devel and ev4sprogs-libs packages are provided with this update for pygrub and other applications that require the new ext4 capable e2fsprogs libraries. (BZ#528055)
All users of e4fsprogs are advised to upgrade to these updated packages, which resolve this issue.

1.45. elilo

1.45.1. RHEA-2010:0302: enhancement update

An updated elilo package that adds validation checks and error messages to the boot manager is now available.
ELILO is a Linux boot loader for Extensible Firmware Interface (EFI)-based systems, such as those running an Itanium CPU.RHSA-2009:1341
This update add the following enhancement:
* previously ELILO's boot manager, efibootmgr, returned only two error codes: "0" for success and "1" for failure. There are multiple reasons for the boot manager to fail, however, and diagnosing such failures was difficult with only one all-purpose error code. This update adds validation checks and error messages to identify boot manager failures depending upon the error condition encountered. Error messages now returned when efibootmgr fails include "partition is not valid"; "Failed to open extra arguments"; "Invalid hex characters in boot order" and others. (BZ#250327)
All elilo users should upgrade to this updated package, which adds this feature.

1.46. elinks

1.46.1. RHSA-2009:1471: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1471
An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags.
An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially-crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224)
It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially-crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027)
All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.

1.47. esc

1.47.1. RHBA-2010:0066: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0066
An updated esc package that fixes various bugs is now available.
The esc package contains the Smart Card Manager tool, which allows users to manage security smart cards. The primary function of the tool is to enroll smart cards, so that they can be used for common cryptographic operations, such as secure email and website access.
This updated esc package includes fixes for the following bugs:
* The Enterprise Security Client incorrectly identified CAC cards as CoolKey cards and mistakenly opened the Phone Home connection dialog. With this update, CoolKey correctly identifies CAC cards and assigns the correct functionality to them. With this fix, it is still possible to view certificates and diagnostics for CAC cards, though the management functions are now disabled. RHBA-2010:9263, a CoolKey update, must also be installed to fully resolve this issue. (BZ#467011)
* The Enterprise Security Client did not open the Phone Home connection dialog when a blank token was inserted. (BZ#514053)
* Removing a smart card when the Enterprise Security Client was open could cause the Enterprise Security Client to terminate abnormally. With this update, removing smart cards should no longer cause the Enterprise Security Client to crash. (BZ#517414)
* When creating a password for the Enterprise Security Client, using certain characters, such as the dollar sign and exclamation point, could cause a failure to enroll when entering the password later. This update fixes this problem so that using such symbols when creating passwords does not fail when attempting to enroll. (BZ#549540)
* When the Enterprise Security Client was using an external user interface for enrollment and the UI page could not be downloaded because of a disconnected network or similar problem, then the user could neither enroll nor was made aware of the source of the problem. With this update, when such a situation occurs, a descriptive error message is sent to the user. (BZ#549542)
* Inserting a CAC card into the computer causes the Enterprise Security Client to display an enabled "Enroll" button to the user erroneously because all management functions should be disabled for CAC cards. With this update, when a CAC card is entered, all management functions are disabled, including the "Enroll" function. (BZ#553661)
All users of the Enterprise Security Client are advised to upgrade to this updated package, which resolves these issues.

1.48. etherboot

1.48.1. RHBA-2010:0227: bug fix update

Updated etherboot packages that fix several bugs are now available.
Etherboot is a software package for creating ROM images (zrom files) that can download code over an Ethernet network to be executed on an x86 computer. Many network adapters have a socket where a ROM chip can be installed. Etherboot is code that can be put in such a ROM.
* the zrom file for use with NE2000-compatible Ethernet cards used by etherboot when network booting using such a card failed to obtain an IP address. Consequently network booting a system with an NE2000-compatible Ethernet card failed, returning an error as follows:
Probing pci nic... Probing isa nic... [NE*000]
With this update the zrom file used by etherboot has been updated and network booting a KVM guest via PXE using NE2000 network card emulation now succeeds as expected. (BZ#511912)
* Change glibc32 BuildRequires to file-based BuildRequires. (BZ#521901)
* Use update-alternatives to provide the common /usr/share/qemu-pxe-roms directory. (BZ#546016)
* Use 0644 permission on all rom files. (BZ#547773)
All etherboot users should install this update which addresses these issues.

1.49. ethtool

1.49.1. RHBA-2010:0279: bug fix and enhancement update

An enhanced ethtool package that fixes a number of minor issues is now available.
The ethtool utility allows the querying and changing of specific settings on network adapters. These settings include speed, port, link auto-negotiation settings and PCI locations.
This updated package adds the following enhancements:
* ethtool can now display all NIC speeds, not just 10/100/1000. (BZ#450162)
* the redundant INSTALL file has been removed from the package. (BZ#472034)
* the ethtool usage message has been fixed to not state that -h requires a DEVNAME. (BZ#472038)
* ethtool now recognizes 10000 as a valid speed and includes it as a supported link mode. (BZ#524241, BZ#529395)
All ethtool users should upgrade to this updated package which provides these enhancements.

1.50. evince

1.50.1. RHBA-2010:0195: bug fix update

An updated evince package that resolves various issues is now available.
evince is a GNOME-based document viewer.
This updated package resolves the following issues:
* fullscreen mode allows a user to view (in a maximized window) just the document and a single navigation toolbar. Previously, the function that handles the timeout of fullscreen mode was only made aware of the window, rather than the workspace. Consequently, if a user switched to a different workspace while fullscreen mode was enabled, the fullscreen toolbar would persist the top of the screen. With this update, the evince fullscreen toolbar no longer remains after changing workspaces, resolving this issue. (BZ#229173)
* when searching for a string in a document, evince may have miscalculated the scope of the search if a string appeared more than once on a single page. Consequently, if a user was stepping though the search results using the "Find Next" button, evince would not step past the page with multiple matches. With this update, evince now correctly searches the whole document, resolving this issue. (BZ#469379)
* previously, evince classified a single error dialog as a full running instance. Consequently, if an instance of evince contained only an error dialog, any document opened would appear that instance. This may have confused users, as documents were displayed in the workspace where the error dialog is located, rather than the current workspace. In this updated package, evince no longer treats a single error dialog as an opened document, resolving this issue. (BZ#504334)
* when rendering a page of a PDF document, evince displays a blank page, with just the text "Loading..." visible until the page is ready to be viewed. Previously, evince was not checking if the drawing area for the loading page could be allocated. Consequently, if a PDF document with large page dimensions was opened evince may have crashed, returning a segmentation fault. With this update, the drawing area for the loading page is now correctly allocated, resolving this issue. (BZ#499676)
All evince users are advised to upgrade to this updated package, which resolves these issues.

1.51. exim

1.51.1. RHBA-2009:1627: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1627
Updated exim packages that resolve several issues are now available.
Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail.
These updated exim packages provide fixes for the following bugs:
* The exim init script would return with error code 0 regardless of if the service had actually been started. An incorrect return code would be issued concerning the exim init script because of an unimplemented feature of the script. These bugs concerning the exim init script have been corrected by modifying it to return a value of 2 on an unsupported command, a return of 1 when the $NETWORKING parameter is set to no, returning the correct status error to the user and forcing the script to restart (using condrestart) when the status is not equal to 0.
* The default configuration referred to an undefined domain list causing errors when trying to relay email. The correct domain list of relay_to_domains is now utilized.
* Exim listened on all interfaces by default, whereas Sendmail and Postfix only listen on loopback by default. Administrators who would assume exim had default settings configured the same as Sendmail and Postfix may have introduced a security hole when installing exim. To correct this the code segment local_interfaces = <; 127.0.0.1 ; ::1; has been added to the default configuration; allowing Administrators to treat exim default settings the same as Sendmail and Postfix.
* Exim used to attempt generation of the certificate on installation instead of the first start, which could cause the installation to fail when the certificate could not be generated. Certificate generation is now undertaken upon the first start of exim after installation, allowing the installation to succeed.
All users of exim are advised to upgrade to these updated packages, which resolve these issues.

1.52. fetchmail

1.52.1. RHSA-2009:1427: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1427
An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections.
It was discovered that fetchmail is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666)
A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565)
A flaw was found in fetchmail. When fetchmail is run in double verbose mode ("-v -v"), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ("-d"). (CVE-2008-2711)
Note: when using SSL-enabled services, it is recommended that the fetchmail "--sslcertck" option be used to enforce strict SSL certificate checking.
All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the "fetchmail --quit" command to stop the fetchmail process).

1.53. filesystem

1.53.1. RHBA-2009:1481: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1481
An updated filesystem package that corrects the owners of certain directories is now available for Red Hat Enterprise Linux 5.
The filesystem package is one of the basic packages that is installed on a Red Hat Linux system. Filesystem contains the basic directory layout for the Linux operating system, including the correct permissions for directories.
This updated filesystem package fixes the following bug:
* a number of file system directories were unowned. This update corrects the ownership of the following directories: /usr/src/debug, /usr/src/kernels, several directories in /usr/share/man, /usr/share/locale and, under it, the LC_MESSAGES subdirectory for several locales. In addition, for the sake of consistency this updated filesystem package now owns, but does not create, the locale-specific man page directories located under /usr/share/man/[locale]. (BZ#487568)
All users of filesystem are advised to upgrade to this updated package, which resolves this issue.

1.54. firefox

1.54.1. RHSA-2010:0112: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0112
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
A use-after-free flaw was found in Firefox. Under low memory conditions, visiting a web page containing malicious content could result in Firefox executing arbitrary code with the privileges of the user running Firefox. (CVE-2009-1571)
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2010-0159, CVE-2010-0160)
Two flaws were found in the way certain content was processed. An attacker could use these flaws to create a malicious web page that could bypass the same-origin policy, or possibly run untrusted JavaScript. (CVE-2009-3988, CVE-2010-0162)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.18. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.18, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.2. RHSA-2009:1674: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1674
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3979, CVE-2009-3981, CVE-2009-3986)
A flaw was found in the Firefox NT Lan Manager (NTLM) authentication protocol implementation. If an attacker could trick a local user that has NTLM credentials into visiting a specially-crafted web page, they could send arbitrary requests, authenticated with the user's NTLM credentials, to other applications on the user's system. (CVE-2009-3983)
A flaw was found in the way Firefox displayed the SSL location bar indicator. An attacker could create an unencrypted web page that appears to be encrypted, possibly tricking the user into believing they are visiting a secure page. (CVE-2009-3984)
A flaw was found in the way Firefox displayed blank pages after a user navigates to an invalid address. If a user visits an attacker-controlled web page that results in a blank page, the attacker could inject content into that blank page, possibly tricking the user into believing they are viewing a legitimate page. (CVE-2009-3985)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.16. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.16, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.3. RHSA-2009:1530: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1530
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
A flaw was found in the way Firefox handles form history. A malicious web page could steal saved form data by synthesizing input events, causing the browser to auto-fill form fields (which could then be read by an attacker). (CVE-2009-3370)
A flaw was found in the way Firefox creates temporary file names for downloaded files. If a local attacker knows the name of a file Firefox is going to download, they can replace the contents of that file with arbitrary contents. (CVE-2009-3274)
A flaw was found in the Firefox Proxy Auto-Configuration (PAC) file processor. If Firefox loads a malicious PAC file, it could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3372)
A heap-based buffer overflow flaw was found in the Firefox GIF image processor. A malicious GIF image could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3373)
A heap-based buffer overflow flaw was found in the Firefox string to floating point conversion routines. A web page containing malicious JavaScript could crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-1563)
A flaw was found in the way Firefox handles text selection. A malicious website may be able to read highlighted text in a different domain (e.g. another website the user is viewing), bypassing the same-origin policy. (CVE-2009-3375)
A flaw was found in the way Firefox displays a right-to-left override character when downloading a file. In these cases, the name displayed in the title bar differs from the name displayed in the dialog body. An attacker could use this flaw to trick a user into downloading a file that has a file name or extension that differs from what the user expected. (CVE-2009-3376)
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3374, CVE-2009-3380, CVE-2009-3382)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.15. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.15, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.54.4. RHSA-2009:1430: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1430
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Mozilla Firefox is an open source Web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. nspr provides the Netscape Portable Runtime (NSPR).
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075)
A use-after-free flaw was found in Firefox. An attacker could use this flaw to crash Firefox or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3077)
A flaw was found in the way Firefox handles malformed JavaScript. A website with an object containing malicious JavaScript could execute that JavaScript with the privileges of the user running Firefox. (CVE-2009-3079)
Descriptions in the dialogs when adding and removing PKCS #11 modules were not informative. An attacker able to trick a user into installing a malicious PKCS #11 module could use this flaw to install their own Certificate Authority certificates on a user's machine, making it possible to trick the user into believing they are viewing a trusted site or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2009-3076)
A flaw was found in the way Firefox displays the address bar when window.open() is called in a certain way. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-2654)
A flaw was found in the way Firefox displays certain Unicode characters. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site. (CVE-2009-3078)
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.0.14. You can find a link to the Mozilla advisories in the References section of this errata.
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.0.14, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

1.55. firstboot

1.55.1. RHBA-2010:0314: bug fix update

Updated firstboot packages that fix a bug are now available.
The firstboot utility runs after installation. It guides the user through a series of steps that allows for easier configuration of the machine.
These updated packages address the following issue:
* Clicking [Change Network Configuration] from firstboot's network configuration page launched a separate network configuration window. If the user then clicked [Forward] on the still-visible main window, the separate configuration window became hidden behind the full-screen main window.
Further mouse-clicks would be ineffectual and it could appear to the user that the system had become unresponsive. It was necessary to use the alt+tab keys to reveal the hidden configuration window.
Code has been added to the networking.py source file to modify the behavior of the network configuration and main windows. Now the configuration window will stay on top if the user clicks outside its boundary. (BZ#511984)
Users are advised to upgrade to these updated packages, which resolve this issue.

1.56. freeradius

1.56.1. RHSA-2009:1451: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1451
Updated freeradius packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.
An input validation flaw was discovered in the way FreeRADIUS decoded specific RADIUS attributes from RADIUS packets. A remote attacker could use this flaw to crash the RADIUS daemon (radiusd) via a specially-crafted RADIUS packet. (CVE-2009-3111)
Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.

1.56.2. RHBA-2009:1678: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1678
Updated freeradius packages that fix a bug are now available.
FreeRADIUS is an Internet authentication daemon, which implements the RADIUS protocol, as defined in RFC 2865 (and others). It allows Network Access Servers (NAS boxes) to perform authentication for dial-up users. There are also RADIUS clients available for Web servers, firewalls, Unix logins, and more. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the amount of re-configuration which has to be done when adding or deleting new users.
This update addresses the following bug:
* an error in the EAP authentication module could cause memory corruption. Running the radeapclient utility would typically expose the problem. An error message including text such as this
*** glibc detected *** radeapclient: free(): invalid pointer:
presented and radeapclient would then abort abnormally. This update corrects the error in the EAP authentication module. The module no longer corrupts memory and applications such as radeapclient that use this module work as expected. (BZ#476513)
All freeradius users should install these updated packages, which fix this problem.

1.57. gail

1.57.1. RHBA-2009:1594: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1594
Updated gail packages that resolve an issue are now available.
GAIL, the GNOME Accessbility Implementation Library, implements the abstract interfaces found in the Accessibility Toolkit (ATK) for GTK+ and GNOME libraries, and thereby enables accessibility technologies such as AT-SPI (the Assistive Technology Service Provider Interface) to access GUI elements.
These updated gail packages fix the following bug:
* when starting a GNOME application at the shell prompt, the GAIL library incorrectly printed the following spurious error message when the "GNOME_ACCESSIBILITY" environment variable was set to "0", which disables GNOME accessibility support: "GTK Accessibility Module initialized". With this update, this message no longer appears when the "GNOME_ACCESSIBILITY" environment variable is set to "0". (BZ#506561)
All users of gail are advised to upgrade to these updated packages, which resolve this issue.

1.58. gcc

1.58.1. RHBA-2009:1533: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1533
A gcc update that resolves an option handling bug where only the last "-fno-builtin-*" option specified on the command line was honored is now available.
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.
This update fixes the following bug:
* if multiple "-fno-builtin-*" options were specified on the command line (for example, "-fno-builtin-iswalpha -fno-builtin-iswalnum") only the last option was honored (in the example, -fno-builtin-iswalnum). With this update, joined switches are no longer pruned, ensuring all such options are honored, as expected. (BZ#526421)
Users are advised to install this gcc update, which applies this fix.

1.58.2. RHSA-2010:0039: Moderate and gcc4 security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0039
Updated gcc and gcc4 packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gcc and gcc4 packages include, among others, C, C++, and Java GNU compilers and related support libraries. libgcj contains a copy of GNU Libtool's libltdl library.
A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application. (CVE-2009-3736)
All gcc and gcc4 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running Java applications using libgcj must be restarted for this update to take effect.

1.58.3. RHBA-2010:0232: bug fix update

A gcc update that resolves several compiler bugs is now available.
The gcc packages include C, C++, Java, Fortran, Objective C, and Ada 95 GNU compilers, along with related support libraries.
This update applies the following bug fixes:
* when compiling a debug version of a C++ program, it was possible for gcc to lose debug information for some local variables in C++ constructors or destructors. This was because gcc incorrectly released information on abstract functions (specifically, contents of the DECL_INITIAL() function), which are needed for creating debug information. With this release, nodes containing abstract functions are flagged accordingly to prevent gcc from prematurely discarding needed debug information. (BZ#513184)
* when issuing multiple -fno-builtin-* switches to gcc, gcc only registered the last switch. With this release, gcc can now register multiple -fno-builtin-* switches correctly. (BZ#515799)
* in some cases, aggregates returned by value could cause reload failures in the caller function, resulting in an internal compiler error. This was caused by a bug in the combining code that incorrectly lengthens the lifetime of a hard register. This update applies a patch to expand_call function in gcc/calls.c that resolves the issue. (BZ#516028)
* using g++ to compile code containing virtual inheritances could result in a segmentation fault. This was because the dynamic_cast code in gcc did not use src2dst hints as expected; as a result, g++ could search an unnecessarily large address list for possible bases. With this release, the dynamic_cast code now uses src2dst hints; this allows g++ to defer searching bases that don't overlap with a virtual inheritance's address. (BZ#519519)
* On PowerPC, it was possible for DWARF access to function parameters to fail. This was caused by a bug in the GCC instruction set for PowerPC, where compiling with -mno-sched-prolog could discard debug location lists. This update fixes the bug, ensuring consistent DWARF access to function parameters on PowerPC. (BZ#528792)
* The libgcc undwinder now supports DW_OP_swap handling. This update also fixes bugs in the way unwinding code handled unwind information from DW_OP_{gt,ge,lt,le} and DW_CFA_{remember,restore}_state. (BZ#555731)
All GCC users are advised to install this update.

1.59. gd

1.59.1. RHSA-2010:0003: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0003
Updated gd packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gd packages provide a graphics library used for the dynamic creation of images, such as PNG and JPEG.
A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546)
Users of gd should upgrade to these updated packages, which contain a backported patch to resolve this issue.

1.60. gdb

1.60.1. RHBA-2010:0285: bug fix update

An updated gdb package that fixes various bugs is now available.
The GNU Project debugger, GDB, debugs programs written in C, C++, and other languages by executing them in a controlled fashion, and then printing out their data.
With this update, GDB is now re-based to upstream version 7.0.1 (BZ#526533). This applies several bug fixes and enhancements not listed here. For a full description of this version, refer to the following link: http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/NEWS.diff?cvsroot=src&r1=t ext&tr1=1.259.2.1&r2=text&tr2=1.331.2.2&f=u
This update applies the following bug fixes:
* Printing values from a debugged program by dereferencing a pointer to an object of dynamic type printed out an error stating "Cannot resolve DW_OP_push_object_address for a missing object". Such pointers are produced by an unsupported iFort compiler, not by gfortran. With this update, GDB can now dereference pointers to objects of dynamic type, thereby correctly printing the dynamic Fortran arrays dereferenced from such pointers (as produced by the iFort compiler). (BZ#514287)
* Debugging a program with thousands of set breakpoints was unacceptably slow. This was because a previous patch introduced a mechanism that hid breakpoint instructions and returned "shadow" content whenever target_read_memory() accessed memory. The aforementioned patch was implemented upstream to be used with a "breakpoint always-inserted" option, which was not implemented in Red Hat Enterprise Linux version of GDB. But Red Hat Enterprise Linux version backported it to solve a problem on Itanium where instruction (and thus even breakpoint instruction) boundaries are not byte-aligned. This update reimplements the shadowing functionality using more optimal log(n) algorithm instead, which consequently prevents any unnecessary slowdown when processing programs with numerous set breakpoints. (BZ#520618)
* GDB incorrectly skipped OpenMP parallel sections (instead of entering them as expected) when using the "next" command. This was caused by missing DWARF annotations from GCC that made it possible for OpenMP parallel sections to be incorrectly classified as function calls. To address this, GDB contains special instructions to make OpenMP parallel sections indifferent to normal code, allowing GDB to step into parallel sections with "next" correctly. (BZ#533176)
* The GDB version banner now correctly displays "Red Hat Enterprise Linux" instead of "Fedora". (BZ#537788)
* GDB no longer obsoletes the pstack package. (BZ#550786)
* Loading symbols in STABS debug format could crash GDB. The STABS format is no longer supported, as Red Hat Enterprise Linux uses the debug format DWARF. With this update, loading symbols in STABS format no longer crashes GDB; instead, such symbols are simply loaded incorrectly. (BZ#553672)
* Adding GDB support for Fortran modules in previous releases introduced a regression which prevented GDB from setting breakpoints on a Fortran program's name. This was caused by a bug in the search routines used when "set language fortran" is enabled. This update fixes the regression. (BZ#559291)
* The Red Hat Enterprise Linux 5.5 version of GDB also contains a fix for an upstream GDB regression that prevented users from setting rwatch and awatch breakpoints before a program starts. This version of GDB implements a compatibility fix from GDB 6.8 to address the regression. (BZ#562770)
* A "break-by-name on inlined functions" feature introduced in Fedora GDB made it possible for parameters of inlined functions to be incorrectly hidden. Whenever this occurred during debugging, GDB printed "<optimized out>" in backtraces or upon entering such functions. In some cases, stepping through inlined functions could also abort GDB with an internal error. This release resolves the issue by removing the "break-by-name on inlined functions" feature altogether. (BZ#565601)
All GDB users should apply this update.

1.61. gfs-kmod

1.61.1. RHSA-2010:0291: Moderate security, bug fix and enhancement update

Updated gfs-kmod packages that fix one security issue, numerous bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.5, kernel release 2.6.18-194.el5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The gfs-kmod packages contain modules that provide the ability to mount and use GFS file systems.
A flaw was found in the gfs_lock() implementation. The GFS locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727)
These updated gfs-kmod packages are in sync with the latest kernel (2.6.18-194.el5). The modules in earlier gfs-kmod packages failed to load because they did not match the running kernel. It was possible to force-load the modules. With this update, however, users no longer need to.
These updated gfs-kmod packages also fix the following bugs:
* when SELinux was in permissive mode, a race condition during file creation could have caused one or more cluster nodes to be fenced and lock the remaining nodes out of the GFS file system. This race condition no longer occurs with this update. (BZ#471258)
* when ACLs (Access Control Lists) are enabled on a GFS file system, if a transaction that has started to do a write request does not have enough spare blocks for the operation it causes a kernel panic. This update ensures that there are enough blocks for the write request before starting the operation. (BZ#513885)
* requesting a "flock" on a file in GFS in either read-only or read-write mode would sometimes cause a "Resource temporarily unavailable" state error (error 11 for EWOULDBLOCK) to occur. In these cases, a flock could not be obtained on the file in question. This has been fixed with this update so that flocks can successfully be obtained on GFS files without this error occurring. (BZ#515717)
* the GFS withdraw function is a data integrity feature of GFS file systems in a cluster. If the GFS kernel module detects an inconsistency in a GFS file system following an I/O operation, the file system becomes unavailable to the cluster. The GFS withdraw function is less severe than a kernel panic, which would cause another node to fence the node. With this update, you can override the GFS withdraw function by mounting the file system with the "-o errors=panic" option specified. When this option is specified, any errors that would normally cause the system to withdraw cause the system to panic instead. This stops the node's cluster communications, which causes the node to be fenced. (BZ#517145)
Finally, these updated gfs-kmod packages provide the following enhancement:
* the GFS kernel modules have been updated to use the new generic freeze and unfreeze ioctl interface that is also supported by the following file systems: ext3, ext4, GFS2, JFS and ReiserFS. With this update, GFS supports freeze/unfreeze through the VFS-level FIFREEZE/FITHAW ioctl interface. (BZ#487610)
Users are advised to upgrade to these latest gfs-kmod packages, updated for use with the 2.6.18-194.el5 kernel, which contain backported patches to correct these issues, fix these bugs, and add this enhancement.

1.62. gfs-utils

1.62.1. RHBA-2010:0290: bug fix update

Updated gfs-utils packages that fix various bugs are now available.
The gfs-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS file systems.
The updated gfs-utils packages apply the following bug fixes:
* GFS: gfs_fsck sometimes needs to be run twice (BZ#509225) * gfs_fsck cannot repair rindex problems when directly on block device (BZ#512722) * gfs_fsck -n always returns 0 even if error is found (BZ#508978)
All users of gfs-utils should upgrade to these updated packages, which resolve these issues.

1.63. gfs2-utils

1.63.1. RHBA-2010:0287: bug fix update

Updated gfs2-utils packages that fix various bugs are now available.
The gfs2-utils packages provide the user-space tools necessary to mount, create, maintain and test GFS2 file systems.
The updated gfs2-utils packages apply the following bug fixes:
gfs2_edit segfault (BZ#503485) gfs2_edit produces unaligned access (BZ#503530) fsck.gfs2: Message printed to stderr instead of stdout (BZ#506682) gfs2_tool man page incorrectly references gfs2_mount (BZ#514939) GFS2: fsck.gfs2 sometimes needs to be run twice (BZ#500483) "fsck.gfs2: invalid option -- a" on boot when mounting root formatted as gfs2 (BZ#507596) GFS2: gfs2_fsck bugs found in rindex repair code (BZ#514018) GFS2: gfs2_edit fixes for 5.5 (BZ#503529) gfs2-utils fails rebuild test (BZ#515370) gfs2_edit -p block# shows wrong height/offset on gfs1 and segfaults on gfs2 (BZ#506343) fsck.gfs2 unable to fix some rindex corruption for block size < 4K (BZ#520762) GFS2: gfs2_edit savemeta not saving all extended attribute data (BZ#527770) GFS2: fsck.gfs2 should fix the system statfs file (BZ#539337) GFS2: gfs2_edit savemeta bugs (BZ#528786) quota file size not a multiple of struct gfs2_quota(BZ#536902) interrupted rgrp conversion does not allow re-converts (BZ#548585) Conversion of inodes that are of different metatree heights in gfs and gfs2 is incorrect (BZ#548588) Allow fsck.gfs2 to check RO mounted file systems (BZ#557128) GFS2: gfs2_convert should fix statfs file (BZ#556961) gfs2_convert doesn't convert jdata files correctly (BZ#545602) GFS2: fatal: invalid metadata block after gfs2_grow (BZ#546683)
All users of gfs2-utils should upgrade to these updated packages, which resolve these issues.

1.64. glibc

1.64.1. RHBA-2009:1634: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1634
Updated glibc packages that resolve several issues are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contains the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
These updated glibc packages provide fixes for the following bugs:
* when a thread calls the setuid() function, the change of credentials needs to be performed in every thread as per POSIX requirements. This update corrects the implementation to avoid a race condition which occurred when a thread terminated or a new thread was created while the credential change was performed. (BZ#533213)
* the implementation of the seg_timedwait() function, in assembler, incorrectly decremented the number of waiting threads stored in a block of memory when an invalid nanosecond value was passed through its second argument. This error is corrected in this update. (BZ#540475)
All users of glibc are advised to upgrade to these updated packages, which resolve these issues.

1.64.2. RHBA-2010:0050: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0050
Updated glibc packages that fix a race condition while loading shared libraries are now available
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contains the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
These updated glibc packages provide a fix for the following bug:
* a rarely-encountered and difficult-to-reproduce race condition existed between resolving dynamic symbols and loading shared libraries that could have resulted in library dependencies not being resolved. This update provides a fix that avoids the potential race condition. (BZ#548692)
All users are advised to upgrade to these updated packages, which resolve this issue.

1.64.3. RHBA-2010:0306: bug fix and enhancement update

Updated glibc packages that fix several bugs and add an enhancement are now available.
The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, the Linux system cannot function properly.
This update applies the following bug fixes:
* a race condition with seteuid() occured between the threads that run on starting the program, presenting the error "EUID is already set!" within 10 to 15 seconds. These updates provide exclusive processes running with no error on startup. (BZ#491995 and BZ#522528)
* assembler implementation of sem_timedwait() on x86/x86_64 wrongly decrements the number of waiting threads stored in block of memory pointed to by (sem_t *) when an invalid nanosecond argument is used. This fix allows the correct nanosecond argument to be passed through the second argument. (BZ#529997)
* a race condition in glibc, between _dl_lookup_symbol_x() and dlopen/dlclose/etc, resulted in a failure in resolving dependencies. These updates provide for processes that are exclusive. (BZ#547631)
This update also adds the following enhancement:
* glibc: incorporates a number of tests to detect corruption in data structures used for heap memory allocation (malloc/free). This corruption can be caused deliberately by attackers exploiting buffer overflow vulnerabilities. This enhancement provides additional corruption tests. (BZ#530107)
All users are advised to upgrade to this updated package, which resolves these issues and adds this enhancement.

1.65. gnome-vfs2

1.65.1. RHBA-2010:0317: bug fix update

An updated gnome-vfs2 package that fixes a bug is now available.
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture and ships with several modules that implement support for file systems, http, ftp, and others. It provides a URI-based API, backend supporting asynchronous file operations, a MIME type manipulation library, and other features.
* the gnome-vfs2 package would only work correctly on a system running Samba 3.0 packages, and could not be installed on a system running Samba 3.3 packages. The version of gnome-vfs provided with this advisory depends only on a small Samba subpackage, which is independent from other Samba packages. The gnome-vfs2 package can now be installed on a system running Samba 3.3 packages. (BZ#555642)
Users are advised to check the parallel Samba advisory RHBA-2009:9287.
Users are advised to upgrade to this updated gnome-vfs2 package, which resolves this issue.

1.65.2. RHBA-2010:0032: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0032
Updated gnome-vfs2 packages that resolve several issues are now available.
GNOME VFS is the GNOME virtual file system. It is the foundation of the Nautilus file manager. It provides a modular architecture, and ships with several modules that implement support for file systems and protocols such as HTTP and FTP, among others.
These updated gnome-vfs2 packages provide fixes for the following bugs:
* an unresolved symbol in the gnome-vfs2 library caused the system-config-network GUI application to be unable to start. (BZ#247522)
* client applications which used the gnome-vfs2 library were unable to search for certain paths because the search process ended as soon as it encountered a file or directory which it was unable to read. This update fixes this bug in gnome-vfs2 so that searches skip over unreadable files or directories and continue as expected.
Note: a future nautilus update will be released that properly fixes this bug in the Nautilus file manager. (BZ#432764)
* when attempting to move one or more files between two NFS mounts, the Nautilus file manager displayed a dialog box that stated: Error: "Not on the same file system." This error was caused by an EXDEV error in the gnome-vfs2 file module due to rename semantics. With this update, moving a file from one NFS mount to another succeeds as expected due to the implementation of a proper copy-and-delete fallback routine. (BZ#438116)
* attempting to open a supported document type represented by a symbolic link on an NFS share with the Evince document viewer failed with the following error message:
Unable to open document Unhandled MIME type: “application/octet-stream”
This update improves this behavior with a symbolic link check so that Evince is now able to successfully open a link to a supported document type when both the link and actual file are located on an NFS share. (BZ#481593)
* the gnome-vfs-daemon service reads the list of mounted devices at /proc/mounts upon startup. If one of the device paths was not valid UTF-8, gnome-vfs-daemon was disconnected by D-Bus when it attempted to communicate the path over the system message bus, at which time it exited. However, other GNOME applications would then attempt to restart gnome-vfs-daemon, at which time the same sequence of events reoccurred, leading to a potentially infinite loop and much extraneous CPU usage. With this update, gnome-vfs-daemon correctly converts the information provided by /proc/mounts into valid UTF-8 before communicating it via D-Bus, which prevents the possibility of gnome-vfs-daemon being disconnected, exiting, and being restarted in a continuous fashion. (BZ#486286)
* accessing a WebDAV share which contained a comma in its path name with the Nautilus file manager resulted in a "File not found" error. This update ensures that reserved characters in path names are properly escaped, and thus Nautilus is able to access such paths as expected. (BZ#503112)
All GNOME users are advised to upgrade to these updated packages, which resolve these issues. Running GNOME sessions must be restarted for the update to take effect.

1.66. gpart

1.66.1. RHBA-2009:1606: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1606
A gpart update that fixes a bug in the -debuginfo package is now available.
Gpart is a small tool which tries to guess what partitions are on a PC type harddisk in case the primary partition table was damaged.
This update addresses the following issue:
* although gpart contains ELF objects, the gpart-debuginfo package was empty. With this update the -debuginfo package contains valid debugging information as expected. (BZ#500598)
gpart users needing the gpart debuginfo package should install this upgraded package which fixes this problem.

1.67. gzip

1.67.1. RHSA-2010:0061: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0061
An updated gzip package that fixes one security issue is now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The gzip package provides the GNU gzip data compression program.
An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001)
Red Hat would like to thank Aki Helin of the Oulu University Secure Programming Group for responsibly reporting this flaw.
Users of gzip should upgrade to this updated package, which contains a backported patch to correct this issue.

1.68. hal

1.68.1. RHBA-2010:0256: bug fix update

Updated hal packages that fix various bugs are now available.
HAL is a daemon for collecting and maintaining information relating to hardware from several system sources.
The updated packages fix the following bugs:
* a sanity check in the HAL init script was incorrectly exiting with error code 0 when the script could not locate /usr/sbin/hald. The updated packages now contain a stronger sanity check, which returns the correct error code for a given condition. (BZ#238113)
* a missing FDI quirk parameter for IBM X31 laptops prevented the laptop monitor from switching off during suspension. The updated packages add an extra "merge" element to the X40/X30 FDI definition, which correctly sets the dpms_suspend power management attribute. (BZ#395991)
* a suspend hotkey combination (Fn+F1) used on Dell Latitude hardware was not mapped correctly. While the keycode sequence could be set manually, owners of Dell Latitude equipment experienced unnecessary inconvenience when attempting to suspend using the hotkey combination. The updated packages add the correct mapping rules, which enable the Fn+F1 key combination. (BZ#450326)
* when HAL checked for ttyS devices, it would abend if /sys/class/tty/ttyS* existed but /dev/ttyS* was removed or modified. Customers using two or more PCI serial port boards (with port extension) often implemented scripts to rename the port labels on the hardware to match the /dev/ttyS* node. HAL checks did not correctly cater for this scenario. The updated packages check whether serial device nodes have been manually removed. (BZ#486427)
* a missing HAL video quirk setting prevented IBM 4838-310 POS units from resuming correctly from S3 suspend state. The updated packages include a vbe_post quirk that corrects the suspend issue. (BZ#501726)
* an incorrect parameter in /etc/udev/rules.d/90-dm.rules prevented LUKS-formatted (encrypted) USB disks from automounting using GNOME. Customers had to mount the drive manually, or comment out the ignore_device line in 90-dm.rules to effect the change. The updated packages fully implement this workaround solution. (BZ#519645)
* a missing HAL suspend quirk parameter prevented owners of Lenovo ThinkPad T400 laptops (product key 2768A96) suspending and resuming a session from a previously suspended system. The issue presented on laptops with ATI Mobility Radeon HD 3400 Series chipsets (1002:95c4), or Intel Mobile 4 Series chipsets (8086:2a42). The updated packages fix the suspend issue by correctly specifying the --quirk-vbe-post option for T400 machines. (BZ#571925)
All hal users are advised to upgrade to these updated packages, which resolve these issues.

1.69. hmaccalc

1.69.1. RHBA-2010:0055: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0055
An updated hmaccalc package that fixes a self-test bug related to binary prelinking is now available.
The hmaccalc package contains tools to calculate HMAC (Hash-based Message Authentication Code) values for files. The names and interfaces were designed to mimic those of the sha1sum, sha256sum, sha384sum and sha512sum tools provided by the coreutils package.
This updated hmaccalc package fixes the following bug:
* each time one of the tools in the hmaccalc package is used, it performs a self-test by comparing the checksum of its own binary with the value which was computed when the binary package was built. However, if an hmaccalc binary had been prelinked using the "prelink" command, and that command was not located in one of the directories listed in the PATH environment variable, then that binary would be unable to use the prelink tool to verify the checksum against an unmodified copy of itself. This update contains a backported fix that allows hmaccalc to remember the location of the prelink command that was available at build time, and to be able to use it if necessary.
Note that this fix is required in order to build the Linux kernel with FIPS-compliance (Federal Information Processing Standards) enabled. (BZ#512275)
All users of hmaccalc are advised to upgrade to this updated package, which resolves this issue.

1.70. httpd

1.70.1. RHSA-2010:0168: Moderate security and enhancement update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0168
Updated httpd packages that fix two security issues and add an enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The Apache HTTP Server is a popular web server.
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed requests, which caused the back-end server to be marked as failed in configurations where mod_proxy is used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period (60 seconds by default) by sending specially-crafted requests. (CVE-2010-0408)
A use-after-free flaw was discovered in the way the Apache HTTP Server handled request headers in subrequests. In configurations where subrequests are used, a multithreaded MPM (Multi-Processing Module) could possibly leak information from other requests in request replies. (CVE-2010-0434)
This update also adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl will refuse to renegotiate a TLS/SSL connection with an unpatched client that does not support RFC 5746. This update adds the "SSLInsecureRenegotiation" configuration directive. If this directive is enabled, mod_ssl will renegotiate insecurely with unpatched clients. (BZ#567980)
Refer to the following Red Hat Knowledgebase article for more details about the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.70.2. RHSA-2009:1579: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1579
Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
The Apache HTTP Server is a popular Web server.
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation. (CVE-2009-3555)
Note: This update does not fully resolve the issue for HTTPS servers. An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information: http://kbase.redhat.com/faq/docs/DOC-20491
A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094)
A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095)
All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.70.3. RHBA-2010:0252: bug fix and enhancement update

Updated httpd packages that fix bugs and add enhancements are now available.
The Apache HTTP Server is a popular and freely-available Web server.
These updated httpd packages provide fixes for the following bugs:
* the mod_authnz_ldap module did not allow other modules to handle authorization if no LDAP-specific requirements were used in the "Require" directive. (BZ#448350)
* the httpd "init" script did not work correctly if the PidFile directive was removed from httpd.conf. (BZ#505002)
* mod_ssl would fail to complete a handshake if more the 85 CAs were configured using SSLCACertificateFile and/or SSLCACertificatePath. (BZ#510515)
* the "X-Pad" header used for compatibility with old browser implementations has been removed. (BZ#526110)
* mod_proxy_ajp could fail if uploading large files. (BZ#528640)
* .NET clients using the "Expect: 100-continue" header could cause spurious responses. (BZ#533407)
* the OID() function supported in mod_ssl's SSLRequire directive could not evaluate some extension types. (BZ#552942)
The following enhancements have also been made:
* the "DiscardPathInfo" flag (or "DPI") has been added to mod_rewrite. (BZ#517500)
* the AuthLDAPRemoteUserAttribute directive has been added to mod_authnz_ldap. (BZ#520838)
* the AuthLDAPDynamicGroups directive has been added to mod_authnz_ldap, to enable support for dynamic groups. (BZ#252038)
* the mod_substitute module is now included. (BZ#539256)
All Apache users should install these updated packages which address these issues.

1.71. hwdata

1.71.1. RHEA-2010:0197: enhancement update

An updated hwdata package that adds various enhancements is now available.
The hwdata package contains tools for accessing and displaying hardware identification and configuration data.
This updated package adds entries for the following devices to the Red Hat Enterprise Linux 5.4 pci.ids and usb.ids databases:
* Brocade 10G PCIe Ethernet Controller. (BZ#475712)
* Sequel Imaging Calibrator. (BZ#512050)
* Intel SerDes Gigabit Network Connection. (BZ#517100)
* Intel 10 Gigabit Dual Port Backplane Connection. (BZ#517131)
* Emulex OneConnect 10Gb iSCSI Initiator. (BZ#529449)
* Emulex OneConnect 10Gb NIC. (BZ#529453)
* Emulex OneConnect 10Gb FCoE Initiator. (BZ#529455)
* Mellanox Infiniband NICs. (BZ#529458)
* Intel Cougar Point. (BZ#566852)
* NC375T PCI Express Quad Port Gigabit Server Adapter. (BZ#569910)
Users of hwdata are advised to upgrade to this updated package, which adds these enhancements.

1.72. ia32el

1.72.1. RHBA-2010:0250: bug fix update

An ia32el update that fixes several bugs is now available.
ia32el is the IA-32 Execution Layer platform, which allows the emulation of IA-32 binaries on IA-64.
This updated package addresses the following issues:
* When using the -D_FILE_OFFSET_BITS=64 compile option, the platform would try to call syscall statfs64 (syscall id=268). Unfortunately, this was unsupported by the previous package. Instead, the platform would resort to statfs(), and the case would fail. This package adds support for syscall statfs64. The platform no longer resorts to statfs(), and works correctly. (BZ#514938)
* When SIGALRM invokes the signal handler, the ia32el application that installed the signal handler stops executing system calls in the correct order. This package adds a patch to the code that changes the conditions for the order of executing system calls, preventing the signal handler from affecting it. (BZ#515165)
* The ia32el did not pass the second, third and fourth offset arguments of the fadvise64() or fadvise64_64() system call methods to the kernel correctly because it was unable to handle 64-bit arguments for that system call. This meant that the offset arguments were not recognized as valid by the kernel. Support for 64-bit arguments has now been added. ( BZ#528590 )
* The clock_nanosleep() system call method's fourth argument (remaining time) retained old values when interrupted by signal (EINTR). This caused invalid values to return for this argument. This patch adds a validity check before the values are returned. ( BZ#528590 )
* The ia32el would not perform operations on the third argument of the sendfile() system call method correctly. As a result, after a successful system call, the offset argument would not be set to the value of the byte following the last byte read. This updated package contains a patch to correctly set the offset argument (during the system call). (BZ#528596)
* The ia32el previously broke the arguments of the sync_file_range() syscall. When the syscall was run, it would respond with an 'Invalid argument' error. A patch has been created that fixes the syntax error in the code. The ia32el now reads the sync_file_range() arguments correctly. (BZ#528597)
* When a NULL pointer was specified for the 2nd argument of the timer_create() syscall, the ia32el would pass the kernel a non-NULL pointer to uninitialized data instead, and the syscall would fail. This package provides a patch that adjusts the syntax of the code for the timer_create() syscall, so that the ia32el correctly interprets the NULL pointer. (BZ#528598)
* The NOTE offset and filesize of some core dumps of i386 processes running under ia32el were greater than the first LOAD offset according to 'readelf -l'. When this happened, the gdb couldn't read the core file. This package includes a patch that adjusts the size of the offset to greater than that of the NOTE offset and filesize. The gdb can now succesfully read the core file. (BZ#533269)
Users are advised to upgrade to this updated ia32el package which resolves these issues.

1.73. iasl

1.73.1. RHBA-2010:0226: bug fix and enhancement update

An updated iasl package that fixes a bug and introduces a feature enhancement is now available.
iasl compiles ASL (ACPI Source Language) into AML (ACPI Machine Language), which is suitable for inclusion as a DSDT in system firmware. It also can disassemble AML, for debugging purposes.
* the default version of iasl was old, and could not properly decode DMAR tables. This sometimes resulted in incorrect decoding. Updating to the latest version of the iasl package has corrected this behavior, and DMAR tables are now decoded correctly. (BZ#518109)
* the iasl package has been updated to the latest version. (BZ#518209)
Users are advised to upgrade to this updated iasl package, which resolves this issue.

1.74. inn

1.74.1. RHBA-2009:1509: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1509
Updated inn packages that resolve an issue are now available.
INN (InterNetNews) is a complete system for serving Usenet news and private newsfeeds. INN includes innd, an NNTP (NetNews Transport Protocol) server, and nnrpd, a newsreader that is spawned for each client. Both innd and nnrpd vary slightly from the NNTP protocol, but not in ways that are easily noticed.
These updated packages address the following issue:
* a PID file -- /var/run/news/innd.pid -- is created by the Internet News NNTP server, innd, at startup. If this file was not present when an attempt to stop innd was made, the service did not stop. With this update, the innd init script adds logic to stop innd with the killproc command if a "service innd stop" command is issued and innd.pid cann to be found. The updated init script also returns a message, "Stopping INND service (PID not found, the hard way)", in this case. (BZ#464916)
All inn users are advised to upgrade to these updated packages, which resolve this issue.

1.75. iproute

1.75.1. RHBA-2009:1520: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1520
An updated iproute package that fixes a bug is now available.
The iproute package contains networking utilities such as ip and rtmon, which use the advanced networking capabilities of the Linux 2.4 and 2.6 kernels.
This update addresses the following problem:
* if IPv6 was disabled, running the "ss" command resulted in a segmentation fault. A workaround was to run "ss -f inet". With this update the return value checks for net_*_open were fixed and the workaround is no longer necessary. The ss command again returns socket statistics as expected. (BZ#493578)
All iproute users are advised to upgrade to this updated package, which resolves this issue.

1.76. iprutils

1.76.1. RHEA-2010:0229: enhancement update

An enhanced iprutils package is now available.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by the ipr SCSI storage device driver.
This package upgrades iprutils to version 2.2.18, which includes:
* support for the Generation 2 SAS (serial attached SCSI) PCI-E card with SSD (solid-state drive) has been added to systems with the PowerPC 64 architecture. (BZ#512246)
* iprconfig is a utility for configuring and recovering IBM Power RAID storage adapters. The iprconfig utility previously reported an incorrect firmware level for enclosures when called from a command line on systems with the PowerPC 64 architecture. The firmware level was reported correctly in the iprconfig graphical user interface (GUI). The iprconfig utility has been updated to handle SES (SCSI enclosure services) devices the same in both the command line and GUI, and the firmware level for enclosures is now reported correctly. (BZ#532544)
Users with PowerPC 64 systems are advised to upgrade to this updated iprutils package, which adds these enhancements.

1.77. iptables

1.77.1. RHBA-2009:1539: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1539
Updated iptables packages that fix a bug are now available.
The iptables utility controls the network packet filtering code in the Linux kernel.
These updated packages fix the following bug:
* the memory alignment of ipt_connlimit_data was incorrect on x86-based systems. This update adds an explicit aligned attribute to the ipt_connlimit_data struct to correct this. (BZ#529687)
Users are advised to upgrade to these updated iptables packages, which resolve this issue.

1.78. iptstate

1.78.1. RHBA-2009:1676: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1676
An updated iptstate package that resolves an issue is now available.
The iptstate utility displays the states held by your stateful firewall in a top-like manner.
This updated iptstate package fixes the following bug:
* iptstate used a curses output function in single-run mode where curses is not used. Running "ipstate -s -S [address] -D [address]" caused ipstate to crash with a Segmentation Fault error. Note: running the command without the single-run mode switch (-s) did not crash. With this update, the bug is fixed and iptstate runs in single-run mode correctly, as expected. (BZ#474381)
All iptstate users should upgrade to this updated package, which resolves this issue.

1.79. ipw2200-firmware

1.79.1. RHEA-2010:0218: enhancement update

An enhanced ipw2200-firmware package is now available.
The ipw2200-firmware package contains the firmware files required by Intel PRO/Wireless 2200 network adapters.
The enhancement contains new open source 802.11a/bg drivers, which are compatible with ipw2200 drivers in the latest Red Hat Enterprise Linux kernels. (BZ#494492)
Users with hardware containing Intel PRO/Wireless 2220 network adapters are advised to install this enhancement.

1.80. iscsi-initiator-utils

1.80.1. RHBA-2010:0078: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0078
An updated iscsi-initiator-utils package that fixes a bug is now available.
The iscsi-initiator-utils package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
This updated iscsi-initiator-utils package fixes the following bug:
* removing the bnx2i module from the kernel, or running ifdown on the network interface being used by the bnx2i driver, and then reloading the kernel module or running ifup, did not result in automatic reconnection to SCSI sessions. As a workaround, the iscsid service had to be stopped and then restarted. With this update, SCSI sessions are automatically reconnected to after removing and reloading the bnx2i kernel module, or bringing the network interface down and then up again with ifdown and ifup. (BZ#549629)
All users of iscsi-initiator-utils are advised to upgrade to this updated package, which resolves this issue.

1.80.2. RHBA-2010:0293: bug fix and enhancement update

An updated iscsi-initiator-utils package that fixes various bugs and provides new enhancements is now available.
The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
The following bugs have been fixed in this release:
* There was a problem with the discovery mechanism when iSCSI ifaces were used with different initiator names. The sendtarget discovery feature was using the default name (/etc/iscsi/initiatorname.iscsi) instead of the iname in the iface. As a consequence, the wrong name was being used. The discovery mechanism has now been fixed so that it uses the iname in the iface. As a result, they are discovered correctly and the right names are used. (BZ#504666)
* chkconfig was being run on service start to enable and disable services. This was causing a number of problems, as it was broken on read-only root systems and it also recalculated dependencies, causing a change of ordering in /etc/rc whilst the system is running. To fix this issue, chkconfig has been removed from the package so these issues will no longer occur as a result. (BZ#511271)
* Removing the bnx2 modules or running ifdown on the network interface being used by bnx2i driver would result in the iSCSI sessions being disconnected. Reloading the module or running ifup would not reconnect the SCSI sessions. A patch has been added and, as a result, the iSCSI session now recovers after iconfig is brought down and back up. (BZ#514926)
* The iscsi initiator would fail to connect to a target when the bnx2i transport was being used. As a consequence, the log-in attempt would time out and fail. A fix has been made to the way in which MAC addresses are handled. As a result, users can now successfully log in. (BZ#520508)
* There was a small typographical error in the /usr/session_info.c print out, where "REOPEN" was incorrectly spelled as "REPOEN". This has now been corrected and the correctly spelled version of the word is output as a result. (BZ#531748).
The following enhancements have also been added in this release:
* The Broadcom iSCSI user-space components have been updated to support ipv6 and 10G components. As a result, a broader range of hardware is now supported. (BZ#517380)
* The /etc/init.d/iscsid file has been patched in order to support the ServerEngines be2iscsi driver As a result, this hardware is now available for utilization. (BZ#556984)
Users are advised to upgrade to this updated iscsi-initiator-utils package, which resolve these issues.

1.81. iwl3945-firmware

1.81.1. RHEA-2010:0219: enhancement update

An enhanced iwl3945-firmware package that works with the iwlwifi-3945 driver in the latest Red Hat Enterprise Linux kernel to enable support for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter is now available.
iwlwifi-3945 is a kernel driver module for the Intel PRO/Wireless 3945ABG/BG Network Connection Adapter (aka iwl3945 hardware). The iwlwifi-3945 driver requires firmware loaded on the device in order to function. The iwl3945-firmware package provides the iwl3945 driver with this required firmware and enables the driver to function correctly with iwl3945 hardware.
This updated iwl3945-firmware package adds the following enhancement:
* it is best to pair equivalent versions of these components in order to provide maximum compatibility between them. This update brings the firmware into line with the kernel driver included in the latest Red Hat Enterprise Linux kernel. (BZ#534100)
Intel PRO/Wireless 3945ABG/BG Network Connection Adapter users using the iwl3945 driver should upgrade to this updated package, which adds this enhancement.

1.82. iwl4965-firmware

1.82.1. RHEA-2010:0215: enhancement update

An enhanced iwl4965-firmware package is now available.
This package contains the firmware required by the iwl4965 driver for Linux.
* The firmware package has been enhanced to synchronize it with the latest version of the upstream Intel Wireless Wi-Fi Link 4965AGN driver (version 228.61.2.24). This upgrade brings about the following new functionality:
More graceful handling of Rx hangs (NMI) More reliable scanning A ten second pauses after association before power-down Receiver is now reset via re-tune after it misses beacons TGK measurement is now disabled when it receives a packet More reliable Tx with ACK/BA/CTS
As a result, the driver is now more reliable in a range of areas, scanning more efficiently and handling problems and interruptions better. (BZ#510757)
Users are advised to upgrade to this updated iwl4965-firmware package, which resolves this issue.

1.83. iwl5000-firmware

1.83.1. RHEA-2010:0216: enhancement update

An updated iwl5000-firmware package is now available.
The iwl5000-firmware package provides the iwlagn wireless driver with the firmware it requires in order to function correctly with iwlagn hardware.
This updated iwl5000-firmware package adds the following enhancement:
* the iwlagn driver and the iwl5000 firmware work together to provide proper wireless functionality. It is best to pair equivalent versions of these components in order to provide maximum compatibility between them, which this updated package provides. (BZ#501609)
Users of wireless devices which use iwl5000 firmware are advised to upgrade to this updated package, which adds this enhancement.

1.84. java-1.6.0-ibm

1.84.1. RHBA-2010:0327: bug fix update

Updated java-1.6.0-ibm packages that fix an issue with time zone information are now available for Red Hat Enterprise Linux 5 Supplementary.
IBM's 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.
These updated java-1.6.0-ibm packages fix a bug where the IBM Java 6 Runtime Environment did not recognize several time zones. (BZ#569623)
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, which contain new time zone data and therefore resolve this issue.

1.85. java-1.6.0-openjdk

1.85.1. RHSA-2009:1584: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1584
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language.
An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image files. An untrusted applet or application could use these flaws to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874)
An information leak was found in the JRE. An untrusted applet or application could use this flaw to extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet or application. (CVE-2009-3881)
It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)
A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an attacker using forged digital signatures to bypass authentication checks. (CVE-2009-3875)
Two denial of service flaws were found in the JRE. These could be exploited in server-side application scenarios that process DER-encoded (Distinguished Encoding Rules) data. (CVE-2009-3876, CVE-2009-3877)
An information leak was found in the way the JRE handled color profiles. An attacker could use this flaw to discover the existence of files outside of the color profiles directory. (CVE-2009-3728)
A flaw in the JRE with passing arrays to the X11GraphicsDevice API was found. An untrusted applet or application could use this flaw to access and modify the list of supported graphics configurations. This flaw could also lead to sensitive information being leaked to unprivileged code. (CVE-2009-3879)
It was discovered that the JRE passed entire objects to the logging API. This could lead to sensitive information being leaked to either untrusted or lower-privileged code from an attacker-controlled applet which has access to the logging API and is therefore able to manipulate (read and/or call) the passed objects. (CVE-2009-3880)
Potential information leaks were found in various mutable static variables. These could be exploited in application scenarios that execute untrusted scripting code. (CVE-2009-3882, CVE-2009-3883)
An information leak was found in the way the TimeZone.getTimeZone method was handled. This method could load time zone files that are outside of the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe the local file system. (CVE-2009-3884)
Note: The flaws concerning applets in this advisory, CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881 and CVE-2009-3884, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

1.86. java-1.6.0-sun

1.86.1. RHBA-2010:0072: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0072
Updated java-1.6.0-sun packages are now available for Red Hat Enterprise Linux 5.4 Supplementary.
The java-1.6.0-sun packages include the Sun Java 6 Runtime Environment, Sun Java 6 Software Development Kit (SDK), the source code for the Sun Java class libraries, the Sun Java browser plug-in and Web Start, the Sun JDBC/ODBC bridge driver, and demonstration files for the Sun Java 6 SDK.
These updated java-1.6.0-sun packages upgrade Sun's Java 6 SDK from version 1.6.0_17 to version 1.6.0_18, which provides fixes for a number of bugs. To view the release notes for the bug fixes included in this update, refer to the URL provided in the "References" section of this errata. (BZ#557418)
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which resolve these issues.

1.87. kdelibs

1.87.1. RHBA-2009:1464: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1464
Updated kdelibs packages that fix the bugs are now available.
The kdelibs packages contain a set of common libraries used by all applications written for the K Desktop Environment (KDE). kdelibs includes kdecore (KDE core library); kdeui (user interface); kfm (file manager); khtmlw (HTML widget); kio (input/output and networking); kspell (spelling checker); jscript (javascript); kab (addressbook); and kimgio (image manipulation).
This update addresses the following issue:
* the kde.sh shell script used the keyword "source". The pdksh (Public Domain Korn SHell) package, a new package in Red Hat Enterprise Linux 5.4, does not recognize the "source" keyword in shell scripts. Consequently, if pdksh was used as the shell on systems with KDE installed, the following error message was returned in login shells:
ksh: /etc/profile.d/kde.sh[7]: source: not found
The kde.sh shell script in this update has been edited with "source" replaced by "." The full stop keyword (.) is an alias for "source" in Bourne-compatible shells, including pdksh. Once installed, KDE users running the pdksh shell will no longer get the above error message. (BZ#523968)
Note: this bug was a known issue at the release of Red Hat Enterprise Linux 5.4 and a manual version of the fix included in this update was documented in the Red Hat Enterprise Linux 5.4 Technical Notes:
http://redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technical_No tes/Known_Issues-pdksh.html
If /etc/profile.d/kde.sh already exists, the new version included with this update is installed as /etc/profile.d/kde.sh.rpmnew.
Therefore, on systems where an extant kde.sh has been manually edited as per the Red Hat Enterprise Linux 5.4 Technical Notes, the manual fix is retained.
On systems where kde.sh already exists and the workaround has not been applied, however, installing this update does not, of itself, implement the fix. After installation on such systems, renaming kde.sh and kde.sh.rpmnew as follows will implement the fix:
cp /etc/profile.d/kde.sh /etc/profile.d/kde.sh.bak cp /etc/profile.d/kde.sh.rpmnew /etc/profile.d/kde.sh
All KDE and pdksh users should install this updated package which fixes this bug.

1.87.2. RHSA-2009:1601: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1601
Updated kdelibs packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
The kdelibs packages provide libraries for the K Desktop Environment (KDE).
A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689)
Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

1.88. kernel

1.88.1. RHSA-2011:0004: Important: kernel security, bug fix, and enhancement update

Important

This update has already been released as the security errata RHSA-2011:0004.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes:

  • A flaw was found in sctp_packet_config() in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could use this flaw to cause a denial of service. (CVE-2010-3432, Important)
  • A missing integer overflow check was found in snd_ctl_new() in the Linux kernel's sound subsystem. A local, unprivileged user on a 32-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3442, Important)
  • A heap overflow flaw in the Linux kernel's Transparent Inter-Process Communication protocol (TIPC) implementation could allow a local, unprivileged user to escalate their privileges. (CVE-2010-3859, Important)
  • An integer overflow flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-3865, Important)
  • A flaw was found in the Xenbus code for the unified block-device I/O interface back end. A privileged guest user could use this flaw to cause a denial of service on the host system running the Xen hypervisor. (CVE-2010-3699, Moderate)
  • Missing sanity checks were found in setup_arg_pages() in the Linux kernel. When making the size of the argument and environment area on the stack very large, it could trigger a BUG_ON(), resulting in a local denial of service. (CVE-2010-3858, Moderate)
  • A flaw was found in inet_csk_diag_dump() in the Linux kernel's module for monitoring the sockets of INET transport protocols. By sending a netlink message with certain bytecode, a local, unprivileged user could cause a denial of service. (CVE-2010-3880, Moderate)
  • Missing sanity checks were found in gdth_ioctl_alloc() in the gdth driver in the Linux kernel. A local user with access to "/dev/gdth" on a 64-bit system could use this flaw to cause a denial of service or escalate their privileges. (CVE-2010-4157, Moderate)
  • The fix for Red Hat Bugzilla bug 484590 as provided in RHSA-2009:1243 introduced a regression. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4161, Moderate)
  • A NULL pointer dereference flaw was found in the Bluetooth HCI UART driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4242, Moderate)
  • It was found that a malicious guest running on the Xen hypervisor could place invalid data in the memory that the guest shared with the blkback and blktap back-end drivers, resulting in a denial of service on the host system. (CVE-2010-4247, Moderate)
  • A flaw was found in the Linux kernel's CPU time clocks implementation for the POSIX clock interface. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-4248, Moderate)
  • Missing initialization flaws in the Linux kernel could lead to information leaks. (CVE-2010-3876, CVE-2010-4083, Low)
Red Hat would like to thank Dan Rosenberg for reporting CVE-2010-3442, CVE-2010-4161, and CVE-2010-4083; Thomas Pollet for reporting CVE-2010-3865; Brad Spengler for reporting CVE-2010-3858; Nelson Elhage for reporting CVE-2010-3880; Alan Cox for reporting CVE-2010-4242; and Vasiliy Kulikov for reporting CVE-2010-3876.
Bug Fixes:
BZ#651811
Kernel panic could occur when the gfs2_glock_hold function was called within the gfs2_process_unlinked_inode function. This was due to the fact that gfs2_glock_hold was being called without a reference already held on the inode in question. This update, resolves this problem by changing the order in which it acquires references to match that of the NFS code, thus, kernel panic no longer occurs.
BZ#651805
Running certain tests (exploiting the reclaiming of unlinked dinodes) could cause a livelock to occur which resulted in a GFS2 hang. This update fixes the problems with inodes getting stuck in certain states, thus, the hangs no longer occur.
BZ#646765
The HP ProLiant DL580 G5 Server is in the bfsort whitelist, however the HP ProLiant DL580 G7 Server was not. This caused the scripts running under HP ProLiant DL580 G7 Server to not work properly. With this update, the HP ProLiant DL580 G7 Server has been added to the bfsort whitelist.
BZ#652561
When removing a slave tg3 driver interface with vlan support from bond, a "scheduling while atomic" error (i.e. a thread has called the schedule() function during an operation which is supposed to be atomic, i.e uninterrupted) occurred and, consequently, the system encountered a deadlock. With this update, the aforementioned error no longer occurs and removing a slave tg3 driver interface works as expected.
BZ#651818
Loading a kernel module invokes various kstopmachine threads which repeat acquiring and releasing of each spinlock of their local run queue by calling the yield() function. If an interruption occurs at that time and its handler requires one of those spinlocks, the operation fails to acquire the lock and the system hangs up. With this update, run queue spinlock starvation is avoided, thus, the system no longer hangs.
BZ#643339
If an Intel 82598 10 Gigabit Ethernet Controller was configured in a way that caused peer-to-peer traffic to be sent to the Intel X58 I/O hub (IOH), a PCIe credit starvation problem occurred. As a result, the system would hang. With this update, the system continues to work and does not hang.
BZ#657028
Handling ALUA (Asymmetric Logical Unit Access) transitioning states did not work properly due to a faulty SCSI (Small Computer System Interface) ALUA handler. With this update, optimized state transitioning prevents the aforementioned behavior.
BZ#657029
Due to a null pointer dereference in the qla24xx_queuecommand function, a Red Hat Enterprise Linux 5.5.z QLogic Fibre Channel host would panic during I/O with controller faults. This update fixes the null pointer dereference, thus, the system no longer panics.
BZ#658934
Prior to this update, Red Hat Enterprise Linux 5 with the qla4xxx driver and FC (Fibre Channel) drivers using the fc class, a device might have been put in the offline state due to a transport problem. Once the transport problem was resolved, the device was not usable until a user manually corrected the state. This update enables the transition from the offline state to the running state, thus, fixing the problem.
BZ#657319
System could have crashed when the uhci_irq() function was called between the uhci_stop() and free_irq() functions. This update avoids the aforementioned crash and the system works as expected.
BZ#649255
On some bnx2-based devices, frames could drop unexpectedly. This was shown by the increasing rx_fw_discards values in the ethtool --statistics output. With this update, frames are no longer dropped and all bnx2-based devices work as expected.
BZ#647681
Prior to this update, balance-rr bonding did not work properly. This resulted in non-functioning network interfaces unless the the bond0 interface had the promiscuous mode enabled. With this update, network balance-rr bonding works as expected, thus, preventing the aforementioned issue.
BZ#658857
Prior to this update, the global dentry unused counter (nr_unused) failed to update properly. As a result, the counter would contain negative values. When trying to reference the counter, dcache would loop indefinitely. With this update, the nr_unused counter has been updated, thus, it now works properly and no longer causes indefinite loops.
BZ#653335
Previously, both GFS and GFS2 file systems performed poorly when compared to, for example, the ext3 file system. With this update, steps have been taken to ensure the best performance possible with the aforementioned file systems.
BZ#643344
Prior to this update, the execve utility exhibited the following flaw. When an argument and any environment data were copied from an old task's user stack to the user stack of a newly-execve'd task, the kernel would not allow the process to be interrupted or rescheduled. Therefore, when the argument or environment string data was (abnormally) large, there was no "interactivity" with the process while the execve() function was transferring the data. With this update, fatal signals (like CTRL-c) can now be received and handled and a process is allowed to yield to higher priority processes during the data transfer.
BZ#643347
A typographical error in the create_by_name() function tested an error pointer (ERR_PTR) against dentry instead of *dentry. If "*dentry" was an ERR_PTR, it would be dereferenced in either the mkdir() function or the create() function which could cause kernel panic. With this update, the typographical error has been fixed, thus, kernel panic no longer occurs in the aforementioned case.
BZ#658378
Updated partner qualification injecting target faults uncovered a flaw where the Emulex lpfc driver would incorrectly panic due to a null pnode dereference. This update addresses the issue and was tested successfully under the same test conditions without the panic occurring.
BZ#658864, BZ#658379
Updated partner qualification injecting controller faults uncovered a flaw where the Emulex lpfc driver panicked during error handling. With this update, kernel panic no longer occurs.
BZ#658079
Updated partner qualification injecting controller faults uncovered a flaw where Fibre Channel ports would go offline while testing with Emulex LPFC controllers due to a faulty LPFC heartbeat functionality. This update changes the default behavior of the LPFC heartbeat to off.
BZ#643345
Prior to this update, the netback driver failed to transition from the InitWait state to the Connected state after it was closed once. This was due to the fact that at the moment the netdev_state_change function was called, the interface was still down, so the NETDEV_CHANGE event was not called. This update makes sure the interface is up (via the NETDEV_UP event) and correctly changes the states.
BZ#648938
AMD64 hosts on Intel Xeon processor 7500 series machines panicked when installing a Red Hat Enterprise Linux 4.8 KVM guest. This was due to a faulty value being generated in the gso_size variable that did not conform to the specification. With this update, faulty values are no longer generated and kernel panic no longer occurs.
BZ#664416
Reading an empty file on an optional mount sync/noac of NFSv4 could cause kernel panic. This problem did not occur when an optional mount was set as a default. The kernel panic was caused by improperly setting the lock_context field in nfs_writepage_sync. With this update, the aforementioned issue has been fixed and kernel panic no longer occurs.
BZ#663353
Running certain tests, the system could crash due to an error in nfs_flush_incompatible. This was caused by problematic calls to the nfs_clear_context function. With this update, calls to the nfs_clear_context function work as expected and the system no longer crashes.
BZ#663381
Writing to a file on optional mount sync/noac of NFSv4 could cause kernel panic. This problem did not occur when an optional mount was set as a default. The kernel panic was caused by the lock_context field being added to the nfs_writedata but missing the functionality to be filled out in the nfs_writepage_sync codepath. With this update, a new function was added to properly handle the lock_context field, thus, kernel panic no longer occurs.
Enhancement:
BZ#658520
The sfc driver adds support for the Solarstorm SFC9000 family of Ethernet controllers.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.2. RHSA-2010:0839: Moderate: kernel security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0839
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* a NULL pointer dereference flaw was found in the io_submit_one() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-3066, Moderate)
* a flaw was found in the xfs_ioc_fsgetxattr() function in the Linux kernel XFS file system implementation. A data structure in xfs_ioc_fsgetxattr() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3078, Moderate)
* the exception fixup code for the __futex_atomic_op1, __futex_atomic_op2, and futex_atomic_cmpxchg_inatomic() macros replaced the LOCK prefix with a NOP instruction. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2010-3086, Moderate)
* a flaw was found in the tcf_act_police_dump() function in the Linux kernel network traffic policing implementation. A data structure in tcf_act_police_dump() was not initialized properly before being copied to user-space. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3477, Moderate)
* a missing upper bound integer check was found in the sys_io_submit() function in the Linux kernel asynchronous I/O implementation. A local, unprivileged user could use this flaw to cause an information leak. (CVE-2010-3067, Low)
Red Hat would like to thank Tavis Ormandy for reporting CVE-2010-3066, CVE-2010-3086, and CVE-2010-3067, and Dan Rosenberg for reporting CVE-2010-3078.
Bug fixes:
* previously, using 802.3ad link aggregation did not work properly when using the ixgbe driver. This was caused due to an inability to form 802.3ad-based bonds. With this update, the issue causing 802.3ad link aggregation to not work properly has been fixed. (BZ#644822)
* in an active/backup bonding network interface with vlans on top of it, when a link failed over, it took a minute for the multicast domain to be rejoined. This was caused by the driver not sending any IGMP join packets. With this update, the driver sends IGMP join packets and the multicast domain is rejoined immediately. (BZ#640973)
* in a two node cluster, the lock master of two folders can move 100 files from one folder to the other in less than 1 second. If a server is not the lock master for that folder, it would take that server 3-5 seconds to perform the same task on GFS1 (Global File System 1), and 30-50 seconds on GFS2 (Global File System 2). With this update, the aforementioned task takes less than 1 second on GFS1 and about 3 seconds on GFS2. (BZ#639073)
* previously, migrating a hardware virtual machine (HVM) guest with both, UP and PV drivers, may have caused the guest to stop responding. With this update, HVM guest migration works as expected. (BZ#630989)
* running the Virtual Desktop Server Manager (VDSM) and performing an lvextend during an intensive Virtual Guest power up caused this operation to fail. Since lvextend was blocked, all components became non-responsive: vgs and lvs commands froze the session, Virtual Guests became Paused or Not Responding. This was caused by a faulty use of a lock. With this update, performing an lvextend operation works as expected. (BZ#632255)
* previously, system board iomem resources, which were enumerated using the PNP Motherboard resource descriptions, were not recognized and taken into consideration when gathering resource information. This could have caused MMIO-based requests to receive allocations that were not valid. With this update, system board iomem resources are correctly recognized when gathering resource information. (BZ#629861)
* previously, disks were spinning up for devices in an Active/Passive array on standby path side. This caused long boot up times which resulted in SD devices to be all created before multipath was ready. With this update, a disk is not spun up if returning NOT_READY on standby path. (BZ#634977)
* a race in the PID generation caused PIDs to be reused immediately. This caused problems such as signaling or killing wrong processes accidentally, resulting in various application faults. With this update, the reuse of PIDs is detected and is no longer allowed. (BZ#638866)
* previously, Connectathon test cases performed on a z/OS NFSv4 server were regularly failing. While the file was being closed prior to the unlink call, the client did not wait for the close to complete before proceeding. This caused it to perform an inappropriate rename instead of unlinking the file, even though it was not required. With this update, removals on NFSv4 mounts should wait for outstanding close calls to complete before proceeding. (BZ#642628)
* previously, writing multiple files in parallel could result in uncontrollable fragmentation of the files. With this update, the methods of controlling fragmentation work as expected. (BZ#643571)
* a bug was found in the way the megaraid_sas driver (for SAS based RAID controllers) handled physical disks and management IOCTLs (Input/Output Control). All physical disks were exported to the disk layer, allowing an oops in megasas_complete_cmd_dpc() when completing the IOCTL command if a timeout occurred. One possible trigger for this bug was running mkfs. This update resolves this issue by updating the megaraid_sas driver to version 4.31. (BZ#619365)
* the RELEASE_LOCKOWNER operation has been implemented for NFSv4 in order to avoid an exhaustion of NFS server state IDs, which could result in an NFS4ERR_RESOURCE error. Furthermore, if the NFS4ERR_RESOURCE error is returned by the NFS server, it is now handled correctly, thus preventing a possible reason for the following error:
NFS: v4 server returned a bad sequence-id error!
* kernel panic occurred on a Red Hat Enterprise Linux 5.5 FC host with a QLogic 8G FC adapter (QLE2562) while running IO with target controller faults. With this update, kernel panic no longer occurs in the aforementioned case. (BZ#643135)
* recently applied patch introduced a bug, which caused the Xen guest networking not to work properly on 64-bit Itanium processors. However, this bug also revealed an issue, which may have led to a data corruption. With this update, both errors have been fixed, and Xen virtual guest networking now works as expected. (BZ#637220)
* an attempt to create a VLAN interface on a bond of two bnx2 adapters in two switch configurations resulted in a soft lockup after a few seconds. This was caused by an incorrect use of a bonding pointer. With this update, soft lockups no longer occurs and creating a VLAN interface works as expected. (BZ#630540)
* a Red Hat Enterprise Linux 4, 5, and 6 Xen HVM guest that uses PM timer for time keeping had the time drift backwards about 5 seconds per minute. This was caused by small inaccuracies in truncating in the pmt_update_time() function. With this update, time is kept accurately and no longer drifts backwards. (BZ#641915)
* various dasd_sleep_on functions use a global wait queue when waiting for a CQR (Channel Queue Request). Previously, the wait condition checked the status and devlist fields of the CQR to determine if it is safe to continue. This evaluation may have returned true, although the tasklet did not finish processing the CQR and the callback function had not been called yet. When the callback was finally called, the data in the CQR could have already been invalid. With this update, the sleep_on wait condition has a safe way to determine if the tasklet has finished processing, thus, preventing the aforementioned behavior. (BZ#638579)
* previously, receiving 8 or more different types of ICMP packets corrupted the kernel memory. This was caused by a flaw in net/ipv4/proc.c. With this update, kernel memory is no longer corrupted when receiving 8 or more different types of ICMP packets. (BZ#634976)
* on certain ThinkPad models, reading video output controls could lead to a hard-crash of X.org. This update restricts access permissions to /proc/acpi/ibm/video in order to prevent the aforementioned crash. (BZ#629241)
* under certain circumstances, an attempt to dereference a NULL pointer in the lpfc_nlp_put() function may have caused the system to crash. With this update, several changes have been made to ensure the correct reference count, resolving this issue. (BZ#637727)
* previously, running the dd command on an iSCSI device with the qla3xxx driver may have caused the system to crash. This error has been fixed, and running the dd command on such device no longer crashes the system. (BZ#637206)
* previously, a forward time drift was observed on 64-bit Red Hat Enterprise Linux 5 virtual guests which were using a PM timer based kernel tick accounting and running on KVM or HYPER-V hypervisor. Virtual guests that were booted with the divider=x kernel parameter set to a value greater than 1 and that showed the following line of text in the kernel boot messages were the subject of the aforementioned behavior:
time.c: Using 3.579545 MHz WALL PM GTOD PM timer
With this update, the fine grained accounting for the PM timer is introduced which eliminates the time difference issues. However, this flaw also uncovered a bug in the Xen hypervisor, possibly causing backward time drift. If Xen HVM guests are using the PM timer, it is suggested that the host uses the kernel-xen-2.6.18-194.21.1.el5 package or a newer version. (BZ#637069)
* with this update, the upper limit of log_mtts_per_seg was increased from 5 to 7, increasing the amount of memory that can be registered. Machines with larger memory are now able to register more memory. (BZ#643806)
* performing a Direct IO write operation to a file on an NFS mount did not work. With this update, the minor error in the source code was fixed and the Direct IO operation works as expected. (BZ#647601)
* a vulnerability was discovered in the 32-bit compatibility code for the VIDIOCSMICROCODE IOCTL (Input/Output Control) in the Video4Linux implementation. It does not affect Red Hat Enterprise Linux 5, but as a preventive measure, this update removes the code. Red Hat would like to thank Kees Cook for reporting this vulnerability. (BZ#642465, BZ#642470)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.3. RHSA-2010:0504: Important: kernel security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0504
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives detailed severity rating, is available from the CVE link after the description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* a NULL pointer dereference flaw was found in the Fast Userspace Mutexes (futexes) implementation. The unlock code path did not check if the futex value associated with pi_state->owner had been modified. A local user could use this flaw to modify the futex value, possibly leading to a denial of service or privilege escalation when the pi_state->owner pointer is dereferenced. (CVE-2010-0622, Important)
* a NULL pointer dereference flaw was found in the Linux kernel Network File System (NFS) implementation. A local user on a system that has an NFS-mounted file system could use this flaw to cause a denial of service or escalate their privileges on that system. (CVE-2010-1087, Important)
* a flaw was found in the sctp_process_unk_param() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to an SCTP listening port on a target system, causing a kernel panic (denial of service). (CVE-2010-1173, Important)
* a flaw was found in the Linux kernel Transparent Inter-Process Communication protocol (TIPC) implementation. If a client application, on a local system where the tipc module is not yet in network mode, attempted to send a message to a remote TIPC node, it would dereference a NULL pointer on the local system, causing a kernel panic (denial of service). (CVE-2010-1187, Important)
* a buffer overflow flaw was found in the Linux kernel Global File System 2 (GFS2) implementation. In certain cases, a quota could be written past the end of a memory page, causing memory corruption, leaving the quota stored on disk in an invalid state. A user with write access to a GFS2 file system could trigger this flaw to cause a kernel crash (denial of service) or escalate their privileges on the GFS2 server. This issue can only be triggered if the GFS2 file system is mounted with the "quota=on" or "quota=account" mount option. (CVE-2010-1436, Important)
* a race condition between finding a keyring by name and destroying a freed keyring was found in the Linux kernel key management facility. A local user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1437, Important)
* a flaw was found in the link_path_walk() function in the Linux kernel. Using the file descriptor returned by the open() function with the O_NOFOLLOW flag on a subordinate NFS-mounted file system, could result in a NULL pointer dereference, causing a denial of service or privilege escalation. (CVE-2010-1088, Moderate)
* a missing permission check was found in the gfs2_set_flags() function in the Linux kernel GFS2 implementation. A local user could use this flaw to change certain file attributes of files, on a GFS2 file system, that they do not own. (CVE-2010-1641, Low)
Red Hat would like to thank Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for responsibly reporting CVE-2010-1173; Mario Mikocevic for responsibly reporting CVE-2010-1436; and Dan Rosenberg for responsibly reporting CVE-2010-1641.
Bug fixes:
* hot-adding memory to a system with 4 GB of RAM caused problems with 32-bit DMA devices, which led to the system becoming unresponsive. With this update, the user is warned that more than 4 GB of RAM is being added to the system; however, memory exceeding 4 GB is not registered by the system. (BZ#587957)
* running two or more simultaneous write operations with the O_DIRECT flag, on two separate partitions of a single disk, resulted in the performance of each write being reduced. This could have caused a write slowdown of approximately 25% when running two simultaneous dd oflag=direct commands on two different partitions. This regression has been fixed in this update so that O_DIRECT write performance does not incur a performance penalty. (BZ#588219)
* the ethtool utility is used to display or change Ethernet card settings. It was not possible to enable Wake-on-LAN for network devices using the Intel PRO/1000 Linux driver which had Wake-on-LAN disabled in their EEPROM memory. With this update, the ethtool utility is able to enable Wake-on-LAN for Intel PRO/1000 network devices. (BZ#591493)
* the virtio balloon driver was able to access the virtual guest's kernel's reservation pools in order to satisfy a balloon request, which could have caused a kernel of the virtual guest to run out of memory when attempting to satisfy the host operating system's request to donate free memory pages. This has been fixed so that virtual guests do not run out of memory when guest memory usage is high. (BZ#591611)
* on the PowerPC architecture, the tg3 driver for Broadcom Corporation NetXtreme NICs that try to enable MSI failed to fall back to INTx mode when MSI initialization failed. With this update, the tg3 driver is able to fall back to INTx mode with cards that attempt to initialize MSI. (BZ#592844)
* when the power_meter module was unloaded or its initialization failed, a backtrace message was written to /var/log/dmesg that warned about a missing release() function. This error was harmless, and no longer occurs with this update. (BZ#592846)
* when an SFQ (Stochastic Fair Queuing) qdisc that limited the queue size to two packets was added to a network interface (for example, via tc qdisc add), sending traffic through that interface resulted in a kernel crash. With this update, such a qdisc no longer results in a kernel crash when sending traffic. (BZ#594054)
* when a system was configured using channel bonding in "mode=0" (round-robin balancing) with multicast, IGMP traffic was transmitted via a single interface. If that interface failed (due to a port, NIC or cable failure, for example), IGMP was not transmitted via another port in the group, thus resulting in packets for the previously-registered multicast group not being routed correctly. (BZ#594057)
* on NFS, the read(2) system call could have returned an unexpected EIO (input/output error) value. (BZ#594061)
* when an NFS server exported a file system with an explicit fsid=file_system_ID, an NFS client mounted that file system on one mount point and a subdirectory of that file system on a separate mount point, then if the server re-exported that file system after un-exporting and unmounting it, it was possible for the NFS client to unmount those mount points and receive the following error message: VFS: Busy inodes after unmount... Additionally, it was possible to crash the NFS client's kernel in this situation. (BZ#596384)
* Large-Receive Offload (LRO) is a performance optimization that enables the kernel to fetch and process, as a unit, more than one received packet from a network device. It was previously not possible to dynamically disable LRO for devices in a forwarding mode. This has been fixed with this update so that the kernel is able to dynamically disable LRO for devices in a forwarding state, or which had LRO turned on manually. (BZ#596385)
* when the Stream Control Transmission Protocol (SCTP) kernel code attempted to check a non-blocking flag, it could have dereferenced a NULL file pointer due to the fact that in-kernel sockets created with the sock_create_kern() function may not have a file structure and descriptor allocated to them. The kernel would crash as a result of the dereference. With this update, SCTP ensures that the file is valid before attempting to set a timeout, thus preventing a possible NULL dereference and consequent kernel crash. (BZ#598355)
* the e1000 and e1000e drivers for Intel PRO/1000 network devices were updated with an enhanced algorithm for adaptive interrupt modulation in the Red Hat Enterprise Linux 5.1 release. When InterruptThrottleRate was set to 1 (thus enabling the new adaptive mode), certain traffic patterns could have caused high CPU usage. This update provides a way to set InterruptThrottleRate to 4, which switches the mode back to the simpler and non-adaptive algorithm. Doing so may decrease CPU usage by the e1000 and e1000e drivers depending on traffic patterns. Note: You can change the InterruptThrottleRate setting using the ethtool utility by running the ethtool -C ethX rx-usecs 4 command. (BZ#599332)
* the Red Hat Enterprise Linux 5.5 kernel contained a fix for Red Hat Bugzilla number 548657 which introduced a regression in file locking behavior that presented with the General Parallel File System (GPFS). This update removes the redundant locking code. (BZ#599730)
* the Microsoft Server Virtualization Validation Test contains an IsVM component, which directs that applications should be able to determine if they are running inside a virtualized environment by performing a CPUID check. With this update, applications running on a Windows operating system are able to determine whether they are running inside a virtualized environment. (BZ#599734)
* issuing the sysctl -w vm.drop_caches=1 command on a system running a database backed by HugePages caused memory corruption errors. This update fixes this issue by ensuring that the HugePages "dirty bit" is properly set, with the result that corruption no longer occurs when dropping the virtual memory caches. (BZ#599737)
* input/output errors can occur due to temporary failures, such as multipath errors or losing network contact with an iSCSI server. In these cases, virtual memory attempts to retry the readpage() function on the memory page. However, the do_generic_file_read() function did not clear PG_error, which resulted in the system being unable to use the data in the page cache page, even if subsequent readpage() calls succeeded. With this update, the do_generic_file_read() function properly clears PG_error so that the page cache can be utilized in the case of input/output errors. (BZ#599739)
* calling the service iptables stop command causes the iptables init script to unload the netfilter modules. Because a clean-up code path was not taken, an endless loop occurred, which resulted in the init script becoming unresponsive. This update ensures that the clean-up code path is correctly taken, with the result that stopping the iptables service now works as expected. (BZ#600215)
* Red Hat Enterprise Linux 5.4 SMP guests running on the Red Hat Enterprise Virtualization Hypervisor may have experienced inconsistent time, such as the clock drifting backwards. This could have caused some applications to become unresponsive. (BZ#601080)
* the timer_interrupt() routine did not scale lost real ticks to logical ticks correctly. This could have caused time drift for 64-bit Red Hat Enterprise Linux 5 KVM (Kernel-based Virtual Machine) guests that were booted with the divider=x kernel parameter set to a value greater than 1. On the affected guest systems, warning: many lost ticks messages may have been logged. (BZ#601090)
* upon startup, the bnx2x network driver experienced a panic dump when more than one network interface was configured to start up at boot time. With this update, statistics counter initialization for function IDs greater than "1" has been disabled, with the result that bnx2x no longer panic dumps when more than one interface has the ONBOOT=yes directive set. (BZ#607087)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.4. RHSA-2010:0046: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0046
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* an array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation. (CVE-2009-3080, Important)
* a flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation. (CVE-2009-4021, Important)
* Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important)
* the Parallels Virtuozzo Containers team reported the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important)
* the RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate)
The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name.
* an information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode. (CVE-2009-2910, Moderate)
* the RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)
* permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver. (CVE-2009-3889, CVE-2009-3939, Moderate)
* a NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default. (CVE-2009-4138, Moderate)
* a buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low)
Bug fix documentation for this update will be available shortly from www.redhat.com/docs/en-US/errata/RHSA-2010-0046/Kernel_Security_Update/ index.html
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.5. RHSA-2010:0147: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0147
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* a NULL pointer dereference flaw was found in the sctp_rcv_ootb() function in the Linux kernel Stream Control Transmission Protocol (SCTP) implementation. A remote attacker could send a specially-crafted SCTP packet to a target system, resulting in a denial of service. (CVE-2010-0008, Important)
* a missing boundary check was found in the do_move_pages() function in the memory migration functionality in the Linux kernel. A local user could use this flaw to cause a local denial of service or an information leak. (CVE-2010-0415, Important)
* a NULL pointer dereference flaw was found in the ip6_dst_lookup_tail() function in the Linux kernel. An attacker on the local network could trigger this flaw by sending IPv6 traffic to a target system, leading to a system crash (kernel OOPS) if dst->neighbour is NULL on the target system when receiving an IPv6 packet. (CVE-2010-0437, Important)
* a NULL pointer dereference flaw was found in the ext4 file system code in the Linux kernel. A local attacker could use this flaw to trigger a local denial of service by mounting a specially-crafted, journal-less ext4 file system, if that file system forced an EROFS error. (CVE-2009-4308, Moderate)
* an information leak was found in the print_fatal_signal() implementation in the Linux kernel. When "/proc/sys/kernel/print-fatal-signals" is set to 1 (the default value is 0), memory that is reachable by the kernel could be leaked to user-space. This issue could also result in a system crash. Note that this flaw only affected the i386 architecture. (CVE-2010-0003, Moderate)
* missing capability checks were found in the ebtables implementation, used for creating an Ethernet bridge firewall. This could allow a local, unprivileged user to bypass intended capability restrictions and modify ebtables rules. (CVE-2010-0007, Low)
Bug fixes:
* a bug prevented Wake on LAN (WoL) being enabled on certain Intel hardware. (BZ#543449)
* a race issue in the Journaling Block Device. (BZ#553132)
* programs compiled on x86, and that also call sched_rr_get_interval(), were silently corrupted when run on 64-bit systems. (BZ#557684)
* the RHSA-2010:0019 update introduced a regression, preventing WoL from working for network devices using the e1000e driver. (BZ#559335)
* adding a bonding interface in mode balance-alb to a bridge was not functional. (BZ#560588)
* some KVM (Kernel-based Virtual Machine) guests experienced slow performance (and possibly a crash) after suspend/resume. (BZ#560640)
* on some systems, VF cannot be enabled in dom0. (BZ#560665)
* on systems with certain network cards, a system crash occurred after enabling GRO. (BZ#561417)
* for x86 KVM guests with pvclock enabled, the boot clocks were registered twice, possibly causing KVM to write data to a random memory area during the guest's life. (BZ#561454)
* serious performance degradation for 32-bit applications, that map (mmap) thousands of small files, when run on a 64-bit system. (BZ#562746)
* improved kexec/kdump handling. Previously, on some systems under heavy load, kexec/kdump was not functional. (BZ#562772)
* dom0 was unable to boot when using the Xen hypervisor on a system with a large number of logical CPUs. (BZ#562777)
* a fix for a bug that could potentially cause file system corruption. (BZ#564281)
* a bug caused infrequent cluster issues for users of GFS2. (BZ#564288)
* gfs2_delete_inode failed on read-only file systems. (BZ#564290)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.6. RHSA-2010:0019: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0019
Updated kernel packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
This update fixes the following security issues:
* a flaw was found in the IPv6 Extension Header (EH) handling implementation in the Linux kernel. The skb->dst data structure was not properly validated in the ipv6_hop_jumbo() function. This could possibly lead to a remote denial of service. (CVE-2007-4567, Important)
* a flaw was found in each of the following Intel PRO/1000 Linux drivers in the Linux kernel: e1000 and e1000e. A remote attacker using packets larger than the MTU could bypass the existing fragment check, resulting in partial, invalid frames being passed to the network stack. These flaws could also possibly be used to trigger a remote denial of service. (CVE-2009-4536, CVE-2009-4538, Important)
* a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. Receiving overly-long frames with network cards supported by this driver could possibly result in a remote denial of service. (CVE-2009-4537, Important)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.7. RHSA-2009:1670: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1670
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* NULL pointer dereference flaws in the r128 driver. Checks to test if the Concurrent Command Engine state was initialized were missing in private IOCTL functions. An attacker could use these flaws to cause a local denial of service or escalate their privileges. (CVE-2009-3620, Important)
* a NULL pointer dereference flaw in the NFSv4 implementation. Several NFSv4 file locking functions failed to check whether a file had been opened on the server before performing locking operations on it. A local user on a system with an NFSv4 share mounted could possibly use this flaw to cause a denial of service or escalate their privileges. (CVE-2009-3726, Important)
* a flaw in tcf_fill_node(). A certain data structure in this function was not initialized properly before being copied to user-space. This could lead to an information leak. (CVE-2009-3612, Moderate)
* unix_stream_connect() did not check if a UNIX domain socket was in the shutdown state. This could lead to a deadlock. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2009-3621, Moderate)
Knowledgebase DOC-20536 has steps to mitigate NULL pointer dereference flaws.
Bug fixes:
* frequently changing a CPU between online and offline caused a kernel panic on some systems. (BZ#545583)
* for the LSI Logic LSI53C1030 Ultra320 SCSI controller, read commands sent could receive incorrect data, preventing correct data transfer. (BZ#529308)
* pciehp could not detect PCI Express hot plug slots on some systems. (BZ#530383)
* soft lockups: inotify race and contention on dcache_lock. (BZ#533822,
* priority ordered lists are now used for threads waiting for a given mutex. (BZ#533858)
* a deadlock in DLM could cause GFS2 file systems to lock up. (BZ#533859)
* use-after-free bug in the audit subsystem crashed certain systems when running usermod. (BZ#533861)
* on certain hardware configurations, a kernel panic when the Broadcom iSCSI offload driver (bnx2i.ko and cnic.ko) was loaded. (BZ#537014)
* qla2xxx: Enabled MSI-X, and correctly handle the module parameter to control it. This improves performance for certain systems. (BZ#537020)
* system crash when reading the cpuaffinity file on a system. (BZ#537346)
* suspend-resume problems on systems with lots of logical CPUs, e.g. BX-EX. (BZ#539674)
* off-by-one error in the legacy PCI bus check. (BZ#539675)
* TSC was not made available on systems with multi-clustered APICs. This could cause slow performance for time-sensitive applications. (BZ#539676)
* ACPI: ARB_DISABLE now disabled on platforms that do not need it. (BZ#539677)
* fix node to core and power-aware scheduling issues, and a kernel panic during boot on certain AMD Opteron processors. (BZ#539678, BZ#540469,
* APIC timer interrupt issues on some AMD Opteron systems prevented achieving full power savings. (BZ#539681)
* general OProfile support for some newer Intel processors. (BZ#539683)
* system crash during boot when NUMA is enabled on systems using MC and kernel-xen. (BZ#539684)
* on some larger systems, performance issues due to a spinlock. (BZ#539685)
* APIC errors when IOMMU is enabled on some AMD Opteron systems. (BZ#539687)
* on some AMD Opteron systems, repeatedly taking a CPU offline then online caused a system hang. (BZ#539688)
* I/O page fault errors on some systems. (BZ#539689)
* certain memory configurations could cause the kernel-xen kernel to fail to boot on some AMD Opteron systems. (BZ#539690)
* NMI watchdog is now disabled for offline CPUs. (BZ#539691)
* duplicate directories in /proc/acpi/processor/ on BX-EX systems. (BZ#539692)
* links did not come up when using bnx2x with certain Broadcom devices. (BZ#540381)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.8. RHSA-2009:1548: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1548
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fixes:
* a system with SELinux enforced was more permissive in allowing local users in the unconfined_t domain to map low memory areas even if the mmap_min_addr restriction was enabled. This could aid in the local exploitation of NULL pointer dereference bugs. (CVE-2009-2695, Important)
* a NULL pointer dereference flaw was found in the eCryptfs implementation in the Linux kernel. A local attacker could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2908, Important)
* a flaw was found in the NFSv4 implementation. The kernel would do an unnecessary permission check after creating a file. This check would usually fail and leave the file with the permission bits set to random values. Note: This is a server-side only issue. (CVE-2009-3286, Important)
* a NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation. (CVE-2009-3547, Important)
* a flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel. pci_unmap_single() presented a memory leak that could lead to IOMMU space exhaustion and a system crash. An attacker on the local network could abuse this flaw by using jumbo frames for large amounts of network traffic. (CVE-2009-3613, Important)
* missing initialization flaws were found in the Linux kernel. Padding data in several core network structures was not initialized properly before being sent to user-space. These flaws could lead to information leaks. (CVE-2009-3228, Moderate)
Bug fixes:
* with network bonding in the "balance-tlb" or "balance-alb" mode, the primary setting for the primary slave device was lost when said device was brought down. Bringing the slave back up did not restore the primary setting. (BZ#517971)
* some faulty serial device hardware caused systems running the kernel-xen kernel to take a very long time to boot. (BZ#524153)
* a caching bug in nfs_readdir() may have caused NFS clients to see duplicate files or not see all files in a directory. (BZ#526960)
* the RHSA-2009:1243 update removed the mpt_msi_enable option, preventing certain scripts from running. This update adds the option back. (BZ#526963)
* an iptables rule with the recent module and a hit count value greater than the ip_pkt_list_tot parameter (the default is 20), did not have any effect over packets, as the hit count could not be reached. (BZ#527434)
* a check has been added to the IPv4 code to make sure that rt is not NULL, to help prevent future bugs in functions that call ip_append_data() from being exploitable. (BZ#527436)
* a kernel panic occurred in certain conditions after reconfiguring a tape drive's block size. (BZ#528133)
* when using the Linux Virtual Server (LVS) in a master and backup configuration, and propagating active connections on the master to the backup, the connection timeout value on the backup was hard-coded to 180 seconds, meaning connection information on the backup was soon lost. This could prevent the successful failover of connections. The timeout value can now be set via "ipvsadm --set". (BZ#528645)
* a bug in nfs4_do_open_expired() could have caused the reclaimer thread on an NFSv4 client to enter an infinite loop. (BZ#529162)
* MSI interrupts may not have been delivered for r8169 based network cards that have MSI interrupts enabled. This bug only affected certain systems. (BZ#529366)
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.9. RHSA-2009:1455: Moderate security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1455
Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
[Updated 23rd February 2010] This update adds references to two KBase articles that includes greater detail regarding some bug fixes that could not be fully documented in the errata note properly.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security fix:
* a NULL pointer dereference flaw was found in the Multiple Devices (md) driver in the Linux kernel. If the "suspend_lo" or "suspend_hi" file on the sysfs file system ("/sys/") is modified when the disk array is inactive, it could lead to a local denial of service or privilege escalation. Note: By default, only the root user can write to the files noted above. (CVE-2009-2849, Moderate)
Bug fixes:
* a bug in nlm_lookup_host() could lead to un-reclaimed file system locks, resulting in umount failing & NFS service relocation issues for clusters. (BZ#517967)
* a bug in the sky2 driver prevented the phy from being reset properly on some hardware when it hung, preventing a link from coming back up. (BZ#517976)
* disabling MSI-X for qla2xxx also disabled MSI interrupts. ( BZ#519782 )
* performance issues with reads when using the qlge driver on PowerPC systems. A system hang could also occur during reboot. (BZ#519783)
* unreliable time keeping for Red Hat Enterprise Linux virtual machines. The KVM pvclock code is now used to detect/correct lost ticks. (BZ#520685)
* /proc/cpuinfo was missing flags for new features in supported processors, possibly preventing the operating system & applications from getting the best performance. (BZ#520686)
* reading/writing with a serial loopback device on a certain IBM system did not work unless booted with "pnpacpi=off". (BZ#520905)
* mlx4_core failed to load on systems with more than 32 CPUs. ( BZ#520906 )
* on big-endian platforms, interfaces using the mlx4_en driver & Large Receive Offload (LRO) did not handle VLAN traffic properly (a segmentation fault in the VLAN stack in the kernel occurred). (BZ#520908)
* due to a lock being held for a long time, some systems may have experienced "BUG: soft lockup" messages under heavy load. (BZ#520919)
* incorrect APIC timer calibration may have caused a system hang during boot, as well as the system time becoming faster or slower. A warning is now provided. (BZ#521238)
* a Fibre Channel device re-scan via 'echo "---" > /sys/class/scsi_host/ host[x]/scan' may not complete after hot adding a drive, leading to soft lockups ("BUG: soft lockup detected"). (BZ#521239)
* the Broadcom BCM5761 network device could not to be initialized properly; therefore, the associated interface could not obtain an IP address via DHCP or be assigned one manually. (BZ#521241)
* when a process attempted to read from a page that had first been accessed by writing to part of it (via write(2)), the NFS client needed to flush the modified portion of the page out to the server, & then read the entire page back in. This flush caused performance issues. (BZ#521244)
* a kernel panic when using bnx2x devices & LRO in a bridge. A warning is now provided to disable LRO in these situations. (BZ#522636)
* the scsi_dh_rdac driver was updated to recognize the Sun StorageTek Flexline 380. (BZ#523237)
* in FIPS mode, random number generators are required to not return the first block of random data they generate, but rather save it to seed the repetition check. This update brings the random number generator into conformance. (BZ#523289)
* an option to disable/enable the use of the first random block is now provided to bring ansi_cprng into compliance with FIPS-140 continuous test requirements. (BZ#523290)
* running the SAP Linux Certification Suite in a KVM guest caused severe SAP kernel errors, causing it to exit. (BZ#524150)
* attempting to 'online' a CPU for a KVM guest via sysfs caused a system crash. (BZ#524151)
* when using KVM, pvclock returned bogus wallclock values. (BZ#524152)
* the clock could go backwards when using the vsyscall infrastructure. (BZ#524527)
See References for KBase links re BZ#519782 & BZ#520906 .
Users should upgrade to these updated packages, which contain backported patches to correct these issues. Reboot the system for this update to take effect.

1.88.10. RHSA-2010:0178: Important Red Hat Enterprise Linux 5.5 kernel security and bug fix update

Updated kernel packages that fix three security issues, address several hundred bugs, and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the fifth regular update.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
This update fixes the following security issues:
* a race condition was found in the mac80211 implementation, a framework used for writing drivers for wireless devices. An attacker could trigger this flaw by sending a Delete Block ACK (DELBA) packet to a target system, resulting in a remote denial of service. Note: This issue only affected users on 802.11n networks, and that also use the iwlagn driver with Intel wireless hardware. (CVE-2009-4027, Important)
* a flaw was found in the gfs2_lock() implementation. The GFS2 locking code could skip the lock operation for files that have the S_ISGID bit (set-group-ID on execution) in their mode set. A local, unprivileged user on a system that has a GFS2 file system mounted could use this flaw to cause a kernel panic. (CVE-2010-0727, Moderate)
* a divide-by-zero flaw was found in the ext4 file system code. A local attacker could use this flaw to cause a denial of service by mounting a specially-crafted ext4 file system. (CVE-2009-4307, Low)
These updated packages also include several hundred bug fixes for and enhancements to the Linux kernel. Space precludes documenting each of these changes in this advisory and users are directed to the Red Hat Enterprise Linux 5.5 Release Notes for information on the most significant of these changes:
All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which address these vulnerabilities as well as fixing the bugs and adding the enhancements noted in the Red Hat Enterprise Linux 5.5 Release Notes and Technical Notes. The system must be rebooted for this update to take effect.

1.88.10.1. Bug Fixes

The following is a list of the bugs that have been addressed in this kernel release, including causes, consequences, and fix results.
1.88.10.1.1. Generic Kernel Features
  • Add IRONLAKE support to AGP/DRM drivers. BZ#547908
  • PCI AER: HEST FIRMWARE FIRST support. BZ#547762
  • Extend tracepoint support. BZ#534178
  • Update ibmvscsi driver with upstream multipath enhancements. BZ#512203
    This update provides improved support for the ibmvscsi driver, including support for fastfail mode and improved multipathing support.
    This update is 64-bit PowerPC-specific.
  • amd64_edac: Add and detect ddr3 support. BZ#479070
  • Add scsi and libfc symbols to whitelist_file. BZ#533489
  • Extend KABI to support symbols that are not part of the current KABI. BZ#526342
  • libfc bug fixes and improvements. BZ#526259
  • Implement smp_call_function_[single|many] in x86_64 and i386. BZ#526043
    A number of updates now depend on the smp_call_function_single() and smp_call_function_many() functions. This update provides a single function that can refer to the appropriate function as required, thereby simplifying the creation of further updates.
  • Support the single-port Async device on p7 Saturn. BZ#525812
  • Backport open source driver for Creative X-Fi audio card. BZ#523786
  • [Intel 5.5 FEAT] Update PCI.IDS for B43 graphics controller. BZ#523637
  • Support physical CPU hotplug. BZ#516999
    This feature provides the functionality to add and remove CPU resources physically while the system is running.
    This feature applies to 32-bit x86, 64-bit Intel 64 and AMD64, and 64-bit Itanium2 architectures.
  • Include core WMI support and Dell-WMI driver. BZ#516623
  • [kabi] Add scsi_nl_{send_vendor_msg,{add,remove}_driver}. BZ#515812
  • Enable ACPI 4.0 power metering. BZ#514923
  • Add AER software error injection support. BZ#514442
  • Add support for Syleus chip to fschmd driver. BZ#513101
  • Implement support for DS8000 volumes. BZ#511972
  • Support Lexar ExpressCard. BZ#511374
  • Disable ARB_DISABLE on platforms where it is not needed. BZ#509422
    ARB_DISABLE is a NOP on all of the recent Intel platforms. For such platforms, this update reduces contention on the c3_lock by skipping the fake ARB_DISABLE.
    This lock is held on each deep C-state entry and exit and with 16, 32, and 64 logical CPUs in NHM EP, NHM EX platforms, this contention can become significant. Specifically on distributions that do not have tickless feature and where all CPUs may wake up around the same time.
  • Add zfcp parameter to dynamically adjust scsi_queue_depth size. BZ#508355
  • Add HP ipmi message handling to Red Hat Enterprise Linux 5. BZ#507402
  • Backport CONFIG_DETECT_HUNG_TASK to Red Hat Enterprise Linux 5. BZ#506059
    In some circumstances, tasks in the kernel may permanently enter the uninterruptible sleep state (D-State), making the system impossible to shut down. This update adds the Detect Hung Task kernel thread, providing the ability to detect tasks permanently stuck in the D-State.
    This new feature is controlled by the "CONFIG_DETECT_HUNG_TASK=" kernel flag. When set to "y", tasks stuck in the D-State are detected; when set to "n" it is off. The default value for the "CONFIG_DETECT_HUNG_TASK" flag is "y".
    Additionally, the "CONFIG_BOOTPARAM_HUNG_TASK_PANIC" flag has been added. When set to "y", a kernel panic is triggered when a task stuck in the D-State is detected. The default value for the "CONFIG_BOOTPARAM_HUNG_TASK_PANIC" flag is "n".
  • Add ability to access Nehalem uncore configuration space. BZ#504330
    Systems that don't use MMCONFIG have trouble when allocating resources by using a legacy PCI probe. As a result, the machine will hang during boot if the Disk PCI device is not properly initialized.
    This update reverts a patch that improves the PCI ID detection in order to detect the new PCI devices found on Nehalem machines. Consequently, the kernel will not hang on such machines. A different patch will be needed, however, when adding any driver that needs to see the non-core set of PCI devices on Nehalem.
  • When booted with P-state limit, limit can never be increased BZ#489566
  • Add do_settimeofday and __user_walk_fd BZ#486205
  • A bug was discovered where closing the lid on an HP6510b caused the system to crash. This was due to the system failing to run on CPU0. A patch was created to enable ACPI workqueues to run on CPU0, and this has been tested successfully. BZ#485016
  • Some applications (e.g., dump and nfsd) try to improve disk I/O performance by distributing I/O requests to multiple processes or threads by using the Completely Fair Queuing (CFQ) I/O scheduler. This application design negatively affected I/O performance, causing a large drop in performance under certain workloads on real queuing devices.
    The kernel can now detect and merge cooperating queues. Further, it can also detect if the queues stop cooperating, and split them apart again. I/O performance is no longer negatively affected by using the CFQ scheduler. BZ#427709 BZ#456181 BZ#448130
  • Enable CONFIG_DETECT_HUNG_TASK by default, but disable BOOTPARAM_xx by default
  • Only prompt for network configuration when required. BZ#506898
    Due to an unexpected side effect of a kernel change in Red Hat Enterprise Linux 5.4, the installer will prompt for the network configuration, regardless of whether these parameters appear in the PARM or CONF files.
    This flaw was addressed by removing the annotation of cmdline as __initdata. The installer no longer prompts for network configuration when not required.
1.88.10.1.2. Kernel Platform Enablement
1.88.10.1.2.1. BX-EX/MC Enablement Features
  • [Intel 5.5 FEAT] Make suspend-resume work on systems with lots of logical CPUs (Boxboro-EX). BZ#499271
  • [Intel 5.5 FEAT] Add ability to access Nehalem uncore config space 504330/539675
  • [AMD 5.5 Feat] Support Magny-cours topology 513684/539678
  • Red Hat Enterprise Linux 5.5: Power-aware Scheduler changes to support multiple node processors 513685/539680
  • Fix kernel panic while booting Red Hat Enterprise Linux 5 32-bit kernel on Magny-cours. BZ#522215
  • [Intel 5.5 FEAT] Oprofile: Add support for arch perfmon - kernel component BZ#523479
  • EXPERIMENTAL EX/MC: Xen NUMA broken on Magny-cours system Z. BZ#526051
  • [Intel 5.5 FEAT] Fix spinlock issue which causes performance impact on large systems. BZ#526078
  • EXPERIMENTAL EX/MC: Magny-cours topology fixes. BZ#526315
  • EXPERIMENTAL MC/EX: Issue when bringing CPU offline and online with 32-bit kernel. BZ#526770
  • EXPERIMENTAL MC/EX: Incorrect memory setup can cause Xen crash. BZ#526785
  • Fix AMD erratum - server C1E BZ#519422
  • EXPERIMENTAL EX/MC: AMD IOMMU Linux driver with latest BIOS has IO PAGE FAULTS 531469/539689
  • [Intel 5.5 BUG] NMI and Watchdog are not disabled on CPU when CPU is taken offline. BZ#532514
  • Boxboro-EX: multiple equal directory entries in /proc/acpi/processor BZ#537395
1.88.10.1.2.2. x86-specific Updates
  • Fix AMD Magny-Cours boot inside Xen on pre-5.5 hypervisor. BZ#560013
    A problem was found where Beta 1 of Red Hat Enterprise Linux 5.5 would fail to boot as a Xen guest on AMD Magny-Cours systems using a hypervisor other than the one included in Red Hat Enterprise Linux 5.5.
    This update provides a fix for this issue.
  • Support always running local APIC. BZ#496306
  • kvm: Mark kvmclock_init as cpuinit. BZ#523450
  • Fix stale data in shared_cpu_map cpumasks. BZ#541953
    This update was necessary to avoid possible kernel panic when performing frequent CPU online/offline operations.
1.88.10.1.2.3. x86_64-specific Updates
  • k8: Do not mark early_is_k8_nb as __init. BZ#567275
    This update addresses a problem with CPU hotplugging identified on AMD Magny-Cours machines.
  • Avoid deadlocks during MCE broadcasts. BZ#562866
  • Wire up compat sched_rr_get_interval. BZ#557092
    A problem was found where if a program that calls sched_rr_get_interval() is compiled on x86 and is executed on x86_64, it will destroy the user stack. This problem is solved by calling sys32_sched_rr_get_interval() instead of sys_sched_rr_get_interval() when sched_rr_get_interval() is called.
    This update includes a backport of an upstream patch to correct this problem.
  • Disable vsyscall in kvm guests. BZ#542612
    A problem was found on Red Hat Enterprise Linux 5.4 guests with PV clock enabled, where there is a large difference between the time returned by clock_gettime(CLOCK_REALTIME) and the time returned by gettimeofday(), even if a program executes one call right after the other.
    This update addresses the problem, which was traced to the use of vsyscall in kvm guests.
  • Resolve issue with SCTP messages arriving out of order. BZ#517504
    A problem was found where, under the right conditions, it was possible for packets to become re-ordered prior to the assignment of a Transmission Sequence Number (TSN) value. The conditions which caused this are the fact that multiple interfaces were used in transmission, where each had differing Path Maximum Transmission Unit (pmtu) values.
    This update addresses the problem with the SCTP stack that allowed this reordering to occur.
  • Cap kernel at 1024G on x86_64 systems.
  • Fix kernel crash when 1TB of memory and NUMA is used. BZ#523522
  • kvm: Allow kvmclock to be overwritten. BZ#523447
  • glibc should call pselect() and ppoll() on Itanium kernels. BZ#520867
  • Force Altix drivers to use 64-bit addressing. This update is Altix-specific. BZ#517192
    This update applies to the 64-bit Itanium2 architecture.
  • vsmp: Fix bit-wise operator and compile issue. BZ#515408
  • Fix hugepage memory tracking. BZ#518671
1.88.10.1.2.4. IBM S/390-specific Updates
  • qeth: Set default BLKT settings by OSA hw level. BZ#559621
    A problem was found where new hardware was being configured with values for old hw levels, because BLKT settings were not being set according to different hw levels.
    This update ensures that the BLKT settings are applied after the hw level has been probed.
  • Clear high-order bits after switching to 64-bit mode. BZ#546302
  • Fix single stepping on svc 0. BZ#540527
    A problem was found where if a system call number > 256 is single-stepped or svc 0 is single-stepped then the system call would not be executed. This update provides a solution to this problem.
  • DASD: Support DIAG access for read-only devices. BZ#537859
  • IUCV: Use correct output register in iucv_query_maxconn(). BZ#524251
    A problem was found where the system log contained kernel messages reporting that the IUCV "pathid" was greater than max_connections. This is because the wrong output register was used when querying the maximum number of IUCV connections.
    This update ensures that the correct output register is used, and this problem no longer occurs.
  • cio: Fix set online/offline processing failures. BZ#523323
    A problem was found where the set online or set offline routines failed for a DASD device. Afterwards this device could neither be set online nor offline.
    The set online, set offline, and related rollback and error routines are only processed if the device is in a FINAL or DISCONNECTED state.
  • DASD: Fail requests when device state is less then ready. BZ#523219
    A problem was found where in certain device mapper multipath/PPRC setups a DASD device gets quiesced and then set to the "basic" state to flush its queue and return all already queued requests back to the device mapper. It was possible that a request was queued after the device's state was set to basic, and so that request stayed queued, was not processed, and the device mapper was blocked waiting for it.
    This update ensures that all requests that arrive in such a state are returned as failed.
  • Set preferred IBM S/390 console based on conmode. BZ#520461
    A problem was found where if conmode was set to 3270 to enable the 3270 terminal device driver, kernel console messages were not displayed in the console view. This is because the default preferred console is set to "ttyS". For the 3270 terminal device driver, the preferred console must be set to "tty3270".
    This update introduces a new function to set the preferred console based on the specified conmode.
  • Optimize storage key operations for anonymous pages. BZ#519977
    A problem was found where removal of anonymous mappings resulted in poor performance. This update optimizes the instructions that are used for these operations.
  • CIO: set correct number of internal I/O retries. BZ#519814
    A problem was found where if a device has n paths and that device is not path-grouped, and an internal I/O command fails, then the control unit presents the error sense n times on each different path. Because CIO only performs five retries, devices with five or more paths run out of retries before their functional status can be correctly determined.
    This update increases the number of retries to 10 to prevent this problem from occurring.
  • Add module signing to IBM S/390 kernels. BZ#483665
  • Make CIO_* macros safe if dbfs are not available. BZ#508934
  • qeth: Improve no_checksumming handling for layer3. BZ#503238
  • qeth: Handle VSwitch Port Isolation error codes. BZ#503232
  • Implement AF_IUCV SOCK_SEQPACKET support. BZ#512006
    This update offers AF_IUCV datagram stream-oriented sockets in addition to the existing AF_IUCV byte stream-oriented sockets. SOCK_SEQPACKET provides a sequenced, reliable, two-way connection-based data transmission path for datagrams of fixed maximum length; a consumer is required to read an entire packet with each input system call.
  • Kernel parameters vmhalt, vmpanic, vmpoff and vmreboot are ignored. BZ#518229
    A problem was found where an obsolete function (__setup()) was being called twice. This update removes those function calls, and the affected kernel parameters now behave as expected.
1.88.10.1.2.5. Other Updates
  • [PowerPC] Fix "scheduling while atomic" error in alignment handler. BZ#543637
  • [powerpc] Handle SLB resize during migration. BZ#524112
  • Export additional CPU flags in /proc/cpuinfo BZ#517928
    Previously, /proc/cpuinfo only showed the original set of flags supported from the base kernel release. It did not include new features present in supported CPUs. This update addresses this problem, and applies to both x86 and x86_64 architectures.
  • This feature provides the ability for user level software monitoring the system for disabled cache indices and to explicitly disable them. BZ#517586
    This update applies to 32-bit x86 and 64-bit Intel 64 and AMD64 architectures.
  • Update ALSA HDA, snd-hda-intel driver. BZ#525390
  • Add Hudson-2 sb900 i2c driver. BZ#515125
  • Add fcocee npiv support to ibmvfc driver. BZ#512192
  • Add i3200 edac driver support. BZ#469976
1.88.10.1.3. Virtualization Updates
  • Fix module loading for virtio-balloon module. BZ#564361
  • VT-d: Ignore unknown DMAR entries. BZ#563900
  • kvm: Fix double registering of pvclock on i386. BZ#557095
  • Fix frequency scaling on Intel platforms. BZ#553324
  • Update to enable VF in Dom0. BZ#547980
  • Xen IOMMU fix for AMD M-C platforms with SATA set to IDE combined mode. BZ#544021
    AMD M-C systems, that is, Maranello platforms, have several SATA settings, for example, IDE, SATA AHCI, and SATA IDE combined mode. A problem was found with IOMMU when the SATA drive is in IDE combined mode that could prevent Red Hat Enterprise Linux 5.4 from booting properly when IOMMU is enabled. In some cases the SATA drive was not detected.
    This update implements a global interrupt remapping table, which is shared by all devices and provides better compatibility with certain old BIOSes, and prevents this problem from occurring.
  • Ensure a new xenfb thread is not created on every save/restore. BZ#541325
    A problem was found where an initial two xenfb threads were created for a save/restore operation for a live migration, followed by another two every time the guest was live migrated, or saved and restored.
    This update avoids creating further threads if one already exists.
  • PV guest crash on poweroff. BZ#540811
  • Call trace error when resuming from suspend to disk. BZ#539521
  • Add BL2xx and DL7xx to the list of ProLiant systems in xen/arch/x86/ioport_emulate.c in the Xen variants of Red Hat Enterprise Linux 5. BZ#536677
  • Mask out extended topology CPUID feature. BZ#533292
    On Intel Nehalem (55xx) dom0 hosts, booting Windows 2008 R2 64-bit domU resulted in a hang. This was caused by incomplete emulation of the CPUID instruction in hvm/xvm support.
    Because Xen guests do not need to know about extended topology, this update masks out that topology to prevent this problem from occurring.
  • Fix timedrift on VM with pv_clock enabled. BZ#531268
  • Use upstream kvm_get_tsc_khz() BZ#531025
  • Whitespace updates in Xen scheduler. BZ#529271
  • Xen panic in msi_msg_read_remap_rte with acpi=off. BZ#525467
  • Backport interrupt rate limiting. BZ#524747
  • RHEV: SAP SLCS 2.3 fails during install/import in a RHEV-H/KVM guest with PV KVM clock. BZ#524076
  • Mask out xsave and osxsave to prevent boot hang when installing HVM DomU. BZ#524052
    Attempting to boot a fully virtualized DomU with rawhide's 2.6.31-14.fc12.x86_64 for installation hangs almost immediately. A 32-bit HVM booted and installed successfully on a 32-bit host.
    This update masks out the xsave and osxsave bits to prevent this problem from occurring.
  • Enable display of the ida flag on Xen kernels. BZ#522846
    The ida flag, which indicates the presence of the Turbo Boost feature, was not seen in the cpuflags section of /proc/cpuinfo on Xen kernels. This occurred on both 32-bit and 64-bit Xen kernels.
    This update ensures that this flag is displayed when the Turbo Boost feature is present on Xen kernels.
  • Xen fails to boot on Itanium with > 128GB memory. BZ#521865
    A problem was found where attempting to boot a Xen kernel on Itanium systems with more than 128GB of RAM would result in a Xen panic. This problem was traced to a miscalculation of the Xen heap size.
    This update includes support for the xenheap_megabytes hypervisor option to address this problem. For example, if the installed memory exceeds 64GB, it is suggested to set the option to a value equal to the memory size in gigabytes. For example, on a system with 128GB of memory, the elilo.conf file should include the directive: append="xenheap_megabytes=128 --"
  • Fix SRAT check for discontiguous memory. BZ#519225
    A problem was found where Xen could ignore valid SRAT tables because it expects completely contiguous memory ranges, where the sum of the node memory is approximately equal to the address of the highest memory page. This is an incorrect assumption and prevents NUMA support from being enabled on some systems. This update addresses this assumption and prevents this problem from occurring.
  • Allow booting with broken serial hardware. BZ#518338
  • Fix for array out-of-bounds in blkfront. BZ#517238
  • Enable Xen to build on gcc 4.4. BZ#510686
  • Handle x87 opcodes in TLS segment fixup. BZ#510225
  • Implement fully preemptible page table teardown. BZ#510037
  • Fix timeout with PV guest and physical CDROM. BZ#506899
  • Fix SR-IOV function dependency link problem. BZ#503837
  • F-11 Xen 64-bit domU cannot be started with > 2047MB of memory. BZ#502826
  • x86: Make NMI detection work. BZ#494120
  • netback: call netdev_features_changed. BZ#493092
  • Invalidate dom0 pages before starting guest. BZ#466681
  • AMD IOMMU Xen pass-through support. BZ#531469
  • Add balloon driver for KVM guests. BZ#522629
  • Add AMD node ID MSR support. BZ#530181 BZ#547518
  • Provide pass-through MSI-X mask bit acceleration V3. BZ#537734
  • CD-ROM drive does not recognize new media. BZ#221676
  • kvmclock: fix incorrect wallclock value. BZ#519771
  • KMP for Xen kernel cannot be applied. BZ#521081
    A problem was found when creating KMP that includes the driver that uses the "pci_enable_msi/pci_disable_msi" function for the Xen kernel and applying it, error messages are printed out and KMP cannot be applied. This problem occurred on both i386 and x86_64 architectures.
    This update addresses this problem and these error messages no longer appear.
1.88.10.1.4. Network Device Drivers
  • mlx4: pass attributes down to vlan interfaces BZ#573098
  • r8169: fix assignments in backported net_device_ops BZ#568040
  • virtio_net: refill rx buffer on out-of-memory BZ#554078
  • be2net: critical bugfix from upstream BZ#567718
  • tg3: fix 5717 and 57765 asic revs panic under load BZ#565964
  • bnx2x: use single tx queue BZ#567979
  • igb: fix WoL initialization when disabled in eeprom BZ#564102
  • igb: fix warning in igb_ethtool.c BZ#561076
  • s2io: restore ability to tx/rx vlan traffic BZ#562732
  • ixgbe: stop unmapping DMA buffers too early BZ#568153
  • e1000e: disable NFS filtering capabilites in ICH hw BZ#558809
  • bnx2: update firmware and version to 2.0.8 BZ#561578
  • mlx4: fix broken SRIOV code BZ#567730
  • mlx4: pass eth attributes down to vlan interfaces BZ#557109
  • ixgbe: initial support of ixgbe PF and VF drivers BZ#525577
  • bnx2x: update to 1.52.1-6 firmware BZ#560556
  • ixgbe: prevent speculatively processing descriptors BZ#566309
  • tg3: fix 57765 LED BZ#566016
  • tg3: fix race condition with 57765 devices BZ#565965
  • forcedeth: fix putting system into S4 BZ#513203
  • netfilter: allow changing queue length via netlink BZ#562945
  • e1000e: fix deadlock unloading module on some ICH8 BZ#555818
  • Wireless fixes from 2.6.32.2, 2.6.32.3, 2.6.32.4, & 2.6.32.7 BZ#559711
  • be2net: latest bugfixes from upstream for Red Hat Enterprise Linux 5.5 BZ#561322
  • cxgb3: add memory barriers BZ#561957
  • igb: fix msix_other interrupt masking BZ#552348
  • niu: fix deadlock when using bondin BZ#547943
  • sky2: fix initial link state error BZ#559329
  • iptables: fix routing of REJECT target packets BZ#548079
  • niu: fix the driver to be functional with vlans BZ#538649
  • igb: update driver to support End Point DCA BZ#513712
  • tg3: update to version 3.106 for 57765 asic support BZ#545135
  • bonding: fix alb mode locking regression BZ#533496
  • e1000e: fix broken wol BZ#557974
  • fixup problems with vlans and bonding BZ#526976
  • ixgbe: upstream update to include 82599-KR support BZ#513707
  • be2net: multiple bug fixes BZ#549460
  • virtio_net: fix tx wakeup race condition BZ#524651
  • Add support for send/receive tracepoints. BZ#475457
  • wireless: fix build when using O=objdir BZ#546712
  • update tg3 driver to version 3.100 BZ#515312
  • e1000e: support for 82567V-3 and MTU fixes BZ#513706
  • bonding: add debug module option BZ#546624
  • ipv4: fix possible invalid memory access BZ#541213
  • s2io: update driver to current upstream version BZ#513942
  • wireless: report reasonable bitrate for 802.11n BZ#546281
  • mac80211: report correct signal for non-dBm values BZ#545899
  • wireless: Remove some unnecessary warning messages. mac80211: avoid uninit pointer dereference in ieee80211. BZ#545121
  • wireless: avoid deadlock when enabling rfkill BZ#542593
  • wireless: updates of mac80211 etc from 2.6.32 and wireless support updates from 2.6.32 BZ#456943, BZ#474328, BZ#514661 & BZ#516859
  • bnx2: update to version 2.0.2 BZ#517377
  • cnic: Update driver for Red Hat Enterprise Linux 5.5 BZ#517378
  • bnx2x: Update to 1.52.1-5, add support for bcm8727 phy, add support for bcm8727 phy, add mdio support, add firmware version 5.2.7.0 and update to 1.52.1. BZ#515716 & BZ#522600
  • mdio: Add mdio module from upstream and ethtool. Add more defines for mdio to use. Add the sfc (Solarflare) driver. BZ#448856
  • r8169: update to latest upstream for Red Hat Enterprise Linux 5.5 BZ#540582
  • benet: update driver to latest upstream for Red Hat Enterprise Linux 5.5 BZ#515269
  • e1000e: update and fix WOL issues BZ#513706, BZ#513930, BZ#517593 & BZ#531086
  • e1000: update to latest upstream for Red Hat Enterprise Linux 5.5 BZ#515524
  • mlx4: update to recent version with SRIOV support BZ#503113, BZ#512162, BZ#520674, BZ#527499, BZ#529396 & BZ#534158
  • ipv4: fix an unexpectedly freed skb in tcp BZ#546402
  • bnx2: fix frags index BZ#546326
  • netxen: further p3 updates for Red Hat Enterprise Linux 5.5 BZ#542746
  • netxen: driver updates from 2.6.31 and 2.6.32 BZ#516833
  • igb: update igb driver to support barton hills BZ#513710
  • enic: update to upstream version 1.1.0.100 BZ#519086
  • ipvs: synchronize closing of connections BZ#492942
  • cxgb3: fix port index issue and correct hex/decimal error BZ#516948
  • mlx4_en: add a pci id table BZ#508770
  • resolve issues with vlan creation and filtering BZ#521345
  • gro: fix illegal merging of trailer trash BZ#537876
  • ixgbe: add and enable CONFIG_IXGBE_DCA BZ#514306
  • ixgbe: update to upstream version 2.0.44-k2 BZ#513707, BZ#514306 & BZ#516699
  • call cond_resched in rt_run_flush BZ#517588
  • igb: add support for 82576ns serdes adapter BZ#517063
  • qlge: updates and fixes for Red Hat Enterprise Linux 5.5 BZ#519453
  • igb: fix kexec with igb controller BZ#527424
  • qlge: fix crash with kvm guest device passthrough BZ#507689
  • igb: set vf rlpml must take vlan tag into account BZ#515602
  • fix race in data receive/select BZ#509866
  • augment raw_send_hdrinc to validate ihl in user hdr BZ#500924
  • bonding: introduce primary_reselect option and ab_arp use std active slave select code BZ#471532
  • use netlink notifications to track neighbour states and introduce generic function __neigh_notify BZ#516589
  • sched: fix panic in bnx2_poll_work BZ#526481
  • bnx2i/cnic: update driver version for Red Hat Enterprise Linux 5.5 BZ#516233
  • cxgb3: bug fixes from latest upstream version BZ#510818
  • sunrpc: remove flush_workqueue from xs_connect BZ#495059
  • lvs: adjust sync protocol handling for ipvsadm -2 and for timeout values BZ#524129
  • igb and e100: return PCI_ERS_RESULT_DISCONNECT on failure BZ#514250
  • bnx2: apply BROKEN_STATS workaround to 5706/5708 BZ#527748
  • syncookies: support for TCP options via timestamps and tcp: add IPv6 support to TCP SYN cookies BZ#509062
  • e1000e: return PCI_ERS_RESULT_DISCONNECT on fail BZ#508387
  • e100: add support for 82552 BZ#475610
  • netfilter: honour source routing for LVS-NAT BZ#491010
  • Update r8169 driver to avoid losing MSI interrupts. BZ#514589
  • e1000 and ixgbe: return PCI_ERS_RESULT_DISCONNECT on fail BZ#508388 & BZ#508389
  • ipt_recent: sanity check hit count BZ#523982
  • ipv4: ip_append_data handle NULL routing table BZ#520297
  • fix drop monitor to not panic on null dev BZ#523279
  • ipv6: do not fwd pkts with the unspecified saddr BZ#517899
  • igbvf: recognize failure to set mac address BZ#512469
  • sunrpc client: IF for binding to a local address and set rq_daddr in svc_rqst on socket recv BZ#500653
  • tcp: do not use TSO/GSO when there is urgent data BZ#502572
  • vxge: new driver for Neterion 10Gb Ethernet and Makefile, Kconfig and config additions BZ#453683
  • 8139too: RTNL and flush_scheduled_work deadlock BZ#487346
  • icmp: fix icmp_errors_use_inbound_ifaddr sysctl BZ#502822
  • bonding: allow bond in mode balance-alb to work BZ#487763
  • rtl8139: set mac address on running device BZ#502491
  • tun: allow group ownership of TUN/TAP devices BZ#497955
  • tcp: do not use TSO/GSO when there is urgent data BZ#497032
  • A problem was found where if you set /proc/sys/net/ipv4/route/secret_interval to 0, you could not reset it to another value, and /bin/bash would hang on the echo.
    The timer reschedule path was updated to ensure that the rtnl lock is always released. The /proc/sys/net/ipv4/route/secret_interval can now be set to 0 and successfully reset to another value without causing /bin/bash to hang. BZ#510067
  • sky2: revert some phy power refactoring changes BZ#509891
  • bonding: tlb/alb: set active slave when enslaving BZ#499884
  • tg3: refrain from touching MPS BZ#516123
  • qlge: fix hangs and read performance BZ#517893
  • mlx4_en fix for vlan traffic BZ#514141
  • mlx4_en device multi-function patch BZ#500346
  • mlx4_core: fails to load on large systems BZ#514147
  • add DSCP netfilter target BZ481652#
1.88.10.1.5. Filesystem and Storage Management Updates
1.88.10.1.5.1. NFS-specific Updates
  • Fix a deadlock in the sunrpc code. BZ#548846
  • Ensure dprintk() macro works everywhere. BZ#532701
  • Fix stale nfs_fattr being passed to nfs_readdir_lookup() BZ#531016
  • Update nfs4_do_open_expired() to prevent infinite loops. BZ#526888
    A problem was found with nfs4_do_open_expired() that could lead to the reclaimer thread going into an infinite loop. This bug was triggered when the client received an NFS4ERR_DELAY from the server, and the exception.retry bit was set, enforcing a timeout. This bit was never reset to zero (0) when the server recovered, leading to an infinite loop.
    This update checks for server recovery and resets the exception.retry bit when appropriate, preventing the creation of this infinite loop.
  • nfsnobody == 4294967294 causes idmapd to stop responding BZ#519184
  • statfs on NFS partition always returns 0 BZ#519112
    A problem was found where statfs on NFS partitions always returned a zero (0) value, regardless of success or fail. On fail, statfs should return a negative number.
    This update corrects the problem so that statfs behaves as expected.
  • Read/Write NFS I/O performance was severely degraded by NFS synchronous write RPCs (FILE_SYNC) that occur when an application has a file open O_RDWR and is reading dirty pages. This read() system call triggered a flush of the dirty page to the server, using a 4096-byte synchronous write. The remote filesystem is mounted with an explicit async mount option, and the application does not open the file with O_SYNC or O_DSYNC flags.
  • Mounting with a rsize/wsize of 2048 (less than the 4096 page size) eliminates these synchronous writes, and dramatically improves I/O. BZ#498433
  • knfsd: query fs for v4 getattr of FATTR4_MAXNAME BZ#469689
  • Bring nfs4acl into line with mainline code BZ#479870
  • Add an nfsiod workqueue BZ#489931
  • nfsv4: Distinguish expired from stale stateID BZ#514654
  • Do an exact check of attribute specified BZ#512361
    In case ACLs are not supported in the underlying filesystem, this update enables the NFSv4 server to return NFS4ERR_ATTRNOTSUPP when ACL attributes are specified when creating a file.
  • Fix regression in nfs_open_revalidate BZ#511278
  • Fix cache invalidation problems in nfs_readdir BZ#511170
1.88.10.1.5.2. GFS-specific Updates
  • Fix kernel BUG when using fiemap. BZ#569610
  • Use correct GFP for allocating page on write. BZ#566221
    Allocation of memory during the write system call can trigger memory reclaim. This update ensures that the VM does not call back into the filesystem, resulting in a kernel OOPS. This problem is only seen in times of memory shortage on a node.
  • Filesystem mounted with ecryptfs_xattr option could not be written. BZ#553670
  • Filesystem consistency error in gfs2_ri_update. BZ#553447
  • Update O_APPEND to behave as expected. BZ#544342
    Previously, when using GFS2, if two nodes concurrently updated the same file, each node would overwrite the other node's data, as the file position for such a file was not being updated correctly. This issue only occurred when using open() with the O_APPEND flag, and then issuing a write() without first performing another operation on the inode, such as stat() or read().
  • Fix glock reference count issues. BZ#539240
  • Fix rename locking issue. BZ#538484
  • Enhance statfs and quota usability. BZ#529796
  • Cluster failures due to invalid metadata blocks. BZ#519049
    A problem was found with gfs2 filesystems where clusters would fail as a result of fatal filesystem withdrawal. This update provides a solution to that problem.
  • gfs2_delete_inode failing on RO filesystem. BZ#501359
  • Fix potential race in glock code. BZ#498976
  • GFS2 ">>" will not update ctime and mtime after appending to the file. BZ#496716
  • After gfs2_grow, new size is not seen immediately. BZ#482756
  • Add '-o errors=withdraw|panic' to GFS2 mount option. BZ#518106
  • mount.gfs hangs forever if concurrent umount of different gfs filesystems are performed. BZ#440273
1.88.10.1.5.3. CIFS-specific Updates
  • CIFS filesystem update, including: BZ#562947
    • Fix length calculation for converted Unicode readdir names.
    • Fix dentry hash calculation for case-insensitive mounts.
    • Do not make mountpoints shrinkable.
    • Ensure maximum username length check in session setup matches.
  • NULL out pointers when chasing DFS referrals. BZ#544417
  • Protect GlobalOplock_Q with its own spinlock to prevent crash in small_smb_init. BZ#531005
  • Add new options to disable overriding of ownership. BZ#515252
  • cifs: Enable dfs submounts to handle remote referrals. BZ#513410
  • httpd Sendfile problems reading from a CIFS share. BZ#486092
  • Don't use CIFSGetSrvInodeNumber BZ#529431
  • CIFS filesystem update, including: BZ#500838
    • Fix artificial limit on reading symlinks
    • Copy struct *after* setting port, not before
    • Add addr= mount option alias for ip=
    • Free nativeFileSystem before allocating new one
    • Fix read buffer overflow
    • Fix potential NULL deref in parse_DFS_referrals
    • Fix memory leak in ntlmv2 hash calculation
    • Fix broken mounts when an SSH tunnel is used
    • Avoid invalid kfree in cifs_get_tcp_session
1.88.10.1.5.4. Cluster-specific Updates
  • dlm: Fix connection close handling. BZ#521093
    A problem was found where a cluster would hang after a node rejoins from a simulated network outage. This update addresses the connection close handling problem that was the cause of the issue, and clusters now behave as expected in this situation.
1.88.10.1.5.5. Other Updates
  • Fix randasys crashes x86_64 systems regression. BZ#562857
  • proc: Make errno values consistent when race occurs. BZ#556545
  • Fix performance regression introduced by eventfd support. BZ#548565
    OLTP-type runs regressed by 0.5% due to the additional overhead in the aio_complete() code path.
    This update uses a bit in ki_flags to address this problem.
  • Fix possible inode corruption on unlock. BZ#545612
  • xfs: Fix fallocate error return sign. BZ#544349
    When issuing an fallocate call on xfs which results in insufficient space to complete, XFS returns "28" instead of "ENOSPC" - xfs uses positive errnos internally, and flips them before returning, but in this case it was missed.
    This update ensures the error number is inverted before being returned.
  • Skip inodes without pages to free in drop_pagecache_sb(). BZ#528070
  • Fix soft lockup problem with dcache_lock. BZ#526612
  • ext3: Replace lock_super with explicit resize lock. BZ#525100
    A problem was found where performing an online resize of an ext3 filesystem would fail. This update cross-ports a change developed for ext4 to address a similar problem.
  • Update MPT fusion 3.4.13rh BZ#516710
    The mtp base driver for devices using LSI Fusion MPT firmware has been updated to version 3.4.13rh. This update fixes many issues, most notably:
    • The serial attached SCSI (SAS) topology scan has been restructured, adding expander, link status and host bus adapter (HBA) events.
    • Intermittent issues caused by SAS cable removal and reinsertion have been fixed.
    • An issue where SATA devices received different SAS addresses has been fixed.
    • The device firmware now reports the queue full event to the driver and the driver handles the queue full event using the SCSI mid-layer.
  • Update MPT2SAS to 02.101.00.00 BZ#516702
    The mpt2sas driver that supports the SAS-2 family of adapters from LSI has been updated to version 02.101.00.00. This update fixes many issues, most notably:
    • Sanity checks have been added when volumes are added and removed, ignoring events for foreign volumes.
    • The driver is now legacy I/O port free.
    • An issue that may have resulted in a kernel OOPS at hibernation or resume has been fixed.
  • Fix online resize bug while using resize2fs BZ#515759
  • ENOSPC during fsstress leads to filesystem corruption on ext2, ext3, and ext4 BZ#515529
  • Bring putpubfh handling inline with upstream BZ#515405
  • Address file write performance degradation on ext2 file systems BZ#513136
    When file write performance is measured using the iozone benchmark test, the performance of Red Hat Enterprise Linux 5.4 GA Snapshot1 is about 40% lower than the performance of Red Hat Enterprise Linux 5.3 GA in some cases. File read performance of 5.4 GA Snapshot1 is almost the same as 5.3 GA.
    This problem occured on both i386 and x86_64, however i386 performance degradation seemed to be worse compared to x86_64.
    This update converts ext2 to the new aops.
  • getdents() reports /proc/1/task/1/ as DT_UNKNOWN BZ#509713
  • Do not return invalidated nlm_host BZ#507549
  • Make NR_OPEN tunable BZ#507159
  • Free journal buffers on ext3 and ext4 file systems after releasing private data belonging to a mounted filesystem BZ#506217
  • Prevent Genesis from getting stuck in a loop writing to an unlinked file BZ#505331
  • Fix inode_table test in ext{2,3}_check_descriptors BZ#504797
  • Support origin size < chunk size BZ#502965
  • smbd proccess hangs with flock call BZ#502531
  • inotify: fix race BZ#499019
  • Don't allow setting ctime over v4 BZ#497909
  • AVC denied 0x100000 for a directory with eCryptFS and Apache BZ#489774
  • Don't zero out pages array inside struct dio BZ#488161
  • File truncations when both suid and write permissions are set BZ#486975
  • Fix stripping SUID/SGID flags when chmod/chgrp directory BZ#485099
  • Sanitize invalid partition table entries BZ#481658
  • DIO write returns -EIO on try_to_release_page fail BZ#461100
  • Batch AIO requests BZ#532769
  • Add eventd support. BZ#493101
  • Update ext4 to latest upstream codebase BZ#528054
  • If a non-root setuid binary is run as root, its /proc/<pid>/smaps file cannot be read because the file's permissions only allow access from a task with the original root UID value.
    The /proc/<pid>/smaps file is now created with S_IRUGO permissions (-r--r--r--), which means it can be read even when running a setuid binary. BZ#322881
  • Correctly recognize the logical unit (LU) of Hitachi-made storage. BZ#430631
    The LU of Hitachi-made storage was not correctly recognized in Red Hat Enterprise Linux 5. The LU was correctly recognized using a combination of Red Hat Enterprise Linux 4, Hitachi-made storage, and the Qlogic-made HBA driver. Further, Red Hat Enterprise Linux 5 did recognize an LU that did not exist in the storage. The storage is used with SCSI-2.
    Red Hat Enterprise Linux 5 now issues a SCSI command (REPORT_LUN) when recognizing the logical unit in the SCSI layer. The LU is now correctly recognized when using a combination of Red Hat Enterprise Linux 5, Hitachi storage, and the Qlogic-made HBA driver.
1.88.10.1.6. Storage and Device Driver Updates
1.88.10.1.6.1. PCI Updates
  • AER: Disable advanced error reporting by default. BZ#559978
  • Prevent PCIe AER errors being reported multiple times. BZ#544923
    A problem was found where not all PCIe AER uncorrectable status bits were cleaned up after an uncorrectable/non-fatal or uncorrectable/fatal error was triggered. As a result, subsequent errors would sometimes display a previously reported error.
    This update ensures that errors are only reported once.
  • Add base AER driver support. BZ#517093
    This feature provides the advanced error handling (diagnosis and recovery) for PCI-Express devices by adding AER (Advanced Error Reporting) support.
    PCIe AER provides the finer resolution of error source and error severity, as well as the ability to reset the slot to re-initialize the device.
    This update applies to 32-bit x86 and 64-bit Intel 64 and AMD64 architectures.
  • Enable acs p2p upstream forwarding. BZ#518305
1.88.10.1.6.2. SCSI Updates
  • mpt2sas: Fix missing initialization. BZ#565637
  • Update fnic and libfc to address FIP crash and hang issues. BZ#565594
  • be2iscsi: Fix scsi eh callouts and add support for new chip to be2iscsi driver. BZ#564145
  • device_handler: Add netapp to ALUA device list. BZ#562080
  • qla2xxx: Return FAILED if abort command fails. BZ#559972
  • lpfc: Update driver to 8.2.0.63.3p FC/FCoE. BZ#564506
  • lpfc: Update driver to 8.2.0.63.2p FC/FCoE. BZ#557792
  • lpfc: Update driver to 8.2.0.63.1p FC/FCoE. BZ#555604
  • be2iscsi: Upstream driver refresh for Red Hat Enterprise Linux 5.5. BZ#554545
  • qla2xxx: Correct timeout value calculation for CT pass-through commands. BZ#552327
  • qla2xxx driver updates. BZ#550148
  • Update arcmsr driver to better match upstream. BZ#521203
  • Re-enable "mpt_msi_enable" option. BZ#520820
  • Kernel panics from list corruption when using a tape drive connected through cciss adapter. BZ#520192
  • lpfc: Update version from 8.2.0.52 to 8.2.0.59. BZ#516541 BZ#529244
  • megaraid: Make driver legacy I/O port free. BZ#515863
  • Update Emulex lpfc 8.2.0.x FC/FCoE driver. BZ#515272
  • scsi_transport_fc: fc_user_scan correction to prevent scsi_scan looping forever. BZ#515176
  • Update qla2xxx qla4xx driver. BZ#519447
  • Update for HighPoint RocketRAID hptiop driver. BZ#519076
  • Errata 28 fix on LSI53C1030. BZ#
  • Add kernel (scsi_dh_rdace) support for Sun 6540 storage arrays. BZ#518496
  • Disable state transition from OFFLINE to RUNNING. BZ#516934
    This feature prevents a timeout from occurring on the same device repeatedly by disabling the state transition of the SCSI device from OFFLINE to RUNNING in the unblock function of the SCSI layer.
    This update applies to 32-bit x86, 64-bit Intel 64 and AMD64, and 64-bit Itanium2 architectures.
  • Add be2iscsi driver. BZ#515284
  • Add emc clarion support to scsi_dh modules. BZ#437107
  • scsi_dh_rdac driver update. BZ#524335
  • qla2xxx: Allow use of MSI when MSI-X disabled. BZ#517922
    On Red Hat Enterprise Linux 5 the MSI-X disable option for this driver also disables MSI. This update adds another state to the variable to allow the user to specify either MSI or MSI-X.
1.88.10.1.6.3. Other Updates
1.88.10.1.7. Block Device Updates
  • cfq-iosched: Fix sequential read performance regression. BZ#571818
  • cfq: Kick busy queues without waiting for merged req. BZ#570814
  • raid45: Fix for kernel OOPS resulting from constructor error path. BZ#565494
  • Fix deadlock at suspending mirror device. BZ#555120
  • Fix I/O errors while accessing loop devices or file-based Xen images from GFS volume. BZ#549397
  • Correct issue with MD/DM mapping in blktrace. BZ#515551
  • Fix install panic with xen iSCSI boot device. BZ#512991
  • Allow more flexibility for read_ahead_kb store. BZ#510257
  • Add device ID for 82801JI sata controller. BZ#506200
  • Fix a race in dm-raid1. BZ#502927
  • raid: deal with soft lockups during resync. BZ#501075
  • blktrace stops working after a trace-file-directory replacement. BZ#498489
  • I/O scheduler setting via elevator kernel option is not picked up by Xen guest. BZ#498461
  • Fix rcu accesses in partition statistics code. BZ#493517
  • Fix iosched batching fairness and reset batch for ordered requests. BZ#462472
1.88.10.1.8. Multiple Device Updates
  • Fix kernel panic releasing bio structure after recovery failed. BZ#555171
  • Lock snapshot while reporting status. BZ#543307
    A problem was found where, in the snapshot_status() function, the counts were being read without holding the lock. This could result in invalid intermediate values being reported.
    This update is a backport of a previous patch that locks the snapshot while reporting status.
  • Fix deadlock in device mapper multipath when removing a device. BZ#543270
  • Snapshots of the same origin with differing chunk sizes causes corruption. BZ#210490
    The kernel driver dm-snapshot handles multiple snapshots with different chunk sizes incorrectly. It occasionally dispatches write requests to the origin volume prior to copying the data to all the snapshots. As a consequence, the snapshots are not static and writes to the origin are occasionally reflected to the snapshots. When there are multiple snapshots of the same origin volume with different chunk sizes, and you write to the origin volume, the data in the snapshots may be corrupted.
    This update ensures that the kernel driver always waits until all the chunks in all the snapshots are reallocated before dispatching a write request to the origin device.
  • raid5: Mark cancelled readahead BIOS with -EIO. BZ#512552
1.88.10.1.9. Wireless Infrastructure and Driver Updates
  • iwlwifi: Fix dual-band N-only use on IWL5x00. BZ#566696
  • rt2x00: Fix work cancel race conditions. BZ#562972
  • Update old static regulatory domain rules. BZ#543723
  • Puma Peak wireless support. BZ#516859
    This update contains support for the iwl6000 hardware from Intel. Devices in this hardware line support 802.11a, 802.11b, 802.11g, and 802.11n protocols. This update also includes support for the iwl1000 hardware line. Support for iwl5000, iwl4965, and iwl3945 was also updated.
    In order to support the features of these drivers, the mac80211 and cfg80211 subsystems were updated. Further, all existing mac80211-based drivers were refreshed to match the updated mac80211 subsystem.
  • Support Realtek RTL8187B wireless driver. BZ#514661
  • Update Intel wireless driver (iwlagn) for iwl4965 / iwl5000. BZ#474328
  • Add support for Atheros wireless ATH9k driver. BZ#456943
    The update of the mac80211 enabled support of the ath9k driver. This supports the full line of 802.11n wireless LAN adapters from Atheros.
  • mac80211: fix reported wireless extensions version. BZ#513430
1.88.10.1.10. Memory Management Updates
  • [Xen] mmap() with PROT_WRITE on Red Hat Enterprise Linux 5 was incompatible with Red Hat Enterprise Linux 4. BZ#562761
  • munmap() fails when mm_struct.map_count temporarily reaches max_map_count BZ#552648
    A problem was found where munmap() would fail with an ENOMEM error if:
    • the number of VMAs = VMA limit - 1, and
    • it does not unmap an entire VMA but only part of a VMA.
    This update implements further checks to handle partial unmappings to avoid this problem.
  • Update ioremap to prevent kernel hang when using recent NVIDIA display drivers. BZ#549465
    A problem was found where attempting to run a recent NVIDIA display driver on 32-bit Red Hat Enterprise Linux 5.3 or 5.4 would cause the kernel to hang. This was due to hitting a BUG() call in the __change_page_attr() routine.
    This update provides the necessary changes to address this problem.
  • Prevent hangs during memory reclaim on large systems. BZ#546428
  • Call vfs_check_frozen() after unlocking the spinlock. BZ#541956
  • Display UID as well as PID in OOM killer output. BZ#520419
  • AMD-IOMMU: Support more IOMMU parameters and rework interrupt remapping according to IOMMU spec 1.26. BZ#518474 BZ#526766
  • Add a tracepoint for kernel pagefault events. BZ#517133
    This feature provides a tracepoint to trace kernel pagefault events. The argument should include the IP (instruction pointer) and the faulted virtual address.
    This update applies to 32-bit x86 and 64-bit Intel 64 and AMD64 architectures.
  • Memory mapped files not updating timestamps. BZ#452129
  • Prevent hangs or long pauses when zone_reclaim_mode=1. BZ#507360
1.88.10.1.11. Audit and Security Updates
1.88.10.1.11.1. Audit Updates
  • Fix breakage and leaks in audit_tree.c BZ#549750
    A problem was found where if a user ran auditctl -R audit.rules which unloads and then loads rules that include (for exeample) "-F dir=/var/log/audit" or "-F dir=/lib", it would result in a kernel OOPS.
    This update provides a fix for this issue.
  • Correct the record length of execve. BZ#509134
1.88.10.1.11.2. Cryptography Updates
  • IBM S/390: Permit weak keys unless REQ_WEAK_KEY is set. BZ#504667
1.88.10.1.11.3. SELinux Updates
  • Update audit_update_watch() to prevent system crashes while running usermod. BZ#526819
  • Allow preemption between transition permission checks in order to prevent CPU soft lockup BZ#516216
    A problem was found where the kernel would sometimes go into a soft lockup for 10s at .context_struct_compute_av+0x214/0x39c. This update changes the way transition checks are performed in order to avoid this problem.
1.88.10.1.12. Miscellaneous Updates
  • power_meter: Avoid OOPS on driver load. BZ#566575
  • hvc_iucv: Allocate IUCV send/receive buffers in DMA zone. BZ#566202
  • f71805f: Fix sio_data to platform_device_add_data(). BZ#564399
  • Fix 32-bit Machine Check Exception Handler. BZ#562862
  • Fix APIC and TSC reads for guests. BZ#562006
  • zcrypt: Do not remove coprocessor in case of error 8/72. BZ#561067
  • smsc47m1: Fix data to platform_device_add_data(). BZ#560944
  • it87: Fix sio_data to platform_device_add_data(). BZ#559950
  • w83627hf: Fix data to platform_device_add_data(). BZ#557172
  • Power Now driver: fix crash on AMD family 0x11 processors. BZ#555180
  • EDAC driver fix for non-MMCONFIG systems. BZ#550123
  • khungtaskd not stopped during suspend. BZ#550014
  • Do not evaluate WARN_ON condition twice. BZ#548653
  • Fix NULL pointer panic in acpi_run_os. BZ#547733
  • Implement public pci_ioremap_bar function. BZ#546244
  • Fix PTRACE_KILL hanging in 100% CPU loop. BZ#544138
  • Fix compile warnings in eeh code. BZ#538407
    This update was necessary to address a compile problem in PowerPC introduced by a change in the PCI AER code.
  • [infiniband] Fix bitmask handling from QP control block. BZ#561953
  • [infiniband] Fix issue with sleep in interrupt ehca handler. BZ#561952
  • [infiniband] Rewrite SG handling for RDMA logic. BZ#540686
    After dma-mapping an SG list provided by the SCSI midlayer, iser must ensure the mapped SG is "aligned for RDMA", in the sense that it is possible to produce one mapping in the HCA IOMMU which represents the whole SG. Next, the mapped SG is formatted for registration with the HCA.
    This update provides the necessary rewrites to achieve the above.
  • [infiniband] init neigh->dgid.raw on bonding events. BZ#538067
    This update was necessary to address an issue found where, using IPoIB, connectivity would be lost with a single host but maintained with other hosts.
  • USB driver update. BZ#537433
    This driver update avoids USB 1.1 device failures that may occur due to requests from USB OHCI controllers being overwritten if the latency for any pending request by the USB controller is very long (in the range of milliseconds).
  • Add qcserial module to Red Hat Enterprise Linux 5 kernel. BZ#523888
    This module was added to support the Qualcomm WWAN cards used by some laptops.
  • sysctl: Require CAP_SYS_RAWIO to set mmap_min_addr. BZ#534018
  • Enable msi-x correctly on qlogic 2xxx series. BZ#531593
    This update enables the FC and FCoE drivers to use MSI-X or MSI interrupts when they are available. The ql2xenablemsix can be used to override this:
    0 = enable traditional pin-based interrupt mechanism
    1 = enable MSI-X interrupt mechanism
    2 = enable MSI interrupt mechanism
  • Implement futex priority-based wakeup. BZ#531552
    A problem was found where the threads waiting on the futex_q queue list would acquire the mutex lock in the order they were queued rather than by priority. This update addresses that problem.
  • Make scsi_dh_activate() asynchronous to address the slower LUN failovers with large numbers of LUNs. BZ#537514
  • [scsi] Fix inconsistent usage of max_lun BZ#531488
  • Fix dlm_recv deadlock under memory pressure while processing GFP_KERNEL locks. BZ#530537
  • [scsi] Panic at .ipr_sata_reset after device reset. BZ#528175
  • [scsi] Export scsilun_to_int symbol. BZ#528153
    This symbol is needed by some drivers, and without this update they each tend to use their own copy of the entire function.
  • Ensure pci_dev->is_enabled is set. BZ#527496
    Failure to set this may cause suspend/resume to fail on some devices.
  • Fix a bug in rwsem_is_locked() function. BZ#526092
  • [scsi] cciss: Ignore stale commands after reboot. BZ#525440
  • Fix a mistake in ACPI debug statement that prevents kernel compilation. BZ#524787
  • Fix panic in cpufreq_get on DL785-G6. BZ#523505
    A problem was found in cpufreq_get which sometimes causes a kernel panic on HP DL785-G6 machines running Red Hat Enterprise Linux 5.3 and 5.4.
    This update addresses the problem that was occurring and this kernel panic no longer occurs.
  • [FIPS140-2] Provide option to disable/enable use of the first random block. BZ#523259
  • [FIPS140-2] Do not use the first n-bit block generated after power-up, initialization, or reset. BZ#522860
  • thinkpad_acpi: Disable ecnvram brightness. BZ#522745
    The brightness of the screen needed to be manually set using the "Fn + Home" key combination every time you reboot an IBM T43 laptop, using the Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 03). This problem was traced to the fact that the thinkpad_acpi CMOS NVRAM (7) and EC (5) did not agree on the display brightness level.
    This update addresses this problem and the screen now always starts at the highest brightness setting.
  • pciehp: Fix PCI-E hotplug slot detection. BZ#521731
    A problem was found where the PCI-E hotplug slot was not detected by the pciehp driver on some platforms. The cause of this problem was traced to a bug in the pciehp driver. This update addresses this bug and PCI-E hotplug slots are now detected correctly.
  • Fix NULL pointer dereference in pci_bus_show_cpuaffinity() BZ#519633
    A problem was found where reading /sys/class/pci_bus/0000:ff/cpuaffinity (using cat or a similar function) would cause the kernel to crash and the system to reboot. This update provides a solution to this problem.
  • Fix device detach and hotplug with iommu=pt BZ#516811 BZ#518103
    A problem was found with iommu=pt mode for intel_iommu where if you are using iommu=pt and you assign a device to a KVM guest and then de-assign it,the result is a device which is not usable in the host. It can be re-assigned to other guests again, but not directly used in the host.
    There is also an issue where with iommu=pt any PCI devices that are hot-plugged in the host cannot be used.
    This update provides a solution to the above problems.
  • [firewire] fw-ohci: Fix IOMMU resource exhaustion. BZ#513827
  • Support AMD Magny-Cours power-aware scheduler fix. BZ#513685
  • Fix CPU llc_shared_map information. BZ#513684
  • [cpufreq] Add option to avoid smi while calibrating. BZ#513649
    The CPU frequency (cpu_khz) was infrequently calculated as larger value than the CPU's specification in both Red Hat Enterprise Linux 5.1(x86) and 5.2(x86). This also contributed to the system time being gradually delayed. This update adds an option to avoid this problem.
  • [cpufreq] Don't set policy for offline CPUs. BZ#511211
  • Add CPU hotplug notifiers to support suspend-to-disk and suspend-to-RAM while using KVM. BZ#510814
  • Better FASYNC handling on file close. BZ#510746
  • fd leak if pipe() is called with an invalid address. BZ#509625
  • Kernel panic occurs when adding nosmp option and booting the system. BZ#509581
  • Increase hibernate timeout. BZ#507331
  • Hang on boot due to wrong APIC timer calibration. BZ#503957
  • DASD failfast flag cannot be set on. BZ#503222
  • wacom: add Intuos4 support. BZ#502708
  • st: display current settings of option bits. BZ#501030
  • psmouse: reenable mouse on shutdown. BZ#501025
  • Relocate initramfs to increase vmalloc space. BZ#499253
  • Fix undefined reference to `__udivdi3'. BZ#499063
  • Add Oprofile support for Nehalem-EP processors. BZ#498624
  • Multiple device failure renders dm-raid1 unfixable. BZ#498532
  • Don't oomkill when hugepage alloc fails on node. BZ#498510
  • Prevent tmpfs from going readonly during oom kills. BZ#497257
  • documentation: fix file-nr definition in fs.txt. BZ#497200
  • Conditional flush in flush_all_zero_pkmaps. BZ#484683
  • Fix corrupted intel_rng kernel messages. BZ#477778
  • Use KVM pvclock code to detect/correct lost ticks. BZ#476075
  • Fix mcp55 apic routing. BZ#473404
  • Fix snapshot crash on invalidation. BZ#461506
  • Add pci_domain_nr. BZ#450121
  • hwmon: Update to latest upstream for Red Hat Enterprise Linux 5.5. BZ#467994 BZ#250561 BZ#446061
  • LRO (Large Receive Offload) is a network technology that offloads some of the overhead associated with receiving high-volume traffic from a single host. Though there is a performance benefit to LRO it cannot be used in environments where the host will take the incoming traffic and forward it to another device on the system (internal or external). In such environments, the host will panic when LRO is enabled on an interface and that interface is placed into a bridge on the host.
    A check was placed in an additional portion of the bridge forwarding code and the following message (or similar) will be printed to the console or logs when a device with LRO enabled is placed into a bridge on the host or has routing enabled: "eth0: received packets cannot be forwarded while LRO is enabled". BZ#483646
  • jbd slab cache creation/deletion is racey. BZ#496847
  • In some cases, kernel panics while calling SysRQ-C. The printk warning about long delays was removed, and the kernel no longer hangs when SysRQ-C is called. BZ#497195
  • Fix serial ports on IBM Point-of-Sale hardware. BZ#506799
  • Add support for Intel multi-APIC-cluster systems. BZ#507333
  • A bug was found in ia64_mca_modify_original_stack (arch/ia64/kernel/mca.c) where if INIT was issued while the kernel was in fsys-mode, the register was not saved in the stack. Consequently, the kdump corefile could not be backtraced in IA64. Registers in the stack are now restored on init. BZ#515753
  • Add a tracepoint for the coredump event to the kernel. The new tracepoint provides tracing tools with pointers to the coredump filename string, and to the coredump_params data structure. BZ#517115
  • Add four new signal-related tracepoints to the kernel. These tracepoints provide tracing tools which can deliver significant amounts of data. Refer to the bug report for full details. BZ#517121
  • Add support for Nehalem-EX (Beckton) processors in Oprofile. BZ#521992

1.88.11. RHSA-2010:0610: Important kernel security and bug fix update

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each flaw description below.
This update fixes the following security issues:
* instances of unsafe sprintf() use were found in the Linux kernel Bluetooth implementation. Creating a large number of Bluetooth L2CAP, SCO, or RFCOMM sockets could result in arbitrary memory pages being overwritten. A local, unprivileged user could use this flaw to cause a kernel panic (denial of service) or escalate their privileges. (CVE-2010-1084, Important)
* a flaw was found in the Xen hypervisor implementation when using the Intel Itanium architecture, allowing guests to enter an unsupported state. An unprivileged guest user could trigger this flaw by setting the BE (Big Endian) bit of the Processor Status Register (PSR), leading to the guest crashing (denial of service). (CVE-2010-2070, Important)
* a flaw was found in the CIFSSMBWrite() function in the Linux kernel Common Internet File System (CIFS) implementation. A remote attacker could send a specially-crafted SMB response packet to a target CIFS client, resulting in a kernel panic (denial of service). (CVE-2010-2248, Important)
* buffer overflow flaws were found in the Linux kernel's implementation of the server-side External Data Representation (XDR) for the Network File System (NFS) version 4. An attacker on the local network could send a specially-crafted large compound request to the NFSv4 server, which could possibly result in a kernel panic (denial of service) or, potentially, code execution. (CVE-2010-2521, Important)
* a flaw was found in the handling of the SWAPEXT IOCTL in the Linux kernel XFS file system implementation. A local user could use this flaw to read write-only files, that they do not own, on an XFS file system. This could lead to unintended information disclosure. (CVE-2010-2226, Moderate)
* a flaw was found in the dns_resolver upcall used by CIFS. A local, unprivileged user could redirect a Microsoft Distributed File System link to another IP address, tricking the client into mounting the share from a server of the user's choosing. (CVE-2010-2524, Moderate)
* a missing check was found in the mext_check_arguments() function in the ext4 file system code. A local user could use this flaw to cause the MOVE_EXT IOCTL to overwrite the contents of an append-only file on an ext4 file system, if they have write permissions for that file. (CVE-2010-2066, Low)
Red Hat would like to thank Neil Brown for reporting CVE-2010-1084, and Dan Rosenberg for reporting CVE-2010-2226 and CVE-2010-2066.
This update also fixes the following bugs:
* when loading a USB mass storage driver under kernel-debug, a possible circular locking dependency detected warning was triggered. With this update, the warning is no longer displayed and the loading of a USB mass storage driver under kernel-debug works as expected. BZ#607483
* when TPA (Transparent Packet Aggregation) was used with a bnx2x network driver (10 Gb), TCP bandwidth problems occurred, causing transfer rate slowdowns (down to 400 Kb) and network delays. The network traces shown that the reason for the TCP bandwidth problems were TCP delayed ACK mechanisms. This update improves the packet-handling code so that network ACKs are not delayed when using TPA, GRO (Generic Receive Offload), or LRO (Large Receive Offload) with the bnx2x driver, thus leading to increased networking performance. BZ#613900
* a host with a QLogic 8G FC adapter (QLE2562) regularly displayed firmware dump errors in the /var/log/messages directory during IO runs. With this update, the firmware dump errors no longer appear in the /var/log/messages directory. BZ#613688
* in a CNIC driver, occasionally, data structures were freed when the device was down. If at that moment an ISCSI netlink message was received, a crash occurred. With this update, the crash no longer occurs. BZ#615260
* when a hot-swap was conducted, the addition of a Serial Attached SCSI (SAS) disk failed because of a timeout. With this update, the addition of a SAS disk completes without a timeout and no longer fails. BZ#612539
* when no hotpluggable PCIe slots were present on a machine, loading the acpiphp module (using the /sbin/modprobe command) on a Intel Xeon processor 7500 series system caused kernel panic. With these updates, an error message is produced when the aforementioned case occurs and the machine does not panic. BZ#607486
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.88.12. RHSA-2010:0723: Important kernel security and bug fix update

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links after each flaw description below.
This update fixes the following security issues:
* A buffer overflow flaw was found in the ecryptfs_uid_hash() function in the Linux kernel eCryptfs implementation. On systems that have the eCryptfs netlink transport (Red Hat Enterprise Linux 5 does) or where the /dev/ecryptfs file has world writable permissions (which it does not, by default, on Red Hat Enterprise Linux 5), a local, unprivileged user could use this flaw to cause a denial of service or possibly escalate their privileges. (CVE-2010-2492, Important)
* A miscalculation of the size of the free space of the initial directory entry in a directory leaf block was found in the Linux kernel Global File System 2 (GFS2) implementation. A local, unprivileged user with write access to a GFS2-mounted file system could perform a rename operation on that file system to trigger a NULL pointer dereference, possibly resulting in a denial of service or privilege escalation. (CVE-2010-2798, Important)
* A flaw was found in the Xen hypervisor implementation when running a system that has an Intel CPU without Extended Page Tables (EPT) support. While attempting to dump information about a crashing fully-virtualized guest, the flaw could cause the hypervisor to crash the host as well. A user with permissions to configure a fully-virtualized guest system could use this flaw to crash the host. (CVE-2010-2938, Moderate)
* Information leak flaws were found in the Linux kernel's Traffic Control Unit implementation. A local attacker could use these flaws to cause the kernel to leak kernel memory to user-space, possibly leading to the disclosure of sensitive information. (CVE-2010-2942, Moderate)
* A flaw was found in the Linux kernel's XFS file system implementation. The file handle lookup could return an invalid inode as valid. If an XFS file system was mounted via NFS (Network File System), a local attacker could access stale data or overwrite existing data that reused the inodes. (CVE-2010-2943, Moderate)
* An integer overflow flaw was found in the extent range checking code in the Linux kernel's ext4 file system implementation. A local, unprivileged user with write access to an ext4-mounted file system could trigger this flaw by writing to a file at a very large file offset, resulting in a local denial of service. (CVE-2010-3015, Moderate)
* An information leak flaw was found in the Linux kernel's USB implementation. Certain USB errors could result in an uninitialized kernel buffer being sent to user-space. An attacker with physical access to a target system could use this flaw to cause an information leak. (CVE-2010-1083, Low)
Red Hat would like to thank Andre Osterhues for reporting CVE-2010-2492; Grant Diffey of CenITex for reporting CVE-2010-2798; Toshiyuki Okajima for reporting CVE-2010-3015; and Marcus Meissner for reporting CVE-2010-1083.
This update also fixes the following bugs:
* Previously, the kernel could panic because system locks and interrupt requests (IRQ) in the ips driver were handled incorrectly. This update replaces the problematic msleep() calls with the MDELAY() macro and handles the locking properly. BZ#620661
* Previously, MSI resulted in PCI bus writes to mask and unmask the MSI IRQ. These unnecessary PCI bus writes could lead to poor performance. This update adds a new kernel boot parameter, msi_nolock, which allows for better simultaneous processing of MSIs. BZ#621940
* Previously, optimization to initialize page tables with ZERO_PAGE for the mmap() or munmap() function on /dev/zero decreased the performance on multiple threads. This update allows the user to switch off the optimization by typing echo 0 > /proc/sys/vm/vm_devzero_optimization at a shell prompt as superuser. BZ#623141
* Previously, starting communication between two systems with bonding devices and adaptive load balancing (ALB) caused endless loop of ARP replies. With this update, and the communication between such systems now works as expected. BZ#623143
* Previously, certain CPU flags were missing in /proc/cpuinfo when running a kernel-xen kernel. This has been fixed, and /proc/cpuinfo now contains all CPU flags as expected. BZ#624365
* Previously, patch for BZ#584658 introduced an issue that commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 fixed. This update backports this fix. BZ#624369
* Previously, ccw_device_set_options() in dasd_generic_probe() unset the CWDEV_ALLOW_FORCE flag set in dasd_eckd_probe() and the unconditional reserve was not allowed on ECKD dasds. This update sets flags only in discipline specific probe functions. BZ#627194
* Previously, allocating fallback cqr for DASD reserve/release ioctls failed because it used the memory pool of the respective device. This update preallocates sufficient memory for a single reserve/release request. BZ#627195
* This update adds code to detect and recover parity errors from the T3 adapter. BZ#630978
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

1.89. kexec-tools

1.89.1. RHBA-2009:1600: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1600
An updated kexec-tools package that fixes various bugs is now available.
kexec-tools provides the /sbin/kexec binary that facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot. This package contains the /sbin/kexec binary and ancillary utilities that together form the user-space component of the kernel's kexec feature.
This updated kexec-tools package includes fixes for the following bugs:
* when the bonding network driver was configured on a system running as dom0 with the kernel-xen kernel, sending a vmcore file via the bonded interface failed due to a mkdumprd misconfiguration, resulting in a loss of the core. With this update, sending a vmcore file on a dom0 system with kdump configured to send it via the bonded interface works as expected, and the resulting core is transferred successfully. (BZ#532030)
* kdump could create a truncated or zero-length vmcore file on large-memory systems. This was due to the amount of system RAM causing the creation of more than thirty-two E820 map entries in the BIOS, which in turn led kexec to truncate that list, thus causing memory to be ignored during kdump boot, and eventually resulting in truncated or zero-length vmcore files. With this update, kdump is now aware of this potential situation on large-memory systems, with the result that vmcore files are created correctly, without being truncated or zero in length. (BZ#533793)
All users of kexec-tools are advised to upgrade to this updated package, which resolves these issues.

1.89.2. RHBA-2010:0179: bug fix update

An updated kexec-tools package that fixes numerous bugs is now available.
kexec-tools provides kexec binary that facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot, together with ancillary utilities that form the userspace component of the kernel's kexec feature
This update addresses the following issues:
* previously, the kdump kernel command line supported a "mem=" parameter that limited the memory that was dumped. When this parameter was set, the dump would result in an I/O error. The "mem=" parameter has been removed from kexec to ensure that core dumps succeed. (BZ#239791)
* previously kdump waited indefinitely for all devices in its critical_disks list to be available before it performed a dump. Kexec-tools now has a disk_timeout parameter that limits how long kdump will wait for storage to respond. (BZ#500741)
* a logical flaw meant that the presence of files with certain names in current directory of mkdumprd would prevent a dump. The code used to evaluate the remote server name has been corrected. (BZ#509404)
* host names specified in the kdump.conf script needs to be entered as fully-qualified domain names to allow for DNS changes. The documentation for kdump has been revised to make this requirement clear. (BZ#510816)
* previously, the vmcore file created by starting kdump with an initscript used the "--sparse=always" option when copying, resulting in a smaller file. The same option has now been added as a default value in the kdump.conf configuration file, ensuring that the default behavior is consistent. (BZ#511003)
* previously, faulty logic in the code that cleans up files used by kdump in /tmp meant that files were sometimes left behind in /tmp. This has been corrected to ensure that files in /tmp are cleaned up. (BZ#512098)
* previously, the order in which kdump loaded storage drivers meant that USB-attached storage was sometimes not correctly detected. The USB driver is now loaded later in the boot sequence, so that device enumeration is correct and that dumps takes place successfully. (BZ#513608)
* Makedumpfiles can now accept kdump compressed dumps, therefore allowing users to transfer smaller files. (BZ#516877)
* previously, the code used by kdump to find network interfaces could not correctly identify slaves in a Xen environment when the dom0 was configured for bonding. The code has now been updated so that it recognizes this type of interface. (BZ#516907)
* Previously, the sample grub.conf file provided in the kexec-kdump-howto.txt omitted the "crashkernel" parameter. The sample file now describes a correctly configured grub.conf. (BZ#531244)
* Kexec now supports Enhanced Disk Drive Services (EDD) and up to 128 memory ranges from BIOS, so dumps on recent Intel 64-bit platforms now complete successfully. (BZ#531340)
* previously, kdump did not test to see whether an NFS location was writeable before commencing a dump. If the location was unwritable, kdump would therefore start the dump anyway, which would inevitably fail. Kdump now checks that NFS locations are writeable. (BZ#533565)
* previously, mkdumprd resolved hostnames for NFS locations specified in kdump.conf and stored their IP addresses. Mkdumprd now stores the hostnames instead and can therefore find the hosts successfully even if their IP addresses change. (BZ#545980)
* kexec-tools now pulls in nsslibs and using the settings in /etc/resolv.conf, can therefore perform DNS lookups and find NFS locations specified in kdump.conf. (BZ#549946)
* a reference to libc.so.6 has now been removed for Itanium systems. This avoids a potentially confusing warning message. (BZ#559126)
* a recent reorganization of the library directories on PowerPC systems placed glibc in /lib/power6x, although libnss files expected it to be in /lib. The correct path is now explicitly provided in mkdumprd, so DNS lookups work on PowerPC systems. (BZ#569119)
All kexec-tools users should upgrade to this updated package, which resolves these issues.

1.90. krb5

1.90.1. RHSA-2010:0029: Critical security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0029
Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5, and Red Hat Enterprise Linux 4.7, 5.2, and 5.3 Extended Update Support.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).
Multiple integer underflow flaws, leading to heap-based corruption, were found in the way the MIT Kerberos Key Distribution Center (KDC) decrypted ciphertexts encrypted with the Advanced Encryption Standard (AES) and ARCFOUR (RC4) encryption algorithms. If a remote KDC client were able to provide a specially-crafted AES- or RC4-encrypted ciphertext or texts, it could potentially lead to either a denial of service of the central KDC (KDC crash or abort upon processing the crafted ciphertext), or arbitrary code execution with the privileges of the KDC (i.e., root privileges). (CVE-2009-4212)
All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.

1.91. ksh

1.91.1. RHBA-2009:1686: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1686
An updated ksh package that fixes two bugs is now available.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with "sh", the original Bourne Shell.
This updated ksh package includes fixes for the following bugs:
* when a ksh script included multibyte characters, ksh's script parser then failed to parse the script and printed a "syntax error" message. This updated package corrects this error: ksh's script parser now correctly handles multibyte characters and no error is returned when they are found. (BZ#543447)
* the ksh shell uses a special variable, "$!", which contains the process ID (pid) of the last background job or background function. However, the $! variable did not contain the correct pid when it was called within a ksh function (defined with the "function" syntax). With this update, referencing the $! special variable works as expected and the correct process ID of the last background job or function is returned, even when it is referenced from within a ksh script function. (BZ#544974)
All KornShell users are advised to upgrade to this updated package, which resolves these issues.

1.91.2. RHBA-2010:0234: bug fix and enhancement update

An updated Ksh package that fixes various bugs is now available.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories -- a shell programming language upwards-compatible with "sh" (the Bourne Shell).
This updated ksh package upgrades ksh to the more recent 2010-02-02 upstream version (release ksh93t+) In addition, this updated ksh package addresses the following bugs:
* running ksh scripts for a long time on an overloaded system resulted in a race condition caused by an inner linear job list getting looped. This resulted in ksh utlising 100 % of the cpu capacity. Some operations on the job list were reordered to prevent this race condition occuring, allowing ksh scripts to be run normally on the system. (BZ#435159)
* when .profile executed a return command, some new processes were executed without working stdin, because it was already closed. This version correctly restores the shell state after return was used in .profile making stdin available for new processes. (BZ#506790)
* ksh returned an incorrect exit code of one when unsetting a variable that was already unset. Ksh now returns zero exit code. (BZ#508869)
* when a parent of a background process was completed, ksh did not wait for output of the background process. Ksh now waits for the output of the background process so preventing the loss of data. (BZ#509326)
* when emacs editing mode was used and an alias was set, it was sometimes evaluated too early causing a syntax error. Aliases are evaluated later in the process now which prevents false positive syntax errors. (BZ#513967)
* ksh indicated commands in the man page that are not available. Man page is now amended to indicate that these commands are not available on Linux systems. (BZ#514485)
* the ksh shell uses a special variable, "$!", which contains the process ID (pid) of the last background job or background function. However, the $! variable did not contain the correct pid when it was called within a ksh function (defined with the "function" syntax). With this update, referencing the $! special variable works as expected and the correct process ID of the last background job or function is returned, even when it is referenced from within a ksh script function. (BZ#520383)
* when a ksh script included multibyte characters, the ksh script parser sometimes failed to parse the script and printed a syntax error message. This updated package corrects this error: the ksh script parser now correctly handles multibyte characters and no error is returned when they are found. (BZ#538655)
* when the built-in ksh typeset function was used with the array variable, it was affecting the size of the array by appending one empty value. This is now corrected and typeset does not unintentionally affect size of arrays. (BZ#538857)
* some upstream behavioural changes of ksh were not sufficiently documented, specifically parenthesis which was supported in ksh-93r or older. ksh Now ships Release and ChangeLog documents wherein important changes are documented. (BZ#541654)
* when evaluating a non-number variable that contains a point in a numeric comparison, ksh crashed with a segmentation fault. With this update, ksh checks whether the point has numerical or parent separator meaning, and produces only an error message when appropriate. (BZ#548519)
* when the array variable was declared using the built-in 'set', but not defined, this declaration did not take effect. The built-in 'set' included in the updated ksh declares array variables correctly. (BZ#553611)
All users of ksh are advised to upgrade to this updated package, which resolves these issues.

1.92. ktune

1.92.1. RHBA-2009:1422: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1422
An updated ktune package that fixes a bug is now available.
The ktune package includes settings for server performance-tuning.
This updated ktune package fixes the following bug:
* when running a Red Hat Enterprise Linux KVM guest under heavy load, the guest's system clock had the tendency to drift by an amount correlated with the system load. This ktune update provides an interactive Bourne shell script, fix_clock_drift.sh, which, when run as the superuser, inspects various system parameters to determine if the guest on which it is run is susceptible to clock drift under load and, if so, then creates a new "grub.conf.kvm" file in the /boot/grub/ directory. This file contains a kernel boot line with additional kernel parameters that allow the kernel to account for and prevent significant clock drift on the KVM guest. Note also that the ntpd service must be running on the KVM guest for the clock drift to be corrected.
Important: after running fix_clock_drift.sh as the superuser, and once the script has created the "grub.conf.kvm" file, then the guest's current "grub.conf" file should be backed up manually by the system administrator, the new "grub.conf.kvm" file should be manually inspected to ensure that it is identical to "grub.conf" with the exception of the additional boot line parameters, the "grub.conf.kvm" file should finally be renamed "grub.conf", and the guest should be rebooted. (BZ#518039)
Users of Red Hat Enterprise Linux KVM guests that are affected by significant clock drift are advised to upgrade to this updated package, which resolves this issue.

1.92.2. RHBA-2010:0238: bug fix and enhancement update

An updated ktune package that fixes a clock drift bug in Red Hat Enterprise Linux guests and adds support for the ktune.d directory is now available.
The ktune package includes settings for server performance-tuning.
This updated ktune package fixes the following bug:
* when running a Red Hat Enterprise Linux KVM guest under heavy load, the guest's system clock had the tendency to drift by an amount correlated with the system load. This ktune update provides an interactive Bourne shell script, fix_clock_drift.sh, which, when run as with root privileges, inspects various system parameters to determine if the guest on which it is run is susceptible to clock drift under load and, if so, creates a new "grub.conf.kvm" file in the /boot/grub/ directory. This file contains a kernel boot line with additional kernel parameters that allow the kernel to account for and prevent significant clock drift on the KVM guest. (BZ#516652)
Note: the ntpd service must be running on the KVM guest for the clock drift to be corrected.
Important: this script does not replace the existing grub.conf file. If running fix_clock_drift.sh creates the file "grub.conf.kvm" the system administrator must set the new file up manually as follows: back up the guest's current "grub.conf" file; inspect "grub.conf.kvm" and ensure it is identical to "grub.conf" with the exception of the additional boot line parameters; re-name "grub.conf.kvm" to "grub.conf"; reboot the guest.
This update also adds the following enhancement:
* support for ktune.d directory has been added to load additional sysctl profiles. Each profile could also provide a script for settings which can not be done with sysctl. The script will get an option which will be start or stop according to the ktune service command used for ktune. (BZ#496940)
Users of Red Hat Enterprise Linux KVM guests, especially those affected by significant clock drift, are advised to upgrade to this updated package, which resolves this issue and adds this enhancement.

1.93. kudzu

1.93.1. RHBA-2010:0191: bug fix and enhancement update

Updated kudzu packages that fix several bugs and add various enhancements are now available.
The updated packages fix the following bugs: - Kudzu would corrupt network configuration information in the presence of some dual and quad-port Chelsio adapters (BZ#571657) - Kudzu did not properly recognize some USB DVD drives (BZ#581799)
Also, support for IBM Virtual Fiber Channel devices on the POWER platform has been added. (BZ#503235)
It is recommended that all users upgrade to the new packages.

1.94. kvm

1.94.1. RHBA-2009:1423: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1423
Updated kvm packages that resolve an issue are now available.
KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware.
These updated kvm packages fix the following bug:
* rebooting a KVM guest domain could cause the guest to fail to receive keyboard and mouse input following the reboot. This has been fixed by reinitializing keyboard and mouse state in the guest after it reboots, which resolves the issue. (BZ#517855)
Note: after installing these updated packages, the following procedure should be carried out to ensure that the fix takes effect:
1. Stop all KVM guest virtual machines (VMs).
2. Either reboot the hypervisor machine, or, as the superuser, remove (using "modprobe -r [module]") and reload (using "modprobe [module]") all of the following modules which are currently running (determined using "lsmod"): kvm, ksm, kvm-intel or kvm-amd.
3. Restart the KVM guest VMs.
All users of kvm are advised to upgrade to these updated packages, which resolve this issue.

1.94.2. RHBA-2009:1488: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1488
Updated kvm packages that resolved two issues are now available.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. KVM can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc.
These updated packages fix the following bugs:
* the pthread_cond_timedwait time out was not properly handled. Consequently, under some loads, some KVM guests stopped responding to commands from the management interface. (Note: the reproducer was a host running around 300 KVM guests with each guest consuming around 50% of their virtual CPU. On this setup, some guests became non-responsive after several hours.) With this update the time outs are handled properly and KVM guests remain responsive, as expected. (BZ#526244)
* some Linux-based guests that used virtio virtual block devices aborted during installation, returning the error message: "unhandled vm exit: 0x31 vcpu_id 0".
Using an interface other than virtio for the guest virtual disk was a work around documented in the Red Hat Enterprise Linux 5.4 Technical Notes Known Issues for KVM. The work around was associated with BZ#518081, the original Bugzilla report for this issue.
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Technica l_Notes/Known_Issues-kvm.html
With this update, the underlying issue (stale EPTP-tagged mappings possibly being used when a virtual CPU or vcpu migrated to a different Physical CPU or pcpu) has been addressed and the work around is no longer necessary: Linux-based guests using virtio virtual block devices no longer abort during installation. (BZ#527192)
All users of kvm are advised to upgrade to these updated packages, which resolve this issue.

1.94.3. RHBA-2010:0158: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0158
Updated kvm packages that resolved two issues are now available.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. KVM can run multiple unmodified, virtualized guest Windows and Linux operating systems.
These updated packages fix the following bug:
* high loads could cause Microsoft Windows 7 32 bit guests to crash with a Blue Screen error that contained the "HAL_RTC_IRQF_WILL_NOT_CLEAR" error code. The updated package resolves this issue and Windows 7 32 bit guests should not crash under high loads.
All KVM users should upgrade to these updated packages, which contain backported patches to resolve these issues. Note that the procedure in the Solution section must be performed before this update takes effect.

1.94.4. RHSA-2010:0271: Important security, bug fix and enhancement update

Updated kvm packages that fix one security issue, multiple bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.
A flaw was found in the way QEMU-KVM handled erroneous data provided by the Linux virtio-net driver, used by guest operating systems. Due to a deficiency in the TSO (TCP segment offloading) implementation, a guest's virtio-net driver would transmit improper data to a certain QEMU-KVM process on the host, causing the guest to crash. A remote attacker could use this flaw to send specially-crafted data to a target guest system, causing that guest to crash. (CVE-2010-0741)
  • Setting the cpu_set variable to 1 online in the qemu Monitor and then shutting down the guest would cause the host or the guest to crash. The updated package resolves this issue and prevents the host or guest from crashing in this scenario. (BZ#487857)
  • The KVM configure script would not abort if the correct options were not enabled. The KVM configure script now verifies features are enabled or disabled by the configure script and aborts if the features was not loaded as requested. (BZ#489900)
  • The para-virtualized network drivers (virtio-net) lacked non-maskable interrupt (NMI) injection masking on AMD-based hosts. This caused Windows XP guests using the para-virtualized network driver could fail with a Blue Screen error during certain tests. The updated packages resolve this issue. (BZ#492290)
  • Timer events were processed before entering guest mode. This meant that certain timer events may not have been processed. Timer events are now processed in the main VCPU event loop so timer events are processed while the VCPU is halted. Timer events may inject interrupts or non-maskable interrupt (NMI) which will then unhalt the VCPU. This fixes the issue of unconditionally unhalting the VCPU. (BZ#492663)
  • If one or more VCPUs was disabled, VCPUs would appear in Windows Server 2008 Device Manager as devices with the ! symbol indicating an error. Windows does not handle CPUs marked as present (bit 0 in ACPI spec), but not enabled (bit 1), which causes this issue.
    However, there are situations where Linux expects CPUs to be present but not enabled. This is a heuristic test used by Linux to determine if a CPU is hot-pluggable.
    The updated package fixes virtualized CPU detection for Windows but breaks the ability to hot-add CPUs into Linux guests. (BZ#495844)
  • Using the numeric keypad of a keyboard with or without Num Lock produced erroneous input on guests accessed with VNC through the QEMU monitor application. The number pad keys should now work for input on guests accessed with VNC. (BZ#497507)
  • An unhandled interrupt from the kvm_vcpu_block() call unhalted a VCPU outside of the interrupt window. As a consequence, when the "there is no bootable disk" error presented the qemu process used 100% of the available CPUs. The updated packages resolve this issue and the interrupt is now handled correctly. (BZ#502086)
  • Windows Server 2008 R2 guests would hang after a restart if the guest was created with multiple VCPUs. This was caused by not properly filtering non-maskable interrupts (NMIs) from the guests during the restart procedure. The updated packages fix this issue and Windows Server 2008 R2 guests can successfully use multiple VCPU. (BZ#502543 BZ#503322)
  • Migrating a paused guest caused the guest to resume at the destination. Paused guests now remain paused after a migration. (BZ#503367)
  • Multiple virtualized guests using the hypercall device resulted in one or more of the guests using 100% of their assigned CPUs or becoming unresponsive. The updated packages fix the hypercall device, preventing this issue. (BZ#503759)
  • VCPUs were not reported correctly to Windows XP guests. On the Windows XP guest the number for CPUs listed in Task Manager was lower than the number of CPUs assigned to the guest. Windows XP guests should now use and display the number of VCPUs assign if the guest can handle that number of CPUs. (BZ#508040)
  • A segmentation fault occurred when a guest used a i82551 emulated network interface card was used. The segmentation fault is fixed in the packages. (BZ#510706)
  • Creating guests that use both 64k and 4k image block cluster sizes and virtualized IDE as the storage device driver would cause a segmentation fault in the qemu-kvm process. The updated packages resolve this issue. (BZ#542923)
  • Running the migrate_set_speed command in the QEMU console after running migrate_cancel causes segmentation fault in KVM. The updated packages fix this issue and the code causing the segmentation fault is fixed. (BZ#522887)
  • A segmentation fault occurred when using the qemu-img rebase command to rebase an image snapshot. (BZ#563141)
  • The qemu-img rebase command failed with an "Operation not supported" error message when it was run on locally-attached block devices. (BZ#569762)
  • The qemu-img command failed to copy a RAW image to a Fibre Channel storage device. The qemu-image command can now copy, convert and create images on Fibre Channel storage devices. (BZ#511072)
  • Storage I/O errors were processed out of order causing the guest to change state or crash unexpectedly. The guest state handlers now process storage I/O errors in the proper order. (BZ#514522)
  • A guest would occasionally not accept keystrokes or mouse clicks after rebooting. The updated package resolves this issue and user interactions are accepted after repeatedly rebooting guests. (BZ#515275)
  • In rare instances, certain virtualized guests could lock up while requesting a raw_pread system call. The offset was larger than the file size of the read failures which causes the system to infinitely loop I/O requests. This could, in certain circumstances lead to file system corruption on virtualized guests. The updated pacakges add a result test which prevents the infinite request loop. (BZ#515655)
  • The guest could change the QXL device ROM which could result in memory corruption. The updated packages prevent the guest from modifying the QXL device ROM. (BZ#537888)
  • The MRS storage array (msrs) in kvm_arch_save_regs() function. The array was sized too small for the function and may cause stack corruption. (BZ#528917)
  • Incorrectly handled I/O errors could cause guests file system corruption when using the para-virtualized block drivers and IDE emulation of NFS storage. The updated packages resolve this issue and host I/O errors will pause the guest instead of causing file system corruption. (BZ#531827)
  • With Red Hat Enterprise Virtualization, the virtio_blk_dma_restart_bh() function previously handled write errors. The function was not updated for this, causing read errors to be resubmitted as writes. This caused guest image corruption in some cases.
    Additionally, the return values of the bdrv_aio_write() and bdrv_aio_read() functions were ignored. If an immediate failure occurred in one of these functions, errors would be missed and the guest could hang or read corrupted data. (BZ#552487)
  • with Red Hat Enterprise Virtualization, guests continued to run after encountering disk read errors. This could have caused guest file systems to corrupt (but not the host's), notably in environments that use networked storage. With this update, the qemu-kvm command's -drive "werror=stop" option now applies not only to write errors but also to read errors. When using this option, guests will pause on disk read and write errors.
    By default, guests managed by Red Hat Enterprise Virtualization use the "werror=stop" option. This option is not used by default for guests managed by libvirt. (BZ#533390)
  • KVM would crash or fail to boot when attempting to assign 64GB of memory to 32-bit guests using PAE. KVM now supports addressing up to 48 bits of physical memory with PAE. (BZ#516545)
  • Windows Server 2003 32-bit guests assigned more than 4GB of RAM would crash after rebooting the guest. The updated packages resolve this issue and Windows Server 2003 32-bit guests can be assigned more than 4GB of RAM. 32-bit guests may not be able to use more than 4GB of RAM, refer to the guest operating system's documentation. (BZ#516762)
  • 64-bit guests would hang on an AMD host if one or more of the guest's VCPUs were changed from offline to online. This issue is resolved in the updated package. (BZ#525699 and BZ#517223)
  • When using the virtual vm8086 mode, bugs in the emulated hardware task switching implementation may have caused older guest operating systems to malfunction. (BZ#517324)
  • An "unhandled vm exit: 0x31 vcpu_id 0" error message could appear when installing certain guest operating systems, such as SUSE Linux Enterprise Server 11, using a para-virtualized block device (virtio-blk). The updated packages resolve this issue and installation with the para-virtualized drivers is supported and working. (BZ#518081)
  • The __kvm_mmu_free_some_pages list was not verified empty before it was used. The updated package verifies the __kvm_mmu_free_some_pages list is empty before attempting to look at list entries. (BZ#519397)
  • Windows Server 2008 64 bit guests use a cr8 call which executed a vmexit call. This caused performance issues for Windows Server 2008 guests. The updated packages use a different call method to handle cr8 calls which significantly improves the performance of Windows Server 2008 64 bit guests. (BZ#520285)
  • When attempting to resume from hibernate with Windows Server 2003 guests, KVM would attempt to stop the QEMU emulated audio device which was not activated. This caused a "snd_playback_stop: ASSERT playback_channel->base.active failed" error message to appear and the resume process to fail and the guest to crash. The updated package resolves this issue. (BZ#520394)
  • Time drift may have occurred in Windows guests that use the IOAPIC interrupt for timing. The updated packages resolve this issue and Windows guests should now keep time accurately. (BZ#521025)
  • Windows Server 2003 (32-bit and 64-bit) guests may have experienced time drift. (BZ#543137)
  • On AMD hosts, Window Server 2008 R2 Datacenter guests would stop during the installation at the step "Setup will continue after restarting your computer". This issue is resolved and Windows Server 2008 R2 Datacenter guests now successfully install. (BZ#521749)
  • Resetting the PCI status of a para-virtualized network device (virtio-net) would cause KVM to crash. This issue is resolved the the updated packages. (BZ#521829)
  • The German keyboard map was missing some keys in when accessing a guest with VNC. The German keyboard map now contains all keys when accessing guests with VNC. (BZ#521835)
  • When a guest issued an Inter-processor Interrupt (IPI) call, the call would cause KVM to issue a global IPI call on the host. The global IPI call interrupts all processors instead of just those assigned to the guest. The updated packages resolve the issue by using the kernel's IPI handling functions instead of emulating the IPI handler. (BZ#524970)
  • KVM and virtualized guests would become unresponsive due to waiting infinitely for an aio threads to return. The updated packages resolve this issue by correctly timing out threads which do not return. (BZ#525114)
  • The host KVM process could crash or use 100% of the allocated CPUs when a guest with more than one VCPU received high volumes of network traffic through a device using the para-virtualized network drivers (virtio-net). This issue is resolved in the updated packages. (BZ#525323)
  • KVM did not change the pacakge address of the etherboot .zrom file. KVM would always used the default, the ne.zrom file. Guests could not get an IP address or access PXE servers. The updated packages resolve this issue and guests can access PXE server when using non-default network devices. (BZ#526124)
  • KVM could generate invalid memory types in Memory Type Range Registers (MTRR) and Page Attribute Tables (PAT). This could be used by guests running random code to possibly store (and later use) a random MTRR type. The updated package prevent these invalid memory types from being created. (BZ#526837)
  • An error in the Makefile prevented users from using the source RPM to install KVM. (BZ#527722)
  • Linux guest initrd images greater than 4GB would cause the guest to crash. KVM now limits the size of initrd images to less than 4GB. (BZ#529694)
  • If the qemu-kvm command's -net user option was used, unattended Windows XP installations would not receive an IP address after rebooting. The guest requests a second DHCP address which makes the list of free DHCP addresses run out much quicker. This issue is fixed by reassigning the same addressed requested with DHCP to the guest after the guest reboots. (BZ#531631)
  • The para-virtualized clock (pvclock) Mode-specific register values were not preserved after a migration. This issue also affected the para-virtualized clock when a guest was saved and restored. These drivers not being saved could cause the guest's time keeping to become significantly skewed after restoring or migrating the guest. In the updated packages, the MSR values are preserved when a guest is saved and restored, and for migrations. (BZ#531701)
  • Installing Windows Server 2008 R2 from an ISO image could result in a blue screen "BAD_POOL_HEADER" stop error. (BZ#531887)
  • Running certain test functions on Windows 7 guests caused a blue screen "HAL_RTC_IRQF_WILL_NOT_CLEAR" stop error. (BZ#556455)
  • Windows Server 2003 R2 Service Pack 2 32-bit guests using the para-virtualized block drivers could crash with an unhandledvm exit error during reboot. The hypervisor now handles this error, resolving the issue. (BZ#532086)
  • After restoring a migrated Windows Server 2008 R2 guest, a race condition caused the guest to hang during the shut down sequence. The updated packages resolve this issue and Windows Server 2008 R2 guests will successfully shut down when requested after a migration. (BZ#533090)
  • a bug in the grow_refcount_table() error handling caused infinite recursion in some cases. This caused the qemu-kvm process to hang and eventually crash. (BZ#537075)
  • Full I/O error codes were not passed up to the host or the Red Hat Enterprise Virtualization Manager. Accurate I/O error codes are now forwarded to the user and management tools. (BZ#537077)
  • There was a regression in the qemu-img command, Fibre Channel devices could not be formatted using RAW or use preallocated RAW devices. The qemu-img command is updated to handle Fibre Channel devices in the RAW format. (BZ#537655)
  • Guests could not eject CD-ROMs from physical CD-ROM drives attached to the guest. The updated packages resolve this issue and guests can now eject CD-ROMs from physical CD-ROM drives. (BZ#539250)
  • The qcow2 file format unnecessarily rounded up the length of the backing format string to the next multiple of 8. The array in BlockDriverState can only store 15 characters, causing backing formats with 9 characters or more to fail. This issue effected devices using the host_device format. The updated packages resolve this issue by determining the length of the backing format of qcow2 devices. (BZ#540893)
  • Migrations could fail due to invisible physical CPU states. A new set of IOCTL exports report user-invisible states related to exceptions, interrupts, and Non-Maskable Interrupts (NMIs). These functions allow management tools to prevent this type of failed migration. (BZ#541084)
  • Guests could not PXE boot with gPXE and an emulated e1000 network interface card. The updated packages fix this issue and guests can boot images using gPXE and the emulated e1000 driver. (BZ#543979 and BZ#550265)
  • The KVM process could become non-responsive if a networked or local connect to the QXL driver was lost while the driver was running. This cause a "qxl_display_update: waiting for command" error message to be printed in the logs. The updated packages resolve this issue. (BZ#544785)
  • The qemu-kvm man page incorrectly described the qcow2 default as cache=writeback. The default is cache=none for qcow2 images and cache=writethrough for all other disk types. The man page for qemu-kvm has been updated to reflect this. (BZ#545194)
  • KVM did not verify if barriers were required for migration. KVM now verifies if barriers are required for guest migration and disables barriers if they are not required. (BZ#549938)
  • The hypercall driver for Windows guests did not reset the device when the guest was shut down or rebooted. This occasionally caused the driver to use 100% of the CPU and cause the guest to hang. (BZ#550755)
  • The kvm-qemu-img command failed to convert sparse RAW image files to qcow2 sparse snapshot image files. (BZ#558195)
  • Migration with the -M rhel5.5.0 parameter did not work for migration to or from Red Hat Enterprise Linux 5.5. Migration with the -M parameter is now supported and functional. (BZ#559163)
  • Removed a warning message which appeared when the -initrd option was used. (BZ#512672)
  • The KVM kernel module would panic if the paging64_sync_page() call was executed on a system using PCI passthrough devices. This kernel panic error could occur if a guest with an attached PCI device was started. The updated packages resolve this issue. (BZ#566385)
  • Various issues with compiling the KVM modules and packages. (BZ#533453,BZ#533059, BZ#539589 and BZ#533197)
  • Removed a debugging message qemu_popen: returning result of qemu_fopen_ops that displayed when saving a virtualized guest state into a compressed file. (BZ#530533)
These updated packages add the following enhancements:
  • Support for migration and image compatibility between Red Hat Enterprise Linux 5.4.4 and Red Hat Enterprise Linux 5.5 hosts. (BZ#553187 and BZ#557327)
  • The KVM hypervisor does not accept MSR_KERNEL_GS_BASE intercept calls for Windows Server 2008 guests. This improves performance of Windows Server 2008 guests under heavy loads. (BZ#488130)
  • qcow2 now uses 64Kb as the default block cluster size instead of 4Kb blocks which improves performance for guests using qcow2. (BZ#502809)
  • Various unsupported features of the qemu-kvm command are now compiled out of the kvm pacakges. (BZ#516672)
  • Support for migration from older hypervisors which use versions of savevm with additional fields which are not supported by newer versions. This feature is required for migrations from older hypervisors to newer versions of KVM. (BZ#541731)
  • Significantly improved performance of qcow2 devices using the cache=off parameter. (BZ#518169)
  • Support for guest access to advanced CPU extensions, including: SSE4.1, SSE4.2 and SSE4a. (BZ#518090)
  • SMBIOS table 4 data is now generated for Windows guests. (BZ#537178)
  • The cache flushing command was changed from fsync to fdatasync. This allows write caches to be exposed to guests and allows the guest to request for flushing I/O buffers. This improves I/O performance for some guests. (BZ#537646)
  • KVM can now use gPXE or etherboot roms stored in the /usr/share/qemu-pxe-roms directory. (BZ#546019 and BZ#550053)
  • Support for changing the file format of an in-place backing file. (BZ#530134)
  • Support for Red Hat Enterprise Linux 3.9 guests running the para-virtualized drivers. (BZ#536749)
  • The QXL driver now supports setting resolutions of 1024x576 and 1024x600. (BZ#552240)
All KVM users should upgrade to these updated packages, which resolve this issue as well as fixing the bugs and adding the enhancements noted in the Technical Notes. Note: The procedure in the Solution section must be performed before this update will take effect.

1.95. less

1.95.1. RHBA-2010:0214: bug fix and enhancement update

A re-based less package that also fixes two bugs is now available.
The less utility is a text file browser that resembles more, but with more capabilities ("less is more"). The less utility allows users to move backwards in the file as well as forwards. Because less need not read the entire input file before it starts, less starts up more quickly than text editors (vi, for example).
This update re-bases less from version 394 to version 436. Notes regarding the changes introduced by this re-base can be found at the upstream release notes links listed in the References field below.
This update also addresses to specific issues as follows:
* a previous less update, released as RHBA-2009-0413 and addressing
BZ#441691, introduced a regression: when scrolling line-by-line, some lines were truncated and some lines were duplicated. This update corrects the regression and scrolling line-by-line through a file now displays text as expected. (BZ#509553)
* the "--old-bot" switch (a switch which forces less to revert to its original bottom of screen behavior when scrolling forward through a file) was not documented in the less man page. This update adds appropriate documentation of this switch. (BZ#510724)
All less users should upgrade to this re-based package, which resolves these issues.

1.96. libXi

1.96.1. RHBA-2010:0127: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0127
Updated libXi packages that resolve an issue are now available.
libXi is the X.Org XInput runtime library.
These updated libXi packages fix the following bug::
* the XInitThreads() function initializes Xlib support for concurrent threads. Calling the XInitThreads() function could have caused deadlock with the result that the calling program became unresponsive. With this update, programs which call XInitThreads() in the correct manner do not suffer from deadlock and do not hang, thus resolving the issue. (BZ#563120)
All users of libXi are advised to upgrade to these updated packages, which resolve this issue.

1.97. libXrandr

1.97.1. RHBA-2009:1608: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1608
An updated libXrandr package that fixes a dependency bug is now available.
libXrandr is the runtime library for the X11 RandR extension.
This update addresses the following issue:
* the libXrandr-devel package requires libXext-devel to work but the package's spec file was missing the necessary "Requires" line. If libXrandr-devel was installed separately (for example, by running "yum install libXrandr-devel") and libXext-devel was not already installed, libXrandr-devel did not work. This dependency has been added to the spec file with this update: installing the libXrandr-devel package now pulls down all required dependencies, ensuring libXrandr-devel works as expected. (BZ#498044)
Users are advised to upgrade to this updated libXrandr package, which resolves this problem.

1.98. libXt

1.98.1. RHBA-2010:0192: bug fix update

An updated libXt package that fixes a bug which prevented C++ code from building is now available.
libXt is the X toolkit intrinsics runtime library.
* conflicting declarations in several header files meant C++ code could not be compiled against libXt. With this update, these conflicts have been resolved and C++ applications can, once again, build against the libXt library. (BZ#487354)
Users are advised to upgrade to this updated package, which resolve this problem.

1.99. libaio

1.99.1. RHBA-2010:0277: bug fix update

An enhanced libaio package is now available.
The Linux-native asynchronous I/O facility ("async I/O" or "aio") has a richer API and capability set than the simple POSIX asynchronous I/O facility. This library, libaio, provides the Linux-native API for asynchronous I/O. The POSIX asynchronous I/O facility requires this library in order to provide kernel-accelerated asynchronous I/O capabilities, as do applications which require the Linux-native asynchronous I/O API.
Red Hat Enterprise Linux lacked support for eventfd, which generates file descriptors. These descriptors are used to provide an event wait/notify mechanism for userspace applications. eventfd has now been added to the API and integrated with Asynchronous Input/Output (AIO). It eliminates the need to use pipes to signal events, reducing kernel overhead as it does not consume two file descriptors each time, as the previous method did. eventfd also offers an fd-bridge and can be used to signal the readiness of interfaces that would otherwise be incompatible with the Linux kernel. (BZ#540626)
Users are advised to upgrade to this updated libaio package, which adds this enhanced functionality. [Kernel update needed: RHBA-2009:9260]

1.100. libcmpiutil

1.100.1. RHBA-2010:0222: bug fix and enhancement update

An updated libcmpiutil package that fixes bugs and introduces feature enhancements is now available.
libcmpiutil provides a convenient API for performing common tasks with different CMPI providers.
* the libcmpiutil package is used by the libvirt-cim package. An update to the libvirt-cim package requires this update. (BZ#540843)
Users are advised to upgrade to this updated libcmpiutil package, which resolves these issues and adds these enhancements.

1.101. libevent

1.101.1. RHEA-2010:0244: enhancement update

An updated libevent package that rebases to the current stable upstream release is now available.
The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. libevent is meant to replace the asynchronous event loop found in event driven network servers. An application just needs to call event_dispatch() and can then add or remove events dynamically without having to change the event loop.
This update rebases the libevent library included with Red Hat Enterprise Linux from version 1.1a to the current stable upstream release, version 1.4.13. (BZ#476557)
For details on the changes between these two versions see the upstream Changelogs available on the libevent home page:
All users of libevent or applications that use the libevent library should install this updated package.

1.102. libgnomecups

1.102.1. RHBA-2009:1577: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1577
Updated libgnomecups packages that resolve an issue are now available.
The libgnomecups library integrates CUPS (the Common Unix Printing System) with the GNOME desktop
These updated libgnomecups packages fix the following bug:
* previously, the .lpoptions file in the user's home directory contained the default user-specific print queue options. For CUPS version 1.2, this file changed locations to the ~/.cups/lpoptions file. These updated packages make libgnomecups aware that the new location for user-specific print queue options is the ~/.cups/lpoptions file. (BZ#509064)
All CUPS users are advised to upgrade to these updated packages, which resolve this issue.

1.103. libgtop2

1.103.1. RHBA-2010:0099: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0099
Updated libgtop2 packages that resolve an issue are now available.
The libgtop2 package contains a library that enables access to information related to system statistics such as CPU, memory and disk usage, active processes, PIDs, and more.
These updated libgtop2 packages fix the following bug:
* stat files live under the /sys/block directory; for example, /sys/block/sda/sda1/stat would be the stat file corresponding to the first partition on the first (non-IDE) drive. These stat files provide several statistics about the state of a block device. However, libgtop2 parsed the line of information supplied by stat files on recent versions of Red Hat Enterprise Linux incorrectly, which caused, for example, the GNOME System Monitor utility to display graphs which used incorrect colors and/or values. This update ensures that the stat files are parsed correctly and thus supply correct information to applications which make use of libgtop2. (BZ#548693)
* libgtop2 was unable to correctly parse /proc/[pid]/smaps files to determine memory usage information due to the fact that a field for swap usage was added to smaps files. This update fixes the parser so that it is once again able to correctly parse smaps files. (BZ#562817)
All users are advised to upgrade to these updated packages, which resolve this issue.

1.104. libhugetlbfs

1.104.1. RHEA-2010:0056: enhancement update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHEA-2010:0056
An updated libhugetlbfs package that adds a script to simplify huge page setup is now available.
The libhugetlbfs library interacts with the Linux hugetlbfs to make large pages available to applications in a transparent manner.
This update adds the following enhancement.
* previously, huge pages worked well once configured but setting them up was a complicated, multi-step, potentially error-prone process. This updated package includes a script -- huge_page_setup_helper -- that asks for three pieces of data and then sets up huge pages for use based on the answers provided. The three data points required by the script are the memory to allocate to huge pages and the group and users who should be allowed access to the huge pages. (BZ#523346)
All huge pages users should install this updated package which includes this enhancement.

1.105. libsepol

1.105.1. RHBA-2010:0183: bug fix update

An updated libsepol package that resolves a policy issue is now available.
libsepol provides an API for the manipulation of SELinux binary policies. It is used by checkpolicy (the policy compiler) and similar tools, and programs such as load_policy, which must perform specific transformations on binary policies (for example, customizing policy boolean settings).
This updated libsepol package addresses the following issue:
* newer SELinux kernels have access checks that the shipping SELinux policy package does not understand. The kernel currently denies these access checks by default. This updated libsepol package allows the checkpolicy and selinux-policy packages to build policy that tells the kernel to "Allow" unknown access. (BZ#531228)
All SELinux users should install this updated package which resolves this issue.

1.106. libuser

1.106.1. RHBA-2009:1525: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1525
Updated libuser packages that fix a bug are now available.
The libuser library implements a standardized interface for manipulating and administering user and group accounts. Applications that are modeled after applications from the shadow password suite are included in these packages.
These updated libuser packages fix the following bug:
* nscd, the name service caching daemon, provides a cache for common name service requests. The libuser utilities were unable to signal to nscd that its cache should be refreshed, which caused name service delays after changing user account information. For example, after adding a new user with the luseradd utility, the newly-added user was not available until ncsd invalidated and subsequently rebuilt its cache. With this update, the libuser utilities are once again able to signal to nscd that it should rebuild its cache, with the effect that changes that affect the name service take effect more quickly. (BZ#528644)
All users of libuser are advised to upgrade to these updated packages, which resolve this issue.

1.107. libvirt

1.107.1. RHBA-2009:1424: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1424
Updated libvirt packages that resolve an issue are now available.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remotely managing virtualized systems.
These updated libvirt packages fix the following bug:
* the PIT clock is the programmable interrupt timer clock, which triggers interrupts at certain counts, and is the default clock for Red Hat Enterprise Linux KVM guests. Guests which used the PIT experienced clock drift due to interrupt re-injection. The "-no-kvm-pit-reinject" option has now been added to the KVM command line, which solves potential clock drift on Red Hat Enterprise Linux KVM guests. (BZ#517903)
All libvirt users are advised to upgrade to these updated packages, which resolve this issue.

1.107.2. RHBA-2010:0205: bug fix and enhancement update

Updated libvirt packages that fix several bugs and introduce feature enhancements are now available for Red Hat Enterprise Linux 5.
These updated packages fix the following bugs:
  • On Xen guests, the netfront and RTL8192 network drivers could run concurrently, bringing up two network interfaces where only one was configured. The two interfaces would share the same MAC address and could cause networking difficulties. Support for a netfront interface model has been added, meaning only the single netfront interface is configured.
  • The storage pool deletion routine did not distinguish between files and directories when removing data. As a result, inactive storage pools could not be deleted. With this update, files and directories are removed appropriately, allowing inactive storage pools to be deleted.
  • When adding a new physical host PCI device, libvirt would not attempt to reset the PCI bus if other functions or devices were present on the same bus. Some PCI devices could not utilized for virtualization as a result. Attempts to reset the PCI bus will now be made, allowing affected devices to be used for virtualization.
  • Devices attached to a guest in managed mode were not automatically re-attached to the host OS when the guest shut down. Manual intervention was required to use these devices again when the guest is re-started. Managed mode devices will now be re-attached to the host when the guest shuts down, allowing them to be automatically used when the guest is re-started..
  • The Xen driver was not checking that guest domains with the same UUID also had the same name. Using the virsh edit command to change the name of a Xen domain would make a new copy of the configuration file with the new name, but not alter the original configuration file. UUIDs and names for guest domains are now checked to ensure they match. Attempting to change the name of a domain using the virsh edit command will now return an error message and not make any change to the system.
  • Valid values for the credit scheduler parameter are in the range 0-65534. A value of 65535 was being accepted as valid, but would not alter the scheduler configuration. With this release, only values within the valid range are accepted.
  • Using the info command to change memory values on a KVM guest showed that inactive KVM guest memory was not being reported correctly. Memory reporting for unused domains was corrected in the qemu driver and the info command now returns the correct value.
  • Running the command virsh vol-key volname was sometimes resulting in a segmentation fault. A change was made to the way pool objects are handled and the key lookup no longer crashes.
  • Using the pool parameter with the virsh vol-path command would result in errors. The virsh vol-path command was altered to support the pool parameter and the errors no longer occur.
  • The virsh find-storage-pool-sources command failed to find any dir/nfs/netfs pool sources and failed with unknown failure. The error reporting was fixed and the command now works as expected.
  • The virsh nodedev-create command resulted in an out of memory error. This was found to be a false positive. The checks were updated, and the error now only occurs if there is an actual memory problem.
  • Two different methods were using the same name for different libvirt entry points, which created a device error when creating nodes. One of the methods was renamed and node creation now works as expected.
  • Running the virsh nodedev-destroy command to destroy a NIC interface caused libvirtd to hang indefinitely. The locking issue was found and rectified and the libvirtd crash no longer occurs.
  • Running the virsh vol-delete command produced a failed to connect to the hypervisor error and libvirtd needed to be restarted. The code was altered to refresh allocation and permissions information, but not capacity information, and the command now works as expected.
  • When an XML configuration file was generated using virsh dumpxml for a running virtual machine, it contained parameters used for backwards compatibility with previous versions. virt-xml-validate would report that the generated file was not valid because of these legacy parameters. The validate program was altered to accept the parameters used in the generated XML file, which now validates correctly.
  • Running concurrent TLS connections under the libvirt python wrapper caused libvirt to crash. Changes were made to the way that GNUTLS handles threading and the crash no longer occurs.
  • libvirt was not reporting current vCPU and pCPU placement or the vCPU execution time counter accurately. The behavior was changed so that libvirt doesn't find out the affinity when set with taskset, but does when set with virsh vcpupin. The reporting is now correct.
  • Creating npiv devices works as expected, but puts error messages into the /var/log/messages file. The Opened WWN path /sys/class/fc_host//host5/port_name for reading message was updated and the error messages no longer appear in the log file.
  • The virsh man page described most operations as being asynchronous, which is not the case. The man page was updated to state that most operations are synchronous except creation and shutdown of domains.
  • Guests that use the default source clock try to compensate for lost ticks by reading the TSC as well. This can cause the guest clock to go out of synchronization. All Red Hat Enterprise Linux guests now unconditionally add --no-kvm-pit-reinjection to the qemu command line, and the guest no longer falls out of synchronization.
  • libvirt would not perform a power management reset if there were other functions on the device. The PCI Power Management reset only affects individual functions, and not the whole device. The check for other functions was removed, so that where both are available, the whole device reset is preferred over individual function resets.
  • When a migration was performed to a virtual machine that had been paused, the virtual machine would no longer be paused after the migration had completed. The behavior of qemu-kvm was changed so that it no longer 'forgets' the virtual machine is paused, and it will now stay paused during a migration.
  • libvirt was ordering disks unecessarily. When a new disk was added, it would sometimes shift the boot disk later in the list, causing the user to be unable to boot. The sorting algorithm was changed, and will now insert a new disk as far to the end of the list as possible, while being ordered correctly with other disks on the same bus. This resolved booting errors caused by disk ordering.
  • A typographical error in an XML domain file caused libvirtd to suffer a segmentation fault. A check was added, and a typing mistake will now cause libvirtd to fail gracefully and produce a meaningful error report.
  • Devices that are assigned below a non-ACS switch can cause transactions to bypass the VT-d hardware and the validation process. libvirt now successfully blocks devices between non-ACS switches, unless the user specifies the permissive='yes' attribute for <hostdev>, so all transactions now undergo validation by default.
  • When querying Xen remotely virsh would sometimes raise an "unknown failure" error. The semantics were modified and where possible, the error is now more informative.
  • When using xen+ssh:// to connect to a host, sometimes an RPC entry point would not be available and dominfo would raise an uninformative error: unknown procedure error. The error reporting was changed and it now reports as an unsupported entry point.
  • When a network created a bridge, it would only be enabled if the host had an IP on that bridge. This would cause the bridge creation to fail quietly, and packets would not be passed as expected. The error messages were improved for bridge creation and deletion, and if a failure occurs, it will now produce an informative error.
  • HVM VT-d PCI passthrough attach and detach was not working correctly and devices could not be hotplugged. The attach and detach code now has additional checks and hotplugging functions as expected.
  • When virt-manager tried to attach a PCI device to a Xen guest, it called virNodeDeviceReset and subsequently crashed. The Xen driver was updated, and it now checks if a given PCI device is assigned to another guest, so that PCI devices can be attached as expected.
  • When the host was running the KVM hypervisor, the libvirtd process was occasionally unable to connect to the hypervisor. In this case, qemu-kvm failed to start, and gave a false NUMA out of memory error. The error handling was changed so that NUMA errors are now non-fatal. Errors are now logged, and connection progresses as expected.
  • libvirt was found to be incorrectly detecting machine types supported by KVM. This meant that KVM guests which did not specify any machine type could not be created. This also caused some rare problems that would cause /distribution/virt/install to fail. libvirt was updated to correctly detect and identify KVM-supported machine types.
These updated packages add the following enhancements:
  • Support has been added for assigning Single Root I/O Virtualization (SR-IOV) devices to qemu guests.
  • Implementation of the virsh dump command for QEMU/KVM guests is included in this release.
  • Support was added to libvirt for KVM PCI device assignment hotplug.
  • Added -mem-prealloc to the KVM command line when using hugepage.
  • libvirt now allows the creation of more than 256 guests, and more than 150 DHCP leases.
  • The -M rhel5.4 arguments are now passed by default when launching qemu-kvm. This improves backward migration ability.
Users of libvirt are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.108. libvirt-cim

1.108.1. RHBA-2009:1421: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1421
An updated libvirt-cim package that fixes a bug is now available.
The libvirt-cim package is a Common Manageablity Programming Interface (CMPI) CIM provider that implements the Distributed Management Task Force's (DMTF's) System Virtualization, Partitioning and Clustering (SVPC) virtualization model. This package supports most of the features of libvirt and enables management of multiple platforms with a single provider.
This updated libvirt-cim package fixes the following bug:
* during installation, when the libvirt-cim package was selected in the KVM group, the xen package was installed as a dependency. This update removes the dependency on the xen package so that installing libvirt-cim does not cause the xen package to be installed. This is useful for customers who wish to use KVM virtualization with libvirt and libvirt-cim. (BZ#517817)
All users of libvirt-cim are advised to upgrade to this updated package, which resolves this issue.

1.108.2. RHBA-2010:0206: bug fix and enhancement update

An updated libvirt-cim package which fixes a dependency error, adds support for domain console and network and storage pools in Red Hat Enterprise Linux 5.5 and re-bases the package from version 0.5.5 to version 0.5.8 is now available.
Libvert-cim is a Common Manageability Programming Interface (CMPI) based Common Information Model (CIM) provider. It supports most libvirt virtualization features and allows for the management of multiple libvirt-based platforms.
This update addresses the following bug:
* the libvirt-cim.spec file included a "Requires: xen" line. Consequently, selecting the libvirt-cim package in the KVM group during installation installed the xen package as a dependency. For this update, that line was removed and Xen is no longer installed automatically when libvirt-cim is installed. (BZ#517579)
Note: libvirt-cim is an optional package in the KVM group and will not be installed if only the KVM group is selected. The package has to be selected manually from the optional packages list to be installed.
Note: a workaround for this issue existed. It required not selecting libvirt-cim during installation and, after installation and registration of the system to the Red Hat Network (RHN), installing an updated libvirt-cim package from RHN. This workaround is no longer necessary.
This update also re-bases the package from version 0.5.5 to version 0.5.8. This re-base addresses several minor bugs as noted in the ChangeLog included in libvirt-cim.spec (available as part of the source rpm). The re-base also adds the following enhancement:
* guest domain console support as well as support for storage pools and network pools was added. (BZ#512233)
All users of virtualization tools that interact with libvirt, especially those using CMPI and CIM, should install this updated package which addresses this problem and adds this enhancement.

1.109. libvorbis

1.109.1. RHSA-2009:1561: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1561
Updated libvorbis packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg Vorbis is a fully open, non-proprietary, patent-and royalty-free, general-purpose compressed audio format.
Multiple flaws were found in the libvorbis library. A specially-crafted Ogg Vorbis media format file (Ogg) could cause an application using libvorbis to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3379)
Users of libvorbis should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.

1.110. linuxwacom

1.110.1. RHEA-2010:0325: enhancement update

An enhanced linuxwacom package is now available.
The Linux Wacom Project manages the drivers, libraries, and documentation for configuring and running Wacom tablets under the Linux operating system. It contains diagnostic applications as well as X.org XInput drivers
* support was added for the Intuos 4 tablet. (BZ#566602)
All users requiring Intuos 4 tablet support should install this new package, which adds this enhancement.

1.111. lm_sensors

1.111.1. RHBA-2010:0186: bug fix and enhancement update

Updated lm_sensors packages that fix a bug and add various enhancements are now available.
The lm_sensors package includes a collection of modules for general SMBus access and hardware monitoring.
These updated lm_sensors packages fix the following bug:
* running the "sensors-detect" utility while redirecting input from /dev/null resulted in the following error message: "Use of uninitialized value in pattern match.../usr/sbin/sensors-detect". This spurious error message was caused by the referencing of an uninitialized variable, and has been fixed in this update. (BZ#474383)
In addition, these updated packages provide the following enhancements:
Important: the kernel update for Red Hat Enterprise Linux 5.5 includes updated hwmon kernel drivers that are necessary to enable newly-enabled sensor types. The Red Hat Enterprise Linux 5.5 kernel should therefore be installed along with this update.
* lm_sensors now contains support for the fschmd driver, which means that the FSC Syleus chip is now supported. (BZ#513099)
* the following devices are now supported (BZ#473119, BZ#448223,
Analog Devices ADM1022, ADM1028 and ADM1029 Analog Devices ADT7470 Asus F71882FG and F71883FG FSC Heimdal Fintek F75373S/SG and F75375S/SP Fujitsu Technology Solutions Heracles, Hermes, Poseidon and Scylla Intel Core family thermal sensors Maxim MAX6650 and MAX6651 National Semiconductor LM93 and PC87427 SMSC DMF1737 SMSC SCH3112, SCH3114 and SCH3116 SMSC SCH5027D-NW and SCH5127 Texas Instruments THMC50 VIA VT1211 Winbond W83L786 NR/NG/R/G Winbond W83793 and R/G
Users of lm_sensors are advised to upgrade to these updated packages along with the Red Hat Enterprise Linux 5.5 kernel update. Doing so resolves this issue and add these enhancements.

1.112. log4cpp

1.112.1. RHEA-2010:0313: enhancement update

Updated log4cpp packages that add support for 32-bit x86 platforms are now available.
log4cpp is a library of C++ classes for flexible logging to files, syslog, IDSA and other destinations. It is modeled after the Log for Java library (http://www.log4j.org), staying as close to their API as is reasonable.
* Only the 64-bit x86 version of log4cpp was provided previously. This updated package includes both 32-bit and 64-bit x86 platform versions of the library. (BZ#552566)
* Installing both the 32-bit and 64-bit versions of the library in parallel caused a multilib conflict when the HTML documentation was built as part of the installation process. This prevented the installation of both versions on a single machine.
The HTML documentation was extracted to a separate package to allow multilib installation. (BZ#502679)
Users who wish to install both 32-bit and 64-bit versions for x86 platforms are advised to upgrade to these packages.

1.113. logwatch

1.113.1. RHBA-2010:0033: bug fix and enhancement update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0033
An updated logwatch package that fixes various bugs and adds an enhancement is now available.
LogWatch is a customizable log analysis system. LogWatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require.
This updated logwatch package includes fixes for the following bugs:
* .hdr files are headers for RPM packages; they are essentially metadata. LogWatch's HTTP service parser emitted warnings for .hdr files, even when the "Detail" parameter was set to "Low". With this update, .hdr files are now parsed as archives, which removes spurious warnings about .hdr files. (BZ#465212)
* the following missing directories have been added under the /etc/logwatch/scripts/ directory: "logfiles", "services" and "shared". This mirrors the subdirectory structure of the /usr/share/logwatch/scripts/ directory, and also corresponds to the existing documentation. (BZ#489490)
* LogWatch attempted to interpret certain compressed log files as plain text log files, which resulted in binary information being written to LogWatch output. With this update, LogWatch correctly decompresses these compressed log files before attempting to read and interpret them. (BZ#511928)
In addition, this updated logwatch package provides the following enhancement: * LogWatch is now able to parse several new and previously-unmatched entries in the postfix, dovecot and up2date application logs. (BZ#460993, BZ#424031, BZ#466455)
All users of logwatch are advised to upgrade to this updated package, which resolves these issues and provides this enhancement.

1.114. lvm2

1.114.1. RHBA-2009:1476: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1476
Updated lvm2 packages that fix bugs are now available.
The lvm2 packages contain support for Logical Volume Management (LVM).
This update applies the following bug fixes:
* Adds new option prioritise_write_locks in lvm.conf. Without enabling this option, whenever there are competing read-only and read-write access requests for a volume group's metadata, the write access may be stalled by a high volume of read-only requests.
NOTE: This option only affects locking_type 1 (local file-based locking).
* Make all tools use consistent lock ordering. This fixes vgextend command to block instead of failing when requested Volume Group is locked read-only.
* Use read-only instead or write lock for lvchange --refresh.
* Adds global/wait_for_locks to lvm.conf so blocking for locks can be disabled.
* Fixes bug where non-blocking file locks could be granted in error.
All users of lvm2 are advised to upgrade to these updated packages, which resolve these issues.

1.114.2. RHBA-2009:1538: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1538
Updated lvm2 packages that fix a bug are now available.
The lvm2 packages contain support for Logical Volume Management (LVM).
This update applies the following bug fix:
* Fix default device mode permissions when using static lvm.
All users of lvm2 are advised to upgrade to these updated packages, which resolve this issue.

1.114.3. RHBA-2010:0298: bug fix and enhancement update

Updated lvm2 packages that fix several bugs and add enhancements are now available.
The lvm2 packages contain support for Logical Volume Management (LVM).
This update applies the following bug fixes:
* Fixes crash in dmevnetd if both snapshot and mirror monitoring is used.
* Fixes several memory locking problems which could lead to deadlocks.
* Uses read-only instead or write lock for lvchange --refresh.
* Fixes bug where non-blocking file locks could be granted in error.
* Uses fixed buffer to prevent stack overflow in persistent filter dump.
* Fixes default device mode permissions when using static lvm.
* Fixes return code of info call for query by uuid.
* Allows vgremove of a VG with PVs missing.
* Drops metadata cache after device was autorepaired and removed from VG.
* Removes missing flag in metadata if PV reappeared and is empty.
* Fixes unlocking of Volume Group in pvresize and toollib error paths.
* Removes log volume from metadata if initial deactivation fails.
* Fixes several memory leaks in pvs and pvdisplay commands.
* Dumps persistent device filter after every full scan.
* Refreshes device filters before full device rescan.
* Returns error status if vgchange fails to activate some volume.
* Restricts vgchange to activate only visible LVs.
* Fixes pvmove region_size overflow for very large PVs.
* Fixes lvcreate and lvresize %PVS argument always to use sensible total size.
* Delays announcing mirror monitoring to syslog until initialisation succeeded.
* Doesn't attempt to deactivate an LV if any of its snapshots are in use.
* Fixes pvcreate string termination in duplicate uuid warning message.
* Makes lvchange --refresh only take a read lock on volume group.
* Makes lvconvert honour log mirror options combined with downconversion.
* Makes all tools use consistent lock ordering obtaining VG_ORPHAN lock second.
* Fixes memory leak in vgsplit when re-reading the vg.
* Fixes crash in vg_release.
* Explicitly requests fallback to default major number in device mapper.
* Rounds up requested readahead to at least one page and print warning.
* Fixes mirror convert polling to ignore LV with different UUID.
As well, this update adds the following enhancements:
* Uses lvconvert --repair instead of vgreduce in mirror dmeventd and introduces to use mirror image and log policies. In the event of a failure, the policy specified in lvm.conf will be used to determine what happens (for exact description see using mirror_log_fault_policy and mirror_image_fault_policy comments in lvm.conf).
* Updates man pages, including lvcreate,lvconvert to explain PhysicalVolume parameter, document --all option, clarify use of PE ranges, mention --repair in lvconvert and document size units uniformly.
* Adds new option prioritise_write_locks in lvm.conf. This option only affects locking_type 1 (local file-based locking).
* Introduces new read-only locking as locking type 4.
* Adds wait_for_locks option to lvm.conf so blocking for locks can be disabled.
* Adds an API version number, LVM_LIBAPI, to the VERSION string for liblvm.
* Handles metadata with unknown segment types more gracefully.
* Adds --pvmetadatacopies for pvcreate, vgcreate, vgextend, vgconvert.
* Adds implict pvcreate support to vgcreate and vgextend.
* Recognises DRBD devices and handle them like MD mirror devices.
* Checks MD devices for a partition table during device scan.
* Adds extended device (blkext) and md partition (mdp) types to filters.
* Distinguishes between powers of 1000 and powers of 1024 in unit suffixes (si_unit_consistency lvm.conf option).
* Introduces automatic data_alignment detection and adds devices/data_alignment_detection to lvm.conf.
* Adds --dataalignmentoffset to pvcreate to shift start of aligned data area.
* Updates 'md_chunk_alignment' to use stripe-width to align PV data area.
Users of lvm2 are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.115. lvm2-cluster

1.115.1. RHBA-2009:1475: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1475
Updated lvm2-cluster packages that fix several bugs are now available.
The lvm2-cluster packages contain support for Logical Volume Management (LVM) in a clustered environment.
This update applies the following bug fixes:
* Make all tools use consistent lock ordering. This fixes vgextend command to block instead of failing when requested Volume Group is locked read-only.
* Use read-only instead or write lock for lvchange --refresh.
* Adds global/wait_for_locks to lvm.conf so blocking for locks can be disabled.
* Fixes bug where non-blocking file locks could be granted in error.
Users of lvm2-cluster are advised to upgrade to these updated packages, which resolve these issues.

1.115.2. RHBA-2010:0299: bug fix and enhancement update

Updated lvm2-cluster packages that fix several bugs and add enhancements are now available.
The lvm2-cluster packages contain support for Logical Volume Management (LVM) in a clustered environment.
This update ensures that the bugs fixed by the lvm2 advisory are also fixed in a clustered environment.
This update applies the following bug fixes:
* Fixes pvmove abort to be cluster-aware when temporary mirror activation fails.
* Always query active device by using uuid only in cluster.
* Unlocks shared lock in clvmd if device activation call failed.
* Fixes clvmd to never scan suspended devices.
* Never uses distributed lock for LV in non-clustered VG.
* Fixes clvmd memory leak in lv_info_by_lvid.
* Fixes clvmd segfault when refresh_toolcontext fails.
* Makes clvmd return 0 on success rather than 1.
This update adds the following enhancements:
* Propagates commit and revert metadata notifications to other nodes in cluster.
* Allows implicit convert to the same cluster lock mode.
* Adds LSB standard headers and functions to clvmd initscript.
Users of lvm2-cluster are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.116. man-pages

1.116.1. RHBA-2009:1574: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1574
An updated man-pages package that corrects numerous documentation errors and omissions is now available for Red Hat Enterprise Linux 5.
The man-pages package provides man (manual) pages from the Linux Documentation Project.
This updated man-pages package addresses the following issues:
* some shells (including bash, the default Red Hat Enterprise Linux shell) have a built-in "time" command. The time man page, however, documents /usr/bin/time, which provides options not available using the shell keyword equivalent. Previously, the time man page did not note this distinction. The time manual's DESCRIPTION section now notes both the existence of built-in time commands and that the man page documents /usr/bin/time and not these built-in shell keywords. (BZ#443059)
* the proc pseudo file system includes a series of process status information directories at /proc/[number]/stat (where [number] is the Process ID or PID). There are 42 status parameters but the proc man page did not document the 42nd, delayacct_blkio_ticks. This parameter, which returns aggregated block I/O delays, is now documented. (BZ#452290)
* the proc man page referenced two external files incorrectly. In the Description section, Memory Type Range Registers (/proc/mtrr) details were referenced to /usr/src/linux/Documentation/mtrr.txt. The See Also section, referenced proc.txt to /usr/src/linux/Documentation/filesystems/. The referenced files are in /usr/share/doc/kernel-doc-2.6.18/Documentation/ and the proc man page now reflects this. (BZ#456219)
* the POSIX man pages -- in /usr/share/man/man0p/, /usr/share/man/man1p/ and /usr/share/man/man3p/ -- document applications that are not necessarily included with Red Hat Enterprise Linux but the documentation did not note this. These pages now have a boilerplate PROLOG section added that notes this explicitly. (BZ#468897)
* the syslog facility, LOG_KERN, specified the kernel as the message source but did not note that this facility can be generated only by the kernel. The syslog man page now notes the LOG_KERN facility cannot be generated from user processes. (BZ#471176)
* the pthread_setaffinity_np (part of pthread.h) man page was not included in the man-pages package. It now is. (BZ#474238)
* the /proc/sys/fs/file-nr description in the proc man page still reflected file-nr's use by version 2.4.x of the Linux kernel. This description has been updated to reflect the file's use in version 2.6 of the kernel. (BZ#497197)
* the gai.conf man page included a repeated mis-spelling in its EXAMPLE section: precendence. This has been corrected to "precedence". (BZ#515346)
* zdump, a tool which returns the time in each timezone listed on the command line, includes a "--version" switch which returns zdump's version. The zdump man page did not list this option. The switch is now listed in the SYNOPSIS section as expected. (BZ#517309)
* the statfs man page has been completely updated. As well, "man statfs64" now displays the statfs documentation rather than the statfs64 page, which has been removed. This latter change removes a significant error in the previous (and prototype) statfs64 SYNOPSIS section. (BZ#518984)
* the aliases description in the nsswitch.conf man page was easily misconstrued to suggest aliases were not used at all. A re-written description makes it clear this database is used and clarifies the default SendMail configuration on Linux (which, by default, uses an alias resolution system independent of /etc/nsswitch.conf). (BZ#522761)
* the SOCKET OPTIONS section of the ip man page listed IP_MULTICAST_IF as taking ip_mreqn or ip_addr arguments. This is incorrect: IP_MULTICAST_IF takes arguments with ip_mreqn or in_addr structures. This update corrects the error. (BZ#524246)
* /proc/sys/fs/file-max defines a system-wide limit on the number of open files for all processes. This limit does not, however, apply to a root user (or any user with CAP_SYS_ADMIN privileges). This latter fact was not documented in the proc man page: it now is. (BZ#527196)
All man page users should upgrade to this updated package, which resolves these issues.

1.117. man-pages-ja

1.117.1. RHBA-2009:1630: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1630
An updated man-pages-ja package that fixes documentation errors and typos is now available.
The man-pages-ja package contains Japanese translations of the Linux Documentation Project man pages.
This updated package corrects errors and fixes typos as follows:
* the mkfs man page stated a file system could be built on a device (eg /dev/hda1) or the mount point for the file system (eg /usr or /home). The latter statement is incorrect: a file system can not be built on a file system's mount point. The English language version of the mkfs man page was corrected previously. With this update, the Japanese version has also been corrected. (BZ#486655)
* the Japanese version of the less man page noted the application can identify Japanese character encodings from the LANG environment variable. This is not correct: with older versions of less, when LANG was set to Shift JIS (ja_JP.SJIS) and less was run on a file that contains SJIS mult-byte characters, a "may be a binary file. See it anyway?" message was returned. To run less on files containing SJIS multi-byte characters, in addition to setting the appropriate LANG environment variable, the LESSCHARSET environment variable had to be set to "dos". This update removes documentation related to Japanese-specific features of older version of less (including the details noted above). (BZ#509048)
* the strings command takes a "--byte=min-len" option but the Japanese strings man page presented this option as "-byte=min-len" (ie, with a missing initial hyphen). This error has been corrected. Note: attempting to run strings with, in effect, a "-b" option returns an "invalid option -- b" error, along with help text noting the "--bytes=[number]" option. (BZ#515467)
* the chgrp command's "--dereference" option is the default, and is documented as such in the English languae chgrp man page. Previously, however, the Japanese translation erroneously listed "-h" or "--no-dereference" as the default. This error has been corrected and the Japanese chgrp man page now correctly lists "--dereference" as the default option. BZ#527638
* the SOCKET OPTIONS section of the ip man page listed IP_MULTICAST_IF as taking ip_mreqn or ip_addr arguments. This is incorrect: IP_MULTICAST_IF takes arguments with ip_mreqn or in_addr structures. This update corrects the error. Note: the same error was present in the original English man page. The English-language error was corrected in Red Hat Enterprise Linux 5 via the man pages bug fix update, RHBA-2009-1574. (BZ#537103)
* the previous release of man-pages-ja contained an older version of the hostname man page which did not document all available command options. This has been corrected: this new man-pages-ja release includes an up-to-date man page which documents all of the hostname command's options. (BZ#533782)
* the elvtune command is deprecated for Linux kernel version 2.6 and it is not shipped with Red Hat Enterprise Linux 5. the elvtune man page was still included in the man-pages-ja package, however. With this update, the elvtune man page has been removed to avoid confusion. (BZ#519707)
All man-pages-ja users should upgrade to this updated package, which resolves these issues.

1.118. mcelog

1.118.1. RHBA-2010:0247: bug fix update

An updated mcelog package that restricts mcelog operation on para-virtualized guests running under the Xen hypervisor is now available.
mcelog is a daemon that collects and decodes Machine Check Exception data on AMD64- and Intel 64-based systems.
This update addresses the following issue:
* in some circumstances, mcelog can run on para-virtualized guest operating systems (domU) running under the Xen hypervisor (dom0). This results in near 100% cpu usage on the guest, with the mcelog process blocking all other proccesses. This update adds a check to /etc/cron.hourly/mcelog.cron: if the check finds it is running on a para-virtualized guest, it exits, ensuring mcelog does not execute in such circumstances. (BZ#522827)
All mcelog users should install this this new mcelog package, which adds the check to resolve this issue.

1.119. mdadm

1.119.1. RHBA-2010:0006: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0006
An updated mdadm package that fixes a bug is now available.
mdadm is used to create, manage, and monitor Linux MD (software RAID) devices. It provides similar functionality to the raidtools package.
This updated package fixes the following bug:
* the previous mdadm update added a data scrubbing cron job, /etc/cron.weekly/99-raid-check, that looks for bad sectors on drives in redundant arrays and fixes the bad sectors using data from other drives to reconstruct sectors that return read errors. The script only performs checks on idle, healthy arrays but, previously, it initiated each check operation in turn, and switched idle arrays to active as it went. Consequently, if different arrays shared the same physical drive, the raid-check script only checked one of the arrays on that drive. With this update the raid-check script now gets the the state from all arrays on all drives before initiating the first check operation. Multiple arrays on a single device are now checked by the raid-check script as expected. (BZ#523000)
All mdadm users are advised to upgrade to this updated package, which resolves these issues and adds this feature.

1.120. mesa

1.120.1. RHBA-2010:0261: bug fix update

Updated mesa packages that fix a bug in xorg-x11-server are now available.
Mesa provides a 3D graphics API that is compatible with OpenGL. It also provides hardware-accelerated drivers for many popular graphics chips.
This update addresses the following issue:
* the OpenGL Extension to the X Window system (GLX) provides OpenGL functions to X Windows-based applications. Previously, when a so-called 'GLX window' (ie a window drawn by an X Windows-based application containing OpenGL rendered data) was re-sized horizontally on a system with Mobile Intel 945GM Express video hardware, the X session segfaulted. As well, re-sizing such a window vertically and then maximizing and restoring the window also caused X to segfault. This updated mesa package includes a fix to the frambuffer code that properly signals the changed buffer state to the driver, ensuring the driver updates its clipping and does not, as a consequence, cause X to crash. (BZ#536868)
Note: due to the unusual build process for this package, the code fix is applied to the mesa packages, but the resulting compiled code is in the xorg-x11-server package (see BZ#435963 for the bug as raised against xorg-x11-server).
All users compiling their own xorg-x11-server packages should upgrade to these updated mesa packages, which resolves this issue.

1.121. metacity

1.121.1. RHBA-2009:1610: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1610
An updated metacity package that fixes a raising windows bug and corrects a crash with remotely displayed applications is now available.
Metacity is the default window manager for the GNOME desktop.
This errata fixes two bugs in the metacity package:
* some applications, mostly older Tcl/Tk and Java applications, use the old XRaiseWindow call rather than _NET_ACTIVE_WINDOW to raise a window above the currently focused window. Metacity allows XRaiseWindow when the same application keeps focus but defines an application by its window group. Some of these older applications also do not set the window group and, consequently, metacity did not honor window-raising requests from such applications. With this update, metacity expands its checking to allow the same X client (defined as having the same client ID) to raise windows above the currently focused window using the old XRaiseWindow call. Older Tcl/Tk and Java applications, in particular, should now behave as expected. (BZ#537023)
* Incorrectly placed error traps meant, when an application window running on a remote computer with its display forwarded to the local system was closed, metacity sometimes crashed with an "Unexpected X error: BadWindow (invalid Window parameter)" error. The error trap has been moved in this update and closing forwarded windows now closes the remote application as expected. (BZ#537024)
Users are advised to upgrade to this updated metacity package which resolves these issues.

1.121.2. RHBA-2010:0245: bug fix and enhancement update

An updated metacity package that fixes numerous bugs and adds several enhancements is now available
Metacity is the default window manager for the GNOME desktop.
This update fixes the following bugs:
* if a modal dialog box was open, its associated window could not be moved to another workspace. The dialog box would stay on the current desktop but the main window would vanish as it moved and then returned but no longer displayed correctly. The meta_workspace_focus_default_window() has been modified so that windows can now be dragged to other workspaces even if a modal dialog box is open. (BZ#237158)
* dragging a maximized window between monitors on a system configured to use a Xinerama dual-screen configuration caused flickering. Metacity has been modified to allow one to move maximized windows meaning they can be dragged between monitors without flickering. (BZ#495939)
* Metacity was preventing applications such as Maya from stacking windows correctly. This was caused by the focus-stealing prevention mechanism. A patch has been added to allow stacking to occur, meaning module windows for tools like Maya now work in the expected fashion. (BZ#503522)
* the /apps/metacity/general/strict_focus_mode option can be activated via GConf to prevent focus from being stolen from a terminal window. On x86_64 systems, terminals were sometimes not recognized as this function was incorrectly implemented: it was looking for res_name instead of res_class. Metacity now checks the res_class to determine if a window is a terminal and focus is no longer lost. (BZ#504223)
* if the user switched between workspaces, any open KDE applications would start to flash in GNOME as Metacity mistakenly marked them as needing user intervention. Metacity now checks the window to determine if it has a "startup ID" and sets the initial_timestamp and initial_workspace properties accordingly. As a result KDE applications no longer flash in these circumstances. (BZ#506537)
* Metacity could not handle closing application windows run remotely via X. A BadWindow error would occur. A patch has been added to trap this error. As a result, the error message no longer appears. (BZ#523777)
* when the /apps/metacity/general/raise_on_click GConf key was set to "false" this option incorrectly combined the ability to intercept user clicks with the intended use of intercepting calls coming from applications. Consequently, windows for many non-EWMH (Extended Window Manager Hints) compliant applications could not be raised or lowered. This issue has now been rectified so that, if the key is set to false, older applications not yet using net_window_activate can be raised and lowered. (BZ#526045)
This update also adds the following enhancements:
* in Metacity's "mouse" and "sloppy" focus modes, it is possible to have the pointer hover over a window without it becoming focused. This happens, for example, if another window steals focus away. Previously, it was necessary to move the mouse out of the window and then back into it, or to click on it, to give it focus. (BZ#530261)
* the /apps/metacity/general/place_on_current_monitor feature was added. If this option is set to "true", new windows will always be placed on the current monitor, rather than be placed on any monitor with free space. (BZ#523841)
* if an application displays a window without setting its appropriate properties, it steals focus from the current window and thereby steal the user's keystrokes. (This usually happens with older applications written without modern toolkits.) The new no_focus_windows option allows one to specify which windows should not be given the keyboard's focus. (BZ#530262)
* when a new window is not given keyboard focus, it is placed underneath the current window and entry flashes. When the new /apps/metacity/general/new_windows_always_on_top key is set to "true", windows are always placed on top, iirespective of keyboard focus. (BZ#530263)
Users are advised to upgrade to this updated Metacity package, which resolve these issues and adds these enhancements.

1.122. microcode_ctl

1.122.1. RHEA-2010:0243: enhancement update

An updated microcode_ctl package that provides the latest version of the Intel microcode is now available.
microcode_ctl provides utility code and the microcode data itself -- supplied by Intel -- to assist the kernel in updating the CPU microcode at system boot time. This microcode supports all current Intel x86- and Intel 64-based CPU models and takes advantage of the mechanism built-in to Linux that allows microcode to be updated after system boot. When loaded, the updated microcode corrects the behavior of various Intel processors, as described in processor specification updates issued by Intel for those processors.
This update provides the following enhancement:
* this package contains the 2009-09-27 update to Intel's microcode. As of 2010-01-22, this is the most recent version of the microcode available from Intel. (BZ#526802)
All users running systems based on Intel processors are encouraged to install this update, which adds the most up-to-date microcode data from Intel to /etc/firmware as required. Note: a system reboot is necessary for the this update to take effect.

1.123. mkinitrd

1.123.1. RHBA-2010:0295: bug fix and enhancement update

The mkinitrd utility creates file system images for use as initial ramdisk (initrd) images.
These updated packages address the following bugs:
  • booting a Storage Area Network (SAN) from a replicated Logical Unit Number (LUN) following a loss of the primary site would fail when doing array-based synchronous data replication to a remote site. This was due to the fact that the initrd on the replicated LUN is configured to see the World Wide Identifier (WWID) of the primary LUN only. A patch has been applied that allows for the creation of all multipath devices so that the replicated LUN is visible for booting. It should be noted that some manual configuration is required following the installation of the updated package:
    1. ensure that multipath.conf has the correct stanzas for both multipath devices.
    2. run mkinitrd again.
    A replicated LUN will now successfully boot provided:
    1. the multipath.conf in the initrd does not blacklist the new LUN and;
    2. /var/lib/multipath/bindings in the initrd is either empty or contains an entry binding mpath0 (or the device originally installed to) to the replicated LUN's WWID.
  • scsi_model devflag options appended to /etc/modprobe.conf can be of the form: options scsi_mod dev_flags="HITACHI:OPEN-9     -SUN:0x240 to specify more than one SCSI model. These strings are written as arguments to the insmod command within the initrd script. The leading spaces of the second model name in the above example were incorrectly read as a single space by the nash command resulting in the /proc/scsi/device_info file containing invalid strings. A user specifying a SCSI model in this way would have to manually edit the /proc/scsi/device_info file as a result. A patch has been applied to nash.c to correctly handle the quoted string following the dev_flag argument. The string is now written to the /proc/scsi/device_info file in the correct format. (BZ#467850)
  • mkinitrd uses a global variable rootdev to store the name of the root device. This is either auto-detected or passed in via the command line --rootdev= parameter. Changes applied to mkinitrd to support boot from multipath introduced the local rootdev variable. This variable overrides the global variable resulting in an incorrect root device, such as a component SCSI device, being written to the /init script preventing the system from booting. The local variable has been renamed to avoid the conflict. Running mkinitrd on a multipath boot system now results in a successful boot of the system. (BZ#503567)
  • mkinitrd runs nash on each logical volume. The block_find_fs_by_key() method calls the nashDmGetDevName() method for each logical volume. The nash command does not run to completion in a reasonable time-frame as the nashDmGetDevName() recurses through all devices each time it is called. This update allows nashDmGetDevName() to cache its results, so nash no longer uses 100% of the CPU when installing RPMs. (BZ#516047)
  • mkinitrd copied the lvm.conf file verbatim to the initrd without parsing it properly. If the logical volume manager (LVM) was configured to use host tags, Red Hat Enterprise Linux would not boot because a host name could not be set at initrd time. lvm --dumpconfig is now used to retrieve the LVM configuration file. (BZ#517868)
  • mkinitrd attempted to explicitly activate the subsets of a nested RAID 10 set. Error messages would then be printed to the log during boot. These messages could safely be ignored. They have now been removed to avoid confusion. (BZ#526246)
  • mkinitrd copied the symbolic link of a bootpath driver instead of the actual bootpath driver. This caused kernel panic due to an unavailable driver on first boot of the operating system. mkinitrd now checks the full path of symbolically linked drivers. (BZ#540641)
  • when the root file system was on the logical volume manager (LVM), as is the default installation option, nash received a segmentation fault reference if some modules did not load during post-installation reboot. This caused unwarranted kernel panic. Kernel panic no longer occurs as a result of the non-loading of modules. (BZ#560567)
  • several virtio modules were missing from the previous version of mkinitrd. This meant that mkinitrd built incorrectly upon installation if virtio block or network devices were used within the Kernel Based Virtual Machine (KVM). The final result was kernel panic. These updated packages contain the required modules which allow mkinitrd to build and install correctly. (BZ#560672)
As well, these updated packages add the following enhancements:
  • the scsi_dh_rdac module is needed to support many LSI Engenio based (IBM and non-IBM) storage devices. With the inclusion of a module such as the scsi_dh_rdac module in initrd, the time to boot a system with multiple rdac devices is minimized. A patch has been applied to mkinitrd to load every scsi_dh_* module in the event that multipath devices are detected. The patch currently succeeds in loading xscsi_dh_rdac modules for installations on DS4K storage and further work is being undertaken to ensure the successful loading of modules independent of the host device. (BZ#460899)
  • mkinitrd is responsible for ensuring that all drivers, applications, and configuration information needed to mount the root filesystem are packaged into each kernel's initrd. Unlike the Logical Volume Manager (LVM) component of mkinitrd, multipath operates on only the logical volume associated with the root filesystem and not the volume group containing the root filesystem. As a consequence, when installing a system with multipath devices, only disks currently in use by the root's logical volume have multipath configured within the initrd. A patch has been applied that wraps the find_mpath_deps in a loop that iterates through every primary volume in the root volume group. Non-LVMs are handled in a separate case by runnning find_mpath_deps against the root device. Installing a system with multipath devices will now result in the primary volumes in the root virtual group being on multipath devices. (BZ#501535)
Users of mkinitrd are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.124. module-init-tools

1.124.1. RHBA-2010:0242: bug fix update

Update module-init-tools packages that fix several bugs are now available.
The module-init-tools package includes various programs needed for automatic loading and unloading of modules under 2.6 and later kernels, as well as other module management programs. Device drivers and filesystems are two examples of loaded and unloaded modules.
The updated packages fix the following bugs:
* on Xen systems with more than one detected serial device, a race condition could occur between simultaneously executed modprobe module loading utilty commands if the Xen Hypervisor was blocking access or was misconfigured. The updated packages implement a read-only filesystem locking mechanism that prevents modprobe race conditions from occurring. (BZ#430942)
* on systems where a driver update was removed and no compatible driver update exists after the removal, the weak-module post-installation scripts created symbolic links to the location of the deleted driver. This caused problems with driver updates, and using the weak-module utility. The updated packages ensure post-installation scripts create valid symbolic links to installed drivers. (BZ#477089)
* on systems running Xen hypervisor compatible kernels, where the kernel is used as a guest kernel (Dom0) and not as a host kernel (DomU), the scripts that perform module post-install checks could re-generate an incorrect bootloader entry for the system. In some cases, this prevented the sytem from booting. The updated packages implement revised post-install checks, which prevent this scenario from occurring. (BZ#509568)
All module-init-tools users are advised to upgrade to these updated packages, which resolve these issues.

1.125. mtx

1.125.1. RHBA-2009:1607: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1607
An updated mtx package that fixes one bug is now available.
The mtx package contains utilities that control single or multi-drive SCSI media changers such as tape changers, autoloaders, tape libraries, or optical media jukeboxes. It can also be used with media changers that use the ’ATTACHED’ API, presuming that they properly report the MChanger bit as required by the SCSI T-10 SMC specification.
This updated package provides a fix for the following bug:
* if the scsitape utility was run with an unknown command-line option (eg "-h", a switch option not used by scsitape), the application crashed with a Segmentation fault error. This update adds a termination entry to the end of the pertinent scsitape array. When an unknown command-line option is used, scsitape now exits cleanly and returns usage documentation to std out. (BZ#513984)
All mtx users should upgrade to this updated package, which resolves this issue.

1.126. mysql

1.126.1. RHBA-2009:1693: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1693
Updated mysql packages that fix a bug are now available.
MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries.
These updated mysql packages fix a bug which occurred after updating the mysql packages from version 5.0.45, which was released as a part of Red Hat Enterprise Linux 5.2, to version 5.0.77, which was released as part of the Red Hat Enterprise Linux 5.4 update. A MySQL slave server could crash during replication if a DATE or DATETIME type was compared to the result of the NAME_CONST() function, which commonly happens when stored procedures are used alongside replication. Also, following such a crash, the slave server would be restarted, perform crash recovery, and then crash again once it reached the same point where it performs the comparison, and repeat this cycle continuously. This has been fixed in these updated packages so that the slave server does not crash during replication if a DATE or DATETIME type is compared with the result of the NAME_CONST() function. (BZ#538731)
All mysql users, and especially those using replication, are advised to upgrade to these updated packages, which resolve this issue.

1.126.2. RHSA-2010:0109: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0109
Updated mysql packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.
It was discovered that the MySQL client ignored certain SSL certificate verification errors when connecting to servers. A man-in-the-middle attacker could use this flaw to trick MySQL clients into connecting to a spoofed MySQL server. (CVE-2009-4028)
Note: This fix may uncover previously hidden SSL configuration issues, such as incorrect CA certificates being used by clients or expired server certificates. This update should be carefully tested in deployments where SSL connections are used.
A flaw was found in the way MySQL handled SELECT statements with subqueries in the WHERE clause, that assigned results to a user variable. A remote, authenticated attacker could use this flaw to crash the MySQL server daemon (mysqld). This issue only caused a temporary denial of service, as the MySQL daemon was automatically restarted after the crash. (CVE-2009-4019)
When the "datadir" option was configured with a relative path, MySQL did not properly check paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. (CVE-2009-4030)
Note: Due to the security risks and previous security issues related to the use of the DATA DIRECTORY and INDEX DIRECTORY directives, users not depending on this feature should consider disabling it by adding "symbolic-links=0" to the "[mysqld]" section of the "my.cnf" configuration file. In this update, an example of such a configuration was added to the default "my.cnf" file.
All MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

1.127. nautilus-open-terminal

1.127.1. RHBA-2009:1483: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1483
An updated nautilus-open-terminal package that fixes a bug is now available.
The nautilus-open-terminal extension provides a right-click "Open Terminal" option for Nautilus users who prefer that option.
This updated nautilus-open-terminal package fixes the following bug:
* right-clicking on the GNOME desktop and selecting "Open Terminal" from the context menu always caused a new terminal window to open on the primary screen, even if "Open Terminal" was chosen on the second screen of a dual-monitor setup. With this update, newly-opened terminal windows correctly appear on the screen on which the "Open Terminal" unction is selected. (BZ#509878)
All users of nautilus-open-terminal are advised to upgrade to this updated package, which resolves this issue.

1.128. neon

1.128.1. RHSA-2009:1452: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1452
Updated neon packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
neon is an HTTP and WebDAV client library, with a C interface. It provides a high-level interface to HTTP and WebDAV methods along with a low-level interface for HTTP request handling. neon supports persistent connections, proxy servers, basic, digest and Kerberos authentication, and has complete SSL support.
It was discovered that neon is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse an application using the neon library into accepting it by mistake. (CVE-2009-2474)
A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. A remote attacker (malicious DAV server) could provide a specially-crafted XML document that would cause excessive memory and CPU consumption if an application using the neon XML parser was tricked into processing it. (CVE-2009-2473)
All neon users should upgrade to these updated packages, which contain backported patches to correct these issues. Applications using the neon HTTP and WebDAV client library, such as cadaver, must be restarted for this update to take effect.

1.129. net-snmp

1.129.1. RHBA-2009:1437: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1437
Updated net-snmp packages that resolve several issues are now available.
The Simple Network Management Protocol (SNMP) is a protocol used for network management. The net-snmp packages include various SNMP tools:an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl MIB browser.
These updated net-snmp packages provide fixes for the following bugs:
* snmpd, the SNMP daemon, did not expect the packet counters in the /proc/net/snmp and /proc/net/snmp6 directories to be 64-bit on 64-bit systems. When these counters exceeded 32 bits in size, which would occur when the Linux kernel sent or received greater than 4,294,967,296 (2^32) packets, then the snmpd daemon would terminate abnormally. With this update, the snmpd daemon no longer crashes when it encounters a packet counter in the directories listed above that is greater than 32 bits in size, thus resolving the issue. (BZ#516183)
* snmpd, the SNMP daemon, contained several memory leaks in the ipNetToMediaTable module. These leaks caused snmpd to leak memory relatively slowly, but at a rate which could cause problems on machines with multi-month uptimes. These memory leaks have been plugged in these updated packages so that snmpd no longer leaks memory slowly. (BZ#517041)
All users of net-snmp are advised to upgrade to these updated packages, which resolve these issues.

1.129.2. RHBA-2010:0253: bug fix and enhancement update

Updated net-snmp packages that fix various bugs and add enhancements are now available.
The Simple Network Management Protocol (SNMP) is a protocol used for network management. The net-snmp packages include various SNMP tools: an extensible agent; an SNMP library; tools for requesting or setting information from SNMP agents; tools for generating and handling SNMP traps; a version of the netstat command which uses SNMP; and a Tk/Perl MIB browser.
These updated net-snmp packages provide fixes for the following bugs:
* when two default routes with the same content existed in the machine's routing table, the snmpd daemon could have entered an endless loop and logged the following error to syslog: "error on subcontainer 'dr_index' insert(-1)". Processing of the routing table has been improved in this update so that snmpd no longer enters an endless route when this occurs. (BZ#504742)
* on 64-bit systems experiencing very high network traffic, the snmpd daemon periodically logged the following message to syslog: "truncating integer value > 32 bits". With this update, snmpd correctly adjusts reported counters and no error is logged. (BZ#507528)
* the snmpd daemon did not expect the packet counters in the /proc/net/snmp and /proc/net/snmp6 directories to be 64-bit on 64-bit systems. When these counters exceeded 32 bits in size, which occurred when the Linux kernel sent or received greater than 4,294,967,296 (2^32) packets, then the snmpd daemon would terminate abnormally. With this update, the snmpd daemon no longer crashes when it encounters a packet counter in the directories listed above that is greater than 32 bits in size, thus resolving the issue. (BZ#514703)
* the snmpd daemon contained several memory leaks in the ipNetToMediaTable, mteEventSetTable and ipAddressPrefixTable objects. These slow memory leaks could have caused problems on machines with multi-month uptimes. These memory leaks have been plugged in these updated packages. (BZ#518633,
* this update ensures that the snmpd daemon is able to process and respond to broadcast UDP requests. (BZ#521175)
* header files contained within the net-snmp-devel package differed according to the architecture of the system, i386 or Itanium, they were installed on. Because net-snmp is a multilib package, this update moves architecture-dependent header files into separate files, thus allowing development packages for different architectures to be installed on the same system. (BZ#521820)
* the libnetsnmp shared object library maintains cached data in the /usr/share/snmp/mibs/.index file. Because this file did not have the proper SELinux context, SELinux denied applications write access to this file. This update ensures that this .index file is properly labeled with the correct SELinux context so that applications are permitted to access it. (BZ#523249)
* the snmpd daemon was unable to process requests to create a new User-Based Security Model (USM) veiw with Object ID components larger than 255. With ths update, snmpd is able to create new USM views with all valid OIDs. (BZ#527364)
* SNMP applications such as snmpget and snmpwalk reported "truncating unsigned value to 32 bits" errors on 64-bit achitectures when they received invalid SNMP responses from legacy systems. With this update, SNMP programs suppress these error messages when the received SNMP response can still be parsed. (BZ#528164)
* the snmpd daemon assumed that network interface hardware addresses were always 6 bytes in length. Hardware such as InfiniBand network cards can have addresses of a different size, in which case snmpd reported "ioctl 35123 returned -1" to syslog. With this update, snmpd does not make the 6-byte assumption, and this error is no longer logged. (BZ#543499)
* the snmpd daemon reported IP addresses in the ipCidrRouteTable object as 8 bytes on 64-bit hardware. This update ensures that snmpd reports IPv4 addresses as 4 bytes. (BZ#547698)
All SNMP users are advised to upgrade to these updated net-snmp packages, which resolve these issues and add these enhancements.

1.130. net-tools

1.130.1. RHBA-2009:1677: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1677
An updated net-tools package that fixes several bugs and corrects errors in the arp and ifconfig man pages is now available.
The net-tools package contains basic networking tools, including ifconfig, netstat, route, and others.
This updated net-tools package includes fixes for the following bugs:
* the OPTIONS section of the arp man page includes documentation for the "-s" switch (used to manually create ARP address mapping entries). Entries supplied with this switch are permanently stored in the ARP cache if the temp flag is not specified and the original English man page notes this. The German man page, however, noted "so werden die erzeugten Eintrage nicht dauerhaft... eingetragen", which is incorrect. This update corrects this, with the German man page now correctly noting "Der Eintrag wird permanent im ARP-Cache gespeichert" if the temp flag is not specified. (BZ#322901)
* the ifconfig "tunnel" option creates a new Simple Internet Transition (SIT) or IPv6-in-IPv4 device and this option expects an IPv6-style address as a parameter. If an IPv4 address is used, the command fails. The ifconfig man page, however, listed the option and parameter as "tunnel aa.bb.cc.dd" which did not make it clear the IPv4 address must be provided in IPv6 notation. This update clarifies the man page notation. It now reads "tunnel ::aa.bb.cc.dd", making it clear IPv6-style address notation is required. (BZ#453918)
* running netstat with the "-o" switch adds information about working TCP timers to the command ouput. TCP timers for a connection can include "on", "off", "keepalive" and "timewait". When network load is very high (ie when the TCP Window Size is zero) the probe timer should be listed. Previously, however, "unkn-4" was presented instead. With this update, if the probe timer is working in the kernel, it will now, correctly, be listed in the output of "netstat -o". (BZ#466845)
* when setting the MULTICAST mode on and off, ifconfig was showing an unnecessary "Warning: Interface [interface name] still in ALLMULTI mode." message. With this update, the message no longer presents. (BZ#477876)
* a fixed length, 1024 byte buffer in the statistics.c:process_fd() function caused "netstat -s" to fail with a "error parsing /proc/net/netstat: Success" error. The buffer has been increased to 2048 bytes and the command now displays summary statistics for each protocol as expected. (BZ#493314)
All net-tools users should install this updated package, which makes these corrections and addresses these issues.

1.131. NetworkManager

1.131.1. RHSA-2010:0108: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0108
Updated NetworkManager packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times.
A missing network certificate verification flaw was found in NetworkManager. If a user created a WPA Enterprise or 802.1x wireless network connection that was verified using a Certificate Authority (CA) certificate, and then later removed that CA certificate file, NetworkManager failed to verify the identity of the network on the following connection attempts. In these situations, a malicious wireless network spoofing the original network could trick a user into disclosing authentication credentials or communicating over an untrusted network. (CVE-2009-4144)
An information disclosure flaw was found in NetworkManager's nm-connection-editor D-Bus interface. If a user edited network connection options using nm-connection-editor, a summary of those changes was broadcasted over the D-Bus message bus, possibly disclosing sensitive information (such as wireless network authentication credentials) to other local users. (CVE-2009-4145)
Users of NetworkManager should upgrade to these updated packages, which contain backported patches to correct these issues.

1.131.2. RHBA-2010:0263: bug fix update

Updated NetworkManager packages that resolve several issues are now available.
NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times.
These updated NetworkManager packages provide fixes for the following bugs:
* creating a new wired connection which uses 802.1x security and then attempting to use that connection during the same desktop session resulted in NetworkManager being unable to establish that connection. As a workaround, logging out of the current desktop session and logging back in allowed the secure connection to be used. With this update, wired connections using 802.1x security can be used as soon as they are created. (BZ#477061)
* due to a coding error, NetworkManager rejected WPA passkeys of exactly 63 ASCII characters in length, even though such a passkey is valid according to the standard. This was caused by a coding error which has been fixed in this update, thus correctly permitting 63-character passkeys. (BZ#532723)
* NetworkManager failed to initialize certain Option NV mobile broadband (3G) devices. Much-improved support has been added for newer mobile broadband devices manufactured by Option NV, such as AT&T Quicksilver modems. (BZ#536897)
All users of NetworkManager are advised to upgrade to these updated packages, which resolve these issues.

1.132. newt

1.132.1. RHSA-2009:1463: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1463
Updated newt packages that fix one security issue are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Newt is a programming library for color text mode, widget-based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, and so on, to text mode user interfaces.
A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially-crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. (CVE-2009-2905)
Users of newt should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, all applications using the newt library must be restarted for the update to take effect.

1.132.2. RHBA-2009:1482: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1482
Updated newt packages that resolve several issues are now available.
Newt is a programming library for color text-mode, widget-based user interfaces. Newt can be used to add stacked windows, entry widgets, check boxes, radio buttons, labels, plain text fields, and so on, to text mode user interfaces.
These updated newt packages provide fixes for the following bugs:
* the whiptail(1) man page was missing from the newt package, and is now included. (BZ#456307)
* newt did not recognize the escape sequence "\E[Z" as the Shift+Tab key combination on VT320 terminals, and incorrectly interpreted it as "Escape". With these updated packages, newt correctly interprets "\E[Z" as Shift+Tab. (BZ#468046)
All users of newt are advised to upgrade to these updated packages, which resolve these issues.

1.133. nfs-utils

1.133.1. RHBA-2010:0284: bug fix update

An updated nfs-utils package that fixes two bugs is now available.
The nfs-utils package provides a daemon for the kernel NFS (Network File System) server and related tools, which provides better performance than the traditional Linux NFS server. This package also contains the mount.nfs, umount.nfs and showmount programs. Showmount queries the mount daemon on a remote host for information about the NFS server on the remote host. For example, showmount can display the clients which are mounted on that host.
This update addresses the following bugs:
* nfsnobody == 4294967294 causes idmapd to stop responding. (BZ#523285)
* inconsistent default anonuid/anongid values. (BZ#497551)
All nfs-utils users should install this updated package, which addresses these issues.

1.134. nspluginwrapper

1.134.1. RHBA-2010:0187: bug fix update

An updated nspluginwrapper package that fixes various bugs is now available.
nspluginwrapper is a utility which allows 32-bit plug-ins to run in a 64-bit browser environment (a common example is Adobe's browser plug-in for presenting proprietary Flash files embedded in web pages). It includes the plug-in viewer and a tool for managing plug-in installations and updates.
The nspluginwrapper package has been upgraded to version 1.3.0-8.el5.
This update contains fixes for the following bugs:
* The nspluginwrapper package contained a bug that restricted expected functionality with PDF files viewed in the Firefox web browser. Limitations included the inability to search a PDF document because the Find bar was unable to get focus to enable a user to input a search term and unable to use the keyboard shortcuts F8, Ctrl+Shift+F8 and Ctrl+E. A user is now able to search a PDF document loaded in Firefox and all predefined keyboard shortcuts work correctly. (BZ#435838, BZ#455218)
* When the previous version of the nspluginwrapper package was used with Adobe Flash 10 and Firefox was run from the terminal window, critical error messages would present in the terminal even though the software worked as expected. The error messages do not appear in the terminal window with this latest upgrade. (BZ#466547)
* If the umask of the user that invoked /usr/bin/mozilla-plugin-config was 0077, the files in /usr/lib/mozilla/plugins-wrapped/ would be given permissions based on the users umask. This could have lead to the files becoming unreadable. With this package update, nspluginwrapper does not use the umask or group inherited from the invoking user. (BZ#521948, BZ#523814)
Users of nspluginwrapper should upgrade to this updated package, which resolves these issues.

1.135. nss_ldap

1.135.1. RHBA-2009:1527: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1527
An updated nss_ldap package is now available for Red Hat Enterprise Linux 5.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a plugin for the standard C library which allows applications to look up information about users and groups using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.
This update fixes the following bug in the nss_ldap module:
* a NULL value was incorrectly assigned to an ldap_parse_result argument if the bind operation timed out. Consequently, if the nss_ldap module was configured to encrypt traffic to the directory server using the "ssl start_tls" option and TLS negotiation took longer than the "bind_timelimit" value set in /etc/ldap.conf, the client module would crash with an Assertion error. With this update, the ldap_parse_result argument is not set to NULL if the bind operation times out and the Assertion error no longer occurs. (BZ#529376)
Note: The default bind_timelimit is 30 seconds and this bug did not normally trigger unless the value was set to less than this default. Further, it was possible to workaround this issue by increasing the bind_timelimit (for example, to 60 seconds). This only masked the underlying issue, however.
All nss_ldap users are advised to upgrade to this updated package, which resolves this issue.

1.135.2. RHBA-2010:0260: bug fix update

An updated nss_ldap package that fixes various bugs is now available.
The nss_ldap package includes two LDAP access clients: nss_ldap and pam_ldap. nss_ldap is a plug-in for the standard C library which allows applications to look up information about users and groups using a directory server. The pam_ldap module is a Pluggable Authentication Module (PAM) which provides for authentication, authorization and password changing against LDAP servers.
This package addresses the following bugs:
* The nss_ldap package did not support case sensitive text. This could cause group membership not to be matched to the users. To correct this name resolution for users, group, and shadow information can now be forced to be performed in a case sensitive manner by setting "nss_check_case yes" in /etc/ldap.conf. The default setting remains as "nss_check_case no". This fix results in group membership being matched to the correct users. (BZ#518911)
* When running commands, sometimes the nss_ldap library would produce assertion errors, leading to application failure. To fix this bug the nss_ldap package has been modified to allow for bind_timeout in /etc/ldap.conf to be set to a low value (for example, 2). If the bind performed does time out it now performs a debug request instead of producing assertion errors. (BZ#499302)
* By setting the value 'bind_policy soft' in the /etc/ldap.conf file and configuring hostname resolution to only use 'ldap', it becomes impossible to resolve any information about the server without first contacting it. This meant that when using the command getent -s 'ldap' passwd, a segmentation fault would occur. This updated nss_ldap package ensures that no segmentation fault occurs, however the correct way to access the server information in the outlined case would be to use the command getent -s 'passwd:ldap' passwd. (BZ#448883)
* When LDAP was listed before DNS in the nsswitch.conf file and the hostname was not in the /etc/hosts file, the nss_ldap package caused segmentation faults. Segmentation faults occurred with nscd, getent and any process that used the library when communicating with the secondary OpenLDAP servers. This package update ensures that nss_ldap does not produce any segmentation faults when interacting with OpenLDAP servers. (BZ#472920)
* The nss_ldap package would write to a socket that was not connected to an LDAP server. This resulted in an EPIPE error being returned and all shell commands ceasing to work when logged in as an LDAP user. To fix this bug the sigpipe is now unblocked when closing the connection in the child element. This allows for shell commands to continue to function. (BZ#454315)
All nss_ldap users are advised to upgrade to this updated package, which resolves these issue.

1.136. numactl

1.136.1. RHBA-2010:0319: bug fix update

An updated numactl package that fixes a bug is now available
numactl adds simple Non-Uniform Memory Access (NUMA) policy support. It consists of a numactl program to run other programs with a specific NUMA policy and a libnuma to do allocations with NUMA policy in applications.
This updated package addresses the following issue:
* libvirt tools reported unnecessary warning messages to stderror during execution. This caused problems with scripts calling these tools. Those warning messages have been repressed, and the scripts are no longer affected. (BZ#555805)
Users are advised to upgrade to this updated numactl package which resolves this issue.

1.136.2. RHBA-2009:1626: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1626
Updated numactl packages that resolve several issues are now available.
numactl is Simple NUMA policy support. It consists of a numactl program to run other programs with a specific NUMA policy, and the libnuma library, which performs allocations with NUMA policy in applications.
These updated numactl packages provide fixes for the following bugs:
* systems with NUMA nodes which were not ordered contiguously caused numactl to return incorrect and therefore invalid NUMA data. With this update, numactl shows correct and valid data for systems with NUMA nodes which are discontiguous in addition to those which are contiguous. (BZ#491689)
* the "numactl" command possesses an '-H' short option that corresponds to the long option, '--hardware', which is used to show the inventory of available nodes on the system. However, numactl did not recognize the short '-H' option. With this update, numactl now recognizes the '-H' option, which once again has the same affect as '--hardware'. (BZ#502241)
All users of numactl are advised to upgrade to these updated packages, which resolve these issues.

1.137. openCryptoki

1.137.1. RHBA-2009:1685: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1685
Updated openCryptoki packages that resolve several issues are now available.
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).
These updated openCryptoki packages provide fixes for the following bugs:
* after initializing a hardware cryptographic token, attempting to unwrap an AES key failed and caused openCryptoki to return a "CKR_TEMPLATE_INCOMPLETE" error code. With this update, AES key unwrapping now succeeds as expected. (BZ#540471)
* the openCryptoki API enables programs to offload the computation of the message authentication code (MAC) to the Central Processor Assist for Cryptographic Function (CPACF) of cryptographic hardware. When using PKCS#11 for the acceleration of cryptographic instructions, openCryptoki returned an error code of "411", indicating that the MAC was unable to be verified. With this update, the MAC is now computed successfully after being offloaded to the CPACF. (BZ#540474)
* openCryptoki was not properly recognizing that secure-key crypto support was installed, and so the "CCA" token was not being enabled for use. (BZ#545379)
All users of openCryptoki are advised to upgrade to these updated packages, which resolve these issues.

1.138. openais

1.138.1. RHBA-2009:1474: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1474
An updated openais package that fixes a bug is now available for Red Hat Enterprise Linux 5.4.
The Application Interface Specification (AIS) is an API and set of policies for developing applications that maintain service during faults. The OpenAIS Standards Based Cluster Framework is an OSI-certified implementation of the Service Availability Forum AIS. The openais package contains the openais executive, openais service handlers, default configuration files and init script.
This update addresses the following issue:
* an invalid assertion caused MTUs of 9000 bytes to generate a SIGABRT signal and dump core when inside totem running heavy loads. With this update, the assertion has been corrected (and the MTU increased to 10000 bytes). (BZ#521098)
All openais users should install this update which fixes this bug.

1.138.2. RHBA-2010:0180: bug fix update

Updated openais packages that fix several defects are now available for Red Hat Enterprise Linux 5.5.
The Open Application Interface Specification (OpenAIS) is an API and a set of policies for developing applications that maintain service during faults. The OpenAIS Standards-Based Cluster Framework is an OSI-certified implementation of the Service Availability Forum AIS. The openais packages contain the openais executive, openais service handlers, default configuration files, and init script.
This update addresses the following issues:
* Resolve a segfault if the ais group doesn't exist. Note the ais group is installed by the package but may be removed by the user later. This resolution prints an error in that condition. (BZ#509180)
* Properly shut down service engines when the INTR signal or QUIT signal is sent to the aisexec process. (BZ#526069)
* Resolve a race condition in the cpg service which could result in failures during recovery of cpg services. (BZ#474400)
* A random error code was returned by saCkptCheckpointOpen if the internal IPC operation failed. Now the proper SA_AIS_ERR_LIBRARY error code is returned in this condition. (BZ#520164)
* An invalid assertion caused MTUs of 9000 bytes to generate a SIGABRT signal and dump core when inside totem running heavy loads. With this update, the assertion has been corrected (and the MTU increased to 10000 bytes). (BZ#520012)
* Resolve a problem where checkpoint iteration and discovery can happen during synchronization of new data structures. This results in the GFS POSIX locking feature appearing to leave leftover locks on nodes that no longer exist. (BZ#515159)
* Resolve a stack overflow that results in a stack protector assertion. (BZ#525280)
* Resolve a defect when calling saClmTrackStart more then one time can trigger a segfault in library clients to the clm service. (BZ#529054)
* Resolve a defect where cpg can use a variable after it has been freed. (BZ#540267)
* Resolve a defect where the bindnetaddr does not follow the specifications outlined by the man pages for operation because it uses the interface's broadcast address instead of its local address for binding. (BZ#540490)
* Resolve a defect where originating 206 messages in the recovery phase triggers totem to block until a processor is stopped or started. (BZ#544680)
* Resolve a defect where a buffer overflow can occur in a string buffer used when the "debug: on" option is used in the configuration. (BZ#544682)
* Resolve a defect where an internal totem operating flag is not set properly. (BZ#545151)
* Resolve a defect where an invalid assertion in single-node operation can trigger an assertion. (BZ#547828)
* Resolve a defect where the IPC limit was 477k instead of 1MB as it should be. (BZ#515590)
* Resolve a defect where IPC would indicate the outbound ipc queue was empty when the IPC queue is fully consumed by data. (BZ#560313)
* Resolve a defect where errant code calls pthread_cond_wait in an atexit() handler, resulting in lockup of the aisexec daemon 1% of the time on shutdown. (BZ#566467)
All openais users should install this update, which fixes these bugs.

1.139. OpenIPMI

1.139.1. RHBA-2009:1487: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1487
Updated OpenIPMI packages that resolve an issue are now available
OpenIPMI (Intelligent Platform Management Interface) provides command line tools and utilities to access platform information, allowing system administrators to monitor system health and manage systems.
This update addresses the following problem:
* some IPMI-enabled hardware uses UDP ports 623 (ASF Remote Management and Control Protocol) and 664 (ASF Secure Remote Management and Control Protocol), which can conflict with other traffic on these ports. The previous OpenIPMI release added a configuration file -- /etc/xinetd.d/rmcp -- for a dummy rmcp service and introduced an xinetd service dependency to bind UDP ports 623 and 664 and prevent other services from using them.
Because the xinetd service is started by default, the update resulted in a new xinetd daemon running on systems after OpenIPMI was updated. This daemon is not necessary for OpenIPMI operation.
This update removes the dependency on xinetd but leaves the dummy rmcp service configuration file in place. (BZ#527474)
All OpenIPMI users are advised to upgrade to these updated packages which remove this dependency. If the previous OpenIPMI update started an unnecessary xinetd service, stopping and removing this service is also recommended.

1.139.2. RHBA-2009:1629: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1629
Updated OpenIPMI packages that resolve several issues are now available.
OpenIPMI (Intelligent Platform Management Interface) provides command line tools and utilities to access platform information, allowing system administrators to monitor system health and manage systems.
This update addresses the following problem:
* the ipmitool man page did not contain descriptions of the "hpm" and "fwum" commands. In addition, the man page did not document the "noguard" parameter of the "sol set" command. These commands and parameters are properly described in the updated ipmitool man page. (BZ#514215, BZ#513609)
* the ipmievd init script did not properly implement the "condrestart" action. This could result in the ipmievd daemon not being restarted after a package update. The condrestart action in the ipmievd init script is fixed in this update. (BZ#532445)
* on some IPMI-enabled hardware, especially hardware with an on-board IPMI watchdog supported by the i6300esb driver or an Intel TCO Watchdog Timer device supported by the iTCO_wdt driver, the /dev/watchdog device is created directly by the kernel during boot. If the ipmi service with enabled watchdog was then started, the init script did not recognize the existing watchdog device and tried to instantiate new one. This resulted in an error which was not reported to the user. The updated ipmi init script now returns a "/dev/watchdog already exists [FAILED]" message in this circumstance. (BZ#514678)
* some IPMI-enabled hardware uses UDP ports 623 (ASF Remote Management and Control Protocol) and 664 (ASF Secure Remote Management and Control Protocol), which can conflict with other traffic on these ports. The previous OpenIPMI release added a configuration file -- /etc/xinetd.d/rmcp -- for a dummy rmcp service and introduced an xinetd service dependency to bind UDP ports 623 and 664 and prevent other services from using them.
Because the xinetd service is started by default, the update resulted in a new xinetd daemon running on systems after OpenIPMI was updated. This daemon is not necessary for OpenIPMI operation.
This update removes the dependency on xinetd but leaves the dummy rmcp service configuration file in place. (BZ#522524)
All OpenIPMI users are advised to upgrade to these updated packages. If the previous OpenIPMI update started an unnecessary xinetd service, stopping and removing this service is also recommended.

1.140. openib

1.140.1. RHBA-2010:0292: bug fix and enhancement update

Updated openib packages that fix various bugs and add various enhancements are now available.
Red Hat Enterprise Linux includes a collection of Infiniband and iWARP utilities, libraries and development packages for writing applications that use Remote Direct Memory Access (RDMA) technology.
The following general upgrade has been performed:
* this update brings a number of packages in line with their latest upstream versions. (BZ#518218)
Also, these updated packages fix the following bugs:
* even simple test code could not be compiled using mvapich if mvapich was installed but certain other libraries were not. To correct this, the mvapich rpm now Requires all libraries necessary to build an mpi program. (BZ#479940, BZ#568449)
* when running openmpi jobs, many warnings would present related to udapl. The issue is corrected by removing udapl support from openmpi. (BZ#479941, BZ#526138, BZ#543453)
* openmpi did not support the latest Chelsio devices. This release corrects that. (BZ#515567)
* a bug in IPoIB bonding could cause the kernel to panic during the reboot of a system. The openibd init script has been modified to correct this bug. (BZ#540992)
* in the update to openmpi-1.3.2, upstream changed the default value of SGE support from enabled to disabled, which caused Red Hat's version of the openmpi package to regress. These updated packages restore SGE support in Red Hat's openmpi packages. (BZ#541660)
* the srp_daemon.conf configuration file was not in the "/etc" directory where srp_daemon requires it to be. During installation the srp_daemon.conf file was being placed in the incorrect directory of "/etc/ofed". This issue is fixed by ensuring the srp_daemon.conf file is placed in the "/etc" directory during installation. (BZ#552915)
* a regression was introduced in openmpi-1.3.3-6 that caused allreduce to hang. This regression is now corrected with these updated packages and allreduce functions as expected. (BZ#555159)
* a pseudo requirement has been added to the libibverbs package so that it will automatically pull in the various libibverbs driver packages when using yum to install libibverbs. (BZ#559789)
* Libmlx4 was missing device IDs that were present in the Red Hat Enterprise Linux kernel. The missing device IDs have now been added to libmlx4. These IDs are for MT26438 and MT26488. (BZ#569175)
the following enhancements were also added:
* Openmpi now supports iWARP devices. (BZ#515565)
* the OpenFabrics Alliance (OFED) drivers which support Mellanox MT25408 ConnectX series Infiniband devices were added. (BZ#511190)
All openib users should upgrade to these updated packages which resolves these issues and adds these enhancements.

1.141. openldap

1.141.1. RHSA-2010:0198: Moderate security and bug fix update

Updated openldap packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.
A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767)
This update also fixes the following bugs:
* the ldap init script did not provide a way to alter system limits for the slapd daemon. A variable is now available in "/etc/sysconfig/ldap" for this option. (BZ#527313)
* applications that use the OpenLDAP libraries to contact a Microsoft Active Directory server could crash when a large number of network interfaces existed. This update implements locks in the OpenLDAP library code to resolve this issue. (BZ#510522)
* when slapd was configured to allow client certificates, approximately 90% of connections froze because of a large CA certificate file and slapd not checking the success of the SSL handshake. (BZ#509230)
* the OpenLDAP server would freeze for unknown reasons under high load. These packages add support for accepting incoming connections by new threads, resolving the issue. (BZ#507276)
* the compat-openldap libraries did not list dependencies on other libraries, causing programs that did not specifically specify the libraries to fail. Detection of the Application Binary Interface (ABI) in use on 64-bit systems has been added with this update. (BZ#503734)
* the OpenLDAP libraries caused applications to crash due to an unprocessed network timeout. A timeval of -1 is now passed when NULL is passed to LDAP. (BZ#495701)
* slapd could crash on a server under heavy load when using rwm overlay, caused by freeing non-allocated memory during operation cleanup. (BZ#495628)
* the ldap init script made a temporary script in "/tmp/" and attempted to execute it. Problems arose when "/tmp/" was mounted with the noexec option. The temporary script is no longer created. (BZ#483356)
* the ldap init script always started slapd listening on ldap:/// even if instructed to listen only on ldaps:///. By correcting the init script, a user can now select which ports slapd should listen on. (BZ#481003)
* the slapd manual page did not mention the supported options -V and -o. (BZ#468206)
* slapd.conf had a commented-out option to load the syncprov.la module. Once un-commented, slapd crashed at start-up because the module had already been statically linked to OpenLDAP. This update removes "moduleload syncprov.la" from slapd.conf, which resolves this issue. (BZ#466937)
* the migrate_automount.pl script produced output that was unsupported by autofs. This is corrected by updating the output LDIF format for automount records. (BZ#460331)
* the ldap init script uses the TERM signal followed by the KILL signal when shutting down slapd. Minimal delay between the two signals could cause the LDAP database to become corrupted if it had not finished saving its state. A delay between the signals has been added via the "STOP_DELAY" option in "/etc/sysconfig/ldap". (BZ#452064)
* the migrate_passwd.pl migration script had a problem when number fields contained only a zero. Such fields were considered to be empty, leading to the attribute not being set in the LDIF output. The condition in dump_shadow_attributes has been corrected to allow for the attributes to contain only a zero. (BZ#113857)
* the migrate_base.pl migration script did not handle third level domains correctly, creating a second level domain that could not be held by a database with a three level base. This is now allowed by modifying the migrate_base.pl script to generate only one domain. (BZ#104585)
Users of OpenLDAP should upgrade to these updated packages, which resolve these issues.

1.142. openmotif

1.142.1. RHBA-2010:0132: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0132
Updated openmotif packages that resolve several issues are now available.
The openmotif packages include the Motif shared libraries needed to run applications which are dynamically linked against Motif, as well as mwm, the Motif Window Manager.
These updated openmotif packages provide fixes for the following bugs:
* redisplaying a Label or LabelGadget widget could have caused a BadDrawable X error and resulted in an invisible label. This update resolves the issue with unspecified pixmaps so that labels do not become invisible and BadDrawable errors are not incurred. (BZ#569906)
* selecting an item in a MultiList widget resulted in that item becoming invisible due to the same color being used for both foreground and background colors. The same problem occurred with "insensitive" labels, buttons, icons and list entries. With this update, foreground and background colors in widgets have been differentiated so that they do not become invisible during operation. (BZ#569907)
* attempting to use a keyboard accelerator such as Ctrl+S failed to achieve the intended effect when the Caps Lock, Scroll Lock or NumLock keys were activated. This was caused by missing support for the X11R6 modifiers scheme. Support for the modifiers scheme has been implemented in this update so that keyboard accelerators can be used as expected even when modifiers such as Caps Lock, Scroll Lock or NumLock have been activated. (BZ#569908)
All users of openmotif are advised to upgrade to these updated packages, which resolve these issues.

1.143. openoffice.org

1.143.1. RHBA-2010:0274: bug fix and enhancement update

OpenOffice.org is a multi-platform office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editor and drawing program, with a user interface and feature set similar to other office suites. Sophisticated and flexible, OpenOffice.org also works transparently with a variety of file formats, including Microsoft Office.
These updated packages fix the following bugs:
  • a nested table would be removed from the defined nesting structure when rendered in Web Layout view causing OpenOffice.org to crash. A patch has been applied to ensure the correct rendering of nested tables. (BZ#469157) (BZ#469157)
  • using OpenOffice.org Impress in a dual monitor configuration and selecting Slide ShowSlide Show would cause the application to crash as the application was configured to return a default screen. A patch has been applied to detect and return the monitor upon which the slide show will be displayed. (BZ#476949)
  • when saving a html document containing cells which are merged across rows, OpenOffice.org Writer would insert an additional cell in each row of the spanned set. When the document was rendered, the cells would appear to be misaligned due to the creation of the additional cells. A patch has been applied to retain the original table row span configuration. (BZ#491357)
  • enabling the Mozilla plugin in OpenOffice.org and opening a .odt file in Firefox would generate a segmentation fault, causing Firefox to crash on x86_64 architectures. A patch has been applied to define the uint32 and int32 variables as the appropriate type of int or long depending on the architecture. (BZ#496033)
  • when performing an EditFind & Replace operation in OpenOffice.org Impress, the Find All button was visible but inactive. A patch has been applied to remove the Find All button from the interface as this is not a supported OpenOffice.org Impress feature. (BZ#504109)
  • when attempting to merge a .sxi or .odt file into an OpenOffice.org Calc document, the application would crash due to the SfxMedium* pMed pointer in ScDocShell::DialogClosedHdl() being set to NULL. A patch has been applied to the docsh4.cxx file to test the state of this variable prior to affecting the merge. (BZ#504551)
  • when using OpenOffice.org Calc with spell check enabled, if a misspelt word was entered in a cell and the EditRepeat:Insert operation was attempted from within a new cell, the misspelt word will would not be inserted. The viewfunc.cxx file has been updated to ensure that the insert operation is functional even if the original cell contents are misspelt. (BZ#504967)
  • in OpenOffice.org Calc, the DataGroup and OutlineAutoOutline command would not work for any cell that contained a formula specifying a cell range as a list (for example: =SUM(A1;A2;A3)). To fix this bug the cell.hxx file has been modified to simplify a list range (for example: the list A2;A1;A3 would become A1:A3). By condensing the list, the DataGroup and OutlineAutoOutline command now works as expected. (BZ#504971)
  • building RPMs for OpenOffice.org would fail when a Java version above version 1.4 was installed. This occurred because the ANT scripts used to build some of the components were not configured to generate version 1.4 compatible bytecode upon which OpenOffice.org is dependent. This bug has since been fixed by enforcing RPMs to be built with the GNU Compiler for Java (GCJ) or the Eclipse Compiler for Java (EJC). GJC specific options have been omitted as these are not recognized by EJC. This ensures that OpenOffice.org RPMs are generated without error when using the rpmbuild command. (BZ#506036)
  • when printing, OpenOffice.org would sometimes crash. This was due to the code that processes Postscript Printer Description (PPD) keys from CUPS inserting a value of None as the first value for each newly inserted key. Under these circumstances the second insertion returns a NULL pointer and the following statement causes the crash by dereferencing the pointer. To correct this bug the jobset.cxx file has been modified to only insert a value of None as the first value for each newly inserted key if it is not already present. (BZ#515488)
  • when zooming in over 128% on a document in the OpenOffice.org Writer, any inserted note would no longer be viewable. By upgrading the OpenOffice.org suite to 3.1.1-19.5 this issue is no longer presented. (BZ#521006)
  • bulleted lists in an OpenOffice.org Writer version 3 document would not render when opened in OpenOffice.org Writer version 2.3.0. By upgrading the OpenOffice.org suite to 3.1.1-19.5 this issue is no longer presented. (BZ#527933)
  • the OpenOffice.org Calc application would crash when custom colors were created. These updated packages fix an improperly declared variable that caused the bug. Custom colors can now be created successfully. (BZ#530355)
As well, these updated packages add the following enhancement:
  • the OpenOffice.org package prior to version 3.1.1 did not support Microsoft 2007 Office Open XML (OOXML) file formats resulting in the inability to open files of this type. The OpenOffice.org 3.1.1-19.5 suite provides the necessary support to open OOXML file formats including pptx, xlsx and docx. (BZ#444052)
Users of OpenOffice.org are advised to upgrade to these updated packages, which resolve these issues and add this enhancement.

1.144. openssh

1.144.1. RHBA-2009:1668: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1668
Updated openssh packages that fix a bug are now available.
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
These updated openssh packages fix the following bug:
* when sshd, the SSH daemon, used multiple SFTP channels simultaneously, each SFTP cthannel leaked a UNIX socket. This leak could eventually cause sshd to consume large amounts of system resources. This update fixes the leak by ensuring that every SFTP channel closes the UNIX socket, with the result that using SFTP with multiple simultaneous channels does not cause sshd to monopolize system resources. (BZ#537348)
All users of openssh are advised to upgrade to these updated packages, which resolve this issue.

1.144.2. RHBA-2010:0123: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0123
Updated openssh packages that resolve an issue are now available.
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
These updated openssh packages fix the following bug:
* in order to comply with the FIPS 140-2 standard, Security Requirements for Cryptographic Modules, RAND_cleanup() function calls were added to places where processes, and their child processes, exited, in both the ssh program and the sshd service. (BZ#561420)
All users of openssh are advised to upgrade to these updated packages, which resolve this issue.

1.144.3. RHSA-2009:1470: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1470
Updated openssh packages that fix a security issue are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904)
All OpenSSH users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the OpenSSH server daemon (sshd) will be restarted automatically.

1.144.4. RHBA-2010:0193: bug fix update

Updated openssh packages that fix various bugs and add an enhancement are now available.
OpenSSH is OpenBSD's SSH (Secure Shell) protocol implementation. These packages include the core files necessary for both the OpenSSH client and server.
These packages address the following bugs:
* When sshd used multiple SFTP channels simultaneously, each SFTP channel leaked a unix socket. This socket leak could have eventually caused the sshd daemon to monopolize system resources. The bug has been fixed with these updated packages by ensuring that there is no socket leak within a subsystem. (BZ#530358)
* If a zero length SSH2 DSA key existed, the ssh init script would hang. This issue has been fixed by allowing the ssh init script to automatically overwrite any zero length keys that exist. The ssh init script now functions as expected, even if a zero length key exists before execution of the script. (BZ#531738)
As well, these updated packages add the following enhancement:
* A call to RAND_cleanup() has been added to ssh and sshd to clean the PRNG status when exiting the program. This enhancement also ensures FIPS-140-2 compliance. (BZ#557164)
All openssh users should upgrade to these updated packages, which resolve these issues.

1.145. openssl

1.145.1. RHSA-2010:0162: Important security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0162
Updated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code. (CVE-2009-3245)
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)
Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw: http://kbase.redhat.com/faq/docs/DOC-20491
A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake. (CVE-2010-0433)
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

1.145.2. RHSA-2010:0054: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0054
Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
It was found that the OpenSSL library did not properly re-initialize its internal state in the SSL_library_init() function after previous calls to the CRYPTO_cleanup_all_ex_data() function, which would cause a memory leak for each subsequent SSL connection. This flaw could cause server applications that call those functions during reload, such as a combination of the Apache HTTP Server, mod_ssl, PHP, and cURL, to consume all available memory, resulting in a denial of service. (CVE-2009-4355)
Dan Kaminsky found that browsers could accept certificates with MD2 hash signatures, even though MD2 is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker to create a malicious certificate that would be treated as trusted by a browser. OpenSSL now disables the use of the MD2 algorithm inside signatures by default. (CVE-2009-2409)
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

1.146. openswan

1.146.1. RHBA-2010:0096: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0096
Updated openswan packages that fix an issue with NSS passwords being logged at run time are now available.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.
This update addresses the following issue:
* when an NSS database is created with a password (either in FIPS or non-FIPS mode), access to a private key (associated with a certificate or a raw public key) requires authentication. At authentication time, openswan passes the database password to NSS. Previously, when this happened, openswan also logged the password to /var/log/secure. The password could also be seen by running "ipsec barf". With this update, openswan still passes the database password at authentication time but no longer logs it in any fashion. (BZ#557688)
All openswan users are advised to upgrade to these updated packages, which resolve this issue.

1.146.2. RHBA-2009:1612: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1612
Updated openswan packages that fix an issue and enable Openswan to pass the TAHI test suite for HMAC-SHA1-96 support are now available.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up Openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The Openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.
The TAHI Project IPv6 Ready Test Suite, Phase 2, includes an IKE version 2 test category. Support for the HMAC-SHA1-96 message digest algorithm is required by this category and, previously, Openswan did not include such support. With this update, HMAC-SHA1-96 supported has been added to the openswan package. (BZ#533883)
This update fixes the following issue:
* the FIPS-140-2 standard requires cryptographic modules to provide methods to "zeroize" (meaning: to overwrite with zeroes) all plain text secret and private cryptographic keys and Critical Security Parameters (CSPs). With this update, Openswan uses methods supplied by the NSS library to perform zeroization on plain text secret and private cryptographic keys and CSPs.
All users of openswan are advised to upgrade to these updated packages, which resolve this issue.

1.147. oprofile

1.147.1. RHBA-2010:0283: bug fix and enhancement update

An updated oprofile package that corrects architecture-specific bugs and adds support for Nehalem-EP and IBM POWER7 processors is now available.
OProfile is a system-wide profiler for Linux systems. The profiling runs transparently in the background and profile data can be collected at any time. OProfile uses the hardware performance counters provided on many processors, and can use the Real Time Clock (RTC) for profiling on processors without counters.
This update applies the following fixes and enhancements:
* An incorrect argument in a binutil library call caused a segmentation fault in opreport whenever the --debug-info option was used. The elf_find_function() function in libbfd required a non-NULL symbol, but opreport did not receive a warning whenever NULL symbols were present. This update adds an early warning system for this, thereby resulting in more graceful error reporting for the presence of NULL symbols rather than a segmentation fault. (BZ#450642)
* OProfile now supports Nehalem-EP processor performance events. (BZ#498619)
* When the OProfile daemon started on the Itanium architecture, it created children processes to run perfmon; however, those children processes did not properly close file descriptors for stdin, stdout, and stderr. This could prevent oprofiled from properly sending output to any third-party applications. This update corrects the behavior by adding close() functions for open stdin, stdout, and stderr file descriptors, which corrects the daemon behavior on the Itanium architecture. (BZ#518480)
* A regression in the binutils-devel static library caused the bfd_get_section_by_name() function to produce incorrect output. This regression was caused by an error that was present in the binutils-devel specfile when it was compiled. Since OProfile uses binutils-devel at compile time, bfd_get_section_by_name() also cause opreport -l to fail. With this release, binutils-devel is compiled with a corrected specfile; OProfile is then re-compiled with this version of binutils-devel, thereby fixing the regression. (BZ#527679)
* OProfile now supports the IBM POWER7 processor. (BZ#566524)
All OProfile users should apply this update.

1.148. pam

1.148.1. RHBA-2010:0135: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0135
Updated pam packages that fix a bug in the pam_time and pam_group modules are now available.
Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies, without having to recompile programs to handle authentication.
These updated packages fix the following bug:
* the pam_time and pam_group modules, which support allowing or rejecting authentication based on time and assigning group names respectively, incorrectly matched user, service, or terminal name substrings even if no wildcard was specified in the configuration. For example, "user" and "user1" were incorrectly equated, causing policies to apply to both usernames even when "user" was the only username subject to said policies. This update improves the string matching in the pam_time and pam_group modules ensuring such mis-matches (and consequent policy mis-applications) no longer occur. (BZ#571341)
All pam users are advised to upgrade to these updated packages, which resolve this issue.

1.149. pam_krb5

1.149.1. RHSA-2010:0258: Low security and bug fix update

Updated pam_krb5 packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware applications to use Kerberos to verify user identities by obtaining user credentials at log in time.
A flaw was found in pam_krb5. In some non-default configurations (specifically, those where pam_krb5 would be the first module to prompt for a password), the text of the password prompt varied based on whether or not the username provided was a username known to the system. A remote attacker could use this flaw to recognize valid usernames, which would aid a dictionary-based password guess attack. (CVE-2009-1384)
This update also fixes the following bugs:
* certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the "chpw_prompt" option for its service should restore the old behavior. (BZ#509092)
* pam_krb5 does not allow the user to change an expired password in cases where the Key Distribution Center (KDC) is configured to refuse attempts to obtain forwardable password-changing credentials. This update fixes this issue. (BZ#489015)
* failure to verify TGT because of wrong keytab handling. (BZ#450776)
Users of pam_krb5 are advised to upgrade to these updated packages, which resolve these issues.

1.150. paps

1.150.1. RHBA-2009:1679: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1679
An updated paps package that fixes a word wrap bug associated with paps' use as the CUPS text filter is now available.
Paps reads UTF-8 encoded text files and renders them to a PostScript file. It uses the pango library to create the outline curves. The paps package also includes the libpaps library, which simplifies PostScript rendering for any pango-based applications (for example, programs that use the GTK+ widget toolkit). As well, paps is used as the CUPS text filter, allowing CUPS to handle UTF-8 encoded strings.
This update addresses the following issue:
* when paps was used as the CUPS text filter with a "wrap=false" parameter, paps did not honor the parameter: text was wrapped to fit the page despite the parameter instructing otherwise. Paps now calls pango's word wrap functions correctly and, consequently, honors this parameter as expected. (BZ#520590)
All paps users should upgrade to this updated package, which resolve this issue.

1.151. parted

1.151.1. RHBA-2010:0257: bug fix update

Updated parted packages that resolve an issue editing gpt tables are now available.
The GNU Parted program allows you to create, destroy, resize, move, and copy hard disk partitions. Parted can be used for creating space for new operating systems, reorganizing disk usage, and copying data to new hard disks.
This update fixes the following problems:
* when parted is invoked in interactive mode on a disk with GUID Partition Tables (GPT), if the backup GPT is not in the disk's last sector, parted presents an alert;
Error: The backup GPT table is not at the end of the disk, as it should be. This might mean that another operating system believes the disk is smaller. Fix, by moving the backup to the end (and removing the old backup)?
and offers three options for continuing: Fix, Cancel or Ignore. Previously, choosing Cancel or Ignore had no effect: no matter what option was chosen, parted "fixed" (ie changed) the GUID partition table. This update corrects this: if and when the above error presents, the Cancel and Ignore options are now honored if selected, as expected. (BZ#529672)
* When parted is invoked on a disk, it checks to see if there is a file system it recognizes on the partitions on the disk.
When parted was invoked on a dasd disk, and one of the partitions on the disk did not contain a filesystem (such as for example a partition which is a lvm physical volume), then parted would crash due to a NULL pointer dereference. Parted now no longer crashes under these circumstances. (BZ#563266)
All parted users should install the updated package, which resolve these issues.

1.152. pax

1.152.1. RHBA-2009:1591: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1591
An updated pax package that fixes a bug is now available.
pax is the portable archive exchange utility. It is defined by a POSIX specification, and is able to compress and decompress both tar and cpio archives, as well as several of their older variants.
This updated pax package fixes the following bug:
* the pax utility creates ustar (Uniform Standard Tape Archive) archives by default. Attempting to create a ustar archive of a directory which contained path names that were exactly 100 characters in length caused pax to fail with the following error message:
pax: File name too long for ustar
With this update, creating ustar archives with pax succeeds regardless of the length of the absolute paths names of the files and directories being archived. (BZ#239001)
All users of pax are advised to upgrade to this updated package, which resolves this issue.

1.153. pciutils

1.153.1. RHBA-2009:1592: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1592
An updated pciutils package that fixes a bug is now available.
The pciutils package contains various utilities for inspecting and manipulating devices connected to the PCI bus.
This updated pciutils package fixes the following bug:
* the pciutils use PCILIB, a portable, platform-independent library, to talk to PCI cards. By default PCILIB uses the first available access method but switches can be used to control its behavior. The PCILIB AND ITS OPTIONS section of the lspci man page lists two such switches (-H1 and -H2) that did not work as documented.
The -H1 switch was listed as allowing "direct hardware access via Intel configuration mechanism 1" and the -H2 switch as setting PCILIB to use mechanism 2. In the previous pciutils release, however, using either switch on AMD64 or Intel 64 architectures resulted in an "invalid option -- H" error. (Note: the switches worked as expected on 32-bit x86 architectures).
This error was due to the pciutils package not enabling these switches when compiled for 64-bit architectures. With this update the pciutils spec file includes a corrected build script which enables these features for AMD64 and Intel 64 and, consequently, provides Intel configuration mechanism support to 64-bit architectures as documented. (BZ#505557)
All pciutils users should upgrade to this updated package, which resolves this issue.

1.154. pcsc-lite

1.154.1. RHBA-2010:0278: bug fix update

An updated pcsc-lite package that fixes a bug in the source RPM is now available.
pcsc-lite is a daemon which controls access to smart cards and other security tokens on your system.
This update addresses the following issue:
* the .spec file for the pcsc-lite source rpm contained an error in its Release field. The {dist} tag was not appended to the Release value as a conditional. It was "{dist}" where it should have been "{?dist}". The question mark translates to "If %{dist} is defined, insert its value here. If not, do nothing." Without the question mark, the tag means "dist" is defined and insert its value here. Consequently, if the source rpm was re-built in an environment where the dist variable was not set, the resultant .rpm file contained garbage characters in its file name. This release corrects this. The tag is now a conditional and rebuilding pcse-lite from the source rpm produces an rpm file with the expected file name. (BZ#440627)
Only users who use smart cards or security tokens who also rebuild components such as pcsc-lite from source need to update this package.

1.155. perl-Sys-Virt

1.155.1. RHBA-2010:0251: bug fix update

An updated perl-Sys-Virt package that fixes several bugs is now available.
The Sys::Virt module provides a Perl XS binding to the libvirt virtual machine management APIs. This allows machines running within arbitrary virtualization containers to be managed with a consistent API.
This update addresses the following issues:
* a number of calls available in the C API, including virStorageVolLookupByKey, virStorageVolLookupByName, and virStorageVolLookupByPath, did not contain Perl bindings. As a result, these storage functions were unavailable when using Perl-based tools for virtual machine management. This update adds the missing calls to the Perl API, and Perl-based management of virtual machines is now possible. (BZ#519647)
* the 'message' subroutine of Error.pm returned an error code instead of an error message. As a consequence, error conditions that required a textual error message instead received an alpha-numeric error code. The 'message' subroutine has been amended to return a textual message, and error conditions now produce a more informative error description. (BZ#525091)
* Sys::Virt did not document the 'flags' parameter used by several methods, including the following:
* $vmm->num_of_node_devices * $vmm->list_node_device_names * $vmm->find_storage_pool_sources * $dom->core_dump * $dom->reboot * $dom->block_peek * $dom->memory_peek * $dom->get_autostart * $pool->refresh * $pool->build * $pool->delete
Since the 'flags' parameter is currently unused, the parameter and its default value were not mentioned in the methods' descriptions. This could cause certain operations that referenced the 'flags' parameter to fail with a usage error. The 'flags' parameter is now documented as an optional parameter that defaults to a value of zero if it is omitted. Usage errors no longer occur when using the methods as documented. (BZ#519712)
* the description of the $dom->reboot method made reference to a list of &Sys::Virt::Domain::REBOOT_* constants for use with the 'flags' parameter. However, since the 'flags' parameter is not currently used, the reboot constants were not included in the document. This could cause confusion when implementing the $dom->reboot method. The reference to the reboot constants has been removed from the documentation, and the correct usage of the $dom->reboot method is now clearer. (BZ#543878)
All users using Perl or Perl-based tools to do virtual machine management should install this updated package which fixes these bugs.

1.156. perl-XML-SAX

1.156.1. RHBA-2010:0008: and perl-XML-LibXML bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0008
Updated perl-XML-SAX and perl-XML-LibXML packages that fix various bugs are available.
XML::SAX is a SAX parser access API for Perl. It includes classes and APIs required for implementing SAX drivers, along with a factory class for returning any SAX parser installed on the user's system. XML::LibXML provides a library for working with XML files.
These updated perl-XML-SAX and perl-XML-LibXML packages provide the following bug fixes:
* UTF-8 would not be represented correctly by the perl-XML-SAX parser because the Unicode version of XML::SAX::PurePerl::Reader::switch_encoding_string() used Encode::from_to() that did not set the Perl internal UTF-8 flag. This bug has been corrected by replacing the use of Encode::from_to() with the use of Encode::decode(). (BZ#475250)
* When upgrading to Red Hat Enterprise Linux 5, a later version or upgrading the individual perl-XML-SAX-0.14 package to perl-XML-SAX-0.14-6, error messages concerning the perl-XML-SAX package would be logged in the /root/upgrade.log file. These messages occurred because of a missing file or file data within ParserDetails.ini. This file has been restored to the perl-XML-SAX and perl-XML-LibXML packages with this update. (BZ#289061,
Warning, both perl-XML-SAX and perl-XML-LibXML packages must be updated together in one step. Updating these packages separately can result in the configuration file ParserDetails.ini becoming broken.
All users of perl-XML-SAX and perl-XML-LibXML are advised to upgrade to these updated packages, which resolve these issues.

1.157. pexpect

1.157.1. RHBA-2009:1508: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1508
An updated pexpect package that fixes two bugs is now available.
pexpect is a pure Python module for spawning child applications, controlling them, and responding to expected patterns in their output. Pexpect works like Don Libes' Expect. Pexpect allows your script to spawn a child application and control it as if a human were typing commands. Pexpect can be used for automating interactive applications such as ssh, ftp, passwd, telnet, etc. It can also be used to automate setup scripts for duplicating software package installations on different servers and for automated software testing.
This update addresses the following issues:
* pexpect was previously included in the unsupported Extra Packages for Enterprise Linux (EPEL) repository. It is now a supported package in Red Hat Enterprise Linux but is otherwise unchanged. The initial release of pexpect as a supported package included no changes at all and, as a consequence, did not obsolete the EPEL version. To ensure the supported package properly obsoletes the EPEL package, the Release value for this package was incremented. (BZ#481380)
* previously, the shebang lines in pexpect's python executables pointed to "/usr/bin/env python" rather than explicitly referencing the version of Python installed on the system. This broke these executables in the case of a user installing an alternative Python version. With this update, all shebang lines point explicitly to the system version at /usr/bin/python. (BZ#521891)
All pexpect users should install this updated package, which addresses these issues.

1.158. php

1.158.1. RHSA-2010:0040: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0040
Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.
Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially-crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292)
A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially-crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546)
It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017)
Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request.
It was discovered that PHP was affected by the previously published "null prefix attack", caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291)
It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142)
All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.158.2. RHBA-2010:0241: bug fix and enhancement update

Updated php packages that fix various bugs and add enhancements are now available.
PHP is an HTML-embedded scripting language that allows developers to write dynamically generated web pages. PHP is ideal for writing database-enabled websites, with built-in integration for several commercial and non- commercial database management systems. PHP is often used as a replacement for CGI scripts.
The php package contains a module that adds support for the PHP language to the Apache HTTP Server.
* two minor fixes were performed in the php substr_compare and substr_count functions to correct integer overflows. (BZ#469807 & BZ#470971)
* if a PHP script uses odbc_connect and the -lodbcpsql is being used for PostgreSQL, it will either hang forever or cause a segmentation fault. The default behavior was changed, and the hangs and errors no longer occur. (BZ#483690)
* the default PHP build was not thread-safe, and became unusable with the worker MPM in httpd. It was upgraded to be thread-safe and can now be used as expected. (BZ#484058)
* when an unsupported character set was used, the PHP mbstring module would experience a segmentation fault. A patch was added to resolve a double-free problem, and the segfault no longer occurs. (BZ#486651)
* when rebuilding PHP on IBM PowerPC architecture, the build would fail. A change was made to the PHP specfile, and a rebuild now works as expected. (BZ#491050)
* the PHP move_uploaded_file function was generating inconsistent destination file permissions. The destination file's permissions are now always determined by the active umask and permissions are now consistent. (BZ#498031)
* some PHP code was creating invalid pointer errors and stack traces. The package was updated so that an entry is added to the log file, and no error occurs. (BZ#515372)
* the default memory_limit value was too low for some 64-bit architectures. The user needed to manually edit the php.ini file to be able to start Apache. The default value has been increased to 128M and Apache now starts as expected on 64-bit hardware. (BZ#517604)
* when attempting to build Zarafa a syntax error caused the build to fail. Extraneous keystrokes were removed and Zarafa now builds as expected. (BZ#530824)
* the PHP package has been updated to include new code from upstream. (BZ#500383, BZ#505355, & BZ#511175)
Users are advised to upgrade to these updated php packages, which resolve these issues and add these enhancements.

1.159. pidgin

1.159.1. RHBA-2010:0176: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0176
Updated pidgin packages that fix a bug are now available.
Pidgin allows you to talk to anyone using a variety of messaging protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and Zephyr.
These updated pidgin packages fix the following bug:
* Pidgin users who attempted to log on to an AOL Instant Messenger (AIM) account found that their connections failed due to recent AIM protocol changes. A workaround for this incompatibility involved disabling secure authentication. This update resolves the incompatibility so that Pidgin users are once again able to log on to their AOL Instant Messenger accounts using secure authentication. (BZ#576311)
All users of pidgin are advised to upgrade to these updated packages, which resolve this issue.

1.160. piranha

1.160.1. RHBA-2010:0297: bug fix update

Updated piranha packages that fix several bugs are now available.
Piranha provides high-availability and load balancing services for Red Hat Enterprise Linux. It includes various tools to administer and configure the Linux Virtual Server (LVS), as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing mechanism that provides load balancing, primarily for Web and FTP servers.
This update fixes the following bugs:
* Stopping pulse service does not stop service monitors. In this updated package, pulse will stop all service monitors. (BZ#522230)
* Nanny does not work with port different than 80 when monitoring is not provided. In this updated package, nanny works correctly. (BZ#533113)
* Nanny does not set port on real server correctly if port on LVS is not 80. In this update package, nanny set port correctly.(BZ#549738)
* Pulse does not activate sorry server when all real servers are down. In this updated package, pulse will activate sorry server when needed.(BZ#566140)
Users of piranha are advised to upgrade to these updated packages, which resolve these issues.

1.161. pirut

1.161.1. RHBA-2010:0058: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0058
An updated pirut package that fixes various bugs is now available.
The pirut graphical package manager front end provides a set of graphical tools for managing software.
This updated pirut package includes fixes for the following bugs:
* removing a package with pirut when no repositories were configured caused pirut to exit with a Python traceback. With this update, the application does not exit with a traceback when a package is removed in the absence of any configured repositories. (BZ#444697)
* occasionally, a failed assertion check related to the progress bar, and specifically to the gtk_progress_set_percentage() function, caused the pirut package manager to exit with a traceback. This update ensures that this assertion no longer fails, thus resolving the problem. (BZ#459489)
* after upgrading to the Red Hat Enterprise Linux 5.3 release, pirut began showing the epoch number as the first characters in the package group details list. With this update, package lists are once again sorted correctly. (BZ#478834)
* the "pup" graphical package manager application used an incorrectly-sized icon. (BZ#436193)
All users of pirut are advised to upgrade to this updated package, which resolves these issues.

1.162. policycoreutils

1.162.1. RHBA-2010:0208: bug fix update

Updated policycoreutils packages that fix several bugs are now available.
The policycoreutils packages contain the core utilities that are required for the basic operation of a Security-Enhanced Linux (SELinux) system and its policies. These utilities include load_policy to load policies, setfiles to label file systems, newrole to switch roles, and run_init to run /etc/init.d/ scripts in their proper context.
These updated packages fix the following bugs:
* executing the semanage command with the translation option caused denials and undesired mode changes to the setrans.conf file. This update removes the translation functionality from the semanage command. (BZ#460970)
* the semanage command allowed an invalid network port number to be passed to it. This update adds proper verification of the port number option to semanage. Any invalid port number is now rejected. (BZ#505521)
* the use of the #!/usr/bin/env python option at the top of python scripts is being phased out, in favour of the #!/usr/bin/python option. There was one instance of the former option in a policycoreutils python script. This fix replaces this line with the latter option in this file. (BZ#521298)
* the semanage command did not support the node option being passed to it and resulted in an error when it was used. This fix adds the node option to the semanage command. This option allows you to list, add and modify nodes in SELinux policy. (BZ#527487)
Users of policycoreutils are advised to upgrade to these updated packages, which resolve these issues.

1.163. poppler

1.163.1. RHSA-2009:1504: Important security and bug fix update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1504
Updated poppler packages that fix multiple security issues and a bug are now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince.
Multiple integer overflow flaws were found in poppler. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened. (CVE-2009-3603, CVE-2009-3608, CVE-2009-3609)
Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608 issue.
This update also corrects a regression introduced in the previous poppler security update, RHSA-2009:0480, that prevented poppler from rendering certain PDF documents correctly. (BZ#528147)
Users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

1.164. postgresql

1.164.1. RHSA-2009:1484: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1484
Updated postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
PostgreSQL is an advanced object-relational database management system (DBMS).
It was discovered that the upstream patch for CVE-2007-6600 included in the Red Hat Security Advisory RHSA-2008:0038 did not include protection against misuse of the RESET ROLE and RESET SESSION AUTHORIZATION commands. An authenticated user could use this flaw to install malicious code that would later execute with superuser privileges. (CVE-2009-3230)
A flaw was found in the way PostgreSQL handled encoding conversion. A remote, authenticated user could trigger an encoding conversion failure, possibly leading to a temporary denial of service. Note: To exploit this issue, a locale and client encoding for which specific messages fail to translate must be selected (the availability of these is determined by an administrator-defined locale setting). (CVE-2009-0922)
Note: For Red Hat Enterprise Linux 4, this update upgrades PostgreSQL to version 7.4.26. For Red Hat Enterprise Linux 5, this update upgrades PostgreSQL to version 8.1.18. Refer to the PostgreSQL Release Notes for a list of changes:
http://www.postgresql.org/docs/7.4/static/release.html http://www.postgresql.org/docs/8.1/static/release.html
All PostgreSQL users should upgrade to these updated packages, which resolve these issues. If the postgresql service is running, it will be automatically restarted after installing this update.

1.165. ppc64-utils

1.165.1. RHBA-2010:0225: bug fix and enhancement update

Updated ppc64-utils packages that fix various bugs and add various enhancements are now available.
ppc64-utils is a collection of utilities for Linux running on 64-bit PowerPC platforms.
These packages address the following bugs:
* A bug existed within the ppc64-utils packages that caused a conflict with the powerpc-utils package from IBM. The power-pc-utils package provides dynamic logical partitioning (DLPAR) support, which is a common virtualization feature on the Power PC platform. This conflict forced a user to first remove the ppc61-utils package before installing the power-pc-utils package. To correct this bug, support for the lsslot and drmgr commands has been added to the ppc64-utils packages, ensuring there is no conflict when installing the powerpc-utils package. The lsslot command provides system configuration data to the user and the drmgr command is required to perform DLPAR operations. (BZ#512373)
* When attempting to use the Hardware Management Console (HMC) to display the end to end virtual device topology, no data would be shown. The scripts ls-vscsi, ls-veth and ls-vdev have been added for the HMC to use to retrieve Virtual Input and Output (VIO) information that is used to correlate with the output of lsdevinfo to display the end to end virtual device topology. ( BZ#565518 )
* Running lsdevinfo on an IBM POWER6 machine with a Virtual Fibre Channel resulted in incorrect errors and an incorrect device name being displayed. These updated packages make sure only necessary error messages are printed and that the correct device name is shown. ( BZ#565518 )
As well, these updated packages add the following enhancements:
* CLI and CIM support has been added for end to end virtual device mapping. This additional infrastructure improves the ease of use of virtualization technology by enabling the end to end virtual device view. (BZ#514813)
* Support for the -R parameter and the uniquetype field have been added to the HMC. The -R parameter recursively displays the children of the selected device and the uniquetype field is used by the HMC for filtering. ( BZ#565518 )
Users of ppc64-utils are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.166. procps

1.166.1. RHBA-2010:0200: bug fix and enhancement update

An updated procps package that fixes various bugs is now available.
The procps package contains a set of system utilities that provide system information. Procps includes ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch and pdwx.
This updated procps package includes fixes for the following bugs:
* There was an array in proc/devname.c that was trying to hold bytes in excessive of its capacity, leading to string overflow errors and making the names unusable. A patch has been incorporated that widens the strings so that they include the NUL terminator so that this error no longer occurs. (BZ#469495)
* The ps command defines a fixed width for user names. If a name exceeds this width, the command will revert to displaying the numeric id instead. This behavior was not properly documented in the man page for the command so it has now been added to make users more clearly aware of this behavior. (BZ#471476)
* There was an issue when using the slabtop command with the "-o" option. The command's output would immediately disappear instead of being printed to stdout meaning that the information could not be read. slabtop has now been altered so that output is directed to stdout. As a result, users can now read the output on the terminal screen. (BZ#475963)
* With increases in memory sizes, tools such as vmstat were misaligning the header columns and output for statistics such as free, buff and cache memory. To fix this issue, the "-w" switch has been modified to account for longer figures pertaining to memory statistics. With these wider fields, the columns and their headers are now correctly aligned. (BZ#484789)
* The ps command would occasionally throw a double-free corruption error. This would cause the software to die unexpectedly. This has been fixed by adding a test that looks for zero at the end of a process. As a result, ps no longer aborts unexpectedly. (BZ#487700)
* The "sysctl -a" command was using deprecated syscalls. The software has been modified so that it no longer uses these deprecated calls. As a result, when the archaic code is eventually removed, sysctl will continue to work. A warning message has also been removed from the package's man page. (BZ#501785 BZ#556508)
* The ps command was not producing a core dump when it crashed, making it extremely hard to troubleshoot. Code to handle SIGABRT and SIGSEGV has now been added to the software so that it will produce a core dump if it crashes. As a result, problems will be much easier to trace. (BZ#512857)
* The ps utility's "etime" field shows the elapsed time since a process was started. On heavily-loaded systems, it was possible for a negative value to be returned due to an integer overflow. This has been rectified so that it always correctly returns a positive value, thus providing users with accurate data.. (BZ#556762)
* If the user pressed "f" whilst running top and selected a low number of fields, erroneous and jumbled text would appear at the top of the screen. The top utility has now been modified so that the text clears correctly and the output is displayed as one would expect. (BZ#556777)
* The vmstat utility has a field entitled "Time stolen from a virtual machine." Unfortunately, the addition of the "-w" switch had an adverse impact upon the way this information was output. Consequentially, when vmstat was run in default mode, the field's header was missing and when it was run with the "-w" option, it disappeared altogether. A patch has now been added and, as a result, the field now displays correctly at all times. (BZ#558475)
* The "pmap -x" command was not displaying the resident set size (RSS) for process ids. No figures were appearing in the column. A patch has been applied so that the figures for this field are now correctly calculated and displayed. (BZ#561392)
Users are advised to upgrade to this updated procps package, which resolves these issues.

1.167. pykickstart

1.167.1. RHBA-2010:0248: bug fix and enhancement update

An updated pykickstart package that fixes two bugs and adds three enhancements is now available.
The pykickstart package is a python library used to manipulate kickstart files.
This updated package fixes the following bugs:
* The anaconda installation system would crash when attempting to write guest installation files to a iscsi connected host. This was because pykickstart did not specify an iscsi port for use in the installation. This behaviour has been corrected and pykickstart now specifies a default iscsi port. (BZ#547678)
* The update which enabled the --hvargs boot option in pykickstart (see BZ#547877 ) caused anaconda to a return the error: "KeyError: 'hvArgs'" and exit the installation. A patch has been applied to kickstart.py to correct this. (BZ#540473)
This update also adds the following enhancements:
* pykickstart now has an additional bootloader option (--hvargs) which allows kernel arguments for the hypervisor to be specified in the kickstart file. ( BZ#547877 )
* pykickstart now adds the kickstart line number of a script to anaconda error logs if that script causes the installation to fail. This assists with debugging kickstart installation problems. (BZ#547188)
* The kickstart install process is able to use package group entries to automatically install all packages in a specified 'group'. Functionality has now been added to both pykickstart and the anaconda install system to also support group exclusions, such as -@conflicts. (BZ#555311).
pykickstart users should upgrade to this updated package, which fixes these issue and adds these enhancements.

1.168. python-virtinst

1.168.1. RHBA-2010:0282: bug fix and enhancement update

An updated python-virtinst package that fixes bugs and adds enhancements is now available.
python-virtinst is a module that helps build and install libvirt based virtual machines.
This updated package addresses the following issues:
* When installing a KVM Windows guest with virt-install, QEMU would not immediately recognise the installation. An error message would appear, despite a successful installation. A minor delay has been added to allow the correct information to be gathered, and the incorrect error message no longer appears. (BZ#498237)
* An unsupported --prompt option was listed in the --help output for virt-image. When virt-image --prompt was run, an error message would print. The --prompt option has been removed from the --help output. (BZ#503721)
* cow, qcow and qcow2 were not listed in the virt-convert format whitelist, although they were supported. An unknown disk format error would print for each format when virt-convert was run from a VMware virtual machine to a virt-image. cow, qcow and qcow2 are now listed.
* virt-install would fail when re-installing a virtual system using an .img file that had been moved or deleted, instead of re-creating the guest image. The error was found to be spurious characters in the image paths ('/'). Code has been corrected in python-virtinst to prevent this error. (BZ#511925)
* By default, virtual disks are not opened with O_DIRECT. This meant data would sometimes be cached twice: once inside the virtual machine, and once outside. Users had to manually add <driver name='qemu' cache='none'/> to the virtual machine definition to prevent double caching. The default cache mode of QEMU and KVM guests is now set to "none", which prevents inconsistent disc states. (BZ#512072)
* The --disk option of virt-install was not compatible with the --prompt option, and caused error messages to print when they were used together. The interaction between these two options has been adjusted, and --disk can now be used with --prompt successfully. (BZ#516129)
* When --wait is specified as 0, virt-install should begin the installation process and exit the console. However, a syntax error in the code caused virt-install --wait to perform as if it was not specified, and the console must be closed manually. The syntax error has now been corrected, and if --wait=0, the installation process will begin and close the console. (BZ#517081)
* When running virt-install --prompt --nographics, if the disk size was too big for the available diskspace, a badly formatted error message would print. The error message syntax has been corrected, and the user prompt now appears on a new line beneath the message. (BZ#523767)
* virt-install reported that the installation was still in progress after the installation was complete and the guest machine was being rebooted. The post installation error catching and reporting has been improved. The guest state is now reported accurately. (BZ#545837)
* An os dictionary entry has been backported into this release. Users no longer need to use virtio26 to enable virtio support for guests. This entry can be selected in virt-manager or via virt-install --os-variant. (BZ#547380)
* libvirt was, at times, unable to start guest systems when installing under a minor load, and the install would fail. There were memory problems if another process was writing to disk simultaneously, and virt-install was misreading nonsparse disk images. This fix modifies the libvirt timeout manager to better cope with shared I/O conditions an adds the 0_DSYNC flag to python-virtinst to manage nonsparse disk reading. (BZ#558855)
* Previously, a patch was added to virtinst to avoid non-sparse volume creation, because libvirt did not drop the pool lock while allocating. However, the libvirt version in this release does not have this issue. The patch has been removed and virt-install no longer ignores --nonsparse when creating an image inside libvirt's storage pool. (BZ#569339)
Users are advised to upgrade to this updated python-virtinst package which resolves these issues.

1.169. PyXML

1.169.1. RHSA-2010:0002: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0002
An updated PyXML package that fixes one security issue is now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
PyXML provides XML libraries for Python. The distribution contains a validating XML parser, an implementation of the SAX and DOM programming interfaces, and an interface to the Expat parser.
A buffer over-read flaw was found in the way PyXML's Expat parser handled malformed UTF-8 sequences when processing XML files. A specially-crafted XML file could cause Python applications using PyXML's Expat parser to crash while parsing the file. (CVE-2009-3720)
This update makes PyXML use the system Expat library rather than its own internal copy; therefore, users must install the RHSA-2009:1625 expat update together with this PyXML update to resolve the CVE-2009-3720 issue.
All PyXML users should upgrade to this updated package, which changes PyXML to use the system Expat library. After installing this update along with RHSA-2009:1625, applications using the PyXML library must be restarted for the update to take effect.

1.170. qspice

1.170.1. RHBA-2009:1489: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1489
Updated qspice packages that fix several bugs are now available.
The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol designed for virtual environments. SPICE users can view a virtualized desktop or server from the local system or any system with network access to the server. SPICE is available for a variety of machine architectures and operating systems. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the KVM hypervisor or on Red Hat Enterprise Virtualization Hypervisors.
These updated packages fix the following bugs:
* the SPICE server uses a heuristic method for detecting video streams. Some sites, however, send two video frame pixmaps: the actual size of the frame and a variant that measures from the top-left of the web-page presenting the frame to the bottom-right of the video frame. Receiving two video pixmaps caused the SPICE heuristic to fail to detect the video stream. This failure also caused a dramatic increase in CPU use and network traffic. With this update, the heuristic detects dual-pixmap video streams accurately; video playback occurs as expected and CPU use and network traffic no longer spike. (BZ#521791)
* previously the SPICE server used a fixed bit-rate for video streams. If external factors affected the data stream, this fixed bit-rate resulted in dropped frames and low quality playback. With this update, the SPICE server no longer uses a hard-coded bit-rate; instead it can choose a bit-rate that reflects current network conditions, improving video playback in low-bandwidth conditions. (BZ#521792)
* on new client connections the SPICE server previously sent the client an uncompressed initial screen image. In low bandwidth conditions this resulted in a long period of apparent inactivity, with the client presenting an unsuable black screen. The SPICE server now compresses the initial screen image, greatly reducing initialization time. (BZ#522049)
Users requiring remote display capabilities for KVM hypervisors are advised to upgrade to these updated qspice packages, which resolve these issues.

1.170.2. RHBA-2010:0264: bug fix update

Updated qspice packages that fix various bugs are now available.
The Simple Protocol for Independent Computing Environments (SPICE), a remote display protocolis used in Red Hat Enterprise Linux for viewing virtualized guests running on the KVM hypervisor or on Red Hat Enterprise Virtualization Hypervisors.
The updated packages fix the following bugs:
* previously, if some sites sent two video frame pixmaps, the SPICE heuristic failed to detect the video stream and caused a dramatic increase in CPU use and network traffic. With this update, the dual-pixmap video streams is detected, video playback occurs as expected and CPU use and network traffic no longer spike. (BZ#518193)
* the SPICE server previously used a fixed bit-rate for video streams. If external factors affected the data stream, thi resulted in dropped frames and low quality playback. With this update, the SPICE server no longer uses a hard-coded bit-rate; instead it can choose a bit-rate that reflects current network conditions, improving video playback in low-bandwidth conditions. (BZ#518388)
* the SPICE server previously sent a new client connections an uncompressed initial screen image. In low bandwidth conditions this resulted in a long period of apparent inactivity, with the client presenting an unusable black screen. The SPICE server now compresses the initial screen image, greatly reducing initialization time. (BZ#521488)
* if configured with SSL, previously a SPICE client would open SSL with DEFLATE compression and the server would accept the compression, resulting in a poor display. Currently, if the client offers SSL compression, the compression is not accepted by the server. (BZ#482111)
* the video compression algorithm can start when the guest is accessing text instead of video causing the text to be blurry. The SPICE server now has an improved heuristic for distinguishing between videos and textual streams. (BZ#493375)
* VM run on loaded host crashed when SPICE session opened from RHEV Manager Local-Host [trap divide error 0]. (BZ#525055)
* sometimes a client was timed out if the server was overloaded or due to low bandwidth. Client time-out has been increased to 15 seconds to prevent this.(BZ#526458)
* qemu crashed when OpenOffice 3.1.1 launched .odp files. (BZ#545862)
* qspice provides an implementation of the qspice server, not the client (which is provided by the spice-client package). Previous qspice builds, however, included spice-client directories and files. These unnecessary files and directories were removed from the qspice package for this update. (BZ#549532)
* destination server authentication during migration process is now supported. The SPICE server sends destination server identity to the client which uses it to authenticate the server.(BZ#549673)
* previous qemu and SPICE server crashes were caused by wrong access to ring items in the code. These have since been resolved. (BZ#551580 and
* a video streaming issue caused display of an unclean Welcome button on log-out on a Windows 7 guest. A lower limit to streamable images prevents streaming of images that are probably textual.(BZ#558270)
* in Windows media player 12 full screen mode small videos are scaled directly and sent to the client. SPICE server identified the scaled images as "artificial" and did not stream them. A more permissive heuristic now enables these to be streamed. (BZ#562744)
Users requiring remote display capabilities for KVM hypervisors are advised to upgrade to these updated qspice packages which resolve the above issues.

1.171. readahead

1.171.1. RHBA-2010:0005: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2010:0005
An updated readahead package that fixes a bug is now available.
readahead reads the contents of a list of files into memory, which causes them to be read from cache when they are actually needed. Its goal is to speed up the boot process.
This update addresses the following bug:
* readahead includes a python helper script for readahead list maintainers: /usr/share/doc/readahead-1.3/readahead-check. Previously, this script's shebang line pointed to "/usr/bin/env python" rather than explicitly referencing the Python version installed on the system. This reference broke scripts such as readahead-check in the case of a user installing an alternative Python version. With this update, the shebang line in readahead-check points explicitly to the system version at /usr/bin/python. (BZ#521280)
All readahead users should install this update which addresses this issue.

1.172. redhat-artwork

1.172.1. RHBA-2010:0311: bug fix update

Updated redhat-artwork packages that remove unnecessary duplicate images are now available.
redhat-artwork contains artwork for the default look and feel of Red Hat Enterprise Linux.
This update addresses the following issues:
* in the previous release, the directory used to store images for use by the KDE Display Manager -- /usr/share/apps/kdm/themes/RHEL/ -- contained images also present in the directory used by the GNOME Display Manager -- /usr/share/gdm/themes/RHEL/ (GNOME is the default desktop environment for Red Hat Enterprise Linux). For this release, these duplicates were removed and replaced with symlinks to the images in /usr/share/gdm/themes/RHEL/. This reduces the redhat-artwork package's size slightly with no effect on functionality. ( BZ#485978 )
* as well, /usr/share/apps/kdm/themes/RHEL/ also contained Red Hat trademarked images that are (and should only be) included in the redhat-logos package. For this update, these trademarked images were removed from redhat-artwork. When a Red Hat trademarked image is displayed, such images are always assumed to be in directories below /usr/share/ other than /usr/share/apps/, so this removal also has no effect on functionality. ( BZ#485978 )
Users should upgrade to this updated package, which resolves these issues.

1.173. redhat-release

1.173.1. RHEA-2010:0207: enhancement update

A new redhat-release package is now available for Red Hat Enterprise Linux 5.5.
The redhat-release package contains licensing information regarding, and identifies the installed version of, Red Hat Enterprise Linux.
This new package reflects changes made for the release of Red Hat Enterprise Linux 5.5.
Users of Red Hat Enterprise Linux 5 should upgrade to this updated package.

1.174. redhat-release-notes

1.174.1. RHEA-2010:0315: enhancement update

An updated redhat-release-notes package is now available.
An updated version of the redhat-release-notes package is now available as part of ongoing support and maintenance of Red Hat Enterprise Linux 5.
This package contains the release notes for Red Hat Enterprise Linux 5.5.

1.175. rgmanager

1.175.1. RHBA-2009:1510: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1510
Updated rgmanager packages that fix a bug are available.
The rgmanager packages contain the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime.
This update applies the following bug fix:
* An issue preventing correct handling of Xen virtual machines utilizing the "path" attribute in cluster.conf has been fixed.
Red Hat Resource Group Manager users are advised to upgrade to these updated packages, which address this issue.

1.175.2. RHBA-2009:1521: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1521
Updated rgmanager packages that fix two bugs are available.
The rgmanager packages contain the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime.
This update applies the following bug fixes:
* An issue preventing correct handling of bonded links on virtual network bridges when using VLANs has been fixed.
* An issue preventing killing all processes holding references on a mount point during a force unmount operation has been fixed.
Red Hat Resource Group Manager users are advised to upgrade to these updated packages, which address these issues.

1.175.3. RHBA-2009:1589: bug-fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1589
Updated rgmanager packages that fix a bug are available.
The rgmanager packages contain the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime.
This update applies the following bug fix:
* An issue causing services to get stuck in the 'recovering' state during a failed relocation attempt has been fixed. (BZ#531799)
Red Hat Resource Group Manager users are advised to upgrade to these updated packages, which address this issue.

1.175.4. RHBA-2010:0280: bug fix and enhancement update

Updated rgmanager packages that fix numerous bugs and add several enhancements are now available.
The rgmanager packages contain the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime.
This update addresses the following bugs:
* failed virtual machine migrations are handled more correctly. (BZ#499835)
* clustered file systems are no longer unmounted after a configuration change. (BZ#506094)
* clustat's output is now consistent when given bad input. (BZ#506346)
* the force_unmount flag now works correctly when used with HA-LVM. (BZ#514040)
* path support for Xen virtual machines works again. (BZ#519786)
* S/Lang processor no longer leaks memory. (BZ#507431)
* rgmanager exits if killed while waiting for fencing. (BZ#508147)
* bonded link handling when using Xen bridged interfaces works. (BZ#518037)
* services no longer get stuck in the 'recovering' state. (BZ#530409)
* node rejoins prior to fencing completion are now handled correctly. (BZ#527777)
* live migration of frozen VMs is an invalid operation. (BZ#510017)
* tomcast-5.sh now uses su instead of sudo. (BZ#524757)
* multiple event handlers no longer cause problems with central_processing. (BZ#527239)
* ip.sh honors monitor_link during service start. (BZ#532756)
* ip.sh now attempts to detect IP address collisions. (BZ#526647)
* ip.sh now handles ipv6 addresses with shortened quads correctly. (BZ#533461)
* SAPInstance and SAPDatabase may now be referenced from the <resources/> block. (BZ#529052)
* fs.sh no longer warns about bind mounts. (BZ#526286)
* migrating a virtual machine to an offline node returns an error. (BZ#536157)
* aggressive timeouts causing services to sometimes erroneously enter the 'failed' state have been changed to scale with the cluster's timeout. (BZ#548133)
* clusvcadm now checks the return code msg_send. (BZ#529929)
* 'Depend' attributes when using central processing are handled correctly. (BZ#523999)
* a bug in HA-LVM which could cause metadata corruption in some cases has been fixed. (BZ#557167)
This update also includes the following enhancements:
* more debugging information has been added to /tmp/rgmanager-dump.. (BZ#512052)
* path support emulation has been added for KVM virtual machines. (BZ#545916)
* vm.sh now provides more meaningful error reports. (BZ#529926)
* file system resources now report errors when status checks fail. (BZ#562237)
Red Hat Resource Group Manager users are advised to upgrade to these updated packages, which address these issues.

1.176. rhn-client-tools

1.176.1. RHBA-2010:0270: bug fix and enhancement update

Updated rhn-client-tools packages that fix several bugs and add enhancements are now available.
Red Hat Network Client Tools provide programs and libraries that allow your system to receive software updates from Red Hat Network (RHN).
This update fixes several bugs and implements new features:
* support for subscribing to a RHN and RHN Satellite channels using a command line tool. (BZ#216808)
* fix for a problem where a package profile uploaded to RHN or RHN Satellite during system registration was incomplete. (BZ #489901,
* require recent version of hal to be able to properly retrieve all dmi related information during system registration. (BZ#494679)
* fix for a problem where dbus and hal services were not running at the end of new system provisioning making it impossible for system registration to RHN or RHN Satellite. Without these services running, registration code was unable to correctly detect a virtualization guest, resulting in the provisioned virtualized system consuming a physical system entitlement. The fix for the problem contains a new method of detecting a virtualizaton guest when dbus and hal services are not running. (BZ#495680)
* do not limit the output from rhnreg_ks utility only to a console. This makes it possible for redirection of the output from rhnreg_ks to a file or a pipe. (BZ#503146)
* fix typo error in up2date manual page. (BZ#510014)
* in network setups where the system is getting a hostname from a DHCP server even though its hostname does not have a valid DNS record, register the system with its hostname. (BZ#511273)
* when registering system to RHN or RHN Satellite using firstboot interface, correctly populate configuration values in /etc/sysconfig/rhn/up2date. (BZ#513660)
* remove unnecessary text window displayed during registration of system. (BZ#516207)
* when registering a system using network bonding setup, report real hardware addresses of all network interfaces involved in a network bond. (BZ#517945)
* fix headers of python executable files to comply with Fedora packaging guidelines. (BZ#521281)
* revised logic of the networkRetries configuration option. Setting the option to '0' will have the same effect as setting to '1'. (BZ#526450)
* support for package installation date displayed in RHN Satellite web user interface. This feature also requires server-side support. (BZ#530369)
* fixed traceback occurring during GUI based system registration executed from firstboot environment. (BZ#530659)
* include the new Red Hat Network Certificate Authority file (BZ#566479)
All users of rhn-client-tools are advised to upgrade to these updated packages, which resolve these issues.

1.177. rhnlib

1.177.1. RHBA-2010:0322: bug fix update

An updated rhnlib package that provides bug fixes and enhancements is now available.
rhnlib is a collection of Python modules used by the Red Hat Network (RHN) software.
This updated package addresses the following bugs:
* When attempting to download multiple packages during satellite-sync, the download will fail after the first redirect to the content provider. (BZ#564299)
This update also provides the following enhancement:
* rhnlib was rebased to version 2.5.22, the latest stable release in the Spacewalk branch. This rebase includes performance improvements and contains an enhancement required in a forthcoming release of RHN Satellite. (BZ#566694)
All Red Hat Network Satellite users are advised to upgrade to this updated package, which provides these enhancements and bug fixes.

1.178. rhnsd

1.178.1. RHBA-2009:1655: bug fix update

Note

This update has already been released (prior to the GA of this release) as FASTRACK errata RHBA-2009:1655
An updated rhnsd package that fixes a problem with inconsistent system environments during rhn_check execution is now available.
The Red Hat Update Agent -- rhnsd -- periodically polls the Red Hat Network (RHN) or a Red Hat Network Satellite server to determine actions to be executed on a client, such as which packages need to be updated on a given system, and then runs those actions.
This update addresses the following issue:
* an alternative to polling a server for scheduled actions is pushing the scheduled actions from the RHN or Satellite server to the client. This is implemented with the XMPP protocol and the OSAD program running on a client. Both rhnsd and osad use the rhn_check program to execute scheduled actions on a client. Previously, the system environment passed to rhn_check by rhnsd was not consistent with the system environment passed to rhn_check by osad. In some circumstances, this inconsistency led to update failures. With this update both rhnsd and osad now return an equivalent "env" to rhn_check and actions executed either by pulling (rhnsd) or pushing (ocad) both work as expected. (BZ#503738)
All RHN or RHN Satellite users should install this updated package which fixes this bug.

1.179. rhpxl

1.179.1. RHBA-2010:0318: bug fix update

An updated rhpxl package that fixes two bugs is now available
The rhpxl package contains a Python library for configuring and running the X Window System.
This updated package fixes the following bugs:
* The American Megatrends Inc. KVM cannot be handled by the standard mouse driver. It needs a configuration section in xorg.conf to employ the evdev driver instead. This issue was resolved by parsing the list of available devices and adding the configuration section on demand. (BZ#492565)
* The list of screen resolutions was not emptied in set_resolution causing some resolutions to not be selectable. An initialization variable has now been implemented. This allows the correct screen resolutions choices. (BZ#242577)
Users of rhpxl are advised to upgrade to this updated package, which resolves these issues.

1.180. rsyslog

1.180.1. RHBA-2010:0213: bug fix update

An updated rsyslog package that fixes various bugs and adds enhancements are now available.
The rsyslog package is an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is compatible with stock syslogd and can be used as a drop-in replacement. Rsyslog is simple to set up, with advanced features suitable for enterprise-class, encryption-protected syslog relay chains.
rsyslog has been rebased to upstream version 3.22.1-3. The rebased package provides fixes for the following bugs:
* when rsyslog had directories creation disabled with $CreateDirs off, regular file creation was also disabled. This resulted in a situation where directory creation needed to be enabled to allow regular file creation. File creation is now allowed in existing directories, even while directory creation is disabled. (BZ#473419)
* if remote messages were being queued, the local rsyslog daemon would stop logging when messages were being discarded or if TCP connections were being rejected. This also caused some applications to fail. The configuration details were updated, and local messages now continue being logged, even when remote messages are queued. (BZ#519201 & BZ#519203)
These rebased packages also provide the following enhancements:
* rsyslog can now handle a greater number of clients. (BZ#475217)
* support has been added for Transport Layer Security (TLS) encryption and conditional filters. (BZ#488068)
* timezone conversion support has been added. All rsyslog messages should now appear in local time. (BZ#499186)
* the rsyslog server can now handle more than 1000 open files and Transmission Control Protocol (TCP) connections. (BZ#519192)
All users of rsyslog are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.

1.181. ruby

1.181.1. RHBA-2010:0012: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0012
Updated ruby packages that fix a regression are now available.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.
These updated ruby packages fix the following bug:
* a regression introduced by the fix for CVE-2009-1904 caused leading zeros after the decimal point in BigDecimal objects to be dropped, which could have led to incorrect mathematical calculations. This update fixes this problem by ensuring that leading zeros following a decimal point in BigDecimal objects are not dropped.
A link to the update which introduced this regression is provided in the References section of this errata. (BZ#546245)
All users of ruby are advised to upgrade to these updated packages, which resolve this issue.

1.182. samba

1.182.1. RHBA-2009:1641: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1641
Updated samba packages that fix credentials file handling for mount.cifs are now available for Red Hat Enterprise Linux 5.
Samba is a suite of programs used by machines to share files, printers, and other information.
The kernel CIFS client mount helper binary (mount.cifs) uses details stored in a credentials file to authenticate with file servers. After a recent security update, mount.cifs no longer parsed credentials files correctly, and included trailing newlines in the authentication information. Attempts to authenticate would therefore fail with errors such as NT_STATUS_LOGON_FAILURE. The parsing code is now corrected and no longer includes the newline as part of the authentication details. Mount.cifs can therefore use credentials files to authenticate with file servers successfully.
Users of Samba should upgrade to these updated packages, which contain backported patches to correct this issue.

1.182.2. RHSA-2009:1529: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1529
Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Samba is a suite of programs used by machines to share files, printers, and other information.
A denial of service flaw was found in the Samba smbd daemon. An authenticated, remote user could send a specially-crafted response that would cause an smbd child process to enter an infinite loop. An authenticated, remote user could use this flaw to exhaust system resources by opening multiple CIFS sessions. (CVE-2009-2906)
An uninitialized data access flaw was discovered in the smbd daemon when using the non-default "dos filemode" configuration option in "smb.conf". An authenticated, remote user with write access to a file could possibly use this flaw to change an access control list for that file, even when such access should have been denied. (CVE-2009-1888)
A flaw was discovered in the way Samba handled users without a home directory set in the back-end password database (e.g. "/etc/passwd"). If a share for the home directory of such a user was created (e.g. using the automated "[homes]" share), any user able to access that share could see the whole file system, possibly bypassing intended access restrictions. (CVE-2009-2813)
The mount.cifs program printed CIFS passwords as part of its debug output when running in verbose mode. When mount.cifs had the setuid bit set, a local, unprivileged user could use this flaw to disclose passwords from a file that would otherwise be inaccessible to that user. Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. This flaw only affected systems where the setuid bit was manually set by an administrator. (CVE-2009-2948)
Users of Samba should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.

1.182.3. RHBA-2010:0300: bug fix update

Updated samba packages that contain various bugfixes are now available.
Samba is a suite of programs used by machines to share files, printers, and other information.
This package addresses the following bugs:
* previously, the man pages and usage messages for rpcclient, smbcacls, samba-client, smbget, smbtree, and pdbedit contained errors, omissions, and outdated information. Users could not therefore rely on the provided documentation to use these programs. The documentation for each of these components has been reviewed and corrected and no longer contains misleading information. (BZ#457082,
* Samba stores its own Kerberos configuration in /var/cache/samba/smb_krb5. Previously, although the "net ads join" command used this configuration and was able to join an Active Directory, "net ads testjoin" and "net ads leave" ignored the samba- specific file and tried to use the configuration in /etc/krb5.conf instead. These commands would therefore fail when authentication through Kerberos was needed. "net ads testjoin" and "net ads leave" now use /var/cache/samba/smb_krb5 and therefore work with authenticated Active Directory resources. (BZ#509170)
* cifs.upcall performs certain CIFS-related tasks for the kernel in user space. The version of cifs.upcall included with previous versions of Samba could not provide the kernel with the credentials cache path stored in the KRB5CCNAME environment variable. Attempts to mount CIFS shares through fstab as a normal user would therefore fail. The version of cifs.upcall included with Red Hat Enterprise Linux 5.5 can now provide the kernel with the credentials cache path, and CIFS shares can therefore be mounted for normal users. (BZ#517195)
* previously, when handling a POSIX open call, Samba did not account for the SMB_O_CREAT, SMB_O_EXCL, or SMB_O_TRUNC flags. As a result, Samba would respond with STATUS_INVALID_PARAMETER to any of these flags instead of honoring the call. Samba now recognizes these flags and honors POSIX open calls that use them. (BZ#522866)
* when setting the "allow trusted domain = no" parameter on a Samba server it would not have any effect on the configuration and Samba would still attempt to contact trusted domains. By refreshing the trusted domain cache only if the parameter "allow trusted domain = yes" is set, Samba no longer attempts to contact trusted domains when "allow trusted domain = no". (BZ#526065)
* mount.cifs would fail to correctly authenticate when a credentials file was used. As a result, any mount operation that used a credentials file would fail. By correcting the newlines during the parsing routines during mounting the issue has been fixed. mount.cifs now works correctly when authenticating with a credentials file. (BZ#532153)
* mounting and unmounting a CIFS filesystem quickly would eventually lead to the CIFS mounts becoming unmountable. The issue has been corrected by linking mtab.o to the building of mount.cifs and unmount.cifs. CIFS mounts no longer become unmountable when performing quick mounting and unmounting of the filesystem. (BZ#533912)
* kdebase conflicted with Samba 3. Samba 2 components libsmbclient and libsmbclient-devel are now available as independent rpms and can be installed alongside Samba 3. By separating out these packages it allows for kdebase to reference its dependencies independent of a Samba installation, correcting the conflict. (BZ#555654)
Users of Samba should upgrade to these updated packages, which resolve these issues.

1.183. samba3x

1.183.1. RHBA-2010:0301: bug fix update

Updated samba3x packages that contain various bug fixes are now available for Red Hat Enterprise Linux 5.
Samba is a suite of programs used to share files, printers and other information between machines.
These packages contain fixes for the following bugs:
* the upstream Samba version in the samba3x packages distributed with the RHEA-2009:1399 update contained broken implementations of the Netlogon credential chain and SAMR access checks security subsystems. This prevented Samba from acting as a domain controller: Client systems could not join the domain; users could not authenticate; and systems could not access the user and group list. (BZ#506292)
* to modify the access control list for a file, WRITE_DAC and WRITE_OWNER access must be requested when the file is opened. When dos_filemode was enabled, these requests were not sent, so the access control list for a writeable file could not be changed. WRITE_DAC and WRITE_OWNER access are now requested when dos_filemode is enabled, so the access control list can be modified. (BZ#537165)
* samba3x was previously available only for AMD64 and Intel 64 architectures. It is now available for Itanium, PowerPC, IBM System z, x86, AMD64 and Intel 64 server and client variants. (BZ#547715)
* cifs.upcall could not determine the KRB5CCNAME environment variable, so it could not locate a Kerberos credential cache with a non-default name. This caused a 'required key not available' error when attempting to mount a Common Internet File System (CIFS) share. cifs.upcall now scans the /tmp directory for credential caches with non-default names, enabling users authenticated via pam_krb5 to use their tickets to mount CIFS. (BZ#548129)
* samba3x was previously only available as a technology preview for AMD64 and Intel 64 architectures. It is now supported for Itanium, PowerPC, IBM System z, x86, AMD64 and Intel 64 server and client variants.
Important: Clustered samba3x support is still a technology preview, and is available only on AMD64 and Intel 64 systems. (BZ#557921)
* Using the Windows Add Printer Wizard on samba3x-3.3.8 with CUPS configuration led to SMB panic. The printer would be installed correctly on CUPS. On Windows clients, an error message printed due to a Windows driver issue, installation failed, and SMB panic would be printed in the log. This patch resolves the SMB panic issue, allowing printers to be installed and removed from samba3x in Windows clients. (BZ#571778)
All previous samba3x technology preview packages must be removed before installing this new supported version of samba3x.
All users are advised to upgrade to these updated packages, which fix these bugs.

1.184. sblim

1.184.1. RHBA-2010:0231: bug fix and enhancement update

Updated sblim packages that fix various bugs and add various enhancements are now available.
SBLIM stands for Standards-Based Linux Instrumentation for Manageability. It consists of a set of standards-based, Web-Based Enterprise Management (WBEM) modules that use the Common Information Model (CIM) standard to gather and provide systems management information, events, and methods to local or networked consumers via an CIM object services broker using the CMPI (Common Manageability Programming Interface) standard. This package provides a set of core providers and development tools for systems management applications.
These packages address the following bugs:
* The libraries installed with sblim-cmpi-base were assigned incorrect permissions. This meant that any user outside of a specific group could not read the packages, forcing the check for the SBLIM Base in sblim-sfcb to fail. To fix this bug, when the libraries are installed the assigned permissions allow for any user group to access them. The library files are now able to be used in the building of other packages. (BZ#526756)
* Some sblim packages were released with the incorrect version number. This did not cause any error in installation or the running of the components. For consistency in file naming conventions and to improve package management, the version numbers of all sblim packages now reflect the correct version numbers. (BZ#516785)
As well, these updated packages add the following enhancements:
* A new sblim-smis-hba package has been added to the SBLIM package set. This package adds the Host Bus Adapters (HBA) API that is an industry standard C language for management of fibre channel host bus adapters and discovery of SAN resources. (BZ#512238)
* A new sblim-sfcb package has been added to the SBLIM package set. This package adds the Small Footprint CIM Broker (SFCB). The SFCB allows for improved standardized Linux Systems Management in terms of a CIM and WEBM infrastructure between linux distributions. (BZ#512370)
* A new sblim-sfcc package has been added to the SBLIM package set. This package adds the Small Footprint CIM Client (SFCC). The SFCC provides a client that can directly access the SFCB in order to add a CIM to your programs. (BZ#512374)
* These packages include the upgrade of many SBLIM packages to the latest upstream versions. These upgrades fix bugs and add KVM support and CMPI 2.0 compliance. ( BZ#512230 )
* The license for all SBLIM packages has been changed to EPL. ( BZ#512230 ,
Users are advised to upgrade to these updated sblim packages, which resolve these issues and add these enhancements.

1.185. screen

1.185.1. RHBA-2009:1621: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1621
An updated screen package that fixes a bug is now available.
The screen utility allows multiple logins on a single terminal. Screen is useful for users who telnet into a machine or are connected via a dumb terminal, but want to use more than one login.
This updated package resolves the following issue:
* in the previous screen release, utempter support was disabled. The utempter library provides an interface for terminal emulators such as screen and xterm to record user sessions to utmp and wtmp files. Without utempter support, commands such as logname and "who am i" did not work in screen sessions. With this update the screen spec file was updated to require the libutempter-devel package. This ensures utempter support is enabled and commands such as logname, "who am i" and "w" work in screen sessions as expected. (BZ#541875)
All screen users are advised to upgrade to this updated package, which resolves this issue.

1.186. scsi-target-utils

1.186.1. RHBA-2010:0067: bug fix and enhancement update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0067
An updated scsi-target-utils package that fixes various bugs is now available.
The scsi-target-utils package contains the daemon and tools to set up and monitor SCSI targets. Currently, iSCSI software and iSER targets are supported.
This updated scsi-target-utils package includes fixes for the following bugs:
* the tgtadm utility is used to monitor and modify SCSI target software. When using tgtadm to present an LVM-backed target to clients, attempting to create a new file system by running the mkfs utility on a logical volume caused the tgtd daemon to become unresponsive and connection errors to be logged to /var/log/messages. With this update, clients are once again able to successfully create a new file system on an LVM logical volume. (BZ#545785)
* running the command "tgtadm --mode connection --op delete" to instruct tgtadm to close and remove an open connection to a target which has ongoing I/O caused the tgtadm utility to segmentation fault. Subsequently, attempting to stop the tgtd daemon by running "service tgtd stop" failed and resulted in error messages. With this update, it is now possible to use tgtadm to close and remove an open connection to a target which is undergoing I/O without causing tgtadm to crash, and subsequently stopping or restarting the tgtd service proceeds as expected. (BZ#545786)
* attempting to create 32 or more iSCSI targets using tgtadm caused the utility to segmentation fault after successfully creating the first 31 targets. This update fixes this limitation so that tgtadm does not segmentation fault when creating large numbers of targets, such as 400 or more. (BZ#552928)
* the /etc/tgt/targets.conf file now supports more advanced configuration parameters. Refer to the tgt-admin(8) manual page for further information about valid parameters for the /etc/tgt/targets.conf file.
All users of scsi-target-utils are advised to upgrade to this updated package, which resolves these issues.

1.187. selinux-policy

1.187.1. RHBA-2009:1495: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2009:1495
Updated selinux-policy packages that fix a bug are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated packages fix the following bug:
* the cyrus-imapd daemon is compiled with net-snmp support and it attempts to register its snmp sub-agent during startup. This was not allowed by previous SELinux policy. These updated packages include updated policy that allows cyrus-imapd to register its snmp sub-agent during startup, as expected. (BZ#523548)
All users are advised to upgrade to these updated packages, which resolves these issue.

1.187.2. RHBA-2010:0013: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0013
Updated selinux-policy packages that fix several bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide fixes for the following bugs:
* the "setkey" utility from the ipsec-tools package manipulates and dumps the kernel's Security Policy Database (SPD) entries and Security Association Database (SAD) entries. The current selinux-policy did not allow users running under the "sysadm" role to use setkey. This update allows users running under the sysadm SELinux role to use the setkey utility from the ipsec-tools package. (BZ#538449)
* using the Openswan implementation of IPsec could have resulted in AVC (Access Vector Cache) denials causing the integrity check to fail, which in turn would cause the pluto key management daemon not to start. This update includes updated policy rules for IPsec which fix the AVC denials so that pluto is allowed to run as expected. Note that this is necessary for FIPS-140 compliance. (BZ#538452)
* SELinux denials caused by the ssh-keygen's "system_u:object_r:initrc_exec_t" context caused ssh-keygen to fail to generate public/private RSA key pairs. These updated SELinux policy rules allow ssh-keygen to successfully generate public/private RSA key pairs as expected. (BZ#538453)
* when the "ifup" script was run manually in order to activate the first IPsec interface, which then attempts to start racoon, racoon incorrectly ran under the "unconfined_t" context instead of under the expected "racoon_t", thus preventing it from starting. Note that this did not happen when the IPsec network interface configuration file contained an "ONBOOT=yes" parameter; racoon successfully started in this case. With this update, racoon possesses the correct context, "racoon_t", which allows it to run when started via the ifup network startup script. (BZ#538503)
All users are advised to upgrade to these updated packages, which resolve these issues.

1.187.3. RHBA-2010:0063: bug fix update

Note

This update has already been released (prior to the GA of this release) as errata RHBA-2010:0063
Updated selinux-policy packages that fix a regression that prevented postfix-driven systems from sending e-mail via sendmail are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages provide the fix for the following bug:
* selinux-policy errata update RHBA-2010:0013 introduced a regression which prevented postfix-driven systems from sending e-mail using sendmail if SELinux was in enforcing mode. With this update, postfix_postdrop can read and write sendmail unix_stream_sockets, correcting the regression and allowing e-mails to be sent using sendmail. (BZ#555793)
Note: a workaround involving the manual creation of a mypostfix.te was documented in BZ#553492 (see References below). Once this update is installed, the workaround and manually created file are no longer required.
All users should upgrade to these updated packages, which resolve this issue.

1.187.4. RHBA-2010:0182: bug fix update

Updated selinux-policy packages that fix numerous bugs are now available.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
These updated selinux-policy packages contain the following changes to SELinux policy rules:
  • The coolkey library used by some Kerberos implementations caused an SELinux denial when credentials were sent to an NFS server, and during the creation of a cache directory. This package modifies SELinux policy so that the coolkey Kerberos library is excluded from being audited when performing this operation. (BZ#294651)
  • A leaked file descriptor in cupsd caused an SELinux error or denial. SELinux policy has been modified to allow this activity and not to cause a denial when this activity takes place. (BZ#483395)
  • The /root/.ssh directory contained incorrect SELinux permissions if it was deleted and re-created. This permission error caused the ssh-keygen command to fail when creating keys in this directory from an init script, as it was not labelled correctly. SELinux policy has been modified to enable the correct permissions on the /root/.ssh directory if it is removed and re-added. Having the correct permission on this directory results in ssh-keygen now being able to successfully generate keys as expected. (BZ#492519)
  • Hosts with SELinux in enforcing mode were not able to create a cluster with Red Hat Cluster Suite (RHCS) when running service cman start because aisexec could not allocate shared memory. Support has been added in SELinux policy for Cluster Suite, which resolves these issues. (BZ#503141)
  • An SELinux denial was triggered when the coolkey command integrated with samba to join an Active Directory service. SELinux policy has been modified to allow for proper coolkey cache management in the samba policy module. (BZ#507797)
  • SELinux policy has been modified to allow proper operation of the rsync command when it is used via the SSH protocol. (BZ#510748)
  • A problematic library file for the Oracle sqlplus command caused an SELinux denial. Policy has been modified to label this file correctly to allow for its unexpected behavior. The sqlplus command functions normally after applying this update. (BZ#512375)
  • Users operating in the sysadm SELinux role can now use the setkey utility from the ipsec-tools package. (BZ#513447)
  • A transition rule has been added to SELinux policy that allows vbetool the permissions it needs to operate normally. (BZ#515491)
  • When setkey was executed from a network startup script, an SELinux denial was triggered. An interface has been added to enable integration with temporary files when using setkey within the MLS SELinux policy. (BZ#515687)
  • The protection offered over the rsync command has changed. rsync is now protected only when started from inetd or xinetd. Other usages of rsync are considered client-side operations and are not protected any further than that of utilities such as cp or scp. (BZ#516780)
  • The sudo command was not properly launching an intermediary shell to authenticate users with correct sudo role privileges. This fix allows transitions to operate normally and allows users to execute commands as root via sudo, when configured to do so. (BZ#519017)
  • Launching an ipsec connection by using the service network restart command did not succeed. The ipsec connection did not start as it was started from the init_t domain. Policy for setkey has been modified so that it can now read temporary data from init scripts, and ipsec connections now start normally from the init_t domain. (BZ#519363)
  • Scripts for mod_fcgid, a CGI plugin for the Apache HTTP server caused SELinux permission errors when used. Policy has been modified to both allow mod_fcgid scripts the required permissions, and to allow CGI applications to use their own mail modules to send mail, instead of calling sendmail. (BZ#519369)
  • Instances of #!/usr/bin/env python have been removed from SELinux policy source code, as using this technique to call python in the top of an executable python file is being discontinued by Red Hat developers. (BZ#521284)
  • Support for Red Hat Cluster Suite has been added to SELinux policy. Please note that SELinux policy only provides coverage for the infrastructure components. Services directly managed by Cluster Suite will require their own policies and are not covered by this enhancement. (BZ#522158)
  • SELinux policy has been modified so that cyrus-imapd is now able to register its SNMP sub-agent by connecting to a socket upon startup. (BZ#523548)
  • An SELinux denial was triggered when configuring the SNMP daemon to listen on TCP or UDP ports for AgentX sub-agents. Policy has been modified so that this daemon can now bind TCP/UDP sockets to AgentX ports. (BZ#523773)
  • SELinux denials were caused when implementing user quotas over NFS (Network File System) shares. Policy has been modified to properly allow for the normal operation of quotas when using NFS shares. (BZ#525420)
  • Upon updating the udev daemon to the latest version and restarting it, the SELinux context for udev was changed from the default, causing errors. This update ensures that this context remains correct when restarting udev. (BZ#526640)
  • SELinux policy has been modified to not trigger an error when the virDomainSave() API is called from qemu-kvm. (BZ#530552)
  • procmail was causing an AVC denial when attempting to read files used by spamassassin. Rules have been added to policy so that these applications can communicate normally via pipes. (BZ#530750)
  • The ability to send and receive unlabeled packets was added to policy rules. (BZ#530809)
  • A bug prevented the installation of the selinux-policy-strict package because the requirements of aisexec were not properly met. The strict policy can now be installed as expected. (BZ#531196)
  • Real Time Kernel support was added to selinux-policy. (BZ#531230)
  • The e4fsck command was not properly labeled, causing execution to fail. Policy permissions have been fixed so that e4fsck is now correctly labeled. (BZ#532565)
  • Permissions were modified to allow pluto to write logs properly. (BZ#537106)
  • This update includes updated policy rules for IPsec, fixing the AVC denials that prevented pluto from running properly. After applying this update, pluto runs as expected. Note that this is necessary for FIPS-140 security compliance. (BZ#537133)
  • vhostmd is a daemon that provides a communication channel between a host and its hosted virtual machines. Implementing a vhostmd daemon caused AVC denial errors when launching it via service vhostmd start. SELinux policy rules have been added to protect the vhostmd daemon. The daemon starts and operates normally after applying the update. (BZ#543941)
  • SELinux AVC denial errors were triggered when using the sysadm SELinux user to connect to racoon using a UNIX domain stream socket. After applying this update, access functions as expected. (BZ#545369)
  • When using the MLS functionality, iptables can now start properly and has proper permissions to read configuration files. (BZ#546604)
  • Policy has been modified to give the smartd daemon the ability to read from and write to generic SCSI devices. (BZ#547387)
  • SELinux policy has been modified to fix a segfault error when using an iSCSI target with the bnx2i interface type. (BZ#548599)
  • The /var/vdsm directory was incorrectly labeled by SELinux, showing two different SELinux contexts. After applying this update, the directory is now correctly labeled with a single label. (BZ#549492)
  • When using the '-i' option to the lpadmin command to set an interface script for a printer, SELinux error messages are triggered. A new type, cupsd_interface_t, has been added to policy to allow cupsd to properly utilize a System V style interface script. (BZ#550015)
  • The postgresql regression tests include libraries that need to be dynamically loaded by the postgresql server. Some of these libraries were incorrectly labeled, which caused the regression tests to fail and SELinux errors to appear. This update applies the correct permissions to the libraries, and the postgresql regression tests now operate as expected. (BZ#551063)
  • prelink is a utility that can reduce the startup times of applications by linking to libraries and storing the linking in the executable. prelink is now allowed under SELinux policy to load and execute functions from shared libraries, with legacy support included for older libraries. (BZ#551664)
  • qemu-kvm caused SELinux errors when creating or starting a virtual machine when Transport Layer Security (TLS) is enabled in qemu.conf for an environment using a Public Key Infrastructure (PKI). This error occurred because qemu-kvm did not have sufficient permission to read from a random number generator (/dev/random and /dev/urandom) in order to gather its entropy. Permissions have been modified so that qemu-kvm can now read from these random number generators. (BZ#552763)
  • A regression error was discovered when installing new SELinux packages. The postfix_postdrop command was unable to use sockets. This resulted in emails not being sent. After applying this update, postfix is able to read and write sendmail unix_stream_sockets and emails can be sent using sendmail as expected. (BZ#553492)
  • The /etc/xen was incorrectly labeled. This caused errors when using automated scripts for staging Xen guest virtual machines. A fix was applied to correctly label the directory, which resolved the problem. Xen guests are now functioning as expected. (BZ#554777)
  • Restarting networking services using the service network restart command resulted in an AVC denial caused by dhcpc_t being unable to relabel to and from net_conf_t. This update allows this with the result that restarting networking succeeds without SELinux denials. (BZ#559355)
  • The iscsid daemon, which implements the control path of the iSCSI protocol along with management functions, could not create its log file due to an incorrect SELinux context. (BZ#562303)
  • The context for the named name server daemon, when running in a chrooted environment, was incorrect, and with this update is labeled correctly. (BZ#562833)
  • Attempting to save the firewall configuration with the service iptables save command triggered an AVC denial. This update changes the default context for the /sbin/iptables-save application to iptabels_exec_t so that the firewall configuration can be saved. (BZ#564376)
  • Attempting to run a CGI script from a cgi-bin directory mounted on an NFS share resulted in an AVC denial, whereas serving static pages from a public_html directory worked as expected. CGI scripts can now be run from NFS-mounted directories given the correct permissions. (BZ#566557)
  • When the SELinux boolean ftp_home_dir was enabled, the allow_ftpd_anon_write boolean did not take effect, and users could upload files to their home directories via anonymous FTP even though write access should have been restricted by the value of allow_ftpd_anon_write. With this update, the value of allow_ftpd_anon_write allows or permits anonymous FTP writes, as expected. (BZ#566975)
All users are advised to upgrade to these updated packages, which resolve these issues.

1.188. sendmail

1.188.1. RHSA-2