Red Hat Enterprise Linux 5

5.9 Technical Notes

Detailed notes on the changes implemented in Red Hat Enterprise Linux 5.9

Edition 9

Red Hat Engineering Content Services

Legal Notice

Copyright © 2013 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.

Abstract

The Red Hat Enterprise Linux 5.9 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between Red Hat Enterprise Linux 5.8 and minor release Red Hat Enterprise Linux 5.9.
Preface
1. Technology Previews
2. Known Issues
2.1. anaconda
2.2. autofs
2.3. cmirror
2.4. cpio
2.5. compiz
2.6. device-mapper-multipath
2.7. dmraid
2.8. dogtail
2.9. file
2.10. firefox
2.11. firstboot
2.12. gfs2-utils
2.13. gnome-volume-manager
2.14. grub
2.15. initscripts
2.16. ipa-client
2.17. iscsi-initiator-utils
2.18. kernel-xen
2.19. kernel
2.20. kexec-tools
2.21. kvm
2.22. less
2.23. lftp
2.24. lvm2
2.25. mesa
2.26. mkinitrd
2.27. mod_revocator
2.28. nfs-utils
2.29. openib
2.30. openmpi
2.31. openswan
2.32. perl-libxml-enno
2.33. pm-utils
2.34. rpm
2.35. redhat-release-notes
2.36. rhn-client-tools
2.37. qspice
2.38. samba3x
2.39. shadow-utils
2.40. sos
2.41. subscription-manager
2.42. systemtap
2.43. xen
2.44. vdsm22
2.45. virt-v2v
2.46. virtio-win
2.47. xorg-x11-drv-i810
2.48. xorg-x11-drv-nv
2.49. xorg-x11-drv-vesa
2.50. xorg-x11-server
2.51. yaboot
3. New Packages
3.1. RHEA-2013:0011 — new packages: php53-odbc64
3.2. RHEA-2013:0035 — new packages: libitm
3.3. RHEA-2013:0049 — new packages: scl-utils
3.4. RHEA-2013:0074 — new packages: ant17
3.5. RHEA-2013:0084 — new packages: java-1.7.0-openjdk
3.6. RHEA-2013:0088 — new packages: rsyslog5
3.7. RHEA-2013:0089 — new packages: java-1.7.0-ibm
3.8. RHEA-2013:0090 — new packages: java-1.7.0-oracle
3.9. RHEA-2013:0111 — new packages: hypervkvpd
4. Package Updates
4.1. acroread
4.2. aide
4.3. alsa-utils
4.4. anaconda
4.5. aspell-en
4.6. autofs
4.7. bind
4.8. bind97
4.9. binutils
4.10. busybox
4.11. cman
4.12. cmirror
4.13. conga
4.14. coreutils
4.15. cpio
4.16. crash
4.17. crontabs
4.18. cscope
4.19. ctdb
4.20. cyrus-sasl
4.21. device-mapper-multipath
4.22. dhcp
4.23. diffutils
4.24. doxygen
4.25. e2fsprogs
4.26. e4fsprogs
4.27. esc
4.28. etherboot
4.29. expat
4.30. file
4.31. firefox
4.32. freeradius2
4.33. freetype
4.34. ftp
4.35. gawk
4.36. gcc
4.37. gcc44
4.38. gdb
4.39. gdbm
4.40. gfs-kmod
4.41. gfs-utils
4.42. gfs2-utils
4.43. ghostscript
4.44. gimp
4.45. glibc
4.46. gnbd
4.47. gnome-session
4.48. gnome-vfs2
4.49. gnutls
4.50. gpxe
4.51. grub
4.52. gtk+
4.53. gtk2
4.54. guagga
4.55. hal
4.56. hplip3
4.57. hsqldb
4.58. httpd
4.59. hwdata
4.60. ImageMagick
4.61. initscripts
4.62. ipa-client
4.63. iproute
4.64. iprutils
4.65. ipsec-tools
4.66. iptables
4.67. iscsi-initiator-utils
4.68. java-1.6.0-openjdk
4.69. flash-plugin
4.70. java-1.4.2-ibm
4.71. java-1.5.0-ibm
4.72. java-1.6.0-ibm
4.73. java-1.6.0-sun
4.74. jpackage-utils
4.75. kbd
4.76. kdebase
4.77. kernel
4.78. kexec-tools
4.79. ksh
4.80. kudzu
4.81. kvm
4.82. lftp
4.83. libexif
4.84. libgcrypt
4.85. libpng
4.86. libtalloc
4.87. libtdb
4.88. libtiff
4.89. libuser
4.90. libvirt
4.91. libwpd
4.92. libxml2
4.93. libxslt
4.94. linuxwacom
4.95. logrotate
4.96. logwatch
4.97. lvm2
4.98. lvm2-cluster
4.99. m2crypto
4.100. man
4.101. man-pages-overrides
4.102. mdadm
4.103. microcode_ctl
4.104. mkinitrd
4.105. mod_auth_kerb
4.106. mod_nss
4.107. mod_python
4.108. mozldap
4.109. mt-st
4.110. mutt
4.111. mysql
4.112. net-snmp
4.113. nss
4.114. nss_ldap
4.115. OFED
4.116. openais
4.117. OpenIPMI
4.118. openldap
4.119. openmotif
4.120. openoffice.org
4.121. openssl
4.122. openswan
4.123. pam
4.124. parted
4.125. pdksh
4.126. perl
4.127. perl-IO-Socket-SSL
4.128. perl-LDAP
4.129. perl-XML-SAX
4.130. php
4.131. php53
4.132. pidgin
4.133. piranha
4.134. pirut
4.135. pm-utils
4.136. postfix
4.137. postgresql
4.138. ppc64-utils
4.139. procps
4.140. psmisc
4.141. python
4.142. python-iniparse
4.143. python-rhsm
4.144. qt
4.145. quagga
4.146. quota
4.147. redhat-release
4.148. redhat-release-notes
4.149. rgmanager
4.150. rhn-client-tools
4.151. rhnsd
4.152. rp-pppoe
4.153. rpm
4.154. ruby
4.155. perl-DBD-Pg
4.156. samba
4.157. samba3x
4.158. scim-bridge
4.159. selinux-policy
4.160. setroubleshoot
4.161. shadow-utils
4.162. smartmontools
4.163. specspo
4.164. spice-client
4.165. spice-xpi
4.166. sqlite
4.167. squirrelmail
4.168. sssd
4.169. strace
4.170. subscription-manager
4.171. subscription-manager-migration-data
4.172. subversion
4.173. sudo
4.174. symlinks
4.175. syslinux
4.176. sysstat
4.177. system-config-bind
4.178. system-config-cluster
4.179. system-config-lvm
4.180. system-config-netboot
4.181. system-config-printer
4.182. systemtap
4.183. tar
4.184. tcl
4.185. tcsh617
4.186. telnet
4.187. tomcat5
4.188. tzdata
4.189. udev
4.190. util-linux
4.191. vim
4.192. virt-who
4.193. vsftpd
4.194. wget
4.195. wireshark
4.196. tetex
4.197. thunderbird
4.198. xen
4.199. xinetd
4.200. xorg-x11-server
4.201. xulrunner
4.202. ypserv
4.203. yum
4.204. yum-metadata-parser
4.205. yum-rhn-plugin
4.206. yum-updatesd
4.207. zlib
4.208. zsh
A. Package Manifest
A.1. Server
A.2. Client
B. Revision History

Preface

The Red Hat Enterprise Linux 5.9 Technical Notes list and document the changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications between minor release Red Hat Enterprise Linux 5.8 and minor release Red Hat Enterprise Linux 5.9.
For system administrators and others planning Red Hat Enterprise Linux 5.9 upgrades and deployments, the Red Hat Enterprise Linux 5.9 Technical Notes provide a single, organized record of the bugs fixed in, features added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 5.9 Technical Notes provide a single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 5.9 Technical Notes provide details of what has changed in this new release.

Chapter 1. Technology Previews

Technology Preview features are currently not supported under Red Hat Enterprise Linux subscription services, may not be functionally complete, and are generally not suitable for production use. However, these features are included as a customer convenience and to provide the feature with wider exposure.
Customers may find these features useful in a non-production environment. Customers are also free to provide feedback and functionality suggestions for a Technology Preview feature before it becomes fully supported. Erratas will be provided for high-severity security issues.
During the development of a Technology Preview feature, additional components may become available to the public for testing. It is the intention of Red Hat to fully support Technology Preview features in a future release.
DFS
Starting with Red Hat Enterprise Linux 5.3, CIFS supports Distributed File System (DFS) as a Technology Preview.
Package: kernel-2.6.18-348
LSI 12 Gb/s adapters with the MegaRAID SAS driver
LSI MegaRAID SAS 9360/9380 12Gb/s controllers are now supported as a Technology Preview.
Package: kernel-2.6.18-348
CDTB
CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TBD for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.
Package: ctdb-1.0.112-2
Kerberos support for CIFS mounts
In Red Hat Enterprise Linux 5.9, users can use their Kerberos credentials to perform a CIFS mount.
Package: samba-client-3.0.33-3.39
FreeIPMI
FreeIPMI is included in as a Technology Preview. FreeIPMI is a collection of Intelligent Platform Management IPMI system software. It provides in-band and out-of-band software, along with a development library conforming to the Intelligent Platform Management Interface (IPMI v1.5 and v2.0) standards.
For more information about FreeIPMI, refer to http://www.gnu.org/software/freeipmi/
Package: freeipmi-0.5.1-7
TrouSerS and tpm-tools
TrouSerS and tpm-tools are included in this release to enable use of Trusted Platform Module (TPM) hardware. TPM hardware features include (among others):
  • Creation, storage, and use of RSA keys securely (without being exposed in memory)
  • Verification of a platform's software state using cryptographic hashes
TrouSerS is an implementation of the Trusted Computing Group's Software Stack (TSS) specification. You can use TrouSerS to write applications that make use of TPM hardware. tpm-tools is a suite of tools used to manage and utilize TPM hardware.
For more information about TrouSerS, refer to http://trousers.sourceforge.net/.
Packages: tpm-tools-1.3.1-1, trousers-0.3.1-4
eCryptfs
eCryptfs is a stacked cryptographic file system for Linux. It mounts on individual directories in existing mounted lower file systems such as EXT3; there is no need to change existing partitions or file systems in order to start using eCryptfs. eCryptfs is released as a Technology Preview for Red Hat Enterprise Linux 5.9.
For more information about eCryptfs, refer to http://ecryptfs.sf.net. You can also refer to http://ecryptfs.sourceforge.net/README and http://ecryptfs.sourceforge.net/ecryptfs-faq.html for basic setup information.
Package: ecryptfs-utils-75-8
Stateless Linux
Stateless Linux, included as a Technology Preview, is a new way of thinking about how a system should be run and managed, designed to simplify provisioning and management of large numbers of systems by making them easily replaceable. This is accomplished primarily by establishing prepared system images which get replicated and managed across a large number of stateless systems, running the operating system in a read-only manner (refer to /etc/sysconfig/readonly-root for more details).
In its current state of development, the Stateless features are subsets of the intended goals. As such, the capability remains as Technology Preview.
Red Hat recommends that those interested in testing stateless code join the stateless-list@redhat.com mailing list.
The enabling infrastructure pieces for Stateless Linux were originally introduced in Red Hat Enterprise Linux 5.
AIGLX
AIGLX is a Technology Preview feature of the otherwise fully supported X server. It aims to enable GL-accelerated effects on a standard desktop. The project consists of the following:
  • A lightly modified X server.
  • An updated Mesa package that adds new protocol support.
By installing these components, you can have GL-accelerated effects on your desktop with very few changes, as well as the ability to enable and disable them at will without replacing your X server. AIGLX also enables remote GLX applications to take advantage of hardware GLX acceleration.
Packages: X Window System group of packages.
FireWire
The firewire-sbp2 module is included in this update as a Technology Preview. This module enables connectivity with FireWire storage devices and scanners.
At present, FireWire does not support the following:
  • IPv4
  • pcilynx host controllers
  • multi-LUN storage devices
  • non-exclusive access to storage devices
In addition, the following issues still exist in FireWire:
  • a memory leak in the SBP2 driver may cause the machine to become unresponsive.
  • a code in this version does not work properly in big-endian machines. This could lead to unexpected behavior in PowerPC.
Package: kernel-2.6.18-348
Device Failure Monitoring of RAID sets
Device Failure Monitoring, using the dmraid and dmevent_tool tools, is included in Red Hat Enterprise Linux 5.9 as a Technology Preview. This Technology Preview provides the ability to watch and report device failures on component devices of RAID sets.
Packages: dmraid-1.0.0.rc13-65, dmraid-events-1.0.0.rc13-65
SGPIO Support for dmraid
Serial General Purpose Input Output (SGPIO) is an industry standard communication method used between a main board and a variety of internal and external hard disk drive bay enclosures. This method can be used to control LED lights on an enclosure through the AHCI driver interface.
In this release, SGPIO support in dmraid is included as a technology preview. This will allow dmraid to work properly with disk enclosures.
Package: dmraid-1.0.0.rc13-65
Kernel Tracepoint Facility
In this update, the kernel marker/tracepoint facility remains a Technology Preview. This interface adds static probe points into the kernel, for use with tools such as SystemTap.
Package: kernel-2.6.18-348
Software based Fibre Channel over Ethernet (FCoE)
The Fibre Channel over Ethernet (FCoE) driver (fcoe.ko), along with libfc, provides the ability to run FCoE over a standard Ethernet card. This capability is provided as a Technology Preview in Red Hat Enterprise Linux 5.9.
To enable this feature, you must login by writing the network interface name to the /sys/module/fcoe/parameters/create file, for example:
~]# echo eth6 > /sys/module/fcoe/parameters/create
To logout, write the network interface name to the /sys/module/fcoe/parameters/destroy file, for example:
~]# echo eth6 > /sys/module/fcoe/parameters/destroy
For further information on software based FCoE refer to: http://www.open-fcoe.org/open-fcoe/wiki/quickstart.
Red Hat Enterprise Linux 5.9 provides full support for FCoE on three specialized hardware implementations. These are: Cisco fnic driver, the Emulex lpfc driver, and the Qlogic qla2xx driver.
Package: kernel-2.6.18-348
iSER Support
iSER support, allowing for block storage transfer across a network and provided by the scsi-target-utils package, remains a Technology Preview in Red Hat Enterprise Linux 5.9. In this release, single portal and multiple portals on different subnets are supported. There are known issues related to using multiple portals on the same subnet.
To set up the iSER target component install the scsi-target-utils and libibverbs-devel packages. The library package for the InfiniBand hardware that is being used is also required. For example: host channel adapters that use the cxgb3 driver the libcxgb3 package is needed, and for host channel adapters using the mthca driver the libmthca package is needed.
There is also a known issue relating to connection timeouts in some situations. Refer to BZ#470627 for more information on this issue.
Package: scsi-target-utils-1.0.14-2, other above-mentioned system-specific packages
cman fence_virsh fence agent
The fence_virsh fence agent is provided in this release of Red Hat Enterprise Linux as a Technology Preview. fence_virsh provides the ability for one guest (running as a domU) to fence another using the libvirt protocol. However, as fence_virsh is not integrated with cluster-suite it is not supported as a fence agent in that environment.
Package: cman-2.0.115-109
glibc new MALLOC behavior
The upstream glibc has been changed to enable higher scalability across many sockets and cores. This is done by assigning threads their own memory pools and by avoiding locking in some situations. The amount of additional memory used for the memory pools (if any) can be controlled using the environment variables MALLOC_ARENA_TEST and MALLOC_ARENA_MAX.
MALLOC_ARENA_TEST specifies that a test for the number of cores is performed once the number of memory pools reaches this value. MALLOC_ARENA_MAX sets the maximum number of memory pools used, regardless of the number of cores.
The glibc in the Red Hat Enterprise Linux 5.9 release has this functionality integrated as a Technology Preview of the upstream malloc. To enable the per-thread memory pools the environment variable MALLOC_PER_THREAD needs to be set in the environment. This environment variable will become obsolete when this new malloc behavior becomes default in future releases. Users experiencing contention for the malloc resources could try enabling this option.
Package: glibc-2.5-107

Chapter 2. Known Issues

2.1. anaconda

The anaconda packages provide the installation program used by Red Hat Enterprise Linux to identify and configure the hardware, and to create the appropriate file systems for the system's architecture, as well as to to install the operating system software.
  • When installing Red Hat Enterprise Linux 5.8 on a machine that had previously used a GPT partitioning table, Anaconda does not provide the option to remove the previous disk layout and is unable to remove the previously used GPT partitioning table. To work around this issue, switch to the tty2 terminal (using CTRL+ALT+F2), execute the following command, and restart the installation process:
    dd if=/dev/zero of=/dev/USED_DISK count=512
  • Starting with Red Hat Enterprise Linux 5.2, to boot with ibft, the iSCSI boot firmware table support, use the ip=ibft option as the network install option:
    ip=<ip>
        IP to use for a network installation, use 'dhcp' for DHCP.
    
    By default, the installer waits 5 seconds for a network device with a link. If an iBFT network device is not detected in this time, you may need to specify the linksleep=SECONDS parameter in addition to the ip=ibft parameter by replacing SECONDS with an integer specifying the number of seconds the installer should wait, for example:
    linksleep=10
    
  • Setting the dhcptimeout=0 parameter does not mean that DHCP will disable timeouts. If the user requires the clients to wait indefinitely, the dhcptimeout parameter needs to be set to a large number.
  • When starting an installation on IBM S/390 systems using SSH, re-sizing the terminal window running the SSH client may cause the installer to unexpectedly exit. Once the installer has started in the SSH session, do not resize the terminal window. If you want to use a different size terminal window during installation, re-size the window before connecting to the target system via SSH to begin installation.
  • Installing on June with a RAID backplane on Red Hat Enterprise Linux 5.7 and later does not work properly. Consider the following example: a test system which had two disks with two redundant paths to each disk was set up:
    mpath0: sdb, sdd
    mpath1: sda, sdc
    
    In the above setup, Anaconda created the PReP partition on mpath0 (sdb/sdd), but set the bootlist to boot from sda. To work around this issue, follow these steps:
    1. Add mpath to the append line in the /etc/yaboot.conf file.
    2. Use the --ondisk=mapper/mpath0 in all part directives of the kickstart file.
    3. Add the following script to the %post section of the kickstart file.
      %post
      # Determine the boot device
      device=;
      
      # Set the bootlist in NVRAM
      if [ "z$device" != "z" ]; then
      bootlist -m normal $device;
      
      # Print the resulting boot list in the log
      bootlist -m normal -o;
      bootlist -m normal -r;
      else
      echo "Could not determine boot device!";
      exit 1;
      fi
      
      The above script simply ensures that the bootlist is set to boot from the disk with the PReP partition.
  • Mounting an NFS volume in the rescue environment requires portmap to be running. To start portmap, run:
    /usr/sbin/portmap
    Failure to start portmap will return the following NFS mount errors:
    sh-3.2# mount 192.168.11.5:/share /mnt/nfs
    mount: Mounting 192.168.11.5:/share on /mnt/nfs failed: Input/output error
    
  • The order of device names assigned to USB attached storage devices is not guaranteed. Certain USB attached storage devices may take longer to initialize than others, which can result in the device receiving a different name than you expect (for example, sdc instead of sda).
    During installation, be sure to verify the storage device size, name, and type when configuring partitions and file systems.
  • anaconda occasionally crashes while attempting to install on a disk containing partitions or file systems used by other operating systems. To workaround this issue, clear the existing partition table using the command:
    clearpart --initlabel [disks]
    
    (BZ#530465)
  • Performing a System z installation, when the install.img is located on direct access storage device (DASD) disk, causes the installer to crash, returning a backtrace. anaconda is attempting to re-write (commit) all disk labels when partitioning is complete, but is failing because the partition is busy. To work around this issue, a non-DASD source should be used for install.img. (BZ#455929)
  • When installing to an ext3 or ext4 file system, anaconda disables periodic file system checking. Unlike ext2, these file systems are journaled, removing the need for a periodic file system check. In the rare cases where there is an error detected at runtime or an error while recovering the file system journal, the file system check will be run at boot time. (BZ#513480)
  • Red Hat Enterprise Linux 5 does not support having a separate /var on a network file system (nfs, iSCSI disk, nbd, etc.) This is because /var contains the utilities required to bring up the network, for example /var/lib/dhcp. However, you may have /var/spool, /var/www or the like on a separate network disk, just not the complete /var file system. (BZ#485478)
  • When using rescue mode on an installation which uses iSCSI drives which were manually configured during installation, the automatic mounting of the root file system does not work. You must configure iSCSI and mount the file systems manually. This only applies to manually configured iSCSI drives; iSCSI drives which are automatically detected through iBFT are fully supported in rescue mode.
    To rescue a system which has / on a non-iBFT configured iSCSI drive, choose to skip the mounting of the root file system when asked, and then follow the steps below:
    $TARGET_IP: IP address of the iSCSI target (drive)
    $TARGET_IQN: name of the iSCSI target as printed by the discovery command
    $ROOT_DEV: devicenode (/dev/.....) where your root fs lives
    
    1. Define an initiator name:
      $ mkdir /etc/iscsi
      $ cat << EOF>> /etc/iscsi/initiatorname.iscsi
      InitiatorName=iqn.1994-05.com.fedora:d62f2d7c09f
      EOF
      
    2. Start iscsid:
      $ iscsid
      
    3. Discover and login to target:
      $ iscsiadm -m discovery -t st -p $TARGET_IP
      $ iscsiadm -m node -T $TARGET_IQN -p $TARGET_IP --login
      
    4. If the iSCSI LUN is part of a LVM Logical volume group:
      $ lvm vgscan
      $ lvm vgchange -ay
      
    5. Mount your / partition:
      $ mount /dev/path/to/root /mnt/sysimage
      $ mount -t bind /dev /mnt/sysimage/dev
      $ mount -t proc proc /mnt/sysimage/proc
      $ mount -t sysfs sysfs /mnt/sysimage/sys
      
    6. Now you can chroot to the root file system of your installation if wanted
      $ chroot /mnt/sysimage /bin/su -
      
  • When installing KVM or Xen guests, always create a partition for the guest disk, or create an LVM volume. Guests should not be installed to block devices or raw disk devices. Anaconda includes disk label duplication avoidance code, but when installing within a VM, it has no visibility to the disk labels elsewhere on the host and cannot detect duplicates.
    If guest file systems, especially the root file system, are directly visible to the host, a host OS reboot may inadvertently parse the partition table and mount the guest file systems. This can lead to highly undesirable outcomes.
  • The minimum memory requirement when installing all Red Hat Enterprise Linux packages (i.e. * or @everything is listed in the %packages section of the kickstart file) on a fully virtualized Itanium guest is 768MB. After installation, the memory allocated to the guest can be lowered to the desired amount.
  • Upgrading a system using Anaconda is not possible if the system is installed on disks attached using zFCP or iSCSI (unless booted from the disk using a network adapter with iBFT). Such disks are activated after Anaconda scans for upgradable installations and are not found. To update please use the Red Hat Network with the hosted Web user interface, a Red Hat Network Satellite, the local graphical Updater, or the yum command line.
  • Anaconda's graphical installer fails to start at the default 800x600 resolution on systems utilizing Intel Graphics Device Next Generation (IGDNG) devices. To work around this issue, ensure anaconda uses a higher resolution by passing the parameters resolution=1024x768 or resolution=1280x1024 to the installer using the boot command line.
  • The NFS default for RHEL5 is locking. Therefore, to mount nfs shares from the %post section of anaconda, use the mount -o nolock,udp command to start the locking daemon before using nfs to mount shares. (BZ#426053)
  • If you are using the Virtualized kernel when upgrading from Red Hat Enterprise Linux 5.0 to a later 5.x release, you must reboot after completing the upgrade. You should then boot the system using the updated Virtualized kernel.
    The hypervisor ABI changes in an incompatible way between Red Hat Enterprise Linux 5 and 5.1. If you do not boot the system after upgrading from Red Hat Enterprise Linux 5.0 using the updated Virtualized kernel, the upgraded Virtualization RPMs will not match the running kernel. (BZ#251669)
  • When upgrading from Red Hat Enterprise Linux 4.6 to Red Hat Enterprise Linux 5.1 or later, gcc4 may cause the upgrade to fail. As such, you should manually remove the gcc4 package before upgrading. (BZ#432773)
  • When provisioning guests during installation, the RHN tools for guests option will not be available. When this occurs, the system will require an additional entitlement, separate from the entitlement used by dom0.
    To prevent the consumption of additional entitlements for guests, install the rhn-virtualization-common package manually before attempting to register the system to Red Hat Network. (BZ#431648)
  • When installing Red Hat Enterprise Linux 5 on a guest, the guest is configured to explicitly use a temporary installation kernel provided by dom0. Once installation finishes, it can then use its own bootloader. However, this can only be achieved by forcing the guest's first reboot to be a shutdown.
    As such, when the Reboot button appears at the end of the guest installation, clicking it shuts down the guest, but does not reboot it. This is an expected behavior.
    Note that when you boot the guest after this it will then use its own bootloader.
  • Using the swap --grow parameter in a kickstart file without setting the --maxsize parameter at the same time makes anaconda impose a restriction on the maximum size of the swap partition. It does not allow it to grow to fill the device.
    For systems with less than 2GB of physical memory, the imposed limit is twice the amount of physical memory. For systems with more than 2GB, the imposed limit is the size of physical memory plus 2GB. (BZ#462734)
  • Existing encrypted block devices that contain vfat file systems will appear as type foreign in the partitioning interface; as such, these devices will not be mounted automatically during system boot. To ensure that such devices are mounted automatically, add an appropriate entry for them to /etc/fstab. For details on how to do so, refer to man fstab. (BZ#467202)
  • When using anaconda's automatic partitioning on an IBM System p partition with multiple hard disks containing different Linux distributions, the anaconda installer may overwrite the bootloaders of the other Linux installations although their hard disks have been unchecked. To work around this, choose manual partitioning during the installation process.
The following known issue applies to the PowerPC architecture:
  • The minimum RAM required to install Red Hat Enterprise Linux 5.8 is 1GB; the recommended RAM is 2GB. If a machine has less than 1GB RAM, the installation process may hang.
    Furthermore, PowerPC-based machines that have only 1GB of RAM experience significant performance issues under certain RAM-intensive workloads. For a Red Hat Enterprise Linux 5.8 system to perform RAM-intensive processes optimally, 4GB of RAM is recommended. This ensures the system has the same number of physical pages as was available on PowerPC machines with 512MB of RAM running Red Hat Enterprise Linux 4.5 or earlier.
The following known issue applies to the IBM System z architecture:
  • Installation on a machine with existing Linux or non-Linux file systems on DASD block devices may cause the installer to halt. If this happens, it is necessary to clear out all existing partitions on the DASD devices you want to use and restart the installer.
The following known issue applies to the Itanium architecture:
  • If your system only has 512MB of RAM, attempting to install Red Hat Enterprise Linux 5.4 may fail. To prevent this, perform a base installation first and install all other packages after the installation finishes. (BZ#435271)

2.2. autofs

The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.
  • When using NFSv4 with a global root, autofs has no way to know which server export path corresponds to the global root. Consequently, the internal hosts map fails to mount server exports. For detailed information on this problem, refer the following Knowledge Base article:
  • Starting with Red Hat Enterprise Linux 5.4, behavior of the umount -l autofs command has changed. For more information, refer to BZ#452122.
    Previously, the umount -l would unmount all autofs-managed mounts and autofs internal mounts at start-up, and then mounted all autofs mounts again as a part of the start-up procedure. As a result, the execution of the external umount -l command was not needed.
    The previous autofs behavior can be used via the following commands:
    ~]# service autofs forcerestart
    or
    ~]# service autofs forcestart

2.3. cmirror

The cmirror packages provide user-level utilities for managing cluster mirroring.
  • Due to limitations in the cluster infrastructure, cluster mirrors greater than 1.5TB cannot be created with the default region size. If larger mirrors are required, the region size should be increased from its default (512kB), for example:
    # -R <region_size_in_MiB>
    lvcreate -m1 -L 2T -R 2 -n mirror vol_group
    
    Failure to increase the region size will result in the LVM creation process hanging and may cause other LVM commands to hang. (BZ#514814)

2.4. cpio

The cpio packages provide the GNU cpio file archiver utility. GNU cpio can be used to copy and extract files into or from cpio and Tar archives.
  • The cpio utility uses a default block size of 512 bytes for I/O operations. This may not be supported by certain types of tape devices. If a tape device does not support this block size, cpio fails with the following error message:
    cpio: read error: Cannot allocate memory
    
    To work around this issue, modify the default block size with the --block-size long option, or use the -B option to set the block size to 5120 bytes. When the block size supported by the tape device is provided, the cpio utility works as expected. (BZ#573943)

2.5. compiz

Compiz is an OpenGL-based window and compositing manager.
  • Running rpmbuild on the compiz source RPM will fail if any KDE or qt development packages (for example, qt-devel) are installed. This is caused by a bug in the compiz configuration script.
    To work around this, remove any KDE or qt development packages before attempting to build the compiz package from its source RPM. (BZ#444609)

2.6. device-mapper-multipath

The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.
  • Note that under certain circumstances, the multipathd daemon can terminate unexpectedly during shutdown.
  • It is possible to overwrite the default hardware table. However, regular expression matches are not allowed; the vendor and product strings need to be matched exactly. These strings can be found by running the following command:
    ~]# multipathd -k"show config"
    
  • By default, the multipathd service starts up before the iscsi service. This provides multipathing support early in the bootup process and is necessary for multipathed iSCSI SAN boot setups. However, once started, the multipathd service adds paths as informed about them by udev. As soon as the multipathd service detects a path that belongs to a multipath device, it creates the device. If the first path that multipathd notices is a passive path, it attempts to make that path active. If it later adds a more optimal path, multipathd activates the more optimal path. In some cases, this can cause a significant overhead during a startup.
    If you are experiencing such performance problems, define the multipathd service to start after the iscsi service. This does not apply to systems where the root device is a multipathed iSCSI device, since it the system would become unbootable. To move the service start time run the following commands:
    ~]# mv /etc/rc5.d/S06multipathd /etc/rc5.d/S14multipathd
    ~]# mv /etc/rc3.d/S06multipathd /etc/rc3.d/S14multipathd
    To restore the original start time, run the following command:
    ~]# chkconfig multipathd resetpriorities
    (BZ#500998)
  • Running the multipath command with the -ll option can cause the command to hang if one of the paths is on a blocking device. Note that the driver does not fail a request after some time if the device does not respond.
    This is caused by the cleanup code, which waits until the path checker request either completes or fails. To display the current multipath state without hanging the command, use multipath -l instead. (BZ#214838)

2.7. dmraid

The dmraid packages contain the ATARAID/DDF1 activation tool that supports RAID device discovery, RAID set activation, and displays properties for ATARAID/DDF1 formatted RAID sets on Linux kernels using device-mapper.
  • The installation procedure stores the name of RAID volume and partition in an initscript. When the system boots, dmraid enables the RAID partition (that are named implicitly in the init script. This action functions until the volume and partition names are changed. In these cases, the system may not boot, and the user is given an option to reboot system and start the rebuild procedure in OROM.
    OROM changes the name of RAID volume (as seen by dmraid) and dmraid cannot recognize the array identified by previous name stored in initscript. The system no longer boots from RAID partition, since it is not enabled by dmraid. In case of RAID 1 (mirror), the system may be booted from disk that is part of RAID volume. However, dmraid does not allow to active or rebuild the volume which component in mounted.
    To work around this issue, do not rebuild the RAID array in OROM. Start the rebuild procedure by dmraid in the operating system, which performs all the steps of rebuilding. dmraid does not change the RAID volume name, therefore the system can be booted from RAID array without the need of init script modification.
    To modify init script after OROM has started rebuild:
    1. Start the system in rescue mode from the installation disk, skip finding and mounting previous installations.
    2. At the command line, find and enable the raid volume that is to be booted from (the RAID volume and partitions will be activated)
      ~]# dmraid -ay isw_effjffhbi_Volume0
    3. Mount the root partition:
      ~]# mkdir /tmp/raid
      ~]# mount /dev/mapper/isw_effjffhbi_Volume0p1 /tmp/raid
    4. Decompress the boot image:
      ~]# mkdir /tmp/raid/tmp/image
      ~]# cd /tmp/raid/tmp/image
      ~]# gzip -cd /tmp/raid/boot/inird-2.6.18-155.el5.img | cpio -imd –quiet
    5. Change the names of the RAID volumes in the initscript to use the new names of RAID:
      ~]# dmraid –ay –I –p –rm_partition “/dev/mapper/isw_effjffhbi_Volume0”
      ~]# kpartx –a –p p “/dev/mapper/isw_effjffhbi_Volume0”
      ~]# mkrtootdev –t ext3 –o defaults,ro /dev/mapper/isw_effjffhbi_Volume0p1
    6. Compress and copy initrd image with the modified init script to the boot directory
      ~]# cd /tmp/raid/tmp/image
      ~]# find . –print | cpio –c –o | gzip -9 > /tmp/raid/boot/inird-2.6.18-155.el5.img
    7. Unmount the raid volume and reboot the system:
      ~]# umount /dev/mapper/isw_effjffhbi_Volume0p1
      ~]# dmraid -an

2.8. dogtail

dogtail is a GUI test tool and automation framework that uses assistive technologies to communicate with desktop applications.
  • Attempting to run sniff may result in an error. This is because some required packages are not installed with dogtail. (BZ#435702)
    To prevent this from occurring, install the following packages manually:
    • librsvg2
    • ghostscript-fonts
    • pygtk2-libglade

2.9. file

The File utility is used to identify a particular file according to the type of data contained in the file.
  • The file utility can exit with the 0 exit code even if some input files have not been found. This behavior is correct; refer to the file(1) man page for more information.

2.10. firefox

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
  • In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue. If you experience this issue:
    1. Start Firefox.
    2. Type about:config into the URL bar and press the Enter key.
    3. If prompted with "This might void your warranty!", click the I'll be careful, I promise! button.
    4. Right-click in the Preference Name list. In the menu that opens, select NewBoolean.
    5. Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.
    6. Select true for the boolean value and then press the OK button.

2.11. firstboot

The firstboot utility runs after installation. It guides the user through a series of steps that allows for easier configuration of the machine.
The following known issue applies to the IBM System z architecture:
  • When firstboot is running in text mode, the user can only register to Red Hat Netwrork legacy, not with subscription-manager. When firstboot is running in GUI mode, both options are available.
  • The IBM System z does not provide a traditional Unix-style physical console. As such, Red Hat Enterprise Linux 5 for the IBM System z does not support the firstboot functionality during initial program load.
    To properly initialize setup for Red Hat Enterprise Linux 5 on the IBM System z, run the following commands after installation:
    • /usr/bin/setup — provided by the setuptool package.
    • /usr/bin/rhn_register — provided by the rhn-setup package.
    (BZ#217921)

2.12. gfs2-utils

The gfs2-utils packages provide the user-level tools necessary to mount, create, maintain and test GFS2 file systems.
If gfs2 is used as the root file system, the first boot attempt will fail with the error message "fsck.gfs2: invalid option -- a". To work around this issue:
  1. Enter the root password when prompted.
  2. Mount the root file system manually:
    ~]# mount -o remount,rw /dev/VolGroup00/LogVol00 /
  3. Edit the /etc/fstab file from:
    /dev/VolGroup00/LogVol00 / gfs2 defaults 1 1
    
    to
    /dev/VolGroup00/LogVol00 / gfs2 defaults 1 0
    
  4. Reboot the system.

Important

Note, however that using GFS2 as the root file system is unsupported.

2.13. gnome-volume-manager

The GNOME Volume Manager monitors volume-related events and responds with user-specified policy. The GNOME Volume Manager can automount hot-plugged drives, automount inserted removable media, autorun programs, automatically play audio CDs and video DVDs, and automatically import photos from a digital camera.
  • Removable storage devices (such as CDs and DVDs) do not automatically mount when you are logged in as root. As such, you will need to manually mount the device through the graphical file manager.
    Alternatively, you can run the following command to mount a device to /media:
    mount /dev/[device name] /media
    

2.14. grub

The GRUB utility is responsible for booting the operating system kernel.
  • Executing the grub-install command fails if the name of a volume group intended to be used for booting contains only non-digit characters. To prevent this problem, it is recommended to name the volume group with a combination of non-digit text followed by a digit; for example, system0.

2.15. initscripts

The initscripts package contains system scripts to boot your system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.
  • On systems with more than two encrypted block devices, anaconda has a option to provide a global passphrase. The init scripts, however, do not support this feature. When booting the system, entering each individual passphrase for all encrypted devices will be required. (BZ#464895)
  • Boot-time logging to /var/log/boot.log is not available in Red Hat Enterprise Linux 5. (BZ#223446, BZ#210136)

2.16. ipa-client

The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy and Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.
  • Sometimes, the krb5.conf file contains incorrect SELinux context, namely, when the krb5.conf is not created by default, or the IPA client is installed, un-installed, or re-installed. AVC denials can therefore occur in such scenarios.
  • Attempting to run the ipa-client-install command with the --no-sssd option fails with the following error message:
    authconfig: error: no such option: --enableforcelegacy
    
    (BZ#852746)

2.17. iscsi-initiator-utils

The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks.
  • Broadcom L2 iSCSI (Internet Small Computer System Interface) boot is not supported in Red Hat Enterprise Linux 5. (BZ#831681)
  • iSCSI iface binding is not supported during install or boot. The initiator only supports the ability to log into target portals using the default behavior where the initiator uses the network routing table to decide which NIC to use.
    To work around this limitation, booting or installation can be done using the default behavior. After the iscsi and iscsid services start, the iscsi service can log into the target using iSCSI iface binding. This however, will leave an extra session using the default behavior, and it has to be manually logged out using the following command:
    iscsiadm -m node -T target -p ip -I default -u
    
    (BZ#500273)

2.18. kernel-xen

Xen is a high-performance and secure open-source virtualization framework. The virtualization allows users to run guest operating systems in virtual machines on top of a host operating system.
  • The Xen hypervisor will not start when booting from an iSCSI disk. To work around this issue, disable the Xen hypervisor's EDD feature with the "edd=off" kernel parameter. For example:
    kernel /xen.gz edd=off
    (BZ#568336)
  • With certain hardware, blktap may not function as expected, resulting in slow disk I/O causing the guest to operate slowly also. To work around this issue, guests should be installed using a physical disk (i.e. a real partition or a logical volume). (BZ#545692)
  • When booting paravirtualized guests that support gigabyte page tables (i.e. a Fedora 11 guest) on Red Hat Enterprise Linux 5.7 Xen, the domain may fail to start if more than 2047MB of memory is configured for the domain. To work around this issue, pass the "nogbpages" parameter on the guest kernel command-line. (BZ#502826)
  • Boot parameters are required to enable SR/IOV Virtual Function devices. SR/IOV Virtual Function devices can only be accessed if the parameter pci_pt_e820_access=on is added to the boot stanza in the /boot/grub/grub.conf file. For example:
    title Red Hat Enterprise Linux Server (2.6.18-152.el5xen)
    root (hd0,1)
    kernel /xen.gz-2.6.18-152.el5 com1=115200,8n1 console=com1 iommu=1
    module /vmlinuz-2.6.18-152.el5xen ro root=LABEL=/ console=ttyS0,115200
    pci_pt_e820_access=on
    
    This enables the MMCONF access method for the PCI configuration space, a requirement for VF device support
  • Diskette drive media will not be accessible when using the virtualized kernel. To work around this, use a USB-attached diskette drive instead.
    Note that diskette drive media works well with other non-virtualized kernels. (BZ#401081)
  • Fully virtualized guests cannot correct for time lost due to the domain being paused and unpaused. Being able to correctly track the time across pause and unpause events is one of the advantages of paravirtualized kernels. This issue is being addressed upstream with replaceable timers, so fully virtualized guests will have paravirtualized timers. Currently, this code is under development upstream and should be available in later versions of Red Hat Enterprise Linux. (BZ#422531)
The following known issue applies to the Intel 64 and AMD64 architectures:
  • Upgrading a host (dom0) system to Red Hat Enterprise Linux 5.7 may render existing Red Hat Enterprise Linux 5.4 SMP paravirtualized guests unbootable. This is more likely to occur when the host system has more than 4GB of RAM.
    To work around this, boot each Red Hat Enterprise Linux 5.4 guest in single CPU mode and upgrade its kernel to the latest version (for Red Hat Enterprise Linux 5.4.z). (BZ#253087, BZ#251013)
The following known issues apply to the Itanium architecture:
  • On some Itanium systems configured for console output to VGA, the dom0 virtualized kernel may fail to boot. This is because the virtualized kernel failed to properly detect the default console device from the Extensible Firmware Interface (EFI) settings.
    When this occurs, add the boot parameter console=tty to the kernel boot options in /boot/efi/elilo.conf. (BZ#249076)
  • On some Itanium systems (such as the Hitachi Cold Fusion 3e), the serial port cannot be detected in dom0 when VGA is enabled by the EFI Maintenance Manager. As such, you need to supply the following serial port information to the dom0 kernel:
    • Speed in bits/second
    • Number of data bits
    • Parity
    • io_base address
    These details must be specified in the append= line of the dom0 kernel in /boot/efi/elilo.conf. For example:
    append="com1=19200,8n1,0x3f8 -- quiet rhgb console=tty0 console=ttyS0,19200n8"
    In this example, com1 is the serial port, 19200 is the speed (in bits/second), 8n1 specifies the number of data bits/parity settings, and 0x3f8 is the io_base address. (BZ#433771)
  • Virtualization does not work on some architectures that use Non-Uniform Memory Access (NUMA). As such, installing the virtualized kernel on systems that use NUMA will result in a boot failure.
    Some installation numbers install the virtualized kernel by default. If you have such an installation number and your system uses NUMA and does not work with kernel-xen, deselect the Virtualization option during installation.

2.19. kernel

The kernel packages contain the Linux kernel, the core of any Linux operating system.
  • The Emulex lpfc driver is missing functionality required to support 16 Gb point-to-point configurations for all adapters in Red Hat Enterprise Linux 5. All other currently available 16 Gb lpfc configurations are supported on most adapters available. Specifically, the LPe16000B adapter is not supported for any configuration, and the LPe16000A adapter is supported for all configurations besides a point-to-point configuration.
  • The qla2xxx driver creates optrom and optrom_ctl files in sysfs which are used by some tools such as the scli command line tool from QLogic. However, the functions which implement these pseudo-files have race conditions. As a consequence, a kernel panic occurs when multiple tools use these files at the same time. To work around this problem, make sure only one such process is running at a given point of time.
  • Red Hat Enterprise Linux 5 can become unresponsive or even terminate due to the lack of ticketed spinlocks in the shrink_active_list() function.
  • When USB hardware uses the ACM interface, there is a race condition that can lead to a system deadlock due to the spinlocks not disabling interrupts. This has been noticed through various types of softlockups. To workaround this problem, reboot the machine.
  • If kdump is configured on an i686 system using a non-PAE kernel and memory larger than 4 GB, it creates an elf core header which includes extra unavailable memory range. This causes kdump to become unresponsive.
  • A large number of kernel log messages may flood netconsole while under heavy RX traffic, causing the netconsole kernel module to stop working. To work around this issue, avoid the use of netconsole, or remove the netconsole module using the rmmod netconsole command and re-configure it again using the insmod netconsole command.
  • To update firmware on Mellanox cards, use mstflint which replaces the outdated tvflash utility.
  • The kernel in Red Hat Enterprise Linux 5 does not support Data Center Bridging (DCB). Software-based Fibre Channel over Etherner (FCoE) is a Technology Preview and it is therefore recommended to use Red Hat Enterprise Linux 6 for fully supported software-based FCoE. The following hardware-accelerated FCoE cards are fully supported in Red Hat Enterprise Linux 5: Emulex LPFC, QLogic qla2xxx, Brocade BFA. (BZ#860112)
  • Throughput across machines using IPv6 addresses and with bnx2x interfaces set up can be degraded.
  • The following problems can occur when using Brocade 1010 and 1020 Converged Network Adapters (CNAs):
    • BIOS firmware may not be able to log in the Fibre Channel over Ethernet (FCoE) session when loading a Brocade optional BIOS, which causes the server to be unable to boot and the following error message to appear:
      Adapter 1/0/0 Link initialization failed. Disabling BIOS
      
    • Configuration cannot be saved via serial port of the server. Use a physical console or Brocade HSM software.
    Contact Brocade for additional information on these problems.
  • In network only, use of Brocade Converged Network Adapters (CNAs) switches that are not properly configured to work with Brocade FCoE functionality can cause a continuous linkup/linkdown condition. This causes error messages to continuously appear on the host console:
    bfa xxxx:xx:xx.x: Base port (WWN = xx:xx:xx:xx:xx:xx:xx:xx) lost fabric connectivity
    
    To work around this problem, unload the Brocade BFA driver.
  • Master Boot Record (MBR) or the /boot partition can be installed on an incorrect disk if the server boots from storage area network (SAN) with many Logical Unit Numbers (LUNs) assigned. To work around this problem, partition the space manually so that the operating system uses only the boot LUN as the root (/) and /boot partitions. (BZ#852305)
  • Qemu-kvm does not check if a given CPU flag is really supported by the KVM kernel module. Attempting to enable the "acpi" flag can lead to a kernel panic on guest machines. To work around this problem, do not enable the "acpi" CPU flag in the configuration of a virtual machine. (BZ#838921)
  • Running the ethtool --identify command in a production environment blocks network traffic and certain network configuration operations until ethtool is aborted. To prevent this problem, do not run ethtool --identify in a production environment; this command is supposed for debugging purposes only.
  • Starting with Red Hat Enterprise Linux 5.8, the size of I/O operations allowed by the NFS server has been increased by default. The new default max block size varies depending on RAM size, with a maximum of 1M (1048576 bytes).
    This may cause problems for 32-bit servers configured to use large numbers of nfsd threads. For such servers, we recommend decreasing the number of threads, or decreasing the I/O size by writing to the /proc/fs/nfsd/max_block_size file before starting nfsd. For example, the following command restores the previous default iosize of 32k:
    ~]# echo 32767 >/proc/fs/nfsd/max_block_size
    (BZ#765751 )
  • If the qla4xxx driver fails to discover all iSCSI targets, make sure to Clear Persistent Targets and set up iSCSI again via CTRL+Q in the Qlogic iSCSI option ROM BIOS.
  • The OProfile infrastructure in Red Hat Enterprise Linux 5 does not support the hardware performance counters of the AMD family 0x15 processor family; profiling is only available in timer interrupt mode. When profiling on bare metal, OProfile automatically selects the timer interrupt mode. When running under kernel-xen, due to different CPU family reporting, OProfile must be explicitly configured to use timer interrupt mode. This is possible by adding options oprofile timer=1 to the /etc/modprobe.conf file. (BZ#720587)
  • Red Hat Enterprise Linux 5 may become unresponsive due to the lack of ticketed spinlocks in the shrink_active_list() function. As a result, the spin_lock_irq(&zone->lru_lock) operation disables interrupts, and the following error message is returned when the system hangs:
    NMI Watchdog detected LOCKUP
    
  • Booting a Red Hat Enterprise Linux 5 system with a connected DVD drive and the smartdservice running hangs with the following error messages:
    Starting smartd: hdc: drive_cmd: status=0x58 { DriveReady SeekComplete
    DataRequest }
    ide: failed opcode was: 0xa1
    hdc: status error: status=0x58 { DriveReady SeekComplete DataRequest }
    ide: failed opcode was: unknown
    hdc: drive not ready for command
    hdc: status timeout: status=0xd8 { Busy }
    ide: failed opcode was: unknown
    hdc: drive not ready for command
    hdc: ATAPI reset complete
    hdc: status error: status=0x58 { DriveReady SeekComplete DataRequest }
    ⋮
    
    To work around this issue, disconnect the DVD drive or turn the smartd service off with the following command:
    ~]# chkconfig smartd off
  • The modify SRQ verb is not supported by the eHCA adapter and will fail with an error code when called from an application context.
  • In RHEL 5.8, machine check (MCE) support for Intel Nehalem or newer CPUs (family 6, model >= 26) is disabled. This is a change from RHEL5.6 and earlier where basic MCE support was provided for these CPUs. Uncorrected CPU and memory errors will cause an immediate CPU shut down and system panic.
  • On a Red Hat Enterprise Linux 5.8 system and later, while hand-loading the i386 (32-bit) kernel on z210/z210 SFF with BIOS 1.08, the system may fail to boot. To workaround this issue, please add the following parameter to the boot command line option:
    pci=nosort
    (BZ#703538)
  • Red Hat Enterprise Linux 5.7 has introduced a new multicast snooping feature for the bridge driver used for virtualization (virt-bridge). This feature is disabled by default in order to not break any existing configurations. To enable this feature, please set the following tunnable parameter to 1:
    /sys/class/net/breth0/bridge/multicast_snooping
    Please note that when multicast snooping is enabled, it may cause a regression with certain switches where it causes a break in the multicast forwarding for some peers.
  • By default, libsas defines a wideport based on the attached SAS address, rather than the specification compliant strict definition of also considering the local SAS address. In Red Hat Enterprise Linux 5.8 and later, only the default loose definition is available. The implication is that if an OEM configures an SCU controller to advertise different SAS addresses per PHY, but hooks up a wide target or an expander to those PHYs, libsas will only create one port. The expectation, in the strict case, is that this would result in a single controller multipath configuration.
    It is not possible to use a single controller multipath without the strict_wide_port functionality. Multi-controller multipath should behave as a expected.
    A x8 multipath configuration through a single expander can still be obtained under the following conditions:
    1. Start with an SCU SKU that exposes (2) x4 controllers (total of 8 PHYs)
    2. Assign sas_address1 to all the PHYs on controller1
    3. Assign sas_address2 to all the PHYs on controller2
    4. Hook up the expander across all 8 PHYs
    5. Configure multipath across the two controller instances
    It is critical for controller1 to have a distinct address from controller2, otherwise the expander will be unable to correctly route connection requests to the proper initiator. (BZ#651837)
  • On a Red Hat Enterprise Linux 5 system, it is advisable to update the firmware of the HP ProLiant Generation 6 (G6) controller's firmware to version 5.02 or later. Once the firmware is successfully updated, reboot the system and Kdump will work as expected.
    HP G6 controllers include: P410i, P411, P212, P712, and P812
    In addition, kdump may fail when using the HP Smart Array 5i Controller on a Red Hat Enterprise Linux 5 system. (BZ#695493)
  • On Red Hat Enterprise Linux 5.5 and later, suspending the system with the lpfc driver loaded may crash the system during the resume operation. Therefore, systems using the lpfc driver, either unload the lpfc driver before the system is suspended, or ,if that is not possible, do not suspend the system. (BZ#703631)
  • NUMA class systems should not be booted with a single memory node configuration. Configuration of single node NUMA systems will result in contention for the memory resources on all of the non-local memory nodes. As only one node will have local memory the CPUs on that single node will starve the remaining CPUs for memory allocations, locks, and any kernel data structure access. This contention will lead to the "CPU#n stuck for 10s!" error messages. This configuration can also result in NMI watchdog timeout panics if a spinlock is acquired via spinlock_irq() and held for more than 60 seconds. The system can also hang for indeterminate lengths of time.
    To minimize this problem, NUMA class systems need to have their memory evenly distributed between nodes. NUMA information can be obtained from dmesg output as well as from the numastat command. (BZ#529428)
  • When upgrading from Red Hat Enterprise Linux 5.0, 5.1 or 5.2 to more recent releases, the gfs2-kmod may still be installed on the system. This package must be manually removed or it will override the (newer) version of GFS2 which is built into the kernel. Do not install the gfs2-kmod package on later versions of Red Hat Enterprise Linux. gfs2-kmod is not required since GFS2 is built into the kernel from 5.3 onwards. The content of the gfs2-kmod package is considered a Technology Preview of GFS2, and has not received any updates since Red Hat Enterprise Linux 5.3 was released.
    Note that this note only applies to GFS2 and not to GFS, for which the gfs-kmod package continues to be the only method of obtaining the required kernel module.
  • Issues might be encountered on a system with 8Gb/s LPe1200x HBAs and firmware version 2.00a3 when the Red Hat Enterprise Linux 5.8 kernel is used with the in-box LPFC driver. Such issues include loss of LUNs and/or fiber channel host hangs during fabric faults with multipathing.
    To work around these issues, it is recommended to either:
    • Downgrade the firmware revision of the 8Gb/s LPe1200x HBA to revision 1.11a5, or
    • Modify the LPFC driver’s lpfc_enable_npiv module parameter to zero.
      When loading the LPFC driver from the initrd image (i.e. at system boot time), add the line
      options lpfc_enable_npiv=0
      
      to /etc/modprobe.conf and re-build the initrd image.
      When loading the LPFC driver dynamically, include the lpfc_enable_npiv=0 option in the insmod or modprobe command line.
    For additional information on how to set the LPFC driver module parameters, refer to the Emulex Drivers for Linux User Manual.
  • If AMD IOMMU is enabled in BIOS on ProLiant DL165 G7 systems, the system will reboot automatically when IOMMU attempts to initialize. To work around this issue, either disable IOMMU, or update the BIOS to version 2010.09.06 or later. (BZ#628534)
  • As of Red Hat Enterprise Linux 5.6, the ext4 file system is fully supported. However, provisioning ext4 file systems with the anaconda installer is not supported, and ext4 file systems need to be provisioned manually after the installation. (BZ#563943)
  • In some cases the NFS server fails to notify NFSv4 clients about renames and unlinks done by other clients, or by non-NFS users of the server. An application on a client may then be able to open the file at its old pathname (and read old cached data from it, and perform read locks on it), long after the file no longer exists at that pathname on the server.
    To work around this issue, use NFSv3 instead of NFSv4. Alternatively, turn off support for leases by writing 0 to /proc/sys/fs/leases-enable (ideally on boot, before the nfs server is started). This change prevents NFSv4 delegations from being given out, restore correctness at the expense of some performance.
  • Some laptops may generate continuous events in response to the lid being shut. Consequently, the gnome-power-manager utility will consume CPU resources as it responds to each event. (BZ#660644)
  • A kernel panic may be triggered by the lpfc driver when multiple Emulex OneConnect Universal Converged Network Adapter initiators are included in the same Storage Area Network (SAN) zone. Typically, this kernel panic will present after a cable is pulled or one of the systems is rebooted. To work around this issue, configure the SAN to use single initiator zoning. (BZ#574858)
  • If a Huawei USB modem is unplugged from a system, the device may not be detected when it is attached again. To work around this issue, the usbserial and usb-storage driver modules need to be reloaded, allowing the system to detect the device. Alternatively, the if the system is rebooted, the modem will be detected also. (BZ#517454)
  • Memory on-line is not currently supported with the Boxboro-EX platform. (BZ#515299)
  • Unloading a PF (SR-IOV Physical function) driver from a host when a guest is using a VF (virtual function) from that device can cause a host crash. A PF driver for an SR-IOV device should not be unloaded until after all guest virtual machines with assigned VFs from that SR-IOV device have terminated. (BZ#514360)
  • Data corruption on NFS file systems might be encountered on network adapters without support for error-correcting code (ECC) memory that also have TCP segmentation offloading (TSO) enabled in the driver. Note: data that might be corrupted by the sender still passes the checksum performed by the IP stack of the receiving machine A possible work around to this issue is to disable TSO on network adapters that do not support ECC memory. (BZ#504811)
  • After installation, a System z machine with a large number of memory and CPUs (e.g. 16 CPU's and 200GB of memory) might may fail to IPL. To work around this issue, change the line
    ramdisk=/boot/initrd-2.6.18-<kernel-version-number>.el5.img
    
    to
    ramdisk=/boot/initrd-2.6.18-<kernel-version-number>.el5.img,0x02000000
    
    The command zipl -V should now show 0x02000000 as the starting address for the initial RAM disk (initrd). Stop the logical partition (LPAR), and then manually increase the storage size of the LPAR.
  • On certain hardware configurations the kernel may panic when the Broadcom iSCSI offload driver (bnx2i.ko and cnic.ko) is loaded. To work around this do not manually load the bnx2i or cnic modules, and temporarily disable the iscsi service from starting. To disable the iscsi service, run:
    ~]# chkconfig --del iscsi
    ~]# chkconfig --del iscsid
    On the first boot of your system, the iscsi service may start automatically. To bypass this, during bootup, enter interactive start up and stop the iscsi service from starting.
  • In Red Hat Enterprise Linux 5, invoking the kernel system call "setpriority()" with a "which" parameter of type "PRIO_PROCESS" does not set the priority of child threads. (BZ#472251)
  • A change to the cciss driver in Red Hat Enterprise Linux 5.4 made it incompatible with the echo disk < /sys/power/state suspend-to-disk operation. Consequently, the system will not suspend properly, returning messages such as:
    Stopping tasks:
    ======================================================================
    stopping tasks timed out after 20 seconds (1 tasks remaining):
    cciss_scan00
    Restarting tasks...<6> Strange, cciss_scan00 not stopped
    done
    
    (BZ#513472)
  • The kernel is unable to properly detect whether there is media present in a CD-ROM drive during kickstart installs. The function to check the presence of media incorrectly interprets the "logical unit is becoming ready" sense, returning that the drive is ready when it is not. To work around this issue, wait several seconds between inserting a CD and asking the installer (anaconda) to refresh the CD. (BZ#510632)
  • When a cciss device is under high I/O load, the kdump kernel may panic and the vmcore dump may not be saved successfully. (BZ#509790)
  • Configuring IRQ SMP affinity has no effect on some devices that use message signaled interrupts (MSI) with no MSI per-vector masking capability. Examples of such devices include Broadcom NetXtreme Ethernet devices that use the bnx2 driver.
    If you need to configure IRQ affinity for such a device, disable MSI by creating a file in /etc/modprobe.d/ containing the following line:
    options bnx2 disable_msi=1
    
    Alternatively, you can disable MSI completely using the kernel boot parameter pci=nomsi. (BZ#432451)
  • The smartctl tool cannot properly read SMART parameters from SATA devices. (BZ#429606)
  • IBM T60 laptops will power off completely when suspended and plugged into a docking station. To avoid this, boot the system with the argument acpi_sleep=s3_bios. (BZ#439006)
  • The QLogic iSCSI Expansion Card for the IBM Bladecenter provides both ethernet and iSCSI functions. Some parts on the card are shared by both functions. However, the current qla3xxx and qla4xxx drivers support ethernet and iSCSI functions individually. Both drivers do not support the use of ethernet and iSCSI functions simultaneously.
    Because of this limitation, successive resets (via consecutive ifdown/ifup commands) may hang the device. To avoid this, allow a 10-second interval after an ifup before issuing an ifdown. Also, allow the same 10-second interval after an ifdown before issuing an ifup. This interval allows ample time to stabilize and re-initialize all functions when an ifup is issued. (BZ#276891)
  • Laptops equipped with the Cisco Aironet MPI-350 wireless may hang trying to get a DHCP address during any network-based installation using the wired ethernet port.
    To work around this, use local media for your installation. Alternatively, you can disable the wireless card in the laptop BIOS prior to installation (you can re-enable the wireless card after completing the installation). (BZ#213262)
  • Hardware testing for the Mellanox MT25204 has revealed that an internal error occurs under certain high-load conditions. When the ib_mthca driver reports a catastrophic error on this hardware, it is usually related to an insufficient completion queue depth relative to the number of outstanding work requests generated by the user application.
    Although the driver will reset the hardware and recover from such an event, all existing connections at the time of the error will be lost. This generally results in a segmentation fault in the user application. Further, if opensm is running at the time the error occurs, then you need to manually restart it in order to resume proper operation. (BZ#251934)
  • The IBM T41 laptop model does not enter Suspend Mode properly; as such, Suspend Mode will still consume battery life as normal. This is because Red Hat Enterprise Linux 5 does not yet include the radeonfb module.
    To work around this, add a script named hal-system-power-suspend to /usr/share/hal/scripts/ containing the following lines:
    chvt 1
    radeontool light off
    radeontool dac off
    
    This script will ensure that the IBM T41 laptop enters Suspend Mode properly. To ensure that the system resumes normal operations properly, add the script restore-after-standby to the same directory as well, containing the following lines:
    radeontool dac on
    radeontool light on
    chvt 7
    
    (BZ#227496)
  • If the edac module is loaded, BIOS memory reporting will not work. This is because the edac module clears the register that the BIOS uses for reporting memory errors.
    The current Red Hat Enterprise Linux Driver Update Model instructs the kernel to load all available modules (including the edac module) by default. If you wish to ensure BIOS memory reporting on your system, you need to manually blacklist the edac modules. To do so, add the following lines to /etc/modprobe.conf:
    blacklist edac_mc
    blacklist i5000_edac
    blacklist i3000_edac
    blacklist e752x_edac
    
    (BZ#441329)
  • Due to outstanding driver issues with hardware encryption acceleration, users of Intel WiFi Link 4965, 5100, 5150, 5300, and 5350 wireless cards are advised to disable hardware accelerated encryption using module parameters. Failure to do so may result in the inability to connect to Wired Equivalent Privacy (WEP) protected wireless networks after connecting to WiFi Protected Access (WPA) protected wireless networks.
    To do so, add the following options to /etc/modprobe.conf:
    alias wlan0 iwlagn
    options iwlagn swcrypto50=1 swcrypto=1
    
    where wlan0 is the default interface name of the first Intel WiFi Link device.
    (BZ#468967)
  • A kernel security fix released between Red Hat Enterprise Linux 5.7 and 5.8 may prevent PCI passthrough working and guests starting. Refer to Red Hat Knowledgebase article 66747 for further details.
The following note applies to the PowerPC architecture:
  • The size of the PowerPC kernel image is too large for OpenFirmware to support. Consequently, network booting will fail, resulting in the following error message:
    Please wait, loading kernel...
    /pci@8000000f8000000/ide@4,1/disk@0:2,vmlinux-anaconda: No such file or directory
    boot:
    
    To work around this:
    1. Boot to the OpenFirmware prompt, by pressing the '8' key when the IBM splash screen is displayed.
    2. Run the following command:
      ~]# setenv real-base 2000000
    3. Boot into System Management Services (SMS) with the command:
      ~]# 0> dev /packages/gui obe
    (BZ#462663)

2.20. kexec-tools

The kexec-tools package provides the /sbin/kexec binary that facilitates a new kernel to boot using the kernel's kexec feature either on a normal or a panic reboot.
  • Executing kdump on an IBM Bladecenter QS21 or QS22 configured with NFS root will fail. To avoid this, specify an NFS dump target in /etc/kdump.conf. (BZ#368981)
  • Some forcedeth based devices may encounter difficulty accessing memory above 4GB during operation in a kdump kernel. To work around this issue, add the following line to the /etc/sysconfig/kdump file:
    KDUMP_COMMANDLINE_APPEND="dma_64bit=0"
    
    This work around prevents the forcedeth network driver from using high memory resources in the kdump kernel, allowing the network to function properly.
  • The system may not successfully reboot into a kexec/kdump kernel if X is running and using a driver other than vesa. This problem only exists with ATI Rage XL graphics chipsets.
    If X is running on a system equipped with ATI Rage XL, ensure that it is using the vesa driver in order to successfully reboot into a kexec/kdump kernel. (BZ#221656)
  • kdump now serializes drive creation registration with the rest of the kdump process. Consequently, kdump may hang waiting for IDE drives to be initialized. In these cases, it is recommended that IDE disks not be used with kdump. (BZ#473852)
  • It is possible in rare circumstances, for makedumpfile to produce erroneous results but not have them reported. This is due to the fact that makedumpfile processes its output data through a pipeline consisting of several stages. If makedumpfile fails, the other stages will still succeed, effectively masking the failure. Should a vmcore appear corrupt, and makedumpfile is in use, it is recommended that the core be recorded without makedumpfile and a bug be reported. (BZ#475487)
  • kdump now restarts when CPUs or DIMMs are hot-added to a system. If multiple items are added at the same time, several sequential restarts may be encountered. This behavior is intentional, as it minimizes the time-frame where a crash may occur while memory or processors are not being tracked by kdump. (BZ#474409)
The following known issue applies to the Itanium architecture:
  • Some Itanium systems cannot properly produce console output from the kexec purgatory code. This code contains instructions for backing up the first 640k of memory after a crash.
    While purgatory console output can be useful in diagnosing problems, it is not needed for kdump to properly function. As such, if your Itanium system resets during a kdump operation, disable console output in purgatory by adding --noio to the KEXEC_ARGS variable in /etc/sysconfig/kdump. (BZ#436426)

2.21. kvm

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on x86 hardware.
KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. KVM can run multiple unmodified, virtualized guest Windows and Linux operating systems. KVM is a hypervisor which uses the libvirt virtualization tools (virt-manager and virsh).
  • A CD-ROM device can be assigned to a guest by configuring the guest to back a virtual CD-ROM device with a physical device's special file, for example, /dev/sr0. When a physical CD-ROM device is assigned to a guest, the guest assumes it has full control of the device. However, it is still possible to access the device from the host. In such a case, the guest can become confused about the CD-ROM state; for instance, running eject commands in the host to change media can cause the guest to attempt to read beyond the size of the new medium, resulting in I/O errors. To work around this problem, do not access a CD-ROM device from the host while it is assigned to a guest. (BZ#847259)
  • VNC password authentication is disabled when the host system is operating in FIPS mode. QEMU exits if it is configured to run as a password-authenticated VNC server; if QEMU is configured to run as an unauthenticated VNC server, it will continue to run as expected.
  • Erroneous boot-index of a guest with mixed virtio/IDE disks causes the guest to boot from the wrong disk after the OS installation and hang with the error message boot from HD.
  • When using PCI device assignment with a 32-bit Microsoft Windows 2008 guest on an AMD-based host system, the assigned device may fail to work properly if it relies on MSI or MSI-X based interrupts. The reason for this is that the 32-bit version of Microsoft Windows 2008 does not enable MSI based interrupts for the family of processor exposed to the guest. To work around this problem, the user may wish to move to a RHEL6 host, use a 64-bit version of the guest operating system, or employ a wrapper script to modify the processor family exposed to the guest as follows (Note that this is only for 32-bit Windows guests):
    1. Create the following wrapper script:
      ~]$ cat /usr/libexec/qemu-kvm.family16
      #!/bin/sh
      
      ARGS=$@
      
      echo $ARGS | grep -q ' -cpu '
      if [ $? -eq 0 ]; then
          for model in $(/usr/libexec/qemu-kvm -cpu ? \
                         | sed 's|^x86||g' | tr -d [:blank:]); do
              ARGS=$(echo $ARGS | \
                     sed "s|-cpu $model|-cpu $model,family=16|g")
          done
      else
          ARGS="$ARGS -cpu qemu64,family=16"
      fi
      
      echo "$0: exec /usr/libexec/qemu-kvm $ARGS" >&2
      
      exec /usr/libexec/qemu-kvm $ARGS
      
    2. Make the script executable:
      ~]$ chmod 755 /usr/libexec/qemu-kvm.family16
    3. Set proper SELinux permissions:
      ~]$ restorecon /usr/libexec/qemu-kvm.family16
    4. Update the guest XML to use the new wrapper:
      ~]# virsh edit $GUEST
      and replace:
      <emulator>/usr/libexec/qemu-kvm</emulator>
      
      with:
      <emulator>/usr/libexec/qemu-kvm.family16</emulator>
      
    (BZ#654208)
  • Booting a Linux guest causes 1.5 to 2 second time drift from the host time when the default hwclock service starts. It is recommended to disable the hwclock service. Alternatively, enable the ntp service so that it can correct the time once the service is started. (BZ#523478)
  • By default, KVM virtual machines created in Red Hat Enterprise Linux 5.6 have a virtual Realtek 8139 (rtl8139) network interface controller (NIC). The rtl8139 virtual NIC works fine in most environments, but may suffer from performance degradation issues on some networks for example, a 10 GigE (10 Gigabit Ethernet) network.
    One workaround for this issue is switch to a different type of virtual NIC, for example, Intel PRO/1000 (e1000) or virtio (a virtual I/O driver for Linux that can talk to the hypervisor).
    To switch to e1000:
    1. Shutdown the guest OS
    2. Edit the guest OS definition with the command-line tool virsh:
      virsh edit GUEST
    3. Locate the network interface section and add a model line as shown:
      <interface type='network'>
      ...
      <model type='e1000' />
      </interface>
      
    4. Save the changes and exit the text editor
    5. Restart the guest OS
    Alternatively, if you're having trouble installing the OS on the virtual machine because of the rtl8139 NIC (for example, because you're installing the OS over the network), you can create a virtual machine from scratch with an e1000 NIC. This method requires you to have at least one virtual machine already created (possibly installed from CD or DVD) to use as a template.
    1. Create an XML template from an existing virtual machine:
      virsh dumpxml GUEST > /tmp/guest.xml
    2. Copy and edit the XML file and update the unique fields: virtual machine name, UUID, disk image, MAC address, etc. Note that you can delete the UUID and MAC address lines and virsh will generate a UUID and MAC address.
      cp /tmp/guest.xml /tmp/new-guest.xml
      vi /tmp/new-guest.xml
    3. Locate the network interface section and add a model line as shown:
      <interface type='network'>
      ...
      <model type='e1000' />
      </interface>
      
    4. Create the new virtual machine:
      virsh define /tmp/new-guest.xml 
      virsh start new-guest
  • The mute button in the audio control panel on a Windows virtual machine does not mute the sound.
  • When migrating KVM guests between hosts, the NX CPU feature setting on both source and destination must match. Migrating a guest between a host with the NX feature disabled (i.e. disabled in the BIOS settings) and a host with the NX feature enabled may cause the guest to crash. (BZ#516029)
  • The use of the qcow2 disk image format with KVM is considered a Technology Preview. (BZ#517880)
  • 64-bit versions of Windows 7 do not have support for the AC'97 Audio Codec. Consequently, the virtualized sound device Windows 7 kvm guests will not function. (BZ#563122)
  • Hot plugging emulated devices after migration may result in the virtual machine crashing after a reboot or the devices no longer being visible. (BZ#507191)
  • The KVM modules from the kmod-kvm package do not support kernels prior to version 2.6.18-203.el5. If kmod-kvm is updated and an older kernel is kept installed, error messages similar to the following will be returned if attempting to install these modules on older kernels:
    WARNING: /lib/modules/2.6.18-194.el5/weak-updates/kmod-kvm/ksm.ko needs unknown symbol kvm_ksm_spte_count
    
    (BZ#509361)
  • The KVM modules available in the kmod-kvm package are loaded automatically at boot time if the kmod-kvm package is installed. To make these KVM modules available after installing the kmod-kvm package the system either needs to be rebooted or the modules can be loaded manually by running the /etc/sysconfig/modules/kvm.modules script. (BZ#501543)
  • The Preboot eXecution Environment (PXE) boot ROMs included with KVM are from the Etherboot project. Consequently, some bug fixes or features that are present on the newer gPXE project are not available on Etherboot. For example, Virtual Machines (VMs) cannot boot using Microsoft based PXE (that is, Remote Installation Services (RIS) or Windows Deployment Services (WDS)).
  • The following QEMU / KVM features are currently disabled and not supported: (BZ#512837)
    • smb user directories
    • scsi emulation
    • "isapc" machine type
    • nested KVM guests
    • usb mass storage device emulation
    • usb wacom tablet emulation
    • usb serial emulation
    • usb network emulation
    • usb bluetooth emulation
    • device emulation for vmware drivers
    • sb16 and es1370 sound card emulations
    • bluetooth emulation
    • qemu CPU models other than qemu32/64 and pentium3
    • qemu block device drivers other than raw, qcow2, and host_device

2.22. less

The less utility is a text file browser that resembles more, but with more capabilities ("less is more"). The less utility allows users to move backwards in the file as well as forwards. Because less need not read the entire input file before it starts, less starts up more quickly than text editors (vi, for example).
  • The "less" command has been updated. less no longer adds the "carriage return" character when wrapping long lines. Consequently, lines longer than the terminal width will be displayed incorrectly when browsing the file line per line. The command line option "--old-bot" forces less to behave as it did previously, with long text lines displayed correctly. (BZ#441691)

2.23. lftp

LFTP is a sophisticated file transfer program for the FTP and HTTP protocols. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.
  • As a side effect of changing the underlying cryptographic library from OpenSSL to GnuTLS in the past, starting with lftp-3.7.11-4.el5_5.3, some previously offered TLS ciphers were dropped. In handshake, lftp does not offer these previously available ciphers:
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA  
    TLS_DHE_DSS_WITH_DES_CBC_SHA  
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA  
    TLS_DHE_RSA_WITH_DES_CBC_SHA  
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA  
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
    TLS_RSA_EXPORT_WITH_RC4_40_MD5  
    TLS_RSA_WITH_AES_256_CBC_SHA  
    TLS_RSA_WITH_DES_CBC_SHA
    
    lftp still offers variety of other TLS ciphers:
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_RC4_128_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    
    For servers without support for any of these ciphers, it is now possible to force SSLv3 connection instead of TLS using the set ftp:ssl-auth SSL configuration directive. This works both for implicit and explicit FTPS. (BZ#532099)

2.24. lvm2

The lvm2 package contains support for Logical Volume Management (LVM).
  • LVM no longer scans multipath member devices (underlying paths for active multipath devices) and prefers top level devices. This behavior can be switched off using the multipath_component_detection option in the /etc/lvm/lvm.conf.

2.25. mesa

Mesa provides a 3D graphics API that is compatible with OpenGL. It also provides hardware-accelerated drivers for many popular graphics chips.
The following known issue applies to the Intel 64 and AMD64 architectures:
  • On an IBM T61 laptop, Red Hat recommends that you refrain from clicking the glxgears window (when glxgears is run). Doing so can lock the system.
    To prevent this from occurring, disable the tiling feature. To do so, add the following line in the Device section of /etc/X11/xorg.conf:
    Option "Tiling" "0"
    
    (BZ#444508)

2.26. mkinitrd

The mkinitrd utility creates file system images for use as initial RAM disk (initrd) images.
  • When running Red Hat Enterprise Linux 5 with an older kernel in a Microsoft Hyper-V virtualization guest, mkinitrd does not include the Microsoft Hyper-V drivers when asked to generate the initial RAM disk for a Red Hat Enterprise Linux 5.9 kernel or later. This causes a kernel panic when the guest is rebooted with such a kernel as there is no driver available for the storage hosting the guest's root file system. To work around this problem, run the mkinitrd utility with either the --preload option that loads the module before any SCSI modules are loaded, or with the --with option that loads the module after SCSI modules are loaded. For more information, refer to the following Knowledge Base article:
  • When using an encrypted device, the following error message may be reported during bootup:
    insmod: error inserting '/lib/aes_generic.ko': -1 File exists
    
    This message can safely be ignored. (BZ#466296)
  • Installation using a Multiple Device (MD) RAID on top of multipath will result in a machine that cannot boot. Multipath to Storage Area Network (SAN) devices which provide RAID internally are not affected. (BZ#467469)
The following known issue applies to the IBM System z architecture:
  • When installing Red Hat Enterprise Linux 5, the following errors may be returned in install.log:
    Installing kernel-2.6.18-158.el5.s390x
    cp: cannot stat `/sbin/dmraid.static': No such file or directory
    
    This message can be safely ignored.
  • iSCSI root devices do not function correctly if used over an IPv6 network connection. While the installation will appear to succeed, the system will fail to find the root file system during the first boot. (BZ#529636)

2.27. mod_revocator

The mod_revocator module retrieves and installs remote Certificate Revocation Lists (CRLs) into an Apache web server.
  • In order to run mod_revocator successfully, the following command must be executed in order to allow httpd to connect to a remote port which SELinux would otherwise deny:
    ~]# setsebool -P httpd_can_network_connect=1
    This is due to the fact that by default, Apache is not allowed to also be used as an HTTP client (that is, send HTTP messages to an external host).

2.28. nfs-utils

The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server and related tools, which provides better performance than the traditional Linux NFS server used by most users. These packages also contain the mount.nfs, umount.nfs, and showmount programs.
  • In the previous version of the nfs-utils package, the mount utility incorrectly reported the rpc.idmapd mapping daemon as not running when the daemon was executed. This bug has been fixed; however the problem can occur after upgrading nfs-utils to a later version. Note that the mount operation is successful and the warning can be safely ignored. To avoid this problem, perform a clean installation of the package.
  • Currently, the rpc.gssd daemon looks only for the the "nfs/*" keys in the keytab file. Other keys are not supported.

2.29. openib

The OpenFabrics Alliance Enterprise Distribution (OFED) is a collection of Infiniband and iWARP hardware diagnostic utilities, the Infiniband fabric management daemon, Infiniband/iWARP kernel module loader, and libraries and development packages for writing applications that use Remote Direct Memory Access (RDMA) technology. Red Hat Enterprise Linux uses the OFED software stack as its complete stack for Infiniband/iWARP/RDMA hardware support.
The following known issue applies to the Itanium architecture:
  • Running perftest will fail if different CPU speeds are detected. As such, you should disable CPU speed scaling before running perftest. (BZ#433659)

2.30. openmpi

Open MPI, MVAPICH, and MVAPICH2 are all competing implementations of the Message Passing Interface (MPI) standard. MVAPICH implements version 1 of the MPI standard, while Open MPI and MVAPICH2 both implement the later, version 2 of the MPI standard.
  • mvapich and mvapich2 in Red Hat Enterprise Linux 5 are compiled to support only InfiniBand/iWARP interconnects. Consequently, they will not run over ethernet or other network interconnects. (BZ#466390)
  • When upgrading openmpi using yum, the following warning may be returned:
    cannot open `/tmp/openmpi-upgrade-version.*' for reading: No such file or directory
    
    The message is harmless and can be safely ignored. (BZ#463919)
  • A bug in previous versions of openmpi and lam may prevent you from upgrading these packages. This bug manifests in the following error (when attempting to upgrade openmpi or lam:
    error: %preun(openmpi-[version]) scriptlet failed, exit status 2
    As such, you need to manually remove older versions of openmpi and lam in order to install their latest versions. To do so, use the following rpm command:
    rpm -qa | grep '^openmpi-\|^lam-' | xargs rpm -e --noscripts --allmatches
    (BZ#433841)

2.31. openswan

Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key Exchange) for Linux. The openswan package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6 and later also supports IKEv2 (Internet Key Exchange Protocol Version 2), which is defined in RFC5996
  • Openswan generates a Diffie-Hellman (DH) shared key that is 1 byte short because nss does not add leading zero bytes when needed. Also, openswan in Red Hat Enterprise Linux 5.9 does not support setting of the sha2_truncbug parameter in Red Hat Enterprise Linux 5.9, because the kernel does not support it.

2.32. perl-libxml-enno

The perl-libxml-enno modules were used for XML parsing and validation.
  • Note: the perl-libxml-enno library did not ship in any Red Hat Enterprise Linux 5 release. (BZ#612589)

2.33. pm-utils

The pm-utils package contains utilities and scripts for power management.
  • nVidia video devices on laptops can not be correctly re-initialized using VESA in Red Hat Enterprise Linux 5. Attempting to do so results in a black laptop screen after resume from suspend.

2.34. rpm

The RPM Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.
  • Users of a freshly-installed PowerPC Red Hat Enterprise Linux 5 system may encounter package-related operation failures with the following errors:
    rpmdb: PANIC: fatal region error detected; run recovery
    error: db4 error(-30977) from db->sync: DB_RUNRECOVERY: Fatal error, run
    database recovery
    

2.35. redhat-release-notes

The redhat-release-notes package contains the Release Notes for Red Hat Enterprise Linux 5.8.
  • The Release Notes shipped in Red Hat Enterprise Linux 5.9 through the redhat-release-notes package contain an incorrect driver version number for the qla2xxx driver. In Red Hat Enterprise Linux 5.9, the qla2xxx driver for QLogic Fibre-Channel HBAs has been updated to version 8.03.07.15.05.09-k, not 8.04.00.05.05.09-k.

2.36. rhn-client-tools

Red Hat Network Client Tools provide programs and libraries that allow your system to receive software updates from Red Hat Network (RHN).
  • Attempting to subscribe a system during firstboot can fail with a traceback. To work around this problem, register the system from the command line.

2.37. qspice

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows users to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
  • Occasionally, the video compression algorithm starts when the guest is accessing text instead of video. This caused the text to be blurred. The SPICE server now has an improved heuristic for distinguishing between videos and textual streams.

2.38. samba3x

Samba is a suite of programs used by machines to share files, printers, and other utilities.
  • The updated samba3x packages change the way ID mapping is configured. Users are advised to modify their existing Samba configuration files. Also, due to the ID mapping changes, authconfig does not create a working smb.conf file for the latest samba3x package, it only produces a valid configuration for the samba package.
    Note that several tdb files have been updated and the printing support has been rewritten to use the actual registry implementation. This means that all tdb files are upgraded as soon as you start the new version of smbd. You cannot downgrade to an older samba3x version unless you have backups of the tdb files.
    For more information about these changes, refer to the Release Notes for Samba 3.6.0.
  • In Samba 3.0, the privilege SeSecurityPrivilege was granted to a user by default. To make Samba more secure, this privilege is no longer granted to a user by default. If you use an application that requires this privilege, like the IBM Tivoli Storage Manager, you need to grant it to the user running the Storage Manager with the following command:
    net sam rights grant <username> SeSecurityPrivilege
    See net sam rights list for a list of available privileges.

2.39. shadow-utils

The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server and related tools, which provides better performance than the traditional Linux NFS server used by most users. These packages also contain the mount.nfs, umount.nfs, and showmount programs.
  • Previously, under certain circumstances, the faillog utility created huge files. This problem has been fixed; however, the useradd utility can still create large files. To avoid such a situation, use the -l option when creating a user with a very high user or group ID (UID or GID). (BZ#670364)

2.40. sos

The sos packages contain a set of tools that gather information from system hardware, logs and configuration files. The information can then be used for diagnostic purposes and debugging.
  • If the sosresport utility becomes unresponsive, a keyboard interrupt (CTRL+C) can fail to terminate it. In such a case, to terminate the process:
    • press Ctrl+Z and execute kill %N (N represents the number of the sosreport job; usually 1) or
    • execute kill -9 %N (N represents the number of the sosreport job; usually 1). (BZ#708346)

2.41. subscription-manager

The new Subscription Management tooling allows users to understand the specific products which have been installed on their machines, and the specific subscriptions which their machines are consuming.
  • For virtual guests, the Subscription Manager daemons use dmidecode to read the System Management BIOS (SMBIOS), which is used to retrieve the guest UUID. On 64-bit Intel architecture, the SMBIOS information is controlled by the Intel firmware and stored in a read-only binary entry. Therefore, it is not possible to retrieve the UUID or set a new and readable UUID. Because the guest UUID is unreadable, running the facts command on the guest system shows a value of Unknown in the virt.facts file for the system (virt.uuid: Unknown). This means that the guest does not have any association with the host machine and, therefore, does not inherit some subscriptions. The facts used by Subscription Manager can be edited manually to add the UUID:
    1. Obtain the guest name or guest ID.
    2. On the virtual host, use virsh to retrieve the guest UUID. For example, for a guest named 'rhel5server_virt1':
      virsh domuuid rhel5server_virt1
      
    3. On the guest, manually create a facts file:
      vim /etc/rhsm/facts/virt.facts
      
    4. Add a line which contains the given UUID.
      {
        "virt.uuid": "$VIRSH_UUID"
      }
      
    Creating the facts file and inserting the proper UUID means that Subscription Manager properly identifies the guest rather than using an Unknown value.
  • Japanese SCIM input-method editor cannot be activated and cannot input locale string in the data field for non-root users. To work around this problem, follow these steps:
    1. Log in to the system as a non-root user.
    2. As root, run the following commands:
      ~]# export GTK_IM_MODULE=scim-bridge
      ~]# subscription-manager-gui
      
  • Using Subscription Manager in the following use case fails: a user installs Red Hat Enterprise Linux Desktop from a Red Hat Enterprise Linux 5.7 Client CD/DVD without an installation number. A user uses Subscription Manager, which finds one Red Hat Enterprise Linux Desktop product ID to subscribe to a Red Hat Enterprise Linux Workstation subscription. A user downloads content from a Workstation repository.
    The use case scenario described above fails because the rhel-workstation repositories require the rhel-5-workstation product tag in the product certification beforehand in order to view them.
    To work around this issue, follow these steps:
    1. Install a rhel-5-client system.
    2. Mount the ISO to your file system.
    3. Copy <path_to_ISO>/Workstation/repodata/productid to the /etc/pki/product/ directory, making sure that the file copied ends with .pem (for example, /etc/pki/product/productid.pem)
    4. Subscribe to a Workstation subscription.
    5. Install a package from a Workstation repository.

2.42. systemtap

SystemTap provides an instrumentation infrastructure for systems running the Linux 2.6 kernel. It allows users to write scripts that probe and trace system events for monitoring and profiling purposes. SystemTap's framework allows users to investigate and monitor a wide variety of wide variety of kernel functions, system calls, and other evens that occur in both kernel-space and user-space.
  • The systemap-testsuite subpackage is designed for installation on development Workstation machines, not limited Client variants. More complete RPM dependencies now mandate the presence of several non-Client RPM packages, so it is no longer installable on the Client variant. Attempting to update can fail if the update includes the system-testsuite subpackage. To work around this problem remove the systemtap-testsuite subpackage from a Client machine before upgrading the systemtap package.
  • Running some user-space probe test cases provided by the systemtap-testsuite package fail with an Unknown symbol in module error on some architectures. These test cases include (but are not limited to):
    • systemtap.base/uprobes.exp
    • systemtap.base/bz10078.exp
    • systemtap.base/bz6850.exp
    • systemtap.base/bz5274.exp
    Because of a known bug in the latest SystemTap update, new SystemTap installations do not unload old versions of the uprobes.ko module. Some updated user-space probe tests provided by the systemtap-testsuite package use symbols available only in the latest uprobes.ko module (also provided by the latest SystemTap update). As such, running these user-space probe tests result in the error mentioned earlier.
    If you encounter this error, simply run rmmod uprobes to manually remove the older uprobes.ko module before running the user-space probe test again. (BZ#499677)
  • SystemTap currently uses GCC to probe user-space events. GCC is, however, unable to provide debuggers with precise location list information for parameters. In some cases, GCC also fails to provide visibility on some parameters. As a consequence, SystemTap scripts that probe user-space may return inaccurate readings. (BZ#239065)

2.43. xen

Xen is a high-performance and secure open-source virtualization framework. The virtualization allows users to run guest operating systems in virtual machines on top of a host operating system.
  • In some cases, Red Hat Enterprise Linux 6 guests running fully-virtualized under Red Hat Enterprise Linux 5 experience a time drift or fail to boot. In some cases, drifting may start after migration of the virtual machine to a host with different speed. This is due to limitations in the Red Hat Enterprise Linux 5 Xen Hypervisor. To work around this, add clocksource=acpi_pm or clocksource=jiffies to the kernel command line for the guest. Alternatively, if running under Red Hat Enterprise Linux 5.7 or newer, locate the guest configuration file for the guest and add the hpet=0 option in it.
  • There are only 2 virtual slots (00:06.0 and 00:07.0) that are available for hot plug support in a virtual guest. (BZ#564261)
  • As of Red Hat Enterprise Linux 5.4, PCI devices connected to a single PCI-PCI bridge can no longer be assigned to different PV guests. If the old, unsafe behavior is required, disable pci-dev-assign-strict-check in /etc/xen/xend-config.sxp. (BZ#508310)
  • When running x86_64 Xen, it is recommended to set dom0-min-mem in /etc/xen/xend-config.sxp to a value of 1024 or higher. Lower values may cause the dom0 to run out of memory, resulting in poor performance or out-of-memory situations. (BZ#519492)
  • The Red Hat Enterprise Linux 3 kernel does not include SWIOTLB support. SWIOTLB support is required for Red Hat Enterprise Linux 3 guests to support more than 4GB of memory on AMD Opteron and Athlon-64 processors. Consequently, Red Hat Enterprise Linux 3 guests are limited to 4GB of memory on AMD processors. (BZ#504187)
  • The Hypervisor outputs messages regarding attempts by any guest to write to an MSR. Such messages contain the statement Domain attempted WRMSR. These messages can be safely ignored; furthermore, they are rate limited and should pose no performance risk. (BZ#477647)
The following known issues applies to the Intel 64 and AMD64 architectures:
  • Installing Red Hat Enterprise Linux 3.9 on a fully virtualized guest may be extremely slow. In addition, booting up the guest after installation may result in hda: lost interrupt errors.
    To avoid this bootup error, configure the guest to use the SMP kernel. (BZ#249521)

2.44. vdsm22

VDSM is a management module that servers as the Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor and Red Hat Enterprise Linux hosts.
  • Adding Red Hat Enterprise Virtualization Hypervisor as a Red Hat Enterprise Linux host is not supported in Red Hat Enterprise Linux 5, and will therefore fail.

2.45. virt-v2v

The virt-v2v package provides a tool for converting virtual machines to use the KVM hypervisor or Red Hat Enterprise Virtualization. The tool can import a variety of guest operating systems from libvirt-managed hosts and VMware ESX.
  • VMware Tools on Microsoft Windows is unable to disable itself when it detects that it is no longer running on a VMware platform. As a consequence, converting a Microsoft Windows guest from VMware ESX, which has VMware Tools installed, resulted in multiple error messages being displayed on startup. In addition, a Stop Error (also known as Blue Screen of Death, or BSOD) was displayed every time when shutting down the guest. To work around this issue, users are advised to uninstall VMware Tools from Microsoft Windows guests before conversion. (BZ#711972)

2.46. virtio-win

VirtIO para-virtualized Windows(R) drivers for 32-bit and 64-bit Windows (R) guests.
  • Low performance with UDP messages larger than 1024 is a known Microsoft issue: http://support.microsoft.com/default.aspx/kb/235257. For the message larger than 1024 bytes follow the workaround procedure detailed in the above Microsoft knowledgebase article.
  • Installation of Windows XP with the floppy containing guest drivers (in order to get the virtio-net drivers installed as part of the installation), will return messages stating that the viostor.sys file could not be found. viostor.sys is not part of the network drivers, but is on the same floppy as portions of the virtio-blk drivers. These messages can be safely ignored, simply accept the installation's offer to reboot, and the installation will continue normally.

2.47. xorg-x11-drv-i810

xorg-x11-drv-i810 is an Intel integrated graphics video driver for the X.Org implementation of the X Window System.
  • When switching from the X server to a virtual terminal (VT) on a Lenovo ThinkPad T510 laptop, the screen can remain blank. Switching back to the X server will restore the screen.
  • Running a screensaver or resuming a suspended laptop with an external monitor attached may result in a blank screen or a brief flash followed by a blank screen. If this occurs with the screensaver, the prompt for your password is being obscured, the password can still be entered blindly to get back to the desktop. To work around this issue, physically disconnect the external monitor and then press the video hotkey (usually Fn-F7) to rescan the available outputs, before suspending the laptop.
The following known issues apply to the Intel 64 and AMD64 architectures:
  • If your system uses an Intel 945GM graphics card, do not use the i810 driver. You should use the default intel driver instead. (BZ#468218)
  • On dual-GPU laptops, if one of the graphics chips is Intel-based, the Intel graphics mode cannot drive any external digital connections (including HDMI, DVI, and DisplayPort). This is a hardware limitation of the Intel GPU. If you require external digital connections, configure the system to use the discrete graphics chip (in the BIOS). (BZ#468259)

2.48. xorg-x11-drv-nv

xorg-x11-drv-nv provides a driver for NVIDIA cards for the X.org implementation of the X Window System.
  • Improvements have been made to the 'nv' driver, enhancing suspend and resume support on some systems equipped with nVidia GeForce 8000 and 9000 series devices. Due to technical limitations, this will not enable suspend/resume on all hardware. (BZ#414971)
The following known issue applies to the Intel 64 and AMD64 architectures:
  • Some machines that use NVIDIA graphics cards may display corrupted graphics or fonts when using the graphical installer or during a graphical login. To work around this, switch to a virtual console and back to the original X host. (BZ#222737, BZ#221789)

2.49. xorg-x11-drv-vesa

xorg-x11-drv-vesa is a video driver for the X.Org implementation of the X Window System. It is used as a fallback driver for cards with no native driver, or when the native driver does not work.
The following known issue applies to the x86 architecture:
  • When running the bare-metal (non-Virtualized) kernel, the X server may not be able to retrieve EDID information from the monitor. When this occurs, the graphics driver will be unable to display resolutions highers than 800x600.
    To work around this, add the following line to the ServerLayout section of /etc/X11/xorg.conf:
    Option "Int10Backend" "x86emu"
    (BZ#236416)

2.50. xorg-x11-server

X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon.
  • On HP Z1 AIO workstations using Intel embedded graphics, the Anaconda installer uses graphical install mode, but displays it only in one quarter of the screen. Although the installation completes successfully, navigation can be difficult in this mode. To work around this problem, use the text-based installation instead of graphical mode, which correctly uses the entire screen on the mentioned workstations.

2.51. yaboot

The yaboot package is a boot loader for Open Firmware based PowerPC systems. It can be used to boot IBM eServer System p machines.
  • If the string that represents the path to kernel (or ramdisk) is greater than 63 characters, network booting an IBM POWER5 series system may result in the following error:
    FINAL File Size = 8948021 bytes.
    load-base=0x4000 
    real-base=0xc00000 
    DEFAULT CATCH!, exception-handler=fff00300
    
    The firmware for IBM POWER6 and IBM POWER7 systems contains a fix for this issue. (BZ#550086)

Chapter 3. New Packages

New php53-odbc64 packages are now available for Red Hat Enterprise Linux 5.
The php53-odbc64 packages provide a module which can be used to access ODBC database interfaces from PHP 5.3 through the 64-bit API provided in the unixODBC64 package.
This enhancement update adds the php53-odbc64 package to Red Hat Enterprise Linux 5. (BZ#772293)
Users who are not encountering ODBC compatibility issues do not need to install these packages. Users who need to access ODBC database interfaces from PHP 5.3 through the 64-bit API provided in the unixODBC64 package are advised to install these new packages.
New libitm packages are now available for Red Hat Enterprise Linux 5.
Libitm contains the GNU Transactional Memory Library, which provides transaction support for accesses to the memory of a process to enable synchronization of accesses to a shared memory by several threads.
This enhancement update adds the libitm packages to Red Hat Enterprise Linux 5. (BZ#813302)
All users who require libitm should install these new packages.
New scl-utils packages are now available for Red Hat Enterprise Linux 5.
The scl-utils packages provide a runtime utility and RPM packaging macros for packaging Software Collections. Software Collections allow users to concurrently install multiple versions of the same RPM packages on the system. Using the scl utility, users may enable specific versions of RPMs, which are installed into the /opt directory.
This enhancement update adds the scl-utils packages to Red Hat Enterprise Linux 5. (BZ#789469)
All users who require scl-utils should install these new packages.
New ant17 packages are now available for Red Hat Enterprise Linux 5.
The ant17 packages provide Ant version 1.7, a platform-independent build tool required for building with Java 7 OpenJDK7.
This enhancement update adds the ant17 packages to Red Hat Enterprise Linux 5. Note that the ant17 packages are released as an OpenJDK7 build requirement and are not compatible with ant 1.6. Therefore, no system or package should depend on ant17. (BZ#803797)
It is not recommended to install ant17 explicitly.
New java-1.7.0-openjdk packages are now available for Red Hat Enterprise Linux 5.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit so as to supply Java 7.
This enhancement update adds the java-1.7.0-openjdk packages to Red Hat Enterprise Linux 5. (BZ#803732)
Note: If creating packages dependent on Java 7, make sure your packaging system uses Java 7 packages as dependencies.
All users who require java-1.7.0-openjdk should install these new packages.
New rsyslog5 packages are now available for Red Hat Enterprise Linux 5.
The rsyslog5 packages provide an enhanced, multi-threaded syslog daemon. It supports MySQL, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control.
The rsyslog5 package is a substitute of the existing rsyslog package which provides major version 3 of rsyslog in Red Hat Enterprise Linux 5. In order to install the rsyslog5 package, the rsyslog package must first be uninstalled.
This enhancement update adds the rsyslog5 packages to Red Hat Enterprise Linux 5. (BZ#820396)
For more information on changes included in major version 5 of rsyslog, refer to the Red Hat Enterprise Linux 5.9 Release Notes:
All users who require rsyslog5 should install these new packages.
New java-1.7.0-ibm packages are now available for Red Hat Enterprise Linux 5.
The java-1.7.0-ibm packages provide the IBM Java 7 Runtime Environment and the IBM Java 7 Software Development Kit.
This enhancement update adds the java-1.7.0-ibm packages to Red Hat Enterprise Linux 5. (BZ#841913)
All users who require java-1.7.0-ibm should install these new packages.
New java-1.7.0-oracle packages are now available for Red Hat Enterprise Linux 5.
Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.
This update adds the java-1.7.0-oracle packages to Red Hat Enterprise Linux 5. (BZ#841910)
Note: Before applying this update, make sure that any previous Oracle Java packages have been removed.
All users who require java-1.7.0-oracle should install these new packages.
New hypervkvpd packages are now available for Red Hat Enterprise Linux 5.
The hypervkvpd packages contain hypervkvpd, the guest Hyper-V Key-Value Pair (KVP) daemon. The daemon passes basic information to the host through VMbus, such as the guest IP address, fully qualified domain name, operating system name, and operating system release number.
This enhancement update adds the hypervkvpd packages to Red Hat Enterprise Linux 5. (BZ#849855)
All users who require hypervkvpd are advised to install these new packages.

Chapter 4. Package Updates

4.1. acroread
4.2. aide
4.3. alsa-utils
4.4. anaconda
4.5. aspell-en
4.6. autofs
4.7. bind
4.8. bind97
4.9. binutils
4.10. busybox
4.11. cman
4.12. cmirror
4.13. conga
4.14. coreutils
4.15. cpio
4.16. crash
4.17. crontabs
4.18. cscope
4.19. ctdb
4.20. cyrus-sasl
4.21. device-mapper-multipath
4.22. dhcp
4.23. diffutils
4.24. doxygen
4.25. e2fsprogs
4.26. e4fsprogs
4.27. esc
4.28. etherboot
4.29. expat
4.30. file
4.31. firefox
4.32. freeradius2
4.33. freetype
4.34. ftp
4.35. gawk
4.36. gcc
4.37. gcc44
4.38. gdb
4.39. gdbm
4.40. gfs-kmod
4.41. gfs-utils
4.42. gfs2-utils
4.43. ghostscript
4.44. gimp
4.45. glibc
4.46. gnbd
4.47. gnome-session
4.48. gnome-vfs2
4.49. gnutls
4.50. gpxe
4.51. grub
4.52. gtk+
4.53. gtk2
4.54. guagga
4.55. hal
4.56. hplip3
4.57. hsqldb
4.58. httpd
4.59. hwdata
4.60. ImageMagick
4.61. initscripts
4.62. ipa-client
4.63. iproute
4.64. iprutils
4.65. ipsec-tools
4.66. iptables
4.67. iscsi-initiator-utils
4.68. java-1.6.0-openjdk
4.69. flash-plugin
4.70. java-1.4.2-ibm
4.71. java-1.5.0-ibm
4.72. java-1.6.0-ibm
4.73. java-1.6.0-sun
4.74. jpackage-utils
4.75. kbd
4.76. kdebase
4.77. kernel
4.78. kexec-tools
4.79. ksh
4.80. kudzu
4.81. kvm
4.82. lftp
4.83. libexif
4.84. libgcrypt
4.85. libpng
4.86. libtalloc
4.87. libtdb
4.88. libtiff
4.89. libuser
4.90. libvirt
4.91. libwpd
4.92. libxml2
4.93. libxslt
4.94. linuxwacom
4.95. logrotate
4.96. logwatch
4.97. lvm2
4.98. lvm2-cluster
4.99. m2crypto
4.100. man
4.101. man-pages-overrides
4.102. mdadm
4.103. microcode_ctl
4.104. mkinitrd
4.105. mod_auth_kerb
4.106. mod_nss
4.107. mod_python
4.108. mozldap
4.109. mt-st
4.110. mutt
4.111. mysql
4.112. net-snmp
4.113. nss
4.114. nss_ldap
4.115. OFED
4.116. openais
4.117. OpenIPMI
4.118. openldap
4.119. openmotif
4.120. openoffice.org
4.121. openssl
4.122. openswan
4.123. pam
4.124. parted
4.125. pdksh
4.126. perl
4.127. perl-IO-Socket-SSL
4.128. perl-LDAP
4.129. perl-XML-SAX
4.130. php
4.131. php53
4.132. pidgin
4.133. piranha
4.134. pirut
4.135. pm-utils
4.136. postfix
4.137. postgresql
4.138. ppc64-utils
4.139. procps
4.140. psmisc
4.141. python
4.142. python-iniparse
4.143. python-rhsm
4.144. qt
4.145. quagga
4.146. quota
4.147. redhat-release
4.148. redhat-release-notes
4.149. rgmanager
4.150. rhn-client-tools
4.151. rhnsd
4.152. rp-pppoe
4.153. rpm
4.154. ruby
4.155. perl-DBD-Pg
4.156. samba
4.157. samba3x
4.158. scim-bridge
4.159. selinux-policy
4.160. setroubleshoot
4.161. shadow-utils
4.162. smartmontools
4.163. specspo
4.164. spice-client
4.165. spice-xpi
4.166. sqlite
4.167. squirrelmail
4.168. sssd
4.169. strace
4.170. subscription-manager
4.171. subscription-manager-migration-data
4.172. subversion
4.173. sudo
4.174. symlinks
4.175. syslinux
4.176. sysstat
4.177. system-config-bind
4.178. system-config-cluster
4.179. system-config-lvm
4.180. system-config-netboot
4.181. system-config-printer
4.182. systemtap
4.183. tar
4.184. tcl
4.185. tcsh617
4.186. telnet
4.187. tomcat5
4.188. tzdata
4.189. udev
4.190. util-linux
4.191. vim
4.192. virt-who
4.193. vsftpd
4.194. wget
4.195. wireshark
4.196. tetex
4.197. thunderbird
4.198. xen
4.199. xinetd
4.200. xorg-x11-server
4.201. xulrunner
4.202. ypserv
4.203. yum
4.204. yum-metadata-parser
4.205. yum-rhn-plugin
4.206. yum-updatesd
4.207. zlib
4.208. zsh

4.1. acroread

Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Adobe Reader allows users to view and print documents in Portable Document Format (PDF).

Security Fix

CVE-2012-0774, CVE-2012-0775, CVE-2012-0777
This update fixes multiple security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB12-08. A specially-crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened.
All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.5.1, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect.

4.2. aide

Updated aide packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a system, and then uses that database to ensure file integrity and detect system intrusions.

Bug Fix

BZ#811936
Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.
All users of aide are advised to upgrade to these updated packages, which fix this bug.
Updated aide packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a system, and then uses that database to ensure file integrity and detect system intrusions.

Bug Fixes

BZ#547658
The help output of the aide executable did not mention the "-D" option which is a shortcut for "--config-check". The option could only be found on the aide(1) man page. With this update, the "-D" option is mentioned in both the help output and on the man page.
BZ#553137
Previously, the aide utility incorrectly initialized the gcrypt library. This consequently prevented aide to initialize its database if the system was running in FIPS-compliant mode. The initialization routine has been corrected, and along with an extension to the libgcrypt's API introduced in the RHEA-2012:0484 advisory, aide now initializes its database as expected if run in a FIPS-compliant way.
BZ#580253
The compare_dbline() function returned an "int" value, even though the function can operate with variables of size larger than "int" (for example, DB_SELINUX, DB_XATTRS or DB_WHIRPOOL). As a consequence, aide could produce incorrect results when checking a database for inconsistencies. The underlying source code has been modified so that the compare_dbline() function now returns an "unsigned long long" value, and aide correctly detects and reports database inconsistencies.
All users of aide are advised to upgrade to these updated packages, which fix these bugs.

4.3. alsa-utils

Updated alsa-utils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The alsa-utils package contains command line utilities for the Advanced Linux Sound Architecture (ALSA).

Bug Fix

BZ#854012
Due to an incorrect configuration of the alsaloop utility from the alsa-utils package, high CPU usage occurred when using alsaloop. This also affected the alsa-delay script, which uses alsaloop for the configurable audio delay functionality. With this update, the alsaloop function has been reconfigured. As a result, the CPU usage is now optimized when alsaloop is used.
All users of alsa-utils are advised to upgrade to these updated packages, which fix this bug.

4.4. anaconda

Updated anaconda packages that fix several bugs and two enhancements are now available for Red Hat Enterprise Linux 5.
The anaconda packages contain portions of the Anaconda installation program that can be run by the user for reconfiguration and advanced installation options.

Bug Fixes

BZ#750681
When a host name provided by the user could not be resolved during system installation, it was added to the /etc/hosts file as a localhost record (under 127.0.0.1). Thus when configuring the network, DNS resolution of the host name did not work properly. This update ensures that user-provided host names are no longer written to the /etc/hosts file and host name resolution now works as expected.
BZ#760496
During the installation process, Anaconda failed to read the Release Notes using the getReleaseNotes() function. Consequently, the Release Notes button showed a pop-up error Release Notes are missing. The getReleaseNotes() function has been fixed and now properly presents the Release Notes when the Release Notes button is pressed.
BZ#769287
The maximum size limit for all ext file systems was set to 8 TB. Consequently, Anaconda limited the maximum size artificially for the ext3 and ext4 file systems, even though these systems support sizes up to 16 TB. The size limits for ext3 and ext4 have been extended to 16 TB.
BZ#773573
Pressing the ESC key in certain Anaconda dialog boxes behaved the same way as if the OK button was hit. This has been fixed and pressing the ESC key now has the same effect as hitting the Cancel button.
BZ#784159
Previously, symbolic links in the /dev/ directory, such as /dev/fd/, were not created during installation. Consequently, an attempt to use these links during the installation failed. The source code has been updated and symbolic links are now created correctly and can be used during installation.
BZ#788871
The openibd service was not enabled after installation when using IP over InfiniBand (IPoIB). Consequently, an InfiniBand device did not come up after installation. The underlying source code has been modified and the openibd service is now enabled when using IPoIB during installation.
BZ#797075
Previously, the --label option in the part section of a kickstart file was not honored. Consequently, partitions were not labeled in accordance with the kickstart option after system installation. The source code that handles partition label setting has been fixed, and partition labeling via a kickstart file works as expected.
BZ#812719
Kernel and initrd image sizes grew slightly in Red Hat Enterprise Linux 5.8. Consequently, the diskboot.img file did not have enough space to store all files and some of them were truncated or were not included in the image. The size of diskboot.img has been increased and all files fit as expected.
BZ#819721
Due to improper handling of invalid disks referenced in the kickstart file, Anaconda could crash with a traceback when attempting to execute the partitioning instructions. This bug has been fixed, Anaconda now checks for invalid BIOS disk references correctly and exits gracefully indicating that the referenced BIOS disk cannot be found.
BZ#841136
Newer versions of nfs-utils and mount.nfs are set to use the TCP protocol by default and Anaconda mounting code conflicted with this new default. Consequently, the Network File System (NFS) sources were not mountable and users were unable to install the system over this protocol. The Anaconda NFS mounting code has been updated to use TCP by default. As result, installations over NFS function as expected.

Enhancements

BZ#756213
This enhancement adds a class for Global File System (GFS) to the Anaconda code base. As a result, the lines with the gfs string in the /etc/fstab file are preserved on upgrade and using the gfs boot option enables a way to create new GFS partitions during installation. The lines with the unknown (unsupported) file system type are just commented out on upgrade instead of removed from the /etc/fstab file.
BZ#824880
This enhancement includes Microsoft ParaVirtualized (PV) drivers into the installation environment. Previously, running Red Hat Enterprise Linux as a guest on Microsoft provided only a sub-part user experience with need to download and install Microsoft tools and add the PV support. This update enables seamless installation of Red Hat Enterprise Linux as a guest on a Hyper-V server and Red Hat Enterprise Linux works out-of-the-box now.
Users of anaconda are advised to upgrade to these updated packages, that fix these bugs and add these enhancements.

4.5. aspell-en

An updated aspell-en package that adds one enhancement is now available for Red Hat Enterprise Linux 5.
The aspell-en package provides the word list and dictionaries for the English language.

Enhancement

BZ#562286
Prior to this update, the default English dictionary contained profanity. With this update, the profanity is moved from the default dictionary to the "en-complete" dictionary. To run aspell with this dictionary, use the "-d" switch: "aspell -d en-complete".
All users of aspell-en are advised to upgrade to this updated package, which adds this enhancement.

4.6. autofs

Updated autofs packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts file systems when you use them, and unmounts them when they are not busy.

Bug Fix

BZ#810126
A function to check validity of a mount location was meant to check only for a small subset of map location errors. A recent improvement modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused automount to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.
All users of autofs are advised to upgrade to these updated packages, which fix this bug.
An updated autofs package that fixes one security issue, several bugs, and adds one enhancement is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The autofs utility controls the operation of the automount daemon. The automount daemon automatically mounts and unmounts file systems.

Security Fix

CVE-2012-2697
A bug fix included in RHBA-2012:0264 introduced a denial of service flaw in autofs. When using autofs with LDAP, a local user could use this flaw to crash autofs, preventing future mount requests from being processed until the autofs service was restarted. Note: This flaw did not impact existing mounts (except for preventing mount expiration).
Red Hat would like to thank Ray Rocker for reporting this issue.

Bug Fixes

BZ#585058
The autofs init script sometimes timed out waiting for the automount daemon to exit and returned a shutdown failure if the daemon failed to exit in time. To resolve this problem, the amount of time that the init script waits for the daemon has been increased to allow for cases where servers are slow to respond or there are many active mounts.
BZ#767428
Due to an omission when backporting a change, autofs attempted to download the entire LDAP map at startup. This mistake has now been corrected.
BZ#798448
A function to check the validity of a mount location was meant to check only for a small subset of map location errors. A recent modification in error reporting inverted a logic test in this validating function. Consequently, the scope of the test was widened, which caused the automount daemon to report false positive failures. With this update, the faulty logic test has been corrected and false positive failures no longer occur.
BZ#847101
When there were many attempts to access invalid or non-existent keys, the automount daemon used excessive CPU resources. As a consequence, systems sometimes became unresponsive. The code has been improved so that automount checks for invalid keys earlier in the process which has eliminated a significant amount of the processing overhead.
BZ#859890
The auto.master(5) man page did not document the "-t, --timeout" option in the FORMAT options section. This update adds this information to the man page.

Enhancement

BZ#690404
Previously, it was not possible to configure separate timeout values for individual direct map entries in the autofs master map. This update adds this functionality.
All users of autofs are advised to upgrade to this updated package, which contains backported patches to correct these issues and add this enhancement.

4.7. bind

Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named), a resolver library (routines for applications to use when interfacing with DNS), and tools for verifying that the DNS server is operating correctly.

Bug Fix

BZ#885731
Previously, the "named" name service daemon could terminate unexpectedly due to a race condition in the socket module. This race condition has been fixed and the "named" daemon no longer crashes.
Users of bind are advised to upgrade to these updated packages, which fix this bug.
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fixes

CVE-2012-1667
A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
CVE-2012-1033
A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
Users of bind are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-3817
An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-4244
A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.

Bug Fix

BZ#857056
The bind-chroot-admin script, executed when upgrading the bind-chroot package, failed to correctly update the permissions of the /var/named/chroot/etc/named.conf file. Depending on the permissions of the file, this could have prevented named from starting after installing package updates. With this update, bind-chroot-admin correctly updates the permissions and ownership of the file.
Users of bind are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-5166
A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
Users of bind are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

4.8. bind97

Updated bind97 packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. It contains a DNS server (named), a resolver library with routines for applications to use when interfacing with DNS, and tools for verifying that the DNS server is operating correctly. These packages contain version 9.7 of the BIND suite.

Bug Fix

BZ#883402
When authoritative servers did not return a Start of Authority (SOA) record, the "named" daemon failed to cache and return answers. A patch has been provided to address this issue and "named" is now able to handle such under-performing servers correctly.
Users of bind97 are advised to upgrade to these updated packages, which fix this bug.
Updated bind97 packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Bug Fixes

BZ#657260
Previously, the DNS server (named) init script killed all named processes when stopping the named daemon. This caused a problem for container-virtualized hosts, such as OpenVZ, because their named processes were killed by the init script. The init script has been fixed and now only kills the correct named processes.
BZ#703452
When the /etc/resolv.conf file contained the search keyword with no arguments, the host/nslookup/dig utility failed to parse it correctly. With this update, such lines are ignored.
BZ#719855
The /etc/named.root.key file was not listed in the ROOTDIR_MOUNT variable. Consequently, when using bind97 with chroot, the named.root.key file was not mounted to the chroot environment. A patch has been applied and /etc/named.root.key is now mounted into chroot.
BZ#758057
A non-writable working directory is a long time feature on all Red Hat systems. Previously, named wrote the working directory is not writable as an error to the system log. This update changes the code so that named now writes this information only into the debug log.
BZ#803369
During a DNS zone transfer, named sometimes terminated unexpectedly with an assertion failure. A patch has been applied to make the code more robust, and named no longer crashes in the scenario described.
BZ#829823
Due to an error in the bind spec file, the bind-chroot subpackage did not create a /dev/null device. In addition, some empty directories were left behind after uninstalling bind. With this update, the bind-chroot packaging errors have been fixed.
BZ#829829
Previously, the nslookup utility did not return a non-zero exit code when it failed to get an answer. Consequently, it was impossible to determine if an nslookup run was successful or not from the error code. The nslookup utility has been fixed and now it returns 1 as the exit code when it fails to get an answer.
BZ#829831
The named daemon, configured as master server, sometimes failed to transfer an uncompressible zone. The following error message was logged:
transfer of './IN': sending zone data: ran out of space
The code which handles zone transfers has been fixed and this error no longer occurs in the scenario described.

Enhancements

BZ#693788
Previously, bind97 did not contain the root zone DNSKEY. DNSKEY is now located in /etc/named.root.key.
BZ#703096
With this update, the size, MD5 checksum, and modification time of the /etc/sysconfig/named configuration file is no longer checked via the rpm -V bind command.
BZ#703397
The host utility now honors debug, attempts, and timeout options in the /etc/resolv.conf file.
BZ#703411
The DISABLE_ZONE_CHECKING option has been added to /etc/sysconfig/named. This option adds the possibility to bypass zone validation via the named-checkzone utility in the /etc/init.d/named init script and allows starting named with misconfigured zones.
BZ#749214
The return codes of the dig utility are now documented in the dig man page.
BZ#811566
The option to disable Internationalized Domain Name (IDN) support in the dig utility was incorrectly documented in the man page. The dig man page has been corrected to explain the use of the libidn environment option CHARSET for disabling IDN.
BZ#829827
Previously, the rndc.key file was generated during package installation by the rndc-confgen -a command, but this feature was removed in Red Hat Enterprise Linux 5.8 because users reported that installation of the bind package sometimes became unresponsive due to lack of entropy in /dev/random. The named init script now generates rndc.key during the service startup if it does not exist.
All users of bind97 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Updated bind97 packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fixes

CVE-2012-1667
A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
CVE-2012-1033
A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
Users of bind97 are advised to upgrade to these updated packages, which correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-3817
An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-4244
A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.
Updated bind97 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix

CVE-2012-5166
A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
Users of bind97 are advised to upgrade to these updated packages, which correct this issue. After installing the update, the BIND daemon (named) will be restarted automatically.

4.9. binutils

Updated binutils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The binutils packages are a collection of programming tools for the manipulation of object code in various object file formats.

Bug Fix

BZ#818708
Due to instability in calculating the program header size, the GNU linker could terminate unexpectedly with the "looping in map_segments" error message. With this update, the linker has been modified to properly handle changes in the size of the segment map, which prevents the instability and the linker no longer crashes in this scenario.
All users of binutils are advised to upgrade to these updated packages, which fix this bug.

4.10. busybox

Updated busybox packages that fix one bug are now available for Red Hat Enterprise Linux 5.
BusyBox is a binary that combines a large number of common system utilities into a single executable. BusyBox provides replacements for most GNU file utilities, shell utilities, and other command-line tools.

Bug Fix

BZ#834277
When attempting to mount an NFS file system, the mount command in the busybox package was using the UDP protocol by default while the standard mount utility uses the TCP protocol by default. Consequently, directories could not be mounted from the server. With this update, the mount command in busybox has been fixed to use TCP by default, thus preventing this bug.
All users of busybox are advised to upgrade to these updated packages, which fix this bug.

4.11. cman

An updated cman package that fixes one bug is now available for Red Hat Enterprise Linux 5.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

Bug Fix

BZ#765665
The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "powering_up", "paused", "migrating", "unknown", "not_responding", "wait_for_launch", "reboot_in_progress", "saving_state", "restoring_state", "suspended", "image_illegal", "image_locked" or "powering_down". Previously, only if the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states although the machine was actually running. This allowed for successful fencing even before the machine was really powered off. With this update, the fence_rhevm agent detects power status of a cluster node more conservatively, and the "off" status is returned only if the machine is really powered off, it means in the "off" state.
All users of cman are advised to upgrade to this updated package, which fixes this bug.
Updated cman packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

Bug Fix

BZ#811939
Previously, cman did not handle idle connection timeout correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed if the "delay" option was set to more than 5 seconds. With this update, the "delay" option is applied before the connection is opened and the fencing thus no longer fails in this scenario.
All users of cman are advised to upgrade to these updated packages, which fix this bug.
Updated cman packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

Bug Fix

BZ#861392
The speed of fencing is critical because otherwise, broken nodes have more time to corrupt data. Previously, the operation of the fence_vmware_soap fencing agent was slow when used on the VMWare vSphere platform with hundreds of virtual machines. This update fixes a problem with virtual machines that do not have a valid UUID, which can be created during failed P2V (Physical-to-Virtual) processes. Now, the fencing process is also much faster and it does not terminate if a virtual machines without an UUID is encountered.
All users of cman are advised to upgrade to these updated packages, which fix this bug.
Updated cman packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster.

Bug Fixes

BZ#674497
With this update, several typographical errors in the fence/agents/scsi/fence_scsi.pl file have been fixed. As a result, the debug messages of this file are now typographically correct.
BZ#745985
Prior to this update, the VMware vSphere 5.0 SOAP API was not listed as a version supported by the fence_vmware_soap fence agent. Consequently, the fence agent did not function properly with virtual machines managed by VMware vSphere 5.0. With this update, VMware vSphere 5.0 has been added to the list of supported interfaces, and is fully compatible with fence_vmware_soap.
BZ#753839
Previously, the fence_scsi man page contained incorrect information about the limitations of the fence_scsi agent. The correct description of these limitations can be found in the in the Cluster Administration guide. With this update, the misleading section has been removed from the manual page in order to avoid the potential confusion.
BZ#782919
Prior to this update, when attempting to create registrations on a multipath device with the fence_scsi_test -o command, some registrations failed without signalization. Consequently, there was a need to verify that all registrations had been successfully created. With this update, a --strict option has been added into the fence_scsi_test program. This option forces the verification step to compare the number of paths to the number of times the registration key appears on the device. Without this option, the verification step only inspects the existence of a registration key on the device. Although it is usually safe to omit the --strict option, it is strongly recommended to use --strict on multipath devices.
BZ#786485
The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the power status ("on" or "off") of a virtual machine. In addition to the states of "up" and "down", the API includes other states like "unassigned", "paused", etc. (14 in sum). Previously, only when the machine was in the "up" state, the "on" power status was returned. The "off" status was returned for all other states even though the machine was actually running. This behavior allowed for successful fencing even before the machine was powered off. The bug has been fixed and the "off" status is now returned only in a case the machine is in the "off" state.
BZ#804170
Previously, the cman utility did not apply the --delay option correctly when fencing a cluster node. Consequently, a connection to a fence device timed out and fencing failed when --delay was set to more than 5 seconds. With this update, --delay is applied before the connection is opened and the fencing no longer fails in the described scenario.
BZ#809390
Prior to this update, when the method name setting was left empty in the /etc/cluster/cluster.conf configuration file, an unintended core file was created. Consequently, a fenced cloud terminated with a segmentation fault. This bug has been fixed, and the termination no longer occurs in the aforementioned scenario.
BZ#809481
Due to a bug in the fence_scsi_test function, failing to create a reservation led to an incorrect reset of the error count to zero. The bug has been fixed, and the error count is now incremented properly when the error occurs.
BZ#836654
Previously, the fence_vmware_soap fencing agent operated slowly on the VMware vSphere platform with hundreds of virtual machines (VM). This behavior was caused by requesting for needless attributes. With this update, the unnecessary requests have been removed. This update also handles the VMs with invalid UUIDs, which can occur as a result of the failed P2V (physical to virtual machine) process. As a result, fence_vmware_soap performs fencing with increased speed and the process is no longer terminated when a VM without an UUID is encountered.
BZ#843083
In certain cases, the fence_xvm fencing agent incorrectly reported successful fencing, and ignored a communication issue between the agent and the fence_xvmd fencing host. This bug has been fixed and the communication errors are now reported correctly.
BZ#863567
The new href attribute on the /vms/vm element in the Red Hat Enterprise Virtualization Manager 3.1 API caused the get_id regular expression of the fence_rhevm fencing agent to fail. Consequently, the plug status was not available. With this update, get_id has been modified to allow arbitrary attributes to be added to the element. As a result, the plug status is now correctly shown.

Enhancements

BZ#738705
RHEL5 Cluster Suite now supports using RHEV shared storage disks as the shared storage between cluster nodes. Highly Available Logical Volume Manager (HA-LVM), Clustered Logical Volume Manager (CLVM), and the qDisk daemon are all supported on this storage. Fencing via fence_scsi will not work as shared disks are only exposed as VirtIO or IDE devices.
BZ#741985
A new fence agent, fence_ipdu, that handles the IBM iPDU fence device over the Simple Network Management Protocol (SNMP) has been added. As a result, the cman package now provides compatibility with IBM iPDU.
BZ#782900
Previously, using the qdiskd daemon for multipath devices required tuning with the device-mapper-multipath tool, which was a complex and error-prone process. With this update, the qdiskd input and output operations have been improved to automatically detect the multipath-related timeouts without requiring a manual configuration. As a result, qdiskd can now be easily deployed with device-mapper-multipath.
BZ#810949
Various cman fence agents differ in handling of the end-of-line (EOL) markers. Previously, changing the universal \r\n EOL could make the login process impossible for the fence agent. With this update, an automatic detection of EOL has been added to a fencing library and the described error no longer occurs.
BZ#821857
Prior to this update, it was not possible to specify more than four fencing devices per method with the cman utility. With this update, the maximum number of devices per method has increased to eight.
BZ#836963
The Distributed Lock Manager (DLM) now allows tuning of DLM hash table sizes from the /etc/sysconfig/cman file. The following parameters can be set in the /etc/sysconfig/cman file:
DLM_LKBTBL_SIZE=<size_of_table>
DLM_RSBTBL_SIZE=<size_of_table>
DLM_DIRTBL_SIZE=<size_of_table>
which, in turn, modifies the values in the following files respectively:
/sys/kernel/config/dlm/cluster/lkbtbl_size
/sys/kernel/config/dlm/cluster/rsbtbl_size
/sys/kernel/config/dlm/cluster/dirtbl_size
BZ#856954
Previously, it was not possible to modify the default TCP port (21064) of the Distributed Lock Manager (DLM). With this update, the DLM_TCP_PORT configuration parameter has been added into the /etc/sysconfig/cman file. As a result, the DLM TCP port can be manually configured.
BZ#878998
Support for clusters utilizing VMware's VMDK disk image technology with the multi-writer option is now provided. It is now possible to deploy Global File System 2 (GFS2) on top of VMDK.
All users of cman are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.12. cmirror

Updated cmirror packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The cmirror package provides user-level tools for managing cluster mirroring. Cmirror is needed for LVM-based mirroring (RAID1) in a cluster environment.

Bug Fix

BZ#809642
Previously, when successively activating and deactivating cluster mirrors, cmirror could fail to initialize the mirrors properly. Consequently, any I/O operations to the device and further LVM commands became unresponsive. With this update, cmirror has been modified to fix this bug; however, the problem can still occur after a large number of iterations.
All users of cmirror are advised to upgrade to these updated packages, which fix this bug.
Updated cmirror packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The cmirror packages provide user-level tools for managing cluster mirroring. Cmirror is needed for LVM-based mirroring (RAID1) in a cluster environment.

Bug Fix

BZ#816973
The cluster mirror daemon sends information between cluster nodes to keep the mirror log state consistent. Information about the state and health of the mirror and its devices is gathered as needed from the daemon. Some of the information does not change after the device has reached a certain state, for example when the mirror becomes "in-sync", while other information can change, for example the health of the log device in response to a failure. To limit the amount of such requests and reduce the load on the network, processing of information which cannot change is done locally. Previously, also requests for information regarding the health of the log device - which ultimately controls the fault handling behavior of the mirror - were processed locally, which caused the daemon to miss the failure of the log device on a remote machine. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.
All users of cmirror are advised to upgrade to these updated packages, which fix this bug.
Updated cmirror packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The cmirror packages provide a user-level utility for managing cluster mirroring. Cmirror is needed for LVM (Logical Volume Manger) based mirroring (RAID1) in a cluster environment.

Bug Fixes

BZ#711594
Prior to this update, requests for information about the health of the log device were processed locally. As a consequence, the cluster mirror daemon could not detect log device failures on remote machines. With this update, the information is requested from the cluster so that log device failures are detected and processed as expected.
BZ#806919
Prior to this update, the cmirror utility could fail to initialize the mirrors correctly when successively activating and deactivating cluster mirrors. As a consequence, any I/O operation to the device and further LVM commands became unresponsive.This update modifies the underlying code so that the problem only occurs after a large number of iterations.
All users of cmirror are advised to upgrade to these updated packages, which fix these bugs.

4.13. conga

Updated conga packages that fix one security issue, multiple bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

Security Fix

CVE-2012-3359
It was discovered that luci stored usernames and passwords in session cookies. This issue prevented the session inactivity timeout feature from working correctly, and allowed attackers able to get access to a session cookie to obtain the victim's authentication credentials.
Red Hat would like to thank George Hedfors of Cybercom Sweden East AB for reporting this issue.

Bug Fixes

BZ#832181
Prior to this update, luci did not allow the fence_apc_snmp agent to be configured. As a consequence, users could not configure or view an existing configuration for fence_apc_snmp. This update adds a new screen that allows fence_apc_snmp to be configured.
BZ#832183
Prior to this update, luci did not allow the SSL operation of the fence_ilo fence agent to be enabled or disabled. As a consequence, users could not configure or view an existing configuration for the 'ssl' attribute for fence_ilo. This update adds a checkbox to show whether the SSL operation is enabled and allows users to edit that attribute.
BZ#832185
Prior to this update, luci did not allow the "identity_file" attribute of the fence_ilo_mp fence agent to be viewed or edited. As a consequence, users could not configure or view an existing configuration for the "identity_file" attribute of the fence_ilo_mp fence agent. This update adds a text input box to show the current state of the "identity_file" attribute of fence_ilo_mp and allows users to edit that attribute.
BZ#835649
Prior to this update, redundant files and directories remained on the file system at /var/lib/luci/var/pts and /usr/lib{,64}/luci/zope/var/pts when the luci package was uninstalled. This update removes these files and directories when the luci package is uninstalled.
BZ#839732
Prior to this update, the "restart-disable" recovery policy was not displayed in the recovery policy list from which users could select when they configure a recovery policy for a failover domain. As a consequence, the "restart-disable" recovery policy could not be set with the luci GUI. This update adds the "restart-disable" recovery option to the recovery policy pulldown list.
BZ#842865
Prior to this update, line breaks that were not anticipated in the "yum list" output could cause package upgrade and/or installation to fail when creating clusters or adding nodes to existing clusters. As a consequence, creating clusters and adding cluster nodes to existing clusters could fail. This update modifies the ricci daemon to be able to correctly handle line breaks in the "yum list" output.

Enhancements

BZ#741986
This update adds support for configuring the Intel iPDU fence agent to the luci package.
BZ#822633
This update adds support for viewing and changing the state of the new 'nfsrestart' attribute to the FS and Cluster FS resource agent configuration screens.
All users of conga are advised to upgrade to these updated packages, which resolve these issues and add these enhancements. After installing this update, the luci and ricci services will be restarted automatically.

4.14. coreutils

An updated coreutils package that fixes one bug is now available for Red Hat Enterprise Linux 5.
The coreutils package contains the core GNU utilities. It is the combination of the old GNU fileutils, sh-utils, and textutils packages.

Bug Fix

BZ#803356
An incomplete fix for behavior of the "mv --backup" command, that was released with the RHBA-2011:1074 errata advisory, caused the "cp --backup" command to work incorrectly. When used with a directory as a source argument, the "cp --backup" command did not backup individual files within the directory but whole directory. This update corrects the problem and the "--backup" feature of the "cp" utility now works as intended again.
All users of coreutils are advised to upgrade to this updated package, which fixes this bug.

4.15. cpio

Updated cpio packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The cpio packages provide the GNU cpio file archiver utility. GNU cpio can be used to copy and extract files into or from cpio and Tar archives. This update is related to the following bug:
BZ#573943
Prior to this update, the cpio man page did not document how to use tape devices that do not use the default block size of 512 bytes for I/O operations. As a result, the cpio utility could fail with the error message "cpio: read error: Cannot allocate memory" if another block size was used. With this update, the man page states that setting the block size with the "--block-size" long option avoids this problem.
All users of cpio are advised to upgrade to these updated packages, which fix this bug.

4.16. crash

Updated crash packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The crash packages contain a self-contained utility that can be used to investigate live systems and kernel core dumps created by the netdump, diskdump, and kdump utilities.

Bug Fix

BZ#883727
The Xen dom0 dump files created with the "makedumpfile -d1" command on very large systems could create an ELF vmcore that the crash utility incorrectly determined to be an old-style netdump vmcore. Consequently, the crash session failed during initialization with the error message "crash: cannot read xen kdump p2m mfn page". With this update, the code has been fixed and the crash utility now properly starts in the described scenario.
Users of crash are advised to upgrade to these updated packages, which fix this bug.

4.17. crontabs

An updated crontabs package that adds one enhancement is now available for Red Hat Enterprise Linux 5.
The crontabs package contains root crontab files and directories. Crontab files are used to schedule jobs to be executed by the cron daemon, such as cronie. Crontabs handles a basic system function so it should be installed on your system.

Enhancement

BZ#532157
The cron daemon had no mechanism to manage cron job rescheduling in a shared environment selectively. Therefore, when a large number of hosts attempted to execute their jobs at the same time, a network or server running the jobs could become overloaded. This update modifies the run-parts script to provide cron job randomization. When cron job randomization is enabled and configured, and a cron job fails to be executed at the scheduled time, cron retries to execute jobs after a random interval. The network and server overloading due to too many simultaneous cron jobs can no longer occur.
All users of crontabs are advised to upgrade to this updated package, which adds this enhancement.

4.18. cscope

Updated cscope packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The cscope packages contain ncurses-based C source code tree browsing tool which allows users to search large source code bases for variables, functions, macros, as well as perform general regex and plain text searches. Results are returned in lists, from which the user can select individual matches for use in file editing.

Bug Fix

BZ#440628
Previously, the spec file contained the %{dist} tag on the "Release" line. To comply with the packaging and naming guidelines, the tag has been changed to %{?dist} with this update.
All users of cscope are advised to upgrade to these updated packages, which fix this bug.

4.19. ctdb

Updated ctdb packages that fix one bug are now available for Red Hat Enterprise Linux 5.
CTDB is a clustered database based on Samba's Trivial Database (TDB). The ctdb package is a cluster implementation used to store temporary data. If an application is already using TBD for temporary data storage, it can be very easily converted to be cluster-aware and use CTDB.

Bug Fix

BZ#739502
Due to a name conflict of tools provided by the samba and tdb-tools packages, some binaries from the tdb-tools have to be renamed upon installation. The ctdb init script did not contain the updated names for the tdb-tools utilities. Consequently, the ctdb service could not be started via the init script. This update corrects the ctdb init script to search for tdb-tools utilities under their new name.
All users of ctdb are advised to upgrade to these updated packages, which fix this bug.

4.20. cyrus-sasl

Updated cyrus-sasl packages that resolve memory leaks are now available.
The cyrus-sasl packages contain the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

Bug Fix

BZ#849581
A memory leak in the digest-md5 plugin was discovered. Specifically, make_client_request was called twice without being freed. Consequently, applications that used DIGEST-MD5 with very large datasets could (and did) crash. This update frees make_client_request correctly and closes the memory leak. Applications using DIGEST-MD5 as part of authentication with large datasets now work as expected.
Note: this update also incorporates two upstream memory leak fixes reported during customer testing.
All cyrus-sasl users should upgrade to these updated packages, which fix these leaks.

4.21. device-mapper-multipath

Updated device-mapper-multipath packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.

Bug Fix

BZ#806204
The multipathd daemon creates its private namespace which is supposed to keep only the file systems that are necessary for multipathd to run. However, multipathd did not check every file system in the namespace, and the namespace thus could contain also non-essential file systems. As a consequence, devices containing such file systems could not be removed from the system. With this update, multipathd verifies all file systems in its private namespace and removes every non-essential file system found. The devices containing the non-essential file systems can now be removed as expected when the file systems are unmounted.
All users of device-mapper-multipath are advised to upgrade to these updated packages, which fix this bug.
Updated device-mapper-multipath packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.

Bug Fix

BZ#858010
If the initrd RAM disk was not rebuilt when a new storage device was added to the system, the new device could be assigned a user_friendly_names value that collided with a value already assigned to another device. Consequently, the original device then stopped working correctly. Now, the multipathd daemon accepts the "-B" option, which makes the user_friendly_names bindings file read-only. When initrd calls multipath with the "-B" option, devices without a binding to a user_friendly_names use their World Wide Identifier (WWID) instead, thus fixing this bug.
All users of device-mapper-multipath are advised to upgrade to these updated packages, which fix this bug.
Updated device-mapper-multipath packages that fix numerous bugs and add several enhancements are now available for Red Hat Enterprise Linux 5.
The device-mapper-multipath packages provide the tools for managing multipath devices.

Bug Fix

BZ#833193
The multipathd daemon ignored all subdirectories in /var/lib/ when deciding which file systems to unmount. Now, the only subdirectory of /var/lib/ that multipathd does not unmount is /var/lib/multipath/. Also, multipathd now unmounts all unnecessary file systems before mounting the ramfs on the /tmp/, /bin/, and /sbin/ directories.
BZ#769990
If initrd was not rebuilt when a new storage device was added to the system, the new device could have been assigned a user_friendly_names value already assigned to another device, and the device stopped working correctly. multipathd now accepts the -B option, which makes the user_friendly_names bindings file read-only. When started with the -B option, multipath devices without a binding to a user_friendly_names use their World Wide Identifier (WWID).
BZ#803849
The multipathd daemon failed to unmount some file systems because the daemon was deleting unnecessary file systems while reading through the list of mounted file systems. Consequently, Multipath could have missed the deleted file systems. The multipathd daemon now reads through all file systems first and creates a list of the file systems to unmount, which are then unmounted based on this list.
BZ#771571
The multipathd daemon incorrectly returned exit code 1 when called with the -h option. The deamon now returns exit code 0 when called with the -h option.
BZ#783522
The multipathd daemon did not always flush the log buffer if it failed during start-up and error messages logged during start-up could be lost. multipathd now always flushes the log buffer on failures and error messages are logged correctly if multipathd terminates unexpectedly during start-up.
BZ#781480
The multipath priority callout programs did not work correctly with CCISS (Compaq Command Interface for SCSI-3 Support) devices because multipath could not convert the ! character in a CCISS sysfs name to the / character in the CCISS device name. Consequently, callout programs failed to set path priorities for these devices. The code has been modified and Multipath now supports the "%c" wildcard for callout functions and the CCISS names are converted correctly.

Enhancements

BZ#742906
This update adds the default configuration for HP P2000 G3 MSA Smart Array Systems.
BZ#744231
Multiple default settings and parameters have been enhanced: - The multipathd daemon did not set the max_fds option and the user had to manually set the max_fds option in multipath.conf. - Multipath did not disable queuing when it stopped: when multipathd stopped on node shutdown, if a multipath device had no working paths and was set to queue_if_no_path, the device queued outstanding IO forever, rendering the machine unresponsive. - The user_friendly_names option was only configurable in the defaults section and users could not override its value in their device-specific configurations. - A path group with many secondary paths could be used instead of the path group with the primary path by default. This happened because Multipath set the priority of path groups to the sum of their path priorities and used the path group with the primary path instead of using a path group with many secondary paths.
Device Mapper Multipath now sets max_fds to the system maximum, queue_if_no_daemon to the "no", and pg_prio_calc to "average" by default. The user_friendly_names property can be configured in the devices section of multipath.conf.
BZ#788965
Configuration for Fujitsu ETERNUS storage systems has been added.
BZ#799847
The built-in configuration for NetApp LUNs has been updated to use the tur path checker by default and multiple hardware table parameters have been updated.
Users of device-mapper-multipath are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.22. dhcp

Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address.
CVE-2012-3571
A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.
Upstream acknowledges Markus Hietava of the Codenomicon CROSS project as the original reporter of this issue.
Users of DHCP should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, all DHCP servers will be restarted automatically.

4.23. diffutils

Updated diffutils packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The diffutils package contains utilities for comparing text files. These utilities include diff, cmp, diff3, and sdiff.

Bug Fixes

BZ#484892
Prior to this update, the "-E" option of the sdiff command was not accepted and returned the following error message:
sdiff: invalid option -- E sdiff: Try `sdiff --help' for more information.
This was because the "-E" option was accidentally omitted from the list of accepted options. This update fixes this bug, and the "-E" option works as expected.
BZ#563618
When using the cmp command's "-s" option to compare files, incorrect results were returned for special files whose metadata is not accurate, for example files in the proc file system. This update fixes this bug by always reading the content of files whose length is reported as zero bytes.
All users of diffutils are advised to upgrade to these updated packages, which fix these bugs.

4.24. doxygen

Updated doxygen packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Doxygen can generate an online class browser in HTML and/or a reference manual in LaTeX from a set of documented source files. The documentation is extracted directly from the sources.

Bug Fix

BZ#448293
Prior to this update, the doxygen utility could create conflicts with multilib when doxygen added timestamps by creating doc files. This update modifies doxygen so that no more conflicts between multilib and doxygen occur.
All users of Doxygen are advised to upgrade to these updated packages, which fix this bug.

4.25. e2fsprogs

Updated e2fsprogs packages that fix one bug are now available for Red Hat Enterprise Linux 5.
[Updated 13 August 2012] This advisory has been updated with the correct product name (that is, Red Hat Enterprise Linux 5) in the Details section. The package included in this revised update has not been changed in any way from the package included in the original advisory.
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in the ext2 file system.

Bug Fix

BZ#824051
Previously, the status of the uuidd daemon was not correct when shown by the service tool, because the stored PID was not the PID of the running uuidd daemon. This was due to the incorrect PID that was written by the uuidd daemon upon startup. With this update, this bug has been fixed so that the returned status of the uuidd daemon is now correct.
All users of e2fsprogs are advised to upgrade to these updated packages, which fix this bug.
Updated e2fsprogs packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The e2fsprogs packages provide a number of utilities for creating, checking, modifying, and correcting any inconsistencies in the ext2 file systems.

Bug Fixes

BZ#701776
Due to a bug in the resize2fs program, the size of the ext3 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16T block devices can now be re-sized within the existing file system size limits.
BZ#707433
Previously, the uuidd daemon (uuidd) wrote an incorrect PID on startup to the /var/lib/libuuid/uuidd.pid file. Consequently, the service utility showed the incorrect status of uuidd because the stored PID was not the PID of the running uuidd process. This bug has been fixed and the returned status of uuidd is now correct in the described scenario.
Users of e2fsprogs are advised to upgrade to these updated packages, which fix these bugs.

4.26. e4fsprogs

Updated e4fsprogs packages that fix two bugs are now available for Red Hat Enterprise Linux 5.

Bug Fixes

BZ#707314
Due to a bug in the resize2fs program, the size of the ext4 file system created on a 16TB block device could not be modified. Consequently, the "device too big" error occurred. This bug has been fixed and file systems residing on 16TB block devices can now be re-sized within the existing file system size limits.
BZ#785200
Prior to this update, the mke4fs command created an ext2 file system by default. In order to create an ext4 file system, the "-t ext4" command-line option had to be inserted. This behavior has been changed, and mke4fs now creates an ext4 file system by default, without the need for extending the command.
Users of e4fsprogs package are advised to upgrade to these updated packages, which fix these bugs.

4.27. esc

Updated esc packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The esc packages contain the Smart Card Manager GUI, which allows user to manage security smart cards. The primary function of the tool is to enroll smart cards, so that they can be used for common cryptographic operations, such as secure e-mail and website access.

Bug Fixes

BZ#807269
The ESC utility did not start when the latest 10 series release of the XULRunner runtime environment was installed on the system. This update includes necessary changes to ensure that ESC works as expected with the latest version of XULRunner.
BZ#807801
After removing and replacing an enrolled token, ESC could terminate unexpectedly followed by a traceback. A patch has been applied to address this issue and ESC now displays the enrolled smart card details as expected.
All users of esc are advised to upgrade to these updated packages, which fix these bugs.

4.28. etherboot

Updated etherboot packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The etherboot packages provide an open-source network bootloader. Etherboot replaces the proprietary Preboot eXecution Environment (PXE) ROMs. It also provides additional features, such as DNS, HTTP and iSCSI.

Bug Fix

BZ#714880
The etherboot-zroms-kvm package runs the update-alternatives utility during installation; however, the chkconfig package which provides the utility was previously not required by etherboot-zroms-kvm. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of etherboot-zroms-kvm.
All etherboot users are advised to upgrade to these updated packages, which fix this bug.

4.29. expat

Updated expat packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Expat is a C library written by James Clark for parsing XML documents.

Security Fixes

CVE-2012-0876
A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
CVE-2012-1148
A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
All Expat users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, applications using the Expat library must be restarted for the update to take effect.

4.30. file

Updated file packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The File utility is used to identify a particular file according to the type of data contained in the file.

Bug Fixes

BZ#758105
Prior to this update, the swap signature on the Itanium architecture was not stored in the same place as on other architectures. As a consequence, the file utility failed to detect the swap signature on Itanium. This update adds a new "magic" pattern to detect the swap signature on Itanium architecture.
BZ#789830
Prior to this update, the "magic" pattern to detect Infocom Game Data was too weak. As a consequence, Some files were wrongly identified as Infocom Game Data when they were actually in different format. This update modifies the Infocom Game Data "magic" pattern so only valid Infocom Game Data files are detected by this pattern.
BZ#758631
Prior to this update, the file utility did not contain a "magic" pattern to detect zip64 (zip 3.0) files. As a consequence, the file utility failed to detect archives in the zip64 format. This update adds a new "magic" pattern to detect the zip64 format.
BZ#758634
Prior to this update, the file utility did not contain a "magic" pattern to detect WebM video files. As a consequence, the file utility failed to detect WebM video files. This update adds a new "magic" pattern to detect the WebM files.
BZ#809801
Prior to this update, the file utility did not contain a "magic" pattern to detect LZMA archives. As a consequence, the file utility failed to detect archives in LZMA format were not detected. This update adds a new "magic" pattern to detect the LZMA files.
BZ#826899
Prior to this update, the "magic" pattern to detect Dell BIOS headers was outdated. As a consequence, the file utility failed to detect newer BIOS formats. This update modifies the ""magic"" pattern to detect also new formats of Dell BIOS correctly.
BZ#826901
Prior to this update, the file utility contained ""magic"" patterns that incorrectly detected files according to one byte only. As a consequence, Unicode text files that contained the particular byte in a particular position could be incorrectly recognized as DOS executable files. This update removes the problematic patterns. Patterns that match less than 16 bits are no longer accepted, and the utility no longer detects Unicode files as DOS executables.
All users of the file utility are advised to upgrade to these updated packages, which fix these bugs.

4.31. firefox

Updated firefox packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The firefox packages provides an open source web browser, Mozilla Firefox.

Bug Fix

BZ#871568
The "out-of-process plug-ins" feature was previously disabled for wrapped plug-ins by default. This could cause Firefox to terminate unexpectedly when accessing a page that contained a flash object and the flash plug-in and the nswrapperplugin plug-in viewer were installed. To resolve this problem, the "out-of-process plug-ins" feature has been enabled for the wrapped plug-ins. Firefox no longer crashes in this scenario.
All users of firefox are advised to upgrade to these updated packages, which fix this bug.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-1970, CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)

Security Fixes

CVE-2012-3969, CVE-2012-3970
A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3967, CVE-2012-3968
Two flaws were found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3966
A flaw was found in the way Firefox decoded embedded bitmap images in Icon Format (ICO) files. A web page containing a malicious ICO file could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-3966)
CVE-2012-3980
A flaw was found in the way the "eval" command was handled by the Firefox Web Console. Running "eval" in the Web Console while viewing a web page containing malicious content could possibly cause Firefox to execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3972
An out-of-bounds memory read flaw was found in the way Firefox used the format-number feature of XSLT (Extensible Stylesheet Language Transformations). A web page containing malicious content could possibly cause an information leak, or cause Firefox to crash.
CVE-2012-3976
It was found that the SSL certificate information for a previously visited site could be displayed in the address bar while the main window displayed a new page. This could lead to phishing attacks as attackers could use this flaw to trick users into believing they are viewing a trusted site.
CVE-2012-3978
A flaw was found in the location object implementation in Firefox. Malicious content could use this flaw to possibly allow restricted content to be loaded.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.7 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Gary Kwong, Christian Holler, Jesse Ruderman, John Schoenick, Vladimir Vukicevic, Daniel Holbert, Abhishek Arya, Frédéric Hoguin, miaubiz, Arthur Gerkis, Nicolas Grégoire, Mark Poticha, moz_bug_r_a4, and Colby Russell as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.7 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that address security issues, fix bugs, add enhancements, and upgrade Firefox to version 10.0, are now available for Red Hat Enterprise Linux 5 and 6.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.
The firefox packages have been upgraded from version 3.6.26 to version 10.0.1, which provides a number of bug fixes and enhancements over the previous version. (BZ#789048, BZ#786872)
These updated firefox packages include numerous bug fixes and enhancements. Space precludes documenting these changes in this advisory. For details concerning these changes, refer to the Firefox release notes.

Bug Fix

BZ#794721, BZ#789051
Previously, with the xulrunner-5.0-2.el6 package installed, the yelp plug-in failed to start and returned the "Could not initialize gecko!" error message. Now, the updated yelp package has been provided and yelp works as expected in the described scenario.
Important: Firefox 10 is not completely backwards-compatible with all Mozilla add-ons and Firefox plug-ins that worked with Firefox 3.6. Firefox 10 checks compatibility on first-launch, and, depending on the individual configuration and the installed add-ons and plug-ins, may disable said Add-ons and plug-ins, or attempt to check for updates and upgrade them. Add-ons and plug-ins may have to be manually updated.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues and three bugs are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser.
CVE-2012-0461, CVE-2012-0462, CVE-2012-0464
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0456, CVE-2012-0457
Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image files. A web page containing a malicious SVG image file could cause an information leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0455
A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame.
CVE-2012-0458
It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox.
CVE-2012-0459
A flaw was found in the way Firefox parsed certain web content containing "cssText". A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0460
It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. A web page containing malicious web content could exploit this API flaw to cause user interface spoofing.
CVE-2012-0451
A flaw was found in the way Firefox handled pages with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.3 ESR.

Bug Fixes

BZ#729632
When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes occurred when closing Firefox.
BZ#784048
Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused Firefox to crash.
BZ#799042
The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the "/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/" directory on 64-bit systems. These directories are created by the xulrunner package; however, they were missing from the xulrunner package provided by the RHEA-2012:0327 update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing dependency errors when attempting to install the java-1.6.0-ibm-plugin or java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This issue did not affect users of Red Hat Enterprise Linux 6.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.3 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2011-3062
A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential exploits in malformed OpenType fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0467, CVE-2012-0468, CVE-2012-0469
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0470
A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0472
A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0478
A flaw was found in the way Firefox rendered certain images using WebGL. A web page containing malicious content could cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0471
A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
CVE-2012-0473
A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page containing malicious content could cause Firefox to crash.
CVE-2012-0474
A flaw in Firefox allowed the address bar to display a different website than the one the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks.
CVE-2012-0477
A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character sets. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
CVE-2012-0479
A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Firefox to display the address of said content in the location bar, but not the content in the main window. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the location bar, when the page is actually content controlled by an attacker.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.4 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2011-3062; Aki Helin from OUSPG as the original reporter of CVE-2012-0469; Atte Kettunen from OUSPG as the original reporter of CVE-2012-0470; wushi of team509 via iDefense as the original reporter of CVE-2012-0472; Ms2ger as the original reporter of CVE-2012-0478; Anne van Kesteren of Opera Software as the original reporter of CVE-2012-0471; Matias Juntunen as the original reporter of CVE-2012-0473; Jordi Chancel and Eddy Bordi, and Chris McGowen as the original reporters of CVE-2012-0474; Masato Kinugawa as the original reporter of CVE-2012-0477; and Jeroen van der Gun as the original reporter of CVE-2012-0479.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-1944
Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.
It was found that the Content Security Policy (CSP) implementation in Firefox no longer blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly bypass a web application's intended restrictions, if that application relied on CSP to protect against flaws such as cross-site scripting (XSS).
CVE-2012-1945
If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening HTML files from Microsoft Windows shares, or Samba shares, that are mounted on their systems.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938; Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-3982, CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-3986, CVE-2012-3991
Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.
CVE-2012-1956, CVE-2012-3992, CVE-2012-3994
Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, script injection, or spoofing attacks.
CVE-2012-3993, CVE-2012-4184
Two flaws were found in the way Chrome Object Wrappers were implemented. Malicious content could be used to perform cross-site scripting attacks or cause Firefox to execute arbitrary code.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.8 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili, miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White, moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these issues.

Bug Fix

BZ#809571, BZ#816234
In certain environments, storing personal Firefox configuration files (~/.mozilla/) on an NFS share, such as when your home directory is on a NFS share, led to Firefox functioning incorrectly, for example, navigation buttons not working as expected, and bookmarks not saving. This update adds a new configuration option, storage.nfs_filesystem, that can be used to resolve this issue.

If you experience this issue:

1) Start Firefox.
2) Type "about:config" (without quotes) into the URL bar and press the Enter key.
3) If prompted with "This might void your warranty!", click the "I'll be careful, I promise!" button.
4) Right-click in the Preference Name list. In the menu that opens, select New -> Boolean.
5) Type "storage.nfs_filesystem" (without quotes) for the preference name and then click the OK button.
6) Select "true" for the boolean value and then press the OK button.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.8 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fix

CVE-2012-4194, CVE-2012-4195, CVE-2012-4196
Multiple flaws were found in the location object implementation in Firefox. Malicious content could be used to perform cross-site scripting attacks, bypass the same-origin policy, or cause Firefox to execute arbitrary code.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.10 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mariusz Mlynski, moz_bug_r_a4, and Antoine Delignat-Lavaud as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.10 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-4202
A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-4210
A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges.
CVE-2012-4207
A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website.
CVE-2012-4209
A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins.
CVE-2012-5841
A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks.
CVE-2012-4201
A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.11 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Abhishek Arya, miaubiz, Jesse Ruderman, Andrew McCreight, Bob Clary, Kyle Huey, Atte Kettunen, Mariusz Mlynski, Masato Kinugawa, Bobby Holley, and moz_bug_r_a4 as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.11 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox.

Security Fixes

CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967
A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-1959
A malicious web page could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges.
CVE-2012-1966
A flaw in the context menu functionality in Firefox could allow a malicious website to bypass intended restrictions and allow a cross-site scripting attack.
CVE-2012-1950
A page different to that in the address bar could be displayed when dragging and dropping to the address bar, possibly making it easier for a malicious site or user to perform a phishing attack.
CVE-2012-1955
A flaw in the way Firefox called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site.
CVE-2012-1957
A flaw in a parser utility class used by Firefox to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Firefox. This issue could have affected other browser components or add-ons that assume the class returns sanitized input.
CVE-2012-1961
A flaw in the way Firefox handled X-Frame-Options headers could allow a malicious website to perform a clickjacking attack.
CVE-2012-1963
A flaw in the way Content Security Policy (CSP) reports were generated by Firefox could allow a malicious web page to steal a victim's OAuth 2.0 access tokens and OpenID credentials.
CVE-2012-1964
A flaw in the way Firefox handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted.
CVE-2012-1965
A flaw in the way Firefox handled feed:javascript URLs could allow output filtering to be bypassed, possibly leading to a cross-site scripting attack.

Bug Fix

BZ#838879
The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6 introduced a mitigation for the CVE-2011-3389 flaw. For compatibility reasons, it remains disabled by default in the nss packages. This update makes Firefox enable the mitigation by default. It can be disabled by setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before launching Firefox.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.6 ESR.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby Holley, Code Audit Labs, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan Bhargavan, Matt McCutchen, Mario Gomes, and Soroush Dalili as the original reporters of these issues.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.6 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect.

4.32. freeradius2

Updated freeradius2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
FreeRADIUS is a high-performance and highly configurable free Remote Authentication Dial In User Service (RADIUS) server, designed to allow centralized authentication and authorization for a network.

Security Fix

CVE-2012-3547
A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).
Red Hat would like to thank Timo Warns of PRESENSE Technologies GmbH for reporting this issue.
Users of FreeRADIUS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, radiusd will be restarted automatically.
Updated freeradius2 packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
FreeRADIUS is an open-source Remote Authentication Dial-In User Service (RADIUS) server which allows RADIUS clients to perform authentication against the RADIUS server. The RADIUS server may optionally perform accounting of its operations using the RADIUS protocol.

Security Fix

CVE-2011-4966
It was found that the "unix" module ignored the password expiration setting in "/etc/shadow". If FreeRADIUS was configured to use this module for user authentication, this flaw could allow users with an expired password to successfully authenticate, even though their access should have been denied.

Bug Fixes

BZ#787111
After log rotation, the freeradius logrotate script failed to reload the radiusd daemon and log messages were lost. This update has added a command to the freeradius logrotate script to reload the radiusd daemon and the radiusd daemon re-initializes and reopens its log files after log rotation as expected.
BZ#846476
The radtest script with the "eap-md5" option failed because it passed the IP family argument when invoking the radeapclient utility and the radeapclient utility did not recognize the IP family. The radeapclient utility now recognizes the IP family argument and radtest now works with eap-md5 as expected.
BZ#846471
Previously, freeradius was compiled without the "--with-udpfromto" option. Consequently, with a multihomed server and explicitly specifying the IP address, freeradius sent the reply with the wrong IP source address. With this update, freeradius has been built with the "--with-udpfromto" configuration option and the RADIUS reply is always sourced from the IP address the request was sent to.
BZ#818885
Due to invalid syntax in the PostgreSQL admin schema file, the FreeRADIUS PostgreSQL tables failed to be created. With this update, the syntax has been adjusted and the tables are created as expected.
BZ#846475
FreeRADIUS has a thread pool that dynamically grows based on load. If multiple threads using the "rlm_perl()" function are spawned in quick succession, the FreeRADIUS server sometimes terminated unexpectedly with a segmentation fault due to parallel calls to the "rlm_perl_clone()" function. With this update, a mutex for the threads has been added and the problem no longer occurs.
BZ#781877
The man page for "rlm_dbm_parser" was incorrectly installed as "rlm_dbm_parse", omitting the trailing "r". The man page now correctly appears as rlm_dbm_parser.
All users of freeradius2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. They are also advised to check for RPM backup files ending in ".rpmnew" or ".rpmsave" under the /etc/raddb/ directory after the update because the FreeRADIUS server will attempt to load every file it finds in its configuration directory. The extra files will often cause the wrong configuration values to be applied resulting in either unpredictable behavior or the failure of the server to initialize and run.

4.33. freetype

Updated freetype packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
FreeType is a free, high-quality, portable font engine that can open and manage font files. It also loads, hints, and renders individual glyphs efficiently.

Security Fixes

CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144
Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132, CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting these issues.
Users are advised to upgrade to these updated packages, which contain a backported patch to correct these issues. The X server must be restarted (log out, then log back in) for this update to take effect.

4.34. ftp

Updated ftp packages that add one enhancement are now available for Red Hat Enterprise Linux 5.
The ftp package provides the standard UNIX command line File Transfer Protocol (FTP) client. FTP is a widely used protocol for transferring files over the Internet, and for archiving files.

Enhancement

BZ#665240
Previously, the command line width in the ftp client was limited to 200 characters. With this update, the maximum possible length of the FTP command line is extended to 4296 characters.
All users of ftp are advised to upgrade to these updated packages, which add this enhancement.

4.35. gawk

Updated gawk packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Problem Description: The gawk package contains the GNU version of awk, a text processing utility. Awk interprets a special-purpose programming language to do quick and easy text pattern matching and reformatting jobs.

Bug Fix

BZ#827372
Prior to this update, the "re_string_skip_chars" function incorrectly used the character count instead of the raw length to estimate the string length. As a consequence, text in multi-byte encoding that did not use the UTF-8 format failed to be processed correctly. This update modifies the underlying code so that the correct string length is used. multi-byte encoding is processed correctly.
All users of gawk requiring multi-byte encodings that do not use UTF-8 are advised to upgrade to these updated packages, which fix this bug.

4.36. gcc

Updated gcc packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Bug Fix

BZ#806394
GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.
Users of gcc are advised to upgrade to these updated packages only if they are encountering functionality problems related to C++11 exception handling.
Updated gcc packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries.

Bug Fixes

BZ#750545
GCC was missing a lazy declaration of a class type destructor in the locate_dtor function in the method implementation. As a consequence, exception handling did not work as expected under certain circumstances and the generated code could terminate unexpectedly. This update adds the missing destructor declaration and the problem no longer occurs.
BZ#760417
Previously, GCC did not correctly handle processor registers and used an incorrect memory operand when processing the CMPXCHG8B instruction. As a consequence, the compiler generated erroneous code if the "-fPIC" option was used. This update modifies the underlying source code so that GCC now handles memory operands correctly and compiles position-independent code with the "fPIC" option as expected.
BZ#797938
GCC previously used incorrect flags for IBM System z specific options, such as "-m31", "-m64", "-mesa", "-mzarch", "-msoft-float", "-mhard-float", "-mlong-double-64" and "-mlong-double-128". As a consequence, when compiling code with any of these options, GCC did not recognize the option and the command failed. With this update, negative flags are now used for these options and code can be compiled successfully in this scenario.
BZ#806275
GCC did not, under rare circumstances, handle exceptions properly when GCC 4.1 libstdc++ was used with GCC 4.4 or later C++11 code. This update improves exception handling so that GCC now processes exceptions as expected when using GCC 4.4 or later to compile code written in C++11.
All users of gcc are advised to upgrade to these updated packages, which fix these bugs.

4.37. gcc44

Updated gcc44 packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The gcc44 packages provide the GNU Compiler Collection (GCC), which includes GNU compilers and related support libraries for C, C++, and Fortran programming languages. These packages also include libgomp, the GNU implementation of the OpenMP Application Programming Interface for multi-platform shared-memory parallel programming.

Upgrade to an upstream version

The gcc44 packages have been upgraded to upstream version 4.4.7, which provides a number of bug fixes and enhancements over the previous version. Among others, this update fixes bugs causing GCC internal errors when compiling code with the "-O2" and "-O3" optimization options. Also, support for the OpenMP API version 3.1 has been added to libgomp to ensure compatibility with future GCC releases. (BZ#813708)

Bug Fixes

BZ#815207
Previous version of gcc44 incorrectly stated that the gcc44 package includes a technical preview of GCC version 4.4. The package description has been corrected and no longer claims to provide the technical preview of GCC version 4.4.
BZ#784360
Due to misplaced space characters in the x86 architecture driver, the "-mxop", "-mfma4", "-mbmi" and "-mtbm" compiler options were concatenated incorrectly when compiling code with gcc44. Consequently, compilation failed with an "unrecognized command line option" error. This update fixes space characters position and the options are concatenated correctly. Code is now compiled successfully with these options.

Enhancement

BZ#556962
G++ previously assumed that a value of enumeration type is always in the range specified by the C++ standard. Consequently, if a program converted an arbitrary integer value to the enumeration type, the code compiled with the "-fPIC -O2" or "-fPIC -O3" options could terminate unexpectedly. With this update, the underlying code has been modified to no longer assume strict evaluation of enumeration type. The old functionality can be turned on by specifying the "fstrict-enums" option.
All users of gcc44 are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.38. gdb

Updated gdb packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The GNU Debugger (GDB) allows debugging of programs written in C, C++, Java, and other languages by executing them in a controlled fashion and then printing out their data.

Bug Fix

BZ#837894
When a struct member was at an offset greater than 256 MB, the resulting bit position within the struct overflowed and caused an invalid access by GDB. With this update, the code has been modified to ensure that GDB can access such positions.
All users of gdb are advised to upgrade to these updated packages, which fix this bug.
Updated gdb packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
The gdb packages provide the GNU Debugger (GDB) to debug programs written in C, C++, Java, and other languages by executing them in a controlled fashion and then printing out their data.

Bug Fixes

BZ#795423
Prior to this update, a bit position within a structure overflowed when a member of this structure was at an offset greater than 256 MB and GDB failed to access the position. This update modifies the underlying code to ensure that GDB can access such positions.
BZ#818343
Prior to this update, GDB incorrectly tried to load virtual dynamic shared objects (vDSO) from the file system when using the "solib-absolute-prefix" command. As a consequence, vDSOs could abort. This update modifies the underlying code to handle vDSOs as expected.
BZ#823789
Prior to this update, GDB failed to debug XLF generated code due to incorrect symbol handling. As a consequence, the type of variable in modules was not found. This update modifies the underlying code to handle symbols correctly and the type of a variable is found.
All users of gdb are advised to upgrade to these updated packages, which fix these bugs.

4.39. gdbm

Updated gdbm packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Gdbm is a GNU database indexing library, which includes routines which use extensible hashing. Gdbm works in a similar way to standard UNIX dbm routines.

Bug Fix

BZ#671156
Prior to this update, gdbm-devel had no explicit requirements to gdbm, which could introduce interoperability problems. With this update, the gdbm-devel adds explicit requirements to the gdbm package.
All users of gdbm are advised to upgrade to these updated packages, which fix this bug.

4.40. gfs-kmod

Udated gfs-kmod packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gfs-kmod packages contain kernel modules that provide the ability to mount and use the Global File System (GFS).

Bug Fix

BZ#788694
Prior to this update, registered kobjects could, under certain circumstances, be freed while they were still in use. As a consequence, a kernel panic could occur when processing the gfs_controld daemon. This update adds the kobject release() method. Now, processing the gfs_controld daemon no longer causes a kernel panic.
All users of gfs-kmod are advised to upgrade to these updated packages, which fix this bug.

4.41. gfs-utils

Updated gfs-utils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gfs-utils packages provide various user-space tools necessary to mount, create, maintain, and test Global File Systems (GFS).

Bug Fix

BZ#788694
Prior to this update, the gfs_fsck file system checker failed to detect "bad indirect block pointer" corruptions due to incorrect error paths. This update modifies the gfs_fsck error paths. Now, gfs_fsck detects and repairs corruptions as expected.
All users of gfs-utils are advised to upgrade to these updated packages, which fix this bug.

4.42. gfs2-utils

Updated gfs2-utils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gfs2-utils packages provide the user-space utilities necessary to mount, create, maintain and test GFS2 file systems.

Bug Fix

BZ#838910
Prior to this update, an overly long cluster name in /etc/cluster/cluster.conf could cause a buffer overflow when running fsck.gfs2 on a GFS2 file system with a corrupt super block. This update modifies the underlying code to to ensure that the cluster name is truncated appropriately when the super block is being rebuilt. Now, this buffer overflow condition is prevented.
All users of gfs2-utils are advised to upgrade to these updated packages, which fix this bug.

4.43. ghostscript

Updated ghostscript packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files.

Security Fix

CVE-2012-4405
An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.
Red Hat would like to thank Marc Schönefeld for reporting this issue.
Users of Ghostscript are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

4.44. gimp

Updated gimp packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The GIMP (GNU Image Manipulation Program) is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.

Bug Fix

BZ#452998
Prior to this update, the Postscript plug-in could abort with a segmentation fault when saving images as Postscript files from GIMP if a preview was embedded in the file. This update modifies the underlying code so to handle embedded previews.
Users of gimp are advised to upgrade to these updated packages, which fix this bug.
Updated gimp packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The GIMP (GNU Image Manipulation Program) is an image composition and editing program.

Security Fixes

CVE-2009-3909, CVE-2012-3402
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the GIMP's Adobe Photoshop (PSD) image file plug-in. An attacker could create a specially-crafted PSD image file that, when opened, could cause the PSD plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
CVE-2012-3481
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
CVE-2011-2896
A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW) decompression algorithm implementation used by the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
CVE-2012-3403
A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file format plug-in. An attacker could create a specially-crafted KiSS palette file that, when opened, could cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP.
Red Hat would like to thank Secunia Research for reporting CVE-2009-3909, and Matthias Weckbecker of the SUSE Security Team for reporting CVE-2012-3481.
Users of the GIMP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The GIMP must be restarted for the update to take effect.

4.45. glibc

Updated glibc packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Bug Fix

BZ#810323
Previously, glibc did not walk through the entire list of Network Information Service (NIS) password or group buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire lists so that memory is freed as expected and memory leaks no longer occur in this scenario.
All users of glibc are advised to upgrade to these updated packages, which fix this bug.
Updated glibc packages that fix multiple bugs and add several enhancements are now available for Red Hat Enterprise Linux 5.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.glibc is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

Bug Fixes

BZ#823905
Using the iconv() or the iconv command to convert a file or string from IBM-930 encoding to another encoding, such as UTF-8, resulted in a segmentation fault. This happened if the file or string contained the invalid multibyte character 0xffff. Now, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler and the segmentation fault no longer occurs.
BZ#837852
Due to logic errors, functions exp(), exp2(), pow(), sin(), tan(), and rint() could return different results in non-default rounding modes or terminate with a segmentation fault. Multiple fixes have been applied to the function implementations and the functions now return correct results in all rounding modes.
Note that the change can cause runtime performance loss as values which were previously handled by the fast function implementation are now handled by the slower multi-precision library to achieve accurate results.
BZ#813348
The dynamic linker previously sorted cyclic dependencies incorrectly when there were more that 127 Dynamic Shared Objects (DSO). The changed order of the dependencies caused some programs to behave differently or crash due to symbol resolution failure. This update fixes the initialization order of the cyclic dependencies and the problem no longer occurs.
BZ#848481
Various functions that called the nl_explode_name() function failed to check its return value for errors. As a result, applications could terminate unexpectedly after passing a NULL pointer or uninitialized values to the calling functions. The callers of nl_explode_name() have been updated to check for error conditions and fail gracefully.
BZ#808014
Previously, if the Name Service Cache Daemon (nscd) daemon received a CNAME (Canonical Name) record as a response to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to Live) value of the underlying A or AAAA response. This caused the nscd daemon to wait for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses the shortest TTL from the response as the TTL value for the entire record and DNS entries are now reloaded as expected in this scenario.
BZ#799853
The Slovak currency was set to the Slovak Crown. However, Slovakia now uses the Euro. The Slovak currency was set to the Euro.
BZ#809325
Previously, glibc did not walk through the entire list of buffers. As a consequence, when utilizing the NIS password or group maps, allocated memory was not freed properly, which caused memory leaks. This update modifies glibc to walk through the entire list so that memory is freed as expected and memory leaks no longer occur in this scenario.
BZ#751748
A race between the _IO_flush_all_lockp() function and pthread_cancel() function could cause a process to become unresponsive during forking. This happened because the _IO_unlock_lock macro decremented the lock count before it attempted to unlock its lock and did not check if the count contained a positive value. If the lock was never held since _IO_unlock_lock(), the macro did not release the lock due to the lock count being less than zero. With this update, the lock count is decremented only if it contains a positive value.
BZ#639000
The Ukrainian currency symbol was incorrectly set to rp. With this update, the currency symbol was corrected to rpH.
BZ#759341
A race condition existed between functions which allocated and reclaimed stacks in multi-threaded applications. As a result, some applications could enter a deadlock. The code for managing lists of stacks has been changed to publish its changes to all threads at the appropriate time. This fixes synchronization between the multiple threads and eliminates the race condition.
BZ#788989
The Name Service Cache Daemon (nscd) terminated unexpectedly if a group contained a few thousand members. This was caused by a stack overflow which resulted in a segmentation fault in nscd. With this update, when a large amount of memory is needed for a group with many members, the memory is allocated on the heap instead of the stack. This prevents the stack overflow and nscd no longer crashes in this scenario.
BZ#839572
During installation on IBM System z, Red Hat Enterprise Linux Server installer returned traceback with the following error value after the stage2 download:
ValueError: (3, 'No such process')
This was due to a workaround implementation for IBM System z in the fegetenv() function in the math.h header file. With this update, the function implementation was modified so as to follow the IEEE standard and the problem no longer occurs.
BZ#769852
A race condition between the setuid() function and the sighandler_setxid() function could result in a lock remaining unreleased. As a result, an application could remain in a deadlock. With this update, the lock is released in this scenario and proper synchronization between the threads is maintained.
BZ#843672
Prior to this update, when a multi-threaded process called the qsort() function, a race condition could occur. This could result in an uninitialized memory read and the process could receive a floating point exception or other fault condition. The race condition in the function code has been fixed and the problem no longer occurs.
BZ#766832
Calling the strncmp() function on the Power4 processors could cause the program to terminate unexpectedly. This occurred because the function occasionally attempted to read past the zero byte in certain cases. With this update, strings are aligned correctly and the function no longer attempts to read past the zero byte.
BZ#710216
The Portuguese locale (pt_PT.utf8) incorrectly used the $ character instead of the , character as its decimal point. The error has been corrected and the , character is now used as the decimal point as expected.
BZ#703239
Previously, if the /etc/resolv.conf file contained an IPv6 DNS server address with trailing spaces, the address failed to be parsed correctly and DNS lookups with the ping6 command failed. With this update, the parsing code has been corrected so as to cope with trailing spaces and the problem no longer occurs.
BZ#692182
The sysconf() function allows applications to determine values for system limits or options at runtime. The mechanism that sysconf uses to acquire various CACHE parameters previously failed to look up the requested information on Intel Xeon X5670 processors and incorrectly returned zero values. The sysconf() function has been modified to acquire the system information on these processors correctly and the problem no longer occurs.
BZ#806403
A missing check of memory allocation and an incorrect loop test in the nss/getnssent.c source file could cause an application to fail. The memory allocation check and the loop test code have been added and the problem no longer occurs.
BZ#851450
Previously, the ttyname() and ttyname_r() calls returned an error if the /proc/ directory was not mounted. Consequently, some applications did not run in the chroot environment properly. With this update, if the /proc/self/fd/ directory cannot be read, the calls iterate through devices first and only then return an error. As a result, applications which were previously failing now work correctly.
BZ#500767
The getgrent() function generated an error when it requested to read a Network Information Services (NIS) group record of 1024 bytes from the NIS master server. This happened because the function attempted to free an unallocated pointer. With this update, the free() function is not called under these circumstances and getgrent() now works as expected in this scenario.
BZ#797096
Various functions (glob_in_dir, getaddrinfo) could potentially allocate unlimited amounts of data on the stack. As a result, these functions were potential security attack vectors. With this update, these routines use malloc() when allocating large amounts of memory and the security issue is eliminated.
BZ#657266
The Finnish locale included redundant trailing spaces in month abbreviations. This could cause parsing and conversion problems when working with dates. With this update, the trailing spaces have been removed from the definition of abbreviated month format and the parsing and conversion of abbreviated month names work as expected.
BZ#657588
Abbreviated month names in the simplified Chines locale (zh_CN) contained redundant spaces, which caused incorrect output of dates. With this update, the spaces have been removed from the format definition and the system returns dates formatted correctly.
BZ#678227
The Name Service Cache Daemon (nscd) initscript was returning a non-zero exit status when a stop was requested on an already stopped daemon. However, the expected behavior is to consider the request to be successful and return the exit status of zero. The nscd initscript has been modified to handle this case correctly and set the exit status appropriately.
BZ#819430
Previously, the fnmatch() function failed and returned the -1 status code when its pattern argument contained the wildcard character * and the file name argument contained an invalid multibyte encoding character. The fnmatch() function now handles such arguments gracefully: it considers the invalid characters not to match and proceeds.
BZ#800240
If the maximum number of memory pools (arenas) used by a thread was set to 1 (MALLOC_ARENA_MAX=1), the setting was ignored and the program still used multiple pools due to incorrect logic when checking the number of pools in use and reusing pools. With this update, the underlying code has been modified and the pool setting is applied as expected.
BZ#857387
The vfprintf() function returned the ERANGE errno instead of EOVERFLOW when a string of a too long format was specified. The errno is now set correctly to EOVERFLOW in this scenario.

Enhancements

BZ#795896
A Virtual Dynamic Shared Object (VDSO) allows an application in user space to perform some kernel actions with less overhead than if using a system call. The VDSO is often used to provide fast access to the gettimeofday system call data. Support for VDSOs on the IBM System z series platform has been added to glibc.
BZ#641094
Previously, the pthread_create() function used the MAP_32BIT flag to reserve the lower 32 bits of virtual address space for thread stacks so as to provide better performance. This setting is no longer of benefit and in some cases can negatively impact performance. A patch has been backported so that pthread_create() now uses the MAP_STACK flag instead of the MAP_32BIT flag.
BZ#765710
The getaddrinfo() function returns one or more addrinfo structures, each of which contains an Internet socket address. If the hints argument to getaddrinfo() is not NULL, it specifies criteria for selecting the socket address structures to be returned. Previously, getaddrinfo() did not support the Stream Control Transmission Protocol (SCTP) hints. With this update, the getaddrinfo() function has been enhanced to accept SCTP hints.
Users of glibc are advised to upgrade to these updated packages, that fix these bug and add these enhancements.
Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.

Security Fix

CVE-2012-0864
An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
All users of glibc are advised to upgrade to these updated packages, which contain a patch to resolve this issue.
Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Security Fix

CVE-2012-3406
It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

Bug Fix

BZ#837896
If a file or a string was in the IBM-930 encoding, and contained the invalid multibyte character "0xffff", attempting to use iconv() (or the iconv command) to convert that file or string to another encoding, such as UTF-8, resulted in a segmentation fault. With this update, the conversion code for the IBM-930 encoding recognizes this invalid character and calls an error handler, rather than causing a segmentation fault.
All users of glibc are advised to upgrade to these updated packages, which contain backported patches to fix these issues.
Updated glibc packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs on the system. Without these libraries, the Linux system cannot function properly.

Security Fix

CVE-2012-3480
Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.

Bug Fix

BZ#839411
Previously, logic errors in various mathematical functions, including exp, exp2, expf, exp2f, pow, sin, tan, and rint, caused inconsistent results when the functions were used with the non-default rounding mode. This could also cause applications to crash in some cases. With this update, the functions now give correct results across the four different rounding modes.
All users of glibc are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4.46. gnbd

Updated gnbd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gnbd package provides user-level tools for manipulating the global network block device (GNBD).

Bug Fix

BZ#500591
Prior to this update, the gnbd makefile stripped the binaries of their debugging symbols. As a consequence, the gnbd debuginfo package was empty. This update removes the strip commands from the gnbd makefiles. Now, the debuginfo packages have all the appropriate information.
All users of gnbd are advised to upgrade to these updated packages, which fix this bug.

4.47. gnome-session

Updated gnome-session packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gnome-session package provides a utility to start up and manage the GNOME desktop session. Gnome-session starts up other core components of GNOME and handles log-outs and saves the sessions.

Bug Fix

BZ#477688
Prior to this update, the gnome-session utility did not fully honor the "Hidden=" key in autostart desktop files. As a consequence, users could not mark autostart files as Hidden= in their home directory to disable autostart files in system directories.With this update, gnome-session allows users to "mask" system autostart files by installing a file of the same name in ~/.config/autostart with a key Hidden=true when loading autostart files.
All users of gnome-session are advised to upgrade to these updated packages, which fix this bug.

4.48. gnome-vfs2

Updated gnome-vfs2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The gnome-vfs2 packages provide the GNOME Virtual File System, which is the foundation of the Nautilus file manager. neon is an HTTP and WebDAV client library embedded in the gnome-vfs2 packages.

Security Fix

CVE-2009-2473
A denial of service flaw was found in the neon Extensible Markup Language (XML) parser. Visiting a malicious DAV server with an application using gnome-vfs2 (such as Nautilus) could possibly cause the application to consume an excessive amount of CPU and memory.

Bug Fixes

BZ#580855
When extracted from the Uniform Resource Identifier (URI), gnome-vfs2 returned escaped file paths. If a path, as stored in the URI, contained non-ASCII characters or ASCII characters which are parsed as something other than a file path (for example, spaces), the escaped path was inaccurate. Consequently, files with the described type of URI could not be processed. With this update, gnome-vfs2 properly unescapes paths that are required for a system call. As a result, these paths are parsed properly.
BZ#586015
In certain cases, the trash info file was populated by foreign entries, pointing to live data. Emptying the trash caused an accidental deletion of valuable data. With this update, a workaround has been applied in order to prevent the deletion. As a result, the accidental data loss is prevented, however further information is still gathered to fully fix this problem.
BZ#621394
Due to a wrong test checking for a destination file system, the Nautilus file manager failed to delete a symbolic link to a folder which was residing in another file system. With this update, a special test has been added. As a result, a symbolic link pointing to another file system can be trashed or deleted properly.
BZ#772307
Prior to this update, when directories without a read permission were marked for copy, the Nautilus file manager skipped these unreadable directories without notification. With this update, Nautilus displays an error message and properly informs the user about the aforementioned problem.
BZ#822817
Previously, gnome-vfs2 used the stat() function calls for every file on the MultiVersion File System (MVFS), used for example by IBM Rational ClearCase. This behavior significantly slowed down file operations. With this update, the unnecessary stat() operations have been limited. As a result, gnome-vfs2 user interfaces, such as Nautilus, are more responsive.
All gnome-vfs2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4.49. gnutls

Updated gnutls packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gnutls package provides the GNU Transport Layer Security (GnuTLS) library, which provides a secure layer over a transport layer using protocols such as TLS, SSL and DTLS.

Bug Fix

BZ#789041
Under certain circumstances, a NULL pointer could have been dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that a NULL pointer can no longer be dereferenced and TLS clients no longer crash.
All users of gnutls are advised to upgrade to these updated packages, which fix this bug. All applications linked with the GnuTLS library must be restarted (or the system rebooted) in order for this update to take effect.
Updated gnutls packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
The gnutls packages provides the GNU Transport Layer Security (GnuTLS) library, which provides a secure layer over a transport layer using protocols such as TLS, SSL, and DTLS.

Bug Fixes

BZ#592112
The gnutls packages reported wrong distinguished names (DNs) for chain CA certificates used for the client authentication; the issuer DN was reported instead of the subject DN. As a consequence, the TLS clients were not able to provide a client certificate signed by a chain CA certificate when connecting to a gnutls TLS server. The underlying source code has been modified and gnutls now reports the right DN and the TLS clients work as expected in the described scenario.
BZ#730816
Previously, in the certool utility was a missing check used for an empty string when a challenge password was entered. Consequently, certificate requests generated by certtool were sometimes invalid when an empty challenge password was used. This missing empty-string check has been added and now the certtool's certificate requests are valid even if the challenge password is not entered.
BZ#785001
Under certain circumstances, a null pointer could be dereferenced in the GnuTLS library. This caused TLS clients, such as the rsyslog utility, to terminate unexpectedly with a segmentation fault. This update adds a test condition ensuring that null pointers can no longer be dereferenced and TLS clients no longer crash.
All users of gnutls are advised to upgrade to these updated packages, which fix these bugs.
Updated gnutls packages that fix three security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). GnuTLS includes libtasn1, a library developed for ASN.1 (Abstract Syntax Notation One) structures management that includes DER (Distinguished Encoding Rules) encoding and decoding.

Security Fixes

CVE-2012-1573
A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.
CVE-2012-1569
A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash.
CVE-2011-4128
A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1573 and CVE-2012-1569.
Users of GnuTLS are advised to upgrade to these updated packages, which contain backported patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted.

4.50. gpxe

Updated gpxe packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gpxe packages provide gPXE, an open source Preboot Execution Environment (PXE) implementation and bootloader.

Bug Fix

BZ#714882
The gpxe-roms-qemu runs the update-alternatives utility during installation; however, the chkconfig package, which provides the utility, was previously not required by gpxe-roms-qemu. As a consequence, the installation could fail with a "No such file or directory" error message. The chkconfig package has been added as a dependency to ensure successful installation of gpxe-roms-qemu.
All users of gpxe are advised to upgrade to these updated packages, which fix this bug.

4.51. grub

Updated grub packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
The GRUB utility is responsible for booting the operating system kernel.

Bug Fixes

BZ#212649
The grub documentation contained incorrect information about the planned but unimplemented "grub-set-default" command; the "savedefault" command has been implemented instead, providing similar functionality. This update corrects the grub documentation that now reflect only those commands which have been implemented in GRUB.
BZ#782096
Prior to this update, the "grub-install" command was matching only against one letter after the "sd" string in the disk's device path name. Consequently, disks named "sdaa" and higher were not recognized as disks. The matching expression has been changed and now the "grub-install" command matches against any number of reasonable characters after the "sd" string in the disk's device path name.
BZ#829228
Previously, the number of disks was hard-coded to a maximum of 8. As a consequence, no more than 8 devices could be used. This update has changed the definition of allowed disks to a maximum of 128 and now up to 128 devices can be used.
All users of GRUB are advised to upgrade to these updated packages, which fix these bugs.

4.52. gtk+

Updated gtk+ packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The gtk+ packages provide a multi-platform toolkit for creating graphical user interfaces.

Bug Fix

BZ#694888
Using a Wacom tablet with a dual head configuration caused an error in the GTK+ toolkit when the input coordinates of the Wacom tablet were bound to a single monitor. Consequently, drawing with a pen with pressure sensitivity enabled led to an offset between the pen position and the content drawn on the screen. This update changes the way that input coordinates are translated by the library in this specific case.
All users of GTK+ are advised to upgrade to these updated packages, which fix this bug.

4.53. gtk2

Updated gtk2 packages that fix one bug are now available for Red Hat Enterprise Linux 5.
GIMP Toolkit (GTK+) is a multi-platform toolkit for creating graphical user interfaces.

Bug Fix

BZ#830901
Previously, performing drag-and-drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer crash in the described scenario.
All users of GTK+ are advised to upgrade to these updated packages, which fix this bug.
Updated gtk2 packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
GIMP Toolkit (GTK+) is a multi-platform toolkit for creating graphical user interfaces.

Security Fix

CVE-2012-2370
An integer overflow flaw was found in the X BitMap (XBM) image file loader in GTK+. A remote attacker could provide a specially-crafted XBM image file that, when opened in an application linked against GTK+ (such as Nautilus), would cause the application to crash.

Bug Fixes

BZ#487630
Due to a bug in the Input Method GTK+ module, the usage of the Taiwanese Big5 (zh_TW.Big-5) locale led to the unexpected termination of certain applications, such as the GDM greeter. The bug has been fixed, and the Taiwanese locale no longer causes applications to terminate unexpectedly.
BZ#518483
When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not open the file. With this update, the initially selected file is opened regardless of the visibility of the Location field.
BZ#523657
When a file was initially selected after the GTK+ file chooser dialog was opened and the Location field was visible, pressing the Enter key did not change into the directory. With this update, the dialog changes into the initially selected directory regardless of the visibility of the Location field.
BZ#603809
Previously, the GTK Print dialog did not reflect the user-defined printer preferences stored in the ~/.cups/lpoptions file, such as those set in the Default Printer preferences panel. Consequently, the first device in the printer list was always set as a default printer. With this update, the underlying source code has been enhanced to parse the option file. As a result, the default values in the print dialog are set to those previously specified by the user.
BZ#702342
The GTK+ file chooser did not properly handle saving of nameless files. Consequently, attempting to save a file without specifying a file name caused GTK+ to become unresponsive. With this update, an explicit test for this condition has been added into the underlying source code. As a result, GTK+ no longer hangs in the described scenario.
BZ#743658
When using certain graphics tablets, the GTK+ library incorrectly translated the input coordinates. Consequently, an offset occurred between the position of the pen and the content drawn on the screen. This issue was limited to the following configuration: a Wacom tablet with input coordinates bound to a single monitor in a dual head configuration, drawing with a pen with the pressure sensitivity option enabled. With this update, the coordinate translation method has been changed, and the offset is no longer present in the described configuration.
BZ#830901
Previously, performing drag and drop operations on tabs in applications using the GtkNotebook widget could lead to releasing the same resource twice. Eventually, this behavior caused the applications to terminate with a segmentation fault. This bug has been fixed, and the applications using GtkNotebook no longer terminate in the aforementioned scenario.
All users of GTK+ are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4.54. guagga

Updated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol.

Security Fixes

CVE-2011-3327
A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially-crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network.
CVE-2010-1674
A NULL pointer dereference flaw was found in the way the bgpd daemon processed malformed route Extended Communities attributes. A configured BGP peer could crash bgpd on a target system via a specially-crafted BGP message.
CVE-2011-3323
A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router.
CVE-2011-3324
A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system.
CVE-2011-3325
A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system.
CVE-2011-3326
A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system.
CVE-2012-0249
An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort.
CVE-2012-0250
A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router.
Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249 and CVE-2012-0250. CERT-FI acknowledges Riku Hietamäki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249 and CVE-2012-0250.
Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.

4.55. hal

Updated hal packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The HAL daemon collects and maintains information about the hardware on the system from several sources, and provides a live device list through D-BUS.

Bug Fixes

BZ#704079
Previously, the HAL daemon sometimes identified a non-existent error when running a new process and displayed the following warning:
Warning: Error while wite r->input () to stdin_v.
This bug has been fixed and the HAL daemon now works properly in the described scenario.
BZ#555303
The previous version of the hal package did not provide a manual page for the hal-device utility. This update adds the hal-device(1) manual page to this package.
All users of hal are advised to upgrade to these updated packages, which fix these bugs.

4.56. hplip3

Updated hplip3 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Hewlett-Packard Linux Imaging and Printing (HPLIP) provides drivers for Hewlett-Packard (HP) printers and multifunction peripherals.

Security Fix

CVE-2011-2722
It was found that the HP CUPS (Common UNIX Printing System) fax filter in HPLIP created a temporary file in an insecure way. A local attacker could use this flaw to perform a symbolic link attack, overwriting arbitrary files accessible to a process using the fax filter (such as the hp3-sendfax tool).

Bug Fix

BZ#501834
Previous modifications of the hplip3 package to allow it to be installed alongside the original hplip package introduced several problems to fax support; for example, the hp-sendfax utility could become unresponsive. These problems have been fixed with this update.
All users of hplip3 are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4.57. hsqldb

Updated hsqldb packages that fix one bug are now available for Red Hat Enterprise Linux 5.
HSQLDB is a relational database engine written in Java, with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in-memory and disk-based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (which can be run as applets or servlets), and a number of demonstration examples.
BZ#844877
The HSQLDB database did not depend on java packages of version 1:1.6.0 or later, which caused the hsqldb packages to be installed incorrectly in some cases. Consequently, the build-classpath command did not work on systems without the java-1.6.0-openjdk package installed. This update modifies the hsqldb spec file to add a requirement for java-1.6.0-openjdk, and the installation of hsqldb now proceeds correctly as expected.
All users of hsqldb are advised to upgrade to these updated packages, which fix this bug.

4.58. httpd

Updated httpd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Bug Fix

BZ#825675
Due to a bug in the "mod_cache" module, an unexpected "304 Not Modified" HTTP response could be incorrectly returned to the client on non-conditional HTTP GET requests. With this update, the "mod_cache" module has been modified to correctly handle 304 responses, which are not returned in this scenario.
All users of httpd are advised to upgrade to these updated packages, which fix this bug.
Updated httpd packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Bug Fixes

BZ#873677
Due to a bug in the "mod_mem_cache" module, an aborted HTTP connection could result in a cached entity becoming corrupt. With this update, the "mod_mem_cache" module has been fixed to correctly handle aborted connections, avoiding cache corruption in this scenario.
BZ#873730
Due to a bug in the "mod_cache" module, the "304 Not Modified" response from an origin server was not properly handled when a cached entity was being refreshed. Consequently, the entity could be returned to the HTTP client with incorrect headers. With this update, the "mod_cache" module has been modified to correctly handle headers in the "304 Not Modified" response. The cached entity is now returned with correct headers in this scenario.
All users of httpd are advised to upgrade to these updated packages, which fix these bugs.
Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation.

Security Fix

CVE-2008-0455, CVE-2008-0456, CVE-2012-2687
Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site.

Bug Fix

BZ#752618
Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.
BZ#773473
The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected.
BZ#783242
Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code.
BZ#840845
Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a "chunk-size" or "chunk-extension" value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.
BZ#845532
Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.
BZ#853128
In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a "description" string was received from the origin server, for a non-standard status code, such as the "450" status code, a "500 Internal Server Error" would be returned to the client. This bug has been fixed so that the original response line is returned to the client.

Enhancements

BZ#727342
The configuration directive "LDAPReferrals" is now supported in addition to the previously introduced "LDAPChaseReferrals".
BZ#767890
The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the "ProxyErrorOverride" directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP.
BZ#833042
The "%posttrans" scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.
BZ#833043
The output of "httpd -S" now includes configured alias names for each virtual host.
BZ#840036
New certificate variable names are now exposed by "mod_ssl" using the "_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the commonly used object identifier (OID) definition of "userID", OID 0.9.2342.19200300.100.1.1.
All users of httpd are advised to upgrade to these updated packages, which fix these issues and add these enhancements.
Updated httpd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Bug Fix

BZ#873678
Due to a bug in the mod_mem_cache module, an aborted HTTP connection could result in a cached entity becoming corrupt. This update fixes mod_mem_cache to correctly handle aborted connections, thus avoiding cache corruption in this scenario.
All users of httpd are advised to upgrade to these updated packages, which fix this bug.

4.59. hwdata

Updated hwdata packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 5.
The hwdata packages contain various hardware identification and configuration data.

Bug Fix

BZ#824559
Due to a syntax error in the usb.ids file, the lsusb utility failed to display a list of used USB devices. The syntax error has been removed from the usb.ids file and the lsusb utility now displays the information correctly.

Enhancement

BZ#839225, BZ#870363
The PCI ID numbers have been updated for the Beta and the Final compose lists.
Users of hwdata packages are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

4.60. ImageMagick

Updated ImageMagick packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.
CVE-2012-0247
A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.
CVE-2012-0248
A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
CVE-2012-0260
A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.
Red Hat would like to thank CERT-FI for reporting CVE-2012-0260. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.

Bug Fix

BZ#804546
The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301 ImageMagick update, introduced a regression. Attempting to use the "convert" utility to convert a PostScript document could fail with a "/undefinedfilename" error. With this update, conversion works as expected.
Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect.

4.61. initscripts

Updated initscripts packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The initscripts package contains system scripts to boot your system, change runlevels, activate and deactivate most network interfaces, and shut the system down cleanly.

Bug Fix

BZ#845246
Previously, the kpartx utility was not called with the "-p p" option in the netfs init script. Consequently, inconsistent partition mappings occurred. This bug has been fixed and kpartx is now called as expected.
All users are advised to upgrade to these updated packages, which fix this bug.

4.62. ipa-client

Updated ipa-client packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine. user. virtual machines, groups, and authentication credentials.

Bug Fix

BZ#818313
If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.
All users of ipa-client are advised to upgrade to these updated packages, which fix this bug.
Updated ipa-client packages that fixes two bugs are now available for Red Hat Enterprise Linux 5.
The ipa-client package provides a tool to enroll a machine to an IPA version 2 server. IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.

Bug Fixes

BZ#813387
During the installation, the ipa-client-install utility created a zero-length /etc/sysconfig/network file. Consequently, the information about the network configuration was not specified. The underlying source code has been modified and the installation process no longer erases the configuration file.
BZ#816693
If the client requested keys for encryption types that the server did not support, and the requested key was not returned, the ipa-getkeytab utility, and consequently the client enrollment, failed. With this update, the ipa-getkeytab utility has been modified to no longer fail if the key is not retrieved; a warning message is now displayed instead.
All users of ipa-client are advised to upgrade to these updated packages, which fix these bugs.

4.63. iproute

Updated iproute packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The iproute packages provide networking utilities like ip and rtmon, which use the advanced networking capabilities of the Linux kernel.

Bug Fix

BZ#738965
Prior to this update, the print_route() could, udner circumstances use the wrong "hz" value. As a consequence, the "ip route show" option returned an incorrect value for rto_min (minimum TCP retransmission timeout). This update modifies the underlying code to identify the different "hz" values. Now, the correct rto_min value is displayed.
BZ#751285
Prior to this update, the tc command-line utility generated a wrong filter match for the IPv6 "priority", the resulting match did not reflect the IPv6 header field proper. This update modifies the underlying code to match the IPv6 "Priority" header as expected.
All users of iproute are advised to upgrade to these updated packages, which fix these bugs.

4.64. iprutils

Updated iprutils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The iprutils packages provide a suite of utilities to manage and configure SCSI devices that are supported by the IBM Power RAID SCSI storage device driver.

Upgrade to an upstream version

The iprutils packages have been upgraded to upstream version 2.3.11, which provides a number of bug fixes and enhancements over the previous version. (BZ#795953)

Bug Fixes

BZ#750702
Prior to this update, the iprutils suite did not correctly compute the size of the serial number. As a consequence, the attempt to delete arrays could fail. This update modifies the serial number comparison and increases the buffer size for new adapter configuration data.
BZ#843639
Prior to this update, iprconfig tool failed to delete RAID arrays. This update modifies the underlying code by sending the "START_STOP_STOP" executible before deleting the device. Now, RAID arrays are deleted as expected.
All users of iprutils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.65. ipsec-tools

Updated ipsec-tools packages that fix two bugs is now available for Red Hat Enterprise Linux 5.
The ipsec-tools packages contain configuration and management tools for the IPsec protocol.

Bug Fixes

BZ#852735
Under certain circumstances, the racoon daemon terminated unexpectedly due to referencing a NULL pointer when writing to the system log. The update ensures that the NULL pointer is never referenced by racoon in this scenario, thus fixing this bug.
BZ#852734
When using the setkey command to dump the pfkey database, the setkey command could decrease the size of a kernel buffer that is used to send the data. Consequently, the dumped database was incomplete and the operation failed with an error in the recv() function. With this update, setkey never decreases the kernel buffer size, thus preventing this bug.
All users of ipsec-tools are advised to upgrade to these updated package, which fix these bugs.

4.66. iptables

Updated iptables packages that add an enhancement are now available for Red Hat Enterprise Linux 5.
The iptables utility controls the network packet filtering code in the Linux kernel.

Enhancement

BZ#847729
A new iptables module has been added that allows to configure the Differentiated Services Code Point (DSCP) match extension for the IPv6 protocol.
Users are advised to upgrade to these updated iptables packages, which add this enhancement.

4.67. iscsi-initiator-utils

Updated iscsi-initiator-utils packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The iscsi-initiator-utils packages provide the server daemon for the Internet Small Computer System Interface (iSCSI) protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol (IP) networks.

Upgrade to an upstream version

The iSCSI user-space driver, iscsiuio, has been upgraded to upstream version 0.7.4.3, which provides a number of bug fixes and enhancements over the previous version. In particular, VLAN and routing support. (BZ#796836)

Bug Fix

BZ#849661
The source RPM package for the iSCSI user-space driver, iscsiuio, did not include the NEW and AUTHORS files as required by the GNU packaging guidelines, and did not set the automake foreign option. The iscsiuio autoconf script uses libtool macros, but libtool was not specified as a build requirement in the RPM spec file. Consequently, attempting to rebuild the source RPM package in an environment with automake installed failed. Attempting to rebuild the source RPM package in an environment with autoconf installed, but without libtool, failed. The iscsiuio source has been updated to set the foreign automake option, in order to disable strict enforcing of the GNU packaging guidelines. In addition, libtool has been added as a build requirement for iscsi-initiator-utils, so that the required autoconf macros are available at build time. As a result, the iscsi-initiator-utils package can be built from the source RPM in a build environment that has automake and autoconf installed.

Enhancement

BZ#798178
Some iSCSI offload hardware requires the network interface to be "up" to function properly. Previously, this required additional network configuration steps before starting iSCSI. With this update, when the iSCSI daemon (iscsid) is starting an offloaded iSCSI session, the operational state of the associated network interface is now checked. The network interface is brought into an administrative up state automatically if needed. Offloaded iSCSI sessions can now be established without manually configuring the network interface first, iscsid will bring the interface up if needed.
All users of iscsi-initiator-utils are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.68. java-1.6.0-openjdk

Updated java-1.6.0-openjdk packages that fix various bugs are now available for Red Hat Enterprise Linux 5.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

Bug Fixes

BZ#729502
Previously, the CCacheInputStream class could not to read Kerberos ticket cache files as it failed to handle the configuration settings stored in the ticket cache file under a special principal name. The configuration credentials are now ignored and the ticket cache is parsed correctly. Also, the initial context token generated by the GSSAPI/SPNEGO plug-in was previously rejected by the MIT Kerberos library due to incorrect data type of the reqFlags and NegTokenInit fields. The fields now use the correct data types.
BZ#808293
A JStack exception was thrown when a program was trying to capture both java and native stacktrace (mixed mode). Safety checks have been added and the problem no longer occurs.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which fix these bugs.
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

Security Fixes

CVE-2012-1711, CVE-2012-1719
Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.
CVE-2012-1716
It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
CVE-2012-1713
Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine.
CVE-2012-1723, CVE-2012-1725
Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
CVE-2012-1724
It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop.
CVE-2012-1718
It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.
CVE-2012-1717
It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files.
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.8. Refer to the NEWS file for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

Security Fixes

CVE-2012-1682
It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.
CVE-2012-0547
A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.9. Refer to the NEWS file further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

Security Fixes

CVE-2012-5086, CVE-2012-5084, CVE-2012-5089
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072
Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2012-5079
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2012-5081
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
CVE-2012-5075
It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
CVE-2012-4416
A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
CVE-2012-5077
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
CVE-2012-3216
It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
CVE-2012-5085
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.10. Refer to the NEWS file for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

4.69. flash-plugin

An updated Adobe Flash Player package that fixes three security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fix

CVE-2012-5676, CVE-2012-5677, CVE-2012-5678
This update fixes three vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-27. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.258.
An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fix

CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5278, CVE-2012-5279, CVE-2012-5280
This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB12-24. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.251.
An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fix

CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270, CVE-2012-5271, CVE-2012-5272
This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-22. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.243.
An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fixes

CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166, CVE-2012-4167
This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security pages APSB12-18 and APSB12-19. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content.
CVE-2012-4168
A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
Note: This erratum upgrades Adobe Flash Player from version 10.3.183.20 to version 11.2.202.238.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.238.
An updated Adobe Flash Player package that fixes several security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fixes

CVE-2012-2034, CVE-2012-2035, CVE-2012-2036, CVE-2012-2037, CVE-2012-2039
This update fixes several vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-14.
Several security flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.
CVE-2012-2038
A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.20.
An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fixes

CVE-2012-0779
This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.19.
An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fix

CVE-2012-0773
This update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-07, listed in associated with each description below. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially-crafted SWF content.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.18.
An updated Adobe Flash Player package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

Security Fixes

CVE-2012-0768
This update fixes two vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed on the Adobe security page APSB12-05.
A flaw was found in the way flash-plugin displayed certain SWF content. An attacker could use this flaw to create a specially-crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the specially-crafted SWF content.
CVE-2012-0769
A flaw in flash-plugin could allow an attacker to obtain sensitive information if a victim were tricked into visiting a specially-crafted web page.
All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.16.

4.70. java-1.4.2-ibm

Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. This is the last update of these packages for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM J2SE version 1.4.2 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-1531, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5073, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
This is the last update of the java-1.4.2-ibm packages in Red Hat Enterprise Linux 5 Supplementary. Customers are advised to migrate to later versions of Java at this time. More current versions of IBM Java SE continue to be available via the Red Hat Enterprise Linux 5 Supplementary channel. Customers should also consider OpenJDK which is the default Java development and runtime environment in Red Hat Enterprise Linux. In cases where it is not feasible to move to a later version of supported Java, customers are advised to contact IBM to evaluate other options.
All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM J2SE 1.4.2 SR13-FP14 release. All running instances of IBM Java must be restarted for this update to take effect
Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM J2SE version 1.4.2 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-1713, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM J2SE 1.4.2 SR13-FP13 release. All running instances of IBM Java must be restarted for this update to take effect.
Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The IBM Java SE version 1.4.2 release includes the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit.

Security Fix

CVE-2011-3563, CVE-2012-0499, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506
This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM Java 1.4.2 SR13-FP12 release. All running instances of IBM Java must be restarted for this update to take effect.

4.71. java-1.5.0-ibm

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-1531, CVE-2012-3143, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-5069, CVE-2012-5071, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR15 release. All running instances of IBM Java must be restarted for this update to take effect.
Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1725
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR14 release. All running instances of IBM Java must be restarted for this update to take effect.
Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

Security Fix

CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR13-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect.

4.72. java-1.6.0-ibm

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1682, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR12 release. All running instances of IBM Java must be restarted for the update to take effect.
Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Security Fix

CVE-2012-0551, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR11 release. All running instances of IBM Java must be restarted for the update to take effect.
Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit.

Security Fix

CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page.
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java 6 SR10-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.

4.73. java-1.6.0-sun

Updated java-1.6.0-sun packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

Bug Fix

BZ#868174
Prior to this update, the java-1.6.0-sun-plugin package did not contain an architecture-specific dependency on the java-1.6.0-sun package. Consequently, an error occurred during package unpacking when installation was done in a specific sequence. With this update the dependency has been added, and the aforementioned error no longer occurs.
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which fix this bug.
Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

Security Fix

CVE-2012-0547, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-3143, CVE-2012-3159, CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089
This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages.
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 37. All running instances of Oracle Java must be restarted for the update to take effect.
Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit.

Security Fix

CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page.
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK and JRE 6 Update 33 and resolve these issues. All running instances of Sun Java must be restarted for the update to take effect.

4.74. jpackage-utils

Updated jpackage-utils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The jpackage-utils package installs directory structures, RPM macros, configuration files, and scripts that provide support for jpackage.org Java packaging. It is required by all packages that follow the JPackage conventions.

Bug Fix

BZ#865102
Previously, jpackage-utils did not install java-1.7.0 directories in the /usr/share/ and /usr/lib/ directories. This caused failures when running the build-classpath script with Java 7 set as the javac alternative. These directories are now created and the build-classpath script works as expected with Java 7.
All users of jpackage-utils should upgrade to these updated packages that fix this bug.

4.75. kbd

Updated kbd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The kbd packages provide tools for managing console behavior on a Linux system, including the keyboard, screen fonts, virtual terminals and font files.

Bug Fix

BZ#622981
Prior to this update, the "bin/unicode_start" script was called twice. As a consequence, "unicode_start" with environment variables set to "BASH_ENV=~/.bashrc" and "TERM=linux" could enter an infinite loop. This update modifies the "/etc/unicode_start" init script so that "unicode_start" is now called once and no longer causes a loop.
All users of kbd are advised to upgrade to these updated packages, which fix this bug.

4.76. kdebase

Updated kdebase packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The kdebase packages include core applications for the K Desktop Environment.

Bug Fixes

BZ#500399
If multiple users were using a KDE desktop on the same machine (for example by using the XDMCP protocol), only one user was able to lock the desktop. A patch has been applied to address this problem, and all users can now lock their desktops in the described scenario.
BZ#663638
Previously, the kdebase package did not honor mount options set in the HAL configuration files. This update corrects the problem, so that kdebase honors these mount options.
BZ#669354
On 64-bit systems, if the user changed time backwards, the KWin window manager incorrectly detected applications as not responding. This was due to a timestamp problem, which has been corrected, and KWIN no longer incorrectly reports applications as not responding.
All users of kdebase are advised to upgrade to these updated packages, which fix these bugs.

4.77. kernel

Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2013-2206, Important
A flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled duplicate cookies. If a local user queried SCTP connection information at the same time a remote attacker has initialized a crafted SCTP connection to the system, it could trigger a NULL pointer dereference, causing the system to crash.
CVE-2013-2224, Important
It was found that the fix for CVE-2012-3552 released via RHSA-2012:1540 introduced an invalid free flaw in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to corrupt kernel memory via crafted sendmsg() calls, allowing them to cause a denial of service or, potentially, escalate their privileges on the system.
CVE-2013-2232, Moderate
An invalid pointer dereference flaw was found in the Linux kernel's TCP/IP protocol suite implementation. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system by using sendmsg() with an IPv6 socket connected to an IPv4 destination.
CVE-2013-2147, CVE-2013-2164, CVE-2013-2234, CVE-2013-2237, Low
Information leak flaws in the Linux kernel could allow a privileged, local user to leak kernel memory to user-space.

Bug Fixes

BZ#948187
Switching the FPU context was not properly handled in certain environments, such as systems with multi-core AMD processors using the 32-bit kernel. When running multiple instances of the applications using the FPU frequently, data corruption could occur because processes could often be restored with the context of another instance. This update applies series of patches that modifies the kernel's FPU behavior: the "lazy" FPU context switch is temporarily disabled after 5 consecutive context switches using the FPU, and restored again after the context is switched 256 times. The aforementioned data corruption problem no longer occurs.
BZ#972583
Due to a bug in memory management, a kernel thread process could become unresponsive for a significant amount of time, waiting for a quota of dirty pages to be met and written out, which caused a kernel panic. With this update, memory management allows processes to break out of the throttle loop if there are no more dirty pages available to be written out. This prevents a kernel panic from occurring in this situation.
BZ#976441
Previously, an NFS client could sometimes cache negative dentries until the page cache was flushed or the directory listing operation was performed on the parent directory. As a consequence, an incorrect dentry was never normally revalidated and a stat call always failed, providing incorrect results. This was caused by an incorrect resolution of an attribute indicating a cache change (cache_change_attribute) along with insufficient flushing of cached directories. A series of patches has been backported to resolve this problem so the cache_change_attribute is now updated properly and the cached directories are flushed more readily.
BZ#979920
Due to a segment register that was not reset after a transition to protected mode, a bug could have been triggered in certain older versions of the upstream kernel (the kernel 3.9 - 3.9.4), preventing a guest system from booting and rendering it unresponsive on certain Intel Virtualization Technology (VT) hardware. On the newer kernels, this behavior had a significant impact on the booting speed of virtual machines. This update applies a patch providing early segment setup for the VT feature which allows executing VT under KVM. Guest machines no longer hang on boot and the booting process is now significantly faster when using 64-bit Intel hardware with the VT feature enabled.
BZ#980811
A previous change in the port auto-selection code allowed sharing ports with no conflicts extending its usage. Consequently, when binding a socket with the SO_REUSEADDR socket option enabled, the bind(2) function could allocate an ephemeral port that was already used. A subsequent connection attempt failed in such a case with the EADDRNOTAVAIL error code. This update applies a patch that modifies the port auto-selection code so that bind(2) now selects a non-conflict port even with the SO_REUSEADDR option enabled.
BZ#983452
Due to a bug in the networking stack, the kernel could attempt to deference a NULL pointer if a VLAN was configured on top of a GRE tunnel and network packets were transmitted, which resulted in a kernel panic. A patch has been applied to fix this bug by modifying the net driver to test a VLAN hardware header for a NULL value properly. The kernel no longer panics in this scenario.
BZ#983628
The memory management code specific to the AMD64 and Intel 64 architectures previously did not contain proper memory barriers in the smp_invalidate_interrupt() routine. As a consequence, CPUs on AMD64 and Intel 64 systems containing modulo 8 number of CPUs (8, 16, 24 and so on) could sometimes heavily compete for spinlock resources, spending most of the CPU time by attempts to acquire spinlocks. Such systems could therefore rarely appear to be unresponsive with a very slow computing progress. This update applies a patch introducing proper memory barriers in the smp_invalidate_interrupt() routine so the problem can no longer occur.
BZ#987976
A panic could occur in the XEN hypervisor due to a race in the XEN's tracing infrastructure. The race allows an idle vCPU to attempt to log a trace record while another vCPU executes a hypercall to disable the active tracing using the xenmon.py performance monitoring utility. To avoid triggering the panic, the respective BUG_ON() routine call in the trace code has been replaced with a simple test condition. The XEN hypervisor no longer crashes due to aforementioned race condition.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix three security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with the descriptions below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2012-5515, Moderate
It was found that the Xen hypervisor implementation did not perform range checking on the guest provided values in multiple hypercalls. A privileged guest user could use this flaw to trigger long loops, leading to a denial of service (Xen hypervisor hang).
CVE-2012-1568, Low
It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
CVE-2012-4444, Low
A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system.
Red Hat would like to thank the Xen project for reporting CVE-2012-5515, and Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program and Loganaden Velvindron of AFRINIC for reporting CVE-2012-4444.

Bug Fixes

BZ#884702
Due to a regression introduced by a recent update of the be2net driver, 10Gb NICs configured to use multiple receive queues across multiple CPUs were restricted to use a single receive queue on a single CPU. This resulted in significant performance degradation. With this update, the be2net driver has been corrected to provide support for multiple receive queues on 10Gb NICs as expected.
BZ#884708
Under certain circumstances, a race between certain asynchronous operations, such as "silly rename" and "silly delete", and the invalidate_inodes() function could occur when unmounting an NFS file system. Due to this race, the system could become unresponsive, or a kernel oops or data corruption could occur if an inode was removed from the list of inodes while the invalidate_inodes() function performed an iteration on the inode. This update modifies the NFS code to wait until the asynchronous operations are finished before performing inode clean-up. The race condition no longer occurs and an NFS file system is unmounted as expected.
BZ#884740
Previously, if a target sent multiple local port logout (LOGO) events, the fc_rport_work() function in the Fibre Channel library module (libfc) tried to process all of them, irrespective of the status of processing prior to the LOGO events. Consequently, fc_rport_work() terminated unexpectedly with a stack trace. This update simplifies the remote port (rport) restart logic by making the decision to restart after deleting the transport rport. Now, all I/O operations run as expected and fc_rport_work() no longer crashes in the described scenario.
BZ#884742
With Red Hat Enterprise Linux 5.9, a patch that fixed IGMP reporting bug in a network bridge was backported to the bonding code from Red Hat Enterprise Linux 6. However, two other patches related to the problem were not included. This update backports these patches from Red Hat Enterprise Linux 6. Specifically, the first patch fixing a NULL pointer deference that could occur if the master bond was not a network bridge. The patch adds a testing condition which prevents the code from dereferencing a NULL pointer. The second patch introduces a hook that allows to identify which bridge port is used for the master bridge interface and modifies the bonding code to use new functions to determine whether the used bond is a network bridge.
BZ#885062
Previously, the Xen kernel used the memory size found at the "0x40e" address as the beginning of the Extended BIOS Data Area (EBDA). However, this is not valid on certain machines, such as Dell PowerEdge R710, which caused the system to become unresponsive during boot on these machines. This update modifies the kernel to use the multiboot structure to acquire the correct location of EBDA and the system boot now proceeds as expected in this scenario.
BZ#885692
A previous change in the tg3 driver corrected a bug causing DMA read engine of the Broadcom BCM5717 Ethernet controller to initiate multiple DMA reads across the PCIe bus. However, the original bug fix used the CHIPREV_ID_5717_A0 macro which is more restrictive so that the DMA read problem was not fixed for the Broadcom BCM5718 Ethernet controller. This update modifies the code to use the ASIC_REV_5717 macro, which corrects the original bug properly.
BZ#885700
Previously, when hot-unplugging a USB serial adapter device, the USB serial driver did not properly clean up used serial ports. Therefore, when hot-plugging the USB serial device again, the USB serial driver allocated new port IDs instead of using previously used ports. This update modifies the USB serial driver to clean up open ports correctly so that the ports can be reused next time the device is plugged in.
BZ#886124
Previously, GFS2 did not properly free directory hash table memory from cache when the directory was removed from cache. If the same GFS2 inode was later reused as another directory, the stale directory hash table was reused instead of reading the correct information from the media. If the GFS2 hash table was not reused, a small amount of memory was lost until the next reboot. If the hash table was reused, the directory could become corrupt. Later, GFS2 could discover the file system inconsistency and withdraw from the file system, making it unavailable until the system was rebooted. This update applies a patch to the kernel that frees the directory hash table correctly from cache and prevents this file system corruption.
BZ#886876
Certain recent Intel input/output memory management unit (IOMMU) systems reported very large numbers of supported mapping domains. Consequently, if the number was too large, booting a system with the intel_iommu kernel parameter enabled (intel_iommu=on) failed with the following error message:
Allocating domain array failed.
With this update, a limit of 4000 domains is set to avoid the described problems.
All users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix several hundred bugs and add numerous enhancements are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 5. This is the ninth regular update.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Bug Fixes

BZ#563247
Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' forget list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. With this update, the "b_modified" flag is cleared before the journal head is filed onto any transaction, and assertion failures no longer occur.
BZ#862811
On certain platforms, the be2net driver could incorrectly indicate UE bits and stop further access to be2net-based network interface cards (NICs). With this update, these UE bits are ignored and if a real UE occurs, the corresponding hardware block will automatically go offline and stop the traffic.
BZ#857448
Previously, two threads could race to automount the same Distributed File System (DFS) share. The second thread called the do_add_mount() function after the first thread had completed the automount, and received a reference to the existing vfs_mount inserted by the first thread. Consequently, the new vfs_mount created by this thread for the mount process was dropped. This resulted in the use count for the dentry pointed to by vfs_mount to drop to -1 and the system terminated with a kernel panic. The underlying source code has been modified, and a kernel panic no longer occurs under these circumstances.
BZ#854067
A bug in the ipvs code caused insufficient performance of the Transmission Control Protocol (TCP) when generic receive offload (GRO) or generic segmentation offload (GSO) was enabled on a machine running the IP Virtual Server (IPVS) or Linux Virtual Server (LVS). The TCP connection continued to work, however, only by retransmitting all data, as only TCP segments with a single packet were allowed to go through. This update allows reception of GRO-aggregated packet buffers, through the IPVS framework. On transmission the GSO-aggregated packet buffer is automatically deaggregated by GSO. Use of GSO/GRO together with this update will result in an improved throughput and lower CPU utilization.
BZ#852526
Prior to this update, a process of continuously opening and closing a file within a second could prevent the data cache of a file from ever expiring. This resulted in stale data being presented on the client. With this update, the modify time and size stored in cache for an existing inode are compared with the modify time and size returned by the open() call; the cache is invalidated if the values differ.
BZ#850977
To resolve a kernel panic that occurred under certain circumstances, an upstream cleanup patch for VFS automount support was backported to Red Hat Enterprise Linux 5, which also fixed the panic. This upstream change occurred after the VFS automount support was added to Red Hat Enterprise Linux 5 so was not present.
BZ#840642
An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC now works as expected.
BZ#839753
When attempting to mount a NFS share twice on the same mount point, a check in the do_add_mount() function causes an error to be returned. However, when using the "noac" option, the user was abe to mount the same share on the same mount point multiple times. This was because the "noac" option was automatically assigned the MS_SYNCHRONOUS flag in the nfs_initialise_sb() function. This flag was set after the check for already existing superblocks had been performed in the sget() function, and was therefore not taken into account during the check of mount flags. This update checks for the "noac" option and assigns the MS_SYNCHRONOUS fag before sget() is called to obtain an already existing superblock structure. As a result, it is no longer possible to mount a NFS share on the same location multiple times.
BZ#836244
Failures and errors could occur due to a NULL pointer dereference in the vm_enough_memory() function. To prevent such problems, the NULL checking has been revised
BZ#835660
Previously, if a command timed out to a device with a reservation conflict, the SCSI error handling marked the device as offline. This was because the RESERVATION_CONFLICT return code was treated as a fatal error when a TUR command was sent to confirm that the device was reachable and responding. Consequently, the error handling progressed to the next error routine, eventually marking the device offline. The error processing in the scsi_eh_completed_normally() function has been changed to consider RESERVATION_CONFLICT for a TUR command as success. This causes the scsi_eh_tur() call to pass successfully, and the devices are no longer set as offline.
BZ#834562
An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the aforementioned calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
BZ#746122
The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.
BZ#834379
When two processes attempted to automount an NFS file system at the same time, an account usage error occurred in the dentry of the mount point, leading to EBUSY errors when trying to unmount the file system. In addition, a kernel panic could occur when the automount timeout expired or the shutdown procedure tried to unmount the file system. This was because the vfsmount structure was missing a reference of the mount point. This update ensures that a reference of the mount point is placed on the vfsmount structure before the do_add_mount() function is called. The NFS file system can now be unmounted as expected, and the kernel panic no longer occurs in this scenario.
BZ#833000
Previously, the SAS-2 tape drive was not detected after connecting it to a SATA/SAS Storage Control Unit (SCU) port. This was because the speed values in the isci driver were not updated and the negotiated connection speed for the SAS-2 device was therefore incorrect. With this update, the PHY_LINKRATE values defined in the scsi_transport_sas header file are now used, which ensures correct detection of SAS-2 devices.
BZ#822166
A race condition between a device being opened and the device being disconnected occurred in the evdev code. During this condition, the evdev structure for a device continued to be used after it had been freed. If the memory was reallocated afterward and zeroed by the new owner, the evdev_open() function could become stuck and generate a soft lockup. This update directly uses a kref structure to implement proper reference counting, which prevents the race condition from occurring in this scenario.
BZ#819830
Previously, when listing of IPv6 routing table was prematurely ended, it could cause corruption of that table, leading to various problems, including a kernel panic. To prevent the problems, the routing table is now traversed correctly.
BZ#818787
An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances. Note: This advisory does not include a fix for this bug for the 32-bit architecture
BZ#753244
The function that used to find a resource block (rsb) during directory recovery was searching the rsb's single linear list, which took an excessive amount of time. Consequently, recovery of Distributed Lock Manager (DLM) could take a long time. With this update, the standard hash table is used to find the rsb, which decreases the search time, and DLM recovery finishes in a reasonable time.
BZ#749813
If the IP stack proper is accessed from bridge netfilter, the socket buffer needs to be in a form the IP stack expects. Previously, the entry point on the NF_FORWARD hook did not meet the requirements of the IP stack. Consequently, hosts could terminate unexpectedly. A backported upstream patch has been provided to address this issue and the crashes no longer occur in the described scenario.
BZ#814626
The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.
BZ#809937
A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.
BZ#756506
A kernel panic occurred when the size of a block device was changed and I/O was issued at the same time. This was because the direct and non-direct I/O code was written with the assumption that the block size would not change. This update introduces a new read-write lock, bd_block_size_semaphore. The lock is taken for read during I/O and for write when changing block size. As a result, block size cannot be changed while I/O is being submitted. This prevents the kernel from crashing in the described scenario.
BZ#808489
Previously, requests for large data blocks with the ZSECSENDCPRB ioctl() system call failed due to an invalid parameter. A misleading error code was returned, concealing the real problem. With this update, the parameter for the ZSECSENDCPRB request code constant is validated with the correct maximum value. Now, if the parameter length is not valid, the EINVAL error code is returned, thus fixing this bug.
BZ#805799
A bug in the vsyscall interface caused 32-bit multi-threaded programs, which received the SIGCANCEL signal right after they returned from a system call, to terminate unexpectedly with a segmentation fault when run on the AMD64 or Intel 64 architecture. A patch has been provided to address this issue and the crashes no longer occur in the described scenario.
BZ#804778
Previously, the restriction of the way epoll file descriptors could nest was overly aggressive. Consequently, certain applications were unable to add the desired number of epoll watches and possibly terminated unexpectedly or became unresponsive. With this update, there is no restriction on the number of epoll file descriptors that can be attached to the source file descriptor, thus preventing the described problems. Note that if an application requests a deeply-nested epoll file descriptor, the request fails gracefully rather that causing the kernel to terminate unexpectedly.
BZ#800653
The qla2xxx driver set up interrupts for Qlogic 4Gb Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now sets up interrupts as expected.
BZ#800575
When a slave started up, the active flags failed to be marked inactive while unsetting the current_arp_slave parameter. Consequently, more than one slave with active flags in active-backup mode could be present on the system. With this update, the active flags are properly marked inactive from a slave before the current_arp_slave is unset, thus preventing this bug.
BZ#799530
When the Fibre Channel (FC) layer sets a device to "running", the layer also scans for other new devices. Previously, there was a race condition between these two operations. Consequently, for certain targets, thousands of invalid devices were created by the SCSI layer and the udev service. This update ensures that the FC layer always sets a device to "online" before scanning for others, thus fixing this bug. Additionally, when attempting to transition priority groups on a busy FC device, the multipath layer retried immediately. If this was the only available path, a large number of retry operations was performed in a short period of time. Consequently, the logging of retry messages slowed down the system. This bug has been fixed by ensuring that the DM Multipath feature delays retry operations in the described scenario.
BZ#799170
When the kvmclock initialization was used in a guest, it could write to the time stamp counter (TSC) and, under certain circumstances, could cause the kernel to become unresponsive on boot. With this update, TSC synchronization, which is unnecessary due to kvmclock, has been disabled, thus fixing this bug.
BZ#798048
The mlx4 driver did not contain the necessary callbacks to implement Enhanced I/O Error Handling and recovery, so the PCI layer used the probe and remove callbacks to try to recover the device after an error occurred on the bus. However, a race condition occurred between these callbacks and the internal catastrophic error recovery functions which also detected the error, and consequently caused a kernel oops if both EEH and the internal recovery functions attempted to reset the device. This update adds the necessary error recovery callbacks and ensures that the internal catastrophic error functions do not try to reset the device in such scenarios. Also, additional calls have been added to suppress read and write operations on the bus when the slot cannot accept I/O operations, which prevents unnecessary accesses to the bus and speeds up the device removal.
BZ#797011
Due to a regression, the ifdef macro was used with an invalid value. Consequently, the tg3 driver did not support VLAN tagging and the vconfig utility was unable to configure VLAN tagging properly, thus blocking the network connection. This update removes incorrect usages of ifdef from the code and the VLAN support now works as expected.
BZ#771366
When using the Intel e1000e ethernet driver, the RXCW register's invalid bit (IV) was being set periodically due to incorrect register read logic for the 82571 Serializer-Deserializer (SERDES), which resulted in link flapping. The read logic has been improved: RXCW is now read twice to filter one-time false events and obtain correct values for the IV bit. Link flaps no longer occur in this scenario.
BZ#795672
Certain Broadcom devices, mostly the BMC5704 controllers, failed to work due to incorrect TSO (TCP Segmentation Offload) handling in the tg3 driver. The TSO handling code has been revised so that the devices now work as expected.
BZ#772192
Due to a bug in the qla2xxx driver and the HBA firmware, storage I/O traffic could become unresponsive during storage fault testing. With this update, these bugs have been fixed and the hangs no longer happen in the described scenario.
BZ#772216
Previously, secondary, tertiary, and other IP addresses added to bond interfaces could overwrite the bond->master_ip and vlan_ip values. Consequently, a wrong IP address could be occasionally used, the MII (Media Independent Interface) status of the backup slave interface went down, and the bonding master interfaces were switching. This update removes the master_ip and vlan_ip elements from the bonding and vlan_entry structures, respectively. Instead, devices are directly queried for the optimal source IP address for ARP requests, thus fixing this bug.
BZ#790900
When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.
BZ#773022
Due to a bug in the error clean-up code, the kernel could fail to boot when a tg3 NIC utilized the 4 KB transmit segmentation code but could not map all the physical memory fragments. This update rectifies the situation so that the tg3 driver no longer prevents the kernel from booting.
BZ#773735
When using the be2net driver, if a card was reset due to EEH (Enhanced Error Handling), the error recovery involves ring clean-up and re-creation. However, because worker threads touch this ring, there was a race condition that caused kernel to terminate unexpectedly. With this update, a worker thread is stopped during this clean-up process, thus preventing this bug.
BZ#790840
The QDIO (Queued Direct I/O) data transfer architecture maintains a "buffers-used" counter for its hardware buffers. If the buffers were returned in the ERROR state, the counter was updated incorrectly when running under the z/VM operating system with the QIOASSIST flag switched on. Consequently, the buffer handling logic in QDIO was working incorrectly. This update fixes the code to update the counter correctly in the described scenario, thus fixing this bug.
BZ#782124
When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.
BZ#790103
A kernel panic could occur on IBM Power systems while running the fsfuzz test. This was caused by an attempt to perform an I/O operation on an unmapped buffer, which triggered a BUG_ON() function call. This update modifies the kernel so that I/O operations can be performed only on mapped buffers. The kernel no longer panics in this scenario.
BZ#782677
Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.
BZ#782790
A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.
BZ#788777
When SAS (Serial Attached SCSI) disks were present on the system and the CK_COND=1 parameter was set in the Command Descriptor Block (CDB), the SAT ATA PASS-THROUGH commands produced a large number of irrelevant warning messages, clogging up logs with useless information. With this update, the logging has been disabled in the described scenario, thus fixing this bug.
BZ#783043
An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.
BZ#783540
Previously, a kernel panic could occur on IBM S/390 systems after a reboot. This happened due to a race condition between the raw3215_tasklet() and the tty3215_close() functions, which could result in calling the tty_wakeup() function with either a NULL pointer or with a pointer to an already freed tty structure. This update prevents the race condition by adding the tasklet_kill() function call to the tty3215_close() function. The kernel no longer panics when closing the 3215 console on IBM S/390 systems.
BZ#785062
In NFSv4, both write and open code paths depended on the I_LOCK flag in inode->i_state. In addition to this, the write code path also needs the latest stateid returned by open to before it can proceed. It waits for this while holding the I_LOCK bit in inode->state. As a consequence, multi-threaded applications could be blocked when using NFSv4. With this update, the nfs_fhget() function has been modified to use the I_NEW flag for the open code path, thus fixing this bug.
BZ#789067
When USB hardware uses the ACM interface, there is a race condition that can lead to a system deadlock due to the spinlocks not disabling interrupts. This has been noticed through various types of softlockups. The only workaround is to reboot. The fix is common, when taking a spinlock, disable the interrupts too.
BZ#773777
When a single, large data stream was being written to an NFS server while other applications periodically wrote small amounts of data to a local file system, other applications could experience long pauses when dirty memory reaches the dirty_ratio limit. With this update, the code for COMMIT calls has been improved to not skip such calls if the system is under memory pressure and to allow high priority COMMIT calls to bypass inode commit locks. Now, the pauses in traffic no longer occur in the described scenario.
BZ#798809
The vfs-automount infrastructure assumes that the LOOKUP_DIRECTORY flag is included in nameidata flags if a trailing slash character (/) is given on a path being walked. But this flag is private to the __link_path_walk() function so it must be added when looking up the last component. Previously, during a path walk where the path included a trailing slash character, LOOKUP_DIRECTORY was not propagated to path walk functions. Consequently, directories that needed to trigger an automount failed to do so, which resulted in a -ENOTDIR error. This bug has been fixed and the error code is no longer returned in the described scenario.
BZ#804800
Starting with Red Hat Enterprise Linux 5.6, all devices that used the ixgbe driver would stop stripping VLAN tags when the device entered promiscuous mode. Placing a device in a bridge group causes the device to enter promiscuous mode. This caused various issues under certain configurations of bridging and VLANs. A patch has been provided to address this issue and the devices now properly strip VLAN tags in the driver whether in promiscuous mode or not.
BZ#848098
Previously, the code checking for a NULL pointer was incorrect; it checked for a non-NULL pointer instead. As a consequence, this could lead to a kernel panic. This update corrects the problem, so that the kernel no longer crashes in this scenario.
BZ#830226
Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.
BZ#814418
If a path followed a symlink that ended with the slash ("/") character, the LOOKUP_DIRECTORY flag could be set earlier than the last path component. This led to an ENOTDIR (Not a directory) error. The LOOKUP_DIRECTORY flag is now propagated only for the last component. For the purpose of possible automounting, the flag is not needed for intermediate path components; the LOOKUP_CONTINUE flag is set in such a case. The ENOTDIR error no longer occurs in this scenario.
BZ#839770
In the ext4 file system, splitting an unwritten extent while using Direct I/O could fail to mark the modified extent as dirty, resulting in multiple extents claiming to map the same block. This could lead to the kernel or fsck reporting errors due to multiply claimed blocks being detected in certain inodes. In the ext4_split_unwritten_extents() function used for Direct I/O, the buffer which contains the modified extent is now properly marked as dirty in all cases. Errors due to multiply claimed blocks in inodes should no longer occur for applications using Direct I/O.
BZ#830351
On ext4 file systems, when the fallocate() system call failed to allocate blocks due to the ENOSPC condition (no space left on device) for a file larger than 4 GB, the size of the file became corrupted and, consequently, caused file system corruption. This was due to a missing cast operator in the ext4_fallocate() function. With this update, the underlying source code has been modified to address this issue, and file system corruption no longer occurs.
BZ#756091
Calculations for sizing certain memory allocation thresholds (dcache, files-max, ...) depend on the number of physical pages found in a system; this generally includes (occasionally a large amount of) non-RAM pages. Due to a miscalculated number of usable RAM pages, memory allocation thresholds calculation on large systems with discontiguous memory (such as modern NUMA systems) could result in bad sizing. This could impact workload performance. With this update, the aforementioned calculation basis has been switched to what actually is usable as storage (RAM). The sizing of the memory allocation thresholds is now fixed and they render the expected values when they are verified.
BZ#852340
A kernel panic can occur when attempting to create a Fibre Channel over Ethernet (FCoE) session on a network interface controller (NIC) with a virtual LAN (VLAN) enabled. Software-based Fibre Channel over Ethernet (FCoE) is a Technology Preview in Red Hat Enterprise Linux 5, and it is therefore recommended to use Red Hat Enterprise Linux 6 for fully supported software-based FCoE. The following hardware-accelerated FCoE cards are fully supported in Red Hat Enterprise Linux 5: Emulex LPFC, QLogic qla2xxx, Brocade BFA.
BZ#858724
This update changes Xen hypervisor's behavior introduced in the CVE-2012-2934 issue: the host was prevented from booting on AMD processors with the AMD #121 erratum applied. Users were prompted to pass the "allow_unsafe" parameter on the command line to allow booting the Xen host. However, this could prevent remotely managed hosts from being started. With this update, the boot process is no longer denied by default; only guest creation is denied. The allow_unsafe semantics has changed to allow creation of guests instead of allowing booting the host.
BZ#800708
Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.
BZ#782866
The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.
BZ#712513
The kdump kernel maintains the configuration of MSI-X interrupts as created by the crashed kernel but enables only one CPU in the new environment. Previously, this caused the tg3 driver to abort MSI-X setup which caused interrupt delivery to fail. Consequently, the link became unavailable and any attempt to dump a core file to a remote host to failed. With this update, the tg3 driver has been modified to enforce single-vector MSI-X interrupt mode by disabling the multivector interrupt mode for tg3 in the kdump kernel. The NIC is now brought up as expected and kdump can successfully dump a core file to the remote host in this scenario.
BZ#683303
The bnx2x driver performed the initialization of hardware in a way that was unsafe if the previous instance of the driver terminated in an unclean manner. Consequently, the kernel could become unresponsive or panic while initializing the NIC in the kdump environment. With this update, the bnx2x driver has been modified to perform a safer initialization, solving the possible crash scenarios. The NIC is now initialized as expected and kdump can successfully dump a core file to a remote host when using the bnx2x driver.
BZ#845169
Previously, when Enhanced I/O Error Handling (EEH) detected an error while a firmware dump was being collected, a reset of the PCI adapter could have been triggered before the dumping operation could complete. As a consequence, the firmware dump was interrupted and recovery of the PCI adapter failed leaving the adapter in an inconsistent state. This update modifies the be2net driver to wait for the firmware dump to complete before resetting EEH. A core file is successfully dumped and the PCI adapter recovers as expected in this scenario.
BZ#842486
When bringing up a network interface with VLANs configured on top of it using the mlx4 driver, the kernel could panic due to a NULL pointer dereference. This was caused by the core networking code which called the VLAN addition routine before setting the VLAN device entry in the VLAN group table. This update modifies the mlx4 driver to prevent this behavior so that the VLAN device entry in now added to the VLAN group table before adding the VLAN and the kernel no longer panics in this scenario.
BZ#786403
Due to incorrect information provided by firmware, the netxen_nic driver did not calculate the correct Generic Segmentation Offload (GSO) length of packets that were received using the Large Receive Offload (LRO) optimization. This caused network traffic flow to be extensively delayed for the NICs using LRO on netxen_nic, which had a huge impact on NIC's performance (in some cases, throughput for some 1 GB NICs could be below 100 kbs). With this update, firmware now provides the correct GSO packet length and the netxen_nic driver has been modified to handle new information provided by firmware correctly. Throughput of the NICs using the LRO optimization with the netxen_nic driver is now within expected levels.

Enhancements

Note

For more information on the most important of the Red Hat Enterprise Linux 5.9 kernel enhancements, refer to the Kernel and Device Drivers chapters in the Red Hat Enterprise Linux 5.9 Release Notes on https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/.
BZ#872612
The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.
BZ#640206
With this update, NIC speed and duplex information are now exported through sysfs. This feature allows users to determine the state and status of the NIC and it's connections.
BZ#605727
This update modifies IPMI to support configurable timeouts and retry attempts for the keyboard controller-style (KCS) interface. Ability to configure timeouts and retry attempts ensures that no IPMI requests or responses are dropped due to the default limit of the KCS host driver, which increases reliability of communication over KCS.
BZ#790841
With this update, the mlx4 driver has been upgraded to the The OpenFabrics Alliance Enterprise Distribution (OFED) level 1.5.4.1 with the exception of the XRC support. Among other changes, the update includes support for IBoE, which is, however, disabled by default, and a fix for a bug related to the mlx4 multicast support.
All Red Hat Enterprise Linux 5 users are advised to install these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Bug Fix

BZ#749246
The root user without the CAP_SYS_ADMIN capability was able to reset the contents of the "/proc/sys/kernel/dmesg_restrict" configuration file to 0. Consequently, the unprivileged root user could bypass the protection of the "dmesg_restrict" file and read the kernel ring buffer. This update ensures that only the root user with the CAP_SYS_ADMIN capability is allowed to write to the dmesg_restrict file. Any unauthorized attempt on writing to this file now fails with an EPERM error.
BZ#786168
An Ethernet physical transceiver (a PHY chip) was always powered up when a network interface card (NIC) using the igb driver was brought down. Recent changes had modified the kernel so that the PHY chip was powered down in such a scenario. With this PHY power saving feature, the PHY chip could unexpectedly lose its settings on rare occasions. Consequently, the PHY chip did not recover after the NIC had been re-attached and the NIC could not be brought up. The igb driver has been modified so that the PHY chip is now reset when the NIC is re-attached to the network. NICs using the igb driver are brought up as expected.
BZ#789369
The way how the kernel processes dentries in the dcache when unmounting file systems allowed the concurrent activity on the list of dentries. If the list was large enough, the kernel could, under certain circumstances, panic due to NMI watchdog timeout triggered by the waiting concurrent process. This update modifies underlying functions to use a private dcache list for certain operations on the dcache so that concurrent activities are no longer affected in this scenario.
BZ#790778
The Abstract Control Model (ACM) driver uses spinlocks to protect the lists of USB Request Blocks (URBs) and read buffers maintained by the driver. Previously, when a USB device used the ACM interface, a race condition between scheduled ACM tasklets could occur. Consequently, the system could enter a deadlock situation because tasklets could take spinlocks without disabling interrupt requests (IRQs). This situation resulted in various types of soft lockups ending up with a kernel panic. This update fixes the problem so that IRQs are disabled when a spinlock is taken. Deadlocks no longer occur and the kernel no longer crashes in this scenario.
BZ#790907
A recent change in the QLogic qla2xxx driver introduced a bug which could, under rare circumstances, cause the system to become unresponsive. This problem occurred during I/O error recovery on systems using SAN configurations with QLogic Fibre Channel Hot Bus Adapters (HBAs). This update corrects the qla2xxx driver so the system no longer hangs in this scenario.
BZ#790910
Due to recent changes in the tg3 driver, the driver attempted to use an already freed pointer to a socket buffer (SKB) when the NIC was recovering from unsuccessful memory mapping. Consequently, the NIC went offline and the kernel panicked. With this update, the SKB pointer is newly allocated in this scenario. The NIC recovers as expected and a kernel panic does not occur. Also, the tg3 driver could, under certain circumstances, attempt to unmap a memory fragment that had not been mapped. Consequently, the kernel panicked. This update fixes the bug by correcting the "last" parameter supplied.
BZ#790912
When a network interface card (NIC) with a fan experiences a fan failure, the PHY chip is usually powered down by its firmware. Previously, the bnx2x driver did not handle fan failures correctly, which could trigger a non-maskable interrupt (NMI). Consequently, the kernel could crash or panic. This update modifies the bnx2x driver to handle fan failures properly, the NIC is now shut down as expected and the kernel does not crash in this scenario.
All users are advised to upgrade to these updated packages, which fix these bugs. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix

CVE-2012-3375, Moderate
The fix for CVE-2011-1083 (RHSA-2012:0150) introduced a flaw in the way the Linux kernel's Event Poll (epoll) subsystem handled resource clean up when an ELOOP error code was returned. A local, unprivileged user could use this flaw to cause a denial of service.

Bug Fixes

BZ#816373
The qla2xxx driver handled interrupts for QLogic Fibre Channel adapters incorrectly due to a bug in a test condition for MSI-X support. This update corrects the bug and qla2xxx now handles interrupts as expected.
BZ#817571
A process scheduler did not handle RPC priority wait queues correctly. Consequently, the process scheduler failed to wake up all scheduled tasks as expected after RPC timeout, which caused the system to become unresponsive and could significantly decrease system performance. This update modifies the process scheduler to handle RPC priority wait queues as expected. All scheduled tasks are now properly woken up after RPC timeout and the system behaves as expected.
BZ#820358
The kernel version 2.6.18-308.4.1.el5 contained several bugs which led to an overrun of the NFS server page array. Consequently, any attempt to connect an NFS client running on Red Hat Enterprise Linux 5.8 to the NFS server running on the system with this kernel caused the NFS server to terminate unexpectedly and the kernel to panic. This update corrects the bugs causing NFS page array overruns and the kernel no longer crashes in this scenario.
BZ#824654
An insufficiently designed calculation in the CPU accelerator in the previous kernel caused an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5 days. This overflow led to a kernel panic on the systems using the Time Stamp Counter (TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the calculation so that this arithmetic overflow and kernel panic can no longer occur under these circumstances.
Note: This advisory does not include a fix for this bug for the 32-bit architecture.
BZ#827205
Under memory pressure, memory pages that are still a part of a checkpointing transaction can be invalidated. However, when the pages were invalidated, the journal head was re-filed onto the transactions' "forget" list, which caused the current running transaction's block to be modified. As a result, block accounting was not properly performed on that modified block because it appeared to have already been modified due to the journal head being re-filed. This could trigger an assertion failure in the "journal_commit_transaction()" function on the system. The "b_modified" flag is now cleared before the journal head is filed onto any transaction; assertion failures no longer occur.
BZ#829059
When running more than 30 instances of the cclengine utility concurrently on IBM System z with IBM Communications Controller for Linux, the system could become unresponsive. This was caused by a missing wake_up() function call in the qeth_release_buffer() function in the QETH network device driver. This update adds the missing wake_up() function call and the system now responds as expected in this scenario.
BZ#832169
Recent changes removing support for the Flow Director from the ixgbe driver introduced bugs that caused the RSS (Receive Side Scaling) functionality to stop working correctly on Intel 82599EB 10 Gigabit Ethernet network devices. This update corrects the return code in the ixgbe_cache_ring_fdir function and setting of the registers that control the RSS redirection table. Also, obsolete code related to Flow Director support has been removed. The RSS functionality now works as expected on these devices.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue, various bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix

CVE-2012-1583, Important
A flaw in the xfrm6_tunnel_rcv() function in the Linux kernel's IPv6 implementation could lead to a use-after-free or double free flaw in tunnel6_rcv(). A remote attacker could use this flaw to send specially-crafted packets to a target system that is using IPv6 and also has the xfrm6_tunnel kernel module loaded, causing it to crash.
If you do not run applications that use xfrm6_tunnel, you can prevent the xfrm6_tunnel module from being loaded by creating (as the root user) a "/etc/modprobe.d/xfrm6_tunnel.conf" file, and adding the following line to it:
blacklist xfrm6_tunnel
This way, the xfrm6_tunnel module cannot be loaded accidentally. A reboot is not necessary for this change to take effect.
This update also fixes various bugs and adds an enhancement. Documentation for these changes is available in the Technical Notes document.
Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs and add the enhancement noted in the Technical Notes. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix

CVE-2012-2136, Important
It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access.
This update also fixes various bugs. Documentation for these changes is available in the Technical Notes document.
Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2012-0217, Important
It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
CVE-2012-2934, Moderate
It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ("allow_unsafe=on"). This option should only be used with hosts that are running trusted guests, as setting it to "on" reintroduces the flaw (allowing guests to crash the host).
Note: For Red Hat Enterprise Linux guests, only privileged guest users can exploit the CVE-2012-0217 and CVE-2012-2934 issues.
Red Hat would like to thank the Xen project for reporting these issues. Upstream acknowledges Rafal Wojtczuk as the original reporter of CVE-2012-0217.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix

CVE-2012-2313, Low
A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
Red Hat would like to thank Stephan Mueller for reporting this issue.
This update also fixes several bugs. Documentation for these changes is available in the Technical Notes document.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fixes

CVE-2012-3412, Important
A flaw was found in the way socket buffers (skb) requiring TSO (TCP segment offloading) were handled by the sfc driver. If the skb did not fit within the minimum-size of the transmission queue, the network card could repeatedly reset itself. A remote attacker could use this flaw to cause a denial of service.
CVE-2012-3510, Moderate
A use-after-free flaw was found in the xacct_add_tsk() function in the Linux kernel's taskstats subsystem. A local, unprivileged user could use this flaw to cause an information leak or a denial of service.
CVE-2012-2319, Low
A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS Plus (HFS+) file system implementation in the Linux kernel. A local user able to mount a specially-crafted HFS+ file system image could use this flaw to cause a denial of service or escalate their privileges.
CVE-2012-3430, Low
A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting CVE-2012-3412, and Alexander Peslyak for reporting CVE-2012-3510. The CVE-2012-3430 issue was discovered by the Red Hat InfiniBand team.

Bug Fixes

BZ#846125
The cpuid_whitelist() function, masking the Enhanced Intel SpeedStep (EST) flag from all guests, prevented the "cpuspeed" service from working in the privileged Xen domain (dom0). CPU scaling was therefore not possible. With this update, cpuid_whitelist() is aware whether the domain executing CPUID is privileged or not, and enables the EST flag for dom0.
BZ#847326
If a delayed-allocation write was performed before quota was enabled, the kernel displayed the following warning message:
        WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112()
This was because information about the delayed allocation was not recorded in the quota structure. With this update, writes prior to enabling quota are properly accounted for, and the message is not displayed.
BZ#847327
In Red Hat Enterprise Linux 5.9, the DSCP (Differentiated Services Code Point) netfilter module now supports mangling of the DSCP field.
BZ#847359
Some subsystems clear the TIF_SIGPENDING flag during error handling in fork() paths. Previously, if the flag was cleared, the ERESTARTNOINTR error code could be returned. The underlying source code has been modified so that the error code is no longer returned.
BZ#852448
An unnecessary check for the RXCW.CW bit could cause the Intel e1000e NIC (Network Interface Controller) to not work properly. The check has been removed so that the Intel e1000e NIC works as expected.
Users should upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.
Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix

CVE-2012-2100, Low
It was found that the RHSA-2010:0178 update did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.
This update also fixes several bugs. Documentation for these changes is available in the Technical Notes document.
Users should upgrade to these updated packages, which contain backported patches to correct this issue, and fix the bugs noted in the Technical Notes. The system must be rebooted for this update to take effect.
Updated kernel packages that fix multiple security issues, two bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
These packages contain the Linux kernel.

Security Fixes

CVE-2012-4508, Important
A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file.
CVE-2012-5513, Important
A flaw in the way the Xen hypervisor implementation range checked guest provided addresses in the XENMEM_exchange hypercall could allow a malicious, para-virtualized guest administrator to crash the hypervisor or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.
CVE-2012-2372, Moderate
A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service.
CVE-2012-3552, Moderate
A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.
CVE-2012-4535, Moderate
The Xen hypervisor implementation did not properly restrict the period values used to initialize per VCPU periodic timers. A privileged guest user could cause an infinite loop on the physical CPU. If the watchdog were enabled, it would detect said loop and panic the host system.
CVE-2012-4537, Moderate
A flaw in the way the Xen hypervisor implementation handled set_p2m_entry() error conditions could allow a privileged, fully-virtualized guest user to crash the hypervisor.
Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508; the Xen project for reporting CVE-2012-5513, CVE-2012-4535, and CVE-2012-4537; and Hafid Lin for reporting CVE-2012-3552. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508. CVE-2012-2372 was discovered by Li Honggang of Red Hat.

Bug Fixes

BZ#870118
Previously, the interrupt handlers of the qla2xxx driver could clear pending interrupts right after the IRQ lines were attached during system start-up. Consequently, the kernel could miss the interrupt that reported completion of the link initialization, and the qla2xxx driver then failed to detect all attached LUNs. With this update, the qla2xxx driver has been modified to no longer clear interrupt bits after attaching the IRQ lines. The driver now correctly detects all attached LUNs as expected.
BZ#877943
The Ethernet channel bonding driver reported the MII (Media Independent Interface) status of the bond interface in 802.3ad mode as being up even though the MII status of all of the slave devices was down. This could pose a problem if the MII status of the bond interface was used to determine if failover should occur. With this update, the agg_device_up() function has been added to the bonding driver, which allows the driver to report the link status of the bond interface correctly, that is, down when all of its slaves are down, in the 802.3ad mode.

Enhancements

BZ#870120
This update backports several changes from the latest upstream version of the bnx2x driver. The most important change, the remote-fault link detection feature, allows the driver to periodically scan the physical link layer for remote faults. If the physical link appears to be up and a fault is detected, the driver indicates that the link is down. When the fault is cleared, the driver indicates that the link is up again.
BZ#874973
The INET socket interface has been modified to send a warning message when the ip_options structure is allocated directly by a third-party module using the kmalloc() function.
Users should upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

4.78. kexec-tools

Updated kexec-tools packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. The kexec-tools package provides the /sbin/kexec binary and ancillary utilities that form the user-space component of the kernel's kexec feature.

Bug Fix

BZ#822617
When one interface was used for a iSCSI boot environment while is other was used by kdump with the "net" option on, the ifconfig utility caused an error. Consequently, vmcore was not collected in a dump server that stores vmcore specified in the kdump.conf file. This bug has been fixed and a memory dump capture now succeeds by kdump in an iSCSI boot environment.
Users of kexec-tools are advised to upgrade to these updated packages, which fix this bug.
Updated kexec-tools packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The kexec fastboot mechanism allows booting a Linux kernel from the context of an already running kernel. The kexec-tools package provides the /sbin/kexec binary and ancillary utilities that form the user-space component of the kernel's kexec feature.

Bug Fixes

BZ#716340
Previously, kdump could become unresponsive if a disk name was changed. This could happen because the kdump initrd did not include irrelevant disk drivers that were used in the first kernel. Persistent disk names change in kdump presents considerable risk to Red Hat Enterprise Linux 5 stability. Therefore, this problem has been resolved by updating the kdump.conf file to recommend to use disk UUIDs or LABELs instead of disk names for file-system based dump targets.
BZ#716386
Previously, kdump did not verify whether the target raw dump device exists before attempting to dump a core file. Instead, kdump started to rebuild an initrd image directly, which resulted in a kdump failure. Furthermore, even though raw dump succeeded, kdump did not verify whether the vmcore file was saved and the core file could not be recovered. This update modifies the kdump init script to perform verification tests on the target device. Kdump now no longer rebuilds the initrd image if the target device does not exist and properly recovers a core file if the raw dump has succeeded.
BZ#752930
Kdump previously used an IP address as a part of the core dump directory name only for remote core dumps, which was confusing the users. With this update, kdump was modified to use the IP address of the loopback device (127.0.0.1) for local dumps so that the core dump directory name has the same form for both local and remote core dumps.
BZ#771829
Usually, when dumping a vmcore file over network, kdump has to bring up only one network interface card (NIC). However, when dumping to an iSCSI device, kdump may need to bring up multiple NICs. This functionality was not previously implemented in kdump and any dump attempt to the iSCSI device that required multiple NICs failed. With this update, kdump has been modified to be able to bring up multiple NICs if needed, and vmcore can now be successfully dumped on the iSCSI device.
BZ#788678
The mkdumprd utility did not detect the /var file system if it was mounted on a separate partition, which caused kdump to fail to dump a core file. This update modifies mkdumprd to detect the partition that contains the /var file system correctly. Kdump no longer fails in this scenario.
BZ#801496
When dumping a core file using ssh and the remote kdump user is configured to use restricted shell (rksh), the core dump attempt failed. This happened because kdump used the cat > command to store the vmcore file and the restricted shell forbids redirection. This update modifies kdump to use the dd command to save the vmcore file instead and dumping is now successful in this scenario.
BZ#802928
The mkdumprd utility did not correctly handled NICs if the NIC had the BOOTPROTO=none parameter configured in the ifcfg file. Consequently, kdump was not able to bring the NIC up and failed to dump a core file over network. This update corrects mkdumprd to recognize the BOOTPROTO=none parameter, and such NICs are now properly brought up when dumping a core file over network.
BZ#809983
Previously for ext2, ext3 and ext4 file systems, if the dump location was on different file system than was the root file system, the mkdumprd utility searched only for the ext4 kernel module. Consequently, kdump failed to recognize a file system and dump a core file. This update modifies mkdumprd to find proper kernel module also for ext2 and ext3 file systems and kdump works as expected in this scenario.
BZ#832017
Currently on Red Hat Enterprise Linux 5, the dd utility is the default core collector when dumping on a raw partition. However, the only core collector supported by kdump is the makedumpfile utility, which is not able to recognize vmcore files copied by dd. Previously, when the vmcore file was dumped on a raw partition, it was considered invalid and the core file recovery failed. With this update, mkdumprd has been modified to display a warning message when a different core collector than makedumpfile was used to compress the core file on the raw partition. The user has to recover the core dump manually.

Enhancement

BZ#587361
Previously, the vmcore file could not be dumped to a multipath device because kexec-tools did not support this option. This update introduces multipath target support, which allows vmcore to be captured with multipath devices.
Users of kexec-tools are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

4.79. ksh

An updated ksh package that fixes one bug is now available for Red Hat Enterprise Linux 5.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with sh, the original Bourne Shell.

Bug Fix

BZ#805459
Previously, ksh did not expand the tilde (~) character properly. For example, characters in the tilde prefix were not treated as a login name but as a part of the path and the "No such file or directory" message was displayed. The underlying source code has been modified and tilde expansion now works as expected in such a scenario.
All users of ksh are advised to upgrade to this updated package, which fixes this bug.
Updated ksh packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories. KornShell is a shell programming language which is also compatible with sh, the original Bourne Shell.

Bug Fixes

BZ#771188
Prior to this update, using the -R or -Z options of the typeset command did not work as expected. When a variable was assigned to a field that was of smaller size than the size of the variable, it would trim the incorrect values from the variable. Consequently, the resulting value in the trimmed variable was incorrect. The underlying source code has been modified and the typeset -R/-Z command works as expected.
BZ#802565
Previously, ksh did not expand the tilde (~) character properly. For example, characters in the tilde prefix were not treated as a login name but as a part of the path and the "No such file or directory" message was displayed. The underlying source code has been modified and tilde expansion now works as expected in such a scenario.
BZ#804925
In certain cases, ksh unnecessarily called the vfork() function. An extra process was created and it could be difficult to determine how many instances of a script were running. A patch has been applied to address this problem, and extra processes are no longer created if not required.
BZ#811318
Due to a missing patch that introduced the tsetio flag, the redirect output behavior changed depending on what ksh version was used. With this update, the missing patch was added and redirect output behavior is now consistent across all versions of ksh.
BZ#812930
Previously, ksh did not close certain file descriptors prior to execution. This could lead to a file descriptor leak, and certain applications could consequently report error messages. With this update, file descriptors are marked to be closed on execution if appropriate, so file descriptor leaks no longer occur.
BZ#827522
Due to a bug in the typeset command, when executed with the -Z option, output was being formatted to an incorrect width. As a result, exporting a right-aligned variable of smaller size than the predefined field size caused it to not be prepended with 0 characters. With this update, the typeset command works as expected in the aforementioned scenario.
BZ#827613
Previously, ksh did not allocate the correct amount of memory for its data structures containing information about file descriptors. When running a task that used file descriptors extensively, ksh terminated unexpectedly with a segmentation fault. With this update, the proper amount of memory is allocated, and ksh no longer crashes if file descriptors are used extensively.
All users of the ksh are advised to upgrade to these updated packages, which fix these bugs.

4.80. kudzu

Updated kudzu packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 5.
The kudzu packages provide a hardware probing library for automatic discovery and configuration of hardware.

Bug Fix

BZ#748481
Prior to this update, the X11 configuration of video cards was skipped if no kernel driver was available, even if a corresponding Xorg driver existed. This update skips the configuration only in cases when none of the mentioned drivers are aqvailable.

Enhancement

BZ#819903
This update adds native support for Microsoft Hyper-V virtual hardware.
All users of kudzu are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

4.81. kvm

Updated kvm packages that fix one bug are now available for Red Hat Enterprise Linux 5.
[Updated 16 May 2012] This advisory has been updated with the correct description for bug 802429. The packages included in this revised update have not been changed in any way from the packages included in the original advisory.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

Bug Fix

BZ#802429
An accounting error in the I/O thread subsystem in QEMU could, under certain circumstances, lead to I/O stalls on the guest. This would typically cause the guest to become unresponsive. With this update, the accounting error has been corrected, and I/O stalls no longer occur in this scenario.
All users of kvm are advised to upgrade to these updated packages, which fix this bug. Note that the procedure in the Solution section must be performed before this update will take effect.
Updated kvm packages that fix various bugs are now available for Red Hat Enterprise Linux 5.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

Bug Fixes

BZ#814096
Under certain circumstances, the qemu-kvm utility tried to invalidate an incorrect physical memory block, which resulted in qemu-kvm to terminate unexpectedly with a segmentation fault. The code has been fixed and the crashes no longer occur.
BZ#684745
Previously, when an I/O error occurred on a KVM host, the guest running on it became paused. After the guest was migrated to another host, the guest could not be properly resumed. Consequently, it was impossible to log in to the guest via SSH or a console. This bug has been fixed and migrated guests can now be resumed as expected.
BZ#782631
Due to an accounting error in the QEMU I/O thread subsystem, I/O delays were occurring on guests, which were observed as unresponsive for the time of the delay. This bug has been fixed and the delays no longer occur.
BZ#805676
Due to an incompatibility between previously used encryption modes and FIPS mode, it was impossible to start KVM guests when running kernel in FIPS mode. With this update, VNC password authentication is disabled when the host system is operating in FIPS mode, and QEMU exits and returns an error message if it is configured to run as a password-authenticated VNC server. If QEMU is configured to run as an unauthenticated VNC server, it will work as expected.
BZ#838466
Previously, the typeperf command of the virtualized Microsoft Windows Server 2008 Service Pack 2 for the x86 architecture with the SQL Server 2005 Service Pack 3 installed returned an invalid value for the Processor Time. This bug has been fixed and typeperf now returns a correct value.
BZ#761350
Previously, a simple counter was used to track GSIs (Global System Interrupts) that were given to devices. Consequently, when a hot plug or unplug operation was performed approximately 30 times on certain Ethernet controllers in a Microsoft Windows Server 2008 guest on the AMD64 and Intel 64 architectures, the controller driver returned a large number of error messages on incorrectly deallocated MSI-X table entries. This update uses a bitmap to track GSIs and the errors no longer occur.
BZ#843683
Previously, KVM did not provide receive overrun status information, which is used for virtual serial devices. Consequently, virtual machines using a serial console redirection became unresponsive on startup. This update implements receive overrun status and the hangs no longer occur.
BZ#829040
Due to a coding bug, the masking in the device assignment function was invalid. Consequently, the KVM device assignment bridge test could break virtual function of certain devices that implement BAR (Base Address Register) resources. This bug has been fixed and the test now works as expected.
BZ#781922
Under certain circumstances, implementation of the Realtek 8139 Ethernet driver allowed the qemu-kvm utility to attempt to allocate unlimited buffer size. If it happened, qemu-kvm terminated unexpectedly with a glib error, unable to allocate such a buffer. This update limits the transmission buffer size of the driver, thus fixing this bug.
BZ#819413
Previously, it was possible to shut down a guest using the system_powerdown command even if the "-no-shutdown" option was specified on the command line. This bug has been fixed and "-no-shutdown" is now handled properly.
Users of KVM are advised to upgrade to these updated packages, which fix these bugs. Note that the procedure in the Solution section must be performed before this update will take effect.
Updated kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

Security Fixes

CVE-2012-1601
A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer dereference later when the VCPU is scheduled to run. A malicious user in the kvm group on the host could use this flaw to crash the host.
CVE-2012-2121
A flaw was found in the way device memory was handled during guest device removal. Upon successful device removal, memory used by the device was not properly unmapped from the corresponding IOMMU or properly released from the kernel, leading to a memory leak. A malicious user in the kvm group on the host who has the ability to assign a device to a guest could use this flaw to crash the host.

Bug Fix

BZ#816207
An off-by-one error in the QEMU guest's memory management could, in rare cases, cause QEMU-KVM to crash due to a segmentation fault in tb_invalidate_phys_page_range() if a device initiated DMA into a specific guest address. In a reported case, this issue presented on a system that had a guest using the 8139cp network driver.
All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note that the procedure in the Solution section must be performed before this update will take effect.
Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

Security Fix

CVE-2012-3515
A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host.
This flaw did not affect the default use of KVM. Affected configurations were:
* When guests were started from the command line ("/usr/libexec/qemu-kvm"), and without specifying a serial or parallel device that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking "qemu-kvm" from the command line on Red Hat Enterprise Linux 5.)
* Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices.
Red Hat would like to thank the Xen project for reporting this issue.
All KVM users should upgrade to these updated packages, which correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect.

4.82. lftp

Updated lftp packages that fix one bug are now available for Red Hat Enterprise Linux 5.
LFTP is a file transfer utility for FTP, SFTP, HTTP, and other commonly used protocols. It uses the readline library for input, and provides support for bookmarks, built-in monitoring, job control, and parallel transfer of multiple files at the same time

Bug Fix

BZ#810217
Due to an incorrect evaluation of the length of an uploaded file, the lftp tool became unresponsive after a file transfer in ASCII mode. With this update, the volume of transferred data is recognized correctly and the lftp program no longer hangs in this scenario.
All users of lftp are advised to upgrade to these updated packages, which fix this bug.

4.83. libexif

Updated libexif packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libexif packages provide an Exchangeable image file format (Exif) library. Exif allows metadata to be added to and read from certain types of image files.

Security Fix

CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Red Hat would like to thank Dan Fandrich for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2012-2812, CVE-2012-2813, and CVE-2012-2814; and Yunho Kim as the original reporter of CVE-2012-2836 and CVE-2012-2837.
Users of libexif are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libexif must be restarted for the update to take effect.

4.84. libgcrypt

Updated libgcrypt packages that add one enhancement are now available for Red Hat Enterprise Linux 5.
The libgcrypt library provides general-purpose implementations of various cryptographic algorithms.

Enhancement

BZ#810319
With Federal Information Processing Standards (FIPS) mode enabled, the libgcrypt library always started in the soft FIPS mode which allows applications to use the MD5 cryptographic hash algorithm. The libgcrypt API previously did not allow the library to programmatically switch from the soft FIPS mode to the enforced FIPS mode. With this update, if the application does not need MD5 support for the Transport Layer Security (TLS) protocol or non-cryptographic purposes, libgcrypt can be preset in the enforced FIPS mode.
All users of libgcrypt are advised to upgrade to these updated packages, which add this enhancement.

4.85. libpng

Updated libpng packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

Security Fix

CVE-2011-3045
A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade libpng to version 1.2.48. All running applications using libpng must be restarted for the update to take effect.
Updated libpng packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

Security Fix

CVE-2011-3048
A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade libpng to version 1.2.49. All running applications using libpng must be restarted for the update to take effect.

4.86. libtalloc

Updated libtalloc packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The libtalloc packages provide a library that implements a hierarchical memory allocator with destructors.

Upgrade to an upstream version

The libtalloc packages have been upgraded to upstream version 2.0.7, which provides a number of bug fixes over the previous version. (BZ#855862)

Bug Fix

BZ#837853, BZ#855387
The talloc() hierarchical allocator did not ensure that the child pointers of a pointer did not become invalid during memory freeing operation. Consequently, processes that use the talloc library, such as the spoolss process of samba, could have terminated with a segmentation fault. The underlying source code has been modified and talloc() no longer causes Samba to fail in this situation.
All libtalloc users are advised to upgrade to these updated packages, which fix these bugs.

4.87. libtdb

Updated libtdb packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The libtdb packages provide a library that implements the Trivial Database (TDB). TDB is based on the GNU dbm (GDBM) library of database functions but uses internal locking to allow multiple simultaneous writers.

Upgrade to an upstream version

The libtdb packages have been upgraded to upstream version 1.2.10, which provides a number of bug fixes and enhancements over the previous version. (BZ#837865)

Bug Fix

BZ#736112
Prior to this update, several names and file paths of binaries and manual pages in the tdb-tools package were in conflict with binaries and manual pages that are shipped in the samba package. With this update, these files have been renamed to avoid conflicts.
All users of libtdb are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.88. libtiff

Updated libtiff packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix

CVE-2012-1173
Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
All libtiff users should upgrade to these updated packages, which contain a backported patch to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect.
Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fixes

CVE-2012-2088
libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
CVE-2012-2113
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the tiff2pdf tool. An attacker could use these flaws to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
All libtiff users should upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect.
Updated libtiff packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fixes

CVE-2012-4447
A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF images using the Pixar Log Format encoding. An attacker could create a specially-crafted TIFF file that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2012-5581
A stack-based buffer overflow flaw was found in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
CVE-2012-3401
A heap-based buffer overflow flaw was found in the tiff2pdf tool. An attacker could use this flaw to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
CVE-2012-4564
A missing return value check flaw, leading to a heap-based buffer overflow, was found in the ppm2tiff tool. An attacker could use this flaw to create a specially-crafted PPM (Portable Pixel Map) file that would cause ppm2tiff to crash or, possibly, execute arbitrary code.
The CVE-2012-5581, CVE-2012-3401, and CVE-2012-4564 issues were discovered by Huzaifa Sidhpurwala of the Red Hat Security Response Team.
All libtiff users should upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libtiff must be restarted for this update to take effect.

4.89. libuser

Updated libuser packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The libuser packages provide a library to implement a standardized interface for manipulating and administering user and group accounts. The library uses pluggable back ends to interface to its data sources. Sample applications modeled after those included with the shadow password suite are included.

Bug Fixes

BZ#506628
Prior to this update, libuser could not signal the name service caching daemon (nscd) to refresh the cache. As a consequence, delays in the name service could occur when the user account information was changed. With this update, the libuser signals nscd to rebuild its cache. Now, changes that affect the name service take effect more quickly.
BZ#670279
Prior to this update, libuser used the value of the "gecos" attribute for the "cn" attribute by default when creating a user account with the Lightweight Directory Access Protocol (LDAP). As a consequence, an invalid value for "cn" was used and the user account was not created if the "gecos" attribute was empty. With this update, the user name of the account is stored in the "cn" attribute if the "gecos" attribute is empty, thus allowing successful creation of the user account.
BZ#758117
Prior to this update, libuser could attempt to access unallocated virtual memory when searching for account information in files of certain sizes. As a consequence, libuser could terminate unexpectedly with a segmentation fault when looking for user or group account information. This update modifies modifies the libuser library to only access memory related to the file being processed.
All users of libuser are advised to upgrade to these updated packages, which fix these bugs.

4.90. libvirt

Updated libvirt packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems.

Security Fix

CVE-2012-2693
Bus and device IDs were ignored when attempting to attach multiple USB devices with identical vendor or product IDs to a guest. This could result in the wrong device being attached to a guest, giving that guest root access to the device.

Bug Fixes

BZ#675319
Previously, the libvirtd library failed to set the autostart flags for already defined QEMU domains. This bug has been fixed, and the domains can now be successfully marked as autostarted.
BZ#680289
Prior to this update, the virFileAbsPath() function was not taking into account the slash ("/") directory separator when allocating memory for combining the cwd() function and a path. This behavior could lead to a memory corruption. With this update, a transformation to the virAsprintff() function has been introduced into virFileAbsPath(). As a result, the aforementioned behavior no longer occurs.
BZ#783001
With this update, a man page of the virsh user interface has been enhanced with information on the "domxml-from-native" and "domxml-to-native" commands. A correct notation of the format argument has been clarified. As a result, confusion is avoided when setting the format argument in the described commands.
All users of libvirt are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, libvirtd will be restarted automatically.

4.91. libwpd

Updated libwpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
libwpd is a library for reading and converting Corel WordPerfect Office documents.

Security Fix

CVE-2012-2149
A buffer overflow flaw was found in the way libwpd processed certain Corel WordPerfect Office documents (.wpd files). An attacker could provide a specially-crafted .wpd file that, when opened in an application linked against libwpd, such as OpenOffice.org, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
All libwpd users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications that are linked against libwpd must be restarted for this update to take effect.

4.92. libxml2

Updated libxml2 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fixes

CVE-2012-2807
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way libxml2 handled documents that enable entity expansion. A remote attacker could provide a large, specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-3102
A one byte buffer overflow was found in the way libxml2 evaluated certain parts of XML Pointer Language (XPointer) expressions. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
All users of libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards.

Security Fix

CVE-2012-5134
A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect.

4.93. libxslt

Updated libxslt packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
libxslt is a library for transforming XML files into other textual formats (including HTML, plain text, and other XML representations of the underlying data) using the standard XSLT stylesheet transformation mechanism.

Security Fixes

CVE-2012-2871
A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2012-2825, CVE-2012-2870, CVE-2011-3970
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
CVE-2011-1202
An information leak could occur if an application using libxslt processed an untrusted XPath expression, or used a malicious XSL file to perform an XSL transformation. If combined with other flaws, this leak could possibly help an attacker bypass intended memory corruption protections.
All libxslt users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. All running applications linked against libxslt must be restarted for this update to take effect.

4.94. linuxwacom

Updated linuxwacom packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The linuxwacom package contains the drivers, libraries, and documentation for configuring and running Wacom tablets under the Linux operating system. It contains diagnostic applications as well as X.org XInput drivers.

Bug Fix

BZ#843859
Due to a regression, when a Wacom tablet was used with only a lens cursor device attached to it for input, the lens cursor could not be moved. This update fixes this bug and lens cursor devices now work as expected in the described scenario.
Users of linuxwacom are advised to upgrade to these updated packages, which fix this bug.

4.95. logrotate

Updated logrotate packages that fix three bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The logrotate utility simplifies the administration of multiple log files, allowing the automatic rotation, compression, removal, and mailing of log files.

Bug Fixes

BZ#644741
Prior to this update, a conflict could occur when string arrays between the popt library and a hand-coded method written in logrotate were allocated and freed. As a consequence, the "compressoptions" directive in the logrotate configuration file caused logrotate to abort unexpectedly. This update modifies the underlying code to use the popt library instead. Now, logrotate works as expected.
BZ#795405
Prior to this update, the ".rhn-cfg-tmp-" file exension was missing from the the list of extensions to be skipped when loading the configuration files. As a consequence, ".rhn-cfg-tmp-" files were loaded as normal configuration files and the rotation process was interrupted. This update adds the ".rhn-cfg-tmp-" extension to the list of extensions to be skipped.
BZ#736045
Prior to this update, the logrotate utility did not check whether brackets were correctly matched in the configuration file. As a consequence, files were removed because logrotate did not detect the incorrectly matched brackets and did not stop the rotation process for the particular configuration file. This update modifies the underlying code to check the presence of brackets whether they are matched. Now, configuration files with bad syntax are skipped.

Enhancement

BZ#510124
With this update, logrotate can rotate logs defined in configuration files that contain configuration errors.
All users of logrotate are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

4.96. logwatch

An updated logwatch package that fixes various bugs is now available.
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on many systems.

Bug Fixes

BZ#578806
Due to an incorrect regular expression, positive changes in temperatures reported by the smartd daemon were shown as unmatched entries in the logwatch output. This update fixes the faulty regular expression and temperature log information is now displayed correctly.
BZ#583607
Prior to this update, logwatch did not correctly parse the RSYSLOG_FileFormat time stamps and displayed them as unmatched entries. With this update, parsing of the rsyslog time stamps has been fixed and works as expected.
BZ#583721
Yum's "applydate" time ranges were not correctly parsed by logwatch and were displayed as unmatched entries. This has been fixed and "applydate" time ranges are no longer displayed as unmatched entries.
BZ#595068
Xen virtual console logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
BZ#668067
Logins initiated with the "su -" or "su -l" command were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
BZ#684577
SSH Kerberos (GSS) logins were not correctly parsed by logwatch and were displayed as unmatched entries. This update fixes this bug.
All users of logwatch are advised to upgrade to this updated package, which fixes these bugs.

4.97. lvm2

Updated lvm2 packages that fix four bugs are now available for Red Hat Enterprise Linux 5.
The lvm2 packages provide support for Logical Volume Management (LVM).

Bug Fixes

BZ#770970
Prior to this update, the --alloc option in the lvm2 man pages was insufficiently documented. A more detailed specification of allocation policies was needed. With this update, the description has been enhanced and provides a more comprehensive insight into the allocation process.
BZ#786009
Previously, when the pv_min_size setting in the lvm.conf configuration file (/etc/lvm/lvm.conf) was set to value smaller than the default value of 2048 KB, the system ignored this configuration later on. Consequently, the lvm commands returned the following warning when processing smaller physical volumes:
Ignoring too small pv_min_size 512KB, using default 2048KB.
This bug has been fixed, and user-set pv_min_size is no longer ignored in the aforementioned case.
BZ#820237
Previously, when a physical volume (PV) with no physical extents (PE) was in a volume group (VG), the vgcfgrestore command executed on the VG failed with the following message:
Floating point exception
This behavior was caused by a division by zero error. With this update, a fix has been introduced to avoid the aforementioned exception. As a result, vgcfgrestore no longer fails in the described scenario.
BZ#821013
Previously, it was possible to use the lvcreate command with the --alloc cling option to create a linear device that exceeded any single physical volume (PV) within the volume group (VG). The lvcreate command placed the data across multiple PVs, which was in conflict with the cling allocation policy. This bug has been fixed and lvcreate now works in accordance with the selected allocation policy.
All users of lvm2 are advised to upgrade to these updated packages, which fix these bugs.

4.98. lvm2-cluster

Updated lvm2-cluster packages that fix one bug is now available for Red Hat Enterprise Linux 5.
The lvm2-cluster package provides support for Logical Volume Management (LVM) in a clustered environment.

Bug Fix

BZ#824813
If a physical volume (PV) presented in a volume group (VG) contained only metadata and no physical extents (PE), an attempt to write the volume group's metadata by running the "vgcfgrestore" command was not successful. Running the command failed with the "Floating point exception" error message, which was caused by a "division by zero" error. This bug has been fixed and lvm2-cluster now works correctly in such a case.
All users of lvm2-cluster are advised to upgrade to these updated packages, which fix this bug.

4.99. m2crypto

Updated m2crypto packages that fix one bug and add one enhancement are now available for Red Hat Enterprise Linux 5.
The m2crypto library allows Python programs to call OpenSSL functions.

Bug Fix

BZ#520817
M2Crypto generated an invalid exception object on SSL timeouts, causing an IndexError in the Python httplib module. This made it impossible to correctly handle SSL timeouts in applications. This updated package adds the required attributes to the SSL timeout exception object and lets httplib process this information correctly.

Enhancement

BZ#761596
The M2Crypto.httpslib.HTTPSConnection class always created an IPv4 socket. This made it impossible to connect to IPv6 servers using this class. With this update, the implementation now correctly creates an IPv4 or IPv6 socket, as necessary, thus adding support for IPv6 servers.
All users of m2crypto are advised to upgrade to these updated packages, which fix this bug and add this enhancement.

4.100. man

Updated man packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The man packages provide the man, apropos, and whatis tools to find information and documentation about the Linux system.

Bug Fix

BZ#749288
Prior to this update, the makewhatis script, which creates the whatis database of manual pages, ignored symbolic links between pages. With this update, the makewhatis script includes symbolic links in the whatis database.
All users of man are advised to upgrade to these updated packages, which fix this bug.

4.101. man-pages-overrides

Updated man-pages-overrides packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The man-pages-overrides package contains a collection of manual pages to complement other packages or update those contained therein.

Bug Fixes

BZ#621953
Previously, the size of the buffer "entry" for the readdir_r() function was undocumented in the readdir(3) manual page. Consequently, a buffer overflow in user programs could occur. With this update, the readdir(3) manual page has been backported from Red Hat Enterprise Linux 6. As a result, the documentation of the readdir() and readdir_r() functions is now more accurate.
BZ#695783
Previously, the proper usage of the IPv6 addresses was not described in the ssh(1), scp(1), sftp(1) and sshd(8) manual pages. This update adapts these manual pages to reduce the possible ambiguity in the IPv6 address notation.
BZ#782006
Prior to this update, the vpdupdate(8) manual page did not contain any description of the "-a", "-s" and "-v" options. The manual page has been updated and the aforementioned options are now documented properly.
BZ#783739
The nscd.conf(5) manual page was missing some descriptions and contained several duplicate entries. With this update, the text has been clarified and redundant entries have been removed.
BZ#786684
Previously, the nsswitch.conf(5) manual page lacked information on the search mechanism, particularly about the "notfound" status. This update adds this information to the manual page.
BZ#787567
Prior to this update, the behavior of the connect() call with the local address set to INADDR_ANY was insufficiently described in the ip(7) manual page. Possible duplication of the local port after the call was not acknowledged. With this update, the documentation has been reworked in order to reflect the behavior of the connect() call correctly.
BZ#809490
Due to a vague description of the getdents() call in the getdents(2) manual page, the risk of using this call directly was not clear enough. The description has been extended with a warning to prevent incorrect usage of the getdents() call.
BZ#838395
Previously, the "-q" option of the scp program was insufficiently described in the scp(1) manual page. Part of its functionality was not mentioned, which could lead to unwanted results. The description has been extended and now provides a full characteristic of the "-q" option.
All users of man-pages-overrides are advised to upgrade to these updated packages, which fix these bugs.

4.102. mdadm

Updated mdadm packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
The mdadm packages contain a utility for creating, managing, and monitoring Linux MD (multiple disk) devices.

Bug Fixes

BZ#566828
Due to a bug in the raid-check script, non-zero mismatch counts were reported on RAID 1 arrays, although this could happen legitimately on this type of array. Consequently, the "repair" and "check" commands did not work as expected. The raid-check script has been fixed and now non-zero mismatch counts are no longer reported in the described scenario.
BZ#735803
Under certain circumstances, arrays that were always busy when running the raid-check script would never be checked due to a bug in the script. This script has been modified and all RAIDs with active I/0 are checked as expected.
All mdadm users are advised to upgrade to these updated packages, which fix these bugs.

4.103. microcode_ctl

Updated microcode_ctl packages that add one enhancement are now available for Red Hat Enterprise Linux 5.
The microcode_ctl packages provide microcode updates for Intel and AMD processors.

Enhancement

BZ#790195
The Intel CPU microcode file has been updated to version 20120606. This is the most recent version of the microcode available from Intel.
All users of microcode_ctl are advised to upgrade to these updated packages, which add this enhancement. Note that the system must be rebooted in order for these changes to take effect.

4.104. mkinitrd

Updated mkinitrd packages that fix two bugs and add two enhancements are now available Red Hat Enterprise Linux 5.
The mkinitrd packages provide a utility to create the initrd file system image. The initrd image is an initial RAM disk that is loaded by a boot loader before the Linux kernel is started.

Bug Fixes

BZ#556785
Prior to this update, the "mkrootdev" command could incorrectly use the slave device instead of the intended multipath device to create the /dev/root node when a multipath root device was specified by the label "LABEL". As a consequence, the slave device could not be mounted as it was already used by the master and creating the "/dev/root" node failed. This update modifies the mkinitrd code so that "mkrootdev" now ignores devices which are in use.
BZ#782615
Prior to this update, the bindings file in the initial RAM disk (initrd) could, under certain circumstances, fail to match the bindings file on the root file system. As a consequence, the boot process was interrupted and the system rebooted. This update modifies the underlying code so match the bindings file as expected.

Enhancements

BZ#737081
This update adds support for using FIPS mode with dmraid root devices. The dmraid device is now activated before checking the FIPS checksum.
BZ#852686
This update adds support for Hyper-V to the mkinitrd utility.
All users of mkinitrd are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.105. mod_auth_kerb

Updated mod_auth_kerb packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The mod_auth_kerb package provides a module for the Apache HTTP Server designed to provide Kerberos authentication over HTTP. The module supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges.

Bug Fixes

BZ#456662
Prior to this update, the mod_auth_kerb source RPM could not be built by a non-root user. This was because the httpd-devel package places the apxs utility, which is needed to build the mod_auth_kerb package, into the /usr/sbin directory. This directory is not specified in the PATH variable for non-root users. With this update, the apxs utility is defined as being placed in the /usr/bin directory in the "mod_auth_kerb.spec" file, and the mod_auth_kerb SRPM can now be successfully built by non-root users.
BZ#734098
The "mod_auth_kerb" module did not use the Kerberos libraries in a thread-safe way. Therefore, if mod_auth_kerb ran under a multi-threaded Apache HTTP Server, authentication requests could terminate unexpectedly with a segmentation fault. With this update, the thread-safety problem has been fixed, and crashes no longer occur under these circumstances.
In addition, these updated mod_auth_kerb packages provide the following enhancement:
BZ#446670
The "KrbLocalUserMapping" Apache directive has been added to allow Kerberos principal names to be mapped to system user names.
Users are advised to upgrade to these updated mod_auth_kerb packages, which fix these bugs and add this enhancement.

4.106. mod_nss

Updated mod_nss packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

Bug Fix

BZ#849044
Due to a regression, the mod_proxy module no longer worked when configured to support SSL reverse proxy operation. The following error message was logged:
[error] SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up.
A new patch has been applied and the mod_proxy module now works correctly to support SSL reverse proxy.
All users of mod_nss are advised to upgrade to these updated packages, which fix this bug.
Updated mod_nss packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security Services (NSS) security library.

Bug Fixes

BZ#669963
The previous release had an incorrect post-install script. Consequently, when upgrading "mod_nss" from version 1.0.3 to 1.0.8, the group and file permissions were incorrectly set. The HTTP server (httpd) did not start and the following error message was displayed:
[error] NSS_Initialize failed. Certificate database: /etc/httpd/alias. [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
This update improves the post-install script to set file permissions and ownership correctly. As a result, all child processes of the Apache HTTP Server can enable SSL and now httpd starts as expected in the scenario described.
BZ#677698
With the release of "mod_nss" version 1.0.8 there was no lock mechanism to control sequential httpd process access to the "nss_pcache" process. This sometimes resulted in multiple requests being interpreted as a single request by "nss_pcache" and a single result returned. The calling process sometimes experienced a timeout error or a failure with the error message:
[error] Unable to read from pin store
With this update the code has been improved and multiple requests to the "nss_pcache" process are processed sequentially without the errors described.
BZ#692868
Due to a regression, the "mod_proxy" module no longer worked when configured to support reverse proxy operation. The following error was logged:
[error] SSL Proxy: I don't have the name of the host we're supposed to
connect to so I can't verify that we are connecting to who we think we
should be. Giving up.
A new patch has been applied and the "mod_proxy" module now works correctly to support SSL reverse proxy.
BZ#714255
Previously, a static array containing the arguments for launching the "nss_pcache" command overflowed the array size by one. This could lead to a variety of problems including unexpected termination. This bug has been fixed, and "mod_nss" now uses a properly sized static array when launching "nss_pcache".
BZ#749401
Due to an incorrect use of the memcpy() function in the "mod_nss" module, running the Apache HTTP Server with this module enabled could cause some requests to fail with the following message written to the error_log file:
request failed: error reading the headers
This update applies a patch to ensure that the memcpy() function is now used in accordance with the current specification, and using the "mod_nss" module no longer causes HTTP requests to fail.
BZ#749402
Prior to this update, client certificates were only retrieved during the initial SSL handshake if the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth option only retrieved Common Name rather than the entire certificate subject. Consequently, it was possible to spoof an identity using that option. This bug has been fixed, the FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL. Certificates are now retrieved on all subsequent requests beyond the first one.
BZ#749405, BZ#784548
When the NSS library was not initialized and "mod_nss" tried to clear its SSL cache on start-up, "mod_nss" terminated unexpectedly when the NSS library was built with debugging enabled. With this update, "mod_nss" does not try to clear the SSL cache in the described scenario, thus preventing this bug.
BZ#749406
The "Requires: %{_libdir}/libnssckbi.so" directive has been added to the spec file to make "libnssckbi.so" a runtime dependency. This is to prevent symbolic links failing.
All users of mod_nss are advised to upgrade to these updated packages, which fix these bugs.

4.107. mod_python

Updated mod_python packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The mod_python packages provide a module to embed the Python language interpreter within the Apache web server, allowing handlers to be written in Python.

Bug Fix

BZ#431684
Prior to this update, the publisher module did not correctly handle certain authentication variables. As a consequence, the web server could return an "400 Bad Request" error if the "publisher" handler was used with an authentication scheme other than "Basic". This update modifies the publisher.py code to handle the autentication as expected.
All users of mod_python are advised to upgrade to these updated packages, which fix this bug.

4.108. mozldap

Updated mozldap packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The mozldap packages provide the Mozilla LDAP C SDK libraries that allow applications to communicate with Lightweight Directory Access Protocol (LDAP) directory servers. These libraries are derived from the University of Michigan and Netscape LDAP libraries and use Mozilla NSPR and NSS for crypto.

Bug Fix

BZ#753014
Prior to this update, the ldapsearch tool could, under certain circumstances, access or free uninitialized memory when following a smart referral entry using anonymous credentials. As a consequence, the ldapsearch tool could encounter a segmentation fault. This update ensures that the memory is initialized. Now, ldapsearch works with anonymous credentials as expected.
All users of mozldap are advised to upgrade to these updated packages, which fix this bug.

4.109. mt-st

Updated mt-st packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The mt-st package contains the mt and st tape drive management programs. Mt (for magnetic tape drives) and st (for SCSI tape devices) can control rewinding, ejecting, skipping files and blocks and more.

Bug Fix

BZ#501014
Prior to this update, it was not possible to use a symbolic name for the SILI bit on the command line; the bit could only be specified as a hexadecimal constant (0x4000). With this update, users can use the "sili" symbolic name on the command line.
All users of mt-st are advised to upgrade to these updated packages, which fix this bug.

4.110. mutt

Updated mutt packages that fix one bug are now available for Red Hat Enterprise Linux 5.
Mutt is a text-mode mail user agent. Mutt supports color, threading, arbitrary key remapping, and a lot of customization.

Bug Fix

BZ#313291
Prior to this update, the mutt agent failed to allow interruptions during getch calls. As a consequence, the signal "SIGINT" (Ctrl-C) was not handled correctly when waiting for user input. This update modifies the underlying code to allow interruptions.
All users of mutt are advised to upgrade to these updated packages, which fix this bug.

4.111. mysql

Updated mysql packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.

Security Fix

CVE-2012-4452
It was found that the fix for the CVE-2009-4030 issue, a flaw in the way MySQL checked the paths used as arguments for the DATA DIRECTORY and INDEX DIRECTORY directives when the "datadir" option was configured with a relative path, was incorrectly removed when the mysql packages in Red Hat Enterprise Linux 5 were updated to version 5.0.95 via RHSA-2012:0127. An authenticated attacker could use this flaw to bypass the restriction preventing the use of subdirectories of the MySQL data directory being used as DATA DIRECTORY and INDEX DIRECTORY paths. This update re-applies the fix for CVE-2009-4030.
Note: If the use of the DATA DIRECTORY and INDEX DIRECTORY directives were disabled as described in RHSA-2010:0109 (by adding "symbolic-links=0" to the "[mysqld]" section of the "my.cnf" configuration file), users were not vulnerable to this issue.
This issue was discovered by Karel Volný of the Red Hat Quality Engineering team.

Bug Fixes

647223
Prior to this update, the log file path in the logrotate script did not behave as expected. As a consequence, the logrotate function failed to rotate the "/var/log/mysqld.log" file. This update modifies the logrotate script to allow rotating the mysqld.log file.
654000
Prior to this update, the mysqld daemon could fail when using the EXPLAIN flag in prepared statement mode. This update modifies the underlying code to handle the EXPLAIN flag as expected.
703476
Prior to this update, the mysqld init script could wrongly report that mysql server startup failed when the server was actually started. This update modifies the init script to report the status of the mysqld server as expected.
806365
Prior to this update, the "--enable-profiling" option was by default disabled. This update enables the profiling feature.
All MySQL users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the MySQL server daemon (mysqld) will be restarted automatically.

4.112. net-snmp

Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl Management information Base (MIB) browser.

Bug Fix

BZ#820850
The SNMP daemon (snmpd) did not properly encode a negative Request-ID in outgoing requests (for example during trap operations). As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests could be refused by some implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes.
All users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
Updated net-snmp packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide various libraries and tools for the Simple Network Management Protocol (SNMP).

Security Fix

CVE-2012-2141
An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request.

Bug Fix

BZ#754652, BZ#755958, BZ#822061
Devices that used certain file systems were not reported in the "HOST-RESOURCES-MIB::hrStorageTable" table. As a result, the snmpd daemon did not recognize devices using tmpfs, ReiserFS, and Oracle Cluster File System (OCFS2) file systems. This update recognizes these devices and reports them in the "HOST-RESOURCES-MIB::hrStorageTable" table.
BZ#760001
The snmptrapd (8) man page did not correctly describe how to load multiple configuration files using the "-c" option. This update describes correctly that multiple configuration files must be separated by a comma.
BZ#783892
Integers truncated from 64 to 32-bit were not correctly evaluated. As a consequence, the snmpd daemon could enter an endless loop when encoding the truncated integers to network format. This update modifies the underlying code so that snmpd correctly checks truncated 64-bit integers. Now, snmpd avoids an endless loop.
BZ#799699
snmpd did not correctly check for interrupted system calls when enumerating existing IPv6 network prefixes during startup. As a consequence, snmpd could prematurely exit when receiving a signal during this enumeration. This update checks the network prefix enumeration code for interrupted system calls. Now, snmpd no longer terminates when a signal is received.
BZ#803585
snmpd used the wrong length of COUNTER64 values in the AgentX protocol. As a consequence, snmpd could not decode two consecutive COUNTER64 values in one AgentX packet. This update uses the correct COUNTER64 size and can process two or mode COUNTER64 values in AgentX communication.
BZ#805689
snmpd ignored the "-e" parameter of the "trapsess" option in the snmpd configuration file. As a result, outgoing traps were incorrectly sent with the default EngineID of snmpd when configuring "trapsess" with an explicit EngineID. This update modifies the underlying code to send outgoing traps using the EngineID as specified in the "trapsess -e" parameter in the configuration file.
BZ#818259
snmpd did not correctly encode negative Request-IDs in outgoing requests, for example during trap operations. As a consequence, a 32-bit value could be encoded in 5 bytes instead of 4, and the outgoing requests were refused by certain implementations of the SNMP protocol as invalid. With this update, a Request-ID can no longer become negative and is always encoded in 4 bytes.
BZ#828691
snmpd ignored the port number of the "clientaddr" option when specifying the source address of outgoing SNMP requests. As a consequence, the system assigned a random address. This update allows to specify both the port number and the source IP address in the "clientaddr" option. Now, administrators can increase security with firewall rules and Security-Enhanced Linux (SELinux) policies by configuring a specific source port of outgoing traps and other requests.
BZ#830042
snmpd did not correctly process responses to internal queries when initializing monitoring enabled by the "monitor" option in the "/etc/snmp/snmpd.conf" configuration file. As a consequence, snmpd was not fully initialized and the error message "failed to run mteTrigger query" appeared in the system log 30 seconds after the snmpd startup. This update explicitly checks for responses to internal monitoring queries.
Users of net-snmp should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the update, the snmpd and snmptrapd daemons will be restarted automatically.

4.113. nss

Updated nss and nspr packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Upgrade to an upstream version

The nss-util package has been upgraded to upstream version 3.13, which provides a number of enhancements over the previous version. (BZ#788670)
The nss packages have been upgraded to upstream version 3.13, which provides a number of bug fixes and enhancements over the previous version. (BZ#788673, BZ#788964, BZ#788672)
The nspr package has been upgraded to upstream version 4.8.9, which provides a number of enhancements over the previous version. (BZ#788674)

Bug Fixes

BZ#789043
A lack of robustness flaw caused crashes in the administration server for Red Hat Directory Server because the mod_nss module made nss calls before initializing nss per documented API. With this update, nss protects itself against being called before it as been properly initialized by the caller.
BZ#786436
Previously, due to a bug in the FreeBL library, Openswan could generate a Key Exchange payload that was one byte shorter than what was required by the Diffie Hellman (DH) protocol. As a consequence, Openswan dropped connections during such payloads. With this update, the size of the payload is set to zero by default, and the Softoken module is queried for the size. Connections are no longer dropped by Openswan in the described scenario.
All users of nss and nspr are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Updated nss packages that fix a bug are now available for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security enabled client and server applications.

Bug Fix

BZ#798461, BZ#798462
Crashes were reported in the messaging daemon (qpidd) included in Red Hat Enterprise MRG after a recent update to nss. This occurred as qpidd made nss calls before initializing nss. These updated packages prevent qpidd, and other affected processes that call nss without initializing as mandated by the API, from crashing.
All users of nss are advised to upgrade to these updated packages, which fix these bugs.
Updated nss and nspr packages that fix two bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Bug Fixes

BZ#633519
Due to errors in the Netscape Portable Runtime (NSPR) code responsible for thread synchronization, memory corruption sometimes occurred. Consequently, the web server daemon (httpd) sometimes terminated unexpectedly with a segmentation fault after making more than 1023 calls to the NSPR library. With this update, an improvement to the way NSPR frees previously allocated memory has been made and httpd no longer crashes in the scenario described.
BZ#797939
Some Network Security Services (NSS) clients call NSS without initializing first as mandated by the API and NSS did not protect itself against such improper usage. Consequently, this caused unexpected terminations on shutdown as some variables had not been properly initialized. Such crashes were reported in the messaging daemon (qpidd), included in Red Hat Enterprise MRG, after a recent update to the nss package. This occurred as qpidd made NSS calls before initializing NSS. With this update, NSS now protects itself against potential improper use by client code. As a result, NSS prevents qpidd, and other processes that may call NSS without initializing as mandated by the API, from crashing.

Enhancement

BZ#820684
The certutil tool was enhanced to support creation of Elliptic Curve (EC) key pairs on Hardware Security Modules.
All nss and nspr users should upgrade to these updated packages, which fix these bugs and add this enhancement. After installing the update, applications using NSS and NSPR must be restarted for the changes to take effect.
Updated nss and nspr packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

Security Fix

CVE-2012-0441
A flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response.
It was found that a Certificate Authority (CA) issued a subordinate CA certificate to its customer, that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted. (BZ#798533)
Note: The BZ#798533 fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token.

Upgrade to an upstream version

The nspr package has been upgraded to upstream version 4.9.1, and the nss package has been upgraded to upstream version 3.13.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#834220, BZ#834219)
All NSS and NSPR users should upgrade to these updated packages, which correct these issues and add these enhancements. After installing the update, applications using NSS and NSPR must be restarted for the changes to take effect.

4.114. nss_ldap

Updated nss_ldap packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The nss_ldap packages contain the nss_ldap and pam_ldap modules. The nss_ldap module is a name service switch module which allows applications to retrieve information about users and groups from a directory server. The pam_ldap module allows a directory server to be used by PAM-aware applications to verify user passwords.

Bug Fixes

BZ#761281
When parsing an ldap.conf file that contained a host and a port definition, the nss_ldap "do_add_hosts()" function always created a URI starting with "ldap://" regardless of SSL being enabled. Consequently, when the response included an "ldaps://..." referral to the same server and port, the libldap library considered this to be a different scheme ("ldaps" vs. the initial "ldap") and opened new connections for each referral lookup instead of reusing the existing persistent connection. The code has been improved and now when the SSL option is enabled the initial URI will be in the format "ldaps://...". As a result, nss_ldap now correctly uses the LDAPS scheme with SSL connections.
BZ#797410
Due to a regression in the configuration parser, the "do_readline()" function did not return the correct exit code when the last line of "/etc/ldap.secret" did not contain a newline. Consequently, the nss_ldap module failed to bind to the LDAP server. With this update the parser now returns the correct exit code when parsing /etc/ldap.secret and nss_ldap works as expected in the scenario described.
BZ#835555
The nss_ldap module used to leak memory when an entry that did not exist on the remote server was requested. The memory leak has been fixed by freeing an internal search structure even in cases where the search does not finish successfully.
All users of nss_ldap are advised to upgrade to these updated packages, which fix these bugs.

4.115. OFED

Updated OpenFabrics Alliance (openib) packages that upgrade the OpenFabrics Enterprise Distribution (OFED) stack, fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
The OpenFabrics Enterprise Distribution (OFED) is a collection of InfiniBand and iWARP hardware diagnostic utilities, the InfiniBand fabric management daemon, the Infiniband and iWARP kernel module loader, as well as libraries and development packages for writing applications that use Remote Direct Memory Access (RDMA) technology. Red Hat Enterprise Linux uses the OFED software stack as its complete stack for InfiniBand, iWARP, and RDMA hardware support.

Upgrade to an upstream version

The InfiniBand driver stack in the Red Hat Enterprise Linux 5.9 kernel has been updated to the OpenFabrics Enterprise Distribution (OFED) 1.5.4.1 stack, and this erratum updates the user space packages to work with the updated kernel. The user space packages are updated to the same level as the Red Hat Enterprise Linux 6.3 user space InfiniBand software stack with the exception that in Red Hat Enterprise Linux 5.9 we do not support InfiniBand over Ethernet (IBoE), also known as RDMA over Converged Ethernet (RoCE).

Bug Fixes

BZ#536690
IP over InfinBand (IPoIB) interfaces are artificial constructs created on top of InfiniBand RDMA devices. The IPoIB interface has a generated hardware MAC address. The queue pair that the interface is attached to is encoded in the hardware MAC address. However, when unloading and reloading the IPoIB module, it is likely that a different queue pair to the IPoIB queue pair will be assigned. Because the queue pair number is encoded in the MAC address of the IPoIB interface, and because it can change when the IPoIB module is unloaded and reloaded, the final MAC address of IPoIB interfaces can change. Consequently, when users created ifcfg-ibX files that specified the MAC address of the IPoIB interface, after a reload of the IPoIB kernel module, when the MAC address no longer matched, the IPoIB interface failed to be recognized as a configured interface by the network subsystem. To solve this problem, this update implements custom ifup-ib and ifdown-ib network scripts that are aware of the portion of an IPoIB's MAC address that is constant versus the portion that is subject to change. As a result, when a user reloads the IPoIB module, and when the IPoIB interface's MAC address changes, the ifup-ib and ifdown-ib scripts will properly match against the portion that did not change and recognize the interface correctly.
BZ#571779
Imperfect argument processing in the ibv_rc_pingpong program allowed arguments that were too large to be passed to the program. Consequently, the program terminated unexpectedly with a segmentation fault when attempting to set up transfers using large arguments. The checking of arguments in ibv_rc_pingpong has been strengthened. As a result, the program no longer crashes on bad arguments.
BZ#575608
Insufficient state checking in the ifup-ib script could cause it to create an invalid state on bond devices that had IPoIB slaves. Consequently, when the user called ifup on the IPoIB interface, and expected it to be working, the master bond device was sometimes taken down. A check to make sure that the device is not already present in the bond device before attempting to add it is now made. As a result, the device is now initialized properly.
BZ#578640
The libibverbs.spec file was missing the BuildRequires: valgrind-devel line. Consequently, the libibverbs package was built without valgrind memory allocation debugging support. The required line has been added to the spec file and the libibverbs package now supports valgrind memory debugging.
BZ#668913
When passed the -r flag, the ibdiagnet program attempted to free the same memory twice. Consequently, the program would trigger protection built into glibc and end the execution. The program has been fixed to no longer attempt to free the same memory twice and as a result the program completes as expected.
BZ#772602
The ibnodes program is a simple shell wrapper script that calls ibhosts and ibswitches. When passed the -h switch to get help for the program, it passed that switch on to both ibhosts and ibswitches. Consequently, when the user ran ibnodes -h they saw help output for ibhosts and ibswitches. A simple help handler in the ibnodes program that outputs ibnodes-specific help information has been implemented and the problem no longer occurs.
BZ#773718
A race condition on handling of completion events could confuse the ib_send_lat test program. Consequently, the ib_send_lat test program sometimes terminated unexpectedly with a segmentation fault. Completion processing has now been separated into two separate queues, one for send completions and one for receive completions. As a result, out of order and unexpected completions no longer confuse the test program, nor cause crashes.
BZ#783945
An error in thread handling resulted in the rping binary freeing resources before all threads that accessed those resources had exited. Consequently, the rping binary terminated unexpectedly with a segmentation fault when attempting to access already freed resources. Thread handling has been improved to wait for all threads to exit in various locations before proceeding with freeing memory resources. As a result, the rping application no longer crashes on iWARP hardware in the scenario described.
BZ#846162
The openibd init script loaded the parent RDS module if configured to do so, but did not load either of the RDS transports (TCP and RDMA). RDS is non-functional without at least one transport module loaded. Consequently, the RDS protocol was listed as available, but was not usable because no suitable interfaces with a supported transport could be found. The openibd init script has been updated to always load the TCP and RDMA transports if the RDS service is configured to be enabled in /etc/ofed/ofed.conf. As a result, the RDS protocol is now functional and can find suitable interfaces over which to operate.
BZ#846164
Early versions of the Qperf application had the value for the RDS address family protocol value hardcoded because it was not specified via the normal system headers at the time. When the RDS protocol was accepted upstream, the preliminary address family value was changed. Qperf did not pick this change up and instead used the incorrect constant. Consequently, when Qperf thought it was attempting to open an RDS protocol socket, it was in fact attempting to open a different, unsupported socket family. This updates removes the old preliminary constant from the qperf sources and instead gets the constant from the kernel headers now that it is included. As a result, Qperf will open the correct socket type and operate as expected.
BZ#846574
The ifup-ib script did not support naming an IPoIB interface anything other than ib0 or ib1. Consequently, it was not possible to give more meaningful names to IPoIB interfaces. The ifup-ib script has been updated to match against the MAC address in an ifcfg-[name] file, and if the name of the device as specified in the file is not the same as the name of the device according to the kernel, then it will use the iproute tools to rename the device in the kernel. As a result, it is now possible to create a file ifcfg-mlx4_1 with a device HWADDR=[MAC address of mlx4_1 port], and DEVICE=[desired device name] and have the ifup-ib scripts automatically rename the device to the desired device name.
BZ#847647
Reuse of the outgoing RDS ping sockets before the last sent package had received its ACK caused the rds-ping utility to corrupt its internal data. This happened anytime the user specified a ping interval short enough to result in there being 8 or more outstanding ping packets as there are 8 outgoing sockets used by rds-ping by default. Given that RDS ping times are often in the 20-30 msec range, any value less than 8 or so msec for the ping interval ran a reasonable chance of causing this problem. Consequently, the rds-ping utility would give erratic results and sometimes terminate unexpectedly with a segmentation fault. The rds-ping send path has been reworked to track whether or not the response packet has been received on each socket. When it is time to send the next ping, if all sockets still have outstanding pings lacking a response, the program now waits until a ping response comes back in and frees up a socket for sending again. As a result, the application now works in a reliable manner when given very short ping intervals.
BZ#847938
The rping program tried to give an invalid value for the retry_count element on newly created queue pairs. Consequently, depending on the particular hardware driver in question, the driver would either refuse to create the queue pair, causing rping to fail to create a connection and exit, or it would silently truncate the out-of-bounds value to a smaller value and proceed with the connection. This update changes rping to request a valid value for retry_count. As a result, regardless of hardware the connection is now accepted and works as expected.

Enhancements

BZ#787610
The mstflint package, which provides Mellanox firmware burning and diagnostics tools, now includes support for Mellanox ConnectX-3 devices.
BZ#802619
The libcxgb3 library has been updated from upstream version 1.3.0 to the latest upstream version, version 1.3.1. The libcxgb3 library provides a user space driver for Chelsio cxgb3 hardware to be used with libibverbs. This update refreshes the driver for enhanced hardware support and bug fixes.
BZ#802620
The libcxgb4 library has been updated from upstream version 1.1.1 to the latest upstream version, version 1.2.0. The libcxgb4 library provides a user space driver for Chelsio cxgb4 hardware to be used with libibverbs. This update refreshes the driver for enhanced hardware support and bug fixes.
All users using Infiniband and iWARP hardware are advised to upgrade to these updated openib packages, which fix these bugs and add these enhancements.

4.116. openais

Updated openais packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The Application Interface Specification (AIS) is an API and a set of policies for developing applications that maintain services during faults. The OpenAIS Standards Based Cluster Framework is an OSI-certified implementation of the Service Availability Forum AIS. The openais package contains the openais executable, OpenAIS service handlers, default configuration files and an init script.

Bug Fix

BZ#817610
The syslog utility prints data to standard output as a function with a dynamic number of arguments. Previously, a logged string was passed directly as a format string, and if formatting characters were included, stack overflow or underflow could occur. This consequently caused the aisexec process to terminate unexpectedly with a segmentation fault. The underlying source code has been modified so that aisexec no longer crashes in this scenario.
All users of openais are advised to upgrade to these updated packages, which fix this bug.
Updated openais packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The openais package contains the openais executable, OpenAIS service handlers, default configuration files and an init script. The OpenAIS Standards Based Cluster Framework is an OSI-certified implementation of the Service Availability Forum AIS. The Application Interface Specification (AIS) is an API and a set of policies for developing applications that maintain services during failures.

Bug Fix

BZ#812302
OpenIAS previously performed the incorrect test of the message ID range in the update_aru() function. This could cause OpenAIS to fail to receive multicast packet transmissions with the "FAILED TO RECEIVE" error message. This update removes the incorrect test so that OpenAIS no longer fails in this scenario, and proper checks of the message ID range are performed using the fail_to_recv_const constant.
All users of openais are advised to upgrade to these updated packages, which fix this bug.
Updated openais packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The Application Interface Specification (AIS) is an API and a set of policies for developing applications that maintain services during faults. The OpenAIS Standards Based Cluster Framework is an OSI-certified implementation of the Service Availability Forum AIS. The openais package contains the openais executable, OpenAIS service handlers, default configuration files and an init script.

Bug Fixes

BZ#671575
The FAIL_TO_RECV_CONST constant specifies how many rotations of a token should be received without receiving any messages before a new configuration is formed. Previously, this constant was set to 50, which is low for most modern switch hardware. This could cause processes, such as corosync, to terminate unexpectedly. The FAIL_TO_RECV_CONST constant is now set to 2500, which prevents processes from crashing in this scenario.
BZ#794837
The syslog utility prints data to standard output as a function with a dynamic number of arguments. Previously, a logged string was passed directly as a format string, and if formatting characters were included, stack overflow or underflow could occur. This consequently caused the aisexec process to terminate unexpectedly with a segmentation fault. The underlying source code has been modified so that aisexec no longer crashes in this scenario.
BZ#806901
Previously, the range condition for the update_aru() function could cause incorrect check of message IDs. Due to this, in rare cases, the corosync utility entered the "FAILED TO RECEIVE" state, and so failed to receive multicast packets. With this update, the range value in the update_aru() function is no longer checked for; the fail_to_recv_const constant performs such checks. Now, corosync does not fail to receive packets.
BZ#810250
This update adds support for cluster hearbeat configuration through VLAN network interfaces.
All users of openais are advised to upgrade to these updated packages, which fix these bugs.

4.117. OpenIPMI

Updated OpenIPMI packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The OpenIPMI packages provide command-line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.

Bug Fix

BZ#867008
In cases of congested network or slow-responding BMC (Baseboard Management Controller), the reply operation timeout triggered the protocol command retry action. Consequently, the ipmitool utility could incorrectly process a LAN session protocol command with the reply from a previous protocol command. This update fixes handling of expected replies for each command alone and cleans up expected replies between commands. Now, the retried reply of the first command is correctly ignored while the later command, which is currently pending, is properly processed in the described scenario.
Users of OpenIPMI are advised to upgrade to these updated packages, which fix this bug.
Updated OpenIPMI packages that fix one security issue, multiple bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The OpenIPMI packages provide command line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.
CVE-2011-4339
It was discovered that the IPMI event daemon (ipmievd) created its process ID (PID) file with world-writable permissions. A local user could use this flaw to make the ipmievd init script kill an arbitrary process when the ipmievd daemon is stopped or restarted.
Note: This issue did not affect the default configuration of OpenIPMI as shipped with Red Hat Enterprise Linux 5.

Bug Fixes

BZ#658762
Prior to this update, the ipmitool utility first checked the IPMI hardware for Dell IPMI extensions and listed only supported commands when printing command usage like the option "ipmtool delloem help". On a non-Dell platform, the usage text was incomplete and misleading. This update lists all Dell OEM extensions in usage texts on all platforms, which allows users to check for command line arguments on non-Dell hardware.
BZ#671059, BZ#749796
Prior to this update, the ipmitool utility tried to retrieve the Sensor Data Records (SDR) from the IPMI bus instead of the Baseboard Management Controller (BMC) bus when IPMI-enabled devices reported SDR under a different owner than the BMC. As a consequence, the timeout setting for the SDR read attempt could significantly decrease the performance and no sensor data was shown. This update modifies ipmitool to read these SDR records from the BMC and shows the correct sensor data on these platforms.
BZ#740780
Prior to this update, the exit code of the "ipmitool -o list" option was not set correctly. As a consequence, "ipmitool -o list" always returned the value 1 instead of the expected value 0. This update modifies the underlying code to return the value 0 as expected.
BZ#829705
Prior to this update, the "ipmi" service init script did not specify the full path to the "/sbin/lsmod" and "/sbin/modprobe" system utilities. As a consequence, the init script failed when it was executed if PATH did not point to /sbin, for example, when running "sudo /etc/init.d/ipmi". This update modifies the init script so that it now contains the full path to lsmod and modrpobe. Now, it can be executed with sudo.
BZ#846596
Prior to this update, the ipmitool man page did not list the "-b", "-B", "-l" and "-T" options. In this update, these options are documented in the ipmitool man page.

Enhancement

BZ#797050
Updates to the Dell-specific IPMI extension: A new vFlash command, which allows users to display information about extended SD cards; a new setled command, which allows users to display the backplane LED status; improved error descriptions; added support for new hardware; and updated documentation of the ipmitool delloem commands in the ipmitool manual page.
All users of OpenIPMI are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

4.118. openldap

Updated openldap packages that fix one bug are now available for Red Hat Enterprise Linux 5.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP.

Bug Fix

BZ#835444
Previously, the OpenLDAP library looked up for an AAAA (IPv6) DNS record while resolving the server IP address even if IPv6 was disabled on the host, which could cause extra delays when connecting. With this update, the AI_ADDRCONFIG flag is set when resolving the remote host address. As a result, the OpenLDAP library no longer looks up for the AAAA DNS record when resolving the server IP address and IPv6 is disabled on the local system.
All users of openldap are advised to upgrade to these updated packages, which fix this bug.

4.119. openmotif

An updated openmotif package that fixes one bug is now available for Red Hat Enterprise Linux 5.
The openmotif package includes the Motif shared libraries needed to run applications which are dynamically linked against Motif, as well as MWM, the Motif Window Manager.

Bug Fix

BZ#799001
The RHBA:2011-1451 advisory introduced a regression by specifying the "XmI.h" header file in the include directive of multiple files. However, if the file was not installed, compiling applications that used the Label and LabelGadget widgets failed with the following message:
/usr/include/Xm/LabelGP.h:48:17: error: XmI.h: No such file or directory With this update, the include directive containing "XmI.h" has been removed. Applications using the Label and LabelGadget widgets can now be compiled as expected.
All users of openmotif are advised to upgrade to this updated package, which fixes this bug.

4.120. openoffice.org

Updated openoffice.org packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program. OpenOffice.org embeds a copy of Raptor, which provides parsers for Resource Description Framework (RDF) files.

Security Fix

CVE-2012-0037
An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If OpenOffice.org were to open a specially-crafted file (such as an OpenDocument Format or OpenDocument Presentation file), it could possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user running OpenOffice.org had access to. A bug in the way Raptor handled external entities could cause OpenOffice.org to crash or, possibly, execute arbitrary code with the privileges of the user running OpenOffice.org.
Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue.
All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct this issue. All running instances of OpenOffice.org applications must be restarted for this update to take effect.
Updated openoffice.org packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Security Fixes

CVE-2012-2334
An integer overflow flaw, leading to a buffer overflow, was found in the way OpenOffice.org processed an invalid Escher graphics records length in Microsoft Office PowerPoint documents. An attacker could provide a specially-crafted Microsoft Office PowerPoint document that, when opened, would cause OpenOffice.org to crash or, potentially, execute arbitrary code with the privileges of the user running OpenOffice.org.
CVE-2012-1149
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the JPEG, PNG, and BMP image file reader implementations in OpenOffice.org. An attacker could provide a specially-crafted JPEG, PNG, or BMP image file that, when opened in an OpenOffice.org application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Upstream acknowledges Sven Jacobi as the original reporter of CVE-2012-2334, and Tielei Wang via Secunia SVCRP as the original reporter of CVE-2012-1149.
All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect.
Updated openoffice.org packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
OpenOffice.org is an office productivity suite that includes desktop applications, such as a word processor, spreadsheet application, presentation manager, formula editor, and a drawing program.

Security Fix

CVE-2012-2665
Multiple heap-based buffer overflow flaws were found in the way OpenOffice.org processed encryption information in the manifest files of OpenDocument Format files. An attacker could provide a specially-crafted OpenDocument Format file that, when opened in an OpenOffice.org application, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Upstream acknowledges Timo Warns as the original reporter of these issues.
All OpenOffice.org users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of OpenOffice.org applications must be restarted for this update to take effect.

4.121. openssl

Updated openssl packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fixes

CVE-2012-1165
A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.
CVE-2012-0884
A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
This update also fixes a regression caused by the fix for CVE-2011-4619, released via RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to fail.
All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl, openssl097a, and openssl098e packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fix

CVE-2012-2110
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Updated openssl packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

Security Fix

CVE-2012-2333
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or server could use this flaw to crash its DTLS connection peer.
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Codenomicon as the original reporter.
On Red Hat Enterprise Linux 6, this update also fixes an uninitialized variable use bug, introduced by the fix for CVE-2012-0884 (released via RHSA-2012:0426). This bug could possibly cause an attempt to create an encrypted message in the CMS (Cryptographic Message Syntax) format to fail.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

4.122. openswan

Updated openswan packages that fix multiple bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Openswan is a free implementation of IPsec and IKE (Internet Key Exchange) for Linux. This package contains the daemons and user space tools for setting up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6.x also supports IKEv2 (RFC4306).

Bug Fix

BZ#807772
The openswan packages have been upgraded to incorporate a number of backported patches which provide a number of bug fixes and enhancements over the previous version.
All users of openswan are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.

4.123. pam

Updated pam packages that fix three bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.

Bug Fixes

BZ#614765
Due to an error in the %post script, the /var/log/faillog and /var/log/tallylog files were truncated on PAM upgrade. Consequently, the user authentication failure records were lost. The %post script has been fixed, and the user authentication failure records are now preserved during the pam package upgrade.
BZ#768087
When the "remember" option was used, the pam_unix and pam_cracklib modules were matching usernames incorrectly while searching for the old password entries in the /etc/security/opasswd file. Due to this bug, the old password entries could be mixed; the users whose usernames were a substring of another username could have the passwords entries of another user. With this update, the string that is used to match usernames has been fixed. Now only the exact same usernames are matched and the entries about old passwords are no longer mixed in the described scenario.
BZ#824858
Prior to this update, using the pam_pwhistory module caused an error when changing user's password. It was not possible to choose any password, that was in user's password history, as a new password. With this update, root can change the password regardless of whether it is in the user's history or not.

Enhancements

BZ#551312
Prior to this update, the pam_listfile module was searching through all group entries using the getgrent command when looking for group matches. Due to this implementation, getgrent took too much time on systems using central identity servers such as LDAP for storing large number of groups. This feature has been replaced by more efficient implementation, which does not require to look up through all groups on the system. As a result, pam_listfile is now much faster in the described scenario.
BZ#675835
Previously, the pam_access module did not include the nodefgroup option. Consequently, it was impossible to differentiate between users and groups using this module. This enhancement adds backported support for the nodefgroup option of pam_access. When using this option, the user field of the entries in the access.conf file is not matched against groups on the system. The group matches have to be explicitly marked with parentheses "(" and ")".
BZ#554518
Prior to this update, when the pam_exec module ran an external command, the environment variables such as PAM_USER or PAM_HOST were not exported. This enhancement adds support for exporting environment variables, including those which contains common PAM item values from the PAM environment to the script that is executed by the pam_exec module.
BZ#809247
This update improved the pam_cracklib module, which is used to check properties of a new password entered by the user and reject it if it does not meet the specified limits. The pam_cracklib module now allows to check whether a new password contains the words from the GECOS field entries in the "/etc/passwd" file. It also allows to specify the maximum allowed number of consecutive characters of the same class (lowercase, uppercase, number, and special characters) in a password.
All pam users are advised to upgrade to these updated packages, which fix these bugs and adds these enhancements.

4.124. parted

Updated parted packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The parted packages provide tools to create, destroy, resize, move, and copy hard disk partitions. The parted program can be used for creating space for new operating systems, reorganizing disk usage, and copying data to new hard disks.

Bug Fix

BZ#750396
Prior to this update, the libparted partition_duplicate() function did not correctly copy all GPT partition flags. This update modifies the underlying code so that all flags are correctly copied.
All users of parted are advised to upgrade to these updated packages, which fix this bug.

4.125. pdksh

Updated pdksh packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The pdksh package contains a public domain implementation the Korn shell (ksh-88). The ksh shell is a command interpreter intended for both interactive and shell script use.

Bug Fix

BZ#848078
Prior to this update, the pdksh binary file was installed as "/bin/pdksh" but the path written to the /etc/shells file was "/usr/bin/pdksh". As a consequence, some audit tools reported errors. This update fixes the path written to /etc/shells and audit tools no longer report errors in the described scenario.
Users of pdksh are advised to upgrade to these updated packages, which fix this bug.

4.126. perl

Updated perl packages that fix a bug are now available for Red Hat Enterprise Linux 5.
Perl is a high-level programming language commonly used for system administration utilities and web programming.

Bug Fix

BZ#865709
Previously, certain Perl scripts using modules, which use the overload() function in a specific way, could be impacted by a performance regression. Consequently, users could observe slower operation of such scripts after an upgrade from perl packages of version 5.8.5. This update removes an upstream patch from these perl packages that was responsible for the regression, thus preventing this bug.
All users of perl are advised to upgrade to these updated packages, which fix this bug.

4.127. perl-IO-Socket-SSL

An updated perl-IO-Socket-SSL package that fixes one bug is now available for Red Hat Enterprise Linux 5.
The perl-IO-Socket-SSL package is a drop-in replacement for IO-Socket-INET that uses SSL to encrypt data before it is transferred to a remote server or client. IO::Socket::SSL supports all the extra features that one needs to write a full-featured SSL client or server application.

Bug Fix

BZ#815335
Prior to this update, check_crl routines could, under certain circumstances, cause a segmentation fault. This update modifies the underlying code so that the correct function is now called and the check_crl routine works as expected.
All users of perl-IO-Socket-SSL are advised to upgrade to this updated package, which fixes this bug.

4.128. perl-LDAP

Updated perl-LDAP packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The perl-LDAP package provide a collection of modules that implements a LDAP services API for Perl programs. The module may be used to search directories or perform maintenance functions such as adding, deleting, or modifying entries.

Bug Fix

BZ#858699
Previously, errors in LDAP communication occurred when the sent data was too large. Consequently, user could not send data bigger than 15,000 bytes over SSL. With this update, backported upstream patches have been provided, which modify the syswrite() call to use smaller chunks of data passed to the IO::Socket::SSL module, thus fixing this bug.
All users of perl-LDAP are advised to upgrade to these updated packages, which fix this bug.

4.129. perl-XML-SAX

An updated perl-XML-SAX package that fixes one bug is now available for Red Hat Enterprise Linux 5.
XML::SAX is a SAX parser access API for Perl. It includes classes and APIs required for implementing SAX drivers, along with a factory class for returning any SAX parser installed on the user's system.

Bug Fix

BZ#846814
Prior to this update, the presence of a comment in an XML file could cause the XML::SAX parser to terminate unexpectedly with an "End tag mismatch" error. This update adapts the algorithm for finding a closing tag to process comments properly. As a result, XML files that contain comments can now be parsed without errors, as expected.
All users of perl-XML-SAX are advised to upgrade to this updated package, which fixes this bug.

4.130. php

Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix

CVE-2012-1823
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.
All php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fixes

CVE-2012-0057
It was discovered that the PHP XSL extension did not restrict the file writing capability of libxslt. A remote attacker could use this flaw to create or overwrite an arbitrary file that is writable by the user running PHP, if a PHP script processed untrusted eXtensible Style Sheet Language Transformations (XSLT) content.
CVE-2012-1172
Note: This update disables file writing by default. A new PHP configuration directive, "xsl.security_prefs", can be used to enable file writing in XSLT.
A flaw was found in the way PHP validated file names in file upload requests. A remote attacker could possibly use this flaw to bypass the sanitization of the uploaded file names, and cause a PHP script to store the uploaded file in an unexpected directory, by using a directory traversal attack.
CVE-2012-2336
It was discovered that the fix for CVE-2012-1823, released via RHSA-2012:0546, did not properly filter all php-cgi command line arguments. A specially-crafted request to a PHP script could cause the PHP interpreter to output usage information that triggers an Internal Server Error.
CVE-2012-0789
A memory leak flaw was found in the PHP strtotime() function call. A remote attacker could possibly use this flaw to cause excessive memory consumption by triggering many strtotime() function calls.
CVE-2011-4153
It was found that PHP did not check the zend_strndup() function's return value in certain cases. A remote attacker could possibly use this flaw to crash a PHP application.
All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4.131. php53

Updated php53 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix

CVE-2012-1823
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration using the PHP module for Apache httpd to handle PHP scripts.
All php53 users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
Updated php53 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fixes

CVE-2012-0057
It was discovered that the PHP XSL extension did not restrict the file writing capability of libxslt. A remote attacker could use this flaw to create or overwrite an arbitrary file that is writable by the user running PHP, if a PHP script processed untrusted eXtensible Style Sheet Language Transformations (XSLT) content.
CVE-2012-1172
Note: This update disables file writing by default. A new PHP configuration directive, "xsl.security_prefs", can be used to enable file writing in XSLT.
A flaw was found in the way PHP validated file names in file upload requests. A remote attacker could possibly use this flaw to bypass the sanitization of the uploaded file names, and cause a PHP script to store the uploaded file in an unexpected directory, by using a directory traversal attack.
CVE-2012-2386
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially-crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP.
CVE-2010-2950
A format string flaw was found in the way the PHP phar extension processed certain PHAR files. A remote attacker could provide a specially-crafted PHAR file, which once processed in a PHP application using the phar extension, could lead to information disclosure and possibly arbitrary code execution via a crafted phar:// URI.
CVE-2012-2143
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
CVE-2012-2336
Note: With this update, passwords are no longer truncated when performing DES hashing. Therefore, new hashes of the affected passwords will not match stored hashes generated using vulnerable PHP versions, and will need to be updated.
It was discovered that the fix for CVE-2012-1823, released via RHSA-2012:0547, did not properly filter all php-cgi command line arguments. A specially-crafted request to a PHP script could cause the PHP interpreter to execute the script in a loop, or output usage information that triggers an Internal Server Error.
CVE-2012-0789
A memory leak flaw was found in the PHP strtotime() function call. A remote attacker could possibly use this flaw to cause excessive memory consumption by triggering many strtotime() function calls.
CVE-2011-4153
It was found that PHP did not check the zend_strndup() function's return value in certain cases. A remote attacker could possibly use this flaw to crash a PHP application.
Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of CVE-2012-2143.
All php53 users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

4.132. pidgin

Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

Security Fixes

CVE-2012-1178
A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially-crafted MSN message.
CVE-2012-2318
An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially-crafted MSN notification message.
CVE-2012-3374
A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially-crafted emoticon tags.
Red Hat would like to thank the Pidgin project for reporting the CVE-2012-3374 issue. Upstream acknowledges Ulf Härnhammar as the original reporter of CVE-2012-3374.
All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

4.133. piranha

Updated piranha packages that fix two bugs are now available for Red Hat Enterprise Linux 5.
Piranha provides high-availability and load balancing services for Red Hat Enterprise Linux. The piranha packages contains various tools to administer and configure the Linux Virtual Server (LVS), as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing mechanism that provides load balancing, primarily for Web and FTP servers.

Bug Fixes

BZ#786364
Previously, the lvsd daemon did not correctly identify the existence of a new virtual server when re-reading the configuration file. As a consequence, the lvsd daemon could terminate unexpectedly with a segmentation fault when the pulse service was reloaded. With this update, the lvsd daemon correctly determines if a virtual server has been added to the configuration file when the pulse service is reloaded.
BZ#739223
Previously, the lvsd daemon exited if a nanny process encountered an error as a result of executing the ipvsadm command to add or remove a real server. If a nanny process attempted to delete a real server that was not defined for a virtual service, or if a nanny process attempted to add a real server that was already defined for a virtual service, nanny encountered an error from ipvsadm and exited abnormally. With this update, a nanny process does not exit if it fails to add or remove a real server.
All users of piranha are advised to upgrade to these updated packages, which fix these bugs.

4.134. pirut

Updated pirut packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The pirut (Package Install, Remove, and Update Tool) packages provide a set of graphical tools for managing software.

Bug Fix

BZ#472606
When pirut was used to edit a repository that did not have a ".repo" file but was instead provided by a yum plug-in, such as RHN, pirut terminated unexpectedly. This update provides a patch that ensures an error message is displayed for repositories that cannot be edited and pirut no longer crashes in the described scenario.
Users of pirut are advised to upgrade to these updated packages, which fix this bug.

4.135. pm-utils

Updated pm-utils packages that fix three bugs are now available for Red Hat Enterprise Linux 5.
The pm-utils packages contain a set of utilities and scripts for tasks related to power management.

Bug Fixes

BZ#481811
Prior to this update, the pm-utils set listed files without listing the directories for those files. As a consequnce, pm-utils only created but did not own the directories "/usr/lib/pm-utils/bin", "/usr/lib/pm-utils/power.d," and "/usr/lib/pm-utils/sleep.d". This update modifies pm-utils so that all directories are correctly listed in the package. Now, pm-utils owns the created directories.
BZ#675268
Prior to this update, the x86emu code could cause problems for certain hardware. As a consequence, systems that used NVIDIA Quadro FX 1700 video cards and the nv driver did not correctly resume after suspending the system. This update modifies the x86emu code so that all systems resume as expected.
BZ#817421
Prior to this update, the RPM description contained wrong product names. This update removes all wrong information.
All users of pm-utils are advised to upgrade to these updated packages, which fix these bugs.

4.136. postfix

Updated postfix packages that fix multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The postfix packages provide a Mail Transport Agent (MTA), which supports protocols like LDAP, SMTP AUTH (SASL), and TLS.

Bug Fixes

BZ#251677
Prior to this update, upstream example scripts were not included. This update adds these upstream example scripts to the postfix package.
BZ#474541
Prior to this update, the recipient duplicate elimination did not work correctly. As a consequence, users with multiple virtual aliases could receive multiple copies of emails. This update modifies the underlying code so that the recipient duplicate elimination will work as expected if the "enable_original_recipient" configuration option is set to "no". Now, users will no longer receive multiple copies of emails.
BZ#514948
Prior to this update, the postconf documentation contained ambiguous information about "reject_invalid_helo_hostname" restrictions. This update modifies the postconf documentation and the "reject_invalid_helo_hostname" parameter is now documented without ambiguity .
BZ#617069
Prior to this update, the milter (mail filter) communication failed for headers that are larger than 64 kB. Further milter processing of the email was blocked. Now, this update modifies the underlying code so that the long headers are truncated to 60000 characters or less before milter processing. Now, milter processes these large headers as expected.
BZ#645348
Prior to this update, the postfix init script looked for any process named "master" when checking whether the postfix daemon was running. As a consequence, the script could be tricked by any other process named "master", which could lead to problems. This update modifies the init script to check for the process ID (PID) which is more robust.
BZ#664627
Prior to this update, the manual pages for the command line tools "mailq", "newaliases", "sendmail" and "aliases" were not supported by alternatives. As a consequence, these man pages could not be displayed. This update adds support for these manual pages to the alternatives list.
BZ#766499
Prior to this update, the biff notification code did not set the FD_CLOEXEC file descriptor flag on created UDP sockets. As a consequence, the postfix agent could leak file descriptors (FD) to the local delivery agent (LDA) and to other processes spawned by LDA. This update modifies the underlying code to set the FD_CLOEXEC as expected.

Enhancement

BZ#502412
Prior to this update, the postfix agent did not support MySQL. This update adds MySQL support to postfix.
All users of postfix are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

4.137. postgresql

Updated postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fixes

CVE-2012-0868
The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation.
CVE-2012-0866
CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing.
All PostgreSQL users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
Updated postgresql84 and postgresql packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fixes

CVE-2012-0868
The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation.
CVE-2012-0867
When configured to do SSL certificate verification, PostgreSQL only checked the first 31 characters of the certificate's Common Name field. Depending on the configuration, this could allow an attacker to impersonate a server or a client using a certificate from a trusted Certificate Authority issued for a different name.
CVE-2012-0866
CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing.
These updated packages upgrade PostgreSQL to version 8.4.11, which fixes these issues as well as several data-corruption issues and lesser non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes:
http://www.postgresql.org/docs/8.4/static/release.html
All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
Updated postgresql packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix

CVE-2012-2143
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
Note: With this update, the rest of the string is properly included in the DES hash; therefore, any previously stored password values that are affected by this issue will no longer match. In such cases, it will be necessary for those stored password hashes to be updated.
Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of this issue.
All PostgreSQL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update.
Updated postgresql84 and postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fixes

CVE-2012-2143
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
CVE-2012-2655
Note: With this update, the rest of the string is properly included in the DES hash; therefore, any previously stored password values that are affected by this issue will no longer match. In such cases, it will be necessary for those stored password hashes to be updated.
A denial of service flaw was found in the way the PostgreSQL server performed a user privileges check when applying SECURITY DEFINER or SET attributes to a procedural language's (such as PL/Perl or PL/Python) call handler function. A non-superuser database owner could use this flaw to cause the PostgreSQL server to crash due to infinite recursion.
Upstream acknowledges Rubin Xu and Joseph Bonneau as the original reporters of the CVE-2012-2143 issue.
These updated packages upgrade PostgreSQL to version 8.4.12, which fixes these issues as well as several non-security issues. Refer to the PostgreSQL Release Notes for a full list of changes:
http://www.postgresql.org/docs/8.4/static/release.html
All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
Updated postgresql84 and postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fixes

CVE-2012-3488
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
CVE-2012-3489
It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages.
Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Peter Eisentraut as the original reporter of CVE-2012-3488, and Noah Misch as the original reporter of CVE-2012-3489.
These updated packages upgrade PostgreSQL to version 8.4.13. Refer to the PostgreSQL Release Notes for a list of changes:
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
Updated postgresql packages that fix one security issue are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix

CVE-2012-3488
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Peter Eisentraut as the original reporter.
All PostgreSQL users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update.

4.138. ppc64-utils

Updated ppc64-utils packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The ppc64-utils packages are a collection of utilities for Linux running on 64-bit PowerPC platform.

Bug Fix

BZ#821850
Previously, due to errors in the source code, the lparstat utility displayed incorrect values for the "smt", "ent" and "lcpu" items, and undefined values (XXX) for the "entc" and "phint" items. The underlying source code has been modified so that correct values are now displayed when running lparstat.
All users of ppc64-utils are advised to upgrade to these updated packages, which fix this bug.

4.139. procps

Updated procps packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The procps packages contain a set of system utilities that provide system information. The procps packages include the following utilities: ps, free, skill, pkill, pgrep, snice, tload, top, uptime, vmstat, w, watch, and pwdx.

Bug Fixes

BZ#598561
Due to an inaccurate internal evaluation of the CPU utilization, the "ps --sort" command did not work as expected in some cases. Consequently, some of the values in the final sorted sequence were in an incorrect order. This bug has been fixed and these values are sorted correctly in the described scenario.
BZ#730724
Prior to this update, the description of the SWAP field in the top(1) man page could be misleading and confusing. The man page has been fixed by using the SWAP field description from the man page of the successor project procps-ng.
BZ#757734
Descriptions for some of the top command switches were missing in the top(1) man page. Switches "-m", "-M", and "-V", which represent sorting by memory usage, memory units detection, and version/help, respectively, have been added to these updated procps packages.
BZ#839340
Previously, values shown in the "si" and "so" columns were always zero for the "m" or "M" conversion units. The evaluation has been modified to prevent losses of the arithmetic precision and zero values no longer appears in this situation.

Enhancement

BZ#586742
This update introduces a new enhancement in using of the "w" command. Users can switch the value shown in the FROM field to represent IP addresses instead of hostnames. This behavior can be achieved with the "-i" switch.
All users of procps are advised to upgrade to these updated packages that fix these bugs and add this enhancement.

4.140. psmisc

Updated psmisc packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The psmisc package contains the pstree, killall, and fuser utilities to manage system processes.

Bug Fixes

BZ#479345
Prior to this update, the fuser utility incorrectly used the "/proc/net/tcp" socket table to list processes. As a consequence, the fuser tool did not list processes that use a UDP port as expected. This update modifies the underlying code to parse the correct "/proc/net/udp" socket table, and fuser now lists processes for UDP ports as expected.
BZ#666213
Prior to this update, memory was not correctly allocated. As a consequence, the "killall -g" option could fail to kill a process group. This update modifies the memory allocation. Now, the killall utility works as expected.
BZ#693476
Prior to this update, IPv6 addresses were not correctly handled. As a consequence, the fuser command could return empty output for IPv6 sockets. This update modifies the code to handle IPv6 addresses as expected. Now, IPv6 sockets are identified correctly.
All users of psmisc are advised to upgrade to these updated packages, which fix these bugs.

4.141. python

Updated python packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC).

Bug Fixes

BZ#573782
Prior to this update, calling the logging.config.fileConfig() function failed when the logging handlers already existed. Consequently, a KeyError occured in the atexit() call to the logging.shutdown() function. With this update, a fix has been added into logging.config.fileConfig() in order to lose previously existing handlers. As a result, the KeyError no longer occurs.
BZ#638514
IDLE is an integrated development environment for Python. With this update, support to run multiple instances of IDLE on a server has been added. As a result, multiple users can now use IDLE at the same time.
BZ#640523
Previously, the os.chown() function failed on 32-bit architectures when the UID and GID parameters contained numeric values greater than 2147483647 (0x7fffffff). Consequently, an error occurred with the following message:
OverflowError: signed integer is greater than maximum
This bug has been fixed and the os.chown function now handles larger identification numbers correctly.
BZ#822072
Previously, the fcntl.ioctl() function failed on 32-bit architectures when the op parameter contained a numeric value greater than 2147483647 (0x7fffffff). Consequently, an error occurred with the following message:
OverflowError: signed integer is greater than maximum
This bug has been fixed and the fcntl.ioctl function now handles larger request codes correctly.
BZ#701277
Due to a flaw in the Makefile.pre.in file, occasional compilation or link errors appeared when Python was rebuilt on systems with more than one CPU core. This bug has been fixed, and Python can now be rebuilt on multiple-core processing units without the aforementioned errors.
BZ#701569
Previously, a memory leak occurred when Python was used with the _japanese_codecs module. This bug has been fixed, and the memory leak no longer occurs in the described scenario.

Enhancement

BZ#644661
The gdb debugger has been enhanced to allow more effective debugging of Python code. The added hooks enable gdb to display human-readable representations of Python objects within the process being debugged. As a result, backtraces involving Python are now easier to read, and the new hooks enhance the effectiveness of the debugging process.
All users of Python are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
Updated python packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Python is an interpreted, interactive, object-oriented programming language.

Security Fixes

CVE-2012-1150
A denial of service flaw was found in the implementation of associative arrays (dictionaries) in Python. An attacker able to supply a large number of inputs to a Python application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
Note: The hash randomization is not enabled by default as it may break applications that incorrectly depend on dictionary ordering. To enable the protection, the new "PYTHONHASHSEED" environment variable or the Python interpreter's "-R" command line option can be used. Refer to the python(1) manual page for details.
The RHSA-2012:0731 expat erratum must be installed with this update, which adds hash randomization to the Expat library used by the Python pyexpat module.
CVE-2011-4940
A flaw was found in the way the Python SimpleHTTPServer module generated directory listings. An attacker able to upload a file with a specially-crafted name to a server could possibly perform a cross-site scripting (XSS) attack against victims visiting a listing page generated by SimpleHTTPServer, for a directory containing the crafted file (if the victims were using certain web browsers).
CVE-2011-4944
A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories. (CVE-2011-4944)
Red Hat would like to thank oCERT for reporting CVE-2012-1150. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters of CVE-2012-1150.
All Python users should upgrade to these updated packages, which contain backported patches to correct these issues.

4.142. python-iniparse

An updated python-iniparse package that fixes one bug is now available for Red Hat Enterprise Linux 5.
The python-iniparse package contains an INI parser for Python which is API-compatible with the standard library's ConfigParser, preserves structure of INI files (order of sections and options, indentation, comments, and blank lines is preserved when data is updated), and is more convenient to use.

Bug Fix

BZ#753891
Due to errors in the defaults() method, python-iniparse failed with a traceback and the "ValueError: too many values to unpack" message was printed when using the method. The underlying source code has been revised, and the traceback no longer occurs when the defaults() method is used.
All users of python-iniparse are advised to upgrade to this updated package, which fixes this bug.

4.143. python-rhsm

Updated python-rhsm packages that fix multiple bugs are now available for Red Hat Enterprise Linux 5.
The python-rhsm packages provide a library for communicating with the representational state transfer (REST) interface of Red Hat's subscription and content service. The Subscription Management tools use this interface to manage system entitlements, certificates, and content access.

Bug Fixes

BZ#806958, BZ#830767, BZ#842885
Prior to this update, the python-rhsm library used unimplemented methods in certain error classes. As a consequence, messages contained a traceback obscuring actual error messages. This update implements the missing methods in the error classes. Now, the error message is reported as expected.
BZ#833537
Prior to this update, malformed requests were sent to the content delivery network (CDN). As a consequence, clients could not get a list of releases. This update modifies the underlying code to format the requests to CDN as expected. Now, clients can get a list of releases.
BZ#834108
Prior to this update, the httplib library used the default timeout setting of several minutes. As a consequence, clients that used the python-rhsm library appeared to be suspended. This update shortens the default setting for the timeout to 60 seconds.
BZ#848742
Prior to this update, the python-rhsm library did not support arbitrary bit length certificate serial numbers. As a consequence, certificates could be created with incorrect file names. This update supports arbitrary length certificate serial numbers to ensure that certificates are created with the correct file name.
BZ#851644
Prior to this update, the python-rhsm library did not decode logging messages using the Japanese locale as expected. As a consequence, python-rhsm logged tracebacks instead of messages. This update configures python-rhsm to handle messages in the Japanese locale correctly.
BZ#857426
Prior to this update, post data was set as "None" due to an invalid "if" statement. As a consequence, python-rhsm failed to set an empty JSON structure as the body of the request. This update modifies the "if" statement to explicitly check that the data is not "None". Now, empty mapping of hypervisors can pass as expected and is correctly sent to candlepin.
All users of python-rhsm are advised to upgrade to these updated packages, which fix these bugs.

4.144. qt

Updated qt packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The qt packages contain a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

Bug Fix

BZ#758386
When building multilib RPM packages, Qt's moc preprocessor inserted different timestamps in their source files. As a consequence, attempting to install debuginfo multilib packages failed because of conflicts between the packages. With this update, the timestamp-insertion code has been removed, so that the source files are identical and multilib packages can be installed as expected.
All users of qt are advised to upgrade to these updated packages, which fix this bug.

4.145. quagga

Updated quagga packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector.

Bug Fixes

BZ#528583
Previously, several function declarations were missing in the zebra.h header file. As a consequence, a zebra server terminated unexpectedly with a segmentation fault when commands, such as "show ip protocol", calling these functions were issued on the zebra server. With this update, the missing function declarations have been added and zebra servers no longer crash in this scenario.
BZ#604620
Previously on system update, Quagga marked obsolete any other routing packages that provide the same functionality as Quagga, such as the bird package that provides a TCP/IP routing daemon. Consequently, such packages were removed from the system. With this update, the quagga spec file has been modified so that it no longer obsoletes other routing packages.
BZ#508800
Previously, Quagga init scripts did not locate PID files of Quagga daemons correctly. Consequently, these PID files were not removed during service shutdown. With this update, Quagga init scripts have been modified to locate the respective PID files correctly and the PID files now no longer remain on the system after the service is stopped.
BZ#716324
Previously, Quagga init scripts ignored the QCONFDIR variable specified in the /etc/sysconfig/quagga file and used an explicit path to the configuration files instead. This could cause problems if the location of the configuration changed. This update modifies Quagga init scripts to use the QCONFDIR variable as expected.
All users of quagga are advised to upgrade to these updated packages, which fix these bugs.

4.146. quota

An updated quota package that fixes one security issue and multiple bugs is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The quota package provides system administration tools for monitoring and limiting user and group disk usage on file systems.

Security Fix

CVE-2012-3417
It was discovered that the rpc.rquotad service did not use tcp_wrappers correctly. Certain hosts access rules defined in "/etc/hosts.allow" and "/etc/hosts.deny" may not have been honored, possibly allowing remote attackers to bypass intended access restrictions.
This issue was discovered by the Red Hat Security Response Team.

Bug Fixes

BZ#667360
Prior to this update, values were not properly transported via the remote procedure call (RPC) and interpreted by the client when querying the quota usage or limits for network-mounted file systems if the quota values were 2^32 kilobytes or greater. As a consequence, the client reported mangled values. This update modifies the underlying code so that such values are correctly interpreted by the client.
BZ#680429
Prior to this update, warnquota sent messages about exceeded quota limits from a valid domain name if the warnquota tool was enabled to send warning e-mails and the superuser did not change the default warnquota configuration. As a consequence, the recipient could reply to invalid addresses. This update modifies the default warnquota configuration to use the reserved example.com. domain. Now, warnings about exceeded quota limits are sent from the reserved domain that inform the superuser to change to the correct value.
BZ#689822
Previously, quota utilities could not recognize the file system as having quotas enabled and refused to operate on it due to incorrect updating of /etc/mtab. This update prefers /proc/mounts to get a list of file systems with enabled quotas. Now, quota utilities recognize file systems with enabled quotas as expected.
BZ#831520
Prior to this update, the setquota(8) tool on XFS file systems failed to set disk limits to values greater than 2^31 kilobytes. This update modifies the integer conversion in the setquota(8) tool to use a 64-bit variable big enough to store such values.
All users of quota are advised to upgrade to this updated package, which contains backported patches to resolve these issues.

4.147. redhat-release

A new redhat-release package is now available for Red Hat Enterprise Linux 5.9.
The redhat-release package contains licensing information regarding, and identifies the installed version of, Red Hat Enterprise Linux.
This new package reflects changes made for the release of Red Hat Enterprise Linux 5.9.
Users of Red Hat Enterprise Linux 5.9 are advised to install this new package.

4.148. redhat-release-notes

An updated redhat-release-notes package is now available for Red Hat Enterprise Linux 5.9 as part of ongoing support and maintenance of Red Hat Enterprise Linux 5.
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security and bug fix errata. The Red Hat Enterprise Linux 5.9 Release Notes document the major changes made to the Red Hat Enterprise Linux 5 operating system and its accompanying applications for this minor release. Detailed notes on all changes in this minor release are available in the Technical Notes.
This package contains the Release Notes for Red Hat Enterprise Linux 5.9.
The online Red Hat Enterprise Linux 5.9 Release Notes, which are located online at https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/h tml-single/5.9_Release_Notes/index.html, are to be considered the definitive, up-to-date version. Customers with questions about the release are advised to consult the online Release Notes and Technical Notes for their version of Red Hat Enterprise Linux.
Users of Red Hat Enterprise Linux 5 are advised to upgrade to this updated redhat-release-notes package, which adds the updated Release Notes.

4.149. rgmanager

Updated rgmanager packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager which provides the ability to create and manage high-availability server applications in the event of system downtime.

Bug Fix

BZ#827390
The filesystem and clusterfs resource agents were, in some cases, unable to unmount file systems that were exported using the nfsd utility. This update adds a new configuration option, "nfsrestart", as a workaround which ensures that the system is successfully unmounted. This new option is not compatible with the nfsserver resource agent, and requires the "force_unmount" option to be enabled.
All users of rgmanager are advised to upgrade to these updated packages, which fix this bug.
Updated rgmanager packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager which provides the ability to create and manage high-availability server applications in the event of system downtime.

Bug Fix

BZ#839195
Under rare conditions, rgmanager could attempt to free memory that had previously been freed. When this occurred, rgmanager terminated unexpectedly with a segmentation fault. This bug has been fixed and rgmanager no longer attempts to free previously-freed memory.
All users of rgmanager are advised to upgrade to these updated packages, which fix this bug.
Updated rgmanager packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager, which allows to create and manage high-availability server applications in the event of system downtime.

Bug Fix

BZ#852865
If the contents of the /proc/mounts file changed during a status check operation of the file system resource agent, the status check could incorrectly detect that a mount was missing. Consequently, a healthy service could have incorrectly be marked as having failed. This bug has been fixed and rgmanager's file system resource agent no longer reports false failures in the described scenario.
All users of rgmanager are advised to upgrade to these updated packages, which fix this bug.
Updated rgmanager packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager, which allows to create and manage high-availability server applications in the event of system downtime.

Bug Fix

BZ#859999
Due to a regression in the filesystem resource agent as part of the bug fix related to reading the /proc/mounts file, the filesystem resource agent status operations failed if the name of a file system resource contained the "/" character. This bug has been fixed and resources with "/" in their name no longer cause rgmanager to report failure for status operations.
All users of rgmanager are advised to upgrade to these updated packages, which fix this bug.
Updated rgmanager packages that fix a bug are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager, which allows to create and manage high-availability server applications in the event of system downtime.

Bug Fix

BZ#876962
When rgmanager received a remote start message for a particular service while already in the process of starting that service locally, a deadlock could occur. This sometimes happened during recovery of a service that had failed its start operation. This bug has been fixed and rgmanager works as expected.
All users of rgmanager are advised to upgrade to these updated packages, which fix this bug.
Updated rgmanager packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The rgmanager packages contain the Red Hat Resource Group Manager, which provides the ability to create and manage high-availability server applications in the event of system downtime.

Bug Fixes

BZ#693855
A mirror device failure during the relocation of the High Availability LVM service (HA-LVM) could cause, under certain circumstances, the service to fail. This bug has been fixed and now the mirror device failure no longer affects the HA-LVM service in such a case.
BZ#723819
The orainstance.sh resource agent did not detect all startup failures properly. The underlying source code has been modified and all failures are now detected correctly.
BZ#756180
LVM resource agent could not update logical volume tags if there were missing physical volumes. This bug has been fixed and the logical volume tags are forcibly removed if the physical volumes are missing.
BZ#769730
If the cman service was stopped while the rgmanager service was running, rgmanager sometimes exited uncleanly without releasing its Distributed Lock Manager (DLM) lock space. Consequently, it was impossible to shut down rgmanager and cman. Now if the user mistakenly attempts to stop cman service while rgmanager is still running, rgmanager no longer stops in this situation.
BZ#773372
If the /etc/lvm/lvm.conf file was changed after the last initrd (initial ramdisk) rebuild, the LVM resource agent failed. This agent has been modified to generate a warning message and no longer fails in such a case.
BZ#789366
If a service with a relocate failover policy failed and the relocation operation failed as well, the service could be restarted locally. Due to an error in the source code, the service afterwards stopped, even if the local restart succeeded. This error has been fixed, and these services no longer stop after a successful local restart.
BZ#819595
When the root file system was full, rgmanager randomly killed applications when trying to force-unmount. The underlying source code has been modified and applications are stopped instead of killed in this case.
BZ#820632
Under rare conditions, rgmanager attempted to free memory that had been previously freed. As a consequence, rgmanager terminated unexpectedly with a segmentation fault. This bug has been fixed and rgmanager no longer attempts to free previously-freed memory.
BZ#834459
When rgmanager received a remote start message for a particular service while already in the process of starting that service locally, a deadlock could occur. This sometimes happened during recovery of a service that had failed its start operation. This bug has been fixed and rgmanager works as expected.
BZ#847125
If the contents of the /proc/mounts file changed during a status check operation of the file system resource agent, the status check could incorrectly detect that a mount was missing and mark a service as failed. This bug has been fixed and rgmanager's file system resource agent no longer reports false failures in the described scenario.

Enhancements

BZ#819494
A new "prefer_interface" parameter has been added to the rgmanager ip.sh resource agent. This parameter is used for adding an IP address to a particular network interface if a cluster node has multiple active interfaces that have IP addresses on the same subnetwork.
BZ#822066
In some cases, "fs unmount" command and clustersfs resource agents were unable to unmount the file systems which were exported by the nfsd utility. The new nfsrestart option to enable a last resort workaround prior to failing to unmount the file system has been added. The new option requires force_unmount="" to be enabled and it is not compatible with nfsserver resource agent.
All users of rgmanager should upgrade to these updated packages, which fix these bugs and add these enhancements.

4.150. rhn-client-tools

Updated rhn-client-tools packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The rhn-client-tools packages provide programs and libraries that allow a system to receive software updates from Red Hat Network.

Bug Fixes

BZ#761489
Previously, when the rhn-virtualization-host package was installed and the libvirtd service was not running, the exit status of the rhnreg_ks utility would incorrectly indicate an error even if it succeeded in registering the system. This update corrects this error and the rhnreg_ks utility now terminates with the exist status of 0 in this situation.
BZ#771749
Prior to this update, an attempt to use the rhn-channel tool to manage a non-existent channel failed with a traceback. With this update, the user is presented with an informative error message.
BZ#781336
When the user attempted to register a system with RHN Classic and provided invalid credentials, the rhn_register utility for the graphical user interface previously reported the following error at the very end of the registration process: "You have no active subscriptions available in your account". This update adapts the rhn_register utility to report invalid credentials as expected.
BZ#798181
Previously, an error message that had no effect and mentioned Subscription Manager could appear if the user was registering the system with Red Hat Network or Red Hat Network Satellite. With this update, this message is no longer presented to the user.
BZ#865641
In the beta version of Red Hat Enterprise Linux 5.9, certain parts of the rhn_register utility and the firstboot application were not fully translated to all supported languages. This update ensures that both these tools are translated as expected.
BZ#827076
When the server failover mechanism was enabled and rhnplugin failed to connect to the primary server, it did not correctly fall back to the secondary Red Hat Network Satellite or Red Hat Network Proxy server. This update ensures that when the primary server is unavailable and secondary servers are configured, rhnplugin correctly attempts to connect to these servers instead.

Enhancement

BZ#823549
The rhn_register utility for the graphical user interface and the "Set Up Software Updates" part of the firstboot application have been adapted to mention Subscription Manager.
All users of rhn-client-tools are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.

4.151. rhnsd

Updated rhnsd packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The rhnsd packages provide the Red Hat Network Services Daemon, a system service that automatically queries the Red Hat Network servers, determines which packages on the machine need to be updated, and performs appropriate actions.

Bug Fix

BZ#800127
The /etc/sysconfig/rhn/rhnsd configuration file allows the system administrator to specify how many minutes the rhnsd service waits before checking the Red Hat Network for available updates and actions again. The previous version of the rhnsd service would incorrectly log a message telling the user that this interval is specified in seconds. This update corrects the wording of this log message.
All users of rhnsd are advised to upgrade to these updated packages, which fix this bug.

4.152. rp-pppoe

Updated rp-pppoe packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The rp-pppoe packages provide the Roaring Penguin PPPoE client, a user-mode program that does not require any kernel modifications. This client is fully compliant with RFC 2516, the official PPPoE (Point-to-Point Protocol over Ethernet) specification.

Bug Fix

BZ#606403
Prior to this update, the pppoe-server did not correctly calculate the value of the Access Concentrator (AC) Cookie on Intel 64 and AMD64 platforms. As a consequence, the pppoe-server did not return a PPPoE active discovery session-confirmation (PADS) packet to the client. This update modifies the pppoe-server code so that a PADS packet is returned.
All users of rp-pppoe are advised to upgrade to these updated packages, which fix this bug.

4.153. rpm

Updated rpm packages that fix several bugs are now available for Red Hat Enterprise Linux 5.
The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Bug Fixes

BZ#620570
RPM treated systems which were using Geode processors as compatible with the i686 architecture. Consequently, installation of i686 packages failed on this systems. This compatibility issue has been resolved by setting the architecture to i686, and installation of the i686 architecture packages works as expected.
BZ#760552
Previously, the Japanese version of the rpm(8) manual page contained multiple typos. This update corrects those typos.
BZ#783451
The Python bindings provided by the rpm-python package incorrectly added a new line character at the end of the group tag when retrieving it from a Python program. This bug has been fixed and the tag is now returned unaltered.
BZ#808547
Due to the lack of DWARF 3 and 4 format support, the rpmbuild utility was not able to produce usable debug packages with newer compilers. This update adds the required support for the debugedit utility to RPM, and DWARF 3 and 4 formats are now supported as expected.
BZ#813282
The "freshen" (rpm -F/--freshen) operation did not consider the architecture the packages were built for when selecting update candidates, which caused either misleading error messages or packages being updated to a different architecture inappropriately on multilib systems. RPM now requires an exact architecture match between packages on multilib systems to perform the freshen operation.
BZ#814602
Descriptions of the "--define" and "--eval" parameters were missing in the rpm(8) manual page. This update adds these missing descriptions.
All users of RPM are advised to upgrade to these updated packages, which fix these bugs.
Updated rpm packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6; Red Hat Enterprise Linux 3 and 4 Extended Life Cycle Support; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Security Fix

CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code.
Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue would allow a specially-crafted RPM package to execute arbitrary code before its digital signature has been verified. Package downloads from the Red Hat Network are protected by the use of a secure HTTPS connection in addition to the RPM package signature checks.
All RPM users should upgrade to these updated packages, which contain a backported patch to correct these issues. All running applications linked against the RPM library must be restarted for this update to take effect.

4.154. ruby

Updated ruby packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.

Security Fixes

CVE-2012-4522
It was found that certain methods did not sanitize file names before passing them to lower layer routines in Ruby. If a Ruby application created files with names based on untrusted input, it could result in the creation of files with different names than expected.
CVE-2012-4481
It was found that the RHSA-2011:0909 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent.
The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.

Bug Fix

BZ#834381
Prior to this update, the "rb_syck_mktime" option could, under certain circumstances, terminate with a segmentation fault when installing libraries with certain gems. This update modifies the underlying code so that Ruby gems can be installed as expected.
All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

4.155. perl-DBD-Pg

An updated perl-DBD-Pg package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Perl DBI is a database access Application Programming Interface (API) for the Perl language. perl-DBD-Pg allows Perl applications to access PostgreSQL database servers.

Security Fix

CVE-2012-1151
Two format string flaws were found in perl-DBD-Pg. A specially-crafted database warning or error message from a server could cause an application using perl-DBD-Pg to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
All users of perl-DBD-Pg are advised to upgrade to this updated package, which contains a backported patch to fix these issues. Applications using perl-DBD-Pg must be restarted for the update to take effect.

4.156. samba

Updated samba packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1